Edit tour

Windows Analysis Report
rUAE_LPO.com.exe

Overview

General Information

Sample name:	rUAE_LPO.com.exe
Analysis ID:	1538408
MD5:	a305269db6286fc4dd1d73ac5d2bf208
SHA1:	b8777b46a2b1ae40b8d6ff32cc79174e1e617983
SHA256:	14995ab5376dccba2f4e91e4efcf09ab18d5645f262ee8cef70d4da8b9317699
Tags:	exeuser-Porcupine
Infos:

Detection

AsyncRAT, PureLog Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected AsyncRAT

Yara detected PureLog Stealer

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Sigma detected: Invoke-Obfuscation CLIP+ Launcher

Sigma detected: Invoke-Obfuscation VAR+ Launcher

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected Generic Downloader

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Suspicious Schtasks From Env Var Folder

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

rUAE_LPO.com.exe (PID: 6368 cmdline: "C:\Users\user\Desktop\rUAE_LPO.com.exe" MD5: A305269DB6286FC4DD1D73AC5D2BF208)

rUAE_LPO.com.exe (PID: 2724 cmdline: "C:\Users\user\Desktop\rUAE_LPO.com.exe" MD5: A305269DB6286FC4DD1D73AC5D2BF208)

rUAE_LPO.com.exe (PID: 6516 cmdline: "C:\Users\user\Desktop\rUAE_LPO.com.exe" MD5: A305269DB6286FC4DD1D73AC5D2BF208)

rUAE_LPO.com.exe (PID: 4796 cmdline: "C:\Users\user\Desktop\rUAE_LPO.com.exe" MD5: A305269DB6286FC4DD1D73AC5D2BF208)

cmd.exe (PID: 5560 cmdline: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "windowsBook" /tr '"C:\Users\user\AppData\Local\Temp\windowsBook.exe"' & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5756 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 1868 cmdline: schtasks /create /f /sc onlogon /rl highest /tn "windowsBook" /tr '"C:\Users\user\AppData\Local\Temp\windowsBook.exe"' MD5: 48C2FE20575769DE916F48EF0676A965)

cmd.exe (PID: 6616 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpBE0.tmp.bat"" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6468 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

timeout.exe (PID: 6256 cmdline: timeout 3 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

windowsBook.exe (PID: 3652 cmdline: "C:\Users\user\AppData\Local\Temp\windowsBook.exe" MD5: A305269DB6286FC4DD1D73AC5D2BF208)

windowsBook.exe (PID: 5240 cmdline: "C:\Users\user\AppData\Local\Temp\windowsBook.exe" MD5: A305269DB6286FC4DD1D73AC5D2BF208)

windowsBook.exe (PID: 3292 cmdline: C:\Users\user\AppData\Local\Temp\windowsBook.exe MD5: A305269DB6286FC4DD1D73AC5D2BF208)

windowsBook.exe (PID: 1868 cmdline: "C:\Users\user\AppData\Local\Temp\windowsBook.exe" MD5: A305269DB6286FC4DD1D73AC5D2BF208)

windowsBook.exe (PID: 6516 cmdline: "C:\Users\user\AppData\Local\Temp\windowsBook.exe" MD5: A305269DB6286FC4DD1D73AC5D2BF208)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
AsyncRAT	AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool, however, it could also be used maliciously because it provides functionality such as keylogger, remote desktop control, and many other functions that may cause harm to the victims computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kit and other techniques.	No Attribution	https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/asyncrat-onenote-dropper https://aidenmitchell.ca/asyncrat-via-vbs/ https://assets.virustotal.com/reports/2021trends.pdf https://axmahr.github.io/posts/asyncrat-detection/ https://blog.checkpoint.com/research/november-2023s-most-wanted-malware-new-asyncrat-campaign-discovered-while-fakeupdates-re-entered-the-top-ten-after-brief-hiatus/	https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat

Malware Configuration

Threatname: AsyncRAT

{"External_config_on_Pastebin": "null", "Server": "quin.ydns.eu", "Ports": "1962", "Version": "0.5.8", "Autorun": "true", "Install_Folder": "windowsBook.exe", "Install_File": "ZWVDQ2xkSDdBeUNVdEFXN0ZMenlQTERTN1l6QWdxWno="}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x1e332:$x1: AsyncRAT 0x1e370:$x1: AsyncRAT

Memory Dumps

Source	Rule	Description	Author	Strings
00000005.00000002.2106829519.0000000002731000.00000004.00000800.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x1fe36:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
00000005.00000002.2106829519.0000000002731000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x1d85f:$x1: AsyncRAT 0x1d89d:$x1: AsyncRAT
00000005.00000002.2109979474.0000000004EC6000.00000004.00000020.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xdd03:$x1: AsyncRAT 0xdd41:$x1: AsyncRAT
00000011.00000002.2229647139.0000000000C4D000.00000004.00000020.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x315bb:$x1: AsyncRAT 0x315f9:$x1: AsyncRAT
00000000.00000002.2066706772.0000000006BD0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000005.00000002.2105635275.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000005.00000002.2105635275.0000000000402000.00000040.00000400.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0xa10b:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
0000000F.00000002.3250885449.0000000001258000.00000004.00000020.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x34fd3:$x1: AsyncRAT 0x35011:$x1: AsyncRAT 0x570b7:$x1: AsyncRAT 0x570f5:$x1: AsyncRAT
00000000.00000002.2058313931.0000000002781000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000000.00000002.2058313931.0000000002781000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x13fed:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x1fed1:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x85e7d:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x153ac:$a2: Stub.exe 0x1543c:$a2: Stub.exe 0x21290:$a2: Stub.exe 0x21320:$a2: Stub.exe 0x87254:$a2: Stub.exe 0x872e4:$a2: Stub.exe 0x10c11:$a3: get_ActivatePong 0x1caf5:$a3: get_ActivatePong 0x82aa1:$a3: get_ActivatePong 0x14205:$a4: vmware 0x200e9:$a4: vmware 0x86095:$a4: vmware 0x1407d:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x1ff61:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x85f0d:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x11a0b:$a6: get_SslClient 0x1d8ef:$a6: get_SslClient 0x8389b:$a6: get_SslClient
00000000.00000002.2058313931.0000000002781000.00000004.00000800.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x1407f:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x1ff63:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x85f0f:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
00000000.00000002.2058828936.0000000003781000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000000F.00000002.3253071159.00000000031F1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0000000F.00000002.3253071159.00000000031F1000.00000004.00000800.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0xebae:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
0000000F.00000002.3253071159.00000000031F1000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x2b7ab:$x1: AsyncRAT 0x2b7e9:$x1: AsyncRAT
00000011.00000002.2232027757.0000000002C51000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x1d8af:$x1: AsyncRAT 0x1d8ed:$x1: AsyncRAT
0000000C.00000002.2159242218.0000000002421000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0000000C.00000002.2159242218.0000000002421000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x1412d:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x20011:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x85f49:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x154ec:$a2: Stub.exe 0x1557c:$a2: Stub.exe 0x213d0:$a2: Stub.exe 0x21460:$a2: Stub.exe 0x87320:$a2: Stub.exe 0x873b0:$a2: Stub.exe 0x10d51:$a3: get_ActivatePong 0x1cc35:$a3: get_ActivatePong 0x82b6d:$a3: get_ActivatePong 0x14345:$a4: vmware 0x20229:$a4: vmware 0x86161:$a4: vmware 0x141bd:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x200a1:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x85fd9:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x11b4b:$a6: get_SslClient 0x1da2f:$a6: get_SslClient 0x83967:$a6: get_SslClient
0000000C.00000002.2159242218.0000000002421000.00000004.00000800.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x141bf:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x200a3:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x85fdb:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
Process Memory Space: rUAE_LPO.com.exe PID: 6368	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Process Memory Space: rUAE_LPO.com.exe PID: 6368	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: rUAE_LPO.com.exe PID: 6368	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x9786e:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
Process Memory Space: rUAE_LPO.com.exe PID: 4796	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Process Memory Space: rUAE_LPO.com.exe PID: 4796	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0xbf17:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x35d66:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
Process Memory Space: rUAE_LPO.com.exe PID: 4796	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xbaba:$x1: AsyncRAT 0xbaec:$x1: AsyncRAT 0x2595e:$x1: AsyncRAT 0x25990:$x1: AsyncRAT 0x35e2c:$s6: VirtualBox 0x35ddf:$s8: Win32_ComputerSystem
Process Memory Space: windowsBook.exe PID: 3292	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Process Memory Space: windowsBook.exe PID: 3292	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: windowsBook.exe PID: 3292	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x4ec5a:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
Process Memory Space: windowsBook.exe PID: 3652	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: windowsBook.exe PID: 6516	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Process Memory Space: windowsBook.exe PID: 6516	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x7d17c:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
Process Memory Space: windowsBook.exe PID: 6516	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x965e:$x1: AsyncRAT 0x9690:$x1: AsyncRAT 0x84980:$x1: AsyncRAT 0x849b2:$x1: AsyncRAT 0x849c6:$x1: AsyncRAT 0x181d0:$s8: Win32_ComputerSystem 0x18256:$s8: Win32_ComputerSystem
Process Memory Space: windowsBook.exe PID: 5240	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x4ebf:$x1: AsyncRAT 0x4ef1:$x1: AsyncRAT 0xcb89:$x1: AsyncRAT 0xcbbb:$x1: AsyncRAT
Click to see the 28 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.rUAE_LPO.com.exe.379e790.3.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.rUAE_LPO.com.exe.6bd0000.5.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.rUAE_LPO.com.exe.6bd0000.5.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.rUAE_LPO.com.exe.2796c58.0.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0.2.rUAE_LPO.com.exe.2796c58.0.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x8479:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x9838:$a2: Stub.exe 0x98c8:$a2: Stub.exe 0x509d:$a3: get_ActivatePong 0x8691:$a4: vmware 0x8509:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x5e97:$a6: get_SslClient
0.2.rUAE_LPO.com.exe.2796c58.0.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x850b:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
0.2.rUAE_LPO.com.exe.278ad74.1.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0.2.rUAE_LPO.com.exe.278ad74.1.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x8479:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x9838:$a2: Stub.exe 0x98c8:$a2: Stub.exe 0x509d:$a3: get_ActivatePong 0x8691:$a4: vmware 0x8509:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x5e97:$a6: get_SslClient
0.2.rUAE_LPO.com.exe.278ad74.1.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x850b:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
12.2.windowsBook.exe.242aeb4.0.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
12.2.windowsBook.exe.242aeb4.0.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x8479:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x9838:$a2: Stub.exe 0x98c8:$a2: Stub.exe 0x509d:$a3: get_ActivatePong 0x8691:$a4: vmware 0x8509:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x5e97:$a6: get_SslClient
12.2.windowsBook.exe.242aeb4.0.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x850b:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
5.2.rUAE_LPO.com.exe.400000.0.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
5.2.rUAE_LPO.com.exe.400000.0.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0xa279:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0xb638:$a2: Stub.exe 0xb6c8:$a2: Stub.exe 0x6e9d:$a3: get_ActivatePong 0xa491:$a4: vmware 0xa309:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x7c97:$a6: get_SslClient
5.2.rUAE_LPO.com.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0xa30b:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
12.2.windowsBook.exe.2436d98.1.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
12.2.windowsBook.exe.2436d98.1.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x8479:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x9838:$a2: Stub.exe 0x98c8:$a2: Stub.exe 0x509d:$a3: get_ActivatePong 0x8691:$a4: vmware 0x8509:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x5e97:$a6: get_SslClient
12.2.windowsBook.exe.2436d98.1.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x850b:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
0.2.rUAE_LPO.com.exe.379e790.3.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
12.2.windowsBook.exe.2436d98.1.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
12.2.windowsBook.exe.2436d98.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
12.2.windowsBook.exe.2436d98.1.raw.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0xa279:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x701b1:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0xb638:$a2: Stub.exe 0xb6c8:$a2: Stub.exe 0x71588:$a2: Stub.exe 0x71618:$a2: Stub.exe 0x6e9d:$a3: get_ActivatePong 0x6cdd5:$a3: get_ActivatePong 0xa491:$a4: vmware 0x703c9:$a4: vmware 0xa309:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x70241:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x7c97:$a6: get_SslClient 0x6dbcf:$a6: get_SslClient
12.2.windowsBook.exe.2436d98.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0xa30b:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x70243:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
0.2.rUAE_LPO.com.exe.2796c58.0.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0.2.rUAE_LPO.com.exe.2796c58.0.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.rUAE_LPO.com.exe.2796c58.0.raw.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0xa279:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x70225:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0xb638:$a2: Stub.exe 0xb6c8:$a2: Stub.exe 0x715fc:$a2: Stub.exe 0x7168c:$a2: Stub.exe 0x6e9d:$a3: get_ActivatePong 0x6ce49:$a3: get_ActivatePong 0xa491:$a4: vmware 0x7043d:$a4: vmware 0xa309:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x702b5:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x7c97:$a6: get_SslClient 0x6dc43:$a6: get_SslClient
0.2.rUAE_LPO.com.exe.2796c58.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0xa30b:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x702b7:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
0.2.rUAE_LPO.com.exe.278ad74.1.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0.2.rUAE_LPO.com.exe.278ad74.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.rUAE_LPO.com.exe.278ad74.1.raw.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0xa279:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x1615d:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x7c109:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0xb638:$a2: Stub.exe 0xb6c8:$a2: Stub.exe 0x1751c:$a2: Stub.exe 0x175ac:$a2: Stub.exe 0x7d4e0:$a2: Stub.exe 0x7d570:$a2: Stub.exe 0x6e9d:$a3: get_ActivatePong 0x12d81:$a3: get_ActivatePong 0x78d2d:$a3: get_ActivatePong 0xa491:$a4: vmware 0x16375:$a4: vmware 0x7c321:$a4: vmware 0xa309:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x161ed:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x7c199:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x7c97:$a6: get_SslClient 0x13b7b:$a6: get_SslClient 0x79b27:$a6: get_SslClient
0.2.rUAE_LPO.com.exe.278ad74.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0xa30b:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x161ef:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x7c19b:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
12.2.windowsBook.exe.242aeb4.0.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
12.2.windowsBook.exe.242aeb4.0.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
12.2.windowsBook.exe.242aeb4.0.raw.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0xa279:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x1615d:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x7c095:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0xb638:$a2: Stub.exe 0xb6c8:$a2: Stub.exe 0x1751c:$a2: Stub.exe 0x175ac:$a2: Stub.exe 0x7d46c:$a2: Stub.exe 0x7d4fc:$a2: Stub.exe 0x6e9d:$a3: get_ActivatePong 0x12d81:$a3: get_ActivatePong 0x78cb9:$a3: get_ActivatePong 0xa491:$a4: vmware 0x16375:$a4: vmware 0x7c2ad:$a4: vmware 0xa309:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x161ed:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x7c125:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x7c97:$a6: get_SslClient 0x13b7b:$a6: get_SslClient 0x79ab3:$a6: get_SslClient
12.2.windowsBook.exe.242aeb4.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0xa30b:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x161ef:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x7c127:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
Click to see the 30 entries

Sigma Signatures

System Summary

Sigma detected: Invoke-Obfuscation CLIP+ Launcher

Source: Process started

Author: Jonathan Cheong, oscd.community: Data: Command: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "windowsBook" /tr '"C:\Users\user\AppData\Local\Temp\windowsBook.exe"' & exit, CommandLine: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "windowsBook" /tr '"C:\Users\user\AppData\Local\Temp\windowsBook.exe"' & exit, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\rUAE_LPO.com.exe", ParentImage: C:\Users\user\Desktop\rUAE_LPO.com.exe, ParentProcessId: 4796, ParentProcessName: rUAE_LPO.com.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "windowsBook" /tr '"C:\Users\user\AppData\Local\Temp\windowsBook.exe"' & exit, ProcessId: 5560, ProcessName: cmd.exe

Sigma detected: Invoke-Obfuscation VAR+ Launcher

Source: Process started

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: schtasks /create /f /sc onlogon /rl highest /tn "windowsBook" /tr '"C:\Users\user\AppData\Local\Temp\windowsBook.exe"' , CommandLine: schtasks /create /f /sc onlogon /rl highest /tn "windowsBook" /tr '"C:\Users\user\AppData\Local\Temp\windowsBook.exe"' , CommandLine|base64offset|contains: mj,, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "windowsBook" /tr '"C:\Users\user\AppData\Local\Temp\windowsBook.exe"' & exit, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 5560, ParentProcessName: cmd.exe, ProcessCommandLine: schtasks /create /f /sc onlogon /rl highest /tn "windowsBook" /tr '"C:\Users\user\AppData\Local\Temp\windowsBook.exe"' , ProcessId: 1868, ProcessName: schtasks.exe

Suricata Signatures

ET MALWARE Generic AsyncRAT Style SSL Cert

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-21T08:35:14.455430+0200	2035595	1	Domain Observed Used for C2 Detected	185.38.142.240	1962	192.168.2.5	49716	TCP

ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-21T08:35:14.455430+0200	2035607	1	Domain Observed Used for C2 Detected	185.38.142.240	1962	192.168.2.5	49716	TCP

ETPRO JA3 Hash - Suspected ASYNCRAT Server Cert (ja3s)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-21T08:35:14.455430+0200	2842478	1	Malware Command and Control Activity Detected	185.38.142.240	1962	192.168.2.5	49716	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000000.00000002.2058313931.0000000002781000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: AsyncRAT {"External_config_on_Pastebin": "null", "Server": "quin.ydns.eu", "Ports": "1962", "Version": "0.5.8", "Autorun": "true", "Install_Folder": "windowsBook.exe", "Install_File": "ZWVDQ2xkSDdBeUNVdEFXN0ZMenlQTERTN1l6QWdxWno="}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe

ReversingLabs: Detection: 26%

Multi AV Scanner detection for submitted file

Source: rUAE_LPO.com.exe	ReversingLabs: Detection: 26%
Source: rUAE_LPO.com.exe	Virustotal: Detection: 32%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: rUAE_LPO.com.exe

Joe Sandbox ML: detected

Source: rUAE_LPO.com.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: rUAE_LPO.com.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: AJYP.pdb source: rUAE_LPO.com.exe, windowsBook.exe.5.dr
Source:	Binary string: AJYP.pdbSHA256 source: rUAE_LPO.com.exe, windowsBook.exe.5.dr

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2842478 - Severity 1 - ETPRO JA3 Hash - Suspected ASYNCRAT Server Cert (ja3s) : 185.38.142.240:1962 -> 192.168.2.5:49716
Source: Network traffic	Suricata IDS: 2030673 - Severity 1 - ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server) : 185.38.142.240:1962 -> 192.168.2.5:49716
Source: Network traffic	Suricata IDS: 2035595 - Severity 1 - ET MALWARE Generic AsyncRAT Style SSL Cert : 185.38.142.240:1962 -> 192.168.2.5:49716
Source: Network traffic	Suricata IDS: 2035607 - Severity 1 - ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server) : 185.38.142.240:1962 -> 192.168.2.5:49716

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: quin.ydns.eu

Yara detected Generic Downloader

Source: Yara match	File source: 12.2.windowsBook.exe.2436d98.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rUAE_LPO.com.exe.2796c58.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rUAE_LPO.com.exe.278ad74.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.windowsBook.exe.242aeb4.0.raw.unpack, type: UNPACKEDPE

Source: global traffic

TCP traffic: 192.168.2.5:49716 -> 185.38.142.240:1962

Source: Joe Sandbox View

ASN Name: NETSOLUTIONSNL NETSOLUTIONSNL

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: quin.ydns.eu

Source: windowsBook.exe, 0000000F.00000002.3250885449.0000000001258000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: 77EC63BDA74BD0D0E0426DC8F80085060.15.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: windowsBook.exe, 0000000F.00000002.3250885449.0000000001258000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabS
Source: rUAE_LPO.com.exe, 00000005.00000002.2106829519.000000000287D000.00000004.00000800.00020000.00000000.sdmp, windowsBook.exe, 0000000F.00000002.3253071159.00000000031F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected AsyncRAT

Source: Yara match	File source: 0.2.rUAE_LPO.com.exe.2796c58.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rUAE_LPO.com.exe.278ad74.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.windowsBook.exe.242aeb4.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rUAE_LPO.com.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.windowsBook.exe.2436d98.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.windowsBook.exe.2436d98.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rUAE_LPO.com.exe.2796c58.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rUAE_LPO.com.exe.278ad74.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.windowsBook.exe.242aeb4.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.2105635275.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2058313931.0000000002781000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.3253071159.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2159242218.0000000002421000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rUAE_LPO.com.exe PID: 6368, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rUAE_LPO.com.exe PID: 4796, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: windowsBook.exe PID: 3292, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: windowsBook.exe PID: 6516, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: dump.pcap, type: PCAP	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.rUAE_LPO.com.exe.2796c58.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 0.2.rUAE_LPO.com.exe.2796c58.0.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 0.2.rUAE_LPO.com.exe.278ad74.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 0.2.rUAE_LPO.com.exe.278ad74.1.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 12.2.windowsBook.exe.242aeb4.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 12.2.windowsBook.exe.242aeb4.0.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 5.2.rUAE_LPO.com.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 5.2.rUAE_LPO.com.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 12.2.windowsBook.exe.2436d98.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 12.2.windowsBook.exe.2436d98.1.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 12.2.windowsBook.exe.2436d98.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 12.2.windowsBook.exe.2436d98.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 0.2.rUAE_LPO.com.exe.2796c58.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 0.2.rUAE_LPO.com.exe.2796c58.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 0.2.rUAE_LPO.com.exe.278ad74.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 0.2.rUAE_LPO.com.exe.278ad74.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 12.2.windowsBook.exe.242aeb4.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 12.2.windowsBook.exe.242aeb4.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000005.00000002.2106829519.0000000002731000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000005.00000002.2106829519.0000000002731000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000005.00000002.2109979474.0000000004EC6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000011.00000002.2229647139.0000000000C4D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000005.00000002.2105635275.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 0000000F.00000002.3250885449.0000000001258000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.2058313931.0000000002781000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 00000000.00000002.2058313931.0000000002781000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 0000000F.00000002.3253071159.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 0000000F.00000002.3253071159.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000011.00000002.2232027757.0000000002C51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0000000C.00000002.2159242218.0000000002421000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 0000000C.00000002.2159242218.0000000002421000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: Process Memory Space: rUAE_LPO.com.exe PID: 6368, type: MEMORYSTR	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: Process Memory Space: rUAE_LPO.com.exe PID: 4796, type: MEMORYSTR	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: Process Memory Space: rUAE_LPO.com.exe PID: 4796, type: MEMORYSTR	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: Process Memory Space: windowsBook.exe PID: 3292, type: MEMORYSTR	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: Process Memory Space: windowsBook.exe PID: 6516, type: MEMORYSTR	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: Process Memory Space: windowsBook.exe PID: 6516, type: MEMORYSTR	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: Process Memory Space: windowsBook.exe PID: 5240, type: MEMORYSTR	Matched rule: Detects AsyncRAT Author: ditekSHen

Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Code function: 0_2_00A0DE8C	0_2_00A0DE8C
Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Code function: 0_2_06F1A698	0_2_06F1A698
Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Code function: 0_2_06F1A693	0_2_06F1A693
Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Code function: 0_2_06F164C0	0_2_06F164C0
Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Code function: 0_2_06F183D8	0_2_06F183D8
Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Code function: 0_2_06F1CF98	0_2_06F1CF98
Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Code function: 0_2_06F18CB0	0_2_06F18CB0
Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Code function: 0_2_06F16D30	0_2_06F16D30
Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Code function: 0_2_06F168F8	0_2_06F168F8
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Code function: 12_2_00AADE8C	12_2_00AADE8C
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Code function: 13_2_0111DE8C	13_2_0111DE8C
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Code function: 13_2_0732A698	13_2_0732A698
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Code function: 13_2_0732A68F	13_2_0732A68F
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Code function: 13_2_0732648B	13_2_0732648B
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Code function: 13_2_073264C0	13_2_073264C0
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Code function: 13_2_073283D8	13_2_073283D8
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Code function: 13_2_0732CE90	13_2_0732CE90
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Code function: 13_2_07326D30	13_2_07326D30
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Code function: 13_2_07328CB0	13_2_07328CB0
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Code function: 13_2_07328CA0	13_2_07328CA0
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Code function: 13_2_073268F8	13_2_073268F8
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Code function: 15_2_017563D8	15_2_017563D8
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Code function: 15_2_01756CA8	15_2_01756CA8
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Code function: 15_2_01756090	15_2_01756090
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Code function: 15_2_0175AF58	15_2_0175AF58

Source: rUAE_LPO.com.exe, 00000000.00000002.2066995348.0000000007320000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs rUAE_LPO.com.exe
Source: rUAE_LPO.com.exe, 00000000.00000002.2058828936.0000000003781000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs rUAE_LPO.com.exe
Source: rUAE_LPO.com.exe, 00000000.00000002.2058313931.0000000002781000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameStub.exe" vs rUAE_LPO.com.exe
Source: rUAE_LPO.com.exe, 00000000.00000002.2057216286.0000000000A1E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs rUAE_LPO.com.exe
Source: rUAE_LPO.com.exe, 00000000.00000000.2009290346.00000000003F8000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameAJYP.exe" vs rUAE_LPO.com.exe
Source: rUAE_LPO.com.exe, 00000005.00000002.2105635275.000000000040E000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameStub.exe" vs rUAE_LPO.com.exe
Source: rUAE_LPO.com.exe	Binary or memory string: OriginalFilenameAJYP.exe" vs rUAE_LPO.com.exe

Source: rUAE_LPO.com.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: dump.pcap, type: PCAP	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.rUAE_LPO.com.exe.2796c58.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 0.2.rUAE_LPO.com.exe.2796c58.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 0.2.rUAE_LPO.com.exe.278ad74.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 0.2.rUAE_LPO.com.exe.278ad74.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 12.2.windowsBook.exe.242aeb4.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 12.2.windowsBook.exe.242aeb4.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 5.2.rUAE_LPO.com.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 5.2.rUAE_LPO.com.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 12.2.windowsBook.exe.2436d98.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 12.2.windowsBook.exe.2436d98.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 12.2.windowsBook.exe.2436d98.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 12.2.windowsBook.exe.2436d98.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 0.2.rUAE_LPO.com.exe.2796c58.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 0.2.rUAE_LPO.com.exe.2796c58.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 0.2.rUAE_LPO.com.exe.278ad74.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 0.2.rUAE_LPO.com.exe.278ad74.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 12.2.windowsBook.exe.242aeb4.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 12.2.windowsBook.exe.242aeb4.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000005.00000002.2106829519.0000000002731000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000005.00000002.2106829519.0000000002731000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000005.00000002.2109979474.0000000004EC6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000011.00000002.2229647139.0000000000C4D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000005.00000002.2105635275.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 0000000F.00000002.3250885449.0000000001258000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.2058313931.0000000002781000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 00000000.00000002.2058313931.0000000002781000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 0000000F.00000002.3253071159.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 0000000F.00000002.3253071159.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000011.00000002.2232027757.0000000002C51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0000000C.00000002.2159242218.0000000002421000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 0000000C.00000002.2159242218.0000000002421000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: Process Memory Space: rUAE_LPO.com.exe PID: 6368, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: Process Memory Space: rUAE_LPO.com.exe PID: 4796, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: Process Memory Space: rUAE_LPO.com.exe PID: 4796, type: MEMORYSTR	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: Process Memory Space: windowsBook.exe PID: 3292, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: Process Memory Space: windowsBook.exe PID: 6516, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: Process Memory Space: windowsBook.exe PID: 6516, type: MEMORYSTR	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: Process Memory Space: windowsBook.exe PID: 5240, type: MEMORYSTR	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT

Source: rUAE_LPO.com.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: windowsBook.exe.5.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.rUAE_LPO.com.exe.6bd0000.5.raw.unpack, at4ONG9F0NYCELN5Tj.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.rUAE_LPO.com.exe.379e790.3.raw.unpack, at4ONG9F0NYCELN5Tj.cs	Cryptographic APIs: 'CreateDecryptor'

