Edit tour

Windows Analysis Report
Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe

Overview

General Information

Sample name:	Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe renamed because original name is a hash value
Original sample name:	Rfq H2110-11Order_ROYPOWTECH %100% S51105P-E01 .exe
Analysis ID:	1523111
MD5:	a168b11261c075963b1dfd139cbbfac6
SHA1:	3248fcfe659305dba908ee7271da1a3c72f103c1
SHA256:	32b59977aff73828e93c0844e7805de9c854049bb3b046399f1ce42e58679b85
Infos:

Detection

Snake Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AntiVM3

Yara detected Snake Keylogger

.NET source code contains potential unpacker

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for sample

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to detect the country of the analysis system (by using the IP)

Yara detected Generic Downloader

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if the current process is being debugged

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

One or more processes crash

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara signature match

Classification

Process Tree

System is w10x64

Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe (PID: 6364 cmdline: "C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe" MD5: A168B11261C075963B1DFD139CBBFAC6)

powershell.exe (PID: 6956 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 6948 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe (PID: 6960 cmdline: "C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe" MD5: A168B11261C075963B1DFD139CBBFAC6)

Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe (PID: 7032 cmdline: "C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe" MD5: A168B11261C075963B1DFD139CBBFAC6)

WerFault.exe (PID: 3484 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7032 -s 2536 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: Snake Keylogger

{"Exfil Mode": "Telegram", "Token": "6783395654:AAGHZk1wugh441q673h1nDNWiVYW4p6ewXc", "Chat_id": "-4209622687", "Version": "5.1"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000005.00000002.1963646151.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000005.00000002.1963646151.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14476:$a1: get_encryptedPassword 0x1475a:$a2: get_encryptedUsername 0x14272:$a3: get_timePasswordChanged 0x1436d:$a4: get_passwordField 0x1448c:$a5: set_encryptedPassword 0x15b1b:$a7: get_logins 0x15a7e:$a10: KeyLoggerEventArgs 0x156e9:$a11: KeyLoggerEventArgsEventHandler
00000005.00000002.1963646151.0000000000402000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19434:$x1: $%SMTPDV$ 0x17df8:$x2: $#TheHashHere%& 0x193dc:$x3: %FTPDV$ 0x17d98:$x4: $%TelegramDv$ 0x156e9:$x5: KeyLoggerEventArgs 0x15a7e:$x5: KeyLoggerEventArgs 0x19400:$m2: Clipboard Logs ID 0x1963e:$m2: Screenshot Logs ID 0x1974e:$m2: keystroke Logs ID 0x19a28:$m3: SnakePW 0x19616:$m4: \SnakeKeylogger\
00000000.00000002.1677007999.0000000004F73000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.1677007999.0000000004F73000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1521e:$a1: get_encryptedPassword 0x3543e:$a1: get_encryptedPassword 0x5545e:$a1: get_encryptedPassword 0x15502:$a2: get_encryptedUsername 0x35722:$a2: get_encryptedUsername 0x55742:$a2: get_encryptedUsername 0x1501a:$a3: get_timePasswordChanged 0x3523a:$a3: get_timePasswordChanged 0x5525a:$a3: get_timePasswordChanged 0x15115:$a4: get_passwordField 0x35335:$a4: get_passwordField 0x55355:$a4: get_passwordField 0x15234:$a5: set_encryptedPassword 0x35454:$a5: set_encryptedPassword 0x55474:$a5: set_encryptedPassword 0x168c3:$a7: get_logins 0x36ae3:$a7: get_logins 0x56b03:$a7: get_logins 0x16826:$a10: KeyLoggerEventArgs 0x36a46:$a10: KeyLoggerEventArgs 0x56a66:$a10: KeyLoggerEventArgs
00000000.00000002.1677007999.0000000004F73000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x1a1dc:$x1: $%SMTPDV$ 0x3a3fc:$x1: $%SMTPDV$ 0x5a41c:$x1: $%SMTPDV$ 0x18ba0:$x2: $#TheHashHere%& 0x38dc0:$x2: $#TheHashHere%& 0x58de0:$x2: $#TheHashHere%& 0x1a184:$x3: %FTPDV$ 0x3a3a4:$x3: %FTPDV$ 0x5a3c4:$x3: %FTPDV$ 0x18b40:$x4: $%TelegramDv$ 0x38d60:$x4: $%TelegramDv$ 0x58d80:$x4: $%TelegramDv$ 0x16491:$x5: KeyLoggerEventArgs 0x16826:$x5: KeyLoggerEventArgs 0x366b1:$x5: KeyLoggerEventArgs 0x36a46:$x5: KeyLoggerEventArgs 0x566d1:$x5: KeyLoggerEventArgs 0x56a66:$x5: KeyLoggerEventArgs 0x1a1a8:$m2: Clipboard Logs ID 0x1a3e6:$m2: Screenshot Logs ID 0x1a4f6:$m2: keystroke Logs ID
00000005.00000002.1965220734.0000000002961000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe PID: 6364	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe PID: 6364	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe PID: 6364	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf7c8f:$a1: get_encryptedPassword 0xf7f69:$a2: get_encryptedUsername 0xf7a95:$a3: get_timePasswordChanged 0xf7b90:$a4: get_passwordField 0xf7ca5:$a5: set_encryptedPassword 0xfa17c:$a7: get_logins 0xfa0df:$a10: KeyLoggerEventArgs 0xf9d4a:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe PID: 6364	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0xf9d4a:$x5: KeyLoggerEventArgs 0xfa0df:$x5: KeyLoggerEventArgs 0xfa9e6:$x5: KeyLoggerEventArgs 0xfad47:$x5: KeyLoggerEventArgs 0xfc31e:$m2: Clipboard Logs ID 0xfc424:$m2: Screenshot Logs ID 0xfc47a:$m2: keystroke Logs ID 0xfc5af:$m3: SnakePW 0xfc410:$m4: \SnakeKeylogger\
Process Memory Space: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe PID: 7032	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe PID: 7032	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x11c91:$a1: get_encryptedPassword 0x11f6b:$a2: get_encryptedUsername 0x11a97:$a3: get_timePasswordChanged 0x11b92:$a4: get_passwordField 0x11ca7:$a5: set_encryptedPassword 0x1417e:$a7: get_logins 0x140e1:$a10: KeyLoggerEventArgs 0x13d4c:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe PID: 7032	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x13d4c:$x5: KeyLoggerEventArgs 0x140e1:$x5: KeyLoggerEventArgs 0x149e8:$x5: KeyLoggerEventArgs 0x14d49:$x5: KeyLoggerEventArgs 0x16320:$m2: Clipboard Logs ID 0x16426:$m2: Screenshot Logs ID 0x1647c:$m2: keystroke Logs ID 0x165b1:$m3: SnakePW 0x16412:$m4: \SnakeKeylogger\
Click to see the 9 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4f93dc8.4.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4f93dc8.4.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12876:$a1: get_encryptedPassword 0x12b5a:$a2: get_encryptedUsername 0x12672:$a3: get_timePasswordChanged 0x1276d:$a4: get_passwordField 0x1288c:$a5: set_encryptedPassword 0x13f1b:$a7: get_logins 0x13e7e:$a10: KeyLoggerEventArgs 0x13ae9:$a11: KeyLoggerEventArgsEventHandler
0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4f93dc8.4.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a214:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x19446:$a3: \Google\Chrome\User Data\Default\Login Data 0x19879:$a4: \Orbitum\User Data\Default\Login Data 0x1a8b8:$a5: \Kometa\User Data\Default\Login Data
0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4f93dc8.4.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x13449:$s1: UnHook 0x13450:$s2: SetHook 0x13458:$s3: CallNextHook 0x13465:$s4: _hook
0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4f93dc8.4.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x17834:$x1: $%SMTPDV$ 0x161f8:$x2: $#TheHashHere%& 0x177dc:$x3: %FTPDV$ 0x16198:$x4: $%TelegramDv$ 0x13ae9:$x5: KeyLoggerEventArgs 0x13e7e:$x5: KeyLoggerEventArgs 0x17800:$m2: Clipboard Logs ID 0x17a3e:$m2: Screenshot Logs ID 0x17b4e:$m2: keystroke Logs ID 0x17e28:$m3: SnakePW 0x17a16:$m4: \SnakeKeylogger\
5.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
5.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.400000.0.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
5.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.400000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14676:$a1: get_encryptedPassword 0x1495a:$a2: get_encryptedUsername 0x14472:$a3: get_timePasswordChanged 0x1456d:$a4: get_passwordField 0x1468c:$a5: set_encryptedPassword 0x15d1b:$a7: get_logins 0x15c7e:$a10: KeyLoggerEventArgs 0x158e9:$a11: KeyLoggerEventArgsEventHandler
5.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.400000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c014:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b246:$a3: \Google\Chrome\User Data\Default\Login Data 0x1b679:$a4: \Orbitum\User Data\Default\Login Data 0x1c6b8:$a5: \Kometa\User Data\Default\Login Data
5.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x15249:$s1: UnHook 0x15250:$s2: SetHook 0x15258:$s3: CallNextHook 0x15265:$s4: _hook
5.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.400000.0.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19634:$x1: $%SMTPDV$ 0x17ff8:$x2: $#TheHashHere%& 0x195dc:$x3: %FTPDV$ 0x17f98:$x4: $%TelegramDv$ 0x158e9:$x5: KeyLoggerEventArgs 0x15c7e:$x5: KeyLoggerEventArgs 0x19600:$m2: Clipboard Logs ID 0x1983e:$m2: Screenshot Logs ID 0x1994e:$m2: keystroke Logs ID 0x19c28:$m3: SnakePW 0x19816:$m4: \SnakeKeylogger\
0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4f73ba8.0.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4f73ba8.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12876:$a1: get_encryptedPassword 0x12b5a:$a2: get_encryptedUsername 0x12672:$a3: get_timePasswordChanged 0x1276d:$a4: get_passwordField 0x1288c:$a5: set_encryptedPassword 0x13f1b:$a7: get_logins 0x13e7e:$a10: KeyLoggerEventArgs 0x13ae9:$a11: KeyLoggerEventArgsEventHandler
0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4f73ba8.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a214:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x19446:$a3: \Google\Chrome\User Data\Default\Login Data 0x19879:$a4: \Orbitum\User Data\Default\Login Data 0x1a8b8:$a5: \Kometa\User Data\Default\Login Data
0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4f73ba8.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x13449:$s1: UnHook 0x13450:$s2: SetHook 0x13458:$s3: CallNextHook 0x13465:$s4: _hook
0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4f73ba8.0.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x17834:$x1: $%SMTPDV$ 0x161f8:$x2: $#TheHashHere%& 0x177dc:$x3: %FTPDV$ 0x16198:$x4: $%TelegramDv$ 0x13ae9:$x5: KeyLoggerEventArgs 0x13e7e:$x5: KeyLoggerEventArgs 0x17800:$m2: Clipboard Logs ID 0x17a3e:$m2: Screenshot Logs ID 0x17b4e:$m2: keystroke Logs ID 0x17e28:$m3: SnakePW 0x17a16:$m4: \SnakeKeylogger\
0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4f93dc8.4.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4f93dc8.4.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4f93dc8.4.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14676:$a1: get_encryptedPassword 0x34696:$a1: get_encryptedPassword 0x1495a:$a2: get_encryptedUsername 0x3497a:$a2: get_encryptedUsername 0x14472:$a3: get_timePasswordChanged 0x34492:$a3: get_timePasswordChanged 0x1456d:$a4: get_passwordField 0x3458d:$a4: get_passwordField 0x1468c:$a5: set_encryptedPassword 0x346ac:$a5: set_encryptedPassword 0x15d1b:$a7: get_logins 0x35d3b:$a7: get_logins 0x15c7e:$a10: KeyLoggerEventArgs 0x35c9e:$a10: KeyLoggerEventArgs 0x158e9:$a11: KeyLoggerEventArgsEventHandler 0x35909:$a11: KeyLoggerEventArgsEventHandler
0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4f93dc8.4.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c014:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3c034:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b246:$a3: \Google\Chrome\User Data\Default\Login Data 0x3b266:$a3: \Google\Chrome\User Data\Default\Login Data 0x1b679:$a4: \Orbitum\User Data\Default\Login Data 0x3b699:$a4: \Orbitum\User Data\Default\Login Data 0x1c6b8:$a5: \Kometa\User Data\Default\Login Data 0x3c6d8:$a5: \Kometa\User Data\Default\Login Data
0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4f93dc8.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x15249:$s1: UnHook 0x35269:$s1: UnHook 0x15250:$s2: SetHook 0x35270:$s2: SetHook 0x15258:$s3: CallNextHook 0x35278:$s3: CallNextHook 0x15265:$s4: _hook 0x35285:$s4: _hook
0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4f93dc8.4.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19634:$x1: $%SMTPDV$ 0x39654:$x1: $%SMTPDV$ 0x17ff8:$x2: $#TheHashHere%& 0x38018:$x2: $#TheHashHere%& 0x195dc:$x3: %FTPDV$ 0x395fc:$x3: %FTPDV$ 0x17f98:$x4: $%TelegramDv$ 0x37fb8:$x4: $%TelegramDv$ 0x158e9:$x5: KeyLoggerEventArgs 0x15c7e:$x5: KeyLoggerEventArgs 0x35909:$x5: KeyLoggerEventArgs 0x35c9e:$x5: KeyLoggerEventArgs 0x19600:$m2: Clipboard Logs ID 0x1983e:$m2: Screenshot Logs ID 0x1994e:$m2: keystroke Logs ID 0x39620:$m2: Clipboard Logs ID 0x3985e:$m2: Screenshot Logs ID 0x3996e:$m2: keystroke Logs ID 0x19c28:$m3: SnakePW 0x39c48:$m3: SnakePW 0x19816:$m4: \SnakeKeylogger\
0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4f73ba8.0.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4f73ba8.0.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4f73ba8.0.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14676:$a1: get_encryptedPassword 0x34896:$a1: get_encryptedPassword 0x548b6:$a1: get_encryptedPassword 0x1495a:$a2: get_encryptedUsername 0x34b7a:$a2: get_encryptedUsername 0x54b9a:$a2: get_encryptedUsername 0x14472:$a3: get_timePasswordChanged 0x34692:$a3: get_timePasswordChanged 0x546b2:$a3: get_timePasswordChanged 0x1456d:$a4: get_passwordField 0x3478d:$a4: get_passwordField 0x547ad:$a4: get_passwordField 0x1468c:$a5: set_encryptedPassword 0x348ac:$a5: set_encryptedPassword 0x548cc:$a5: set_encryptedPassword 0x15d1b:$a7: get_logins 0x35f3b:$a7: get_logins 0x55f5b:$a7: get_logins 0x15c7e:$a10: KeyLoggerEventArgs 0x35e9e:$a10: KeyLoggerEventArgs 0x55ebe:$a10: KeyLoggerEventArgs
0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4f73ba8.0.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c014:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3c234:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x5c254:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b246:$a3: \Google\Chrome\User Data\Default\Login Data 0x3b466:$a3: \Google\Chrome\User Data\Default\Login Data 0x5b486:$a3: \Google\Chrome\User Data\Default\Login Data 0x1b679:$a4: \Orbitum\User Data\Default\Login Data 0x3b899:$a4: \Orbitum\User Data\Default\Login Data 0x5b8b9:$a4: \Orbitum\User Data\Default\Login Data 0x1c6b8:$a5: \Kometa\User Data\Default\Login Data 0x3c8d8:$a5: \Kometa\User Data\Default\Login Data 0x5c8f8:$a5: \Kometa\User Data\Default\Login Data
0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4f73ba8.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x15249:$s1: UnHook 0x35469:$s1: UnHook 0x55489:$s1: UnHook 0x15250:$s2: SetHook 0x35470:$s2: SetHook 0x55490:$s2: SetHook 0x15258:$s3: CallNextHook 0x35478:$s3: CallNextHook 0x55498:$s3: CallNextHook 0x15265:$s4: _hook 0x35485:$s4: _hook 0x554a5:$s4: _hook
0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4f73ba8.0.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19634:$x1: $%SMTPDV$ 0x39854:$x1: $%SMTPDV$ 0x59874:$x1: $%SMTPDV$ 0x17ff8:$x2: $#TheHashHere%& 0x38218:$x2: $#TheHashHere%& 0x58238:$x2: $#TheHashHere%& 0x195dc:$x3: %FTPDV$ 0x397fc:$x3: %FTPDV$ 0x5981c:$x3: %FTPDV$ 0x17f98:$x4: $%TelegramDv$ 0x381b8:$x4: $%TelegramDv$ 0x581d8:$x4: $%TelegramDv$ 0x158e9:$x5: KeyLoggerEventArgs 0x15c7e:$x5: KeyLoggerEventArgs 0x35b09:$x5: KeyLoggerEventArgs 0x35e9e:$x5: KeyLoggerEventArgs 0x55b29:$x5: KeyLoggerEventArgs 0x55ebe:$x5: KeyLoggerEventArgs 0x19600:$m2: Clipboard Logs ID 0x1983e:$m2: Screenshot Logs ID 0x1994e:$m2: keystroke Logs ID
Click to see the 23 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe", ParentImage: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, ParentProcessId: 6364, ParentProcessName: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe", ProcessId: 6956, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe", ParentImage: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, ParentProcessId: 6364, ParentProcessName: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe", ProcessId: 6956, ProcessName: powershell.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-01T05:22:29.305905+0200	2803305	3	Unknown Traffic	192.168.2.4	49736	188.114.96.3	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-01T05:22:27.555279+0200	2803274	2	Potentially Bad Traffic	192.168.2.4	49733	132.226.8.169	80	TCP
2024-10-01T05:22:28.727116+0200	2803274	2	Potentially Bad Traffic	192.168.2.4	49733	132.226.8.169	80	TCP
2024-10-01T05:22:31.461667+0200	2803274	2	Potentially Bad Traffic	192.168.2.4	49738	132.226.8.169	80	TCP
2024-10-01T05:22:34.586608+0200	2803274	2	Potentially Bad Traffic	192.168.2.4	49739	132.226.8.169	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000005.00000002.1963646151.0000000000402000.00000040.00000400.00020000.00000000.sdmp

Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Token": "6783395654:AAGHZk1wugh441q673h1nDNWiVYW4p6ewXc", "Chat_id": "-4209622687", "Version": "5.1"}

Multi AV Scanner detection for submitted file

Source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	ReversingLabs: Detection: 39%
Source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Virustotal: Detection: 43%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49734 version: TLS 1.0

Source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: xZjq.pdb source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1966452283.00000000062B3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: n.pdbexe source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1963806467.0000000000AF7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\Desktop\xZjq.pdb source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1966452283.00000000062B3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: nC:\Users\user\Desktop\xZjq.pdb source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1963806467.0000000000AF7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\mscorlib.pdbpdblib.pdbR source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1966452283.00000000062B3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\exe\xZjq.pdb source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1966452283.00000000062B3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: !!.pdb source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1963806467.0000000000AF7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb\|7C source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1966452283.0000000006270000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WER16B2.tmp.dmp.9.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WER16B2.tmp.dmp.9.dr
Source:	Binary string: System.Core.ni.pdb source: WER16B2.tmp.dmp.9.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.pdb*d source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1964270059.0000000000C86000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\xZjq.pdb source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1966452283.0000000006270000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: xZjq.pdbs\xZjq.pdbpdbZjq.pdb source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1963806467.0000000000AF7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdb source: WER16B2.tmp.dmp.9.dr
Source:	Binary string: \??\C:\Windows\xZjq.pdb^3? source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1966452283.0000000006270000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1966452283.00000000062B3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdbL0 source: WER16B2.tmp.dmp.9.dr
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb[7 source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1966452283.0000000006270000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WER16B2.tmp.dmp.9.dr
Source:	Binary string: System.Windows.Forms.pdb@ source: WER16B2.tmp.dmp.9.dr
Source:	Binary string: System.Xml.ni.pdb source: WER16B2.tmp.dmp.9.dr
Source:	Binary string: System.ni.pdbRSDS source: WER16B2.tmp.dmp.9.dr
Source:	Binary string: xZjq.pdbSHA256 source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe
Source:	Binary string: n@C:\Users\user\Desktop\xZjq.pdb $+ source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1963806467.0000000000AF7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\xZjq.pdbpdbZjq.pdb source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1966452283.00000000062B3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdb source: WER16B2.tmp.dmp.9.dr
Source:	Binary string: u.PDB source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1963806467.0000000000AF7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbl._ source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1964270059.0000000000C86000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1964270059.0000000000C86000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.PDB9 source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1966452283.00000000062B3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdbRSDS source: WER16B2.tmp.dmp.9.dr
Source:	Binary string: mscorlib.pdbvT source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1966452283.0000000006270000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.pdb source: WER16B2.tmp.dmp.9.dr
Source:	Binary string: System.Xml.pdb source: WER16B2.tmp.dmp.9.dr
Source:	Binary string: System.pdb source: WER16B2.tmp.dmp.9.dr
Source:	Binary string: \??\C:\Windows\System.Windows.Forms.pdbj0U source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1966452283.0000000006270000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Windows.Forms.pdb source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1966452283.00000000062B3000.00000004.00000020.00020000.00000000.sdmp, WER16B2.tmp.dmp.9.dr
Source:	Binary string: symbols\exe\xZjq.pdb source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1963806467.0000000000AF7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: WER16B2.tmp.dmp.9.dr
Source:	Binary string: System.Windows.Forms.pdbt source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1966452283.00000000062B3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\exe\xZjq.pdb source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1966452283.00000000062B3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdbH source: WER16B2.tmp.dmp.9.dr
Source:	Binary string: System.Core.pdb source: WER16B2.tmp.dmp.9.dr
Source:	Binary string: n(C:\Windows\xZjq.pdb source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1963806467.0000000000AF7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.pdb source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1964270059.0000000000C86000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.Windows.Forms.pdb source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1966452283.00000000062B3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\System.Windows.Forms.pdb source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1964270059.0000000000C86000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: xZjq.pdbh source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1966452283.00000000062B3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdb source: WER16B2.tmp.dmp.9.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER16B2.tmp.dmp.9.dr

Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe

Code function: 4x nop then jmp 07D46A66h

0_2_07D46E22

Networking

Yara detected Generic Downloader

Source: Yara match	File source: 5.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4f93dc8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4f73ba8.0.raw.unpack, type: UNPACKEDPE

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 132.226.8.169 132.226.8.169
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49738 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49733 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49739 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49736 -> 188.114.96.3:443

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown

HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49734 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org