Source: 0.2.rUAE_LPO.com.exe.278ad74.1.raw.unpack, OiHoolIAygQAXBT.cs	Base64 encoded string: 'yKawK3VpaUozVt7nSUZH+FnSyshePzOpFVCnRwX7U4ZB280WpfMTuTYeExR0FWuvbGpl3SI6rcp8bs+ljbVa2lDFNksGpMvQB+F6XFct3J60IeY1leqgjx0W7B1p+kqD/QtuP0XvjgWxZQ6bRM4s9auajVMXd2Y/Hgg/g2fz1ZipgNNWkwZoA0gfIfq8C+K+1i+++6eXPAokDnmrOM+EdaCtg8b5VGEj6UB1qrLieygyNrM6/SLeKezb1PA9AtA8U9IirRGLrYGl6gMwhQMH2ARPD9qVLreMF1ObJjWzeBmp1rLB4uTd/LTYiXbqf6vQ0SDyFPN74YEHEw5+xR5zSVxycirzV/2lIOJHuy1HYcQQVxoGAbLnZhMKMRQLzJEbpb/BoXIMSlHILNCGdkzsajyh/2CB9lgbze0+hcs7lWIUdnw/NG2Lh+NR9mTGqyRD8f6ztxYyBny2t7mnfhtYWyzP1/oxh+pwDbttOmnidk8vgIy4Z86FP2GdusQdiJac8alNHOjVOQGfiXF1PcBfUm0+IMYZU4BlX5S+8VjvPRSmWrd8hHO2nB+OflZE7cZ8+IQabffVZ7nGtNlcs5hpJV1n36PHaPpfOV1mftpl3KQ/IIepioZKvI0zVhG1R/MDkTxlmx+JcLVsaDJq02tWIAWR0dPcX5suErDeDucMUjXits8r7bCJ2GjAjghT1eu5Gu8Zl2ZRza7Iq/EA6DhGs5wcDpKYuHB/TOLrBxZV2S40V+lpzYBpbpzWEs6c6tIMHE3ejTrM0WAZR05tqWOuh+XvN4Ar/1NfvOHGxiSB8QZCoSyrCyJ785MPSL3gf49u/vm6Lkh1zPqAiS8w6VA1PpaEyeGajroYXuiWPP7obfDHTOwblMA6mf6orYIWZpWrFo94fu5vde5No6HKP5Yxo+VyFfKP4BwkSC75N4rviWlv81OiGc2r2X9HA3Jsc4Q6hrZSFiE7SoJhlraD1pP6yLDzfyNBmuuHE5I/e/deR6sSSPiejRj0u+JUrT+/h9acgZHQCTragNKUSpZMseB7Fiw5qpkclFu2scGyuXx+nKoO2KzPSbRjsXOfaApX/1ofb5tCm+hSFwTTih4mq7N0Tkh2mMQ4Z0ubCatWr9VO6bw3/EX5cF4oe3WV5uKBXly7ztB7lplwxOVmAxWZ3rbBOJofvRitOUtUmf/4Lgn1akzk/X8n4brrIUAMz9YS+lYKd0rLTpKme2XK3WRSa5DL/Z5Ar6MyscXBmwcY24C0yatbtGPlxZ1Lfj6Aexhbamrq8W2Ck6bqubyV+HSJvGJUcarOxwSAmQzDVNKmW3RxN452KM2y9VLc5jNxaYZdGdqteQFoDrrZb5fv0ZWR/fdDBAQCMhHQKkgfhVLIdWTr6hOpiDs9NnzmdYo0ER1y7Gj8J2whXqEYXznmo8y372z7j9PUPQhWCnEs/veEaNpHUpG4Yjy0GEvrzdp7tNpOxzDr433hsmkDwTgJHr3sD8uUGNJ0sgBTbOTtIC/hZCKqq1iieLppecA846W0MkBwrFZKesVwH/bmBMZlgbomvWhhIhEs9nGYSEAzLj0x4JkF//exESLXp6840pAL1HFBOLRknjEBXOFecVxcEgIRQZG/8NcfTlNUgJVm9re1UQP39qvdNyoESg/luLQ84lGy0DjQQpo5utjubbf0mggLLHic6Aaimct7g3buEckjUdLvvlK2LReaDwvkENlysrHLxpamLm6RRV139k/R3GBI1F1H6PbTST0J12/oFDv/1btrRvDU22dYPOLgAgRhzBOg4MlI4XrVvQUwcr2wMQbPZk1k5jixKcbjh5uJq8zl5ro3hrR5k7aWO71Qy9uxmbmD1EkZDOtYxLCMYe+eBkuE7FN7A/ioFIr/TVhMbSeP4iF4R8YS1DpJ7+1skdNZ6GeMfw/XBZJJGp/jH9ulBEolRrJ2NvXvgKDwWSw5lSEYKT5qXrX99BqwBqy3VLDQqpVEvVfuaMzqQVwpCPQI1blHF2FwZKXd6DSiO0Npi2XtAQcZjb/9SaEwoORNr8cowR/HkJIdV/pkk//7f/Y9gWsmNtiivR6bi6C0pvtSkYA+nGIVS3IRHiVt2PljPWGwCQcO/nI5qxksSsByYMBvdS5+VYRdzEQUhFPzTZPmiXi4LIMAwGcQ0NKTsb5u7zrIqhVwnBp75hJntAArJAccK1GWqjX4e+CCBwgKc1JuLSCaxzooKaKL7XfAP81lGd/phOldRleApUAXNeOHSqQN8Ru1jj3AhjYtVlIr58wknbZNIEc8atQcpyGUOAWCvCfBgeg5rqVm04R+2HJyheDy7nBnxT+rbnGvPMgGU0gwrhduZlOYsaM=', 'TYJElFG2H7en+iOkEBBBshDsd73cVMDmVb2esMoaqK3ap/chQz9T0P6HrfFDa2qaJroiBJ7K3yAqjpqTIVjRxBGcO//r84OI+XSGVvklW2xU4tMk0xCf8fYRCF3nC1MK1T36SdD+olDlwDwNYBOpJ+quxN1K0yjv0Enplty0LH3CI++7Du1qe4oa7T3GfqtG7Gg2hixaqdvtncI03OnYCHdIMzlpsPKKuImMi1U5VrUDc4G33ZmIIRjPq+RYE4+gzcJi7YXdEPQdBEboEuPTypjBpeK98De7DF3t1Iglhok0NsXWFhcEPpbpIKY8x7N9nd/XtPPMXgsoZF8EDsG8++tdPvZtENZOOKcvZsoNGSoNXZdL7TlzLViZEe8OBa+eHViDh/hq9kMqpUSesUwIh3LzOHz8TnflPbJmN9rW8zYfWH7GRKoqcJTO/TdXKBnSLoNJZzBMylfCRKYnFoZtIzWguBG9nIFBpWU3FkNt90At31OvSPSLEjYoUyl6ahl+7ueEoN04/m+aviBO7uO7GtKaXKxMbhdkSE85iaZNhZbNPfCizOGE89m3FGi/O+YRx7BnPUUsnIRv/+dDFiXzqqRS7hd/xQv0OY8Q1wIUESHkj9QAGFk+kCMnTogSiHIuWR3PUzq
Source: 0.2.rUAE_LPO.com.exe.2796c58.0.raw.unpack, OiHoolIAygQAXBT.cs	Base64 encoded string: 'yKawK3VpaUozVt7nSUZH+FnSyshePzOpFVCnRwX7U4ZB280WpfMTuTYeExR0FWuvbGpl3SI6rcp8bs+ljbVa2lDFNksGpMvQB+F6XFct3J60IeY1leqgjx0W7B1p+kqD/QtuP0XvjgWxZQ6bRM4s9auajVMXd2Y/Hgg/g2fz1ZipgNNWkwZoA0gfIfq8C+K+1i+++6eXPAokDnmrOM+EdaCtg8b5VGEj6UB1qrLieygyNrM6/SLeKezb1PA9AtA8U9IirRGLrYGl6gMwhQMH2ARPD9qVLreMF1ObJjWzeBmp1rLB4uTd/LTYiXbqf6vQ0SDyFPN74YEHEw5+xR5zSVxycirzV/2lIOJHuy1HYcQQVxoGAbLnZhMKMRQLzJEbpb/BoXIMSlHILNCGdkzsajyh/2CB9lgbze0+hcs7lWIUdnw/NG2Lh+NR9mTGqyRD8f6ztxYyBny2t7mnfhtYWyzP1/oxh+pwDbttOmnidk8vgIy4Z86FP2GdusQdiJac8alNHOjVOQGfiXF1PcBfUm0+IMYZU4BlX5S+8VjvPRSmWrd8hHO2nB+OflZE7cZ8+IQabffVZ7nGtNlcs5hpJV1n36PHaPpfOV1mftpl3KQ/IIepioZKvI0zVhG1R/MDkTxlmx+JcLVsaDJq02tWIAWR0dPcX5suErDeDucMUjXits8r7bCJ2GjAjghT1eu5Gu8Zl2ZRza7Iq/EA6DhGs5wcDpKYuHB/TOLrBxZV2S40V+lpzYBpbpzWEs6c6tIMHE3ejTrM0WAZR05tqWOuh+XvN4Ar/1NfvOHGxiSB8QZCoSyrCyJ785MPSL3gf49u/vm6Lkh1zPqAiS8w6VA1PpaEyeGajroYXuiWPP7obfDHTOwblMA6mf6orYIWZpWrFo94fu5vde5No6HKP5Yxo+VyFfKP4BwkSC75N4rviWlv81OiGc2r2X9HA3Jsc4Q6hrZSFiE7SoJhlraD1pP6yLDzfyNBmuuHE5I/e/deR6sSSPiejRj0u+JUrT+/h9acgZHQCTragNKUSpZMseB7Fiw5qpkclFu2scGyuXx+nKoO2KzPSbRjsXOfaApX/1ofb5tCm+hSFwTTih4mq7N0Tkh2mMQ4Z0ubCatWr9VO6bw3/EX5cF4oe3WV5uKBXly7ztB7lplwxOVmAxWZ3rbBOJofvRitOUtUmf/4Lgn1akzk/X8n4brrIUAMz9YS+lYKd0rLTpKme2XK3WRSa5DL/Z5Ar6MyscXBmwcY24C0yatbtGPlxZ1Lfj6Aexhbamrq8W2Ck6bqubyV+HSJvGJUcarOxwSAmQzDVNKmW3RxN452KM2y9VLc5jNxaYZdGdqteQFoDrrZb5fv0ZWR/fdDBAQCMhHQKkgfhVLIdWTr6hOpiDs9NnzmdYo0ER1y7Gj8J2whXqEYXznmo8y372z7j9PUPQhWCnEs/veEaNpHUpG4Yjy0GEvrzdp7tNpOxzDr433hsmkDwTgJHr3sD8uUGNJ0sgBTbOTtIC/hZCKqq1iieLppecA846W0MkBwrFZKesVwH/bmBMZlgbomvWhhIhEs9nGYSEAzLj0x4JkF//exESLXp6840pAL1HFBOLRknjEBXOFecVxcEgIRQZG/8NcfTlNUgJVm9re1UQP39qvdNyoESg/luLQ84lGy0DjQQpo5utjubbf0mggLLHic6Aaimct7g3buEckjUdLvvlK2LReaDwvkENlysrHLxpamLm6RRV139k/R3GBI1F1H6PbTST0J12/oFDv/1btrRvDU22dYPOLgAgRhzBOg4MlI4XrVvQUwcr2wMQbPZk1k5jixKcbjh5uJq8zl5ro3hrR5k7aWO71Qy9uxmbmD1EkZDOtYxLCMYe+eBkuE7FN7A/ioFIr/TVhMbSeP4iF4R8YS1DpJ7+1skdNZ6GeMfw/XBZJJGp/jH9ulBEolRrJ2NvXvgKDwWSw5lSEYKT5qXrX99BqwBqy3VLDQqpVEvVfuaMzqQVwpCPQI1blHF2FwZKXd6DSiO0Npi2XtAQcZjb/9SaEwoORNr8cowR/HkJIdV/pkk//7f/Y9gWsmNtiivR6bi6C0pvtSkYA+nGIVS3IRHiVt2PljPWGwCQcO/nI5qxksSsByYMBvdS5+VYRdzEQUhFPzTZPmiXi4LIMAwGcQ0NKTsb5u7zrIqhVwnBp75hJntAArJAccK1GWqjX4e+CCBwgKc1JuLSCaxzooKaKL7XfAP81lGd/phOldRleApUAXNeOHSqQN8Ru1jj3AhjYtVlIr58wknbZNIEc8atQcpyGUOAWCvCfBgeg5rqVm04R+2HJyheDy7nBnxT+rbnGvPMgGU0gwrhduZlOYsaM=', 'TYJElFG2H7en+iOkEBBBshDsd73cVMDmVb2esMoaqK3ap/chQz9T0P6HrfFDa2qaJroiBJ7K3yAqjpqTIVjRxBGcO//r84OI+XSGVvklW2xU4tMk0xCf8fYRCF3nC1MK1T36SdD+olDlwDwNYBOpJ+quxN1K0yjv0Enplty0LH3CI++7Du1qe4oa7T3GfqtG7Gg2hixaqdvtncI03OnYCHdIMzlpsPKKuImMi1U5VrUDc4G33ZmIIRjPq+RYE4+gzcJi7YXdEPQdBEboEuPTypjBpeK98De7DF3t1Iglhok0NsXWFhcEPpbpIKY8x7N9nd/XtPPMXgsoZF8EDsG8++tdPvZtENZOOKcvZsoNGSoNXZdL7TlzLViZEe8OBa+eHViDh/hq9kMqpUSesUwIh3LzOHz8TnflPbJmN9rW8zYfWH7GRKoqcJTO/TdXKBnSLoNJZzBMylfCRKYnFoZtIzWguBG9nIFBpWU3FkNt90At31OvSPSLEjYoUyl6ahl+7ueEoN04/m+aviBO7uO7GtKaXKxMbhdkSE85iaZNhZbNPfCizOGE89m3FGi/O+YRx7BnPUUsnIRv/+dDFiXzqqRS7hd/xQv0OY8Q1wIUESHkj9QAGFk+kCMnTogSiHIuWR3PUzq
Source: 12.2.windowsBook.exe.2436d98.1.raw.unpack, OiHoolIAygQAXBT.cs	Base64 encoded string: 'yKawK3VpaUozVt7nSUZH+FnSyshePzOpFVCnRwX7U4ZB280WpfMTuTYeExR0FWuvbGpl3SI6rcp8bs+ljbVa2lDFNksGpMvQB+F6XFct3J60IeY1leqgjx0W7B1p+kqD/QtuP0XvjgWxZQ6bRM4s9auajVMXd2Y/Hgg/g2fz1ZipgNNWkwZoA0gfIfq8C+K+1i+++6eXPAokDnmrOM+EdaCtg8b5VGEj6UB1qrLieygyNrM6/SLeKezb1PA9AtA8U9IirRGLrYGl6gMwhQMH2ARPD9qVLreMF1ObJjWzeBmp1rLB4uTd/LTYiXbqf6vQ0SDyFPN74YEHEw5+xR5zSVxycirzV/2lIOJHuy1HYcQQVxoGAbLnZhMKMRQLzJEbpb/BoXIMSlHILNCGdkzsajyh/2CB9lgbze0+hcs7lWIUdnw/NG2Lh+NR9mTGqyRD8f6ztxYyBny2t7mnfhtYWyzP1/oxh+pwDbttOmnidk8vgIy4Z86FP2GdusQdiJac8alNHOjVOQGfiXF1PcBfUm0+IMYZU4BlX5S+8VjvPRSmWrd8hHO2nB+OflZE7cZ8+IQabffVZ7nGtNlcs5hpJV1n36PHaPpfOV1mftpl3KQ/IIepioZKvI0zVhG1R/MDkTxlmx+JcLVsaDJq02tWIAWR0dPcX5suErDeDucMUjXits8r7bCJ2GjAjghT1eu5Gu8Zl2ZRza7Iq/EA6DhGs5wcDpKYuHB/TOLrBxZV2S40V+lpzYBpbpzWEs6c6tIMHE3ejTrM0WAZR05tqWOuh+XvN4Ar/1NfvOHGxiSB8QZCoSyrCyJ785MPSL3gf49u/vm6Lkh1zPqAiS8w6VA1PpaEyeGajroYXuiWPP7obfDHTOwblMA6mf6orYIWZpWrFo94fu5vde5No6HKP5Yxo+VyFfKP4BwkSC75N4rviWlv81OiGc2r2X9HA3Jsc4Q6hrZSFiE7SoJhlraD1pP6yLDzfyNBmuuHE5I/e/deR6sSSPiejRj0u+JUrT+/h9acgZHQCTragNKUSpZMseB7Fiw5qpkclFu2scGyuXx+nKoO2KzPSbRjsXOfaApX/1ofb5tCm+hSFwTTih4mq7N0Tkh2mMQ4Z0ubCatWr9VO6bw3/EX5cF4oe3WV5uKBXly7ztB7lplwxOVmAxWZ3rbBOJofvRitOUtUmf/4Lgn1akzk/X8n4brrIUAMz9YS+lYKd0rLTpKme2XK3WRSa5DL/Z5Ar6MyscXBmwcY24C0yatbtGPlxZ1Lfj6Aexhbamrq8W2Ck6bqubyV+HSJvGJUcarOxwSAmQzDVNKmW3RxN452KM2y9VLc5jNxaYZdGdqteQFoDrrZb5fv0ZWR/fdDBAQCMhHQKkgfhVLIdWTr6hOpiDs9NnzmdYo0ER1y7Gj8J2whXqEYXznmo8y372z7j9PUPQhWCnEs/veEaNpHUpG4Yjy0GEvrzdp7tNpOxzDr433hsmkDwTgJHr3sD8uUGNJ0sgBTbOTtIC/hZCKqq1iieLppecA846W0MkBwrFZKesVwH/bmBMZlgbomvWhhIhEs9nGYSEAzLj0x4JkF//exESLXp6840pAL1HFBOLRknjEBXOFecVxcEgIRQZG/8NcfTlNUgJVm9re1UQP39qvdNyoESg/luLQ84lGy0DjQQpo5utjubbf0mggLLHic6Aaimct7g3buEckjUdLvvlK2LReaDwvkENlysrHLxpamLm6RRV139k/R3GBI1F1H6PbTST0J12/oFDv/1btrRvDU22dYPOLgAgRhzBOg4MlI4XrVvQUwcr2wMQbPZk1k5jixKcbjh5uJq8zl5ro3hrR5k7aWO71Qy9uxmbmD1EkZDOtYxLCMYe+eBkuE7FN7A/ioFIr/TVhMbSeP4iF4R8YS1DpJ7+1skdNZ6GeMfw/XBZJJGp/jH9ulBEolRrJ2NvXvgKDwWSw5lSEYKT5qXrX99BqwBqy3VLDQqpVEvVfuaMzqQVwpCPQI1blHF2FwZKXd6DSiO0Npi2XtAQcZjb/9SaEwoORNr8cowR/HkJIdV/pkk//7f/Y9gWsmNtiivR6bi6C0pvtSkYA+nGIVS3IRHiVt2PljPWGwCQcO/nI5qxksSsByYMBvdS5+VYRdzEQUhFPzTZPmiXi4LIMAwGcQ0NKTsb5u7zrIqhVwnBp75hJntAArJAccK1GWqjX4e+CCBwgKc1JuLSCaxzooKaKL7XfAP81lGd/phOldRleApUAXNeOHSqQN8Ru1jj3AhjYtVlIr58wknbZNIEc8atQcpyGUOAWCvCfBgeg5rqVm04R+2HJyheDy7nBnxT+rbnGvPMgGU0gwrhduZlOYsaM=', 'TYJElFG2H7en+iOkEBBBshDsd73cVMDmVb2esMoaqK3ap/chQz9T0P6HrfFDa2qaJroiBJ7K3yAqjpqTIVjRxBGcO//r84OI+XSGVvklW2xU4tMk0xCf8fYRCF3nC1MK1T36SdD+olDlwDwNYBOpJ+quxN1K0yjv0Enplty0LH3CI++7Du1qe4oa7T3GfqtG7Gg2hixaqdvtncI03OnYCHdIMzlpsPKKuImMi1U5VrUDc4G33ZmIIRjPq+RYE4+gzcJi7YXdEPQdBEboEuPTypjBpeK98De7DF3t1Iglhok0NsXWFhcEPpbpIKY8x7N9nd/XtPPMXgsoZF8EDsG8++tdPvZtENZOOKcvZsoNGSoNXZdL7TlzLViZEe8OBa+eHViDh/hq9kMqpUSesUwIh3LzOHz8TnflPbJmN9rW8zYfWH7GRKoqcJTO/TdXKBnSLoNJZzBMylfCRKYnFoZtIzWguBG9nIFBpWU3FkNt90At31OvSPSLEjYoUyl6ahl+7ueEoN04/m+aviBO7uO7GtKaXKxMbhdkSE85iaZNhZbNPfCizOGE89m3FGi/O+YRx7BnPUUsnIRv/+dDFiXzqqRS7hd/xQv0OY8Q1wIUESHkj9QAGFk+kCMnTogSiHIuWR3PUzq
Source: 12.2.windowsBook.exe.242aeb4.0.raw.unpack, OiHoolIAygQAXBT.cs	Base64 encoded string: 'yKawK3VpaUozVt7nSUZH+FnSyshePzOpFVCnRwX7U4ZB280WpfMTuTYeExR0FWuvbGpl3SI6rcp8bs+ljbVa2lDFNksGpMvQB+F6XFct3J60IeY1leqgjx0W7B1p+kqD/QtuP0XvjgWxZQ6bRM4s9auajVMXd2Y/Hgg/g2fz1ZipgNNWkwZoA0gfIfq8C+K+1i+++6eXPAokDnmrOM+EdaCtg8b5VGEj6UB1qrLieygyNrM6/SLeKezb1PA9AtA8U9IirRGLrYGl6gMwhQMH2ARPD9qVLreMF1ObJjWzeBmp1rLB4uTd/LTYiXbqf6vQ0SDyFPN74YEHEw5+xR5zSVxycirzV/2lIOJHuy1HYcQQVxoGAbLnZhMKMRQLzJEbpb/BoXIMSlHILNCGdkzsajyh/2CB9lgbze0+hcs7lWIUdnw/NG2Lh+NR9mTGqyRD8f6ztxYyBny2t7mnfhtYWyzP1/oxh+pwDbttOmnidk8vgIy4Z86FP2GdusQdiJac8alNHOjVOQGfiXF1PcBfUm0+IMYZU4BlX5S+8VjvPRSmWrd8hHO2nB+OflZE7cZ8+IQabffVZ7nGtNlcs5hpJV1n36PHaPpfOV1mftpl3KQ/IIepioZKvI0zVhG1R/MDkTxlmx+JcLVsaDJq02tWIAWR0dPcX5suErDeDucMUjXits8r7bCJ2GjAjghT1eu5Gu8Zl2ZRza7Iq/EA6DhGs5wcDpKYuHB/TOLrBxZV2S40V+lpzYBpbpzWEs6c6tIMHE3ejTrM0WAZR05tqWOuh+XvN4Ar/1NfvOHGxiSB8QZCoSyrCyJ785MPSL3gf49u/vm6Lkh1zPqAiS8w6VA1PpaEyeGajroYXuiWPP7obfDHTOwblMA6mf6orYIWZpWrFo94fu5vde5No6HKP5Yxo+VyFfKP4BwkSC75N4rviWlv81OiGc2r2X9HA3Jsc4Q6hrZSFiE7SoJhlraD1pP6yLDzfyNBmuuHE5I/e/deR6sSSPiejRj0u+JUrT+/h9acgZHQCTragNKUSpZMseB7Fiw5qpkclFu2scGyuXx+nKoO2KzPSbRjsXOfaApX/1ofb5tCm+hSFwTTih4mq7N0Tkh2mMQ4Z0ubCatWr9VO6bw3/EX5cF4oe3WV5uKBXly7ztB7lplwxOVmAxWZ3rbBOJofvRitOUtUmf/4Lgn1akzk/X8n4brrIUAMz9YS+lYKd0rLTpKme2XK3WRSa5DL/Z5Ar6MyscXBmwcY24C0yatbtGPlxZ1Lfj6Aexhbamrq8W2Ck6bqubyV+HSJvGJUcarOxwSAmQzDVNKmW3RxN452KM2y9VLc5jNxaYZdGdqteQFoDrrZb5fv0ZWR/fdDBAQCMhHQKkgfhVLIdWTr6hOpiDs9NnzmdYo0ER1y7Gj8J2whXqEYXznmo8y372z7j9PUPQhWCnEs/veEaNpHUpG4Yjy0GEvrzdp7tNpOxzDr433hsmkDwTgJHr3sD8uUGNJ0sgBTbOTtIC/hZCKqq1iieLppecA846W0MkBwrFZKesVwH/bmBMZlgbomvWhhIhEs9nGYSEAzLj0x4JkF//exESLXp6840pAL1HFBOLRknjEBXOFecVxcEgIRQZG/8NcfTlNUgJVm9re1UQP39qvdNyoESg/luLQ84lGy0DjQQpo5utjubbf0mggLLHic6Aaimct7g3buEckjUdLvvlK2LReaDwvkENlysrHLxpamLm6RRV139k/R3GBI1F1H6PbTST0J12/oFDv/1btrRvDU22dYPOLgAgRhzBOg4MlI4XrVvQUwcr2wMQbPZk1k5jixKcbjh5uJq8zl5ro3hrR5k7aWO71Qy9uxmbmD1EkZDOtYxLCMYe+eBkuE7FN7A/ioFIr/TVhMbSeP4iF4R8YS1DpJ7+1skdNZ6GeMfw/XBZJJGp/jH9ulBEolRrJ2NvXvgKDwWSw5lSEYKT5qXrX99BqwBqy3VLDQqpVEvVfuaMzqQVwpCPQI1blHF2FwZKXd6DSiO0Npi2XtAQcZjb/9SaEwoORNr8cowR/HkJIdV/pkk//7f/Y9gWsmNtiivR6bi6C0pvtSkYA+nGIVS3IRHiVt2PljPWGwCQcO/nI5qxksSsByYMBvdS5+VYRdzEQUhFPzTZPmiXi4LIMAwGcQ0NKTsb5u7zrIqhVwnBp75hJntAArJAccK1GWqjX4e+CCBwgKc1JuLSCaxzooKaKL7XfAP81lGd/phOldRleApUAXNeOHSqQN8Ru1jj3AhjYtVlIr58wknbZNIEc8atQcpyGUOAWCvCfBgeg5rqVm04R+2HJyheDy7nBnxT+rbnGvPMgGU0gwrhduZlOYsaM=', 'TYJElFG2H7en+iOkEBBBshDsd73cVMDmVb2esMoaqK3ap/chQz9T0P6HrfFDa2qaJroiBJ7K3yAqjpqTIVjRxBGcO//r84OI+XSGVvklW2xU4tMk0xCf8fYRCF3nC1MK1T36SdD+olDlwDwNYBOpJ+quxN1K0yjv0Enplty0LH3CI++7Du1qe4oa7T3GfqtG7Gg2hixaqdvtncI03OnYCHdIMzlpsPKKuImMi1U5VrUDc4G33ZmIIRjPq+RYE4+gzcJi7YXdEPQdBEboEuPTypjBpeK98De7DF3t1Iglhok0NsXWFhcEPpbpIKY8x7N9nd/XtPPMXgsoZF8EDsG8++tdPvZtENZOOKcvZsoNGSoNXZdL7TlzLViZEe8OBa+eHViDh/hq9kMqpUSesUwIh3LzOHz8TnflPbJmN9rW8zYfWH7GRKoqcJTO/TdXKBnSLoNJZzBMylfCRKYnFoZtIzWguBG9nIFBpWU3FkNt90At31OvSPSLEjYoUyl6ahl+7ueEoN04/m+aviBO7uO7GtKaXKxMbhdkSE85iaZNhZbNPfCizOGE89m3FGi/O+YRx7BnPUUsnIRv/+dDFiXzqqRS7hd/xQv0OY8Q1wIUESHkj9QAGFk+kCMnTogSiHIuWR3PUzq

Source: 0.2.rUAE_LPO.com.exe.278ad74.1.raw.unpack, QlQTgMLzdOeM.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.rUAE_LPO.com.exe.278ad74.1.raw.unpack, QlQTgMLzdOeM.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 12.2.windowsBook.exe.242aeb4.0.raw.unpack, QlQTgMLzdOeM.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 12.2.windowsBook.exe.242aeb4.0.raw.unpack, QlQTgMLzdOeM.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.rUAE_LPO.com.exe.3946a90.4.raw.unpack, UsZR4WAuccc4bG2t0V.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.rUAE_LPO.com.exe.38f9270.2.raw.unpack, UsZR4WAuccc4bG2t0V.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.rUAE_LPO.com.exe.3946a90.4.raw.unpack, ja00XrikEODt9WNI44.cs	Security API names: _0020.SetAccessControl
Source: 0.2.rUAE_LPO.com.exe.3946a90.4.raw.unpack, ja00XrikEODt9WNI44.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.rUAE_LPO.com.exe.3946a90.4.raw.unpack, ja00XrikEODt9WNI44.cs	Security API names: _0020.AddAccessRule
Source: 12.2.windowsBook.exe.2436d98.1.raw.unpack, QlQTgMLzdOeM.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 12.2.windowsBook.exe.2436d98.1.raw.unpack, QlQTgMLzdOeM.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.rUAE_LPO.com.exe.38f9270.2.raw.unpack, ja00XrikEODt9WNI44.cs	Security API names: _0020.SetAccessControl
Source: 0.2.rUAE_LPO.com.exe.38f9270.2.raw.unpack, ja00XrikEODt9WNI44.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.rUAE_LPO.com.exe.38f9270.2.raw.unpack, ja00XrikEODt9WNI44.cs	Security API names: _0020.AddAccessRule
Source: 0.2.rUAE_LPO.com.exe.7320000.6.raw.unpack, ja00XrikEODt9WNI44.cs	Security API names: _0020.SetAccessControl
Source: 0.2.rUAE_LPO.com.exe.7320000.6.raw.unpack, ja00XrikEODt9WNI44.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.rUAE_LPO.com.exe.7320000.6.raw.unpack, ja00XrikEODt9WNI44.cs	Security API names: _0020.AddAccessRule
Source: 0.2.rUAE_LPO.com.exe.7320000.6.raw.unpack, UsZR4WAuccc4bG2t0V.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.rUAE_LPO.com.exe.2796c58.0.raw.unpack, QlQTgMLzdOeM.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.rUAE_LPO.com.exe.2796c58.0.raw.unpack, QlQTgMLzdOeM.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.evad.winEXE@27/7@2/1

Source: C:\Users\user\Desktop\rUAE_LPO.com.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\rUAE_LPO.com.exe.log

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Mutant created: NULL
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Mutant created: \Sessions\1\BaseNamedObjects\8xLI57IVXCDFxeWa@
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5756:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6468:120:WilError_03

Source: C:\Users\user\Desktop\rUAE_LPO.com.exe

File created: C:\Users\user\AppData\Local\Temp\windowsBook.exe

Jump to behavior

Source: C:\Users\user\Desktop\rUAE_LPO.com.exe

Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpBE0.tmp.bat""

Source: rUAE_LPO.com.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: rUAE_LPO.com.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.79%

Source: C:\Users\user\Desktop\rUAE_LPO.com.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\rUAE_LPO.com.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: rUAE_LPO.com.exe	ReversingLabs: Detection: 26%
Source: rUAE_LPO.com.exe	Virustotal: Detection: 32%

Source: C:\Users\user\Desktop\rUAE_LPO.com.exe

File read: C:\Users\user\Desktop\rUAE_LPO.com.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\rUAE_LPO.com.exe "C:\Users\user\Desktop\rUAE_LPO.com.exe"
Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Process created: C:\Users\user\Desktop\rUAE_LPO.com.exe "C:\Users\user\Desktop\rUAE_LPO.com.exe"
Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Process created: C:\Users\user\Desktop\rUAE_LPO.com.exe "C:\Users\user\Desktop\rUAE_LPO.com.exe"
Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Process created: C:\Users\user\Desktop\rUAE_LPO.com.exe "C:\Users\user\Desktop\rUAE_LPO.com.exe"
Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "windowsBook" /tr '"C:\Users\user\AppData\Local\Temp\windowsBook.exe"' & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpBE0.tmp.bat""
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "windowsBook" /tr '"C:\Users\user\AppData\Local\Temp\windowsBook.exe"'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 3
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\windowsBook.exe C:\Users\user\AppData\Local\Temp\windowsBook.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\windowsBook.exe "C:\Users\user\AppData\Local\Temp\windowsBook.exe"
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Process created: C:\Users\user\AppData\Local\Temp\windowsBook.exe "C:\Users\user\AppData\Local\Temp\windowsBook.exe"
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Process created: C:\Users\user\AppData\Local\Temp\windowsBook.exe "C:\Users\user\AppData\Local\Temp\windowsBook.exe"
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Process created: C:\Users\user\AppData\Local\Temp\windowsBook.exe "C:\Users\user\AppData\Local\Temp\windowsBook.exe"
Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Process created: C:\Users\user\Desktop\rUAE_LPO.com.exe "C:\Users\user\Desktop\rUAE_LPO.com.exe"	Jump to behavior
Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Process created: C:\Users\user\Desktop\rUAE_LPO.com.exe "C:\Users\user\Desktop\rUAE_LPO.com.exe"	Jump to behavior
Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Process created: C:\Users\user\Desktop\rUAE_LPO.com.exe "C:\Users\user\Desktop\rUAE_LPO.com.exe"	Jump to behavior
Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "windowsBook" /tr '"C:\Users\user\AppData\Local\Temp\windowsBook.exe"' & exit	Jump to behavior
Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpBE0.tmp.bat""	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "windowsBook" /tr '"C:\Users\user\AppData\Local\Temp\windowsBook.exe"'	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 3	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\windowsBook.exe "C:\Users\user\AppData\Local\Temp\windowsBook.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Process created: C:\Users\user\AppData\Local\Temp\windowsBook.exe "C:\Users\user\AppData\Local\Temp\windowsBook.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Process created: C:\Users\user\AppData\Local\Temp\windowsBook.exe "C:\Users\user\AppData\Local\Temp\windowsBook.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Process created: C:\Users\user\AppData\Local\Temp\windowsBook.exe "C:\Users\user\AppData\Local\Temp\windowsBook.exe"	Jump to behavior

Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Section loaded: cryptnet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Section loaded: msasn1.dll	Jump to behavior

Source: C:\Users\user\Desktop\rUAE_LPO.com.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\rUAE_LPO.com.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: rUAE_LPO.com.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: rUAE_LPO.com.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: rUAE_LPO.com.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: AJYP.pdb source: rUAE_LPO.com.exe, windowsBook.exe.5.dr
Source:	Binary string: AJYP.pdbSHA256 source: rUAE_LPO.com.exe, windowsBook.exe.5.dr

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 0.2.rUAE_LPO.com.exe.6bd0000.5.raw.unpack, at4ONG9F0NYCELN5Tj.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{cPRyvIfYviaTKciquO(typeof(IntPtr).TypeHandle),cPRyvIfYviaTKciquO(typeof(Type).TypeHandle)})
Source: 0.2.rUAE_LPO.com.exe.379e790.3.raw.unpack, at4ONG9F0NYCELN5Tj.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{cPRyvIfYviaTKciquO(typeof(IntPtr).TypeHandle),cPRyvIfYviaTKciquO(typeof(Type).TypeHandle)})

.NET source code contains potential unpacker

Source: 0.2.rUAE_LPO.com.exe.38f9270.2.raw.unpack, ja00XrikEODt9WNI44.cs	.Net Code: zCR6xxIx4d System.Reflection.Assembly.Load(byte[])
Source: 0.2.rUAE_LPO.com.exe.3946a90.4.raw.unpack, ja00XrikEODt9WNI44.cs	.Net Code: zCR6xxIx4d System.Reflection.Assembly.Load(byte[])
Source: 0.2.rUAE_LPO.com.exe.7320000.6.raw.unpack, ja00XrikEODt9WNI44.cs	.Net Code: zCR6xxIx4d System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Code function: 0_2_00A0FF81 push ds; iretd	0_2_00A0FF82
Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Code function: 0_2_06F1B418 push eax; iretd	0_2_06F1B419
Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Code function: 0_2_06F100BF push ds; iretd	0_2_06F100C2
Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Code function: 0_2_06F10079 push ds; iretd	0_2_06F1007A
Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Code function: 0_2_06F1007B push ds; iretd	0_2_06F10082
Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Code function: 0_2_06F12C8B pushfd ; iretd	0_2_06F12C92
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Code function: 15_2_01753AE0 push ebx; retf 7135h	15_2_01753BDA

Source: rUAE_LPO.com.exe	Static PE information: section name: .text entropy: 7.958150492671751
Source: windowsBook.exe.5.dr	Static PE information: section name: .text entropy: 7.958150492671751

Source: 0.2.rUAE_LPO.com.exe.38f9270.2.raw.unpack, gBcrXPOXFXIV4tRjmt.cs	High entropy of concatenated method names: 'Dispose', 'rUhKVuZLdR', 'RWp4gdtD7c', 'DTmssul2M2', 'GvHK8XnfBP', 'v2NKzdH6qI', 'ProcessDialogKey', 'R0i4MF5OWH', 'b8N4KRISIn', 'V7w443aXPC'
Source: 0.2.rUAE_LPO.com.exe.38f9270.2.raw.unpack, rtDxqSZRhmxyxWM1jr.cs	High entropy of concatenated method names: 'DQKmCKFQuB', 'WI1moCipbE', 'BklmFcssjF', 'eCUF8C1SoV', 'ttYFzs8b2s', 'OOamMCW86k', 'Eo3mK9s66C', 'xCqm4RgD1U', 'IupmwhMqg5', 'dqCm6hx8JU'
Source: 0.2.rUAE_LPO.com.exe.38f9270.2.raw.unpack, vaXPCn83dQ8gY8wOjK.cs	High entropy of concatenated method names: 'pY1DKBRsLF', 'fOWDwFSfdY', 'XaaD60l7f9', 'v7oDChlr2d', 'OTADOru55T', 'v9BDStx5ZO', 'XmmDFiL6dk', 'iJ2UjxexDr', 'pktUPoYvNi', 'I5iUVZxdhh'
Source: 0.2.rUAE_LPO.com.exe.38f9270.2.raw.unpack, DFSrAf4PGsaxQIaFII.cs	High entropy of concatenated method names: 'TpQxF3BGn', 'TdOJ4VlhD', 'WRHBsp79J', 'jf6eu1e0g', 'HJGErfJlJ', 'Yxak1scfo', 'DaiFK6ptkAga7gOh8h', 'TJO11w1QBDcmifeoqJ', 'BJ8U9LEHi', 'FVvtYjgvv'
Source: 0.2.rUAE_LPO.com.exe.38f9270.2.raw.unpack, IvfphO0H1p6GM1BGgc.cs	High entropy of concatenated method names: 'BZTFni49Uw', 'aHVFci59DJ', 'H46F1d289e', 'ToString', 'Y8hFvu3lNH', 'NEdFjDsTjP', 'PVQoUXdSxFl1awXomch', 'ekvf9HdZuy5ALaMUM5G', 'Xer0NDdFSnOfwavssmM'
Source: 0.2.rUAE_LPO.com.exe.38f9270.2.raw.unpack, GeeTyhcaukqC48ew3U.cs	High entropy of concatenated method names: 'dHcXTQ1HPI', 'F2iX74yHKS', 'ToString', 'Ri6XCBLg8n', 'gaUXOTNKGs', 'WfxXo3SEG6', 'mOXXSqWgY7', 'USRXFRODlJ', 'ADwXmJU60Q', 'ageXij6KpK'
Source: 0.2.rUAE_LPO.com.exe.38f9270.2.raw.unpack, u9uJTJ6I33ofmI2o9H.cs	High entropy of concatenated method names: 'L11KmsZR4W', 'tccKic4bG2', 'c9sKTupYTD', 'MnlK7PqGaa', 'UlGKljFr9Y', 'blnK5t87gE', 'HXNkauEjDbIdNksOQ4', 'V8Ux0mrVBe8pP2uWum', 'SgZKKTH3qn', 'O6XKw3v2Uy'
Source: 0.2.rUAE_LPO.com.exe.38f9270.2.raw.unpack, lvgmbkge7XdgNrcn61.cs	High entropy of concatenated method names: 'CdEQB3dMQwqluIKh2CY', 'lBsTAcdIn4ip1f67y71', 'mZJFUKGhjP', 'pkmFD6QRvV', 'IDZFtWRkNe', 'Lug3GbdhK11sGQpqOsn', 'Qf5MyPdO2WL60JZDFyE'
Source: 0.2.rUAE_LPO.com.exe.38f9270.2.raw.unpack, kF5OWHV48NRISInv7w.cs	High entropy of concatenated method names: 'rSRU2JVHYZ', 'ENGUgvI6w4', 'yDSUIHC29Q', 'uYbUWqqqC6', 'iavURk1OEZ', 'NgSUGZnnSJ', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.rUAE_LPO.com.exe.38f9270.2.raw.unpack, uGaaEuk9RaLkGvlGjF.cs	High entropy of concatenated method names: 'zvrShdSmFv', 'P84SeH1da9', 'OtXoIEqvT0', 'TWvoWEvVPC', 'EKKoGmSa5V', 'Gfmo0GTakH', 'BlwoZYk8WX', 'y3noyZl1js', 'Q9boNAkRqp', 'TkfoYalf1E'
Source: 0.2.rUAE_LPO.com.exe.38f9270.2.raw.unpack, IohLxTKwRZmbFlUlDfy.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'qSwtRmfDDI', 'aHMt906o9b', 'dn4tnOv9HI', 'LW3tc98G8j', 'jJtt184S42', 'qyytvw8Z95', 'bVvtjxUxXH'
Source: 0.2.rUAE_LPO.com.exe.38f9270.2.raw.unpack, ja00XrikEODt9WNI44.cs	High entropy of concatenated method names: 'VArwaURcZh', 'fEuwC363kj', 'bVPwO97PnS', 'Vgbwowcgny', 'jT7wSNm2Ik', 'nIvwFj261p', 'G1OwmPak6M', 'gLqwiEdYmd', 'AxDwfA7jDp', 'hDmwTIxvfW'
Source: 0.2.rUAE_LPO.com.exe.38f9270.2.raw.unpack, EugvXbKMS5ALgobGfc0.cs	High entropy of concatenated method names: 'D9SDbsL9Ql', 'yL2Drpnc68', 'g8aDxniJfI', 'bqsDJqBrAT', 'WZQDhYEEp4', 'YaKDBmmDd0', 'kqKDekvUVg', 'r1pDAFFi5U', 'RO8DEiu3tY', 'n4uDkpgvPn'
Source: 0.2.rUAE_LPO.com.exe.38f9270.2.raw.unpack, XE5EaNK4QbMtF8GGVwo.cs	High entropy of concatenated method names: 'E8GtbVUNWK', 'SZGtrY8XoP', 'j4WtxPGvrA', 'qrjRmZn0kys40EYaa5S', 'lebj5qng6aC3Rm3p8MD', 'oy9VX6nbw92Zs4n7LTQ', 'mID2sIn6NNwmBwKK1yY', 'Xlb5bTnEoHKNBk6vMaY'
Source: 0.2.rUAE_LPO.com.exe.38f9270.2.raw.unpack, LfpPOSsKSUFq1iX8Nl.cs	High entropy of concatenated method names: 'NVhHAO98ki', 'e0ZHEtnoRh', 'wPIH25joY4', 'AI8Hgiebvl', 'b3iHWZC7DP', 'wLpHGDUIgk', 'QjcHZ5RnSD', 'TU6Hy6SH20', 'lgcHYQFYoA', 'BlkHLOZxXA'
Source: 0.2.rUAE_LPO.com.exe.38f9270.2.raw.unpack, VLjh24E9supYTDNnlP.cs	High entropy of concatenated method names: 'WJboJQwBC8', 'j8soBNTq7o', 'rcqoAvUQoX', 'LXXoEX8xrw', 'VRiol5HBCW', 'zoNo5belCP', 'wT6oXTGhx8', 'PPqoU1pcUC', 'kbYoDTVBOJ', 'U65otTB1n7'
Source: 0.2.rUAE_LPO.com.exe.38f9270.2.raw.unpack, UsZR4WAuccc4bG2t0V.cs	High entropy of concatenated method names: 'Ia6ORJvRab', 'CyLO9Wx5WQ', 'thpOnVZs7J', 'bM7OcMyIIx', 'eZKO1aNnwO', 'EurOvcMHeU', 'zTtOjTcGDC', 'NVIOPkPSOA', 'VUtOVUl3G5', 'oVaO8PLPk1'
Source: 0.2.rUAE_LPO.com.exe.38f9270.2.raw.unpack, OkCM60NmyAtFOQfQUD.cs	High entropy of concatenated method names: 'tbNmbu9pLk', 'wSPmrOju3t', 'E59mx0I7JQ', 'N5OmJE99NZ', 'FxDmhOsHPp', 'dfMmBVWa3E', 'fjMmesLKS5', 'qVDmAa1rea', 'RdMmEBX1h1', 'Hirmk6pLmR'
Source: 0.2.rUAE_LPO.com.exe.38f9270.2.raw.unpack, wpaG8yRb7t7ykAyuog.cs	High entropy of concatenated method names: 'FIHlYH9tTF', 'yyglpE3LFS', 'j9alRno07T', 'h2fl9dDCvo', 'StPlgRpJhU', 'jHvlIyQc1i', 'xPYlWC7IUh', 'DX6lGnYaoO', 'v27l0V07YH', 'XsFlZl7sIa'
Source: 0.2.rUAE_LPO.com.exe.38f9270.2.raw.unpack, y9Y4ln2t87gEHOfKCO.cs	High entropy of concatenated method names: 'AxaFa12cKu', 'revFOBLcoO', 'ik6FSCIcIh', 'IMnFm4ESfd', 'VHBFiNWDlt', 'KcRS1U1fy5', 'b11SvD1QSk', 'y0uSjWQSTY', 'w6JSP5KwRh', 'we8SVfDuga'
Source: 0.2.rUAE_LPO.com.exe.38f9270.2.raw.unpack, UHXnfBPP32NdH6qI90.cs	High entropy of concatenated method names: 'z83UC7ecxL', 'GGhUOyqxBn', 'WkrUouJvcT', 'qSdUS0HlwN', 'SbsUFLoEoh', 'oiwUmJsjBE', 'KifUiS4N2n', 'hsfUf9V5bs', 'm8bUTZGPql', 'kUyU7aKVLp'
Source: 0.2.rUAE_LPO.com.exe.38f9270.2.raw.unpack, T69rpRnjd8kRs2GVQZ.cs	High entropy of concatenated method names: 'ToString', 'uYs5Lvo5cO', 'l635g6I8Kw', 'IVj5If43W2', 'H2q5WQCnFY', 'IVO5GEmHRr', 'i8p50aGxCa', 'TKR5Zt2g06', 'MCo5yif1Ze', 'Tx35NYqmPX'
Source: 0.2.rUAE_LPO.com.exe.6bd0000.5.raw.unpack, MainForm.cs	High entropy of concatenated method names: 'YgSHuitkd', 'aiP2N9Y7C', 'gHQx79i6W', 'AGv9PUWi3', 'QMsbTCblb', 'beIGikGSa', 'clTPOt4ON', 'fF0vNYCEL', 'C5TCjFvvv', 'ln3BTm5Rw'
Source: 0.2.rUAE_LPO.com.exe.6bd0000.5.raw.unpack, at4ONG9F0NYCELN5Tj.cs	High entropy of concatenated method names: 'nVoxarmF975Urj2p8sJ', 'tIta6WmWAkGE6iVCWgt', 'Y8N2DklRel', 'hpreq0m6Xcu1pidWj9b', 'KFC0XvmT5N8D2LR210h', 'a5foommXYpDAHBV6LjL', 'd3wYgimbV84NAc2fo7p', 'ItvPp5mqvV1adE08UOg', 'KA7rbWmJ0EMRNxYE2Vd', 'PPtPBAmQMyT7QpfjJpI'
Source: 0.2.rUAE_LPO.com.exe.3946a90.4.raw.unpack, gBcrXPOXFXIV4tRjmt.cs	High entropy of concatenated method names: 'Dispose', 'rUhKVuZLdR', 'RWp4gdtD7c', 'DTmssul2M2', 'GvHK8XnfBP', 'v2NKzdH6qI', 'ProcessDialogKey', 'R0i4MF5OWH', 'b8N4KRISIn', 'V7w443aXPC'
Source: 0.2.rUAE_LPO.com.exe.3946a90.4.raw.unpack, rtDxqSZRhmxyxWM1jr.cs	High entropy of concatenated method names: 'DQKmCKFQuB', 'WI1moCipbE', 'BklmFcssjF', 'eCUF8C1SoV', 'ttYFzs8b2s', 'OOamMCW86k', 'Eo3mK9s66C', 'xCqm4RgD1U', 'IupmwhMqg5', 'dqCm6hx8JU'
Source: 0.2.rUAE_LPO.com.exe.3946a90.4.raw.unpack, vaXPCn83dQ8gY8wOjK.cs	High entropy of concatenated method names: 'pY1DKBRsLF', 'fOWDwFSfdY', 'XaaD60l7f9', 'v7oDChlr2d', 'OTADOru55T', 'v9BDStx5ZO', 'XmmDFiL6dk', 'iJ2UjxexDr', 'pktUPoYvNi', 'I5iUVZxdhh'
Source: 0.2.rUAE_LPO.com.exe.3946a90.4.raw.unpack, DFSrAf4PGsaxQIaFII.cs	High entropy of concatenated method names: 'TpQxF3BGn', 'TdOJ4VlhD', 'WRHBsp79J', 'jf6eu1e0g', 'HJGErfJlJ', 'Yxak1scfo', 'DaiFK6ptkAga7gOh8h', 'TJO11w1QBDcmifeoqJ', 'BJ8U9LEHi', 'FVvtYjgvv'
Source: 0.2.rUAE_LPO.com.exe.3946a90.4.raw.unpack, IvfphO0H1p6GM1BGgc.cs	High entropy of concatenated method names: 'BZTFni49Uw', 'aHVFci59DJ', 'H46F1d289e', 'ToString', 'Y8hFvu3lNH', 'NEdFjDsTjP', 'PVQoUXdSxFl1awXomch', 'ekvf9HdZuy5ALaMUM5G', 'Xer0NDdFSnOfwavssmM'
Source: 0.2.rUAE_LPO.com.exe.3946a90.4.raw.unpack, GeeTyhcaukqC48ew3U.cs	High entropy of concatenated method names: 'dHcXTQ1HPI', 'F2iX74yHKS', 'ToString', 'Ri6XCBLg8n', 'gaUXOTNKGs', 'WfxXo3SEG6', 'mOXXSqWgY7', 'USRXFRODlJ', 'ADwXmJU60Q', 'ageXij6KpK'
Source: 0.2.rUAE_LPO.com.exe.3946a90.4.raw.unpack, u9uJTJ6I33ofmI2o9H.cs	High entropy of concatenated method names: 'L11KmsZR4W', 'tccKic4bG2', 'c9sKTupYTD', 'MnlK7PqGaa', 'UlGKljFr9Y', 'blnK5t87gE', 'HXNkauEjDbIdNksOQ4', 'V8Ux0mrVBe8pP2uWum', 'SgZKKTH3qn', 'O6XKw3v2Uy'
Source: 0.2.rUAE_LPO.com.exe.3946a90.4.raw.unpack, lvgmbkge7XdgNrcn61.cs	High entropy of concatenated method names: 'CdEQB3dMQwqluIKh2CY', 'lBsTAcdIn4ip1f67y71', 'mZJFUKGhjP', 'pkmFD6QRvV', 'IDZFtWRkNe', 'Lug3GbdhK11sGQpqOsn', 'Qf5MyPdO2WL60JZDFyE'
Source: 0.2.rUAE_LPO.com.exe.3946a90.4.raw.unpack, kF5OWHV48NRISInv7w.cs	High entropy of concatenated method names: 'rSRU2JVHYZ', 'ENGUgvI6w4', 'yDSUIHC29Q', 'uYbUWqqqC6', 'iavURk1OEZ', 'NgSUGZnnSJ', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.rUAE_LPO.com.exe.3946a90.4.raw.unpack, uGaaEuk9RaLkGvlGjF.cs	High entropy of concatenated method names: 'zvrShdSmFv', 'P84SeH1da9', 'OtXoIEqvT0', 'TWvoWEvVPC', 'EKKoGmSa5V', 'Gfmo0GTakH', 'BlwoZYk8WX', 'y3noyZl1js', 'Q9boNAkRqp', 'TkfoYalf1E'
Source: 0.2.rUAE_LPO.com.exe.3946a90.4.raw.unpack, IohLxTKwRZmbFlUlDfy.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'qSwtRmfDDI', 'aHMt906o9b', 'dn4tnOv9HI', 'LW3tc98G8j', 'jJtt184S42', 'qyytvw8Z95', 'bVvtjxUxXH'
Source: 0.2.rUAE_LPO.com.exe.3946a90.4.raw.unpack, ja00XrikEODt9WNI44.cs	High entropy of concatenated method names: 'VArwaURcZh', 'fEuwC363kj', 'bVPwO97PnS', 'Vgbwowcgny', 'jT7wSNm2Ik', 'nIvwFj261p', 'G1OwmPak6M', 'gLqwiEdYmd', 'AxDwfA7jDp', 'hDmwTIxvfW'
Source: 0.2.rUAE_LPO.com.exe.3946a90.4.raw.unpack, EugvXbKMS5ALgobGfc0.cs	High entropy of concatenated method names: 'D9SDbsL9Ql', 'yL2Drpnc68', 'g8aDxniJfI', 'bqsDJqBrAT', 'WZQDhYEEp4', 'YaKDBmmDd0', 'kqKDekvUVg', 'r1pDAFFi5U', 'RO8DEiu3tY', 'n4uDkpgvPn'
Source: 0.2.rUAE_LPO.com.exe.3946a90.4.raw.unpack, XE5EaNK4QbMtF8GGVwo.cs	High entropy of concatenated method names: 'E8GtbVUNWK', 'SZGtrY8XoP', 'j4WtxPGvrA', 'qrjRmZn0kys40EYaa5S', 'lebj5qng6aC3Rm3p8MD', 'oy9VX6nbw92Zs4n7LTQ', 'mID2sIn6NNwmBwKK1yY', 'Xlb5bTnEoHKNBk6vMaY'
Source: 0.2.rUAE_LPO.com.exe.3946a90.4.raw.unpack, LfpPOSsKSUFq1iX8Nl.cs	High entropy of concatenated method names: 'NVhHAO98ki', 'e0ZHEtnoRh', 'wPIH25joY4', 'AI8Hgiebvl', 'b3iHWZC7DP', 'wLpHGDUIgk', 'QjcHZ5RnSD', 'TU6Hy6SH20', 'lgcHYQFYoA', 'BlkHLOZxXA'
Source: 0.2.rUAE_LPO.com.exe.3946a90.4.raw.unpack, VLjh24E9supYTDNnlP.cs	High entropy of concatenated method names: 'WJboJQwBC8', 'j8soBNTq7o', 'rcqoAvUQoX', 'LXXoEX8xrw', 'VRiol5HBCW', 'zoNo5belCP', 'wT6oXTGhx8', 'PPqoU1pcUC', 'kbYoDTVBOJ', 'U65otTB1n7'
Source: 0.2.rUAE_LPO.com.exe.3946a90.4.raw.unpack, UsZR4WAuccc4bG2t0V.cs	High entropy of concatenated method names: 'Ia6ORJvRab', 'CyLO9Wx5WQ', 'thpOnVZs7J', 'bM7OcMyIIx', 'eZKO1aNnwO', 'EurOvcMHeU', 'zTtOjTcGDC', 'NVIOPkPSOA', 'VUtOVUl3G5', 'oVaO8PLPk1'
Source: 0.2.rUAE_LPO.com.exe.3946a90.4.raw.unpack, OkCM60NmyAtFOQfQUD.cs	High entropy of concatenated method names: 'tbNmbu9pLk', 'wSPmrOju3t', 'E59mx0I7JQ', 'N5OmJE99NZ', 'FxDmhOsHPp', 'dfMmBVWa3E', 'fjMmesLKS5', 'qVDmAa1rea', 'RdMmEBX1h1', 'Hirmk6pLmR'
Source: 0.2.rUAE_LPO.com.exe.3946a90.4.raw.unpack, wpaG8yRb7t7ykAyuog.cs	High entropy of concatenated method names: 'FIHlYH9tTF', 'yyglpE3LFS', 'j9alRno07T', 'h2fl9dDCvo', 'StPlgRpJhU', 'jHvlIyQc1i', 'xPYlWC7IUh', 'DX6lGnYaoO', 'v27l0V07YH', 'XsFlZl7sIa'
Source: 0.2.rUAE_LPO.com.exe.3946a90.4.raw.unpack, y9Y4ln2t87gEHOfKCO.cs	High entropy of concatenated method names: 'AxaFa12cKu', 'revFOBLcoO', 'ik6FSCIcIh', 'IMnFm4ESfd', 'VHBFiNWDlt', 'KcRS1U1fy5', 'b11SvD1QSk', 'y0uSjWQSTY', 'w6JSP5KwRh', 'we8SVfDuga'
Source: 0.2.rUAE_LPO.com.exe.3946a90.4.raw.unpack, UHXnfBPP32NdH6qI90.cs	High entropy of concatenated method names: 'z83UC7ecxL', 'GGhUOyqxBn', 'WkrUouJvcT', 'qSdUS0HlwN', 'SbsUFLoEoh', 'oiwUmJsjBE', 'KifUiS4N2n', 'hsfUf9V5bs', 'm8bUTZGPql', 'kUyU7aKVLp'
Source: 0.2.rUAE_LPO.com.exe.3946a90.4.raw.unpack, T69rpRnjd8kRs2GVQZ.cs	High entropy of concatenated method names: 'ToString', 'uYs5Lvo5cO', 'l635g6I8Kw', 'IVj5If43W2', 'H2q5WQCnFY', 'IVO5GEmHRr', 'i8p50aGxCa', 'TKR5Zt2g06', 'MCo5yif1Ze', 'Tx35NYqmPX'
Source: 0.2.rUAE_LPO.com.exe.379e790.3.raw.unpack, MainForm.cs	High entropy of concatenated method names: 'YgSHuitkd', 'aiP2N9Y7C', 'gHQx79i6W', 'AGv9PUWi3', 'QMsbTCblb', 'beIGikGSa', 'clTPOt4ON', 'fF0vNYCEL', 'C5TCjFvvv', 'ln3BTm5Rw'
Source: 0.2.rUAE_LPO.com.exe.379e790.3.raw.unpack, at4ONG9F0NYCELN5Tj.cs	High entropy of concatenated method names: 'nVoxarmF975Urj2p8sJ', 'tIta6WmWAkGE6iVCWgt', 'Y8N2DklRel', 'hpreq0m6Xcu1pidWj9b', 'KFC0XvmT5N8D2LR210h', 'a5foommXYpDAHBV6LjL', 'd3wYgimbV84NAc2fo7p', 'ItvPp5mqvV1adE08UOg', 'KA7rbWmJ0EMRNxYE2Vd', 'PPtPBAmQMyT7QpfjJpI'
Source: 0.2.rUAE_LPO.com.exe.278ad74.1.raw.unpack, WTlNonEqlrS.cs	High entropy of concatenated method names: 'RWIUTDDJGmvVUeD', 'DHwRZvzGtdyaOf', 'NVxhYPkjFbHe', 'QkrTDbktNZMNeeJWG', 'ullDtQBniM', 'uYnSlYOLGcD', 'hTHxBxeTyyhQFG', 'GPwCvvvaQvBVarLM', 'YirdoSqTbqrnwm', 'SPWfuVwfHoJf'
Source: 0.2.rUAE_LPO.com.exe.7320000.6.raw.unpack, gBcrXPOXFXIV4tRjmt.cs	High entropy of concatenated method names: 'Dispose', 'rUhKVuZLdR', 'RWp4gdtD7c', 'DTmssul2M2', 'GvHK8XnfBP', 'v2NKzdH6qI', 'ProcessDialogKey', 'R0i4MF5OWH', 'b8N4KRISIn', 'V7w443aXPC'
Source: 0.2.rUAE_LPO.com.exe.7320000.6.raw.unpack, rtDxqSZRhmxyxWM1jr.cs	High entropy of concatenated method names: 'DQKmCKFQuB', 'WI1moCipbE', 'BklmFcssjF', 'eCUF8C1SoV', 'ttYFzs8b2s', 'OOamMCW86k', 'Eo3mK9s66C', 'xCqm4RgD1U', 'IupmwhMqg5', 'dqCm6hx8JU'
Source: 0.2.rUAE_LPO.com.exe.7320000.6.raw.unpack, vaXPCn83dQ8gY8wOjK.cs	High entropy of concatenated method names: 'pY1DKBRsLF', 'fOWDwFSfdY', 'XaaD60l7f9', 'v7oDChlr2d', 'OTADOru55T', 'v9BDStx5ZO', 'XmmDFiL6dk', 'iJ2UjxexDr', 'pktUPoYvNi', 'I5iUVZxdhh'
Source: 0.2.rUAE_LPO.com.exe.7320000.6.raw.unpack, DFSrAf4PGsaxQIaFII.cs	High entropy of concatenated method names: 'TpQxF3BGn', 'TdOJ4VlhD', 'WRHBsp79J', 'jf6eu1e0g', 'HJGErfJlJ', 'Yxak1scfo', 'DaiFK6ptkAga7gOh8h', 'TJO11w1QBDcmifeoqJ', 'BJ8U9LEHi', 'FVvtYjgvv'
Source: 0.2.rUAE_LPO.com.exe.7320000.6.raw.unpack, IvfphO0H1p6GM1BGgc.cs	High entropy of concatenated method names: 'BZTFni49Uw', 'aHVFci59DJ', 'H46F1d289e', 'ToString', 'Y8hFvu3lNH', 'NEdFjDsTjP', 'PVQoUXdSxFl1awXomch', 'ekvf9HdZuy5ALaMUM5G', 'Xer0NDdFSnOfwavssmM'
Source: 0.2.rUAE_LPO.com.exe.7320000.6.raw.unpack, GeeTyhcaukqC48ew3U.cs	High entropy of concatenated method names: 'dHcXTQ1HPI', 'F2iX74yHKS', 'ToString', 'Ri6XCBLg8n', 'gaUXOTNKGs', 'WfxXo3SEG6', 'mOXXSqWgY7', 'USRXFRODlJ', 'ADwXmJU60Q', 'ageXij6KpK'
Source: 0.2.rUAE_LPO.com.exe.7320000.6.raw.unpack, u9uJTJ6I33ofmI2o9H.cs	High entropy of concatenated method names: 'L11KmsZR4W', 'tccKic4bG2', 'c9sKTupYTD', 'MnlK7PqGaa', 'UlGKljFr9Y', 'blnK5t87gE', 'HXNkauEjDbIdNksOQ4', 'V8Ux0mrVBe8pP2uWum', 'SgZKKTH3qn', 'O6XKw3v2Uy'
Source: 0.2.rUAE_LPO.com.exe.7320000.6.raw.unpack, lvgmbkge7XdgNrcn61.cs	High entropy of concatenated method names: 'CdEQB3dMQwqluIKh2CY', 'lBsTAcdIn4ip1f67y71', 'mZJFUKGhjP', 'pkmFD6QRvV', 'IDZFtWRkNe', 'Lug3GbdhK11sGQpqOsn', 'Qf5MyPdO2WL60JZDFyE'
Source: 0.2.rUAE_LPO.com.exe.7320000.6.raw.unpack, kF5OWHV48NRISInv7w.cs	High entropy of concatenated method names: 'rSRU2JVHYZ', 'ENGUgvI6w4', 'yDSUIHC29Q', 'uYbUWqqqC6', 'iavURk1OEZ', 'NgSUGZnnSJ', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.rUAE_LPO.com.exe.7320000.6.raw.unpack, uGaaEuk9RaLkGvlGjF.cs	High entropy of concatenated method names: 'zvrShdSmFv', 'P84SeH1da9', 'OtXoIEqvT0', 'TWvoWEvVPC', 'EKKoGmSa5V', 'Gfmo0GTakH', 'BlwoZYk8WX', 'y3noyZl1js', 'Q9boNAkRqp', 'TkfoYalf1E'
Source: 0.2.rUAE_LPO.com.exe.7320000.6.raw.unpack, IohLxTKwRZmbFlUlDfy.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'qSwtRmfDDI', 'aHMt906o9b', 'dn4tnOv9HI', 'LW3tc98G8j', 'jJtt184S42', 'qyytvw8Z95', 'bVvtjxUxXH'
Source: 0.2.rUAE_LPO.com.exe.7320000.6.raw.unpack, ja00XrikEODt9WNI44.cs	High entropy of concatenated method names: 'VArwaURcZh', 'fEuwC363kj', 'bVPwO97PnS', 'Vgbwowcgny', 'jT7wSNm2Ik', 'nIvwFj261p', 'G1OwmPak6M', 'gLqwiEdYmd', 'AxDwfA7jDp', 'hDmwTIxvfW'
Source: 0.2.rUAE_LPO.com.exe.7320000.6.raw.unpack, EugvXbKMS5ALgobGfc0.cs	High entropy of concatenated method names: 'D9SDbsL9Ql', 'yL2Drpnc68', 'g8aDxniJfI', 'bqsDJqBrAT', 'WZQDhYEEp4', 'YaKDBmmDd0', 'kqKDekvUVg', 'r1pDAFFi5U', 'RO8DEiu3tY', 'n4uDkpgvPn'
Source: 0.2.rUAE_LPO.com.exe.7320000.6.raw.unpack, XE5EaNK4QbMtF8GGVwo.cs	High entropy of concatenated method names: 'E8GtbVUNWK', 'SZGtrY8XoP', 'j4WtxPGvrA', 'qrjRmZn0kys40EYaa5S', 'lebj5qng6aC3Rm3p8MD', 'oy9VX6nbw92Zs4n7LTQ', 'mID2sIn6NNwmBwKK1yY', 'Xlb5bTnEoHKNBk6vMaY'
Source: 0.2.rUAE_LPO.com.exe.7320000.6.raw.unpack, LfpPOSsKSUFq1iX8Nl.cs	High entropy of concatenated method names: 'NVhHAO98ki', 'e0ZHEtnoRh', 'wPIH25joY4', 'AI8Hgiebvl', 'b3iHWZC7DP', 'wLpHGDUIgk', 'QjcHZ5RnSD', 'TU6Hy6SH20', 'lgcHYQFYoA', 'BlkHLOZxXA'
Source: 0.2.rUAE_LPO.com.exe.7320000.6.raw.unpack, VLjh24E9supYTDNnlP.cs	High entropy of concatenated method names: 'WJboJQwBC8', 'j8soBNTq7o', 'rcqoAvUQoX', 'LXXoEX8xrw', 'VRiol5HBCW', 'zoNo5belCP', 'wT6oXTGhx8', 'PPqoU1pcUC', 'kbYoDTVBOJ', 'U65otTB1n7'
Source: 0.2.rUAE_LPO.com.exe.7320000.6.raw.unpack, UsZR4WAuccc4bG2t0V.cs	High entropy of concatenated method names: 'Ia6ORJvRab', 'CyLO9Wx5WQ', 'thpOnVZs7J', 'bM7OcMyIIx', 'eZKO1aNnwO', 'EurOvcMHeU', 'zTtOjTcGDC', 'NVIOPkPSOA', 'VUtOVUl3G5', 'oVaO8PLPk1'
Source: 0.2.rUAE_LPO.com.exe.7320000.6.raw.unpack, OkCM60NmyAtFOQfQUD.cs	High entropy of concatenated method names: 'tbNmbu9pLk', 'wSPmrOju3t', 'E59mx0I7JQ', 'N5OmJE99NZ', 'FxDmhOsHPp', 'dfMmBVWa3E', 'fjMmesLKS5', 'qVDmAa1rea', 'RdMmEBX1h1', 'Hirmk6pLmR'
Source: 0.2.rUAE_LPO.com.exe.7320000.6.raw.unpack, wpaG8yRb7t7ykAyuog.cs	High entropy of concatenated method names: 'FIHlYH9tTF', 'yyglpE3LFS', 'j9alRno07T', 'h2fl9dDCvo', 'StPlgRpJhU', 'jHvlIyQc1i', 'xPYlWC7IUh', 'DX6lGnYaoO', 'v27l0V07YH', 'XsFlZl7sIa'
Source: 0.2.rUAE_LPO.com.exe.7320000.6.raw.unpack, y9Y4ln2t87gEHOfKCO.cs	High entropy of concatenated method names: 'AxaFa12cKu', 'revFOBLcoO', 'ik6FSCIcIh', 'IMnFm4ESfd', 'VHBFiNWDlt', 'KcRS1U1fy5', 'b11SvD1QSk', 'y0uSjWQSTY', 'w6JSP5KwRh', 'we8SVfDuga'
Source: 0.2.rUAE_LPO.com.exe.7320000.6.raw.unpack, UHXnfBPP32NdH6qI90.cs	High entropy of concatenated method names: 'z83UC7ecxL', 'GGhUOyqxBn', 'WkrUouJvcT', 'qSdUS0HlwN', 'SbsUFLoEoh', 'oiwUmJsjBE', 'KifUiS4N2n', 'hsfUf9V5bs', 'm8bUTZGPql', 'kUyU7aKVLp'
Source: 0.2.rUAE_LPO.com.exe.7320000.6.raw.unpack, T69rpRnjd8kRs2GVQZ.cs	High entropy of concatenated method names: 'ToString', 'uYs5Lvo5cO', 'l635g6I8Kw', 'IVj5If43W2', 'H2q5WQCnFY', 'IVO5GEmHRr', 'i8p50aGxCa', 'TKR5Zt2g06', 'MCo5yif1Ze', 'Tx35NYqmPX'
Source: 0.2.rUAE_LPO.com.exe.2796c58.0.raw.unpack, WTlNonEqlrS.cs	High entropy of concatenated method names: 'RWIUTDDJGmvVUeD', 'DHwRZvzGtdyaOf', 'NVxhYPkjFbHe', 'QkrTDbktNZMNeeJWG', 'ullDtQBniM', 'uYnSlYOLGcD', 'hTHxBxeTyyhQFG', 'GPwCvvvaQvBVarLM', 'YirdoSqTbqrnwm', 'SPWfuVwfHoJf'
Source: 12.2.windowsBook.exe.2436d98.1.raw.unpack, WTlNonEqlrS.cs	High entropy of concatenated method names: 'RWIUTDDJGmvVUeD', 'DHwRZvzGtdyaOf', 'NVxhYPkjFbHe', 'QkrTDbktNZMNeeJWG', 'ullDtQBniM', 'uYnSlYOLGcD', 'hTHxBxeTyyhQFG', 'GPwCvvvaQvBVarLM', 'YirdoSqTbqrnwm', 'SPWfuVwfHoJf'
Source: 12.2.windowsBook.exe.242aeb4.0.raw.unpack, WTlNonEqlrS.cs	High entropy of concatenated method names: 'RWIUTDDJGmvVUeD', 'DHwRZvzGtdyaOf', 'NVxhYPkjFbHe', 'QkrTDbktNZMNeeJWG', 'ullDtQBniM', 'uYnSlYOLGcD', 'hTHxBxeTyyhQFG', 'GPwCvvvaQvBVarLM', 'YirdoSqTbqrnwm', 'SPWfuVwfHoJf'