Source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1965220734.0000000002AB8000.00000004.00000800.00020000.00000000.sdmp, Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1965220734.0000000002A26000.00000004.00000800.00020000.00000000.sdmp, Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1965220734.0000000002AD5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1965220734.0000000002AB8000.00000004.00000800.00020000.00000000.sdmp, Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1965220734.0000000002961000.00000004.00000800.00020000.00000000.sdmp, Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1965220734.0000000002A68000.00000004.00000800.00020000.00000000.sdmp, Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1965220734.0000000002A26000.00000004.00000800.00020000.00000000.sdmp, Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1965220734.0000000002AD5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1965220734.0000000002961000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000000.00000002.1677007999.0000000004F73000.00000004.00000800.00020000.00000000.sdmp, Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1963646151.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1965220734.0000000002AB8000.00000004.00000800.00020000.00000000.sdmp, Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1965220734.0000000002A40000.00000004.00000800.00020000.00000000.sdmp, Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1965220734.0000000002AD5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000000.00000002.1676535637.0000000003640000.00000004.00000800.00020000.00000000.sdmp, Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1965220734.0000000002961000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.9.dr	String found in binary or memory: http://upx.sf.net
Source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000000.00000002.1678626025.0000000007582000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000000.00000002.1678626025.0000000007582000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000000.00000002.1678626025.0000000007582000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000000.00000002.1678626025.0000000007582000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000000.00000002.1678626025.0000000007582000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000000.00000002.1678626025.0000000007582000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000000.00000002.1678626025.0000000007582000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000000.00000002.1678626025.0000000007582000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000000.00000002.1678626025.0000000007582000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000000.00000002.1678626025.0000000007582000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000000.00000002.1678626025.0000000007582000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000000.00000002.1678626025.0000000007582000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000000.00000002.1678626025.0000000007582000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000000.00000002.1678626025.0000000007582000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000000.00000002.1678626025.0000000007582000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000000.00000002.1678626025.0000000007582000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000000.00000002.1678626025.0000000007582000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000000.00000002.1678626025.0000000007582000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000000.00000002.1678626025.0000000007582000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000000.00000002.1678626025.0000000007582000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000000.00000002.1678544794.0000000005EF4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.comP&
Source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000000.00000002.1678626025.0000000007582000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000000.00000002.1678626025.0000000007582000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000000.00000002.1678626025.0000000007582000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000000.00000002.1678626025.0000000007582000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000000.00000002.1678626025.0000000007582000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1965220734.0000000002AB8000.00000004.00000800.00020000.00000000.sdmp, Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1965220734.0000000002A68000.00000004.00000800.00020000.00000000.sdmp, Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1965220734.0000000002A26000.00000004.00000800.00020000.00000000.sdmp, Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1965220734.0000000002AD5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000000.00000002.1677007999.0000000004F73000.00000004.00000800.00020000.00000000.sdmp, Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1963646151.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1965220734.0000000002A26000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1965220734.0000000002AD5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33
Source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1965220734.0000000002AB8000.00000004.00000800.00020000.00000000.sdmp, Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1965220734.0000000002A68000.00000004.00000800.00020000.00000000.sdmp, Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1965220734.0000000002AD5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33$

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4f93dc8.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4f93dc8.4.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4f93dc8.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4f93dc8.4.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 5.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 5.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 5.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 5.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4f73ba8.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4f73ba8.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4f73ba8.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4f73ba8.0.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4f93dc8.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4f93dc8.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4f93dc8.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4f93dc8.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4f73ba8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4f73ba8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4f73ba8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4f73ba8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000005.00000002.1963646151.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000005.00000002.1963646151.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000002.1677007999.0000000004F73000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.1677007999.0000000004F73000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe PID: 6364, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe PID: 6364, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe PID: 7032, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe PID: 7032, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe

Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Code function: 0_2_0322D5BC	0_2_0322D5BC
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Code function: 0_2_059E6FD8	0_2_059E6FD8
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Code function: 0_2_059E0006	0_2_059E0006
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Code function: 0_2_059E0040	0_2_059E0040
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Code function: 0_2_059E6FC8	0_2_059E6FC8
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Code function: 0_2_07D43510	0_2_07D43510
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Code function: 0_2_07D43501	0_2_07D43501
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Code function: 0_2_07D44410	0_2_07D44410
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Code function: 0_2_07D43F18	0_2_07D43F18
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Code function: 0_2_07D43F08	0_2_07D43F08
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Code function: 0_2_07D41D10	0_2_07D41D10
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Code function: 0_2_07D418D8	0_2_07D418D8
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Code function: 5_2_00F9C1DF	5_2_00F9C1DF
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Code function: 5_2_00F96108	5_2_00F96108
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Code function: 5_2_00F9B328	5_2_00F9B328
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Code function: 5_2_00F9C4BF	5_2_00F9C4BF
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Code function: 5_2_00F99540	5_2_00F99540
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Code function: 5_2_00F9C79F	5_2_00F9C79F
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Code function: 5_2_00F96880	5_2_00F96880
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Code function: 5_2_00F94AE7	5_2_00F94AE7
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Code function: 5_2_00F9CA7F	5_2_00F9CA7F
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Code function: 5_2_00F9BBDF	5_2_00F9BBDF
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Code function: 5_2_00F9CD5F	5_2_00F9CD5F
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Code function: 5_2_00F93570	5_2_00F93570

Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7032 -s 2536

Source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000000.00000002.1676535637.0000000003640000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe
Source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000000.00000002.1679217876.0000000007CD0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe
Source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000000.00000000.1638029816.0000000000F08000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamexZjq.exeF vs Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe
Source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000000.00000002.1677007999.0000000004CBA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe
Source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000000.00000002.1675498294.000000000149E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe
Source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000000.00000002.1677007999.0000000004F73000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe
Source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1963646151.0000000000422000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe
Source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Binary or memory string: OriginalFilenamexZjq.exeF vs Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe

Source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4f93dc8.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4f93dc8.4.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4f93dc8.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4f93dc8.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 5.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 5.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 5.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4f73ba8.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4f73ba8.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4f73ba8.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4f73ba8.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4f93dc8.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4f93dc8.4.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4f93dc8.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4f93dc8.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4f73ba8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4f73ba8.0.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4f73ba8.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4f73ba8.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000005.00000002.1963646151.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000005.00000002.1963646151.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000002.1677007999.0000000004F73000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.1677007999.0000000004F73000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe PID: 6364, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe PID: 6364, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe PID: 7032, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe PID: 7032, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger

Source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4f73ba8.0.raw.unpack, Z.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4f73ba8.0.raw.unpack, Z.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4f73ba8.0.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4f73ba8.0.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4f93dc8.4.raw.unpack, Z.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4f93dc8.4.raw.unpack, Z.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4f93dc8.4.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4f93dc8.4.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4f73ba8.0.raw.unpack, -.cs	Base64 encoded string: 'G4pV1kZlzrWG3ii/qsKXSnYs+5NUWVZZLTztKeesew9//zKKMVqxJyBhDWLI4hit'
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4f93dc8.4.raw.unpack, -.cs	Base64 encoded string: 'G4pV1kZlzrWG3ii/qsKXSnYs+5NUWVZZLTztKeesew9//zKKMVqxJyBhDWLI4hit'

Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4eb4930.5.raw.unpack, gSpCmqtxabgBVI8i5l.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4eb4930.5.raw.unpack, gSpCmqtxabgBVI8i5l.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4eb4930.5.raw.unpack, gSpCmqtxabgBVI8i5l.cs	Security API names: _0020.AddAccessRule
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.7cd0000.7.raw.unpack, gSpCmqtxabgBVI8i5l.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.7cd0000.7.raw.unpack, gSpCmqtxabgBVI8i5l.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.7cd0000.7.raw.unpack, gSpCmqtxabgBVI8i5l.cs	Security API names: _0020.AddAccessRule
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.7cd0000.7.raw.unpack, YyDoaCV4XL6YvGn57w.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4eb4930.5.raw.unpack, YyDoaCV4XL6YvGn57w.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4e53110.2.raw.unpack, gSpCmqtxabgBVI8i5l.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4e53110.2.raw.unpack, gSpCmqtxabgBVI8i5l.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4e53110.2.raw.unpack, gSpCmqtxabgBVI8i5l.cs	Security API names: _0020.AddAccessRule
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4e53110.2.raw.unpack, YyDoaCV4XL6YvGn57w.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.evad.winEXE@9/11@2/2

Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.log

Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7032
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6948:120:WilError_03
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Mutant created: \Sessions\1\BaseNamedObjects\vPntyf

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ft1l0bfw.inc.ps1

Jump to behavior

Source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	ReversingLabs: Detection: 39%
Source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Virustotal: Detection: 43%

Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe

File read: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe "C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe"
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe"
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Process created: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe "C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Process created: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe "C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe"
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7032 -s 2536
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Process created: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe "C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Process created: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe "C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Section loaded: gpapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: xZjq.pdb source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1966452283.00000000062B3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: n.pdbexe source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1963806467.0000000000AF7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\Desktop\xZjq.pdb source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1966452283.00000000062B3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: nC:\Users\user\Desktop\xZjq.pdb source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1963806467.0000000000AF7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\mscorlib.pdbpdblib.pdbR source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1966452283.00000000062B3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\exe\xZjq.pdb source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1966452283.00000000062B3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: !!.pdb source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1963806467.0000000000AF7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb\|7C source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1966452283.0000000006270000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WER16B2.tmp.dmp.9.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WER16B2.tmp.dmp.9.dr
Source:	Binary string: System.Core.ni.pdb source: WER16B2.tmp.dmp.9.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.pdb*d source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1964270059.0000000000C86000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\xZjq.pdb source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1966452283.0000000006270000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: xZjq.pdbs\xZjq.pdbpdbZjq.pdb source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1963806467.0000000000AF7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdb source: WER16B2.tmp.dmp.9.dr
Source:	Binary string: \??\C:\Windows\xZjq.pdb^3? source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1966452283.0000000006270000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1966452283.00000000062B3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdbL0 source: WER16B2.tmp.dmp.9.dr
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb[7 source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1966452283.0000000006270000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WER16B2.tmp.dmp.9.dr
Source:	Binary string: System.Windows.Forms.pdb@ source: WER16B2.tmp.dmp.9.dr
Source:	Binary string: System.Xml.ni.pdb source: WER16B2.tmp.dmp.9.dr
Source:	Binary string: System.ni.pdbRSDS source: WER16B2.tmp.dmp.9.dr
Source:	Binary string: xZjq.pdbSHA256 source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe
Source:	Binary string: n@C:\Users\user\Desktop\xZjq.pdb $+ source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1963806467.0000000000AF7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\xZjq.pdbpdbZjq.pdb source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1966452283.00000000062B3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdb source: WER16B2.tmp.dmp.9.dr
Source:	Binary string: u.PDB source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1963806467.0000000000AF7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbl._ source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1964270059.0000000000C86000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1964270059.0000000000C86000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.PDB9 source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1966452283.00000000062B3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdbRSDS source: WER16B2.tmp.dmp.9.dr
Source:	Binary string: mscorlib.pdbvT source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1966452283.0000000006270000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.pdb source: WER16B2.tmp.dmp.9.dr
Source:	Binary string: System.Xml.pdb source: WER16B2.tmp.dmp.9.dr
Source:	Binary string: System.pdb source: WER16B2.tmp.dmp.9.dr
Source:	Binary string: \??\C:\Windows\System.Windows.Forms.pdbj0U source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1966452283.0000000006270000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Windows.Forms.pdb source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1966452283.00000000062B3000.00000004.00000020.00020000.00000000.sdmp, WER16B2.tmp.dmp.9.dr
Source:	Binary string: symbols\exe\xZjq.pdb source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1963806467.0000000000AF7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: WER16B2.tmp.dmp.9.dr
Source:	Binary string: System.Windows.Forms.pdbt source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1966452283.00000000062B3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\exe\xZjq.pdb source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1966452283.00000000062B3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdbH source: WER16B2.tmp.dmp.9.dr
Source:	Binary string: System.Core.pdb source: WER16B2.tmp.dmp.9.dr
Source:	Binary string: n(C:\Windows\xZjq.pdb source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1963806467.0000000000AF7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.pdb source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1964270059.0000000000C86000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.Windows.Forms.pdb source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1966452283.00000000062B3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\System.Windows.Forms.pdb source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1964270059.0000000000C86000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: xZjq.pdbh source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1966452283.00000000062B3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdb source: WER16B2.tmp.dmp.9.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER16B2.tmp.dmp.9.dr

Data Obfuscation

.NET source code contains potential unpacker

Source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, Form1.cs	.Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4489c80.1.raw.unpack, MainForm.cs	.Net Code: _200E_200C_200B_202B_202E_200E_200E_202D_200B_206C_202C_202B_200B_200F_200E_206F_206C_202C_202D_200E_206E_206E_200C_206D_202C_200B_200E_202B_200B_206A_202E_206A_202E_206E_206E_206A_206C_206A_206F_202E_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4e53110.2.raw.unpack, gSpCmqtxabgBVI8i5l.cs	.Net Code: hsUh1RQq3d System.Reflection.Assembly.Load(byte[])
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.44a1ea0.3.raw.unpack, MainForm.cs	.Net Code: _200E_200C_200B_202B_202E_200E_200E_202D_200B_206C_202C_202B_200B_200F_200E_206F_206C_202C_202D_200E_206E_206E_200C_206D_202C_200B_200E_202B_200B_206A_202E_206A_202E_206E_206E_206A_206C_206A_206F_202E_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4eb4930.5.raw.unpack, gSpCmqtxabgBVI8i5l.cs	.Net Code: hsUh1RQq3d System.Reflection.Assembly.Load(byte[])
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.7cd0000.7.raw.unpack, gSpCmqtxabgBVI8i5l.cs	.Net Code: hsUh1RQq3d System.Reflection.Assembly.Load(byte[])
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.5d70000.6.raw.unpack, MainForm.cs	.Net Code: _200E_200C_200B_202B_202E_200E_200E_202D_200B_206C_202C_202B_200B_200F_200E_206F_206C_202C_202D_200E_206E_206E_200C_206D_202C_200B_200E_202B_200B_206A_202E_206A_202E_206E_206E_206A_206C_206A_206F_202E_202E System.Reflection.Assembly.Load(byte[])

Source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe

Static PE information: 0x8E983937 [Mon Oct 23 03:06:31 2045 UTC]

Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Code function: 0_2_07D40DC0 push esp; iretd	0_2_07D40DC1
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Code function: 0_2_07D49A35 push FFFFFF8Bh; iretd	0_2_07D49A37
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Code function: 5_2_00F9B328 push ebp; ret	5_2_00F9B4FE
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Code function: 5_2_00F9D030 push esp; ret	5_2_00F9D03E
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Code function: 5_2_00F9C1D1 push ebp; ret	5_2_00F9C1DE
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Code function: 5_2_00F9C4B1 push ebp; ret	5_2_00F9C4BE
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Code function: 5_2_00F914A8 push edx; ret	5_2_00F914B6
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Code function: 5_2_00F93570 push esp; ret	5_2_00F93906
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Code function: 5_2_00F907DF push edi; ret	5_2_00F907E2
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Code function: 5_2_00F907B8 push ebp; ret	5_2_00F907C2
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Code function: 5_2_00F90778 push ebp; ret	5_2_00F90782
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Code function: 5_2_00F918B8 push ebx; ret	5_2_00F918C6
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Code function: 5_2_00F9D900 push esp; ret	5_2_00F9D90E
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Code function: 5_2_00F94AD9 push esp; ret	5_2_00F94AE6
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Code function: 5_2_00F9CA70 push ebp; ret	5_2_00F9CA7E
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Code function: 5_2_00F9BBD2 push ebp; ret	5_2_00F9BBDE
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Code function: 5_2_00F90C8F push edx; ret	5_2_00F90C9E
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Code function: 5_2_00F9CD51 push ebp; ret	5_2_00F9CD5E