Source: C:\Users\user\Desktop\rUAE_LPO.com.exe

File created: C:\Users\user\AppData\Local\Temp\windowsBook.exe

Jump to dropped file

Boot Survival

Yara detected AsyncRAT

Source: Yara match	File source: 0.2.rUAE_LPO.com.exe.2796c58.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rUAE_LPO.com.exe.278ad74.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.windowsBook.exe.242aeb4.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rUAE_LPO.com.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.windowsBook.exe.2436d98.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.windowsBook.exe.2436d98.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rUAE_LPO.com.exe.2796c58.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rUAE_LPO.com.exe.278ad74.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.windowsBook.exe.242aeb4.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.2105635275.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2058313931.0000000002781000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.3253071159.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2159242218.0000000002421000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rUAE_LPO.com.exe PID: 6368, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rUAE_LPO.com.exe PID: 4796, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: windowsBook.exe PID: 3292, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: windowsBook.exe PID: 6516, type: MEMORYSTR

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "windowsBook" /tr '"C:\Users\user\AppData\Local\Temp\windowsBook.exe"'

Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Jump to behavior

Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: rUAE_LPO.com.exe PID: 6368, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: windowsBook.exe PID: 3292, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: windowsBook.exe PID: 3652, type: MEMORYSTR

Yara detected AsyncRAT

Source: Yara match	File source: 0.2.rUAE_LPO.com.exe.2796c58.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rUAE_LPO.com.exe.278ad74.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.windowsBook.exe.242aeb4.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rUAE_LPO.com.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.windowsBook.exe.2436d98.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.windowsBook.exe.2436d98.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rUAE_LPO.com.exe.2796c58.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rUAE_LPO.com.exe.278ad74.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.windowsBook.exe.242aeb4.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.2105635275.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2058313931.0000000002781000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.3253071159.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2159242218.0000000002421000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rUAE_LPO.com.exe PID: 6368, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rUAE_LPO.com.exe PID: 4796, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: windowsBook.exe PID: 3292, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: windowsBook.exe PID: 6516, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: rUAE_LPO.com.exe, 00000000.00000002.2058313931.0000000002781000.00000004.00000800.00020000.00000000.sdmp, rUAE_LPO.com.exe, 00000005.00000002.2105635275.0000000000402000.00000040.00000400.00020000.00000000.sdmp, windowsBook.exe, 0000000C.00000002.2159242218.0000000002421000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Memory allocated: A00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Memory allocated: 2780000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Memory allocated: 4780000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Memory allocated: 74B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Memory allocated: 84B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Memory allocated: 8660000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Memory allocated: 9660000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Memory allocated: AB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Memory allocated: 2730000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Memory allocated: 4730000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Memory allocated: AA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Memory allocated: 2420000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Memory allocated: 4420000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Memory allocated: 6D70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Memory allocated: 7D70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Memory allocated: 7F10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Memory allocated: 8F10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Memory allocated: 1110000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Memory allocated: 2DA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Memory allocated: 2B50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Memory allocated: 74C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Memory allocated: 84C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Memory allocated: 8650000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Memory allocated: 9650000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Memory allocated: 16B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Memory allocated: 31F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Memory allocated: 16B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Memory allocated: 1190000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Memory allocated: 2C50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Memory allocated: 2950000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Window / User API: threadDelayed 6765			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Window / User API: threadDelayed 3086			Jump to behavior

Source: C:\Users\user\Desktop\rUAE_LPO.com.exe TID: 1988	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rUAE_LPO.com.exe TID: 5356	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe TID: 2300	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe TID: 6412	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe TID: 5488	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe TID: 3376	Thread sleep time: -27670116110564310s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe TID: 1372	Thread sleep count: 6765 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe TID: 1372	Thread sleep count: 3086 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe TID: 6256	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: windowsBook.exe, 0000000C.00000002.2159242218.0000000002421000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: windowsBook.exe, 0000000F.00000002.3250885449.0000000001258000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW(.W
Source: windowsBook.exe, 0000000F.00000002.3258819221.0000000005569000.00000004.00000020.00020000.00000000.sdmp, windowsBook.exe, 0000000F.00000002.3258938130.000000000557B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\rUAE_LPO.com.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\rUAE_LPO.com.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Memory written: C:\Users\user\Desktop\rUAE_LPO.com.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Memory written: C:\Users\user\AppData\Local\Temp\windowsBook.exe base: 400000 value starts with: 4D5A			Jump to behavior

Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Process created: C:\Users\user\Desktop\rUAE_LPO.com.exe "C:\Users\user\Desktop\rUAE_LPO.com.exe"	Jump to behavior
Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Process created: C:\Users\user\Desktop\rUAE_LPO.com.exe "C:\Users\user\Desktop\rUAE_LPO.com.exe"	Jump to behavior
Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Process created: C:\Users\user\Desktop\rUAE_LPO.com.exe "C:\Users\user\Desktop\rUAE_LPO.com.exe"	Jump to behavior
Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "windowsBook" /tr '"C:\Users\user\AppData\Local\Temp\windowsBook.exe"' & exit	Jump to behavior
Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpBE0.tmp.bat""	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "windowsBook" /tr '"C:\Users\user\AppData\Local\Temp\windowsBook.exe"'	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 3	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\windowsBook.exe "C:\Users\user\AppData\Local\Temp\windowsBook.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Process created: C:\Users\user\AppData\Local\Temp\windowsBook.exe "C:\Users\user\AppData\Local\Temp\windowsBook.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Process created: C:\Users\user\AppData\Local\Temp\windowsBook.exe "C:\Users\user\AppData\Local\Temp\windowsBook.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Process created: C:\Users\user\AppData\Local\Temp\windowsBook.exe "C:\Users\user\AppData\Local\Temp\windowsBook.exe"	Jump to behavior

Source: windowsBook.exe, 0000000F.00000002.3253071159.0000000003250000.00000004.00000800.00020000.00000000.sdmp, windowsBook.exe, 0000000F.00000002.3253071159.000000000327F000.00000004.00000800.00020000.00000000.sdmp, windowsBook.exe, 0000000F.00000002.3253071159.0000000003244000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager@\]q
Source: windowsBook.exe, 0000000F.00000002.3253071159.0000000003250000.00000004.00000800.00020000.00000000.sdmp, windowsBook.exe, 0000000F.00000002.3253071159.000000000327F000.00000004.00000800.00020000.00000000.sdmp, windowsBook.exe, 0000000F.00000002.3253071159.0000000003244000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: windowsBook.exe, 0000000F.00000002.3253071159.000000000327F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerTe]qT,(
Source: windowsBook.exe, 0000000F.00000002.3253071159.000000000327F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerTe]q4.(
Source: windowsBook.exe, 0000000F.00000002.3253071159.0000000003250000.00000004.00000800.00020000.00000000.sdmp, windowsBook.exe, 0000000F.00000002.3253071159.000000000327F000.00000004.00000800.00020000.00000000.sdmp, windowsBook.exe, 0000000F.00000002.3253071159.0000000003244000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager@\]q%
Source: windowsBook.exe, 0000000F.00000002.3253071159.0000000003244000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerTe]q`H$
Source: windowsBook.exe, 0000000F.00000002.3253071159.0000000003244000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerTe]q@J$
Source: windowsBook.exe, 0000000F.00000002.3253071159.0000000003250000.00000004.00000800.00020000.00000000.sdmp, windowsBook.exe, 0000000F.00000002.3253071159.0000000003257000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerTe]q
Source: windowsBook.exe, 0000000F.00000002.3253071159.000000000325E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager`,]q

Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Queries volume information: C:\Users\user\Desktop\rUAE_LPO.com.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Queries volume information: C:\Users\user\Desktop\rUAE_LPO.com.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\windowsBook.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\windowsBook.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\windowsBook.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\windowsBook.exe VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\rUAE_LPO.com.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Yara detected AsyncRAT

Source: Yara match	File source: 0.2.rUAE_LPO.com.exe.2796c58.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rUAE_LPO.com.exe.278ad74.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.windowsBook.exe.242aeb4.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rUAE_LPO.com.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.windowsBook.exe.2436d98.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.windowsBook.exe.2436d98.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rUAE_LPO.com.exe.2796c58.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rUAE_LPO.com.exe.278ad74.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.windowsBook.exe.242aeb4.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.2105635275.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2058313931.0000000002781000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.3253071159.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2159242218.0000000002421000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rUAE_LPO.com.exe PID: 6368, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rUAE_LPO.com.exe PID: 4796, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: windowsBook.exe PID: 3292, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: windowsBook.exe PID: 6516, type: MEMORYSTR

Source: windowsBook.exe, 0000000F.00000002.3250885449.0000000001258000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\Desktop\rUAE_LPO.com.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Yara detected PureLog Stealer

Source: Yara match	File source: 0.2.rUAE_LPO.com.exe.379e790.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rUAE_LPO.com.exe.6bd0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rUAE_LPO.com.exe.6bd0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rUAE_LPO.com.exe.379e790.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2066706772.0000000006BD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2058828936.0000000003781000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected PureLog Stealer

Source: Yara match	File source: 0.2.rUAE_LPO.com.exe.379e790.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rUAE_LPO.com.exe.6bd0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rUAE_LPO.com.exe.6bd0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rUAE_LPO.com.exe.379e790.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2066706772.0000000006BD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2058828936.0000000003781000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	1 Windows Management Instrumentation	2 Scheduled Task/Job	112 Process Injection	1 Masquerading	OS Credential Dumping	1 Query Registry	Remote Services	11 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Scheduled Task/Job	1 Scripting	2 Scheduled Task/Job	1 Disable or Modify Tools	LSASS Memory	221 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 DLL Side-Loading	1 DLL Side-Loading	31 Virtualization/Sandbox Evasion	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	112 Process Injection	NTDS	31 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	11 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	121 Obfuscated Files or Information	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	22 Software Packing	DCSync	13 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
rUAE_LPO.com.exe	26%	ReversingLabs	Win32.Dropper.Generic
rUAE_LPO.com.exe	33%	Virustotal		Browse
rUAE_LPO.com.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\windowsBook.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\windowsBook.exe	26%	ReversingLabs	Win32.Dropper.Generic

Source	Detection	Scanner	Label	Link
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
quin.ydns.eu	185.38.142.240	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
quin.ydns.eu	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	rUAE_LPO.com.exe, 00000005.00000002.2106829519.000000000287D000.00000004.00000800.00020000.00000000.sdmp, windowsBook.exe, 0000000F.00000002.3253071159.00000000031F1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.38.142.240	quin.ydns.eu	Portugal		47674	NETSOLUTIONSNL	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1538408
Start date and time:	2024-10-21 08:34:04 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 40s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	19
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	rUAE_LPO.com.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@27/7@2/1
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 99% Number of executed functions: 153 Number of non-executed functions: 7
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 2.19.126.163, 2.19.126.137
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, a767.dspw65.akamai.net, wu-b-net.trafficmanager.net, fe3cr.delivery.mp.microsoft.com, download.windowsupdate.com.edgesuite.net
Execution Graph export aborted for target rUAE_LPO.com.exe, PID 4796 because it is empty
Execution Graph export aborted for target windowsBook.exe, PID 5240 because it is empty
Execution Graph export aborted for target windowsBook.exe, PID 6516 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
02:34:56	API Interceptor	1x Sleep call for process: rUAE_LPO.com.exe modified
02:35:06	API Interceptor	3x Sleep call for process: windowsBook.exe modified
08:35:02	Task Scheduler	Run new task: windowsBook path: "C:\Users\user\AppData\Local\Temp\windowsBook.exe"

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
NETSOLUTIONSNL	A9BripDhRY.lnk	Get hash	malicious	Unknown	Browse	185.38.142.128
	93.123.85.253-bot.armv4l-2024-08-28T17_49_11.elf	Get hash	malicious	Unknown	Browse	188.93.233.79
	a591d3d035cf90395ad1078a415a46b5b44dd813496291b702fe36cfb22dee36_dump.exe	Get hash	malicious	RedLine	Browse	185.38.142.10
	b3u71vBG0u.exe	Get hash	malicious	RedLine	Browse	185.38.142.10
	2MbHBiqXH2.rtf	Get hash	malicious	RedLine	Browse	185.38.142.10
	YPSvIjQCzd.exe	Get hash	malicious	RedLine	Browse	185.38.142.10
	Invoice LGMSCH0040924 Paid - EFT Remittance Advice and Receipt.docx.doc	Get hash	malicious	RedLine	Browse	185.38.142.10
	MSH INV 2024-0117 Secure Payment Invoice for .exe	Get hash	malicious	RedLine	Browse	185.38.142.10
	sclfmLKwR7.elf	Get hash	malicious	Gafgyt, Mirai	Browse	185.38.142.103
	3nYvEPuDi1.elf	Get hash	malicious	Gafgyt, Mirai	Browse	185.38.142.103

Process:	C:\Users\user\AppData\Local\Temp\windowsBook.exe
File Type:	Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
Category:	dropped
Size (bytes):	71954
Entropy (8bit):	7.996617769952133
Encrypted:	true
SSDEEP:	1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
MD5:	49AEBF8CBD62D92AC215B2923FB1B9F5
SHA1:	1723BE06719828DDA65AD804298D0431F6AFF976
SHA-256:	B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
SHA-512:	BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
Malicious:	false
Reputation:	high, very likely benign file
Preview:	MSCF............,...................I..................XaK .authroot.stl.[.i..6..CK..<Tk......4.cl!Kg..E..Y.f_..".$mR"$.J.E.KB."..rKv.."{.g....3.W.....c..9.s...=....y6#..x..........D......\(.#.s.!.A.......cd.c........+^.ov...n.....3BL..0.......BPUR&.X..02.q...R...J.....w.....b.vy>....-.&..(..oe."."...J9...0U.6J..\|U..S.....M.F8g...=.......p...........l.?3.J.x.G.Ep..$g..tj......)v]9(:.)W.8.Op.1Q..:.nPd........7.7..M].V F..g.....12..!7(...B.......h.RZ.......l.<.....6..Z^.`p?... .p.Gp.#.'.X..........\|!.8.....".m.49r?.I...g...8.v.....a``.g.R4.i...J8q....NFW,E.6Y....!.o5%.Y.....R..<..S9....r....WO...(.....F..Q=....-..7d..O(....-..+k.........K..........{Q....Z..j._.E...QZ.~.\.^......N.9.k..O.}dD.b1r...[}/....T..E..G..c.\|.c.&>?..^t. ..;..X.d.E.0G....[Q.,......#.Dp..L.o\|#syc.J............}G-.ou6.=52..XWi=...m.....^u......c..fc?&pR7S5....I...j.G........j.j..Tc.El.....B.pQ.,Bp....j...9g.. >..s..m#.Nb.o_u.M.V...........\#...v..Mo\sF..s....Y...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Users\user\AppData\Local\Temp\windowsBook.exe
File Type:	data
Category:	dropped
Size (bytes):	328
Entropy (8bit):	3.129285522755915
Encrypted:	false
SSDEEP:	6:kKl89UswDLL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:9fDnLNkPlE99SNxAhUe/3
MD5:	5E7C930A7751C6AE8BCD5168A1DA293F
SHA1:	241C8E3E58EB3A719F37EFE6EA824F7BF59F261C
SHA-256:	8C22AFC76C5F954F9F1DE23670754FB6EFE06C6656F8FCE1F7D483FFE4784E59
SHA-512:	D7AEC2C054C5C3ED43578B3DA3EEF3750EE7A6C6128FECD99441ED651518ACCC777DF39256891832486931232055010A48A61873953EBE465216440BF2355448
Malicious:	false
Preview:	p...... ........w!.c.#..(....................................................... ........G..@.......&...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\rUAE_LPO.com.exe.log

Download File

Process:	C:\Users\user\Desktop\rUAE_LPO.com.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1415
Entropy (8bit):	5.352427679901606
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPE4KMRaKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPHKMRatHo6hAH4
MD5:	97AD91F1C1F572C945DA12233082171D
SHA1:	D5E33DDAB37E32E416FC40419FB26B3C0563519D
SHA-256:	3F64591E0447E6F5034BC69A8A8D4C7ED36DAC5FE1E408401AE1B98F0D915F7E
SHA-512:	8FAEED342DADC17571F711DDC1BE67C79A51CA5BD56B5DA13E472ED45FC4EC6F1DC704BA92E81E97F5ECFD73F3D88F9B9CD9AE4EADDF993BFF826627215FBBCE
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Data, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Data\1b8c564fd69668e6e62d136259980d9e\System.Data.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fc

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\windowsBook.exe.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\windowsBook.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1415
Entropy (8bit):	5.352427679901606
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPE4KMRaKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPHKMRatHo6hAH4
MD5:	97AD91F1C1F572C945DA12233082171D
SHA1:	D5E33DDAB37E32E416FC40419FB26B3C0563519D
SHA-256:	3F64591E0447E6F5034BC69A8A8D4C7ED36DAC5FE1E408401AE1B98F0D915F7E
SHA-512:	8FAEED342DADC17571F711DDC1BE67C79A51CA5BD56B5DA13E472ED45FC4EC6F1DC704BA92E81E97F5ECFD73F3D88F9B9CD9AE4EADDF993BFF826627215FBBCE
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Data, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Data\1b8c564fd69668e6e62d136259980d9e\System.Data.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fc

C:\Users\user\AppData\Local\Temp\tmpBE0.tmp.bat

Download File

Process:	C:\Users\user\Desktop\rUAE_LPO.com.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	159
Entropy (8bit):	5.037612088974647
Encrypted:	false
SSDEEP:	3:mKDDCMNqTtvL5oUkh4E2J5xAIhTsmqRDUkh4E2J5xAInTRINOwZPy:hWKqTtT6923fhTsmq1923fThwk
MD5:	2CE42A745584D48542777717D2380C75
SHA1:	F81B8546DF14802D2CC663DE63183D9D37D6FBC0
SHA-256:	B8DF57F8090C0A30B44404209816046D3BE2127DBD20B3A108EC33BD872A11FD
SHA-512:	DA76D47B4F33E5F3CF3E49C8A2B594D529F3E1C62EBB407C5B4092CD446B78D8BA9D2BC31E7A4B07FC123B41EA86666C354D2424A9C6E0761A110BBF0D342677
Malicious:	false
Preview:	@echo off..timeout 3 > NUL..START "" "C:\Users\user\AppData\Local\Temp\windowsBook.exe"..CD C:\Users\user\AppData\Local\Temp\..DEL "tmpBE0.tmp.bat" /f /q..

C:\Users\user\AppData\Local\Temp\windowsBook.exe

Download File

Process:	C:\Users\user\Desktop\rUAE_LPO.com.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	485888
Entropy (8bit):	7.946911188368196
Encrypted:	false
SSDEEP:	12288:EfA3XkhMOoltiJu9IRWU/5fV1NJrazIY:tkh5oDiJuKRWU3U0
MD5:	A305269DB6286FC4DD1D73AC5D2BF208
SHA1:	B8777B46A2B1AE40B8D6FF32CC79174E1E617983
SHA-256:	14995AB5376DCCBA2F4E91E4EFCF09AB18D5645F262EE8CEF70D4DA8B9317699
SHA-512:	D05EA3EA97DFA9001292B3C56DE44A6173405D1A7ADDC5CC08A34CB8B659CF0492DBF3048D59B9132B050187CD9C200CFB9752F3F37CC74CB9C9860AFADAA10E
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 26%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g..............0..J...........h... ........@.. ....................................@.................................5h..O....................................N..T............................................ ............... ..H............text....H... ...J.................. ..`.rsrc................L..............@..@.reloc...............h..............@..B................ih......H.......xV..\|=......4....................................................0............{.....+..&...}.......0............{.....+..&...}.......0............{.....+..&...}.......0............{.....+..&...}.......0............{.....+..&...}.......0............{.....+..&...}....".(.......0..y..........@...%.G...(......~I...%-.&~H.....C...s....%.I...(...+...o.....+ .o........(....r...p(....(.......o....-....,..o ..............A.,m.......0...........(!.............}...

\Device\Null

Download File

Process:	C:\Windows\SysWOW64\timeout.exe
File Type:	ASCII text, with CRLF line terminators, with overstriking
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.41440934524794
Encrypted:	false
SSDEEP:	3:hYFqdLGAR+mQRKVxLZXt0sn:hYFqGaNZKsn
MD5:	3DD7DD37C304E70A7316FE43B69F421F
SHA1:	A3754CFC33E9CA729444A95E95BCB53384CB51E4
SHA-256:	4FA27CE1D904EA973430ADC99062DCF4BAB386A19AB0F8D9A4185FA99067F3AA
SHA-512:	713533E973CF0FD359AC7DB22B1399392C86D9FD1E715248F5724AAFBBF0EEB5EAC0289A0E892167EB559BE976C2AD0A0A0D8EFC407FFAF5B3C3A32AA9A0AAA4
Malicious:	false
Preview:	..Waiting for 3 seconds, press a key to continue ....2.1.0..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.946911188368196
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.79% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Win16/32 Executable Delphi generic (2074/23) 0.01%
File name:	rUAE_LPO.com.exe
File size:	485'888 bytes
MD5:	a305269db6286fc4dd1d73ac5d2bf208
SHA1:	b8777b46a2b1ae40b8d6ff32cc79174e1e617983
SHA256:	14995ab5376dccba2f4e91e4efcf09ab18d5645f262ee8cef70d4da8b9317699
SHA512:	d05ea3ea97dfa9001292b3c56de44a6173405d1a7addc5cc08a34cb8b659cf0492dbf3048d59b9132b050187cd9c200cfb9752f3f37cc74cb9c9860afadaa10e
SSDEEP:	12288:EfA3XkhMOoltiJu9IRWU/5fV1NJrazIY:tkh5oDiJuKRWU3U0
TLSH:	DCA4121371E81F0ECAFB27FAA132286403F3A4560613E94D5CD2A4EB63B7B495684F57
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g..............0..J...........h... ........@.. ....................................@................................

File Icon


Icon Hash:	070b2365ecc8682b

Static PE Info

General

Entrypoint:	0x47688a
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x6715CAA0 [Mon Oct 21 03:29:36 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax], eax
add byte ptr [eax], al
add al, byte ptr [eax]
add byte ptr [eax], al
add eax, dword ptr [eax]
add byte ptr [eax], al
add al, 00h
add byte ptr [eax], al
add eax, 06000000h
add byte ptr [eax], al
add byte ptr [edi], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x76835	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x78000	0x1aac	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x7a000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x74ef4	0x54	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x748b0	0x74a00	1f06a5c222dd9a2bfc0151176c93bd43	False	0.9629199323419079	data	7.958150492671751	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x78000	0x1aac	0x1c00	b4e0f8d91b4cc3f2ebf0dc3ce1fa804f	False	0.8445870535714286	data	7.147413531617353	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x7a000	0xc	0x200	97d47bd1364f94b077aba682e8dd0c1c	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x780c8	0x16a5	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9608418147317578
RT_GROUP_ICON	0x79780	0x14	data	1.05
RT_VERSION	0x797a4	0x304	data	0.44689119170984454

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-21T08:35:14.455430+0200	2842478	ETPRO JA3 Hash - Suspected ASYNCRAT Server Cert (ja3s)	1	185.38.142.240	1962	192.168.2.5	49716	TCP
2024-10-21T08:35:14.455430+0200	2030673	ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)	1	185.38.142.240	1962	192.168.2.5	49716	TCP
2024-10-21T08:35:14.455430+0200	2035595	ET MALWARE Generic AsyncRAT Style SSL Cert	1	185.38.142.240	1962	192.168.2.5	49716	TCP
2024-10-21T08:35:14.455430+0200	2035607	ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)	1	185.38.142.240	1962	192.168.2.5	49716	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 21, 2024 08:35:13.603147984 CEST	49716	1962	192.168.2.5	185.38.142.240
Oct 21, 2024 08:35:13.608052015 CEST	1962	49716	185.38.142.240	192.168.2.5
Oct 21, 2024 08:35:13.608117104 CEST	49716	1962	192.168.2.5	185.38.142.240
Oct 21, 2024 08:35:13.618658066 CEST	49716	1962	192.168.2.5	185.38.142.240
Oct 21, 2024 08:35:13.623486042 CEST	1962	49716	185.38.142.240	192.168.2.5
Oct 21, 2024 08:35:14.443073988 CEST	1962	49716	185.38.142.240	192.168.2.5
Oct 21, 2024 08:35:14.443087101 CEST	1962	49716	185.38.142.240	192.168.2.5
Oct 21, 2024 08:35:14.443161011 CEST	49716	1962	192.168.2.5	185.38.142.240
Oct 21, 2024 08:35:14.450552940 CEST	49716	1962	192.168.2.5	185.38.142.240
Oct 21, 2024 08:35:14.455430031 CEST	1962	49716	185.38.142.240	192.168.2.5
Oct 21, 2024 08:35:14.691627026 CEST	1962	49716	185.38.142.240	192.168.2.5
Oct 21, 2024 08:35:14.767100096 CEST	49716	1962	192.168.2.5	185.38.142.240
Oct 21, 2024 08:35:16.374180079 CEST	49716	1962	192.168.2.5	185.38.142.240
Oct 21, 2024 08:35:16.379071951 CEST	1962	49716	185.38.142.240	192.168.2.5
Oct 21, 2024 08:35:16.379144907 CEST	49716	1962	192.168.2.5	185.38.142.240
Oct 21, 2024 08:35:16.383971930 CEST	1962	49716	185.38.142.240	192.168.2.5
Oct 21, 2024 08:35:26.597493887 CEST	49716	1962	192.168.2.5	185.38.142.240
Oct 21, 2024 08:35:26.602421999 CEST	1962	49716	185.38.142.240	192.168.2.5
Oct 21, 2024 08:35:26.602511883 CEST	49716	1962	192.168.2.5	185.38.142.240
Oct 21, 2024 08:35:26.607391119 CEST	1962	49716	185.38.142.240	192.168.2.5
Oct 21, 2024 08:35:26.842559099 CEST	1962	49716	185.38.142.240	192.168.2.5
Oct 21, 2024 08:35:26.892237902 CEST	49716	1962	192.168.2.5	185.38.142.240
Oct 21, 2024 08:35:26.959393024 CEST	1962	49716	185.38.142.240	192.168.2.5
Oct 21, 2024 08:35:26.966125011 CEST	49716	1962	192.168.2.5	185.38.142.240
Oct 21, 2024 08:35:26.971041918 CEST	1962	49716	185.38.142.240	192.168.2.5
Oct 21, 2024 08:35:26.971112013 CEST	49716	1962	192.168.2.5	185.38.142.240
Oct 21, 2024 08:35:26.976473093 CEST	1962	49716	185.38.142.240	192.168.2.5
Oct 21, 2024 08:35:36.619249105 CEST	1962	49716	185.38.142.240	192.168.2.5
Oct 21, 2024 08:35:36.673500061 CEST	49716	1962	192.168.2.5	185.38.142.240
Oct 21, 2024 08:35:36.736126900 CEST	1962	49716	185.38.142.240	192.168.2.5
Oct 21, 2024 08:35:36.782783031 CEST	49716	1962	192.168.2.5	185.38.142.240
Oct 21, 2024 08:35:36.830113888 CEST	49716	1962	192.168.2.5	185.38.142.240
Oct 21, 2024 08:35:36.835045099 CEST	1962	49716	185.38.142.240	192.168.2.5
Oct 21, 2024 08:35:36.835103989 CEST	49716	1962	192.168.2.5	185.38.142.240
Oct 21, 2024 08:35:36.840009928 CEST	1962	49716	185.38.142.240	192.168.2.5
Oct 21, 2024 08:35:37.078279018 CEST	1962	49716	185.38.142.240	192.168.2.5
Oct 21, 2024 08:35:37.126542091 CEST	49716	1962	192.168.2.5	185.38.142.240
Oct 21, 2024 08:35:37.195297956 CEST	1962	49716	185.38.142.240	192.168.2.5
Oct 21, 2024 08:35:37.196702957 CEST	49716	1962	192.168.2.5	185.38.142.240
Oct 21, 2024 08:35:37.201602936 CEST	1962	49716	185.38.142.240	192.168.2.5
Oct 21, 2024 08:35:37.201684952 CEST	49716	1962	192.168.2.5	185.38.142.240
Oct 21, 2024 08:35:37.206487894 CEST	1962	49716	185.38.142.240	192.168.2.5
Oct 21, 2024 08:35:47.066082001 CEST	49716	1962	192.168.2.5	185.38.142.240
Oct 21, 2024 08:35:47.070899963 CEST	1962	49716	185.38.142.240	192.168.2.5
Oct 21, 2024 08:35:47.070950985 CEST	49716	1962	192.168.2.5	185.38.142.240
Oct 21, 2024 08:35:47.075766087 CEST	1962	49716	185.38.142.240	192.168.2.5
Oct 21, 2024 08:35:47.311606884 CEST	1962	49716	185.38.142.240	192.168.2.5
Oct 21, 2024 08:35:47.360918045 CEST	49716	1962	192.168.2.5	185.38.142.240
Oct 21, 2024 08:35:47.428508997 CEST	1962	49716	185.38.142.240	192.168.2.5
Oct 21, 2024 08:35:47.429743052 CEST	49716	1962	192.168.2.5	185.38.142.240
Oct 21, 2024 08:35:47.434890985 CEST	1962	49716	185.38.142.240	192.168.2.5
Oct 21, 2024 08:35:47.434946060 CEST	49716	1962	192.168.2.5	185.38.142.240
Oct 21, 2024 08:35:47.439944983 CEST	1962	49716	185.38.142.240	192.168.2.5
Oct 21, 2024 08:35:57.299015045 CEST	49716	1962	192.168.2.5	185.38.142.240
Oct 21, 2024 08:35:57.303901911 CEST	1962	49716	185.38.142.240	192.168.2.5
Oct 21, 2024 08:35:57.303987026 CEST	49716	1962	192.168.2.5	185.38.142.240
Oct 21, 2024 08:35:57.308830023 CEST	1962	49716	185.38.142.240	192.168.2.5
Oct 21, 2024 08:35:57.543961048 CEST	1962	49716	185.38.142.240	192.168.2.5
Oct 21, 2024 08:35:57.595304966 CEST	49716	1962	192.168.2.5	185.38.142.240
Oct 21, 2024 08:35:57.660720110 CEST	1962	49716	185.38.142.240	192.168.2.5
Oct 21, 2024 08:35:57.662271023 CEST	49716	1962	192.168.2.5	185.38.142.240
Oct 21, 2024 08:35:57.667077065 CEST	1962	49716	185.38.142.240	192.168.2.5
Oct 21, 2024 08:35:57.667130947 CEST	49716	1962	192.168.2.5	185.38.142.240
Oct 21, 2024 08:35:57.671860933 CEST	1962	49716	185.38.142.240	192.168.2.5
Oct 21, 2024 08:36:06.618539095 CEST	1962	49716	185.38.142.240	192.168.2.5
Oct 21, 2024 08:36:06.673444033 CEST	49716	1962	192.168.2.5	185.38.142.240
Oct 21, 2024 08:36:06.735410929 CEST	1962	49716	185.38.142.240	192.168.2.5
Oct 21, 2024 08:36:06.782809019 CEST	49716	1962	192.168.2.5	185.38.142.240
Oct 21, 2024 08:36:07.543499947 CEST	49716	1962	192.168.2.5	185.38.142.240
Oct 21, 2024 08:36:07.548394918 CEST	1962	49716	185.38.142.240	192.168.2.5
Oct 21, 2024 08:36:07.548449993 CEST	49716	1962	192.168.2.5	185.38.142.240
Oct 21, 2024 08:36:07.553348064 CEST	1962	49716	185.38.142.240	192.168.2.5
Oct 21, 2024 08:36:07.788669109 CEST	1962	49716	185.38.142.240	192.168.2.5
Oct 21, 2024 08:36:07.829722881 CEST	49716	1962	192.168.2.5	185.38.142.240
Oct 21, 2024 08:36:07.905510902 CEST	1962	49716	185.38.142.240	192.168.2.5
Oct 21, 2024 08:36:07.907149076 CEST	49716	1962	192.168.2.5	185.38.142.240
Oct 21, 2024 08:36:07.912103891 CEST	1962	49716	185.38.142.240	192.168.2.5
Oct 21, 2024 08:36:07.912283897 CEST	49716	1962	192.168.2.5	185.38.142.240
Oct 21, 2024 08:36:07.917248011 CEST	1962	49716	185.38.142.240	192.168.2.5
Oct 21, 2024 08:36:17.857688904 CEST	49716	1962	192.168.2.5	185.38.142.240
Oct 21, 2024 08:36:17.862807035 CEST	1962	49716	185.38.142.240	192.168.2.5
Oct 21, 2024 08:36:17.862869978 CEST	49716	1962	192.168.2.5	185.38.142.240
Oct 21, 2024 08:36:17.867729902 CEST	1962	49716	185.38.142.240	192.168.2.5
Oct 21, 2024 08:36:18.104320049 CEST	1962	49716	185.38.142.240	192.168.2.5
Oct 21, 2024 08:36:18.157908916 CEST	49716	1962	192.168.2.5	185.38.142.240
Oct 21, 2024 08:36:18.220969915 CEST	1962	49716	185.38.142.240	192.168.2.5
Oct 21, 2024 08:36:18.223416090 CEST	49716	1962	192.168.2.5	185.38.142.240
Oct 21, 2024 08:36:18.228355885 CEST	1962	49716	185.38.142.240	192.168.2.5
Oct 21, 2024 08:36:18.228450060 CEST	49716	1962	192.168.2.5	185.38.142.240
Oct 21, 2024 08:36:18.233406067 CEST	1962	49716	185.38.142.240	192.168.2.5
Oct 21, 2024 08:36:28.041980982 CEST	49716	1962	192.168.2.5	185.38.142.240
Oct 21, 2024 08:36:28.047224045 CEST	1962	49716	185.38.142.240	192.168.2.5
Oct 21, 2024 08:36:28.047280073 CEST	49716	1962	192.168.2.5	185.38.142.240
Oct 21, 2024 08:36:28.052233934 CEST	1962	49716	185.38.142.240	192.168.2.5
Oct 21, 2024 08:36:28.287336111 CEST	1962	49716	185.38.142.240	192.168.2.5
Oct 21, 2024 08:36:28.329732895 CEST	49716	1962	192.168.2.5	185.38.142.240
Oct 21, 2024 08:36:28.404623032 CEST	1962	49716	185.38.142.240	192.168.2.5
Oct 21, 2024 08:36:28.454772949 CEST	49716	1962	192.168.2.5	185.38.142.240
Oct 21, 2024 08:36:28.609172106 CEST	49716	1962	192.168.2.5	185.38.142.240
Oct 21, 2024 08:36:28.613996029 CEST	1962	49716	185.38.142.240	192.168.2.5
Oct 21, 2024 08:36:28.614044905 CEST	49716	1962	192.168.2.5	185.38.142.240
Oct 21, 2024 08:36:28.618885040 CEST	1962	49716	185.38.142.240	192.168.2.5
Oct 21, 2024 08:36:36.619856119 CEST	1962	49716	185.38.142.240	192.168.2.5
Oct 21, 2024 08:36:36.673485994 CEST	49716	1962	192.168.2.5	185.38.142.240
Oct 21, 2024 08:36:36.736953974 CEST	1962	49716	185.38.142.240	192.168.2.5
Oct 21, 2024 08:36:36.782876968 CEST	49716	1962	192.168.2.5	185.38.142.240
Oct 21, 2024 08:36:38.269442081 CEST	49716	1962	192.168.2.5	185.38.142.240
Oct 21, 2024 08:36:38.274312019 CEST	1962	49716	185.38.142.240	192.168.2.5
Oct 21, 2024 08:36:38.274400949 CEST	49716	1962	192.168.2.5	185.38.142.240
Oct 21, 2024 08:36:38.279431105 CEST	1962	49716	185.38.142.240	192.168.2.5
Oct 21, 2024 08:36:38.514569998 CEST	1962	49716	185.38.142.240	192.168.2.5
Oct 21, 2024 08:36:38.564141989 CEST	49716	1962	192.168.2.5	185.38.142.240
Oct 21, 2024 08:36:38.631417990 CEST	1962	49716	185.38.142.240	192.168.2.5
Oct 21, 2024 08:36:38.674129009 CEST	49716	1962	192.168.2.5	185.38.142.240
Oct 21, 2024 08:36:38.697904110 CEST	49716	1962	192.168.2.5	185.38.142.240
Oct 21, 2024 08:36:38.702833891 CEST	1962	49716	185.38.142.240	192.168.2.5
Oct 21, 2024 08:36:38.702888012 CEST	49716	1962	192.168.2.5	185.38.142.240
Oct 21, 2024 08:36:38.707755089 CEST	1962	49716	185.38.142.240	192.168.2.5
Oct 21, 2024 08:36:48.502553940 CEST	49716	1962	192.168.2.5	185.38.142.240
Oct 21, 2024 08:36:48.507584095 CEST	1962	49716	185.38.142.240	192.168.2.5
Oct 21, 2024 08:36:48.507687092 CEST	49716	1962	192.168.2.5	185.38.142.240
Oct 21, 2024 08:36:48.512443066 CEST	1962	49716	185.38.142.240	192.168.2.5
Oct 21, 2024 08:36:48.747617006 CEST	1962	49716	185.38.142.240	192.168.2.5
Oct 21, 2024 08:36:48.798535109 CEST	49716	1962	192.168.2.5	185.38.142.240
Oct 21, 2024 08:36:48.864598036 CEST	1962	49716	185.38.142.240	192.168.2.5
Oct 21, 2024 08:36:48.866786003 CEST	49716	1962	192.168.2.5	185.38.142.240
Oct 21, 2024 08:36:48.871694088 CEST	1962	49716	185.38.142.240	192.168.2.5
Oct 21, 2024 08:36:48.871787071 CEST	49716	1962	192.168.2.5	185.38.142.240
Oct 21, 2024 08:36:48.876681089 CEST	1962	49716	185.38.142.240	192.168.2.5
Oct 21, 2024 08:36:58.157629013 CEST	49716	1962	192.168.2.5	185.38.142.240
Oct 21, 2024 08:36:58.162617922 CEST	1962	49716	185.38.142.240	192.168.2.5
Oct 21, 2024 08:36:58.167232037 CEST	49716	1962	192.168.2.5	185.38.142.240
Oct 21, 2024 08:36:58.175193071 CEST	1962	49716	185.38.142.240	192.168.2.5
Oct 21, 2024 08:36:58.407535076 CEST	1962	49716	185.38.142.240	192.168.2.5
Oct 21, 2024 08:36:58.454870939 CEST	49716	1962	192.168.2.5	185.38.142.240
Oct 21, 2024 08:36:58.524323940 CEST	1962	49716	185.38.142.240	192.168.2.5
Oct 21, 2024 08:36:58.525156021 CEST	49716	1962	192.168.2.5	185.38.142.240
Oct 21, 2024 08:36:58.530071020 CEST	1962	49716	185.38.142.240	192.168.2.5
Oct 21, 2024 08:36:58.530194044 CEST	49716	1962	192.168.2.5	185.38.142.240
Oct 21, 2024 08:36:58.535104036 CEST	1962	49716	185.38.142.240	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 21, 2024 08:35:13.585401058 CEST	64837	53	192.168.2.5	1.1.1.1
Oct 21, 2024 08:35:13.600521088 CEST	53	64837	1.1.1.1	192.168.2.5
Oct 21, 2024 08:35:26.283344030 CEST	57330	53	192.168.2.5	1.1.1.1
Oct 21, 2024 08:35:26.302964926 CEST	53	57330	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 21, 2024 08:35:13.585401058 CEST	192.168.2.5	1.1.1.1	0x26ef	Standard query (0)	quin.ydns.eu	A (IP address)	IN (0x0001)	false
Oct 21, 2024 08:35:26.283344030 CEST	192.168.2.5	1.1.1.1	0xf232	Standard query (0)	quin.ydns.eu	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 21, 2024 08:35:13.600521088 CEST	1.1.1.1	192.168.2.5	0x26ef	No error (0)	quin.ydns.eu		185.38.142.240	A (IP address)	IN (0x0001)	false
Oct 21, 2024 08:35:26.302964926 CEST	1.1.1.1	192.168.2.5	0xf232	No error (0)	quin.ydns.eu		185.38.142.240	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	02:34:52
Start date:	21/10/2024
Path:	C:\Users\user\Desktop\rUAE_LPO.com.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\rUAE_LPO.com.exe"
Imagebase:	0x380000
File size:	485'888 bytes
MD5 hash:	A305269DB6286FC4DD1D73AC5D2BF208
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.2066706772.0000000006BD0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000000.00000002.2058313931.0000000002781000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Asyncrat_11a11ba1, Description: unknown, Source: 00000000.00000002.2058313931.0000000002781000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000000.00000002.2058313931.0000000002781000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.2058828936.0000000003781000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	02:34:56
Start date:	21/10/2024
Path:	C:\Users\user\Desktop\rUAE_LPO.com.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\rUAE_LPO.com.exe"
Imagebase:	0x220000
File size:	485'888 bytes
MD5 hash:	A305269DB6286FC4DD1D73AC5D2BF208
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	02:34:56
Start date:	21/10/2024
Path:	C:\Users\user\Desktop\rUAE_LPO.com.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\rUAE_LPO.com.exe"
Imagebase:	0xd0000
File size:	485'888 bytes
MD5 hash:	A305269DB6286FC4DD1D73AC5D2BF208
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	02:34:56
Start date:	21/10/2024
Path:	C:\Users\user\Desktop\rUAE_LPO.com.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\rUAE_LPO.com.exe"
Imagebase:	0x540000
File size:	485'888 bytes
MD5 hash:	A305269DB6286FC4DD1D73AC5D2BF208
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000005.00000002.2106829519.0000000002731000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000005.00000002.2106829519.0000000002731000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000005.00000002.2109979474.0000000004EC6000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000005.00000002.2105635275.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000005.00000002.2105635275.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	02:35:01
Start date:	21/10/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "windowsBook" /tr '"C:\Users\user\AppData\Local\Temp\windowsBook.exe"' & exit
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	02:35:01
Start date:	21/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	02:35:01
Start date:	21/10/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpBE0.tmp.bat""
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	02:35:01
Start date:	21/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	02:35:02
Start date:	21/10/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks /create /f /sc onlogon /rl highest /tn "windowsBook" /tr '"C:\Users\user\AppData\Local\Temp\windowsBook.exe"'
Imagebase:	0x380000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	02:35:02
Start date:	21/10/2024
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout 3
Imagebase:	0x580000
File size:	25'088 bytes
MD5 hash:	976566BEEFCCA4A159ECBDB2D4B1A3E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	02:35:02
Start date:	21/10/2024
Path:	C:\Users\user\AppData\Local\Temp\windowsBook.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\windowsBook.exe
Imagebase:	0x110000
File size:	485'888 bytes
MD5 hash:	A305269DB6286FC4DD1D73AC5D2BF208
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 0000000C.00000002.2159242218.0000000002421000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Asyncrat_11a11ba1, Description: unknown, Source: 0000000C.00000002.2159242218.0000000002421000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 0000000C.00000002.2159242218.0000000002421000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 26%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	02:35:05
Start date:	21/10/2024
Path:	C:\Users\user\AppData\Local\Temp\windowsBook.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\windowsBook.exe"
Imagebase:	0x970000
File size:	485'888 bytes
MD5 hash:	A305269DB6286FC4DD1D73AC5D2BF208
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	02:35:07
Start date:	21/10/2024
Path:	C:\Users\user\AppData\Local\Temp\windowsBook.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Temp\windowsBook.exe"
Imagebase:	0x3d0000
File size:	485'888 bytes
MD5 hash:	A305269DB6286FC4DD1D73AC5D2BF208
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	02:35:07
Start date:	21/10/2024
Path:	C:\Users\user\AppData\Local\Temp\windowsBook.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\windowsBook.exe"
Imagebase:	0xce0000
File size:	485'888 bytes
MD5 hash:	A305269DB6286FC4DD1D73AC5D2BF208
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 0000000F.00000002.3250885449.0000000001258000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 0000000F.00000002.3253071159.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 0000000F.00000002.3253071159.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 0000000F.00000002.3253071159.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	17
Start time:	02:35:09
Start date:	21/10/2024
Path:	C:\Users\user\AppData\Local\Temp\windowsBook.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\windowsBook.exe"
Imagebase:	0x7a0000
File size:	485'888 bytes
MD5 hash:	A305269DB6286FC4DD1D73AC5D2BF208
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000011.00000002.2229647139.0000000000C4D000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000011.00000002.2232027757.0000000002C51000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	8.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	3.3%
Total number of Nodes:	209
Total number of Limit Nodes:	9

Executed Functions

Function 06F1A698 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2066950331.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f10000_rUAE_LPO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f07e6d03d4447fe6558ec3a25816f6f65521a95dbc0195585ef1d09705048d7e
Instruction ID: ad67360bc36ce6d45be6e9bd56f2aaa9ec333afb0481ddcbecddc1027478426b
Opcode Fuzzy Hash: f07e6d03d4447fe6558ec3a25816f6f65521a95dbc0195585ef1d09705048d7e
Instruction Fuzzy Hash: 17511871D45219CFEB68CF66C800BE9F7B6BF89300F14C1AAD40DAA255EB705A85CF80

Function 06F1A693 Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2066950331.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f10000_rUAE_LPO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc5dffd210be88dde1feff078b5bc55275dc1c3bd833ed4be04c17d9efa88d07
Instruction ID: 206bab4687686c21c5ef471e2d87e085c5a19b5318f55acbbae80aedfa76f8de
Opcode Fuzzy Hash: bc5dffd210be88dde1feff078b5bc55275dc1c3bd833ed4be04c17d9efa88d07
Instruction Fuzzy Hash: DA512A71D45619CFEB68CF66CC00BE9F7B6BF89300F14C1AAD409AA255EB705A85CF40

Function 00A0D370 Relevance: 6.1, APIs: 4, Instructions: 135
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00A0D3FE
GetCurrentThread.KERNEL32 ref: 00A0D43B
GetCurrentProcess.KERNEL32 ref: 00A0D478
GetCurrentThreadId.KERNEL32 ref: 00A0D4D1

Memory Dump Source

Source File: 00000000.00000002.2057133732.0000000000A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_rUAE_LPO.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 63b3fd66afe6f3446b1ef4c4a7ff84f8a30cdf68be5357cc8e57cb7b4692bab5
Instruction ID: 8354d7efdc9bea0e4797fa8d93a325b039e694d6e0c2012f7100b8c13bb4bd40
Opcode Fuzzy Hash: 63b3fd66afe6f3446b1ef4c4a7ff84f8a30cdf68be5357cc8e57cb7b4692bab5
Instruction Fuzzy Hash: 635168B09003498FDB14DFA9D548B9EBFF1EF89304F248459D409B73A1CB755948CB65

Function 00A0D380 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00A0D3FE
GetCurrentThread.KERNEL32 ref: 00A0D43B
GetCurrentProcess.KERNEL32 ref: 00A0D478
GetCurrentThreadId.KERNEL32 ref: 00A0D4D1

Memory Dump Source

Source File: 00000000.00000002.2057133732.0000000000A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_rUAE_LPO.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 4af41b7bfa75a69a06ad1e2cd70833d2c6da71d366b8bacad45191f1934a68e6
Instruction ID: cf0029f50389d833b01beb9570541ccedb73daad410a699e1aef0f21f7bfec55
Opcode Fuzzy Hash: 4af41b7bfa75a69a06ad1e2cd70833d2c6da71d366b8bacad45191f1934a68e6
Instruction Fuzzy Hash: 415158B09003098FDB14DFAAD548B9EBBF1EF88304F20C459E509B73A1DB75A944CB65

Function 00A044B0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00A059C9

Strings

Xl, xrefs: 00A044B0

Memory Dump Source

Source File: 00000000.00000002.2057133732.0000000000A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_rUAE_LPO.jbxd