Source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe

Static PE information: section name: .text entropy: 7.647044566215728

Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4e53110.2.raw.unpack, NdgYdto4tahmEQdqZr.cs	High entropy of concatenated method names: 'wujGUvCZli', 'CNPGjSFaxs', 'KgCG1O3jbQ', 'oxbGOU92Y0', 'rLcG04B6Eb', 'GQUGeLGilw', 'muEGv61uCJ', 'GM6GVpyfuc', 'fOdG9CfZ0H', 'hSgGFO5gCm'
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4e53110.2.raw.unpack, dy4xLZhqMOhdrZ6HKG.cs	High entropy of concatenated method names: 'HEDyGyDoaC', 'SXLyt6YvGn', 'sn7y5sw2aj', 'etMybWxl9p', 'dHhyuTCHlf', 'rUgygdWbfx', 'gy89CHUDnHLeakcNkg', 'WfW06Qb3N63ZJ9Tf0u', 'WAhyysbw69', 'YpiyIapCSY'
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4e53110.2.raw.unpack, wOfryEKJFo7xTnyYSv.cs	High entropy of concatenated method names: 'F7fiVyymFj', 'zUJi9n5SY7', 'qX6ik7juiX', 'vR6i7Ugoss', 'tgPiYpTfeB', 'BnOiWUeKvE', 'Jm6iCwr6wk', 'qXgiwHtkof', 'HweiL1PUBY', 'diGiZ0rU2I'
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4e53110.2.raw.unpack, hfNmbTDiry0or0Cyxa.cs	High entropy of concatenated method names: 'XuIXyd7SfG', 'KqrXIyj7oA', 'Nu9Xhio5Mx', 'IQnXMCYN5K', 'XbKXqxiRaM', 'SKTXA8jELC', 'LfnXHl4PLh', 'tIhBRHRycB', 'sTJBng1kBo', 'gR1BlQXxcI'
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4e53110.2.raw.unpack, YyDoaCV4XL6YvGn57w.cs	High entropy of concatenated method names: 'mP7q2i1brC', 'LwaqEyMtps', 'VDJq4CGnVp', 'osTqpD7yT9', 'PjQqQyapjh', 'CgVqS8l7cl', 'D4yqRX750Z', 'BOlqnyFkCP', 'kiBqlxWIDq', 'hHYqD8hsWT'
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4e53110.2.raw.unpack, bCBBcb25EVcefRsDTB.cs	High entropy of concatenated method names: 'FkiuLdBiUB', 'Ch4uffEOIr', 'Rubu2yKRS5', 'xUouEc3xXp', 'Uo6u7cpP0j', 'UGeucbXH4r', 'nHkuYlwZVI', 'pR8uWWdpmN', 'HxBuTAS6EV', 'kEPuC6lR47'
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4e53110.2.raw.unpack, Ymx7jtyy97yLa3jx5ub.cs	High entropy of concatenated method names: 'ToString', 'UVK6IMx5eb', 'aFo6hY7Eva', 'kgD6PogQ3n', 'N1D6Mm1wFm', 'zoC6qp1Pvu', 'smd6mhopIm', 'ziB6AZVSXO', 'gB35Ut0kkEAF1lk2bLD', 'a9bRQr0BFYqK30fgcuP'
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4e53110.2.raw.unpack, wZo2QMqKw7NWpE8OiU.cs	High entropy of concatenated method names: 'Dispose', 'ggwylWxY9v', 'zJRd7IJ2xV', 'PXc33GjkcH', 'GB5yD3PNTr', 'cD9yzxoElo', 'ProcessDialogKey', 'JihdsKUU8l', 'ARIdypHEHd', 'Kw9ddAfNmb'
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4e53110.2.raw.unpack, OOC7qVTGyde1j7I5Vv.cs	High entropy of concatenated method names: 'u6JH4X5ceH', 'RRaHpRGq1l', 'u09HQBm7r9', 'ToString', 'ksOHSCAv6A', 'JfTHRyVrdv', 'CspdehmiLZD3D28aOEW', 'A5QjgZmvBcuCbdklAM7'
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4e53110.2.raw.unpack, N2L5uiyIVv4xjOCY30P.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'big62lAGVN', 'tQy6EFJLIk', 'ClS64YYCNl', 'QNn6pm2ab0', 'hNa6QKk4Wq', 'P8X6SsyHJ3', 'nJo6ROVNGa'
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4e53110.2.raw.unpack, j3gFaxSn1KuexmQWEK.cs	High entropy of concatenated method names: 'jRsanDVJe8', 'fHaaDRYNnZ', 'zMqBshKMpm', 'hxIByuqX1o', 'mFZaZ24GQQ', 'o17af0BOIK', 'eF1aKKFbTR', 'nlra2Pw4fM', 'uaGaEbyqmO', 'vdGa4M0Ohj'
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4e53110.2.raw.unpack, dLhNXKysico8ZTaQFMI.cs	High entropy of concatenated method names: 'EYDXUct3IS', 'GIVXj3pgyV', 'h1BX13fC9A', 'R74XODty0I', 'mUeX0IZbO5', 'aUhXewXhlU', 'gwMXvhZaun', 'LNZXVNsW4H', 'MbWX9bj8cC', 'ILoXFRgOyk'
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4e53110.2.raw.unpack, dKUU8ll0RIpHEHdTw9.cs	High entropy of concatenated method names: 'xDRBkZFdYn', 'XiMB7aEW78', 'st7BcXnHkT', 'bOmBYZyPyQ', 'fKJB2SfX47', 'TQgBWC3TFp', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4e53110.2.raw.unpack, q53PNTnrID9xoEloWi.cs	High entropy of concatenated method names: 'phEBMPYBkL', 'IZ3BqaxUNR', 'EoWBmaSV6M', 's3BBAJGu12', 'HGmBHpVaHB', 'DhsBGUWtGf', 'CERBt1RBSx', 'L8nBJysbcb', 'm5ZB5rfHBf', 'D07Bb1hyOY'
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4e53110.2.raw.unpack, tl9p6JFu1ULHBIHhTC.cs	High entropy of concatenated method names: 'ic9A0Xs6mS', 'Wp2AvaY377', 'PNCmcH0IFA', 'llsmYILuEc', 'hU3mWwhb6P', 'eawmTcjilh', 'K0dmCikjuX', 'yu8mw6MAHW', 'WcFmodsO4C', 'eGPmLQl6ee'
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4e53110.2.raw.unpack, soqRI69n7sw2ajPtMW.cs	High entropy of concatenated method names: 'MlfmOn7vm9', 'WJgmeimrmF', 't4dmVD715j', 'tVom9bLUu9', 'zQ7muoVhQt', 'NyYmg6fD3o', 'lramaylYXO', 'odRmB9FGcW', 'h80mXJWQIK', 'ztvm69yEQu'
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4e53110.2.raw.unpack, vxGZ4lpgxdYUpSrWVq.cs	High entropy of concatenated method names: 'yWNa5vgET7', 'gqKabQ6Qk8', 'ToString', 'w7kaMkhU3p', 'Rnjaq0jjgR', 'Y4namiPD1j', 'yPNaA1hJrD', 'yjBaHVLIPJ', 'dLAaGF5fg4', 'uckatyYfWM'
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4e53110.2.raw.unpack, rMeTksd0q4hASIEF7p.cs	High entropy of concatenated method names: 'PSm1HgPq0', 'eO3Ob3q7F', 'MnxewpW9B', 'RH8vyeCCp', 'PF89Cxr7l', 'edJFcsvho', 'hdDChJhJ6BHrA0dGWA', 'ilNFwVTvmhA6LxEyOC', 'gUiBmGYYx', 'RRi6fllCW'
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4e53110.2.raw.unpack, T2f5jkYbysOmyr2JBk.cs	High entropy of concatenated method names: 'kG7HNQMmuo', 'XxWHUoo4m0', 'NdjH1S5DSd', 'RmqHOwEYlq', 'QEWHeix4GC', 'KuJHv3tSrR', 'GL4H9NAn0R', 'T2LHF1Cw69', 'z6hOb2mJYOrJLsBZ6Mf', 'CW9WM2m8r18GUyW4I5g'
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4e53110.2.raw.unpack, gSpCmqtxabgBVI8i5l.cs	High entropy of concatenated method names: 'ixpIPx0Me5', 'krOIMR3b08', 'XIpIq0MoYg', 'QFJImjg2Q4', 'PDyIAcxJA9', 'RqhIHO76QJ', 'Ia9IGAJi1u', 'ekTItlBYsh', 'VBOIJnD0gT', 'iOUI5p6TTP'
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4e53110.2.raw.unpack, N3hqEl418ZpQYWVLLh.cs	High entropy of concatenated method names: 'ToString', 'UaSgZ5pK7E', 'UHng7PFhkW', 'WfbgcTyIND', 'WIxgYXuwr8', 'Ge5gWcfoQe', 'FnlgTe0Hod', 'zFCgCqikoC', 'SVwgwhtY5I', 'hXfgoOPTxU'
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4e53110.2.raw.unpack, jlfBUgkdWbfx37dOF6.cs	High entropy of concatenated method names: 'p3UHPrWJA4', 'v9HHqL5ETY', 'vXTHAfRnuc', 'LYIHGX0iyq', 'j5QHtpwc2j', 'j4bAQk6fsV', 'm8wASNeJSb', 'n4yARJlyW6', 'JVKAn1mEiV', 'NE7AlWucSc'
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4eb4930.5.raw.unpack, NdgYdto4tahmEQdqZr.cs	High entropy of concatenated method names: 'wujGUvCZli', 'CNPGjSFaxs', 'KgCG1O3jbQ', 'oxbGOU92Y0', 'rLcG04B6Eb', 'GQUGeLGilw', 'muEGv61uCJ', 'GM6GVpyfuc', 'fOdG9CfZ0H', 'hSgGFO5gCm'
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4eb4930.5.raw.unpack, dy4xLZhqMOhdrZ6HKG.cs	High entropy of concatenated method names: 'HEDyGyDoaC', 'SXLyt6YvGn', 'sn7y5sw2aj', 'etMybWxl9p', 'dHhyuTCHlf', 'rUgygdWbfx', 'gy89CHUDnHLeakcNkg', 'WfW06Qb3N63ZJ9Tf0u', 'WAhyysbw69', 'YpiyIapCSY'
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4eb4930.5.raw.unpack, wOfryEKJFo7xTnyYSv.cs	High entropy of concatenated method names: 'F7fiVyymFj', 'zUJi9n5SY7', 'qX6ik7juiX', 'vR6i7Ugoss', 'tgPiYpTfeB', 'BnOiWUeKvE', 'Jm6iCwr6wk', 'qXgiwHtkof', 'HweiL1PUBY', 'diGiZ0rU2I'
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4eb4930.5.raw.unpack, hfNmbTDiry0or0Cyxa.cs	High entropy of concatenated method names: 'XuIXyd7SfG', 'KqrXIyj7oA', 'Nu9Xhio5Mx', 'IQnXMCYN5K', 'XbKXqxiRaM', 'SKTXA8jELC', 'LfnXHl4PLh', 'tIhBRHRycB', 'sTJBng1kBo', 'gR1BlQXxcI'
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4eb4930.5.raw.unpack, YyDoaCV4XL6YvGn57w.cs	High entropy of concatenated method names: 'mP7q2i1brC', 'LwaqEyMtps', 'VDJq4CGnVp', 'osTqpD7yT9', 'PjQqQyapjh', 'CgVqS8l7cl', 'D4yqRX750Z', 'BOlqnyFkCP', 'kiBqlxWIDq', 'hHYqD8hsWT'
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4eb4930.5.raw.unpack, bCBBcb25EVcefRsDTB.cs	High entropy of concatenated method names: 'FkiuLdBiUB', 'Ch4uffEOIr', 'Rubu2yKRS5', 'xUouEc3xXp', 'Uo6u7cpP0j', 'UGeucbXH4r', 'nHkuYlwZVI', 'pR8uWWdpmN', 'HxBuTAS6EV', 'kEPuC6lR47'
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4eb4930.5.raw.unpack, Ymx7jtyy97yLa3jx5ub.cs	High entropy of concatenated method names: 'ToString', 'UVK6IMx5eb', 'aFo6hY7Eva', 'kgD6PogQ3n', 'N1D6Mm1wFm', 'zoC6qp1Pvu', 'smd6mhopIm', 'ziB6AZVSXO', 'gB35Ut0kkEAF1lk2bLD', 'a9bRQr0BFYqK30fgcuP'
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4eb4930.5.raw.unpack, wZo2QMqKw7NWpE8OiU.cs	High entropy of concatenated method names: 'Dispose', 'ggwylWxY9v', 'zJRd7IJ2xV', 'PXc33GjkcH', 'GB5yD3PNTr', 'cD9yzxoElo', 'ProcessDialogKey', 'JihdsKUU8l', 'ARIdypHEHd', 'Kw9ddAfNmb'
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4eb4930.5.raw.unpack, OOC7qVTGyde1j7I5Vv.cs	High entropy of concatenated method names: 'u6JH4X5ceH', 'RRaHpRGq1l', 'u09HQBm7r9', 'ToString', 'ksOHSCAv6A', 'JfTHRyVrdv', 'CspdehmiLZD3D28aOEW', 'A5QjgZmvBcuCbdklAM7'
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4eb4930.5.raw.unpack, N2L5uiyIVv4xjOCY30P.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'big62lAGVN', 'tQy6EFJLIk', 'ClS64YYCNl', 'QNn6pm2ab0', 'hNa6QKk4Wq', 'P8X6SsyHJ3', 'nJo6ROVNGa'
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4eb4930.5.raw.unpack, j3gFaxSn1KuexmQWEK.cs	High entropy of concatenated method names: 'jRsanDVJe8', 'fHaaDRYNnZ', 'zMqBshKMpm', 'hxIByuqX1o', 'mFZaZ24GQQ', 'o17af0BOIK', 'eF1aKKFbTR', 'nlra2Pw4fM', 'uaGaEbyqmO', 'vdGa4M0Ohj'
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4eb4930.5.raw.unpack, dLhNXKysico8ZTaQFMI.cs	High entropy of concatenated method names: 'EYDXUct3IS', 'GIVXj3pgyV', 'h1BX13fC9A', 'R74XODty0I', 'mUeX0IZbO5', 'aUhXewXhlU', 'gwMXvhZaun', 'LNZXVNsW4H', 'MbWX9bj8cC', 'ILoXFRgOyk'
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4eb4930.5.raw.unpack, dKUU8ll0RIpHEHdTw9.cs	High entropy of concatenated method names: 'xDRBkZFdYn', 'XiMB7aEW78', 'st7BcXnHkT', 'bOmBYZyPyQ', 'fKJB2SfX47', 'TQgBWC3TFp', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4eb4930.5.raw.unpack, q53PNTnrID9xoEloWi.cs	High entropy of concatenated method names: 'phEBMPYBkL', 'IZ3BqaxUNR', 'EoWBmaSV6M', 's3BBAJGu12', 'HGmBHpVaHB', 'DhsBGUWtGf', 'CERBt1RBSx', 'L8nBJysbcb', 'm5ZB5rfHBf', 'D07Bb1hyOY'
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4eb4930.5.raw.unpack, tl9p6JFu1ULHBIHhTC.cs	High entropy of concatenated method names: 'ic9A0Xs6mS', 'Wp2AvaY377', 'PNCmcH0IFA', 'llsmYILuEc', 'hU3mWwhb6P', 'eawmTcjilh', 'K0dmCikjuX', 'yu8mw6MAHW', 'WcFmodsO4C', 'eGPmLQl6ee'
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4eb4930.5.raw.unpack, soqRI69n7sw2ajPtMW.cs	High entropy of concatenated method names: 'MlfmOn7vm9', 'WJgmeimrmF', 't4dmVD715j', 'tVom9bLUu9', 'zQ7muoVhQt', 'NyYmg6fD3o', 'lramaylYXO', 'odRmB9FGcW', 'h80mXJWQIK', 'ztvm69yEQu'
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4eb4930.5.raw.unpack, vxGZ4lpgxdYUpSrWVq.cs	High entropy of concatenated method names: 'yWNa5vgET7', 'gqKabQ6Qk8', 'ToString', 'w7kaMkhU3p', 'Rnjaq0jjgR', 'Y4namiPD1j', 'yPNaA1hJrD', 'yjBaHVLIPJ', 'dLAaGF5fg4', 'uckatyYfWM'
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4eb4930.5.raw.unpack, rMeTksd0q4hASIEF7p.cs	High entropy of concatenated method names: 'PSm1HgPq0', 'eO3Ob3q7F', 'MnxewpW9B', 'RH8vyeCCp', 'PF89Cxr7l', 'edJFcsvho', 'hdDChJhJ6BHrA0dGWA', 'ilNFwVTvmhA6LxEyOC', 'gUiBmGYYx', 'RRi6fllCW'
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4eb4930.5.raw.unpack, T2f5jkYbysOmyr2JBk.cs	High entropy of concatenated method names: 'kG7HNQMmuo', 'XxWHUoo4m0', 'NdjH1S5DSd', 'RmqHOwEYlq', 'QEWHeix4GC', 'KuJHv3tSrR', 'GL4H9NAn0R', 'T2LHF1Cw69', 'z6hOb2mJYOrJLsBZ6Mf', 'CW9WM2m8r18GUyW4I5g'
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4eb4930.5.raw.unpack, gSpCmqtxabgBVI8i5l.cs	High entropy of concatenated method names: 'ixpIPx0Me5', 'krOIMR3b08', 'XIpIq0MoYg', 'QFJImjg2Q4', 'PDyIAcxJA9', 'RqhIHO76QJ', 'Ia9IGAJi1u', 'ekTItlBYsh', 'VBOIJnD0gT', 'iOUI5p6TTP'
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4eb4930.5.raw.unpack, N3hqEl418ZpQYWVLLh.cs	High entropy of concatenated method names: 'ToString', 'UaSgZ5pK7E', 'UHng7PFhkW', 'WfbgcTyIND', 'WIxgYXuwr8', 'Ge5gWcfoQe', 'FnlgTe0Hod', 'zFCgCqikoC', 'SVwgwhtY5I', 'hXfgoOPTxU'
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4eb4930.5.raw.unpack, jlfBUgkdWbfx37dOF6.cs	High entropy of concatenated method names: 'p3UHPrWJA4', 'v9HHqL5ETY', 'vXTHAfRnuc', 'LYIHGX0iyq', 'j5QHtpwc2j', 'j4bAQk6fsV', 'm8wASNeJSb', 'n4yARJlyW6', 'JVKAn1mEiV', 'NE7AlWucSc'
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.7cd0000.7.raw.unpack, NdgYdto4tahmEQdqZr.cs	High entropy of concatenated method names: 'wujGUvCZli', 'CNPGjSFaxs', 'KgCG1O3jbQ', 'oxbGOU92Y0', 'rLcG04B6Eb', 'GQUGeLGilw', 'muEGv61uCJ', 'GM6GVpyfuc', 'fOdG9CfZ0H', 'hSgGFO5gCm'
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.7cd0000.7.raw.unpack, dy4xLZhqMOhdrZ6HKG.cs	High entropy of concatenated method names: 'HEDyGyDoaC', 'SXLyt6YvGn', 'sn7y5sw2aj', 'etMybWxl9p', 'dHhyuTCHlf', 'rUgygdWbfx', 'gy89CHUDnHLeakcNkg', 'WfW06Qb3N63ZJ9Tf0u', 'WAhyysbw69', 'YpiyIapCSY'
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.7cd0000.7.raw.unpack, wOfryEKJFo7xTnyYSv.cs	High entropy of concatenated method names: 'F7fiVyymFj', 'zUJi9n5SY7', 'qX6ik7juiX', 'vR6i7Ugoss', 'tgPiYpTfeB', 'BnOiWUeKvE', 'Jm6iCwr6wk', 'qXgiwHtkof', 'HweiL1PUBY', 'diGiZ0rU2I'
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.7cd0000.7.raw.unpack, hfNmbTDiry0or0Cyxa.cs	High entropy of concatenated method names: 'XuIXyd7SfG', 'KqrXIyj7oA', 'Nu9Xhio5Mx', 'IQnXMCYN5K', 'XbKXqxiRaM', 'SKTXA8jELC', 'LfnXHl4PLh', 'tIhBRHRycB', 'sTJBng1kBo', 'gR1BlQXxcI'
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.7cd0000.7.raw.unpack, YyDoaCV4XL6YvGn57w.cs	High entropy of concatenated method names: 'mP7q2i1brC', 'LwaqEyMtps', 'VDJq4CGnVp', 'osTqpD7yT9', 'PjQqQyapjh', 'CgVqS8l7cl', 'D4yqRX750Z', 'BOlqnyFkCP', 'kiBqlxWIDq', 'hHYqD8hsWT'
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.7cd0000.7.raw.unpack, bCBBcb25EVcefRsDTB.cs	High entropy of concatenated method names: 'FkiuLdBiUB', 'Ch4uffEOIr', 'Rubu2yKRS5', 'xUouEc3xXp', 'Uo6u7cpP0j', 'UGeucbXH4r', 'nHkuYlwZVI', 'pR8uWWdpmN', 'HxBuTAS6EV', 'kEPuC6lR47'
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.7cd0000.7.raw.unpack, Ymx7jtyy97yLa3jx5ub.cs	High entropy of concatenated method names: 'ToString', 'UVK6IMx5eb', 'aFo6hY7Eva', 'kgD6PogQ3n', 'N1D6Mm1wFm', 'zoC6qp1Pvu', 'smd6mhopIm', 'ziB6AZVSXO', 'gB35Ut0kkEAF1lk2bLD', 'a9bRQr0BFYqK30fgcuP'
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.7cd0000.7.raw.unpack, wZo2QMqKw7NWpE8OiU.cs	High entropy of concatenated method names: 'Dispose', 'ggwylWxY9v', 'zJRd7IJ2xV', 'PXc33GjkcH', 'GB5yD3PNTr', 'cD9yzxoElo', 'ProcessDialogKey', 'JihdsKUU8l', 'ARIdypHEHd', 'Kw9ddAfNmb'
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.7cd0000.7.raw.unpack, OOC7qVTGyde1j7I5Vv.cs	High entropy of concatenated method names: 'u6JH4X5ceH', 'RRaHpRGq1l', 'u09HQBm7r9', 'ToString', 'ksOHSCAv6A', 'JfTHRyVrdv', 'CspdehmiLZD3D28aOEW', 'A5QjgZmvBcuCbdklAM7'
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.7cd0000.7.raw.unpack, N2L5uiyIVv4xjOCY30P.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'big62lAGVN', 'tQy6EFJLIk', 'ClS64YYCNl', 'QNn6pm2ab0', 'hNa6QKk4Wq', 'P8X6SsyHJ3', 'nJo6ROVNGa'
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.7cd0000.7.raw.unpack, j3gFaxSn1KuexmQWEK.cs	High entropy of concatenated method names: 'jRsanDVJe8', 'fHaaDRYNnZ', 'zMqBshKMpm', 'hxIByuqX1o', 'mFZaZ24GQQ', 'o17af0BOIK', 'eF1aKKFbTR', 'nlra2Pw4fM', 'uaGaEbyqmO', 'vdGa4M0Ohj'
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.7cd0000.7.raw.unpack, dLhNXKysico8ZTaQFMI.cs	High entropy of concatenated method names: 'EYDXUct3IS', 'GIVXj3pgyV', 'h1BX13fC9A', 'R74XODty0I', 'mUeX0IZbO5', 'aUhXewXhlU', 'gwMXvhZaun', 'LNZXVNsW4H', 'MbWX9bj8cC', 'ILoXFRgOyk'
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.7cd0000.7.raw.unpack, dKUU8ll0RIpHEHdTw9.cs	High entropy of concatenated method names: 'xDRBkZFdYn', 'XiMB7aEW78', 'st7BcXnHkT', 'bOmBYZyPyQ', 'fKJB2SfX47', 'TQgBWC3TFp', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.7cd0000.7.raw.unpack, q53PNTnrID9xoEloWi.cs	High entropy of concatenated method names: 'phEBMPYBkL', 'IZ3BqaxUNR', 'EoWBmaSV6M', 's3BBAJGu12', 'HGmBHpVaHB', 'DhsBGUWtGf', 'CERBt1RBSx', 'L8nBJysbcb', 'm5ZB5rfHBf', 'D07Bb1hyOY'
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.7cd0000.7.raw.unpack, tl9p6JFu1ULHBIHhTC.cs	High entropy of concatenated method names: 'ic9A0Xs6mS', 'Wp2AvaY377', 'PNCmcH0IFA', 'llsmYILuEc', 'hU3mWwhb6P', 'eawmTcjilh', 'K0dmCikjuX', 'yu8mw6MAHW', 'WcFmodsO4C', 'eGPmLQl6ee'
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.7cd0000.7.raw.unpack, soqRI69n7sw2ajPtMW.cs	High entropy of concatenated method names: 'MlfmOn7vm9', 'WJgmeimrmF', 't4dmVD715j', 'tVom9bLUu9', 'zQ7muoVhQt', 'NyYmg6fD3o', 'lramaylYXO', 'odRmB9FGcW', 'h80mXJWQIK', 'ztvm69yEQu'
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.7cd0000.7.raw.unpack, vxGZ4lpgxdYUpSrWVq.cs	High entropy of concatenated method names: 'yWNa5vgET7', 'gqKabQ6Qk8', 'ToString', 'w7kaMkhU3p', 'Rnjaq0jjgR', 'Y4namiPD1j', 'yPNaA1hJrD', 'yjBaHVLIPJ', 'dLAaGF5fg4', 'uckatyYfWM'
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.7cd0000.7.raw.unpack, rMeTksd0q4hASIEF7p.cs	High entropy of concatenated method names: 'PSm1HgPq0', 'eO3Ob3q7F', 'MnxewpW9B', 'RH8vyeCCp', 'PF89Cxr7l', 'edJFcsvho', 'hdDChJhJ6BHrA0dGWA', 'ilNFwVTvmhA6LxEyOC', 'gUiBmGYYx', 'RRi6fllCW'
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.7cd0000.7.raw.unpack, T2f5jkYbysOmyr2JBk.cs	High entropy of concatenated method names: 'kG7HNQMmuo', 'XxWHUoo4m0', 'NdjH1S5DSd', 'RmqHOwEYlq', 'QEWHeix4GC', 'KuJHv3tSrR', 'GL4H9NAn0R', 'T2LHF1Cw69', 'z6hOb2mJYOrJLsBZ6Mf', 'CW9WM2m8r18GUyW4I5g'
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.7cd0000.7.raw.unpack, gSpCmqtxabgBVI8i5l.cs	High entropy of concatenated method names: 'ixpIPx0Me5', 'krOIMR3b08', 'XIpIq0MoYg', 'QFJImjg2Q4', 'PDyIAcxJA9', 'RqhIHO76QJ', 'Ia9IGAJi1u', 'ekTItlBYsh', 'VBOIJnD0gT', 'iOUI5p6TTP'
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.7cd0000.7.raw.unpack, N3hqEl418ZpQYWVLLh.cs	High entropy of concatenated method names: 'ToString', 'UaSgZ5pK7E', 'UHng7PFhkW', 'WfbgcTyIND', 'WIxgYXuwr8', 'Ge5gWcfoQe', 'FnlgTe0Hod', 'zFCgCqikoC', 'SVwgwhtY5I', 'hXfgoOPTxU'
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.7cd0000.7.raw.unpack, jlfBUgkdWbfx37dOF6.cs	High entropy of concatenated method names: 'p3UHPrWJA4', 'v9HHqL5ETY', 'vXTHAfRnuc', 'LYIHGX0iyq', 'j5QHtpwc2j', 'j4bAQk6fsV', 'm8wASNeJSb', 'n4yARJlyW6', 'JVKAn1mEiV', 'NE7AlWucSc'

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe PID: 6364, type: MEMORYSTR

Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Memory allocated: 3180000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Memory allocated: 3460000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Memory allocated: 3180000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Memory allocated: 83F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Memory allocated: 93F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Memory allocated: 95A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Memory allocated: A5A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Memory allocated: A900000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Memory allocated: B900000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Memory allocated: C900000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Memory allocated: F90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Memory allocated: 2960000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Memory allocated: 4960000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Thread delayed: delay time: 599672	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Thread delayed: delay time: 599562	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Thread delayed: delay time: 599453	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Thread delayed: delay time: 599343	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Thread delayed: delay time: 599234	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Thread delayed: delay time: 599124	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Thread delayed: delay time: 599015	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Thread delayed: delay time: 598906	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Thread delayed: delay time: 598797	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Thread delayed: delay time: 598687	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Thread delayed: delay time: 598576	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Thread delayed: delay time: 598468	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Thread delayed: delay time: 598359	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Thread delayed: delay time: 598250	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Thread delayed: delay time: 598140	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Thread delayed: delay time: 598031	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Thread delayed: delay time: 597922	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Thread delayed: delay time: 597812	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Thread delayed: delay time: 597703	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Thread delayed: delay time: 597593	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Thread delayed: delay time: 597484	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Thread delayed: delay time: 597375	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Thread delayed: delay time: 597265	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Thread delayed: delay time: 597156	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Thread delayed: delay time: 597047	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Thread delayed: delay time: 596937	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Thread delayed: delay time: 596826	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Thread delayed: delay time: 596718	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Thread delayed: delay time: 596609	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Thread delayed: delay time: 596500	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Thread delayed: delay time: 596390	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Thread delayed: delay time: 596278	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Thread delayed: delay time: 596171	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Thread delayed: delay time: 596062	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Thread delayed: delay time: 595953	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Thread delayed: delay time: 595843	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Thread delayed: delay time: 595734	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Thread delayed: delay time: 595625	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Thread delayed: delay time: 595515	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Thread delayed: delay time: 595406	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Thread delayed: delay time: 595297	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Thread delayed: delay time: 595187	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Thread delayed: delay time: 595078	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Thread delayed: delay time: 594968	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Thread delayed: delay time: 594859	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Thread delayed: delay time: 594736	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Thread delayed: delay time: 594609	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5725	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4088	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Window / User API: threadDelayed 1585	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Window / User API: threadDelayed 8274	Jump to behavior

Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe TID: 6452	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 772	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe TID: 7036	Thread sleep count: 34 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe TID: 7036	Thread sleep time: -31359464925306218s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe TID: 7036	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe TID: 7076	Thread sleep count: 1585 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe TID: 7036	Thread sleep time: -599890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe TID: 7076	Thread sleep count: 8274 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe TID: 7036	Thread sleep time: -599781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe TID: 7036	Thread sleep time: -599672s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe TID: 7036	Thread sleep time: -599562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe TID: 7036	Thread sleep time: -599453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe TID: 7036	Thread sleep time: -599343s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe TID: 7036	Thread sleep time: -599234s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe TID: 7036	Thread sleep time: -599124s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe TID: 7036	Thread sleep time: -599015s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe TID: 7036	Thread sleep time: -598906s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe TID: 7036	Thread sleep time: -598797s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe TID: 7036	Thread sleep time: -598687s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe TID: 7036	Thread sleep time: -598576s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe TID: 7036	Thread sleep time: -598468s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe TID: 7036	Thread sleep time: -598359s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe TID: 7036	Thread sleep time: -598250s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe TID: 7036	Thread sleep time: -598140s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe TID: 7036	Thread sleep time: -598031s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe TID: 7036	Thread sleep time: -597922s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe TID: 7036	Thread sleep time: -597812s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe TID: 7036	Thread sleep time: -597703s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe TID: 7036	Thread sleep time: -597593s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe TID: 7036	Thread sleep time: -597484s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe TID: 7036	Thread sleep time: -597375s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe TID: 7036	Thread sleep time: -597265s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe TID: 7036	Thread sleep time: -597156s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe TID: 7036	Thread sleep time: -597047s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe TID: 7036	Thread sleep time: -596937s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe TID: 7036	Thread sleep time: -596826s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe TID: 7036	Thread sleep time: -596718s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe TID: 7036	Thread sleep time: -596609s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe TID: 7036	Thread sleep time: -596500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe TID: 7036	Thread sleep time: -596390s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe TID: 7036	Thread sleep time: -596278s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe TID: 7036	Thread sleep time: -596171s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe TID: 7036	Thread sleep time: -596062s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe TID: 7036	Thread sleep time: -595953s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe TID: 7036	Thread sleep time: -595843s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe TID: 7036	Thread sleep time: -595734s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe TID: 7036	Thread sleep time: -595625s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe TID: 7036	Thread sleep time: -595515s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe TID: 7036	Thread sleep time: -595406s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe TID: 7036	Thread sleep time: -595297s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe TID: 7036	Thread sleep time: -595187s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe TID: 7036	Thread sleep time: -595078s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe TID: 7036	Thread sleep time: -594968s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe TID: 7036	Thread sleep time: -594859s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe TID: 7036	Thread sleep time: -594736s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe TID: 7036	Thread sleep time: -594609s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Thread delayed: delay time: 599672	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Thread delayed: delay time: 599562	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Thread delayed: delay time: 599453	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Thread delayed: delay time: 599343	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Thread delayed: delay time: 599234	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Thread delayed: delay time: 599124	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Thread delayed: delay time: 599015	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Thread delayed: delay time: 598906	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Thread delayed: delay time: 598797	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Thread delayed: delay time: 598687	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Thread delayed: delay time: 598576	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Thread delayed: delay time: 598468	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Thread delayed: delay time: 598359	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Thread delayed: delay time: 598250	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Thread delayed: delay time: 598140	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Thread delayed: delay time: 598031	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Thread delayed: delay time: 597922	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Thread delayed: delay time: 597812	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Thread delayed: delay time: 597703	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Thread delayed: delay time: 597593	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Thread delayed: delay time: 597484	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Thread delayed: delay time: 597375	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Thread delayed: delay time: 597265	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Thread delayed: delay time: 597156	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Thread delayed: delay time: 597047	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Thread delayed: delay time: 596937	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Thread delayed: delay time: 596826	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Thread delayed: delay time: 596718	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Thread delayed: delay time: 596609	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Thread delayed: delay time: 596500	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Thread delayed: delay time: 596390	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Thread delayed: delay time: 596278	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Thread delayed: delay time: 596171	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Thread delayed: delay time: 596062	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Thread delayed: delay time: 595953	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Thread delayed: delay time: 595843	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Thread delayed: delay time: 595734	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Thread delayed: delay time: 595625	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Thread delayed: delay time: 595515	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Thread delayed: delay time: 595406	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Thread delayed: delay time: 595297	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Thread delayed: delay time: 595187	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Thread delayed: delay time: 595078	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Thread delayed: delay time: 594968	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Thread delayed: delay time: 594859	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Thread delayed: delay time: 594736	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Thread delayed: delay time: 594609	Jump to behavior

Source: Amcache.hve.9.dr	Binary or memory string: VMware
Source: Amcache.hve.9.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.9.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.9.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.9.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.9.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.9.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.9.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.9.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.9.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.9.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.9.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1964270059.0000000000C86000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.9.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.9.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000000.00000002.1675498294.00000000014D9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: Amcache.hve.9.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.9.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.9.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.9.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.9.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.9.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.9.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.9.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.9.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.9.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.9.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.9.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.9.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.9.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.9.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe"
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe"			Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe

Memory written: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Process created: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe "C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Process created: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe "C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\DUBAI-MEDIUM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\OFFSYMB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.9.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.9.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.9.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.9.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match	File source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4f93dc8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4f73ba8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4f93dc8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4f73ba8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.1963646151.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1677007999.0000000004F73000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1965220734.0000000002961000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe PID: 6364, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe PID: 7032, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match	File source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4f93dc8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4f73ba8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4f93dc8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4f73ba8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.1963646151.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1677007999.0000000004F73000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1965220734.0000000002961000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe PID: 6364, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe PID: 7032, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	111 Process Injection	1 Masquerading	OS Credential Dumping	1 Query Registry	Remote Services	11 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	11 Disable or Modify Tools	LSASS Memory	21 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	41 Virtualization/Sandbox Evasion	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	111 Process Injection	NTDS	41 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	31 Obfuscated Files or Information	Cached Domain Credentials	1 System Network Configuration Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	12 Software Packing	DCSync	1 File and Directory Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Timestomp	Proc Filesystem	12 System Information Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 DLL Side-Loading	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	39%	ReversingLabs	Win32.Trojan.Strictor
Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	44%	Virustotal		Browse
Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Link
reallyfreegeoip.org	0%	Virustotal	Browse
checkip.dyndns.com	0%	Virustotal	Browse
checkip.dyndns.org	0%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
http://www.fontbureau.com	0%	URL Reputation	safe
http://www.fontbureau.com/designersG	0%	URL Reputation	safe
http://www.fontbureau.com/designers/?	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.fontbureau.com/designers?	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://upx.sf.net	0%	URL Reputation	safe
http://upx.sf.net	0%	URL Reputation	safe
http://checkip.dyndns.org	0%	URL Reputation	safe
http://www.fontbureau.com/designers	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
https://reallyfreegeoip.org/xml/8.46.123.33	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.fontbureau.com/designers/cabarga.htmlN	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.fontbureau.com/designers/frere-user.html	0%	URL Reputation	safe
http://checkip.dyndns.org/	0%	URL Reputation	safe
http://checkip.dyndns.org/q	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
https://reallyfreegeoip.org	0%	URL Reputation	safe
http://www.fontbureau.com/designers8	0%	URL Reputation	safe
http://www.fonts.com	0%	URL Reputation	safe
http://www.fonts.com	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://checkip.dyndns.com	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
https://reallyfreegeoip.org/xml/	0%	URL Reputation	safe
https://reallyfreegeoip.org/xml/	0%	URL Reputation	safe
http://reallyfreegeoip.org	0%	Virustotal		Browse
http://www.apache.org/licenses/LICENSE-2.0	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
reallyfreegeoip.org	188.114.96.3	true	true	0%, Virustotal, Browse	unknown
checkip.dyndns.com	132.226.8.169	true	false	0%, Virustotal, Browse	unknown
checkip.dyndns.org	unknown	unknown	true	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://reallyfreegeoip.org/xml/8.46.123.33	false	URL Reputation: safe	unknown
http://checkip.dyndns.org/	false	URL Reputation: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.apache.org/licenses/LICENSE-2.0	Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000000.00000002.1678626025.0000000007582000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
http://www.fontbureau.com	Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000000.00000002.1678626025.0000000007582000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designersG	Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000000.00000002.1678626025.0000000007582000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/?	Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000000.00000002.1678626025.0000000007582000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn/bThe	Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000000.00000002.1678626025.0000000007582000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000000.00000002.1678626025.0000000007582000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.tiro.com	Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000000.00000002.1678626025.0000000007582000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://upx.sf.net	Amcache.hve.9.dr	false	URL Reputation: safe URL Reputation: safe	unknown
http://checkip.dyndns.org	Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1965220734.0000000002AB8000.00000004.00000800.00020000.00000000.sdmp, Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1965220734.0000000002961000.00000004.00000800.00020000.00000000.sdmp, Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1965220734.0000000002A68000.00000004.00000800.00020000.00000000.sdmp, Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1965220734.0000000002A26000.00000004.00000800.00020000.00000000.sdmp, Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1965220734.0000000002AD5000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers	Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000000.00000002.1678626025.0000000007582000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.goodfont.co.kr	Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000000.00000002.1678626025.0000000007582000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.coml	Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000000.00000002.1678626025.0000000007582000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://www.sajatypeworks.com	Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000000.00000002.1678626025.0000000007582000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.typography.netD	Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000000.00000002.1678626025.0000000007582000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000000.00000002.1678626025.0000000007582000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn/cThe	Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000000.00000002.1678626025.0000000007582000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000000.00000002.1678626025.0000000007582000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn	Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000000.00000002.1678626025.0000000007582000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-user.html	Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000000.00000002.1678626025.0000000007582000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://reallyfreegeoip.org/xml/8.46.123.33$	Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1965220734.0000000002AB8000.00000004.00000800.00020000.00000000.sdmp, Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1965220734.0000000002A68000.00000004.00000800.00020000.00000000.sdmp, Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1965220734.0000000002AD5000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://checkip.dyndns.org/q	Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000000.00000002.1677007999.0000000004F73000.00000004.00000800.00020000.00000000.sdmp, Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1963646151.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/	Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000000.00000002.1678626025.0000000007582000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://reallyfreegeoip.org	Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1965220734.0000000002AB8000.00000004.00000800.00020000.00000000.sdmp, Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1965220734.0000000002A40000.00000004.00000800.00020000.00000000.sdmp, Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1965220734.0000000002AD5000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
http://www.galapagosdesign.com/DPlease	Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000000.00000002.1678626025.0000000007582000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://reallyfreegeoip.org	Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1965220734.0000000002AB8000.00000004.00000800.00020000.00000000.sdmp, Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1965220734.0000000002A68000.00000004.00000800.00020000.00000000.sdmp, Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1965220734.0000000002A26000.00000004.00000800.00020000.00000000.sdmp, Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1965220734.0000000002AD5000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000000.00000002.1678626025.0000000007582000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sakkal.comP&	Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000000.00000002.1678544794.0000000005EF4000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.fonts.com	Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000000.00000002.1678626025.0000000007582000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://www.sandoll.co.kr	Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000000.00000002.1678626025.0000000007582000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://checkip.dyndns.com	Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1965220734.0000000002AB8000.00000004.00000800.00020000.00000000.sdmp, Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1965220734.0000000002A26000.00000004.00000800.00020000.00000000.sdmp, Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1965220734.0000000002AD5000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.urwpp.deDPlease	Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000000.00000002.1678626025.0000000007582000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000000.00000002.1678626025.0000000007582000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000000.00000002.1676535637.0000000003640000.00000004.00000800.00020000.00000000.sdmp, Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1965220734.0000000002961000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sakkal.com	Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000000.00000002.1678626025.0000000007582000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://reallyfreegeoip.org/xml/	Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000000.00000002.1677007999.0000000004F73000.00000004.00000800.00020000.00000000.sdmp, Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1963646151.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1965220734.0000000002A26000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
132.226.8.169	checkip.dyndns.com	United States		16989	UTMEMUS	false
188.114.96.3	reallyfreegeoip.org	European Union		13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1523111
Start date and time:	2024-10-01 05:21:35 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 47s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	14
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe renamed because original name is a hash value
Original Sample Name:	Rfq H2110-11Order_ROYPOWTECH %100% S51105P-E01 .exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@9/11@2/2
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 100% Number of executed functions: 80 Number of non-executed functions: 11
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.168.117.173
Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, PID 7032 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
23:22:23	API Interceptor	122x Sleep call for process: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe modified
23:22:25	API Interceptor	7x Sleep call for process: powershell.exe modified
23:22:54	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
132.226.8.169	SWIFT_COPY_-024-172700818106527.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	3140, EUR.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	1727684587d91a3fc4a77823bfb5c4c41b9d6c0bff84ae126bd19290c7e03bed994fdb4477364.dat-decoded.exe	Get hash	malicious	CryptOne, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	SYSN ORDER.xls	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	58ADE05412907F657812BDA267C43288EA79418091.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	New Order.doc	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	new shipment.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	update SOA.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	GfGxum1sf3.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	GEsD6lobvy.hta	Get hash	malicious	Cobalt Strike, Snake Keylogger	Browse	checkip.dyndns.org/
188.114.96.3	z4Shipping_document_pdf.exe	Get hash	malicious	FormBook	Browse	www.bayarcepat19.click/g48c/
	update SOA.exe	Get hash	malicious	FormBook	Browse	www.bayarcepat19.click/5hcm/
	docs.exe	Get hash	malicious	FormBook	Browse	www.j88.travel/c24t/?I6=iDjdFciE5wc5h9D9V74ZS/2sliUdDJEhqWnTSCKxgeFtQoD7uajT9bZ2+la3znjNy02hfQbCEg==&AL0=9rN46F
	https://wwvmicrosx.live/office365/office_cookies/main	Get hash	malicious	HTMLPhisher	Browse	wwvmicrosx.live/office365/office_cookies/main/
	http://fitur-dana-terbaru-2024.pages.dev/	Get hash	malicious	HTMLPhisher	Browse	fitur-dana-terbaru-2024.pages.dev/favicon.ico
	http://mobilelegendsmycode.com/	Get hash	malicious	Unknown	Browse	mobilelegendsmycode.com/favicon.ico
	http://instructionhub.net/?gad_source=2&gclid=EAIaIQobChMI-pqSm7HgiAMVbfB5BB3YEjS_EAAYASAAEgJAAPD_BwE	Get hash	malicious	WinSearchAbuse	Browse	download.all-instructions.com/Downloads/Instruction%2021921.pdf.lnk
	ADNOC requesting RFQ.exe	Get hash	malicious	FormBook	Browse	www.chinaen.org/zi4g/
	http://twint.ch-daten.com/de/receive/bank/sgkb/79469380	Get hash	malicious	Unknown	Browse	twint.ch-daten.com/socket.io/?EIO=4&transport=polling&t=P8hxwsc
	Cbequipment-Voice Audio Interface.pdf	Get hash	malicious	HTMLPhisher	Browse	www.444317.com/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
reallyfreegeoip.org	SecuriteInfo.com.Win32.CrypterX-gen.16913.10158.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	SWIFT_COPY_-024-172700818106527.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	3140, EUR.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	Italya301 Kurumlu projesi_SLG620-50mm%0190%_ img .exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	1727684587d91a3fc4a77823bfb5c4c41b9d6c0bff84ae126bd19290c7e03bed994fdb4477364.dat-decoded.exe	Get hash	malicious	CryptOne, Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	SYSN ORDER.xls	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	SecuriteInfo.com.Trojan.PackedNET.3066.19627.4428.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	58ADE05412907F657812BDA267C43288EA79418091.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	New Order.doc	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	0225139776.docx.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
checkip.dyndns.com	SecuriteInfo.com.Win32.CrypterX-gen.16913.10158.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	SWIFT_COPY_-024-172700818106527.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	3140, EUR.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	Italya301 Kurumlu projesi_SLG620-50mm%0190%_ img .exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	1727684587d91a3fc4a77823bfb5c4c41b9d6c0bff84ae126bd19290c7e03bed994fdb4477364.dat-decoded.exe	Get hash	malicious	CryptOne, Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	SYSN ORDER.xls	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	SecuriteInfo.com.Trojan.PackedNET.3066.19627.4428.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
	58ADE05412907F657812BDA267C43288EA79418091.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	New Order.doc	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	0225139776.docx.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
UTMEMUS	SWIFT_COPY_-024-172700818106527.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	3140, EUR.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	1727684587d91a3fc4a77823bfb5c4c41b9d6c0bff84ae126bd19290c7e03bed994fdb4477364.dat-decoded.exe	Get hash	malicious	CryptOne, Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	SYSN ORDER.xls	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	58ADE05412907F657812BDA267C43288EA79418091.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	New Order.doc	Get hash	malicious	Snake Keylogger	Browse	132.226.8.169
	0225139776.docx.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	new shipment.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	update SOA.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.8.169
	GfGxum1sf3.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
CLOUDFLARENETUS	https://booking.com-partners.one/confirm/login/qAlElVVF	Get hash	malicious	Unknown	Browse	104.18.86.42
	https://jv.prenticeu.com/SAFlSIeECgRZt_tUKXhAOQHYyqb5e4/	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	msimg32.dll	Get hash	malicious	LummaC	Browse	172.67.197.40
	https://content.app-us1.com/1REPZ7/2024/09/30/ff91983f-ef4d-4288-b1e8-8d1ab94f757b.pdf	Get hash	malicious	HTMLPhisher	Browse	104.17.31.174
	msimg32.dll	Get hash	malicious	Unknown	Browse	172.67.197.40
	http://www.toyotanation.com//help//terms	Get hash	malicious	Unknown	Browse	172.67.41.60
	https://bestratedrobotvacuum.com/?bypass-cdn=1	Get hash	malicious	Unknown	Browse	104.21.234.234
	https://wtm.ventes-privees-du-jour.com/r/eNplj92OmzAQRp+GvQwYbGNfRBVNwgblh61I0jQ3kTEmOAXsgoFNnr6utFppVcnSSOd845mZXApCiJCbs5xhHwkaMq/EwEMCc1wCRjGl3MOeC0iAXArdEmJaepgUhBKOwoJCQIUgBJU+CwoB3NCFrnK/DfPKGN07QeT4sX3TNM0q1TRCd3IUM64aC2Xb805qI1XrBLENL33iewR4nu/4eDDNtVdDx4UVk6htjxh1cf9QjSjk0FjFdf2BOGs0k7f2v7xomKwt7VQuOuNAz4hatMLMcmEtH3pjs921lF1vWtb8Gxi1rfwia/bpfibb7WqXWVvr66gtcfzgmiyvtrwUfJ4+1qCs1GnU/YrCyR4TK60aFU3idQ8ntNjW9+hZoTo/m7dl4PjfT7UZq27RguCy3hwOoZ/CanOkZnFKm8Oe4SnLJU5uXnywf50j/fb0ft/+8Et0eC2nJEu3krdIqEyy22bEjzBN90n9rLTMyO7Ml8kK3n+dH7dwWhNYgGP6owiHUdD7eRVnLOlHu8Lx/ZJ2uwc/BY8jgXGUDvsXJueAIgDJX8NYskg=	Get hash	malicious	Unknown	Browse	104.26.4.103
	http://azgop.org/	Get hash	malicious	Unknown	Browse	104.26.8.228
	SecuriteInfo.com.Win64.MalwareX-gen.32411.29244.exe	Get hash	malicious	Unknown	Browse	104.26.0.5

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	http://azgop.org/	Get hash	malicious	Unknown	Browse	188.114.96.3
	SecuriteInfo.com.Win32.CrypterX-gen.16913.10158.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	SWIFT_COPY_-024-172700818106527.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	3140, EUR.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	Italya301 Kurumlu projesi_SLG620-50mm%0190%_ img .exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	1727684587d91a3fc4a77823bfb5c4c41b9d6c0bff84ae126bd19290c7e03bed994fdb4477364.dat-decoded.exe	Get hash	malicious	CryptOne, Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	SecuriteInfo.com.Trojan.PackedNET.3066.19627.4428.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	uvDYInLodR.exe	Get hash	malicious	Njrat	Browse	188.114.96.3
	uvDYInLodR.exe	Get hash	malicious	Unknown	Browse	188.114.96.3
	3nWKbZrQvF.exe	Get hash	malicious	Njrat	Browse	188.114.96.3

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_OOOBE2UTTQADMYZZ_f1aacb97412eb26466c8dbf24479df3a7fdfe98_b761ca27_15888fec-3d80-4076-a090-86976d798eb2\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.2207849858872382
Encrypted:	false
SSDEEP:	192:ilKjyCztW0BU/qa6ce36qZzuiFFZ24IO8/:OKjyCznBU/qarVqZzuiFFY4IO8/
MD5:	CB4574E8B2C4FAFB9E0E366CF2547114
SHA1:	24F774EEEE03580F98D8B9CD0A652ABACBE8F2E8
SHA-256:	6E36B78FD9098BEB0BAC29329C6275C2A9A99238FD577C722BEBC9070002138A
SHA-512:	4ECE354605A4CD6FB5F4AD0DCAB17CEA337CDCA1B079050878F5E41F40BBBDC46E62D41F6640EEC8427BEE15129579F40B872083EC4F86B2F7FB20C77E01C8D2
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.2.2.2.6.5.6.0.7.9.8.8.1.4.8.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.2.2.2.6.5.6.1.4.5.5.0.6.7.1.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.5.8.8.8.f.e.c.-.3.d.8.0.-.4.0.7.6.-.a.0.9.0.-.8.6.9.7.6.d.7.9.8.e.b.2.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.4.e.3.9.c.e.3.-.2.9.5.8.-.4.e.9.b.-.8.f.4.e.-.3.5.1.4.7.8.2.e.1.5.1.9.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.R.f.q. .H.2.1.1.0.-.1.1.#.U.3.0.0.0.O.r.d.e.r._.R.O.Y.P.O.W.T.E.C.H. .%.1.0.0.%. .S.5.1.1.0.5.P.-.E.0.1. .#.U.f.f.0.8.#.U.6.7.0.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.x.Z.j.q...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.b.7.8.-.0.0.0.1.-.0.0.1.4.-.b.4.8.2.-.f.9.2.1.b.1.1.3.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.b.5.9.8.a.c.2.f.4.2.3.5.6.2.d.8.6.b.e.6.f.5.4.9.6.8.4.a.7.e.1.2.0.0.0.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER16B2.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Tue Oct 1 03:22:41 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	332544
Entropy (8bit):	3.5543584334906293
Encrypted:	false
SSDEEP:	3072:qCQM+ZG4uEq9LTgjVyjlv451r0UgdQe4:qCQXG4mTg5ypgPrac
MD5:	48EE97EC68D4483FA7052EFF272FEC72
SHA1:	38388E6F898EB95ED81AB1B3724C81B868847520
SHA-256:	71FAF39F60C1D31308642DFAA4BFB87118A78711E6909209AD072EB076559D1E
SHA-512:	C29AC2CCB3A3CE4BB1940AC0F19F04760A44E2BF2E64154E3743E23D633903B6410E0A1A570FBADF223D6F215E3228F53EB1CFA70ACD4285B449C09457CA45BC
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... ........k.f............4...............H.......<....).......)..vh..........`.......8...........T...........Hc..............T)..........@+..............................................................................eJ.......+......GenuineIntel............T.......x....j.f.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1878.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	6566
Entropy (8bit):	3.743710093972469
Encrypted:	false
SSDEEP:	96:RSIU6o7wVetbtXl6PGkYZ7yQE/RBT5aM4UW89bAhsfUHgm:R6l7wVeJtl69YZe5prW89bAhsfUHgm
MD5:	4D515213DA969B9C776172EF5B6F0E91
SHA1:	3A7D405D48101627C6569659F212E6627BA974D7
SHA-256:	76398DBC593ED7D843731BC02C75626AC79D63CA69847B11D2BA85F712AF274F
SHA-512:	90A83FD91B01640E18AE6DE9E4A8148F1E4D819AF6BF335C16A89C7223C45CB38A9B628342E9CFC2A72C95CB0B26EB1779BF876C5D457686ABD0BB444FE611AC
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.0.3.2.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1898.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4969
Entropy (8bit):	4.6284112210768535
Encrypted:	false
SSDEEP:	48:cvIwWl8zsrJg77aI9pGWpW8VYvfYm8M4JgH2Fc+q8vcHA8TkKnIr9d:uIjfFI7TH7VnJsK/8TjnIxd
MD5:	1360EE5058115CF7403AD79661BA18E0
SHA1:	FFD2A930827AE0988C3767B94CAED8E3F5715B37
SHA-256:	BC56B4471D53FEC5E0F9AD59F47FA43BE33262BA0BACB738E6654166E26436C1
SHA-512:	4C554544C802BDA191A567906F1464A5D897B0FEBC5E9FEF244908ADA464FDB83C293FF63CDE3917F8AECAA6A33AC6A25690BEFC09BC46431EC04EF1B6C215B9
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="523825" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.log

Download File

Process:	C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	1172
Entropy (8bit):	5.352012448723694
Encrypted:	false
SSDEEP:	24:3qWSKco4KmZjKbm51s4RPT6moUebIKo+mZ9t7J0gt/NKIl9r+q:6WSU4xymI4RfoUeW+mZ9tK8ND3
MD5:	C4E60F3542BDA5B0B67ECE8E9246A856
SHA1:	6694FFF06848CBC94B564EFE1259DD06E2413C7E
SHA-256:	765BF8C0D26A8A0B36004C5137D3E7977B5FB641C4E0440C00253286CCCBEBEC
SHA-512:	3725E52EF5A653B0D73732A5C9BECA073B5393367D294425520732BFC26B9147F1835AC0B8DF8A41E390B4D46E6630D36B330F273456B4126473763E5FA7DD6E
Malicious:	false
Reputation:	low
Preview:	@...e................................................@..........P................1]...E...........(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...\|...........System.Configuration4.................%...K... ...........System.Xml..L.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.H................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ft1l0bfw.inc.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ljpjz21n.tlo.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qlipt1em.p3g.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yyrnnctg.5bf.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.466257619011033
Encrypted:	false
SSDEEP:	6144:xIXfpi67eLPU9skLmb0b4BWSPKaJG8nAgejZMMhA2gX4WABl0uN9dwBCswSb6m:SXD94BWlLZMM6YFHj+6m
MD5:	E8197040AEA96CF5C1707C82FBBA2A32
SHA1:	33B556E52BC462D46A50120ABCF8B497837200A2
SHA-256:	02056F7505D48C9894A623CF88929CCDE4E61B3706353BF35601A8447D432AD4
SHA-512:	C1F08C022A28E907D14F3ACAAE08FD8A172F14DF265DA64E31DCFFEAA2E68390EC19396B9A6D4F149EC7B6E63D23D10B2F347BEE71B558FDB1DB314BD1AAFE59
Malicious:	false
Preview:	regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm...,.................................................................................................................................................................................................................................................................................................................................................~..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.629269406357267
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe
File size:	616'960 bytes
MD5:	a168b11261c075963b1dfd139cbbfac6
SHA1:	3248fcfe659305dba908ee7271da1a3c72f103c1
SHA256:	32b59977aff73828e93c0844e7805de9c854049bb3b046399f1ce42e58679b85
SHA512:	234e9aae8e8b8f959c1a1c21170619e09270eff0e8be8059a085c03adc354fcc7c1dadffd5c2dfa8644850bb8657fbfb3bee3b77cd8823ce00470517f41ec9fa
SSDEEP:	12288:PWt7LZ0ohLCU8Ow2ZHdobZZrVFtuH+c3T:PWt7V0ohLCUVw2grke
TLSH:	61D4BED43B25B30ADEB85670952ADEF553A92D287000B9E36DDD3B9775BC211AE0CF02
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...79................0..N...........l... ........@.. ....................................@................................

File Icon


Icon Hash:	3d3d696465498047

Static PE Info

General

Entrypoint:	0x496cce
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x8E983937 [Mon Oct 23 03:06:31 2045 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x96c7c	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x98000	0x1784	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x9a000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x9556c	0x70	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x94cd4	0x94e00	eecf292fc48fd574c40d8618e41ec58d	False	0.8657165066120907	data	7.647044566215728	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x98000	0x1784	0x1800	c92fa8fbd2919181213acf51ca0d03d6	False	0.42529296875	data	5.113645290005449	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x9a000	0xc	0x200	85e044799e2d74fd1ddd38ee21bfba82	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x98130	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096	0.4148686679174484
RT_GROUP_ICON	0x991d8	0x14	data	1.1
RT_VERSION	0x991ec	0x3ac	data	0.41595744680851066
RT_MANIFEST	0x99598	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-01T05:22:27.555279+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49733	132.226.8.169	80	TCP
2024-10-01T05:22:28.727116+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49733	132.226.8.169	80	TCP
2024-10-01T05:22:29.305905+0200	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49736	188.114.96.3	443	TCP
2024-10-01T05:22:31.461667+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49738	132.226.8.169	80	TCP
2024-10-01T05:22:34.586608+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49739	132.226.8.169	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 1, 2024 05:22:25.776403904 CEST	49733	80	192.168.2.4	132.226.8.169
Oct 1, 2024 05:22:25.781394958 CEST	80	49733	132.226.8.169	192.168.2.4
Oct 1, 2024 05:22:25.781534910 CEST	49733	80	192.168.2.4	132.226.8.169
Oct 1, 2024 05:22:25.782233953 CEST	49733	80	192.168.2.4	132.226.8.169
Oct 1, 2024 05:22:25.787091970 CEST	80	49733	132.226.8.169	192.168.2.4
Oct 1, 2024 05:22:27.230362892 CEST	80	49733	132.226.8.169	192.168.2.4
Oct 1, 2024 05:22:27.234826088 CEST	49733	80	192.168.2.4	132.226.8.169
Oct 1, 2024 05:22:27.241311073 CEST	80	49733	132.226.8.169	192.168.2.4
Oct 1, 2024 05:22:27.505639076 CEST	80	49733	132.226.8.169	192.168.2.4
Oct 1, 2024 05:22:27.547082901 CEST	49734	443	192.168.2.4	188.114.96.3
Oct 1, 2024 05:22:27.547111034 CEST	443	49734	188.114.96.3	192.168.2.4
Oct 1, 2024 05:22:27.547230959 CEST	49734	443	192.168.2.4	188.114.96.3
Oct 1, 2024 05:22:27.554313898 CEST	49734	443	192.168.2.4	188.114.96.3
Oct 1, 2024 05:22:27.554328918 CEST	443	49734	188.114.96.3	192.168.2.4
Oct 1, 2024 05:22:27.555279016 CEST	49733	80	192.168.2.4	132.226.8.169
Oct 1, 2024 05:22:28.024416924 CEST	443	49734	188.114.96.3	192.168.2.4
Oct 1, 2024 05:22:28.026161909 CEST	49734	443	192.168.2.4	188.114.96.3
Oct 1, 2024 05:22:28.047954082 CEST	49734	443	192.168.2.4	188.114.96.3
Oct 1, 2024 05:22:28.047972918 CEST	443	49734	188.114.96.3	192.168.2.4
Oct 1, 2024 05:22:28.048290968 CEST	443	49734	188.114.96.3	192.168.2.4
Oct 1, 2024 05:22:28.102128029 CEST	49734	443	192.168.2.4	188.114.96.3
Oct 1, 2024 05:22:28.292865038 CEST	49734	443	192.168.2.4	188.114.96.3
Oct 1, 2024 05:22:28.335405111 CEST	443	49734	188.114.96.3	192.168.2.4
Oct 1, 2024 05:22:28.403522015 CEST	443	49734	188.114.96.3	192.168.2.4
Oct 1, 2024 05:22:28.403590918 CEST	443	49734	188.114.96.3	192.168.2.4
Oct 1, 2024 05:22:28.403697014 CEST	49734	443	192.168.2.4	188.114.96.3
Oct 1, 2024 05:22:28.410419941 CEST	49734	443	192.168.2.4	188.114.96.3
Oct 1, 2024 05:22:28.410970926 CEST	49733	80	192.168.2.4	132.226.8.169
Oct 1, 2024 05:22:28.417479992 CEST	80	49733	132.226.8.169	192.168.2.4
Oct 1, 2024 05:22:28.682754993 CEST	80	49733	132.226.8.169	192.168.2.4
Oct 1, 2024 05:22:28.684518099 CEST	49736	443	192.168.2.4	188.114.96.3
Oct 1, 2024 05:22:28.684608936 CEST	443	49736	188.114.96.3	192.168.2.4
Oct 1, 2024 05:22:28.684698105 CEST	49736	443	192.168.2.4	188.114.96.3
Oct 1, 2024 05:22:28.684890985 CEST	49736	443	192.168.2.4	188.114.96.3
Oct 1, 2024 05:22:28.684928894 CEST	443	49736	188.114.96.3	192.168.2.4
Oct 1, 2024 05:22:28.727116108 CEST	49733	80	192.168.2.4	132.226.8.169
Oct 1, 2024 05:22:29.169125080 CEST	443	49736	188.114.96.3	192.168.2.4
Oct 1, 2024 05:22:29.170759916 CEST	49736	443	192.168.2.4	188.114.96.3
Oct 1, 2024 05:22:29.170840979 CEST	443	49736	188.114.96.3	192.168.2.4
Oct 1, 2024 05:22:29.305910110 CEST	443	49736	188.114.96.3	192.168.2.4
Oct 1, 2024 05:22:29.305983067 CEST	443	49736	188.114.96.3	192.168.2.4
Oct 1, 2024 05:22:29.306036949 CEST	49736	443	192.168.2.4	188.114.96.3
Oct 1, 2024 05:22:29.306344986 CEST	49736	443	192.168.2.4	188.114.96.3
Oct 1, 2024 05:22:29.309299946 CEST	49733	80	192.168.2.4	132.226.8.169
Oct 1, 2024 05:22:29.310283899 CEST	49738	80	192.168.2.4	132.226.8.169
Oct 1, 2024 05:22:29.314723969 CEST	80	49733	132.226.8.169	192.168.2.4
Oct 1, 2024 05:22:29.314780951 CEST	49733	80	192.168.2.4	132.226.8.169
Oct 1, 2024 05:22:29.315119982 CEST	80	49738	132.226.8.169	192.168.2.4
Oct 1, 2024 05:22:29.315186024 CEST	49738	80	192.168.2.4	132.226.8.169
Oct 1, 2024 05:22:29.315273046 CEST	49738	80	192.168.2.4	132.226.8.169
Oct 1, 2024 05:22:29.320991993 CEST	80	49738	132.226.8.169	192.168.2.4
Oct 1, 2024 05:22:31.417262077 CEST	80	49738	132.226.8.169	192.168.2.4
Oct 1, 2024 05:22:31.430346966 CEST	49739	80	192.168.2.4	132.226.8.169
Oct 1, 2024 05:22:31.435440063 CEST	80	49739	132.226.8.169	192.168.2.4
Oct 1, 2024 05:22:31.435657978 CEST	49739	80	192.168.2.4	132.226.8.169
Oct 1, 2024 05:22:31.435657978 CEST	49739	80	192.168.2.4	132.226.8.169
Oct 1, 2024 05:22:31.440551996 CEST	80	49739	132.226.8.169	192.168.2.4
Oct 1, 2024 05:22:31.461667061 CEST	49738	80	192.168.2.4	132.226.8.169
Oct 1, 2024 05:22:33.251869917 CEST	80	49739	132.226.8.169	192.168.2.4
Oct 1, 2024 05:22:33.255302906 CEST	49739	80	192.168.2.4	132.226.8.169
Oct 1, 2024 05:22:33.260302067 CEST	80	49739	132.226.8.169	192.168.2.4
Oct 1, 2024 05:22:34.534805059 CEST	80	49739	132.226.8.169	192.168.2.4
Oct 1, 2024 05:22:34.539232969 CEST	49740	80	192.168.2.4	132.226.8.169
Oct 1, 2024 05:22:34.544200897 CEST	80	49740	132.226.8.169	192.168.2.4
Oct 1, 2024 05:22:34.544274092 CEST	49740	80	192.168.2.4	132.226.8.169
Oct 1, 2024 05:22:34.544344902 CEST	49740	80	192.168.2.4	132.226.8.169
Oct 1, 2024 05:22:34.549209118 CEST	80	49740	132.226.8.169	192.168.2.4
Oct 1, 2024 05:22:34.586607933 CEST	49739	80	192.168.2.4	132.226.8.169
Oct 1, 2024 05:22:35.897052050 CEST	80	49740	132.226.8.169	192.168.2.4
Oct 1, 2024 05:22:35.897603989 CEST	49739	80	192.168.2.4	132.226.8.169
Oct 1, 2024 05:22:35.898116112 CEST	49741	443	192.168.2.4	188.114.96.3
Oct 1, 2024 05:22:35.898149967 CEST	443	49741	188.114.96.3	192.168.2.4
Oct 1, 2024 05:22:35.898226976 CEST	49741	443	192.168.2.4	188.114.96.3
Oct 1, 2024 05:22:35.898508072 CEST	49741	443	192.168.2.4	188.114.96.3
Oct 1, 2024 05:22:35.898519993 CEST	443	49741	188.114.96.3	192.168.2.4
Oct 1, 2024 05:22:35.902791023 CEST	80	49739	132.226.8.169	192.168.2.4
Oct 1, 2024 05:22:35.902852058 CEST	49739	80	192.168.2.4	132.226.8.169
Oct 1, 2024 05:22:35.945947886 CEST	49740	80	192.168.2.4	132.226.8.169
Oct 1, 2024 05:22:36.362329006 CEST	443	49741	188.114.96.3	192.168.2.4
Oct 1, 2024 05:22:36.363807917 CEST	49741	443	192.168.2.4	188.114.96.3
Oct 1, 2024 05:22:36.363826036 CEST	443	49741	188.114.96.3	192.168.2.4
Oct 1, 2024 05:22:36.519015074 CEST	443	49741	188.114.96.3	192.168.2.4
Oct 1, 2024 05:22:36.519124985 CEST	443	49741	188.114.96.3	192.168.2.4
Oct 1, 2024 05:22:36.519176006 CEST	49741	443	192.168.2.4	188.114.96.3
Oct 1, 2024 05:22:36.519594908 CEST	49741	443	192.168.2.4	188.114.96.3
Oct 1, 2024 05:22:36.522490978 CEST	49740	80	192.168.2.4	132.226.8.169
Oct 1, 2024 05:22:36.523468018 CEST	49742	80	192.168.2.4	132.226.8.169
Oct 1, 2024 05:22:36.527803898 CEST	80	49740	132.226.8.169	192.168.2.4
Oct 1, 2024 05:22:36.527864933 CEST	49740	80	192.168.2.4	132.226.8.169
Oct 1, 2024 05:22:36.528347015 CEST	80	49742	132.226.8.169	192.168.2.4
Oct 1, 2024 05:22:36.528419018 CEST	49742	80	192.168.2.4	132.226.8.169
Oct 1, 2024 05:22:36.528506041 CEST	49742	80	192.168.2.4	132.226.8.169
Oct 1, 2024 05:22:36.533324003 CEST	80	49742	132.226.8.169	192.168.2.4
Oct 1, 2024 05:22:38.398509979 CEST	80	49742	132.226.8.169	192.168.2.4
Oct 1, 2024 05:22:38.402669907 CEST	49743	80	192.168.2.4	132.226.8.169
Oct 1, 2024 05:22:38.407584906 CEST	80	49743	132.226.8.169	192.168.2.4
Oct 1, 2024 05:22:38.407659054 CEST	49743	80	192.168.2.4	132.226.8.169
Oct 1, 2024 05:22:38.407732010 CEST	49743	80	192.168.2.4	132.226.8.169
Oct 1, 2024 05:22:38.412556887 CEST	80	49743	132.226.8.169	192.168.2.4
Oct 1, 2024 05:22:38.445873976 CEST	49742	80	192.168.2.4	132.226.8.169
Oct 1, 2024 05:22:40.800487995 CEST	80	49743	132.226.8.169	192.168.2.4
Oct 1, 2024 05:22:40.801584959 CEST	49744	443	192.168.2.4	188.114.96.3
Oct 1, 2024 05:22:40.801683903 CEST	443	49744	188.114.96.3	192.168.2.4
Oct 1, 2024 05:22:40.801728010 CEST	49742	80	192.168.2.4	132.226.8.169
Oct 1, 2024 05:22:40.801769972 CEST	49744	443	192.168.2.4	188.114.96.3
Oct 1, 2024 05:22:40.802005053 CEST	49744	443	192.168.2.4	188.114.96.3
Oct 1, 2024 05:22:40.802040100 CEST	443	49744	188.114.96.3	192.168.2.4
Oct 1, 2024 05:22:40.806963921 CEST	80	49742	132.226.8.169	192.168.2.4
Oct 1, 2024 05:22:40.812141895 CEST	49742	80	192.168.2.4	132.226.8.169
Oct 1, 2024 05:22:40.852119923 CEST	49743	80	192.168.2.4	132.226.8.169
Oct 1, 2024 05:22:41.259221077 CEST	443	49744	188.114.96.3	192.168.2.4
Oct 1, 2024 05:22:41.261425018 CEST	49744	443	192.168.2.4	188.114.96.3
Oct 1, 2024 05:22:41.261461020 CEST	443	49744	188.114.96.3	192.168.2.4
Oct 1, 2024 05:22:41.387525082 CEST	443	49744	188.114.96.3	192.168.2.4
Oct 1, 2024 05:22:41.387630939 CEST	443	49744	188.114.96.3	192.168.2.4
Oct 1, 2024 05:22:41.387770891 CEST	49744	443	192.168.2.4	188.114.96.3
Oct 1, 2024 05:22:41.387980938 CEST	49744	443	192.168.2.4	188.114.96.3
Oct 1, 2024 05:22:55.984582901 CEST	49738	80	192.168.2.4	132.226.8.169
Oct 1, 2024 05:22:55.984831095 CEST	49743	80	192.168.2.4	132.226.8.169

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 1, 2024 05:22:25.742044926 CEST	63532	53	192.168.2.4	1.1.1.1
Oct 1, 2024 05:22:25.748845100 CEST	53	63532	1.1.1.1	192.168.2.4
Oct 1, 2024 05:22:27.539700031 CEST	57421	53	192.168.2.4	1.1.1.1
Oct 1, 2024 05:22:27.546546936 CEST	53	57421	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 1, 2024 05:22:25.742044926 CEST	192.168.2.4	1.1.1.1	0x7d7c	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Oct 1, 2024 05:22:27.539700031 CEST	192.168.2.4	1.1.1.1	0xe41d	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 1, 2024 05:22:25.748845100 CEST	1.1.1.1	192.168.2.4	0x7d7c	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 1, 2024 05:22:25.748845100 CEST	1.1.1.1	192.168.2.4	0x7d7c	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Oct 1, 2024 05:22:25.748845100 CEST	1.1.1.1	192.168.2.4	0x7d7c	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Oct 1, 2024 05:22:25.748845100 CEST	1.1.1.1	192.168.2.4	0x7d7c	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Oct 1, 2024 05:22:25.748845100 CEST	1.1.1.1	192.168.2.4	0x7d7c	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Oct 1, 2024 05:22:25.748845100 CEST	1.1.1.1	192.168.2.4	0x7d7c	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Oct 1, 2024 05:22:27.546546936 CEST	1.1.1.1	192.168.2.4	0xe41d	No error (0)	reallyfreegeoip.org		188.114.96.3	A (IP address)	IN (0x0001)	false
Oct 1, 2024 05:22:27.546546936 CEST	1.1.1.1	192.168.2.4	0xe41d	No error (0)	reallyfreegeoip.org		188.114.97.3	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49733	132.226.8.169	80	7032	C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe

Timestamp	Bytes transferred	Direction	Data
Oct 1, 2024 05:22:25.782233953 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 1, 2024 05:22:27.230362892 CEST	272	IN	HTTP/1.1 200 OK Date: Tue, 01 Oct 2024 03:22:27 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Oct 1, 2024 05:22:27.234826088 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Oct 1, 2024 05:22:27.505639076 CEST	272	IN	HTTP/1.1 200 OK Date: Tue, 01 Oct 2024 03:22:27 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Oct 1, 2024 05:22:28.410970926 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Oct 1, 2024 05:22:28.682754993 CEST	272	IN	HTTP/1.1 200 OK Date: Tue, 01 Oct 2024 03:22:28 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49738	132.226.8.169	80	7032	C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe

Timestamp	Bytes transferred	Direction	Data
Oct 1, 2024 05:22:29.315273046 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Oct 1, 2024 05:22:31.417262077 CEST	682	IN	HTTP/1.1 502 Bad Gateway Date: Tue, 01 Oct 2024 03:22:31 GMT Content-Type: text/html Content-Length: 547 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 35 30 32 20 42 61 64 20 47 61 74 65 77 61 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 35 30 32 20 42 61 64 20 47 61 74 65 77 61 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 [TRUNCATED] Data Ascii: <html><head><title>502 Bad Gateway</title></head><body><center><h1>502 Bad Gateway</h1></center><hr><center></center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49739	132.226.8.169	80	7032	C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe

Timestamp	Bytes transferred	Direction	Data
Oct 1, 2024 05:22:31.435657978 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 1, 2024 05:22:33.251869917 CEST	682	IN	HTTP/1.1 502 Bad Gateway Date: Tue, 01 Oct 2024 03:22:33 GMT Content-Type: text/html Content-Length: 547 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 35 30 32 20 42 61 64 20 47 61 74 65 77 61 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 35 30 32 20 42 61 64 20 47 61 74 65 77 61 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 [TRUNCATED] Data Ascii: <html><head><title>502 Bad Gateway</title></head><body><center><h1>502 Bad Gateway</h1></center><hr><center></center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->
Oct 1, 2024 05:22:33.255302906 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Oct 1, 2024 05:22:34.534805059 CEST	682	IN	HTTP/1.1 502 Bad Gateway Date: Tue, 01 Oct 2024 03:22:34 GMT Content-Type: text/html Content-Length: 547 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 35 30 32 20 42 61 64 20 47 61 74 65 77 61 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 35 30 32 20 42 61 64 20 47 61 74 65 77 61 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 [TRUNCATED] Data Ascii: <html><head><title>502 Bad Gateway</title></head><body><center><h1>502 Bad Gateway</h1></center><hr><center></center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49740	132.226.8.169	80	7032	C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe

Timestamp	Bytes transferred	Direction	Data
Oct 1, 2024 05:22:34.544344902 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 1, 2024 05:22:35.897052050 CEST	272	IN	HTTP/1.1 200 OK Date: Tue, 01 Oct 2024 03:22:35 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49742	132.226.8.169	80	7032	C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe

Timestamp	Bytes transferred	Direction	Data
Oct 1, 2024 05:22:36.528506041 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 1, 2024 05:22:38.398509979 CEST	682	IN	HTTP/1.1 502 Bad Gateway Date: Tue, 01 Oct 2024 03:22:38 GMT Content-Type: text/html Content-Length: 547 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 35 30 32 20 42 61 64 20 47 61 74 65 77 61 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 35 30 32 20 42 61 64 20 47 61 74 65 77 61 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 [TRUNCATED] Data Ascii: <html><head><title>502 Bad Gateway</title></head><body><center><h1>502 Bad Gateway</h1></center><hr><center></center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49743	132.226.8.169	80	7032	C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe

Timestamp	Bytes transferred	Direction	Data
Oct 1, 2024 05:22:38.407732010 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 1, 2024 05:22:40.800487995 CEST	272	IN	HTTP/1.1 200 OK Date: Tue, 01 Oct 2024 03:22:40 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49734	188.114.96.3	443	7032	C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-01 03:22:28 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-01 03:22:28 UTC	672	IN	HTTP/1.1 200 OK Date: Tue, 01 Oct 2024 03:22:28 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 68979 Last-Modified: Mon, 30 Sep 2024 08:12:49 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=YXYLSbSijmvlz09WY5iXHOfIqxxld4O3zOJAzurxYLPnk82twBjHweKbG8KPWDtXKRLzndTONKg%2BJJBV0LEpeF1WcRdAd5AOngIqcXN3xj3W6RJM0NZ6s0wuJcTtsdpsTGmXBtcZ"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8cb954172f764291-EWR
2024-10-01 03:22:28 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-10-01 03:22:28 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49736	188.114.96.3	443	7032	C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-01 03:22:29 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-10-01 03:22:29 UTC	676	IN	HTTP/1.1 200 OK Date: Tue, 01 Oct 2024 03:22:29 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 68980 Last-Modified: Mon, 30 Sep 2024 08:12:49 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Gr4wWHzEbNXsaq0z5ODdjW0MwxnckX17GwUkbP08AIi1HuwOesVu59enFle5FiDXtTDpTEbcANs0%2BxVwYNG47XqBpjp6SHKqmWnnfD0eQ4eOqRj%2F3sdT4PX%2BD3kRrAY4JxG9GSu4"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8cb9541ccac90cb4-EWR
2024-10-01 03:22:29 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-10-01 03:22:29 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49741	188.114.96.3	443	7032	C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-01 03:22:36 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-01 03:22:36 UTC	684	IN	HTTP/1.1 200 OK Date: Tue, 01 Oct 2024 03:22:36 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 68987 Last-Modified: Mon, 30 Sep 2024 08:12:49 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=eWcTcKiu7DOxz3mGTygtTaHnn3xwUCkSbRmoRwrLw%2FI7ve296kvEWlGL49R0LP2NAjG%2BJUwc%2FbjJCph%2BFdXyzf94PK%2BTCo0fbTQUBaRpZ%2BIGyHB7sjJHCmMs4GGFD7%2BZkMQOOZbS"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8cb95449dbcf6a5e-EWR
2024-10-01 03:22:36 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-10-01 03:22:36 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49744	188.114.96.3	443	7032	C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-01 03:22:41 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-01 03:22:41 UTC	674	IN	HTTP/1.1 200 OK Date: Tue, 01 Oct 2024 03:22:41 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 68992 Last-Modified: Mon, 30 Sep 2024 08:12:49 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=jf64iqW4IEuZH95O9BUVyxozV%2FyyRzNmNReuVY8sSsINPYpJKzKvnWfk5DrT67Sb73brncKSzMD9BLjPFu6QYH7L3wnElE9KzZ0%2Bk7Qg8znJEBMgTy677VWNnaa2rdL3AlS6TYK9"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8cb954685a3d0c8a-EWR
2024-10-01 03:22:41 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-10-01 03:22:41 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Analysis Process: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exePID: 6364, Parent PID: 2580

General

Target ID:	0
Start time:	23:22:22
Start date:	30/09/2024
Path:	C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe"
Imagebase:	0xe70000
File size:	616'960 bytes
MD5 hash:	A168B11261C075963B1DFD139CBBFAC6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000002.1677007999.0000000004F73000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.1677007999.0000000004F73000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000000.00000002.1677007999.0000000004F73000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	23:22:23
Start date:	30/09/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe"
Imagebase:	0xff0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exePID: 6960, Parent PID: 6364

General

Target ID:	3
Start time:	23:22:23
Start date:	30/09/2024
Path:	C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe"
Imagebase:	0x2b0000
File size:	616'960 bytes
MD5 hash:	A168B11261C075963B1DFD139CBBFAC6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	23:22:23
Start date:	30/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exePID: 7032, Parent PID: 6364

General

Target ID:	5
Start time:	23:22:23
Start date:	30/09/2024
Path:	C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe"
Imagebase:	0x6b0000
File size:	616'960 bytes
MD5 hash:	A168B11261C075963B1DFD139CBBFAC6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000005.00000002.1963646151.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000005.00000002.1963646151.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000005.00000002.1963646151.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000005.00000002.1965220734.0000000002961000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	23:22:40
Start date:	30/09/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7032 -s 2536
Imagebase:	0x1e0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exePID: 6364, Parent PID: 2580COMMON

Execution Graph

Execution Coverage:	8.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	3.4%
Total number of Nodes:	350
Total number of Limit Nodes:	17

Executed Functions

Function 059E6FC8 Relevance: 1.0, Instructions: 973COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1678049285.00000000059E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59e0000_Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf3c38cef1e3db56d55664092c22458ebf174ad0f762d2a90c6ea51e01fb5c23
Instruction ID: e1041f70ae3e91870d8b4276278a21e508b7956c62bcd51860c4ee7c5c2a2359
Opcode Fuzzy Hash: cf3c38cef1e3db56d55664092c22458ebf174ad0f762d2a90c6ea51e01fb5c23
Instruction Fuzzy Hash: 08A2C234A11219CFCB65EB64C884AD9B7B2FF8A301F5185EAD4096B360DB71AEC5CF50

Function 059E6FD8 Relevance: 1.0, Instructions: 961COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1678049285.00000000059E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59e0000_Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c72758d09fc8b651843d1e7d6a413d898c89537b8b4296e5bed4386acdc0a31
Instruction ID: 29dc50bd13af0d441ebb20cdf2f95b299ffda1ba1c8afb7ca0dbaa833e141503
Opcode Fuzzy Hash: 3c72758d09fc8b651843d1e7d6a413d898c89537b8b4296e5bed4386acdc0a31
Instruction Fuzzy Hash: 26A2B134A11219CFCB65EB64C884AD9B7B2FF8A301F5185EAD4096B360DB71AEC5CF50

Function 07D46E22 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1679356544.0000000007D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d40000_Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d033dd4dcb32080968372dbc42c5784f7d2d2d3502c4168eea513e87ab91d758
Instruction ID: d4299d0c9d9f33955b0a0a9fbd7e088bb4a9245b7b78070ef73f4cd3bec50b5e
Opcode Fuzzy Hash: d033dd4dcb32080968372dbc42c5784f7d2d2d3502c4168eea513e87ab91d758
Instruction Fuzzy Hash: 0AA002C6EAE405C380101C98E2510B5C43C424B071F58700081DF3B0424500C210012E

Function 0322D030 Relevance: 6.1, APIs: 4, Instructions: 136
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0322D0BE
GetCurrentThread.KERNEL32 ref: 0322D0FB
GetCurrentProcess.KERNEL32 ref: 0322D138
GetCurrentThreadId.KERNEL32 ref: 0322D191

Memory Dump Source

Source File: 00000000.00000002.1676173797.0000000003220000.00000040.00000800.00020000.00000000.sdmp, Offset: 03220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3220000_Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 8dd04adeeedc2821cfd1b2add4296e49d3117f376ef6aea72cc96319009e926d
Instruction ID: a223310e20f6a243346312c34c8a7b12512a1f7c802f7ddb09bac9bc922cbe17
Opcode Fuzzy Hash: 8dd04adeeedc2821cfd1b2add4296e49d3117f376ef6aea72cc96319009e926d
Instruction Fuzzy Hash: 095157B0A002499FDB14DFA9D988BDEBFF1EF88304F248469D059AB261C7359984CF65

Function 0322D040 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0322D0BE
GetCurrentThread.KERNEL32 ref: 0322D0FB
GetCurrentProcess.KERNEL32 ref: 0322D138
GetCurrentThreadId.KERNEL32 ref: 0322D191

Memory Dump Source

Source File: 00000000.00000002.1676173797.0000000003220000.00000040.00000800.00020000.00000000.sdmp, Offset: 03220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3220000_Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 08796277b32fdf7bf3bac886d7aed5cf5eb7fd3e2b8e7fc79ec4a6fd03f57976
Instruction ID: 19cffa7d6bb83cb593f43903459a0a410ecedd1f1c8a1f3c78ce7b5342e5eb36
Opcode Fuzzy Hash: 08796277b32fdf7bf3bac886d7aed5cf5eb7fd3e2b8e7fc79ec4a6fd03f57976
Instruction Fuzzy Hash: 665167B0A002099FDB14DFA9C948BDEBFF1EF88304F208469D419AB3A1C7349984CF65

Function 07D43E38 Relevance: 3.1, APIs: 2, Instructions: 91
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResumeThread.KERNEL32 ref: 07D43DF2
Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07D43EBE

Memory Dump Source

Source File: 00000000.00000002.1679356544.0000000007D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d40000_Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b.jbxd

Similarity

API ID: Thread$ContextResumeWow64
String ID:
API String ID: 1826235168-0
Opcode ID: 101587545d6733f20e55cb2602a174c3ecc96df39da984e4ee844ccb866978f6
Instruction ID: 5937fe9885abbad72cbd811f8db83e0069e946ee4fa9464d30d982bc023995f6
Opcode Fuzzy Hash: 101587545d6733f20e55cb2602a174c3ecc96df39da984e4ee844ccb866978f6
Instruction Fuzzy Hash: BC3158B29003098FDB10DFADC4857EEFBF0AF48324F24842AD459A7251C7789985CF95

Function 07D44AC4 Relevance: 1.7, APIs: 1, Instructions: 248
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 07D44D06

Memory Dump Source

Source File: 00000000.00000002.1679356544.0000000007D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d40000_Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: f8ff14e86a491d357d65401535dbf44318638a1b766547771d4f2c40600f2b9f
Instruction ID: d62fe422c6a2c895c17268b5bcc57ac190a23f9e6dcddd1ae908addb72f7863e
Opcode Fuzzy Hash: f8ff14e86a491d357d65401535dbf44318638a1b766547771d4f2c40600f2b9f
Instruction Fuzzy Hash: B2A14CB1D0065ADFEF24CFA8C8417EDFBB2AF44314F1485A9E848A7250DB749985CF92

Function 07D44AD0 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 07D44D06

Memory Dump Source

Source File: 00000000.00000002.1679356544.0000000007D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d40000_Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 39807c9e2c3b4fa4bb085db2f36c791f6878dcf013faa59956107e00a2ad2d54
Instruction ID: 15f1788c7ecf3168f8b7a0c0a729a5a6ad013ecb01ebe8d97e2bc3a859637e59
Opcode Fuzzy Hash: 39807c9e2c3b4fa4bb085db2f36c791f6878dcf013faa59956107e00a2ad2d54
Instruction Fuzzy Hash: C1914CB1D0065ADFDF24CFA8C8417DDFBB2AF44314F1481A9E848A7250DB749985CF92

Function 0322ADA8 Relevance: 1.7, APIs: 1, Instructions: 199
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 0322AFFE

Memory Dump Source

Source File: 00000000.00000002.1676173797.0000000003220000.00000040.00000800.00020000.00000000.sdmp, Offset: 03220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3220000_Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: ef531dbd7ae00d74980fca202fe8cca2b3d5067af7329cd23f92846b56b3e515
Instruction ID: 92e83c2a34fe20eaa6de8bab5ffccccac160c86cc6038fef6c082bfae846e2a5
Opcode Fuzzy Hash: ef531dbd7ae00d74980fca202fe8cca2b3d5067af7329cd23f92846b56b3e515
Instruction Fuzzy Hash: 19814770A10B159FD724DF29C94075ABBF1FF88304F148A2DD48ADBA50DB75E98ACB90

Function 07D44400 Relevance: 1.7, APIs: 1, Instructions: 164
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 07D443BE

Memory Dump Source

Source File: 00000000.00000002.1679356544.0000000007D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d40000_Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: a81ebaf8f724a5534d551b4f5c54bc58fc6d098c1a526c69eee3810b064c746b
Instruction ID: cf56584545ab9e70c22d32dfb55e2be902b6aaf872a1bb516144cb6dc21a665c
Opcode Fuzzy Hash: a81ebaf8f724a5534d551b4f5c54bc58fc6d098c1a526c69eee3810b064c746b
Instruction Fuzzy Hash: 00615BB0E002598FDB14CFA9C5846AEFBF2FF89304F24C56AE418A7255D7359981CFA1

Function 059E18E4 Relevance: 1.6, APIs: 1, Instructions: 120
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 059E1A02

Memory Dump Source

Source File: 00000000.00000002.1678049285.00000000059E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59e0000_Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: bb1923f626666e1147de0c23b30fa72aaf4063642d4d3563e7d30824463ee8aa
Instruction ID: 5558dce8078045458e28e0dba1ae340eb6a3aa410407ec0ecd9ffb40d45ea36d
Opcode Fuzzy Hash: bb1923f626666e1147de0c23b30fa72aaf4063642d4d3563e7d30824463ee8aa
Instruction Fuzzy Hash: 4751C2B1D00349DFDB15CFA9C885ADDBBB5BF88310F24822AE819AB210D7759945CF91

Function 059E18F0 Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 059E1A02

Memory Dump Source

Source File: 00000000.00000002.1678049285.00000000059E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59e0000_Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: f126c8f57a8a4a7d362ec9bcd3ca9dcf2ffea79204128c0501bde81980333f0b
Instruction ID: 8325e8b3afc68c68d888fdc0368b773741e92cf5457195d781fef27f90a0b302
Opcode Fuzzy Hash: f126c8f57a8a4a7d362ec9bcd3ca9dcf2ffea79204128c0501bde81980333f0b
Instruction Fuzzy Hash: AC41B0B1D00349DFDB15CF99C984ADEBFB5BF48310F24812AE819AB210D7719985CF91

Function 0322590C Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 032259C9

Memory Dump Source

Source File: 00000000.00000002.1676173797.0000000003220000.00000040.00000800.00020000.00000000.sdmp, Offset: 03220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3220000_Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 76e96bc1cfee9eeec14616c6fc7f9f484d6550432c8a3a133256686d390b9779
Instruction ID: 0f660916d61baacb91aded08b97328b9ecb4b8377ced4e1d6b38850c8c7fd102
Opcode Fuzzy Hash: 76e96bc1cfee9eeec14616c6fc7f9f484d6550432c8a3a133256686d390b9779
Instruction Fuzzy Hash: 4241F1B0C10619DFDB24CFA9C884BDDBBB5BF49304F24806AD408AB255DB755989CF90

Function 032244C4 Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 032259C9

Memory Dump Source

Source File: 00000000.00000002.1676173797.0000000003220000.00000040.00000800.00020000.00000000.sdmp, Offset: 03220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3220000_Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 55d3a818a8b39dfc04f593961ea31da7f26dc4b6cd51a7c22c49296295d11089
Instruction ID: 719df12c850a257ff99ef4d163d30449d133c0b20c5cb89603ccda0036215316
Opcode Fuzzy Hash: 55d3a818a8b39dfc04f593961ea31da7f26dc4b6cd51a7c22c49296295d11089
Instruction Fuzzy Hash: 6041F2B0C1061DDFDB24CFA9C84479DFBB5BF49314F24806AD409AB251DB755985CF90

Function 059E4040 Relevance: 1.6, APIs: 1, Instructions: 93COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 059E4101

Memory Dump Source

Source File: 00000000.00000002.1678049285.00000000059E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59e0000_Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 4f69d567bbd0f79ad358a35205cb4b94479a0ae1f69ce2b382785a767680bdd7
Instruction ID: 4c85f6803b57243c3fba724061526fa6800483e8b861b5bdddd3d95c605a892f
Opcode Fuzzy Hash: 4f69d567bbd0f79ad358a35205cb4b94479a0ae1f69ce2b382785a767680bdd7
Instruction Fuzzy Hash: 7E4137B4A00349CFCB15CF99C948AAABBF5FF99314F24C499D519AB321D375A841CFA0

Function 07D44840 Relevance: 1.6, APIs: 1, Instructions: 70injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 07D448D8

Memory Dump Source

Source File: 00000000.00000002.1679356544.0000000007D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d40000_Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 9f08b8c925d28e0281bc83ab5918b49793caad55720a24789a2b1a150c3203da
Instruction ID: c01334b1c6dacda9f32d66ee2b88ffa5b4d426e4fb4b8e58f8de9ce9f24e3de6
Opcode Fuzzy Hash: 9f08b8c925d28e0281bc83ab5918b49793caad55720a24789a2b1a150c3203da
Instruction Fuzzy Hash: D72157B59003599FCB00CFA9C981BEEBBF5FF48320F14852AE558A7250D7789594CBA4

Function 07D47B70 Relevance: 1.6, APIs: 1, Instructions: 69windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 07D47BD5

Memory Dump Source

Source File: 00000000.00000002.1679356544.0000000007D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d40000_Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 2de3fd7092a8f31a446830d3285b600439927b70e20779345970688e22c06172
Instruction ID: 9340cb34ddc5ebf71b79ca2110bab50b4d91d495e0bb367877c6c672a2e6d55a
Opcode Fuzzy Hash: 2de3fd7092a8f31a446830d3285b600439927b70e20779345970688e22c06172
Instruction Fuzzy Hash: FA2124B68003498FDB10CF99D488BDEFFF4AB58324F20841AD558A7210C379A588CFA1

Function 07D44848 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 07D448D8

Memory Dump Source

Source File: 00000000.00000002.1679356544.0000000007D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d40000_Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: b7b5a88839f0fb3a35b69f5d11457e4424a6f52924ae6328c86459e829c17a30
Instruction ID: 46d455251bdc9316bf02f5de0dea5431360951342660156f7be5ad55961c9db0
Opcode Fuzzy Hash: b7b5a88839f0fb3a35b69f5d11457e4424a6f52924ae6328c86459e829c17a30
Instruction Fuzzy Hash: 2A2139B19003599FCB10CFA9C885BEEFBF5FF48310F10842AE958A7251C7789954CBA4

Function 07D44930 Relevance: 1.6, APIs: 1, Instructions: 66COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 07D449B8

Memory Dump Source

Source File: 00000000.00000002.1679356544.0000000007D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d40000_Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: f4537e71b559537e490a0f9d3ed6e018c0e2d8aebb270414342262a1b85fcd34
Instruction ID: 61d59aa9dce44670d58087236dc80c6e3730e763ce816b0e1e5d7a10f2a918c3
Opcode Fuzzy Hash: f4537e71b559537e490a0f9d3ed6e018c0e2d8aebb270414342262a1b85fcd34
Instruction Fuzzy Hash: 882128B19002599FDB10CFA9C944BEEFBF1FF48310F10842EE959A7250C7359955DBA4

Function 0322D689 Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0322D717

Memory Dump Source

Source File: 00000000.00000002.1676173797.0000000003220000.00000040.00000800.00020000.00000000.sdmp, Offset: 03220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3220000_Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: cce9ee4ad43cb31db1fc38066e7eaf2970f3cc1ee4564893c3a823b5ca8ad700
Instruction ID: 487712ebd44dd5dc4e8195c42a0f5a66e86e9593e31cefa732576542431a0dae
Opcode Fuzzy Hash: cce9ee4ad43cb31db1fc38066e7eaf2970f3cc1ee4564893c3a823b5ca8ad700
Instruction Fuzzy Hash: 5E21E5B59002599FDB10CFA9D984AEEBFF5FB48314F14801AE954A3310C378A955CF60

Function 07D43E40 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07D43EBE

Memory Dump Source

Source File: 00000000.00000002.1679356544.0000000007D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d40000_Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 54c766cd964956534bd7732e67619ed4654745aec341fb028d6262fdbb87bc09
Instruction ID: 922f7092fd3e6cfcfc637abf34025e340380b47253c48bcd32b093e6974f28f2
Opcode Fuzzy Hash: 54c766cd964956534bd7732e67619ed4654745aec341fb028d6262fdbb87bc09
Instruction Fuzzy Hash: 4F2118B19002098FDB10DFAEC4857EEFBF5EF48324F14842AD459A7251CB789945CFA5

Function 07D44938 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 07D449B8

Memory Dump Source

Source File: 00000000.00000002.1679356544.0000000007D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d40000_Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 2876a307a0bfeccb25fbc72d11fb136bbb08e38135b96eed0e084c778e5b2a92
Instruction ID: 6b4639dc1d909ec539f7ea97ce8d159e7f9ade814040fbd44c7c64546f03d85d
Opcode Fuzzy Hash: 2876a307a0bfeccb25fbc72d11fb136bbb08e38135b96eed0e084c778e5b2a92
Instruction Fuzzy Hash: C42125B18002599FCB10DFAAC880BEEFBF5FF48320F10842AE559A7250C7389954DBA5

Function 0322D690 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0322D717

Memory Dump Source

Source File: 00000000.00000002.1676173797.0000000003220000.00000040.00000800.00020000.00000000.sdmp, Offset: 03220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3220000_Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: ace2f67f8829d61ee2c4a39082645b0c18c929e889486533a5f538910d87080e
Instruction ID: aa14071922fdc8b8c64196a8bde5c8fac72898c66032cd60149c7c7337c58d1f
Opcode Fuzzy Hash: ace2f67f8829d61ee2c4a39082645b0c18c929e889486533a5f538910d87080e
Instruction Fuzzy Hash: 2B21E4B5900258AFDB10CF9AD984ADEFFF4EB48310F14801AE954A3310C378A954CFA5

Function 07D44348 Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 07D443BE

Memory Dump Source

Source File: 00000000.00000002.1679356544.0000000007D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d40000_Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 96bea2c8c31be7a03a2e69d4f0001e9f89b27bbd1c1af882ad194381e4f018fc
Instruction ID: b418ab2db57bd4fcf8afcd736c1cc485d79be3f0f3c19379102859c704f91c28
Opcode Fuzzy Hash: 96bea2c8c31be7a03a2e69d4f0001e9f89b27bbd1c1af882ad194381e4f018fc
Instruction Fuzzy Hash: 42116AB29002898FCB10CFA9D844BEEFFF1EF88324F20842AE559A7250C7759554CFA1

Function 07D44350 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 07D443BE

Memory Dump Source

Source File: 00000000.00000002.1679356544.0000000007D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d40000_Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 8ab787aa53c1f30e88c77fb130dded2e72aa2b595d6c85c57ef368f7515b4bb5
Instruction ID: 7a7125ff100a3ae5b0ca165a5d9d296f38922a0a4f23f565396efc4b418d6867
Opcode Fuzzy Hash: 8ab787aa53c1f30e88c77fb130dded2e72aa2b595d6c85c57ef368f7515b4bb5
Instruction Fuzzy Hash: 761167B28002499FCB10DFAAC844BEEFFF5EF88320F108819E559A7250C775A554CFA0

Function 07D43D90 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNEL32 ref: 07D43DF2

Memory Dump Source

Source File: 00000000.00000002.1679356544.0000000007D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d40000_Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: a5e6d48cd84162a0d94ab5d28edfc2c77ee4fdd37c5ea6c4c1ee32aa1509b6fd
Instruction ID: b704941128dda68a4e41a7b4434d1061b8848f59957f748276ba06a14713c162
Opcode Fuzzy Hash: a5e6d48cd84162a0d94ab5d28edfc2c77ee4fdd37c5ea6c4c1ee32aa1509b6fd
Instruction Fuzzy Hash: 191136B19002598FCB20DFAEC4457EEFFF5EB88324F24842AD459A7250CB75A944CFA5

Function 07D43D88 Relevance: 1.5, APIs: 1, Instructions: 48threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNEL32 ref: 07D43DF2

Memory Dump Source

Source File: 00000000.00000002.1679356544.0000000007D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d40000_Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 9b91b6e5e4d581fafc5db07e91cde10ab8d839eba218c86e64474edf7550a73c
Instruction ID: 68403abbef53e9537c924d876e6c3916b746a7c0c9e974b5b6743c94b58d1f9e
Opcode Fuzzy Hash: 9b91b6e5e4d581fafc5db07e91cde10ab8d839eba218c86e64474edf7550a73c
Instruction Fuzzy Hash: 171176B19002498BCB10CFA9C4457EEFBF5AB88320F24842AC059A7210C734A544CB94