Similarity

API ID: Create
String ID: Xl
API String ID: 2289755597-3414348151
Opcode ID: f544b9a11f8f7ef5af1589569b83d7c1186544b7404f107663e0708bd242fdb6
Instruction ID: 6dc23c3f646878c94774fdad16671a89d2defa514765f830c26bc0c9200f4835
Opcode Fuzzy Hash: f544b9a11f8f7ef5af1589569b83d7c1186544b7404f107663e0708bd242fdb6
Instruction Fuzzy Hash: 9A41E3B0D0071DCBDB24DFA9C848B9EBBF5BF49304F20856AD408AB295DB756945CF90

Function 06F194FF Relevance: 1.7, APIs: 1, Instructions: 249
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06F1973E

Memory Dump Source

Source File: 00000000.00000002.2066950331.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f10000_rUAE_LPO.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 52d34d9ec705b4c09a40cc7837147847f64edd95853589efac4f4af55ced4730
Instruction ID: 6d6d9a2eda1f977c35099d5200d3adf81725a6dd5eb0ca8f3a361adfc009596f
Opcode Fuzzy Hash: 52d34d9ec705b4c09a40cc7837147847f64edd95853589efac4f4af55ced4730
Instruction Fuzzy Hash: F7A17D71D00219CFEB54CF68C8517EEBBF2BF45350F1485AAD809AB290DBB49985CF91

Function 06F19508 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06F1973E

Memory Dump Source

Source File: 00000000.00000002.2066950331.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f10000_rUAE_LPO.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 1f802fd8ad1a97c2f3fb0e47e7f6715f519eba556d64c3d6c37d9bff0768e740
Instruction ID: 1edb6265cb1f050a0579a2d7ec4ea90ef8e9b59d8c4599567faf2f2232b9356a
Opcode Fuzzy Hash: 1f802fd8ad1a97c2f3fb0e47e7f6715f519eba556d64c3d6c37d9bff0768e740
Instruction Fuzzy Hash: 97916D71D00219CFEB54CF68C8517EEBBF2BF49354F14856AD809AB280DBB49985CF91

Function 00A0B0E8 Relevance: 1.7, APIs: 1, Instructions: 204
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00A0B33E

Memory Dump Source

Source File: 00000000.00000002.2057133732.0000000000A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_rUAE_LPO.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 373e661a3198d7e45093ec015dbc1df723dc4202640b27088b36e4470d562835
Instruction ID: 76a77c7c927993b29bd701c6e862f1a4fda46b462131d3b570afe1330d29c4a1
Opcode Fuzzy Hash: 373e661a3198d7e45093ec015dbc1df723dc4202640b27088b36e4470d562835
Instruction Fuzzy Hash: 15814670A10B098FD724DF69E65579ABBF1FF88300F108A2DD44AD7A90D734E949CBA1

Function 00A0590C Relevance: 1.6, APIs: 1, Instructions: 98
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00A059C9

Memory Dump Source

Source File: 00000000.00000002.2057133732.0000000000A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_rUAE_LPO.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 2db783f3749ad9a3faaa4e50cda0e7c76dfd9d9f00d80fa7e187571437498d4f
Instruction ID: 453721661c587cd98a113d9b47a735e3411a07d10d9da4ead8d0172b94ad55a5
Opcode Fuzzy Hash: 2db783f3749ad9a3faaa4e50cda0e7c76dfd9d9f00d80fa7e187571437498d4f
Instruction Fuzzy Hash: 3741F4B0D0071DCBDB24DFA9C888B8EBBB5BF49304F20856AD408AB295D7756949CF90

Function 06F1927B Relevance: 1.6, APIs: 1, Instructions: 72
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06F19310

Memory Dump Source

Source File: 00000000.00000002.2066950331.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f10000_rUAE_LPO.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 724472cfcfe024a82a5b4c3292a22c118a390c4ff8ac992cb49c64a2185b6158
Instruction ID: b6ad26ddcabe5cac35cc39eb7759c36dd1b652a0c50b1ffbc905cf19557bdfda
Opcode Fuzzy Hash: 724472cfcfe024a82a5b4c3292a22c118a390c4ff8ac992cb49c64a2185b6158
Instruction Fuzzy Hash: C52126B5D003499FCB10DFA9C885BEEBBF5FF48310F10842AE959A7250C7789955DBA0

Function 06F19280 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06F19310

Memory Dump Source

Source File: 00000000.00000002.2066950331.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f10000_rUAE_LPO.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 47f2c374364fb8ccde90bac57b9770472944a4e9e82288925ea3c40a05bb2f20
Instruction ID: 6967e46f8025df6cb1b31480789daf0af80eaabb3c6a05675d438970d042d53b
Opcode Fuzzy Hash: 47f2c374364fb8ccde90bac57b9770472944a4e9e82288925ea3c40a05bb2f20
Instruction Fuzzy Hash: D7212AB5D003499FCB10DFAAC885BEEBBF5FF48310F10842AE919A7250C7789955DBA4

Function 06F19368 Relevance: 1.6, APIs: 1, Instructions: 68
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06F193F0

Memory Dump Source

Source File: 00000000.00000002.2066950331.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f10000_rUAE_LPO.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 20c650a10cf96944b1c47cd5960fd52585910daa4ce69e6c9577ff021c5b3897
Instruction ID: a7b70e21ad3c9d3cc0fb8e3a161ef3985b55b1ce88d098b59239a5cc210d121a
Opcode Fuzzy Hash: 20c650a10cf96944b1c47cd5960fd52585910daa4ce69e6c9577ff021c5b3897
Instruction Fuzzy Hash: C62148B1C002499FCB14DFAAC881AEEFBF5FF48350F10842AE519A7250C7789941DFA0

Function 06F190E3 Relevance: 1.6, APIs: 1, Instructions: 66
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06F19166

Memory Dump Source

Source File: 00000000.00000002.2066950331.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f10000_rUAE_LPO.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 8d72a5a569c7e87c031c8b27c570efbd1512080af3f7b275d3311f50c528a16b
Instruction ID: 1adf4d97d666a86dfe99d93184bf83bf19a95f6418d29cfabe0eaa2d1478105c
Opcode Fuzzy Hash: 8d72a5a569c7e87c031c8b27c570efbd1512080af3f7b275d3311f50c528a16b
Instruction Fuzzy Hash: 022137B1D002098FDB14DFAAC8857EEBBF4EF89350F10842AD419A7241C7789985CFA1

Function 06F19370 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06F193F0

Memory Dump Source

Source File: 00000000.00000002.2066950331.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f10000_rUAE_LPO.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 439bc88912dbd5826eb6f6f3e3eb7f95ba50c519f0bc2abefee9ea58fba099c0
Instruction ID: 315a78c13d4ae37087f44c8ebb8f3f79612e39a00fdff0b1bc9f0f2e01a37b6a
Opcode Fuzzy Hash: 439bc88912dbd5826eb6f6f3e3eb7f95ba50c519f0bc2abefee9ea58fba099c0
Instruction Fuzzy Hash: FB2118B1C003599FCB10DFAAC885AEEFBF5FF48310F50842AE519A7250C7799945CBA5

Function 06F190E8 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06F19166

Memory Dump Source

Source File: 00000000.00000002.2066950331.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f10000_rUAE_LPO.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 07ee3d32e0b8a5e088768ef680e7cbbde0caf9ec6530ff5cde1e26a47ecef8d4
Instruction ID: 0a2ef53252ecbcf65e283a9d1e94e9644adf26482b5fd4f14301f2c3f0ad506a
Opcode Fuzzy Hash: 07ee3d32e0b8a5e088768ef680e7cbbde0caf9ec6530ff5cde1e26a47ecef8d4
Instruction Fuzzy Hash: 632149B1D003098FDB10DFAAC8857EEBBF4EF49350F108429D519A7240CB789985CFA1

Function 00A0D5C4 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00A0D64F

Memory Dump Source

Source File: 00000000.00000002.2057133732.0000000000A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_rUAE_LPO.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 8821d0134ec3e4e7ca53929f1605c3b9618b380ff1c9d1254a3670575fb9d675
Instruction ID: 4e50125b9b696b1506a595e4c636b0b39ae5655ad9a28b72b4abe1b40cbe176a
Opcode Fuzzy Hash: 8821d0134ec3e4e7ca53929f1605c3b9618b380ff1c9d1254a3670575fb9d675
Instruction Fuzzy Hash: 6021E2B59002499FDB10CFAAD984AEEFBF4FB48310F14841AE918A3350D379A950CFA4

Function 00A0D5C8 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00A0D64F

Memory Dump Source

Source File: 00000000.00000002.2057133732.0000000000A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_rUAE_LPO.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 5c46e08735881fd4b55093570e16667c6bc12b127cbd71a7403d16ca3125143c
Instruction ID: 336b5b4c487e4d4aa16ff811ad1036428fc34cc2fd907a8157254ee2d0320044
Opcode Fuzzy Hash: 5c46e08735881fd4b55093570e16667c6bc12b127cbd71a7403d16ca3125143c
Instruction Fuzzy Hash: 9F21C2B59002499FDB10CFAAD984ADEBBF9FB48310F14841AE918A3350D379A954CFA5

Function 06F191BB Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06F1922E

Memory Dump Source

Source File: 00000000.00000002.2066950331.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f10000_rUAE_LPO.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 679062a68d71d34ee6960c35b9a44cf8b91baa974c26bd98ba5f91f8e4cdfbcf
Instruction ID: 7ec1ee882164cebefe35ca0410868046b8d33ac875da39c709037dd79c114c13
Opcode Fuzzy Hash: 679062a68d71d34ee6960c35b9a44cf8b91baa974c26bd98ba5f91f8e4cdfbcf
Instruction Fuzzy Hash: 581126B58002499FDB10DFAAD845AEFBFF5EF88310F248819E519A7250C7799945CFA0

Function 06F191C0 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06F1922E

Memory Dump Source

Source File: 00000000.00000002.2066950331.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f10000_rUAE_LPO.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 83924112581393a090b09264814681744f1d5e7e98cefff1ccae227a0f973684
Instruction ID: 6eda761d40276a76579ba9ef43fcabff8bceb4965246974ccc213e4c1be79284
Opcode Fuzzy Hash: 83924112581393a090b09264814681744f1d5e7e98cefff1ccae227a0f973684
Instruction Fuzzy Hash: 7F1137758002499FCB10DFAAC844AEFBFF5EF48310F108419E519A7250C779A940CFA0

Function 06F18BFB Relevance: 1.6, APIs: 1, Instructions: 51threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 06F18C62

Memory Dump Source

Source File: 00000000.00000002.2066950331.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f10000_rUAE_LPO.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 23808cece6948829458bcc1b75181b35db0c744fcff198a73698ecdd66c28699
Instruction ID: d808719ae6a6ef7efb8f94a54e9ec718620b489c9a5bf5087bb57cef90dc06f5
Opcode Fuzzy Hash: 23808cece6948829458bcc1b75181b35db0c744fcff198a73698ecdd66c28699
Instruction Fuzzy Hash: 011137B1C002498ECB10DFA9C5456EFFBF5AF89314F24841AD419A7250C6399544CBA0

Function 06F18C00 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 06F18C62

Memory Dump Source

Source File: 00000000.00000002.2066950331.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f10000_rUAE_LPO.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 520772b135a8662ac55ec67c08cbb4b0150c052f7812d99007859ffd068a3913
Instruction ID: f9b818fe55008b1e73952c473d3600b0a7513d67218c4eb87e0fd6bb6f721ea6
Opcode Fuzzy Hash: 520772b135a8662ac55ec67c08cbb4b0150c052f7812d99007859ffd068a3913
Instruction Fuzzy Hash: 431125B1D002498FCB20DFAAC9457AFFBF5EF88324F208419D519A7240CB79A944CBA4

Function 00A0B2D8 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00A0B33E

Memory Dump Source

Source File: 00000000.00000002.2057133732.0000000000A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_rUAE_LPO.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 4f0567580210471ff9ca64eb9985b443b279b88febcceaaf4cfe6bae870d0bd0
Instruction ID: fe216d055a56a2c89d088b2f14d9797612e1cd624eb19de5742fbfdca9a372d0
Opcode Fuzzy Hash: 4f0567580210471ff9ca64eb9985b443b279b88febcceaaf4cfe6bae870d0bd0
Instruction Fuzzy Hash: E11110B6C002498FCB14DF9AD544ADEFBF4EF88310F20841AD529A7640C379A545CFA1

Function 06F17A18 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 06F1B905

Memory Dump Source

Source File: 00000000.00000002.2066950331.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f10000_rUAE_LPO.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 3c2fb0cdbf1ab70d8f0bb642bc5d79ce42b48aadaabadc8dabed7e4691c449e7
Instruction ID: 441277d4236b256e7b94567cbc098a669ebdfb95edcbc0cb812a3331d26c6571
Opcode Fuzzy Hash: 3c2fb0cdbf1ab70d8f0bb642bc5d79ce42b48aadaabadc8dabed7e4691c449e7
Instruction Fuzzy Hash: 8111F5B5800349DFDB10DF9AC845BDEBBF8EB48724F108459E518A7210C379A944CFA1

Function 06F1B8A3 Relevance: 1.5, APIs: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 06F1B905

Memory Dump Source

Source File: 00000000.00000002.2066950331.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f10000_rUAE_LPO.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: f087e05bb1bdf9fdd335ace7ce01d05d1659961844590e3649deb928790404f7
Instruction ID: cae2a11c8777c8ab6f4dc1caca455a3b393f3f452f0cea8c22df70c3ed026026
Opcode Fuzzy Hash: f087e05bb1bdf9fdd335ace7ce01d05d1659961844590e3649deb928790404f7
Instruction Fuzzy Hash: 7911F5B5800349DFCB10DF99D845BDEBFF8EB49324F10845AD559A7250C379A544CFA1

Function 06F1E7F8 Relevance: 1.3, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 06F1E850

Memory Dump Source

Source File: 00000000.00000002.2066950331.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f10000_rUAE_LPO.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 8bb745cfe43dcff997bd0dc033865b55f3d155e0c68424bc8a1be8dfee5073e2
Instruction ID: 3c59dfe89107e4728952cef2eb6013ef419839cff72b69862c0395df8dad15a8
Opcode Fuzzy Hash: 8bb745cfe43dcff997bd0dc033865b55f3d155e0c68424bc8a1be8dfee5073e2
Instruction Fuzzy Hash: C31103B5C002498FCB20DF9AC545BDEBBF4EF48320F10846AD958A7340D738AA44CFA5

Function 009AD3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2056282581.00000000009AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9ad000_rUAE_LPO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72aa2850dbc2d7bf10ee45348999028f8df91b6c19af87faea0bfc9edec586e8
Instruction ID: 7c7f7859851a0d983f187f23ac3dec9d57547cceb6a5bb005d91c03405458d4e
Opcode Fuzzy Hash: 72aa2850dbc2d7bf10ee45348999028f8df91b6c19af87faea0bfc9edec586e8
Instruction Fuzzy Hash: 84210671500204DFDB05DF14D9C4B26BFA9FB99314F20C569D90A0B6A6C33AE856D6E2

Function 009BD0DC Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2056423298.00000000009BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9bd000_rUAE_LPO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a527e53309e99778ca067d7fd32b338e345a6c7e5b7fdc2bc3cf0df585f4d164
Instruction ID: b3e9a4c44126d6d6eb3b033f459660a5f8d638ed3fb7a299c299e706d4b1d511
Opcode Fuzzy Hash: a527e53309e99778ca067d7fd32b338e345a6c7e5b7fdc2bc3cf0df585f4d164
Instruction Fuzzy Hash: 94210775509204DFDB08DF18DAC4B56BF69FB84324F20C96DD9094B356D33BD846CA61

Function 009BD0C8 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2056423298.00000000009BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9bd000_rUAE_LPO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d77bd486632b0fe167bdf555e19d2213ac85900b2d04f533719396a9e803aa3
Instruction ID: 3f78f5c2b02499afdd49c8c789308f3c7c456a06df20085cdf7c12a1c82bcbba
Opcode Fuzzy Hash: 8d77bd486632b0fe167bdf555e19d2213ac85900b2d04f533719396a9e803aa3
Instruction Fuzzy Hash: F721C2711083809FDB06CF14D984711BFB5FB45324F24C5AAD8498B266D33A980ACB61

Function 009AD3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2056282581.00000000009AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9ad000_rUAE_LPO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction ID: 55138a505314da3b2524ae27c4a925fb40b7e580f9ee91a6443ae933b4f1517d
Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction Fuzzy Hash: 46112976404240CFDB02CF00D5C4B16BFB1FB99314F24C6A9D90A0B666C33AD456CBE1

Non-executed Functions

Function 06F1CF98 Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2066950331.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f10000_rUAE_LPO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0077d157c200b16fe798f02ae8217d9fcf1ec532d14ca596ca088b23f6829084
Instruction ID: 0a4a7e2c4020570890e23b8c89cf6393125de279a4d79b7c230ee983640571bc
Opcode Fuzzy Hash: 0077d157c200b16fe798f02ae8217d9fcf1ec532d14ca596ca088b23f6829084
Instruction Fuzzy Hash: 8FC1A931B007048FDB69DB75C960B6EB7FAAF89740F14446DE1569F2A0CB39E902CB52

Function 06F164C0 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2066950331.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f10000_rUAE_LPO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fb0b2d2c46b6c59804c89b8c84247de573050ba65174dbc8a96de6fee5323d3
Instruction ID: db8f1f813355f261537bb6c26e4602a91984b78edddb3eda5eceac54c332210b
Opcode Fuzzy Hash: 3fb0b2d2c46b6c59804c89b8c84247de573050ba65174dbc8a96de6fee5323d3
Instruction Fuzzy Hash: 8AE1F8B4E001598FCB14DFA9C580AAEFBB2FF89305F24C169D814AB35AD731A941CF61

Function 06F183D8 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2066950331.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f10000_rUAE_LPO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8eacac43aa9610329bb1dee04e97ee4dc579b4fcc0a6dc1bcf9f16b36ca03cb
Instruction ID: cdd8df8d8d470b7c9602913e744d1ab02941084793d5f8d81cd6775f44bc7ede
Opcode Fuzzy Hash: d8eacac43aa9610329bb1dee04e97ee4dc579b4fcc0a6dc1bcf9f16b36ca03cb
Instruction Fuzzy Hash: E7E118B4E001598FCB14DFA9C580AAEFBB2FF89345F24C169D815AB356D730A941CFA1

Function 06F18CB0 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2066950331.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f10000_rUAE_LPO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e025df69e0bf7b743e3a527a86ee84ee0f8b2bc79e812632ca0ea61c40684a2f
Instruction ID: bd04488050734a722530516d886d57dc8ee528705a1007c2db2672d38e64ed35
Opcode Fuzzy Hash: e025df69e0bf7b743e3a527a86ee84ee0f8b2bc79e812632ca0ea61c40684a2f
Instruction Fuzzy Hash: 76E12974E002598FCB14DFA9C5809AEFBB2FF89345F24C269D814AB356D731A941CFA1

Function 06F16D30 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2066950331.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f10000_rUAE_LPO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9604013ba7d31cf2b1dbc47e19237b507608220bf223fdc33142c320da9f9b0
Instruction ID: 4aa6a85388ee62839675a5502127c40605eaaeed9ef898d2e4cebafa69b48626
Opcode Fuzzy Hash: c9604013ba7d31cf2b1dbc47e19237b507608220bf223fdc33142c320da9f9b0
Instruction Fuzzy Hash: F6E1FA74E002598FCB14DFA9C9809AEFBB2FF89305F24C269D418AB356D731A941CF61

Function 06F168F8 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2066950331.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f10000_rUAE_LPO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 164650ca03dd00db2c0325dde739b298490051909c042818e152e329f100b692
Instruction ID: 9e87528f89b3d4ff85ae2457833f53d23028cc4a98523b52a264715415c56b24
Opcode Fuzzy Hash: 164650ca03dd00db2c0325dde739b298490051909c042818e152e329f100b692
Instruction Fuzzy Hash: 60E1F8B4E001598FDB14DFA9C580AAEFBB2FF89305F24C169D814AB356D731A941CFA1

Function 00A0DE8C Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2057133732.0000000000A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_rUAE_LPO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60b50c609c42dd41e0f179289bd79f29022a99b27804f623daf697eea8e2e297
Instruction ID: 7ee1bc13db8536be8b8c037c3f923b8b1d3447ca32c98fdcc1c4c3bbabd21b88
Opcode Fuzzy Hash: 60b50c609c42dd41e0f179289bd79f29022a99b27804f623daf697eea8e2e297
Instruction Fuzzy Hash: 1EA15C32E002198FCF19DFB5D94459EB7B2FF88300B25857AE806BB2A5DB35E955CB40

Analysis Process: rUAE_LPO.com.exePID: 4796, Parent PID: 6368COMMON

Executed Functions

Function 00AB0EBC Relevance: 2.7, Strings: 2, Instructions: 156COMMON

Download Yara Rule

Strings

(aq, xrefs: 00AB1192
Te]q, xrefs: 00AB0EED

Memory Dump Source

Source File: 00000005.00000002.2106140917.0000000000AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ab0000_rUAE_LPO.jbxd

Similarity

API ID:
String ID: (aq$Te]q
API String ID: 0-2961548996
Opcode ID: be52e8cb0672826a610552cf0f2f99b148c947f4853720850c23648f26f508fe
Instruction ID: e8005ecd25d2f10f5f86b7c0c0cfb0e99e214dbdf0c248f95fad3a95bddcbcef
Opcode Fuzzy Hash: be52e8cb0672826a610552cf0f2f99b148c947f4853720850c23648f26f508fe
Instruction Fuzzy Hash: EB518D35B001149FCB54DF6DC458A9EBBF6FF89700F2581A9E806DB3A6CA75DC028B80

Function 00AB0D20 Relevance: 2.6, Strings: 2, Instructions: 137COMMON

Download Yara Rule

Strings

dLcq, xrefs: 00AB0D5B
Haq, xrefs: 00AB0E40

Memory Dump Source

Source File: 00000005.00000002.2106140917.0000000000AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ab0000_rUAE_LPO.jbxd

Similarity

API ID:
String ID: Haq$dLcq
API String ID: 0-1713614415
Opcode ID: 54d55606955079237628ff7de1d2c7339409365908a040276c5f1b964f112d6b
Instruction ID: 3d5009b6475b28d17431181591b2fdc74d7b056ce95f780181573e9384de7f1e
Opcode Fuzzy Hash: 54d55606955079237628ff7de1d2c7339409365908a040276c5f1b964f112d6b
Instruction Fuzzy Hash: 8041DF35A042448FDB19DF78D494A9EBFF6BF89300F1489AAE405DB3A2CA75DC05CB91

Function 00AB1339 Relevance: 1.4, Strings: 1, Instructions: 118COMMON

Download Yara Rule

Strings

LR]q, xrefs: 00AB138B

Memory Dump Source

Source File: 00000005.00000002.2106140917.0000000000AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ab0000_rUAE_LPO.jbxd

Similarity

API ID:
String ID: LR]q
API String ID: 0-3081347316
Opcode ID: d900679b3c3f3b30a9cef5934cc8852f4385cb3e25c0f6ff66ff70c50aac5d3f
Instruction ID: 922ddba7e9a2272ee632ba6104bc8a34c5197fd08851be4b0cf7fb6b3327a693
Opcode Fuzzy Hash: d900679b3c3f3b30a9cef5934cc8852f4385cb3e25c0f6ff66ff70c50aac5d3f
Instruction Fuzzy Hash: C031F334F002558FDB549B7894659AE7BF6EFC9310B14416DD50ADB396EE348C028792

Function 00AB0D10 Relevance: 1.3, Strings: 1, Instructions: 90COMMON

Download Yara Rule

Strings

dLcq, xrefs: 00AB0D5B

Memory Dump Source

Source File: 00000005.00000002.2106140917.0000000000AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ab0000_rUAE_LPO.jbxd

Similarity

API ID:
String ID: dLcq
API String ID: 0-2236789282
Opcode ID: 403e008b9e0133c91974ec925c4c7b2002e27e4d854aa6b6c7e225802b755f0a
Instruction ID: c3924f53033fa5ab3d6a3f4fe8fe0634b01ecf6bb0e8df9fae95adc3c9bd7a67
Opcode Fuzzy Hash: 403e008b9e0133c91974ec925c4c7b2002e27e4d854aa6b6c7e225802b755f0a
Instruction Fuzzy Hash: B8317E35A002048FDB19DF69C598BAEBBF6BF88300F148569D402AB7A1CB75ED45CB91

Function 00AB0E3F Relevance: 1.3, Strings: 1, Instructions: 47COMMON

Download Yara Rule

Strings

Haq, xrefs: 00AB0E40

Memory Dump Source

Source File: 00000005.00000002.2106140917.0000000000AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ab0000_rUAE_LPO.jbxd

Similarity

API ID:
String ID: Haq
API String ID: 0-725504367
Opcode ID: 819fc75fa7f5639d3ad74cc62482ccd258d65d23b4ac75ae1c4650f68cf0ada7
Instruction ID: b9a7fa64490ef7eb7baff9bfa23203cec57fda3f9c62d6658cef921a4dd336dd
Opcode Fuzzy Hash: 819fc75fa7f5639d3ad74cc62482ccd258d65d23b4ac75ae1c4650f68cf0ada7
Instruction Fuzzy Hash: 4E01F42570C2900FC756973D586586E2FE7AFCA21031A48FAD549CB3A3CD288C0B8352

Function 00AB1C94 Relevance: .4, Instructions: 442COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2106140917.0000000000AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ab0000_rUAE_LPO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcce1b07dc7a131691580433d21906c4181fbd136dfaf857bd90832cddffea53
Instruction ID: 9c40720514a3feb8ec59b2a94d19e632b7547b1693013b76554b679280db624a
Opcode Fuzzy Hash: bcce1b07dc7a131691580433d21906c4181fbd136dfaf857bd90832cddffea53
Instruction Fuzzy Hash: E7C12A347002048FCB48EF78D594AAD77F6EF88715F218569E8069B3A6CB75DC42CB51

Function 00AB1EAC Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2106140917.0000000000AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ab0000_rUAE_LPO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d284fc29fc01c6acefc0ff685f6edffd25d511e641af67ef6e62fba07622fca7
Instruction ID: e5d0a58eaddebb8c424e6753c56c25b085bc3e3e51634e0de17fa650a3eb0553
Opcode Fuzzy Hash: d284fc29fc01c6acefc0ff685f6edffd25d511e641af67ef6e62fba07622fca7
Instruction Fuzzy Hash: 226129347002018FCB48EF68D594AAD77F6EF88715B218469E90ADB3B6CB75EC42CB51

Function 00AB0AA0 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2106140917.0000000000AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ab0000_rUAE_LPO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0de95a6383da9f160027ba656c97742b022ae7d79385fde355ca6da6a65312c
Instruction ID: a4e35b887a3ca573d6e96137eba3e35ccf583a7334843cbefbabfe593248c0c8
Opcode Fuzzy Hash: d0de95a6383da9f160027ba656c97742b022ae7d79385fde355ca6da6a65312c
Instruction Fuzzy Hash: 2051D738600201CFE72BEF78F9489497776FF8430A750C669D4068B26DEB79A946CF80

Function 00AB11D0 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2106140917.0000000000AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ab0000_rUAE_LPO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c18ac3c19df3a24ddce0ab4cf9de942bff7a79210b764470d3135fdb27ec6ed
Instruction ID: 150afdcbdcef337c83c700229cbbba578a0cd045399b6d2fa70180335bf78b2c
Opcode Fuzzy Hash: 0c18ac3c19df3a24ddce0ab4cf9de942bff7a79210b764470d3135fdb27ec6ed
Instruction Fuzzy Hash: 6E418F71E00209AFCB04EFB995546AEFFFAEFC8300F248569D449D7346EA3499428B91

Function 00AB1030 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2106140917.0000000000AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ab0000_rUAE_LPO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70a3ad0a2f1bfc60c54448ee968bac66fb98d2b9d91712b1524a9fc27ad0e7d1
Instruction ID: c58be350061c718bf6fd2eed15425212adbecee7ebbd09e9d300c39e2b220cee
Opcode Fuzzy Hash: 70a3ad0a2f1bfc60c54448ee968bac66fb98d2b9d91712b1524a9fc27ad0e7d1
Instruction Fuzzy Hash: FB212D35B001049FD714DFA8C5A5BAE7BF6BF88710F248554E505AB3A6DB719D41CB80

Function 00AB0998 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2106140917.0000000000AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ab0000_rUAE_LPO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0cea9366778c70607e3eeff1b673d268b10b50a2fa73874d8dc63455a8655fc
Instruction ID: fc5c92b24cef801c5d4b2e8bd91b6262cbe98dd10d3454093c0c1c771edf19cd
Opcode Fuzzy Hash: a0cea9366778c70607e3eeff1b673d268b10b50a2fa73874d8dc63455a8655fc
Instruction Fuzzy Hash: DA215030B043029FEB64ABB5D958AAF7BB9AF14382B15882DD407C2193EB70C941DB51

Function 00AB09A8 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2106140917.0000000000AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ab0000_rUAE_LPO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a78598ebf881939a9b9b6080ee888475c9d9768f82fe204d0559f37ad4198b2
Instruction ID: 7aa9b0aea13c5ae6553d623772c467f772c3f279b86957ec26cd73fc46a2f068
Opcode Fuzzy Hash: 6a78598ebf881939a9b9b6080ee888475c9d9768f82fe204d0559f37ad4198b2
Instruction Fuzzy Hash: CF218130B003039FEB64ABB5E918AAF7ABCAF10781B10482DD407C6193EE70C942DB52