Function 07D45E34 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 07D47BD5

Memory Dump Source

Source File: 00000000.00000002.1679356544.0000000007D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d40000_Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 043c2a530b339a7c06fb8f5b6e3e133d72a0bd65e514009e3904e4dc96bc72d1
Instruction ID: f91a7c58efc9a8b2eaefbd601a1c37f102825cc4494d43330c50d9c12fca261e
Opcode Fuzzy Hash: 043c2a530b339a7c06fb8f5b6e3e133d72a0bd65e514009e3904e4dc96bc72d1
Instruction Fuzzy Hash: 2E11F2B58003499FCB10DF9AC484BEEFFF8EB58324F10841AE958A7210C375A954CFA5

Function 0322AF98 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 0322AFFE

Memory Dump Source

Source File: 00000000.00000002.1676173797.0000000003220000.00000040.00000800.00020000.00000000.sdmp, Offset: 03220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3220000_Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: ba65ef184590f679a61d8a2db643802549b65dd579c3b63db3a611ebf8dd32f1
Instruction ID: c557fa983771c3a221c53ad1c7883c54fadeff4a2e03512a17bcd23ff869e9e1
Opcode Fuzzy Hash: ba65ef184590f679a61d8a2db643802549b65dd579c3b63db3a611ebf8dd32f1
Instruction Fuzzy Hash: 4F11E0B5C002599FCB10CF9AC844BDEFBF4AF88324F14842AD869A7610D379A585CFA5

Function 0194D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1675959042.000000000194D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0194D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_194d000_Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e1b4a738969bfa4e93f5ae6fabfba27d2f410f7a72a4bb17090d070f3434fcb
Instruction ID: 0dbdf58241b8b25dbd1470e2eb093ff966618765426a265ea382cb8eb055cec9
Opcode Fuzzy Hash: 8e1b4a738969bfa4e93f5ae6fabfba27d2f410f7a72a4bb17090d070f3434fcb
Instruction Fuzzy Hash: BE212279604200DFDB15DF98D984F26BFA5EB94314F20C96DD80E4B256C33AD447CA61

Function 0194D006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1675959042.000000000194D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0194D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_194d000_Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8e865b74c3f7bb220cd781c6bd2c25ecde2450cb5ffeeedd07a9bea1aa50e46
Instruction ID: a004dea02638b1befe6bd8293ea6f7ab06644afd64b8549a8ce5b8903d576325
Opcode Fuzzy Hash: d8e865b74c3f7bb220cd781c6bd2c25ecde2450cb5ffeeedd07a9bea1aa50e46
Instruction Fuzzy Hash: 4B21A4755093808FDB13CF64D994B15BFB1EB46214F28C5DAD8498F2A7C33AD80ACB62

Non-executed Functions

Function 059E0040 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1678049285.00000000059E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59e0000_Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdbfbc363ce684bbc23b37c4b9c2a60cb14a56d35a2f40ed8db6783bcd93b177
Instruction ID: 012486ceb6bb5ffd987f766a5e5f05e762b43e85656da158e34932d78e985a11
Opcode Fuzzy Hash: fdbfbc363ce684bbc23b37c4b9c2a60cb14a56d35a2f40ed8db6783bcd93b177
Instruction Fuzzy Hash: 7F1296B8401746CBE710EF65F94C2893BB1BB46718B70C219D2E16F6E9DBB8154ACF44

Function 07D43F18 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1679356544.0000000007D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d40000_Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f4960e80c95c84886115077ad1e2e38856b821315063f4e1dfff565f47a57bb
Instruction ID: c4d350a5e30da2db83ceeeeebd29a0d265644f9784bf17cc6e6305f67c33bd3a
Opcode Fuzzy Hash: 5f4960e80c95c84886115077ad1e2e38856b821315063f4e1dfff565f47a57bb
Instruction Fuzzy Hash: B6E108B4E101598FDB14CFA9C590AAEFBF2FF89304F248169E405AB356D731A981CF61

Function 07D43510 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1679356544.0000000007D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d40000_Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b877a259f0cebb14b094b82287bccdcfe18aafa5d7e79edc92ed9a244b96b60
Instruction ID: 7d937e30b60b427d826bfd7098e16a0f22ffba7aee368c74dc79bf400fc2a8b4
Opcode Fuzzy Hash: 2b877a259f0cebb14b094b82287bccdcfe18aafa5d7e79edc92ed9a244b96b60
Instruction Fuzzy Hash: ECE1F5B4E102598FDB14CFA9C5809AEFBF2FF89304F248169E459AB356D730A941CF61

Function 07D41D10 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1679356544.0000000007D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d40000_Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2134025f64fa4519ba9754575bb0b20267ed25a763fcd7c1fed7118eb47bf63f
Instruction ID: 97647d693b2d71d3bc75499086e025b8a61a7e4924aba0986582eab93c55e349
Opcode Fuzzy Hash: 2134025f64fa4519ba9754575bb0b20267ed25a763fcd7c1fed7118eb47bf63f
Instruction Fuzzy Hash: EDE1F7B4E101198FDB14CFA9C5809AEFBF2FF89304F248169E415AB356D731A982CF61

Function 07D44410 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1679356544.0000000007D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d40000_Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67771eff9fee2715b5314647ffea5326cec436935a73d6780049a75b95b44fe8
Instruction ID: 4f69ec35c7b2edb118b1de4bb036a91786b7bf0e8c245d5e5a57c9c9e11c7e59
Opcode Fuzzy Hash: 67771eff9fee2715b5314647ffea5326cec436935a73d6780049a75b95b44fe8
Instruction Fuzzy Hash: A1E1F9B4E101598FDB14CFA9C590AAEFBF2FF89304F248169E415AB356D730A981CF61

Function 07D418D8 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1679356544.0000000007D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d40000_Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0543628aa37a9451087647d4b095ac30e7c820871d32d55e881d1a31502ada7b
Instruction ID: 587dbd9867e09691c902efe2691a862277dc33e4d2f2439880fe8f615dac1675
Opcode Fuzzy Hash: 0543628aa37a9451087647d4b095ac30e7c820871d32d55e881d1a31502ada7b
Instruction Fuzzy Hash: 4DE1E9B4E10159CFDB14CFA9C5809AEFBB2FF89304F248169E415AB356D731A981CF61

Function 0322D5BC Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1676173797.0000000003220000.00000040.00000800.00020000.00000000.sdmp, Offset: 03220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3220000_Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb9180ab491129372ea15022e6ddde4b8cd4099e26c1b3cb1b1f08791ea1c6e5
Instruction ID: 1b13f6c1925c345c72929d497134b6b69d6593807c5d0ef2cd2a12ae42530da8
Opcode Fuzzy Hash: bb9180ab491129372ea15022e6ddde4b8cd4099e26c1b3cb1b1f08791ea1c6e5
Instruction Fuzzy Hash: E0A18136E10319AFCF05DFB4C94459EBBB2FF85700B15816AE801AF265DB71D955CB40

Function 059E0006 Relevance: .2, Instructions: 239COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1678049285.00000000059E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59e0000_Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1be60e86013c395b281b5ef4c4806473e3c331fcda0a85c2537d6a9bd17cf5ef
Instruction ID: c4420fc134162fbd69d6152473e1e5c7b049d945fa16d883e5cf268df5ba5570
Opcode Fuzzy Hash: 1be60e86013c395b281b5ef4c4806473e3c331fcda0a85c2537d6a9bd17cf5ef
Instruction Fuzzy Hash: 5ED1F5B8801746CBD711EF64F84C2897BB1FF86318B74C219D1A16B2E9DBB8148ACF44

Function 07D43F08 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1679356544.0000000007D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d40000_Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebd976eb9fd33818239756cc9046573d7e6d6d2cd0baef77cfe5fca77c0abb42
Instruction ID: 7d7449dc800f373b16669311962e5f3d8c5614bdf001b0fa48114ab7c860a1ad
Opcode Fuzzy Hash: ebd976eb9fd33818239756cc9046573d7e6d6d2cd0baef77cfe5fca77c0abb42
Instruction Fuzzy Hash: 5F5119B0E102598FDB14CFA9C5845AEFBF2BF89304F24816AD418B7356DB319942CFA1

Function 07D43501 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1679356544.0000000007D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d40000_Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c7f36397b79d15755b5ff79108423568e9d6275c7ee43d36d37165aca29e2a4
Instruction ID: 89665b62d694a2396d632a11e4b6b10f5cc71e1e2d79d9e4a297e7f89ba9f467
Opcode Fuzzy Hash: 2c7f36397b79d15755b5ff79108423568e9d6275c7ee43d36d37165aca29e2a4
Instruction Fuzzy Hash: F15108B4E102198FDB14CFA9C5805AEFBF2BF89304F24816AD418BB356D7349942CF61

Analysis Process: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exePID: 7032, Parent PID: 6364COMMON

Executed Functions

Function 00F9B328 Relevance: 6.6, Strings: 5, Instructions: 363COMMON

Download Yara Rule

Strings

LjAp, xrefs: 00F9B6CF
PH^q, xrefs: 00F9B758
0oAp, xrefs: 00F9B562
LjAp, xrefs: 00F9B6E5
PH^q, xrefs: 00F9B747

Memory Dump Source

Source File: 00000005.00000002.1964785029.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_f90000_Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b.jbxd

Similarity

API ID:
String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
API String ID: 0-1487592376
Opcode ID: 15e31d3db88da7dfad34a8c63e7333ae0eb251dfadbd3ff1507ab23980979991
Instruction ID: 20b16f93e04e8adcd1c3811822a3382b9f2d73650dbcdb76e142fe7641aebbd2
Opcode Fuzzy Hash: 15e31d3db88da7dfad34a8c63e7333ae0eb251dfadbd3ff1507ab23980979991
Instruction Fuzzy Hash: F3E1E875E00618CFEF14DFA9D984A9DBBB1BF88310F158069E809AB362DB31AD41DF50

Function 00F9C1DF Relevance: 6.4, Strings: 5, Instructions: 180COMMON

Download Yara Rule

Strings

LjAp, xrefs: 00F9C3C5
PH^q, xrefs: 00F9C427
0oAp, xrefs: 00F9C242
PH^q, xrefs: 00F9C438
LjAp, xrefs: 00F9C3AF

Memory Dump Source

Source File: 00000005.00000002.1964785029.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_f90000_Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b.jbxd

Similarity

API ID:
String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
API String ID: 0-1487592376
Opcode ID: 8a713e9f8466433bcef05dd8972a748ec8a96354c376c8aca39240f8f5299180
Instruction ID: 79cdf01de392c6b6a718d76cb76451b61afb7e7fc2a58bc2b355208e2085b1cb
Opcode Fuzzy Hash: 8a713e9f8466433bcef05dd8972a748ec8a96354c376c8aca39240f8f5299180
Instruction Fuzzy Hash: D681B474E00218CFEB14DFAAD984A9DBBF2BF89310F14D069E409AB365DB349941DF50

Function 00F9C4BF Relevance: 6.4, Strings: 5, Instructions: 180COMMON

Download Yara Rule

Strings

PH^q, xrefs: 00F9C707
0oAp, xrefs: 00F9C522
LjAp, xrefs: 00F9C6A5
PH^q, xrefs: 00F9C718
LjAp, xrefs: 00F9C68F

Memory Dump Source

Source File: 00000005.00000002.1964785029.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_f90000_Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b.jbxd

Similarity

API ID:
String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
API String ID: 0-1487592376
Opcode ID: 1fb9c069d40e2b3c302e11ac71e5c88019d677e0f70cb6d08018d8a306482810
Instruction ID: dfde9fad98b340b0b49a1f93b763056d508126e7ee37e5745a174919149b62a2
Opcode Fuzzy Hash: 1fb9c069d40e2b3c302e11ac71e5c88019d677e0f70cb6d08018d8a306482810
Instruction Fuzzy Hash: 1681C374E00218CFEB14DFAAD984A9DBBF2BF88310F14D069E409AB365DB349981DF50

Function 00F9C79F Relevance: 6.4, Strings: 5, Instructions: 180COMMON

Download Yara Rule

Strings

PH^q, xrefs: 00F9C9E7
PH^q, xrefs: 00F9C9F8
0oAp, xrefs: 00F9C802
LjAp, xrefs: 00F9C96F
LjAp, xrefs: 00F9C985

Memory Dump Source

Source File: 00000005.00000002.1964785029.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_f90000_Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b.jbxd

Similarity

API ID:
String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
API String ID: 0-1487592376
Opcode ID: 8526de7d7084ba6391b367148ef863f3f696f57d2a55dd300c8735ec77e429a3
Instruction ID: aaed7378c07a4f9ccde7832b1d06ca663c5587335d63dd9e6f7d5c3e5982a3b8
Opcode Fuzzy Hash: 8526de7d7084ba6391b367148ef863f3f696f57d2a55dd300c8735ec77e429a3
Instruction Fuzzy Hash: 4D81B474E00218DFEB14DFAAD984A9DBBF2BF89310F14C069E409AB365DB349981DF50

Function 00F94AE7 Relevance: 6.4, Strings: 5, Instructions: 180COMMON

Download Yara Rule

Strings

PH^q, xrefs: 00F94D30
LjAp, xrefs: 00F94CB8
LjAp, xrefs: 00F94CCE
PH^q, xrefs: 00F94D41
0oAp, xrefs: 00F94B4A

Memory Dump Source

Source File: 00000005.00000002.1964785029.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_f90000_Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b.jbxd

Similarity

API ID:
String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
API String ID: 0-1487592376
Opcode ID: 84fa8d788b3360feb031dee2c122ac5f893f45b36e1331009256b0328a6442a4
Instruction ID: a6bb777ab88998fbf1382d94c646d5f46341d670f48dd9b64649b7d8ce833e89
Opcode Fuzzy Hash: 84fa8d788b3360feb031dee2c122ac5f893f45b36e1331009256b0328a6442a4
Instruction Fuzzy Hash: 8281B574E01218CFEB14DFAAD984A9DBBF2BF88310F14C069E419AB365DB34A945DF10

Function 00F9CA7F Relevance: 6.4, Strings: 5, Instructions: 180COMMON

Download Yara Rule

Strings

PH^q, xrefs: 00F9CCC7
LjAp, xrefs: 00F9CC4F
PH^q, xrefs: 00F9CCD8
0oAp, xrefs: 00F9CAE2
LjAp, xrefs: 00F9CC65

Memory Dump Source

Source File: 00000005.00000002.1964785029.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_f90000_Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b.jbxd

Similarity

API ID:
String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
API String ID: 0-1487592376
Opcode ID: 71588f8e0ceff4989975622bd6c2885c697eedd9b7dd7d371e9354bc3c209257
Instruction ID: 7f5be6d15ef34b008ef82023bb955b07777eaec3261ed9cb15825b39045d9d51
Opcode Fuzzy Hash: 71588f8e0ceff4989975622bd6c2885c697eedd9b7dd7d371e9354bc3c209257
Instruction Fuzzy Hash: 5481B474E00258CFEB14DFAAD994A9DBBF2BF88310F14C069E409AB365DB349981DF50

Function 00F9BBDF Relevance: 6.4, Strings: 5, Instructions: 180COMMON

Download Yara Rule

Strings

PH^q, xrefs: 00F9BE38
LjAp, xrefs: 00F9BDC5
LjAp, xrefs: 00F9BDAF
0oAp, xrefs: 00F9BC42
PH^q, xrefs: 00F9BE27

Memory Dump Source

Source File: 00000005.00000002.1964785029.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_f90000_Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b.jbxd

Similarity

API ID:
String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
API String ID: 0-1487592376
Opcode ID: d9ff97a05ac408c57fb241b3f2981fdfc1f60358d8006dea8a3df4d15481bad2
Instruction ID: a914770d736ca648c9889b077549858ad9fbbc47221b86218d2444be026759c1
Opcode Fuzzy Hash: d9ff97a05ac408c57fb241b3f2981fdfc1f60358d8006dea8a3df4d15481bad2
Instruction Fuzzy Hash: E6819474E00218DFEB14DFAAD984A9DBBF2BF89310F14C06AE419AB365DB349945DF10

Function 00F9CD5F Relevance: 6.4, Strings: 5, Instructions: 180COMMON

Download Yara Rule

Strings

LjAp, xrefs: 00F9CF2F
PH^q, xrefs: 00F9CFB8
PH^q, xrefs: 00F9CFA7
LjAp, xrefs: 00F9CF45
0oAp, xrefs: 00F9CDC2

Memory Dump Source

Source File: 00000005.00000002.1964785029.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_f90000_Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b.jbxd

Similarity

API ID:
String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
API String ID: 0-1487592376
Opcode ID: 33fbb004466fdc91b8b44ddd64173a6887a203ea72084c9bf26df88696e967fc
Instruction ID: 8b548109f8a95f84bd688b4ec73954664d194965f74bfc4bb441dc52e0660ee4
Opcode Fuzzy Hash: 33fbb004466fdc91b8b44ddd64173a6887a203ea72084c9bf26df88696e967fc
Instruction Fuzzy Hash: E581A474E01218DFEB14DFAAD984A9DBBF2BF88310F14C069E419AB365DB349941DF50

Function 00F99540 Relevance: 6.1, Strings: 4, Instructions: 1141COMMON

Download Yara Rule

Strings

4'^q, xrefs: 00F99564
4'^q, xrefs: 00F9A273
(o^q, xrefs: 00F99C78
4'^q, xrefs: 00F9966C

Memory Dump Source

Source File: 00000005.00000002.1964785029.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_f90000_Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b.jbxd

Similarity

API ID:
String ID: (o^q$4'^q$4'^q$4'^q
API String ID: 0-183542557
Opcode ID: 3a247aa4c903ffed5235e84cacbcce1ebdec585e8de5bb3d2645d05ffcab33ea
Instruction ID: 6a6ec2ab2a47566f4251a0540768b75a1fcc19bf33606e4dbb6d3d850eccfa58
Opcode Fuzzy Hash: 3a247aa4c903ffed5235e84cacbcce1ebdec585e8de5bb3d2645d05ffcab33ea
Instruction Fuzzy Hash: A3A2BE71A04209CFDF15CF68C884AAEBBB2FF88310F158569E805DB2A1D775ED81DB91

Function 00F96880 Relevance: 5.3, Strings: 4, Instructions: 340COMMON

Download Yara Rule

Strings

,bq, xrefs: 00F969F2
(o^q, xrefs: 00F9697A
,bq, xrefs: 00F96A00
(o^q, xrefs: 00F96988

Memory Dump Source

Source File: 00000005.00000002.1964785029.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_f90000_Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b.jbxd

Similarity

API ID:
String ID: (o^q$(o^q$,bq$,bq
API String ID: 0-879173519
Opcode ID: 814074bb3c7bdd8d5fc6ae4feedabe2e3936b6358b8372e18355a931d1fe8f13
Instruction ID: a7bdb6844f66d391a61b018fce19fe2812a6b8a7c77bc5a00336aceaf97340d5
Opcode Fuzzy Hash: 814074bb3c7bdd8d5fc6ae4feedabe2e3936b6358b8372e18355a931d1fe8f13
Instruction Fuzzy Hash: B7D14971E002099FEF15CFA9C984AADBBB2FF88355F15806AE445EB261E734EC41DB50

Function 00F96108 Relevance: 3.0, Strings: 2, Instructions: 515COMMON

Download Yara Rule

Strings

Hbq, xrefs: 00F9650E
(o^q, xrefs: 00F96642

Memory Dump Source

Source File: 00000005.00000002.1964785029.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_f90000_Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b.jbxd

Similarity

API ID:
String ID: (o^q$Hbq
API String ID: 0-662517225
Opcode ID: d1cfb4a42e30b0e4a811a47a2cafbdabd875dc4d9f051716c257357ad67b43a7
Instruction ID: 5c7699f7ab5c16c498d6092e244f3630c24129ae9769c36442ce77129d3b0268
Opcode Fuzzy Hash: d1cfb4a42e30b0e4a811a47a2cafbdabd875dc4d9f051716c257357ad67b43a7
Instruction Fuzzy Hash: 7A12AC71A002188FDB15DFA9C854AAEBBF6FF88304F208569E449DB391DF349D46DB90

Function 00F96E58 Relevance: 10.5, Strings: 8, Instructions: 478COMMON

Download Yara Rule

Strings

,bq, xrefs: 00F972F8
,bq, xrefs: 00F97308
(o^q, xrefs: 00F96E96
(o^q, xrefs: 00F97377
(o^q, xrefs: 00F97367
(o^q, xrefs: 00F96F51
(o^q, xrefs: 00F96F7D
(o^q, xrefs: 00F9701A

Memory Dump Source

Source File: 00000005.00000002.1964785029.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_f90000_Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b.jbxd

Similarity

API ID:
String ID: (o^q$(o^q$(o^q$(o^q$(o^q$(o^q$,bq$,bq
API String ID: 0-1932283790
Opcode ID: 8fc9736f1f91f26d6fdfca953c281896ccf165ae99d04f8d35c74d893a501bf5
Instruction ID: 596fe22e35dc597c00beb10da7512913a0e3edd42eaf74d0a1c397ae851a2a99
Opcode Fuzzy Hash: 8fc9736f1f91f26d6fdfca953c281896ccf165ae99d04f8d35c74d893a501bf5
Instruction Fuzzy Hash: F3125830A143088FDF15DF69D984A9EBBF2BF88314F1485A9E809DB2A1D731ED45DB50

Function 00F92150 Relevance: 8.4, Strings: 6, Instructions: 905COMMON

Download Yara Rule

Strings

Xbq, xrefs: 00F9220E
Xbq, xrefs: 00F92248
Xbq, xrefs: 00F9345E
Xbq, xrefs: 00F92314
Xbq, xrefs: 00F922C7
Xbq, xrefs: 00F93435

Memory Dump Source

Source File: 00000005.00000002.1964785029.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_f90000_Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b.jbxd

Similarity

API ID:
String ID: Xbq$Xbq$Xbq$Xbq$Xbq$Xbq
API String ID: 0-1317942629
Opcode ID: 3d695431fadb8dcde1f051e47e1d312183240333e53bacbbb8b69a99713be7d7
Instruction ID: c8296e70ccddb5c9446f38a5313d770ecb8b0986434e35a259c7cfbfe311cc3c
Opcode Fuzzy Hash: 3d695431fadb8dcde1f051e47e1d312183240333e53bacbbb8b69a99713be7d7
Instruction Fuzzy Hash: DD42166AD9D2814FCF034F3849FF2B93FE4EF89124B2882FE858597646D5D4840BA716

Function 00F977F0 Relevance: 3.2, Strings: 2, Instructions: 697COMMON

Download Yara Rule

Strings

$^q, xrefs: 00F98337
$^q, xrefs: 00F98314

Memory Dump Source

Source File: 00000005.00000002.1964785029.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_f90000_Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b.jbxd

Similarity

API ID:
String ID: $^q$$^q
API String ID: 0-355816377
Opcode ID: 045aa8d41556d7939315b910e63d2de404047f7ff2897a4b7817c99fa8dadc40
Instruction ID: 64a638d749b59d7901a30aa69d7a16dbe68a51975264e341e1f8278a5ef05c19
Opcode Fuzzy Hash: 045aa8d41556d7939315b910e63d2de404047f7ff2897a4b7817c99fa8dadc40
Instruction Fuzzy Hash: EF524274A00258CFEB15DBA4C860B9EBB72FF54300F1081A9D10A6B7A5CF359E86EF51