Function 00AB1431 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2106140917.0000000000AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ab0000_rUAE_LPO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c755babbf46440a62ce7a43943088bc01aaa514a289eba35af1347b02bb408df
Instruction ID: 157a2c57cf2dd99af00aaad3f723012496a69255907476cb45193aedf9d90562
Opcode Fuzzy Hash: c755babbf46440a62ce7a43943088bc01aaa514a289eba35af1347b02bb408df
Instruction Fuzzy Hash: 4111ACB4A00245DFCB65EBB8D5145AA7FFABF8930531188B9D409CB355EA349C52CB81

Function 00AB1440 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2106140917.0000000000AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ab0000_rUAE_LPO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9118db646b8e49b5cf12a710a119bbbad93230573eb434340e1da1e8ce8ab441
Instruction ID: 4a1e89a313a3a3459568ad2170385ef2150dffa0ba31ba0f729cf017fbf6c46e
Opcode Fuzzy Hash: 9118db646b8e49b5cf12a710a119bbbad93230573eb434340e1da1e8ce8ab441
Instruction Fuzzy Hash: 4E11ADB0B00205DFCB54EBB9D41466A7BFAFF8830676048B8D40ACB355EA34DC42CB90

Function 00AB2200 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2106140917.0000000000AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ab0000_rUAE_LPO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d2750fdb3cb7ec4d70d2c85b8035a32665b012f6a2cbaccbbb46891a77f083b
Instruction ID: b4d7c79bd8922d662c0730389921aae0e90a67d4e64dc18abfc1dd3ffac94e67
Opcode Fuzzy Hash: 6d2750fdb3cb7ec4d70d2c85b8035a32665b012f6a2cbaccbbb46891a77f083b
Instruction Fuzzy Hash: 45E0923570869A0FD7169678A911B5E3FD15FC7204F5500ADD841CF6E3CA658C054792

Function 00AB0E80 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2106140917.0000000000AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ab0000_rUAE_LPO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7790b546d89ed092fec611ae14a078de04742e6e529e6777ad38f94fae550dc
Instruction ID: e5afb7107da15fe71a1f804b1567f7412c2badb1c71174bbe6eac472a3c25acf
Opcode Fuzzy Hash: c7790b546d89ed092fec611ae14a078de04742e6e529e6777ad38f94fae550dc
Instruction Fuzzy Hash: 22E08C313001005F83449A7EA88885AB7EBEBC822531544BAE10EC7321CE61DC024790

Function 00AB2195 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2106140917.0000000000AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ab0000_rUAE_LPO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e6b5452852823a080bceb0568f15d946c81fbaf2d11e0c52946318f0ce3d482
Instruction ID: 8e41c19fc624ba3ebb34cb003c7333f2aaa5dd405ed8745e3f4a54181a559bc5
Opcode Fuzzy Hash: 5e6b5452852823a080bceb0568f15d946c81fbaf2d11e0c52946318f0ce3d482
Instruction Fuzzy Hash: EBE09B306447918EDB35D278D0153DE7FE29F81314F00096DD18657582CBBBB50583A2

Function 00AB2210 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2106140917.0000000000AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ab0000_rUAE_LPO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fecb41ed4254af85df79de8e1c733a984600825731397d1edde63e832915f4cf
Instruction ID: ac68c7b9052bd0d2513d985597f1e22929ab49ff9a7d24a49466f2968aec2b21
Opcode Fuzzy Hash: fecb41ed4254af85df79de8e1c733a984600825731397d1edde63e832915f4cf
Instruction Fuzzy Hash: CFD0A9327000249FCA04BAFDE4058AE37DAAFCAA107A000A9E109DF3A9CE25EC0113C6

Analysis Process: windowsBook.exePID: 3292, Parent PID: 1068COMMON

Execution Graph

Execution Coverage:	7.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	77
Total number of Limit Nodes:	4

Executed Functions

Function 00AAD370 Relevance: 6.1, APIs: 4, Instructions: 135
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00AAD3FE
GetCurrentThread.KERNEL32 ref: 00AAD43B
GetCurrentProcess.KERNEL32 ref: 00AAD478
GetCurrentThreadId.KERNEL32 ref: 00AAD4D1

Memory Dump Source

Source File: 0000000C.00000002.2158769259.0000000000AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_aa0000_windowsBook.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 5b19b5632d66fff13657aabf21766538e67f979dbe39684dc8122e6a562772c9
Instruction ID: d030d351ab7a01ffa332952d25250dc60de635d28e1f37abb362a4f6b2f3a7c4
Opcode Fuzzy Hash: 5b19b5632d66fff13657aabf21766538e67f979dbe39684dc8122e6a562772c9
Instruction Fuzzy Hash: 135146B09003498FDB14DFA9D548BAEBBF1FF49304F208469D059A7391D778A984CF65

Function 00AAD380 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00AAD3FE
GetCurrentThread.KERNEL32 ref: 00AAD43B
GetCurrentProcess.KERNEL32 ref: 00AAD478
GetCurrentThreadId.KERNEL32 ref: 00AAD4D1

Memory Dump Source

Source File: 0000000C.00000002.2158769259.0000000000AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_aa0000_windowsBook.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: a39449cc1c170282a4995e3d7354ae61f46539302b6de9d5219ea244cdb94b14
Instruction ID: c76e9d6a6acc9ec59b3a41f9d9ac9b4997bf56aebdd29ba0f08808a90f0a1b01
Opcode Fuzzy Hash: a39449cc1c170282a4995e3d7354ae61f46539302b6de9d5219ea244cdb94b14
Instruction Fuzzy Hash: 625145B09003098FDB14EFA9D548BAEBBF1EF49304F20846DE049A7390D779A944CB65

Function 00AAB0E8 Relevance: 1.7, APIs: 1, Instructions: 204
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00AAB33E

Memory Dump Source

Source File: 0000000C.00000002.2158769259.0000000000AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_aa0000_windowsBook.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 143391e43f1498701e755614a3b315305f4d925e64d0842dcf45677599e04315
Instruction ID: c5bf0776e61ae3f6f550293b7550d61e02f2f1b5e337cad15502df1a78186907
Opcode Fuzzy Hash: 143391e43f1498701e755614a3b315305f4d925e64d0842dcf45677599e04315
Instruction Fuzzy Hash: 3E815870A00B058FDB64DF69D55579ABBF1FF89300F008A2DD48AD7A91D735E849CBA0

Function 00AA590C Relevance: 1.6, APIs: 1, Instructions: 98
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00AA59C9

Memory Dump Source

Source File: 0000000C.00000002.2158769259.0000000000AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_aa0000_windowsBook.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 59f519f99a1753696540a4a43933820723a275008ca66e81ca238b465eb237a2
Instruction ID: fb5d8205cb99190546f98fb68915994ccea75ab0797a0fe6cc8ed9b55c1b2e85
Opcode Fuzzy Hash: 59f519f99a1753696540a4a43933820723a275008ca66e81ca238b465eb237a2
Instruction Fuzzy Hash: FF41E2B0D00719CBDB24DFA9C885BDEBBF1BF49304F20816AD408AB255DB75694ACF90

Function 00AA44B0 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00AA59C9

Memory Dump Source

Source File: 0000000C.00000002.2158769259.0000000000AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_aa0000_windowsBook.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 0f20a1cc8ae7c11964876af4c6e99b09822432f521f9024c107281a0845e5950
Instruction ID: 136e2b99bf9561446b9f968dfc65bd9db9817e28a0c696935a863ea575023f80
Opcode Fuzzy Hash: 0f20a1cc8ae7c11964876af4c6e99b09822432f521f9024c107281a0845e5950
Instruction Fuzzy Hash: 8641F2B0C0071DCBDB24DFA9C888B9EBBF5BF49304F20806AD408AB251DB756946CF90

Function 00AAD5C2 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00AAD64F

Memory Dump Source

Source File: 0000000C.00000002.2158769259.0000000000AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_aa0000_windowsBook.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 89fb99cc5c821655dc150defd4ccd3702c0c2bcb28a20de122f4a8ae948044bc
Instruction ID: aa3fd6ef102eeceff54017647c9ce0798cd5a5c67b30a66cdba796a73a02ca0f
Opcode Fuzzy Hash: 89fb99cc5c821655dc150defd4ccd3702c0c2bcb28a20de122f4a8ae948044bc
Instruction Fuzzy Hash: 5F21E2B5900248AFDB10CFAAD584ADEFBF4FB48320F14841AE958A7350D378A940CFA5

Function 00AAD5C8 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00AAD64F

Memory Dump Source

Source File: 0000000C.00000002.2158769259.0000000000AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_aa0000_windowsBook.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 8ec5c8d75fdfeaec7768d8d1b27687e45c09186ef152d1b47f367e864fa0f5c5
Instruction ID: e3c6df26eeebcc6381e84e201b6bcc30438f429573ed51b923b8b14fd954f46a
Opcode Fuzzy Hash: 8ec5c8d75fdfeaec7768d8d1b27687e45c09186ef152d1b47f367e864fa0f5c5
Instruction Fuzzy Hash: 7121D3B59002489FDB10CFAAD984ADEFFF9FB48310F14841AE959A3350D378A954CFA5

Function 00AAB2D8 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00AAB33E

Memory Dump Source

Source File: 0000000C.00000002.2158769259.0000000000AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_aa0000_windowsBook.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: dd7fef8b078907ea562d501de8883435c2751442d65c1e3f7ccd79b20f9e2a78
Instruction ID: 9ec76f22a3507b60fb79967a0f6573f2b15b13abbe5feccff74cd9313d4b5e26
Opcode Fuzzy Hash: dd7fef8b078907ea562d501de8883435c2751442d65c1e3f7ccd79b20f9e2a78
Instruction Fuzzy Hash: 26111DB6C002498FCB10CF9AC444BDEFBF8EF89320F10842AD929A7640C379A545CFA1

Function 0093D1FC Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2158526115.000000000093D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0093D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_93d000_windowsBook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 909753e0ac574f38fbbdd04a873ab2259b9865737d98e5e9a9dbb830a0c83538
Instruction ID: e57fce72f4f93dcf95c765e9eee3c68d621bfda1d645b4f387196bdce4b0dc8a
Opcode Fuzzy Hash: 909753e0ac574f38fbbdd04a873ab2259b9865737d98e5e9a9dbb830a0c83538
Instruction Fuzzy Hash: FB21FF72504200DFDB05DF54E9D0B2BBFA9FB88310F20C5A9E9190A256C33AD816DBA2

Function 0094D0DC Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2158574972.000000000094D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0094D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_94d000_windowsBook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0fe5b98a8d824755a48390fac560fefdddec67dd16fcfb267a0c9e50af36513
Instruction ID: 8e7178a6b893313ee3d33c05d4da5199711e65617ed51f06a9dc791dd38094b4
Opcode Fuzzy Hash: f0fe5b98a8d824755a48390fac560fefdddec67dd16fcfb267a0c9e50af36513
Instruction Fuzzy Hash: C9210479508204DFDB09DF24D9C4F26BB69FB88314F20C96DED094B396C33AD846CAA1

Function 0094D0C3 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2158574972.000000000094D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0094D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_94d000_windowsBook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25405ef5bfa473fcd003cebc1a6624bb567b28c9a4be7a6028d39182d45d88cf
Instruction ID: 4c86a0726b5a4d6ba937dc65a82416363b52fc12ea8a45340cf5758d0dbb80c9
Opcode Fuzzy Hash: 25405ef5bfa473fcd003cebc1a6624bb567b28c9a4be7a6028d39182d45d88cf
Instruction Fuzzy Hash: 3221B075408380DFDB06CF24D984B11BFB5FB4A314F24C5EAD8498F266C33A9816CB62

Function 0093D1F7 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2158526115.000000000093D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0093D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_93d000_windowsBook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d06fae078f3ccc2112caf8552f6b645ede566e603d6c7b0d9faf10800b04cc1c
Instruction ID: bb016b08e225314baf0323bf654d689597fceaceb199c3cfd70271817c70f2ab
Opcode Fuzzy Hash: d06fae078f3ccc2112caf8552f6b645ede566e603d6c7b0d9faf10800b04cc1c
Instruction Fuzzy Hash: 81219D76504240DFDB06CF50D9C4B16BF72FB88314F24C5A9DD490A656C33AD82ACFA2

Analysis Process: windowsBook.exePID: 3652, Parent PID: 6616COMMON

Execution Graph

Execution Coverage:	8.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	170
Total number of Limit Nodes:	12

Executed Functions

Function 0111D370 Relevance: 6.1, APIs: 4, Instructions: 132
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0111D3FE
GetCurrentThread.KERNEL32 ref: 0111D43B
GetCurrentProcess.KERNEL32 ref: 0111D478
GetCurrentThreadId.KERNEL32 ref: 0111D4D1

Memory Dump Source

Source File: 0000000D.00000002.2187754155.0000000001110000.00000040.00000800.00020000.00000000.sdmp, Offset: 01110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1110000_windowsBook.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: cce8aa37b8519967a765e1f2ec4efbe6722b77830bd52d6612eb1f82268674ac
Instruction ID: cfcffa13c3a33976c50e637df5a9e71732215e1d6e360843b7fb18ded4d4be82
Opcode Fuzzy Hash: cce8aa37b8519967a765e1f2ec4efbe6722b77830bd52d6612eb1f82268674ac
Instruction Fuzzy Hash: 0B5165B09006498FDB18DFA9D588BEEBBF1EF48304F20C569E019A7790D738A944CF65

Function 0111D380 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0111D3FE
GetCurrentThread.KERNEL32 ref: 0111D43B
GetCurrentProcess.KERNEL32 ref: 0111D478
GetCurrentThreadId.KERNEL32 ref: 0111D4D1

Memory Dump Source

Source File: 0000000D.00000002.2187754155.0000000001110000.00000040.00000800.00020000.00000000.sdmp, Offset: 01110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1110000_windowsBook.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 79396497bef45ad11b506c51ff8b856a6d9a23c110a6dd97a269905ef25e511a
Instruction ID: 39058368311e058ba660c996461ea635b3a4045d5d2cd37bf683bb60957e9e37
Opcode Fuzzy Hash: 79396497bef45ad11b506c51ff8b856a6d9a23c110a6dd97a269905ef25e511a
Instruction Fuzzy Hash: 465167B09006498FDB18DFAAD588BEEBBF1EF48304F20C569D109A7794D738A944CF65

Function 073294FF Relevance: 1.7, APIs: 1, Instructions: 249
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0732973E

Memory Dump Source

Source File: 0000000D.00000002.2195308593.0000000007320000.00000040.00000800.00020000.00000000.sdmp, Offset: 07320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7320000_windowsBook.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: b1e92dcdd7f216a23f9463b8e3a88b3d36c64a49d9425c00965f3ce659a2de32
Instruction ID: 25334cfe76c3e6dafb5d8a55c8766d29ca472f96a62c76f8f617a7a7df748823
Opcode Fuzzy Hash: b1e92dcdd7f216a23f9463b8e3a88b3d36c64a49d9425c00965f3ce659a2de32
Instruction Fuzzy Hash: 99A129B1D0022ACFEB14DF68C8417EDBBB2BF44314F1485AAD819B7250DB74A986DF91

Function 07329508 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0732973E

Memory Dump Source

Source File: 0000000D.00000002.2195308593.0000000007320000.00000040.00000800.00020000.00000000.sdmp, Offset: 07320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7320000_windowsBook.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 5b19ab28e95034a627f173c9f8a6616b728a52ddc74fa05d60ae71ed549970e6
Instruction ID: 318ef98c5075313925dd1a7420f6c2f358f757531bdb699f6a3f9dcad22d938d
Opcode Fuzzy Hash: 5b19ab28e95034a627f173c9f8a6616b728a52ddc74fa05d60ae71ed549970e6
Instruction Fuzzy Hash: 0F912AB1D0022ACFEB14DF68C8417EDBBB2BF44314F1485A9D819B7250DB74A986DF91

Function 0111B0E8 Relevance: 1.7, APIs: 1, Instructions: 198
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0111B33E

Memory Dump Source

Source File: 0000000D.00000002.2187754155.0000000001110000.00000040.00000800.00020000.00000000.sdmp, Offset: 01110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1110000_windowsBook.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 76ebe84f8045535849a87802772534f5759fc092f1a39f6c9407e624b3b364d9
Instruction ID: 010e0b98eee034555033b49af2f69be7e7920d200aa4fe16fa3a9628df58b4ae
Opcode Fuzzy Hash: 76ebe84f8045535849a87802772534f5759fc092f1a39f6c9407e624b3b364d9
Instruction Fuzzy Hash: 22714570A04B458FDB28DF6AE44479ABBF1FF88304F008A2DD48AD7A54D734E849CB94

Function 01115A84 Relevance: 1.6, APIs: 1, Instructions: 102
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000D.00000002.2187754155.0000000001110000.00000040.00000800.00020000.00000000.sdmp, Offset: 01110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1110000_windowsBook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 234f2beb07767398775f80ca676e9c9c8afaca330d64ac7c13700453f6fc4b75
Instruction ID: abe37c30a29aca45a6bfc4cce064ffc979ada6376e2941646e336c07d0f93100
Opcode Fuzzy Hash: 234f2beb07767398775f80ca676e9c9c8afaca330d64ac7c13700453f6fc4b75
Instruction Fuzzy Hash: A341227180474DCEDB5ACFA8C8446ADFFB2EF87314F14429AC055AB29AD7355846CB42

Function 011144B0 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 011159C9

Memory Dump Source

Source File: 0000000D.00000002.2187754155.0000000001110000.00000040.00000800.00020000.00000000.sdmp, Offset: 01110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1110000_windowsBook.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: e7b3b3e09f3c5e776af9c0856113c0965c724a26a7c35452432748182b397ffe
Instruction ID: 8172e3fc6fa92606e8a5360993795114d1f5079c8e0e63fb547c5274509b9b82
Opcode Fuzzy Hash: e7b3b3e09f3c5e776af9c0856113c0965c724a26a7c35452432748182b397ffe
Instruction Fuzzy Hash: 0F41D2B1C0071DCBDB28DFA9C884B9DBBB6BF89304F20806AD409AB255DB756945CF91

Function 0111590C Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 011159C9

Memory Dump Source

Source File: 0000000D.00000002.2187754155.0000000001110000.00000040.00000800.00020000.00000000.sdmp, Offset: 01110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1110000_windowsBook.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 94ca43973cef7a69eb4fc73bdfa12829195eb7567ac77895e86feba38abd64b4
Instruction ID: b6c613366cceb847b4db496b453dd5d639185d1e825a2129ba9e732ad21303d7
Opcode Fuzzy Hash: 94ca43973cef7a69eb4fc73bdfa12829195eb7567ac77895e86feba38abd64b4
Instruction Fuzzy Hash: 9141F4B1C00719CBDB28CFA9C884B9DBBF6BF49304F24806AD409AB255D7756946CF91

Function 07329278 Relevance: 1.6, APIs: 1, Instructions: 73
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07329310

Memory Dump Source

Source File: 0000000D.00000002.2195308593.0000000007320000.00000040.00000800.00020000.00000000.sdmp, Offset: 07320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7320000_windowsBook.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 649318e8a9de19ef44b4cc251667d6c170f602fd258e3eeed5357c668d713c2a
Instruction ID: 2d5eeceecd602f49dc3c3636d217ba268998a18706575d1464d88537b0a3e59b
Opcode Fuzzy Hash: 649318e8a9de19ef44b4cc251667d6c170f602fd258e3eeed5357c668d713c2a
Instruction Fuzzy Hash: E02157B19003599FCB10CFA9C881BEEBFF1FF48310F10842AE959A7241C7789945CBA0

Function 07329280 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07329310

Memory Dump Source

Source File: 0000000D.00000002.2195308593.0000000007320000.00000040.00000800.00020000.00000000.sdmp, Offset: 07320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7320000_windowsBook.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 4145c509f496156d679c83527ea9ae38ebf48e0eada7776fe48d7fc8a32760cb
Instruction ID: d6e5c0d79c7b728f23d210fd053d001e150882eb2bb98f4adc3775cf84304ea8
Opcode Fuzzy Hash: 4145c509f496156d679c83527ea9ae38ebf48e0eada7776fe48d7fc8a32760cb
Instruction Fuzzy Hash: 2A213BB5D003599FDB10DFA9C885BDEBBF5FF48314F108429E919A7240C778A945DBA0

Function 07329368 Relevance: 1.6, APIs: 1, Instructions: 68
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 073293F0

Memory Dump Source

Source File: 0000000D.00000002.2195308593.0000000007320000.00000040.00000800.00020000.00000000.sdmp, Offset: 07320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7320000_windowsBook.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 11ab15342bb2d6c7cefe101d37cf1eb1064352e91efd3801e69d507643cbc0eb
Instruction ID: 46266a46e3f17397a9dea400f6c8a774ab25596dbd9807f7382b9d8ca88e9f19
Opcode Fuzzy Hash: 11ab15342bb2d6c7cefe101d37cf1eb1064352e91efd3801e69d507643cbc0eb
Instruction Fuzzy Hash: 012136B1C00259DFCB10DFAAC881AEEBBF5FF88310F10842AE959A7250C7399545DFA0

Function 073290E0 Relevance: 1.6, APIs: 1, Instructions: 67
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07329166

Memory Dump Source

Source File: 0000000D.00000002.2195308593.0000000007320000.00000040.00000800.00020000.00000000.sdmp, Offset: 07320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7320000_windowsBook.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 0bbcf268055fb25c1aa84bfb971b70da476c2242abf7bd414120c4d1460aabaa
Instruction ID: d4c466085aefcb3273271be9ffc40ae699f98cfe2b6eff33fa0691a4f27c345e
Opcode Fuzzy Hash: 0bbcf268055fb25c1aa84bfb971b70da476c2242abf7bd414120c4d1460aabaa
Instruction Fuzzy Hash: 5F2125B1D002198FDB10DFAAC8857EEBFF4EF89314F14842AD459A7241C778A945CFA0

Function 0111D5C2 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0111D64F

Memory Dump Source

Source File: 0000000D.00000002.2187754155.0000000001110000.00000040.00000800.00020000.00000000.sdmp, Offset: 01110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1110000_windowsBook.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 6a8ea402082a223e794a12bb9c42d9179a5c5643128da865372292622aa0702a
Instruction ID: 68bea3f977d2ab2c3b6553c8ad152ca4d704fb781e156a5a0b3c7e454b34557c
Opcode Fuzzy Hash: 6a8ea402082a223e794a12bb9c42d9179a5c5643128da865372292622aa0702a
Instruction Fuzzy Hash: 8121E3B59002489FDB10CFAAD984AEEFFF5EB48310F14845AE918A3210D378A944CF60

Function 07329370 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 073293F0

Memory Dump Source

Source File: 0000000D.00000002.2195308593.0000000007320000.00000040.00000800.00020000.00000000.sdmp, Offset: 07320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7320000_windowsBook.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: d7cc07935ae7f047c9e5ef15382d7f6c5108e47f2e073d28f60666479ee87ff6
Instruction ID: df9f556d7aa35935dfc38fdb9485b64e367f5169e374d2f047966c9c174d72df
Opcode Fuzzy Hash: d7cc07935ae7f047c9e5ef15382d7f6c5108e47f2e073d28f60666479ee87ff6
Instruction Fuzzy Hash: 9A2137B1C003599FDB10DFAAC884AEEFBF5FF48310F10842AE519A7240C738A945DBA0

Function 073290E8 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07329166

Memory Dump Source

Source File: 0000000D.00000002.2195308593.0000000007320000.00000040.00000800.00020000.00000000.sdmp, Offset: 07320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7320000_windowsBook.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: e66578b65c470808e78e1c8a8f98d23c02c73644ebee654aebd233e22bcadf02
Instruction ID: 00b930a1b2b8425c5c4fa3370d97e8a98ac0f1c285441f377a2cdddf3c76329b
Opcode Fuzzy Hash: e66578b65c470808e78e1c8a8f98d23c02c73644ebee654aebd233e22bcadf02
Instruction Fuzzy Hash: 1F2115B1D002198FDB10DFAAC885BEEBBF4EF49314F14842AD519A7240DB78A945CFA1

Function 0111D5C8 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0111D64F

Memory Dump Source

Source File: 0000000D.00000002.2187754155.0000000001110000.00000040.00000800.00020000.00000000.sdmp, Offset: 01110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1110000_windowsBook.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 051911c6c543e4dfc72e7495b098a1def0525058bf55dbd2ee98a643a4dfae2c
Instruction ID: 3c892471a7aa256bf392b426c07f8739ccb08ded5e4b0a0164eb984a6063b5e8
Opcode Fuzzy Hash: 051911c6c543e4dfc72e7495b098a1def0525058bf55dbd2ee98a643a4dfae2c
Instruction Fuzzy Hash: 7021F3B59002489FDB10CFAAD984ADEFFF8FB48310F14841AE918A3310D378A944CFA4

Function 073291B8 Relevance: 1.6, APIs: 1, Instructions: 56memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0732922E

Memory Dump Source

Source File: 0000000D.00000002.2195308593.0000000007320000.00000040.00000800.00020000.00000000.sdmp, Offset: 07320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7320000_windowsBook.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: ae60368dc52faa78f3e8d1c6a66729e957c92c3979d8fad0525cca37a050a606
Instruction ID: 3d477f8fd78ed048ab029b467df476dc38392ab0b4fbc52d206fb7a3fa68f66f
Opcode Fuzzy Hash: ae60368dc52faa78f3e8d1c6a66729e957c92c3979d8fad0525cca37a050a606
Instruction Fuzzy Hash: 231159B18002499FDB10DFA9C844BEEBFF5EF88314F24881AE519A7250C779A545CFA0

Function 073291C0 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0732922E

Memory Dump Source

Source File: 0000000D.00000002.2195308593.0000000007320000.00000040.00000800.00020000.00000000.sdmp, Offset: 07320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7320000_windowsBook.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 023351364fb685bb798b6900119e222b05d989aa5dcfe333519d6aa8c84b3445
Instruction ID: cbcd09c9d23468fb2295d2f443269acb11d0a26c428d495589869b90015c2fb8
Opcode Fuzzy Hash: 023351364fb685bb798b6900119e222b05d989aa5dcfe333519d6aa8c84b3445
Instruction Fuzzy Hash: 071137B58002499FDB10DFAAC844BEEBFF5EF48314F108819E519A7250C779A545CFA0

Function 07328BF8 Relevance: 1.6, APIs: 1, Instructions: 52threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 07328C62

Memory Dump Source

Source File: 0000000D.00000002.2195308593.0000000007320000.00000040.00000800.00020000.00000000.sdmp, Offset: 07320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7320000_windowsBook.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: b976c36420356c25d8d69a68336dd07f3ffa6ad1e9daefd54bef8c3a189f7b4a
Instruction ID: 5d403ada71d3e93761b84fd4ab0a71de504a013b8587bb6fca65c24eef1504fd
Opcode Fuzzy Hash: b976c36420356c25d8d69a68336dd07f3ffa6ad1e9daefd54bef8c3a189f7b4a
Instruction Fuzzy Hash: 671146B1C003598EDB20DFAAC4457EEFFF5EF89314F24845AC45AA7250CB39A945CBA0

Function 07328C00 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 07328C62

Memory Dump Source

Source File: 0000000D.00000002.2195308593.0000000007320000.00000040.00000800.00020000.00000000.sdmp, Offset: 07320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7320000_windowsBook.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 61d5573539b68ab7bd253ae62d1f22521f42cc4aa5278b94d93612c1442694ab
Instruction ID: f9d5f268a4dbc094919fe70ab15d7e247d1e2bec54ed66b25874b2143288c660
Opcode Fuzzy Hash: 61d5573539b68ab7bd253ae62d1f22521f42cc4aa5278b94d93612c1442694ab
Instruction Fuzzy Hash: 021128B19003598FDB10DFAAC4457EEFBF5EF88314F208419D519A7250CB79A545CBA4

Function 0111B2D8 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0111B33E

Memory Dump Source

Source File: 0000000D.00000002.2187754155.0000000001110000.00000040.00000800.00020000.00000000.sdmp, Offset: 01110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1110000_windowsBook.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: d6798380d8fc951796d21a901a54ee1c3bae4318ec231d7ca791e1c813c3460e
Instruction ID: 2cf5917a316a25bb26ed171d390f825b88e8b837373e9be4c5594bfa8436d308
Opcode Fuzzy Hash: d6798380d8fc951796d21a901a54ee1c3bae4318ec231d7ca791e1c813c3460e
Instruction Fuzzy Hash: 511110B6C042498FDB14CF9AD444ADEFBF4EF88314F10846AD919A7200C379A545CFA5

Function 0732B7A0 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 0732B805

Memory Dump Source

Source File: 0000000D.00000002.2195308593.0000000007320000.00000040.00000800.00020000.00000000.sdmp, Offset: 07320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7320000_windowsBook.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 24a71b07f90e8a7fc7f068d7db52976c726e9a8422a77ea7332e9447f2b22cdd
Instruction ID: c4db0e64ed606be47bc2aa71078fe2e2350db1f75a74dd8d01de5de786ce83bf
Opcode Fuzzy Hash: 24a71b07f90e8a7fc7f068d7db52976c726e9a8422a77ea7332e9447f2b22cdd
Instruction Fuzzy Hash: 7D1113B58003999FDB10CF99C884BDEFFF8EB49324F20845AD458A7250C379A544CFA1