Function 00F987E9 Relevance: 2.8, Strings: 2, Instructions: 332COMMON

Download Yara Rule

Strings

4'^q, xrefs: 00F98811
4'^q, xrefs: 00F98837

Memory Dump Source

Source File: 00000005.00000002.1964785029.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_f90000_Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q
API String ID: 0-2697143702
Opcode ID: d652c032813a6bdda6bc7f28d0c9671a46cc41577f2425399917a09d2dc8c5a5
Instruction ID: fe3e66c1de4bc0c50401d0d925fdf967cb5e9406ff80fae3b8b55959b20b4e9d
Opcode Fuzzy Hash: d652c032813a6bdda6bc7f28d0c9671a46cc41577f2425399917a09d2dc8c5a5
Instruction Fuzzy Hash: 8FB14F71B145018FEF159F28C968B393696AFC7794F1844AAE106CF3A1EE29CC43A752

Function 00F956A8 Relevance: 2.8, Strings: 2, Instructions: 329COMMON

Download Yara Rule

Strings

Hbq, xrefs: 00F95793
Hbq, xrefs: 00F957C6

Memory Dump Source

Source File: 00000005.00000002.1964785029.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_f90000_Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b.jbxd

Similarity

API ID:
String ID: Hbq$Hbq
API String ID: 0-4258043069
Opcode ID: 9f09833f93d6d6b33094f3a2d305a584176cb52bc8c50160d0158a3c6120a9a3
Instruction ID: 7c87f899b61d4d6d0bf8eab1fab120f354d38a7ff5d37d9a4ee206545b2f3818
Opcode Fuzzy Hash: 9f09833f93d6d6b33094f3a2d305a584176cb52bc8c50160d0158a3c6120a9a3
Instruction Fuzzy Hash: 33B1EE31B04654CFEF169F79C894B2E7BA6BB89710F148529E846CB391DB39CC02E791

Function 00F95C08 Relevance: 2.7, Strings: 2, Instructions: 232COMMON

Download Yara Rule

Strings

,bq, xrefs: 00F95CE8
,bq, xrefs: 00F95CDE

Memory Dump Source

Source File: 00000005.00000002.1964785029.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_f90000_Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b.jbxd

Similarity

API ID:
String ID: ,bq$,bq
API String ID: 0-2699258169
Opcode ID: 07b80e17816e126629c087d7ef14730389691071e75f64c66da9b9621675b309
Instruction ID: 173f64418ee09310e9b7db9c44070717da24d13f9da2a69cbf529fdc6963a3c1
Opcode Fuzzy Hash: 07b80e17816e126629c087d7ef14730389691071e75f64c66da9b9621675b309
Instruction Fuzzy Hash: FA81A131B04A058FEF16DFB9C888A6EB7B2BF89B10B24816AD405DB365D731ED41DB50

Function 00F90CA0 Relevance: 1.6, Strings: 1, Instructions: 395COMMON

Download Yara Rule

Strings

LR^q, xrefs: 00F90E5E

Memory Dump Source

Source File: 00000005.00000002.1964785029.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_f90000_Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: 7bacf24e6fe25ad16b65403482528f05be911f9f20602b36369b2162dd08860c
Instruction ID: 2d55f88cad440acf2a844c09dba476f50f87ed3417862f9c3182698eee6f3b9c
Opcode Fuzzy Hash: 7bacf24e6fe25ad16b65403482528f05be911f9f20602b36369b2162dd08860c
Instruction Fuzzy Hash: 1E22A774905219CFCB55EF64E994B9DBBB2FF88301F1085AAD449AB368DB306D85CF40

Function 00F90C9F Relevance: 1.6, Strings: 1, Instructions: 395COMMON

Download Yara Rule

Strings

LR^q, xrefs: 00F90E5E

Memory Dump Source

Source File: 00000005.00000002.1964785029.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_f90000_Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: da217b68d657cdf73d3403b718818c5d0c390bc824a5dd385d8eef8ab6125677
Instruction ID: 8fde28e0f6f77fe2051db3c2bcca0e1ed5e73fa224f18804d881ff9e1967b2d4
Opcode Fuzzy Hash: da217b68d657cdf73d3403b718818c5d0c390bc824a5dd385d8eef8ab6125677
Instruction Fuzzy Hash: 1122A774905219CFCB55EF64E994B9DBBB2FF88301F1086AAD449AB368DB306D85CF40

Function 00F9A650 Relevance: 1.4, Strings: 1, Instructions: 128COMMON

Download Yara Rule

Strings

(o^q, xrefs: 00F9A7D9

Memory Dump Source

Source File: 00000005.00000002.1964785029.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_f90000_Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b.jbxd

Similarity

API ID:
String ID: (o^q
API String ID: 0-74704288
Opcode ID: a1bc292db24804cd88c5603a2f70d29b107295b9ee15b9ddb5d67437fedbb827
Instruction ID: daaafa66c5e3da2191e4612f73951adeaa5b50c9e9d1e008be84792df99264b8
Opcode Fuzzy Hash: a1bc292db24804cd88c5603a2f70d29b107295b9ee15b9ddb5d67437fedbb827
Instruction Fuzzy Hash: 6B4122317002048FCB169F78D855AAE7BF6BBC8310F248469E906D7391CE359C02CBE1

Function 00F9A818 Relevance: .4, Instructions: 418COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1964785029.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_f90000_Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13d8a0930155fa5a22b34a503418d0d8ef2c63264ad0bd12cdcfbfa04ca5e5ca
Instruction ID: d71635b3dd7c013b9164881b574b21c7086b5d19a4f2382297a0612294b17e23
Opcode Fuzzy Hash: 13d8a0930155fa5a22b34a503418d0d8ef2c63264ad0bd12cdcfbfa04ca5e5ca
Instruction Fuzzy Hash: 5EF12971E00214CFDB05DFADD9889ADBBF6BF88310B1A8059E519AB361CB35EC41DB91

Function 00F97438 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1964785029.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_f90000_Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aea29e05a35a1c6fc7c86fbcecf05e13d0fb60a61a25f03c4ed854f005d954b2
Instruction ID: c9cdb521a1dfab89595c06945b443d309dc1ea1899d0664a9ea2ea063a26f12d
Opcode Fuzzy Hash: aea29e05a35a1c6fc7c86fbcecf05e13d0fb60a61a25f03c4ed854f005d954b2
Instruction Fuzzy Hash: EA710834B187058FDF65EF28C898AAA7BE5AF49710F1900A9E406CB3B1DB75DC41DB90

Function 00F9D378 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1964785029.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_f90000_Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0192206ddacbe81d3ee3fa840288c704b9cd49ff713115b26d047e8b1fbdbd2
Instruction ID: fbbc21af0551905be12f80dca308eb0395c7d66315a2882d27353e5394137402
Opcode Fuzzy Hash: b0192206ddacbe81d3ee3fa840288c704b9cd49ff713115b26d047e8b1fbdbd2
Instruction Fuzzy Hash: 49519174075746CFC3263BE4A9AC23E7BA5FB0F327B056D00A18E85058DB7A4184CB21

Function 00F9D377 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1964785029.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_f90000_Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c55f0e578e449bf00bf6ef62429a83955bbfd07db7d937e6445c5853617d1fa
Instruction ID: 99624ad63331e20a737c46f8a4e229ebc6e1104ca20e4f2abca5a17b33c7eda2
Opcode Fuzzy Hash: 6c55f0e578e449bf00bf6ef62429a83955bbfd07db7d937e6445c5853617d1fa
Instruction Fuzzy Hash: 6C519174075786CFC3262BE4A9AC23E7BA1FB0F327B056D05A08E85058DB7A4185CB21

Function 00F93908 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1964785029.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_f90000_Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2bff1e1718980e14094b3bd1fcd134fde8b8de713ed9d592015a1fdb9a06c77
Instruction ID: 9c8f3d2ce85a43be80bdd855e5b2ac5b983715c654e6cbe7930808e8ec111dcd
Opcode Fuzzy Hash: c2bff1e1718980e14094b3bd1fcd134fde8b8de713ed9d592015a1fdb9a06c77
Instruction Fuzzy Hash: 8A51A675E01208CFDB08DFA9D99499DBBF2FF89310B209469E805AB364DB35A946CF40

Function 00F93907 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1964785029.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_f90000_Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c6ea15b108d970be9700960b276cefa25afdeb23d6661cd9d6106754c0af51a
Instruction ID: 8c5124d666a16af4a6cd97fa524888349c4945860380aa47c285357e85c79a77
Opcode Fuzzy Hash: 3c6ea15b108d970be9700960b276cefa25afdeb23d6661cd9d6106754c0af51a
Instruction Fuzzy Hash: 2551A675E01208CFDB08DFA9D99499DBBF2FF89300B209469E805AB364DB35A946CF40

Function 00F9D03F Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1964785029.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_f90000_Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6a36c400c91cfb0ff91cdbacc59608a52b3d0f6ea134223c2811cab1eba35a2
Instruction ID: ed5c5175380c4f9d1b18f56ff0d4cb0cfa41b2a1a0dabbc7cad52cdb1e63ecc8
Opcode Fuzzy Hash: c6a36c400c91cfb0ff91cdbacc59608a52b3d0f6ea134223c2811cab1eba35a2
Instruction Fuzzy Hash: 46519574E01218DFDB58DFA9D58499DBBF2FF89300F208169E809AB365DB319905CF10

Function 00F99A63 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1964785029.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_f90000_Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e04df65ec49961bddd19da408c0bc1e7fa743d5df5289f34c2868de411af8e2
Instruction ID: 526cf92c328ba0831f31ddb0564dc9ab79ff80ecb5253481bb4442bafa9c3fb8
Opcode Fuzzy Hash: 3e04df65ec49961bddd19da408c0bc1e7fa743d5df5289f34c2868de411af8e2
Instruction Fuzzy Hash: 8B41E331A08249DFEF15CFA8D844A9DBFB2FF89310F158159E8059B291D3B9DD11EB50

Function 00F96730 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1964785029.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_f90000_Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5537e7311ec633fa0219968ca0400030a2c4efb85158a2b1cbd25ff3c5d856f4
Instruction ID: 7630704906f39289efd6ff53d3c89df52ce2b11a2ba95416a14f3ed055e72d34
Opcode Fuzzy Hash: 5537e7311ec633fa0219968ca0400030a2c4efb85158a2b1cbd25ff3c5d856f4
Instruction Fuzzy Hash: 6541F230E00248DFDF118F64C844BAA7BB6FF44314F04846AE845DB292DB78DD45EBA2

Function 00F9F218 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1964785029.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_f90000_Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77298bc79a3ea6a3c10a2884180b42fa02c422ba05cabc19a714151823a1306d
Instruction ID: f6b718dfaf6c7612f4870cc4d9215d9a4fea89392244f0a31b80da4be823b02e
Opcode Fuzzy Hash: 77298bc79a3ea6a3c10a2884180b42fa02c422ba05cabc19a714151823a1306d
Instruction Fuzzy Hash: 7E3183317002195FEB05FB38E415A2E36E2FFC97147218969E406CB3A4EE78ED06DB91

Function 00F94DC8 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1964785029.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_f90000_Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be8550f0261194f2d84f8d99b47bad9f4f6a6b37c1367807f593f7d5596c625b
Instruction ID: 41885bb7157bdf2a6251f84437add3165182166caf01236df541d07451142fe8
Opcode Fuzzy Hash: be8550f0261194f2d84f8d99b47bad9f4f6a6b37c1367807f593f7d5596c625b
Instruction Fuzzy Hash: ED31C531704249DFDF16AF64D454EAF3BA2FB98314F104418F9568B295CB39ED22EBA0

Function 00F976D0 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1964785029.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_f90000_Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41c6714a009247d8522121dcdc1e7ab8af51eba65ea965e8019c08638d6fe46a
Instruction ID: ba695b3c176b0aa48d893addc69c87c35eca7727c7fb5247ce0d857a771e7e65
Opcode Fuzzy Hash: 41c6714a009247d8522121dcdc1e7ab8af51eba65ea965e8019c08638d6fe46a
Instruction Fuzzy Hash: AD21F435B183005BFF2527799894A3A2797AFC4728B184079D546CB755EE29CC43F383

Function 00F9A809 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1964785029.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_f90000_Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e7979ddcdd51850b8e5b7645749c4f3530810a60d800b0be6615d756893ea11
Instruction ID: 3c211dbe50bfef7210a60347f05d378375f1d36a619b2664bf783228b18af5e4
Opcode Fuzzy Hash: 8e7979ddcdd51850b8e5b7645749c4f3530810a60d800b0be6615d756893ea11
Instruction Fuzzy Hash: 9531B170A006198FDB04CFADC8899AEBBF2FF88310B158159E455973A1CB34DD12CBD1

Function 00F976E0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1964785029.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_f90000_Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce19d31a4f29ed489cca6d44bf05be18ec6079fc3d1683b8c0186ad46fd2476c
Instruction ID: 7244267ddc8f9279d5cb018f8f8f0247b3b38c56573a62512434ee637b5268f8
Opcode Fuzzy Hash: ce19d31a4f29ed489cca6d44bf05be18ec6079fc3d1683b8c0186ad46fd2476c
Instruction Fuzzy Hash: 2321B6357283045BFF252765C854A3A36979FC4728F144074D506CB798EE29CC42F383

Function 00F92060 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1964785029.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_f90000_Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ad35f32cbaf1c5919c9f14b034068d6456db1204bc9811fe03958fdcf00b0c3
Instruction ID: c43608b024cada7572c1ae3d01c6b830c352862dc7d6334aa1abdf4faf7f72a9
Opcode Fuzzy Hash: 2ad35f32cbaf1c5919c9f14b034068d6456db1204bc9811fe03958fdcf00b0c3
Instruction Fuzzy Hash: BF21F171A00105AFCF64DF34C4509AE37A5EB99764B10C41DD84A8B340DB35EE42DBD2

Function 00F9F208 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1964785029.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_f90000_Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27421f8c1605eff9b3d87cef03436705a6a52fc8afc1ce5eecdc38886ad9eb99
Instruction ID: a7c51f0bd09f59f6c26a34def32e6139689f55f55372ecdb655f743e3ff22846
Opcode Fuzzy Hash: 27421f8c1605eff9b3d87cef03436705a6a52fc8afc1ce5eecdc38886ad9eb99
Instruction Fuzzy Hash: 682104317042555FEB06BB78E41162E37A2FFC5310B108569D406CB395EE38DD06DB92

Function 00F95A70 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1964785029.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_f90000_Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bde94d6fcf831dd63c106dac8ca46ce718b4838009a013815f0367d99fe09ba
Instruction ID: 1fc0318477c19dac02089d8f8e212c284cb8e5b79a17455948b2dd06506b36be
Opcode Fuzzy Hash: 6bde94d6fcf831dd63c106dac8ca46ce718b4838009a013815f0367d99fe09ba
Instruction Fuzzy Hash: 7221C331701A118FDB26AB65D498A2EB7A6BFC8B64B154168E806CB354CE39DC02DBC4

Function 00F9D90F Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1964785029.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_f90000_Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d149747842004d9cdbcc3bc02f24ae44d8da7fbd7bbe63497cac10d47f93567
Instruction ID: 8984460e4602c6f2ac9d22801a4585c9cc7b82a0767ff36196a8b632b84eab2e
Opcode Fuzzy Hash: 1d149747842004d9cdbcc3bc02f24ae44d8da7fbd7bbe63497cac10d47f93567
Instruction Fuzzy Hash: D021D374D012099FDF14DFA4E8949EEBBB1FF88300F10812AE855B3254EB746A46CF51

Function 00F94DB9 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1964785029.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_f90000_Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdc2903fd04ef7d8aea9bf8d3b1bca13a4e27c48f058b0e2d636ac6d94c50877
Instruction ID: 6e30d4799f6df712bc3f758be08ad967850ba34a8c9a7d58c248d095718c7116
Opcode Fuzzy Hash: cdc2903fd04ef7d8aea9bf8d3b1bca13a4e27c48f058b0e2d636ac6d94c50877
Instruction Fuzzy Hash: 52210531B092458FEF16AF64E454B6B3BA2FB98314F104069F9458B285CB38ED12DBE0

Function 00F939ED Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1964785029.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_f90000_Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a494aa3bd5b20a5577bbff19892c16dc9d56eb89d650fbeab898e62c7bc8eae
Instruction ID: 0846cb0d5f2867a250f7654a4a01b8ac63db1778041f014cbc6916b5ba805f40
Opcode Fuzzy Hash: 2a494aa3bd5b20a5577bbff19892c16dc9d56eb89d650fbeab898e62c7bc8eae
Instruction Fuzzy Hash: 7931C478E15309CFCB04EFA8E59489DBBB2FF89305B20446AE859AB324D735AD45CF40

Function 00F91F61 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1964785029.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_f90000_Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63431628b1ec1764f4ced453569f5ded2553a24dc25a9dd02c809bcee45ed575
Instruction ID: bb701158f3bc8c431c7ededf397afa9953137d7cbf37ae0c5062a9896d07e19a
Opcode Fuzzy Hash: 63431628b1ec1764f4ced453569f5ded2553a24dc25a9dd02c809bcee45ed575
Instruction Fuzzy Hash: B821F2B4C0564E8FCB42EFA8D8455EDBFF0BF4A300F10916AD845B7254EB341A85CBA1

Function 00F91F08 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1964785029.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_f90000_Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ae6aceffd3b855a6ab69fce258e7a7bc5823b4840bcbfaf6559e7fe4e1dc9e8
Instruction ID: aa7c5188687114b052d87b792e12b1954460c3826d48b32c709c780c94b670d6
Opcode Fuzzy Hash: 9ae6aceffd3b855a6ab69fce258e7a7bc5823b4840bcbfaf6559e7fe4e1dc9e8
Instruction Fuzzy Hash: F0214A74D046098FCB11EFA8D4445EDBFF0BF49314F14516AD445B7264EB311A45CB91

Function 00F95607 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1964785029.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_f90000_Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09119312af1dd4fe961404cb513bfa8e4615b26cda121b412e7f8cc4483d866e
Instruction ID: c7afec409c4fa77b35048f16e2a487809c9dc58351086e5606548006542cf754
Opcode Fuzzy Hash: 09119312af1dd4fe961404cb513bfa8e4615b26cda121b412e7f8cc4483d866e
Instruction Fuzzy Hash: 73012D72B042146FDF03DE6898106EF3B97DBC8751F14802AF505C7285D975CC0297A0

Function 00F92010 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1964785029.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_f90000_Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2479b9807f5b023139c09e66510c3195dc1cd671f07c7e87ed8e0e442b44f6fa
Instruction ID: bbe5dbed7ea75505a0df5b50cc853b62b24df1b3294706f7ec132a30e87e36e6
Opcode Fuzzy Hash: 2479b9807f5b023139c09e66510c3195dc1cd671f07c7e87ed8e0e442b44f6fa
Instruction Fuzzy Hash: A2E0923192939B5BCB039B709C105EEBF34DD97218B4441D7D8A4AB083EB60269EC7A2

Function 00F92020 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1964785029.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_f90000_Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc14a33a032f59d8b9cf5b3ada1bace648e55168dffd19649aced1df6261908c
Instruction ID: 38500f3bade9f6392afe9a83f925e0f025d31839c3fe1b8d4446b912d8b1d3f2
Opcode Fuzzy Hash: fc14a33a032f59d8b9cf5b3ada1bace648e55168dffd19649aced1df6261908c
Instruction Fuzzy Hash: 72D01231D2022A578B00AAA5DC044EEB738EE95665B504626D55437140EB70665986A2

Function 00F98258 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1964785029.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_f90000_Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction ID: 6c61be059095a56cfc54ce09728a768ed91a84a714d925eff05cbd905d717c8a
Opcode Fuzzy Hash: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction Fuzzy Hash: 02C0123360C1282AAA24108E7C40EA3AB8CC2C27F4A250137F91CA3200A842AC8221A8

Function 00F9A70D Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1964785029.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_f90000_Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 418c64d6554033d72304ffac6ed8050950a199cea57afd708e0de1200c61b14b
Instruction ID: b8b36ef2fcaa7d24b0987f50e5c7bab5dbce987c6ca5411ee1c6abaf3937a42b
Opcode Fuzzy Hash: 418c64d6554033d72304ffac6ed8050950a199cea57afd708e0de1200c61b14b
Instruction Fuzzy Hash: A0D0173BB00008DFCF008F88E8408DDB7B6FB9C221B008016E911A3260C6319921CB50

Function 00F95EA8 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1964785029.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_f90000_Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3639759d314fc3285956d914befa8cb6784ff45d3e93690e6ff5d77084d9aa4c
Instruction ID: 18751787ddf1d15ac6203501a9a609cbefc9c51c6bfef81941ce7f259fe3850f
Opcode Fuzzy Hash: 3639759d314fc3285956d914befa8cb6784ff45d3e93690e6ff5d77084d9aa4c
Instruction Fuzzy Hash: 5AD02B7050D3860FC303F374F9214143F266981308F8080FAE8064E52FEA7D49498351

Function 00F95EB8 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1964785029.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_f90000_Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69142471bd3a716e73074623c423b202d5a99d0794b7483cba992a105f0468f5
Instruction ID: 291396a7dc86c83a37777414676412db8c92c235f180e04977387127a29f93e2
Opcode Fuzzy Hash: 69142471bd3a716e73074623c423b202d5a99d0794b7483cba992a105f0468f5
Instruction Fuzzy Hash: 12C012302583094FC505F7B5FA45959771AB6C0304F404524F40A0A62EDF7859884790

Non-executed Functions

Function 00F96088 Relevance: 5.0, Strings: 4, Instructions: 49COMMON

Download Yara Rule

Strings

\;^q, xrefs: 00F960BA
\;^q, xrefs: 00F960C6
\;^q, xrefs: 00F96094
\;^q, xrefs: 00F9609E

Memory Dump Source

Source File: 00000005.00000002.1964785029.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_f90000_Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b.jbxd

Similarity

API ID:
String ID: \;^q$\;^q$\;^q$\;^q
API String ID: 0-3001612457
Opcode ID: 597f44cb353609b91258ca7f615d44ce8ad633c6ecdb7e0d8efd212e0b66df7f
Instruction ID: 9fc86f05d689926a06f04a9b1e48c1556779ad18568084a747ce508b1a1d7002
Opcode Fuzzy Hash: 597f44cb353609b91258ca7f615d44ce8ad633c6ecdb7e0d8efd212e0b66df7f
Instruction Fuzzy Hash: 5301DF32B041149FDF648E2DC488A2A77EBBF88B70725417AE106CF3B4DA72DC45A780

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_OOOBE2UTTQADMYZZ_f1aacb97412eb26466c8dbf24479df3a7fdfe98_b761ca27_15888fec-3d80-4076-a090-86976d798eb2\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER16B2.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1878.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1898.tmp.xml

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ft1l0bfw.inc.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ljpjz21n.tlo.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qlipt1em.p3g.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yyrnnctg.5bf.psm1

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Windows Analysis Report
Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe

Function 0322D030 Relevance: 6.1, APIs: 4, Instructions: 136
threadCOMMON

Function 0322D040 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Function 07D43E38 Relevance: 3.1, APIs: 2, Instructions: 91
threadCOMMON

Function 07D44AC4 Relevance: 1.7, APIs: 1, Instructions: 248
processCOMMON

Function 07D44AD0 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Function 0322ADA8 Relevance: 1.7, APIs: 1, Instructions: 199
COMMON

Function 07D44400 Relevance: 1.7, APIs: 1, Instructions: 164
memoryCOMMON

Function 059E18E4 Relevance: 1.6, APIs: 1, Instructions: 120
COMMON