Function 07327988 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 0732B805

Memory Dump Source

Source File: 0000000D.00000002.2195308593.0000000007320000.00000040.00000800.00020000.00000000.sdmp, Offset: 07320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7320000_windowsBook.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 178e09da4d2278dc09c0e02ff327248e97fcf8e7f0f9b61531fa08637f956501
Instruction ID: 9a23c65cb59685df22fa51fdfe451bd5cb9348c066c7025076b85c44c395e685
Opcode Fuzzy Hash: 178e09da4d2278dc09c0e02ff327248e97fcf8e7f0f9b61531fa08637f956501
Instruction Fuzzy Hash: 7011F2B58003599FDB10DF9AC888BDEFBF8EB48714F108859E518A7600D379A944CFA1

Function 0732E288 Relevance: 1.3, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 0732E2E0

Memory Dump Source

Source File: 0000000D.00000002.2195308593.0000000007320000.00000040.00000800.00020000.00000000.sdmp, Offset: 07320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7320000_windowsBook.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 14029e5a9fb1fd800d136a7de262af1a6584b6bcbc636c7286c23947451b54e1
Instruction ID: a4fcf4fa9e16382e4afbea78f39076f7e61cfe31f794f4dc8b7bd599179369b5
Opcode Fuzzy Hash: 14029e5a9fb1fd800d136a7de262af1a6584b6bcbc636c7286c23947451b54e1
Instruction Fuzzy Hash: 4E1133B68003598FDB20DF9AC449BDEBBF4EB48320F20845AD959A7240D738A544CFA5

Function 00FBD1FC Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2186661774.0000000000FBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_fbd000_windowsBook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 242dad83448913a0f481b2f7f9314a13fc174f8823af3351ef68eccffdeea501
Instruction ID: a3e0176586a03851d0ae218658fbdb654bd32e4aca24b0317244302c77bd57c1
Opcode Fuzzy Hash: 242dad83448913a0f481b2f7f9314a13fc174f8823af3351ef68eccffdeea501
Instruction Fuzzy Hash: BD210376904280DFCB05DF55D9C0B66BF65FB88320F20C569ED090B256D33AD816EFA2

Function 010CD0DC Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2187538590.00000000010CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_10cd000_windowsBook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 114b1c459b1329dfb2fb54c8a5f41fe3997ff320e0d4102c216a813e5876c132
Instruction ID: 93be55e90ade7a471ed8106343fad9a09a465b7e984f56c48b00fe84052af0fa
Opcode Fuzzy Hash: 114b1c459b1329dfb2fb54c8a5f41fe3997ff320e0d4102c216a813e5876c132
Instruction Fuzzy Hash: 0521D371504204AFDB05DF58D980B1ABBA5EB84714F24C5BDED494B256C33AD446CBA1

Function 010CD0C3 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2187538590.00000000010CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_10cd000_windowsBook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25405ef5bfa473fcd003cebc1a6624bb567b28c9a4be7a6028d39182d45d88cf
Instruction ID: b99bbd2fe6ba09eda623140ab464daeeae0b9306d262b22ae9b5c00be775a469
Opcode Fuzzy Hash: 25405ef5bfa473fcd003cebc1a6624bb567b28c9a4be7a6028d39182d45d88cf
Instruction Fuzzy Hash: FE21A1754083809FDB02CF54D984715BFB1FB86214F24C5EAD8498F267C33A9816CBA2

Function 00FBD1F7 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2186661774.0000000000FBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_fbd000_windowsBook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d06fae078f3ccc2112caf8552f6b645ede566e603d6c7b0d9faf10800b04cc1c
Instruction ID: db019bba9ca5ed0c1f483c84729dcbc0ea21a616db9d93fb605f0e5979fae70e
Opcode Fuzzy Hash: d06fae078f3ccc2112caf8552f6b645ede566e603d6c7b0d9faf10800b04cc1c
Instruction Fuzzy Hash: 20219076904280DFDB06CF50D9C4B56BF61FB84324F24C5A9DD490A656C336D416DFA2

Analysis Process: windowsBook.exePID: 6516, Parent PID: 3292COMMON

Executed Functions

Function 017563D8 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3252391904.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1750000_windowsBook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c55236b6befd8aeacd49ecb0738e9011069437207ecea5ac42c3bc3de817f45
Instruction ID: 484508507650fd179bc1150a716f283e2c8e1fbbe1ae6ad1fc144ba59bdf0f8f
Opcode Fuzzy Hash: 5c55236b6befd8aeacd49ecb0738e9011069437207ecea5ac42c3bc3de817f45
Instruction Fuzzy Hash: 10B16D70E00209CFDF50CFA9C98579DFBF2AF88314F548529E819A7294EBB49946CF91

Function 01756CA8 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3252391904.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1750000_windowsBook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0db2d47c7178568f63fa25e54fa1abb6aeeea61724534d808dfda3e8842e528
Instruction ID: 94721ddf15413a588507442c8e5894c1c3d6f5232dcfe42f8219c45df9619f4b
Opcode Fuzzy Hash: a0db2d47c7178568f63fa25e54fa1abb6aeeea61724534d808dfda3e8842e528
Instruction Fuzzy Hash: 27B14D70E002098FDF50CFA9C98579DFBF2BF88714F548529E815AB294EBB49885CB81

Function 0175236F Relevance: 5.4, Strings: 4, Instructions: 448COMMON

Download Yara Rule

Strings

a]q, xrefs: 01752984
xaq, xrefs: 017529BE
a]q, xrefs: 01752927
,, xrefs: 017524B8

Memory Dump Source

Source File: 0000000F.00000002.3252391904.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1750000_windowsBook.jbxd

Similarity

API ID:
String ID: a]q$ a]q$,$xaq
API String ID: 0-452644037
Opcode ID: bed9a008737f10a1ba0129b7d931439c833ede74825ad3398c5be2aacdb48f1b
Instruction ID: 7966ac483a8ca3fef26b01c71b81ae755653ca3b090510f9b2caafdae19dea8c
Opcode Fuzzy Hash: bed9a008737f10a1ba0129b7d931439c833ede74825ad3398c5be2aacdb48f1b
Instruction Fuzzy Hash: 2D029C30700205DFC715DF29D594B29BBE2FF94314F108A68D8169B3A6DFB5AD86CB81

Function 017525AA Relevance: 3.9, Strings: 3, Instructions: 183COMMON

Download Yara Rule

Strings

a]q, xrefs: 01752984
xaq, xrefs: 017529BE
a]q, xrefs: 01752927

Memory Dump Source

Source File: 0000000F.00000002.3252391904.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1750000_windowsBook.jbxd

Similarity

API ID:
String ID: a]q$ a]q$xaq
API String ID: 0-315583803
Opcode ID: d02175c87dde71e5edd8e6ceb6950bbabaa7c97a224a2661b4bac27f02868714
Instruction ID: 6922674b859bd113a179c5fbb75e7531bb72060c37cedcf2f801294535f9a44d
Opcode Fuzzy Hash: d02175c87dde71e5edd8e6ceb6950bbabaa7c97a224a2661b4bac27f02868714
Instruction Fuzzy Hash: C5619E707402049FC715EF29E448B6ABBE2FF94714F108A68D9069F3A5DFB5AD46CB80

Function 01750EBC Relevance: 2.7, Strings: 2, Instructions: 160COMMON

Download Yara Rule

Strings

(aq, xrefs: 01751192
Te]q, xrefs: 01750EED

Memory Dump Source

Source File: 0000000F.00000002.3252391904.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1750000_windowsBook.jbxd

Similarity

API ID:
String ID: (aq$Te]q
API String ID: 0-2961548996
Opcode ID: 62e79c8d53e1c35adb1a85fc6cf8dd6b65ba21ece1677784a6e82f428b2204ee
Instruction ID: 82b3bdbaaabbe9c5049e47344e1c6ef5e02f43af410c4f7590d29be7c04e02b4
Opcode Fuzzy Hash: 62e79c8d53e1c35adb1a85fc6cf8dd6b65ba21ece1677784a6e82f428b2204ee
Instruction Fuzzy Hash: 5E516930B102148FCB54DF69C458A6EBBF2FF89710F2581A9E806DB3A5DA75DC028B90

Function 01750D20 Relevance: 2.6, Strings: 2, Instructions: 133COMMON

Download Yara Rule

Strings

dLcq, xrefs: 01750D5B
Haq, xrefs: 01750E40

Memory Dump Source

Source File: 0000000F.00000002.3252391904.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1750000_windowsBook.jbxd

Similarity

API ID:
String ID: Haq$dLcq
API String ID: 0-1713614415
Opcode ID: f9d4c54b1c5ed8bb2af355e56c0f0413fdd38a722fdd077493ffef60681b1ec0
Instruction ID: 8bd38e3c6d74d3e327bfb83ceeb3888375888de7abe366e7345ce902b4df965e
Opcode Fuzzy Hash: f9d4c54b1c5ed8bb2af355e56c0f0413fdd38a722fdd077493ffef60681b1ec0
Instruction Fuzzy Hash: 4841BD317002048FDB19DF69D454AAEBBF6EF89300F2484AAE505DB3A1CB75DD05CB90

Function 01759958 Relevance: 2.6, Strings: 2, Instructions: 111COMMON

Download Yara Rule

Strings

$]q, xrefs: 01759997
$]q, xrefs: 0175998D

Memory Dump Source

Source File: 0000000F.00000002.3252391904.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1750000_windowsBook.jbxd

Similarity

API ID:
String ID: $]q$$]q
API String ID: 0-127220927
Opcode ID: 69fd141c1f566c86d9995dd72113d5cb48afbcac211c31b7817bcfc9c73d6a47
Instruction ID: bcfe7fb3b039de2e0fadd5ab6d90c7585a1469d4b28f98a540769074e9afac6a
Opcode Fuzzy Hash: 69fd141c1f566c86d9995dd72113d5cb48afbcac211c31b7817bcfc9c73d6a47
Instruction Fuzzy Hash: AE416B70708401DBDB986F699098429FBB7FFC47097388894F6468B359CF729D12CBA2

Function 0175A1B8 Relevance: 1.5, Strings: 1, Instructions: 213COMMON

Download Yara Rule

Strings

xaq, xrefs: 0175A4FE

Memory Dump Source

Source File: 0000000F.00000002.3252391904.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1750000_windowsBook.jbxd

Similarity

API ID:
String ID: xaq
API String ID: 0-793007810
Opcode ID: c07cc5a60580f3700e7f1b33747472c40876e9f7023e5ca757f0dfd4c5499c05
Instruction ID: 97aa2e5fb97655846384979c31f876718bc2a122e541aab5b3c18ebc642420bb
Opcode Fuzzy Hash: c07cc5a60580f3700e7f1b33747472c40876e9f7023e5ca757f0dfd4c5499c05
Instruction Fuzzy Hash: 28917EB0A00281DFD765EF29F40CB147BA1F7B5B18F144639C8188BA99DFF49A45CB92

Function 01759E90 Relevance: 1.4, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

Te]q, xrefs: 01759F2E

Memory Dump Source

Source File: 0000000F.00000002.3252391904.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1750000_windowsBook.jbxd

Similarity

API ID:
String ID: Te]q
API String ID: 0-52440209
Opcode ID: 34f6f783b83c161d6eb1e5074cc2d236226b1419da77460f1f5b1a01d8016fd8
Instruction ID: 251b2d557f64aef014a219598bf979beea9b1bf0b41cc3cedfe6f67688718a68
Opcode Fuzzy Hash: 34f6f783b83c161d6eb1e5074cc2d236226b1419da77460f1f5b1a01d8016fd8
Instruction Fuzzy Hash: 33516A70640605DFE754DF6AC858B69BBB1FF88714F204269E912AB3F1CBB5AC81CB40

Function 01751339 Relevance: 1.4, Strings: 1, Instructions: 120COMMON

Download Yara Rule

Strings

LR]q, xrefs: 0175138B

Memory Dump Source

Source File: 0000000F.00000002.3252391904.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1750000_windowsBook.jbxd

Similarity

API ID:
String ID: LR]q
API String ID: 0-3081347316
Opcode ID: 0aaf0551df552735d5f0c134eed46fa7fd90393486b03c7e2ccf01b64759f30b
Instruction ID: 4e4435f31ac7bd0274041bf13482cd0760ef5e4ae9fcd8df13dbc537bb3e0ba5
Opcode Fuzzy Hash: 0aaf0551df552735d5f0c134eed46fa7fd90393486b03c7e2ccf01b64759f30b
Instruction Fuzzy Hash: 3E412334F002068FCB45DB7C946066EBBF6EFC9215B1405A9D90ADB3A6DE74CC02C781

Function 01759941 Relevance: 1.4, Strings: 1, Instructions: 111COMMON

Download Yara Rule

Strings

$]q, xrefs: 0175998D

Memory Dump Source

Source File: 0000000F.00000002.3252391904.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1750000_windowsBook.jbxd

Similarity

API ID:
String ID: $]q
API String ID: 0-1007455737
Opcode ID: fa798d203f1c47b687a27e64d284eb8bc6c134df5db24e8adb1e2e0d2f83ae17
Instruction ID: ab93a37e802c988eddfdb6cb629d7d2e6542adafe15b235de7fa08bf6a193f0c
Opcode Fuzzy Hash: fa798d203f1c47b687a27e64d284eb8bc6c134df5db24e8adb1e2e0d2f83ae17
Instruction Fuzzy Hash: 1241DD70608541DBCB895F699098029FB77FFC470973C8899E6428B35ACF729D13CBA2

Function 01750D10 Relevance: 1.3, Strings: 1, Instructions: 89COMMON

Download Yara Rule

Strings

dLcq, xrefs: 01750D5B

Memory Dump Source

Source File: 0000000F.00000002.3252391904.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1750000_windowsBook.jbxd

Similarity

API ID:
String ID: dLcq
API String ID: 0-2236789282
Opcode ID: 76d1a1ba5f4ff6725aa2f3dda1f8e2d654f58fc93440d35f24af4b5c5189a31a
Instruction ID: 2eee704a4ecff60321af582a3bb664150b17c9a56b37d65c55132638fc51caa9
Opcode Fuzzy Hash: 76d1a1ba5f4ff6725aa2f3dda1f8e2d654f58fc93440d35f24af4b5c5189a31a
Instruction Fuzzy Hash: A4318F71A002058FDB15DF69C458BAEBBF6FF88300F1485A9E901AB361CBB5ED45CB90

Function 01759870 Relevance: 1.3, Strings: 1, Instructions: 67COMMON

Download Yara Rule

Strings

Te]q, xrefs: 0175988A

Memory Dump Source

Source File: 0000000F.00000002.3252391904.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1750000_windowsBook.jbxd

Similarity

API ID:
String ID: Te]q
API String ID: 0-52440209
Opcode ID: 09e03a415573e5319fac0fdc1065dee5a88efc8a66233bebf995b8829d4e9608
Instruction ID: 335435544d804a0f07438ef421c2a14c8fc2172343b27bc5330c74ed0c1cc521
Opcode Fuzzy Hash: 09e03a415573e5319fac0fdc1065dee5a88efc8a66233bebf995b8829d4e9608
Instruction Fuzzy Hash: F0216D30710115CFDB549F68D468BAEBBF6BF88B14F244159EA02EB3A5CFB19C018B91

Function 01753A08 Relevance: 1.3, Strings: 1, Instructions: 65COMMON

Download Yara Rule

Strings

|, xrefs: 01753A68

Memory Dump Source

Source File: 0000000F.00000002.3252391904.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1750000_windowsBook.jbxd

Similarity

API ID:
String ID: |
API String ID: 0-2343686810
Opcode ID: 772b216732c8974372e01cb2c761094932d0720e157856bcbff456b29ff349c8
Instruction ID: ead4e9d378c7a982cf35cacef4deba36be0c929e10635a1678f0abeef9600568
Opcode Fuzzy Hash: 772b216732c8974372e01cb2c761094932d0720e157856bcbff456b29ff349c8
Instruction Fuzzy Hash: 5B218C75F002159FCB54DF788814B6DBBF1BF48744F1088A9EA4AD73A0DA799901CB81

Function 01759D77 Relevance: 1.3, Strings: 1, Instructions: 62COMMON

Download Yara Rule

Strings

Te]q, xrefs: 01759DA3

Memory Dump Source

Source File: 0000000F.00000002.3252391904.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1750000_windowsBook.jbxd

Similarity

API ID:
String ID: Te]q
API String ID: 0-52440209
Opcode ID: 97c2b5722fc5de7c2d01120a799a0393ff997035c2c077ffc29b79f5bf0d2e42
Instruction ID: 8af0cfe24e848a26e4175a88927f1b61f16fc44d372240b1899228810cb6115f
Opcode Fuzzy Hash: 97c2b5722fc5de7c2d01120a799a0393ff997035c2c077ffc29b79f5bf0d2e42
Instruction Fuzzy Hash: 6E117F70B54105DFDB149F29C899BAEBBE6AF88710F244459E902AB3E5CAB19C05CB90

Function 01759D88 Relevance: 1.3, Strings: 1, Instructions: 57COMMON

Download Yara Rule

Strings

Te]q, xrefs: 01759DA3

Memory Dump Source

Source File: 0000000F.00000002.3252391904.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1750000_windowsBook.jbxd

Similarity

API ID:
String ID: Te]q
API String ID: 0-52440209
Opcode ID: 30549dd0b8cd6bc8931cda580eec25e02b851ea9c8adb08531995ad6906f046f
Instruction ID: 1d1316f2402d627ffd452b8eed04718b0bae1a46b53c1e6c9b4f036f4b9de093
Opcode Fuzzy Hash: 30549dd0b8cd6bc8931cda580eec25e02b851ea9c8adb08531995ad6906f046f
Instruction Fuzzy Hash: 14118F70B40105DFDB149F69C899BAEBBE6AF8C710F144059EA02AB3A5CBB19C05CB90

Function 0175AD80 Relevance: 1.3, Strings: 1, Instructions: 55COMMON

Download Yara Rule

Strings

Te]q, xrefs: 0175ADAD

Memory Dump Source

Source File: 0000000F.00000002.3252391904.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1750000_windowsBook.jbxd

Similarity

API ID:
String ID: Te]q
API String ID: 0-52440209
Opcode ID: 3de62ab69174f04782b2e6cd173a5cb4662e93447c298572dc8ef70f664043f5
Instruction ID: 5a0ebd6c591167277a538ea1cef04c5ac82965331c4de094a4e5440911305042
Opcode Fuzzy Hash: 3de62ab69174f04782b2e6cd173a5cb4662e93447c298572dc8ef70f664043f5
Instruction Fuzzy Hash: 1611A3757101049FDB149F28C969BAEBBF6EF8C701F2400A8E502EB3A1CBB55C06CB91

Function 01750E3F Relevance: 1.3, Strings: 1, Instructions: 46COMMON

Download Yara Rule

Strings

Haq, xrefs: 01750E40

Memory Dump Source

Source File: 0000000F.00000002.3252391904.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1750000_windowsBook.jbxd

Similarity

API ID:
String ID: Haq
API String ID: 0-725504367
Opcode ID: 357ac325429e608d5d2f2bf94a2b5a14574e3264fd953b90f668bdd63ad5a221
Instruction ID: 35d5c1276dd86045d22bc67d8e481a778edcb3eea99beab9dd049dab93cdda9b
Opcode Fuzzy Hash: 357ac325429e608d5d2f2bf94a2b5a14574e3264fd953b90f668bdd63ad5a221
Instruction Fuzzy Hash: 35F028303182401FC346AB3D681443E7FEBEFDA22132544FAE549CB396CE298C068391

Function 017593A8 Relevance: 1.3, Strings: 1, Instructions: 45COMMON

Download Yara Rule

Strings

LR]q, xrefs: 017593CD

Memory Dump Source

Source File: 0000000F.00000002.3252391904.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1750000_windowsBook.jbxd

Similarity

API ID:
String ID: LR]q
API String ID: 0-3081347316
Opcode ID: 623e4f0d520a370108e481581ea751ae2ac87592c16481a6e0bcd6e4a69d39fd
Instruction ID: 00bb76acfc8aa9a9f466478df5edbf7ddac41952c23fddaf8128d95aa4311b66
Opcode Fuzzy Hash: 623e4f0d520a370108e481581ea751ae2ac87592c16481a6e0bcd6e4a69d39fd
Instruction Fuzzy Hash: 9B018470B102159FCB85DF7894526FF7BF1EF59604F10419DD946D7291E6B04D018782

Function 017593B8 Relevance: 1.3, Strings: 1, Instructions: 44COMMON

Download Yara Rule

Strings

LR]q, xrefs: 017593CD

Memory Dump Source

Source File: 0000000F.00000002.3252391904.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1750000_windowsBook.jbxd

Similarity

API ID:
String ID: LR]q
API String ID: 0-3081347316
Opcode ID: 7f1d13a9928da6518331d5a3819fdf6bf50ac16ac566382b23f027a642f01b90
Instruction ID: 074a042ea0cf777dc270ac27950d2c8293f5c7b7d6347beb5f70f5899c9dd94b
Opcode Fuzzy Hash: 7f1d13a9928da6518331d5a3819fdf6bf50ac16ac566382b23f027a642f01b90
Instruction Fuzzy Hash: C9016271B00115DFCB84EB69D9416AEB7F5FB48604F1041A9EA0ADB295EBB19D0187C2

Function 01753AE0 Relevance: .4, Instructions: 377COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3252391904.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1750000_windowsBook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcef0bc848d0a9ad38c17bab251be36a4939aa946ff3b797b25671ef14fe930f
Instruction ID: 4dc69ea4c6cf9fc9ac3d9596073dcf1bf8ae6f22a7abf978f8d4a241a0736fb6
Opcode Fuzzy Hash: fcef0bc848d0a9ad38c17bab251be36a4939aa946ff3b797b25671ef14fe930f
Instruction Fuzzy Hash: BBC1F72195E3E15FD7036B3859704A67FB5AE9326570A04EBC0D0CF1B7D99C888DC3AA

Function 01751DC0 Relevance: .3, Instructions: 296COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3252391904.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1750000_windowsBook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8d33b80e4f0c4704e739015befd4c56c4828b2c8f3c6b9fd2b52813efa84dbb
Instruction ID: 83e007f80d6655f2974e44b78822740da3df5c8eebb93e9fd0fdaa153ceb0f14
Opcode Fuzzy Hash: a8d33b80e4f0c4704e739015befd4c56c4828b2c8f3c6b9fd2b52813efa84dbb
Instruction Fuzzy Hash: EAC13A74700205CFCB48DF79D598A6DB7F6EF88714B2144A8E8069B3A5CB76EC42CB51

Function 017563CE Relevance: .3, Instructions: 280COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3252391904.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1750000_windowsBook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25e851152fac9b362e82ff97260d1822fd360bcffb7f0834c5de5ab3aead03b5
Instruction ID: a8c16d445723416a6c2102d39cd65ab5d01b0ee8f09d783255a1362f9380ca06
Opcode Fuzzy Hash: 25e851152fac9b362e82ff97260d1822fd360bcffb7f0834c5de5ab3aead03b5
Instruction Fuzzy Hash: C1B16D70E002098FDB50CFA8C98579DFFF2FF88314F548529E819A7294EBB49946CB91

Function 01756C9C Relevance: .3, Instructions: 279COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3252391904.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1750000_windowsBook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: faeeaf9d21678a70eb539addaca2c2ea974f860761565016128353404309b8f9
Instruction ID: 3cdf83a5ec71bd780045bf6aca1ea4f1e9d35f18014dc23cc1945f8cb0ed7b24
Opcode Fuzzy Hash: faeeaf9d21678a70eb539addaca2c2ea974f860761565016128353404309b8f9
Instruction Fuzzy Hash: ACB15C70E002098FDF50CFA8C98579DFFF2BF48714F948529E815AB294EBB49885CB91

Function 0175A9B8 Relevance: .3, Instructions: 251COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3252391904.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1750000_windowsBook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c914eacab33956802ab06523972bb0ce161e738614c27d29643d5fd392f6c5c
Instruction ID: b5774d211e5d572beeed3f98db6f122bc7adfb0bc8227e279633bcbaf084e0b0
Opcode Fuzzy Hash: 5c914eacab33956802ab06523972bb0ce161e738614c27d29643d5fd392f6c5c
Instruction Fuzzy Hash: 16A19070B002019FCB59EF35E05465DB7A2FF88304B148669D8069B359EFB5EC8BCB91

Function 01753269 Relevance: .2, Instructions: 230COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3252391904.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1750000_windowsBook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffe2e02c1fc936899182261f91515251c063a4cd2d3024106d60a8b6a7f44ee8
Instruction ID: 87824e6be24559cf45ca202573f0a2eea8ac74a857c15b5fb65bd7c7eb897b35
Opcode Fuzzy Hash: ffe2e02c1fc936899182261f91515251c063a4cd2d3024106d60a8b6a7f44ee8
Instruction Fuzzy Hash: C9A17DB46002418FDB09DF31E558A5E7BB6FF88314B2086A9D4068B359DB799D8BCFC1

Function 01753278 Relevance: .2, Instructions: 227COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3252391904.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1750000_windowsBook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 049dd801177a995120d2e6fa05f3a8a476a5eeacfc6eb93b04d6ddf2244bca41
Instruction ID: a63581e66cc0f4f0fee4703a9250c04fc6f34020667b971030a167e828d6ff12
Opcode Fuzzy Hash: 049dd801177a995120d2e6fa05f3a8a476a5eeacfc6eb93b04d6ddf2244bca41
Instruction Fuzzy Hash: 17A17CB46002018FCB09EF31E55895E7BB6FF88314B208669D5068B359DB39AD8BCFC1

Function 01759B08 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3252391904.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1750000_windowsBook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c165ba03b2b94407e20da8520dfddb0c480cff53fb483335f715bf7c03d44a0b
Instruction ID: c0eff1812758496ecac27deb615fcc1affd680e447dcfef713aaa050062c7522
Opcode Fuzzy Hash: c165ba03b2b94407e20da8520dfddb0c480cff53fb483335f715bf7c03d44a0b
Instruction Fuzzy Hash: CC61BA34600205DFDB05DF68C884A6AFBF2FF85315F5580A9E946AB3A6C771EC41CBA0

Function 017596D0 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3252391904.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1750000_windowsBook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a72e597a98744ac9220a2806b0702f5feb042e246807cecc6219127bd06e092
Instruction ID: 2539e732490f259d1a683deae2fcf92d5f7a159de2c8033036372b0e3020c26a
Opcode Fuzzy Hash: 9a72e597a98744ac9220a2806b0702f5feb042e246807cecc6219127bd06e092
Instruction Fuzzy Hash: 30511134A00208CFDB55DF68D8587EDFBB2EF59318F108469DA05AB361DBB59C4ACB60

Function 01750AA0 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3252391904.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1750000_windowsBook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9c6a92c049f3f05e22e47831e9c40c9ea68b4570d4c821d784f5f6ccd0ac490
Instruction ID: 3a4360863028a8ed33fe2fdf689a5ccce230e4032d8aeec951dac90d7bfbcf67
Opcode Fuzzy Hash: c9c6a92c049f3f05e22e47831e9c40c9ea68b4570d4c821d784f5f6ccd0ac490
Instruction Fuzzy Hash: 5351D370211209DFCB19EF29F5889597766FFC530575086A8D812CB279EB39AD8BCF80

Function 017511D0 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3252391904.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1750000_windowsBook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e8c7e637d6a6d9079aa4396daa253051fd73046cf8b3b963d72c02dd6e05017
Instruction ID: 387c22ce8dd71b9c5d0e8f4b87c8cc509250e68dcf7eb047481902f1c4180bee
Opcode Fuzzy Hash: 0e8c7e637d6a6d9079aa4396daa253051fd73046cf8b3b963d72c02dd6e05017
Instruction Fuzzy Hash: 7341A0B0B00209AFCB44EFB9C55466EFBFAFF89301F208569D849D7346DA349D428B91

Function 017548EC Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3252391904.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1750000_windowsBook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e53c31f1a37a014ed77a7cafb7e31ae4a95d990cf34bd1b771fd11cb979f0e7
Instruction ID: 70b3a7b7540e680e44f684f8260b51987d45ceb91650489ddb33fee91ff565ab
Opcode Fuzzy Hash: 7e53c31f1a37a014ed77a7cafb7e31ae4a95d990cf34bd1b771fd11cb979f0e7
Instruction Fuzzy Hash: C641F1B0D0034C9FDB14DFA9C485ADEBFF5EF48304F248429E80AAB254DB75A985CB90

Function 017548F8 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3252391904.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1750000_windowsBook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18e2aef490145264999b133c43c13844f868aedf63fce6d9c38e4c38422ba90b
Instruction ID: 984d54cdb311483dcdf516eda6bec3fac2d8a709ebe34c93e1f646c46e185e77
Opcode Fuzzy Hash: 18e2aef490145264999b133c43c13844f868aedf63fce6d9c38e4c38422ba90b
Instruction Fuzzy Hash: 9841E1B0D003499FDB14DF99C484ADEBFF5FF48314F148029E81AAB254DB75A985CB90

Function 0175A9A8 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3252391904.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1750000_windowsBook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 614e674514007637a8959f35b68cb28e1bad10ffa0d916956adea625b360c574
Instruction ID: c5be90886e39b49fa2ca860d9992509b2670c857856ae904c5825b1295ffdf3d
Opcode Fuzzy Hash: 614e674514007637a8959f35b68cb28e1bad10ffa0d916956adea625b360c574
Instruction Fuzzy Hash: 542177307002009BCB06EB79E5505AEB7AAEB84214B104669CC098B34AEF76AD4BC7D2

Function 01750998 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3252391904.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1750000_windowsBook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25cec362422c3b2e9fa3579728b996966d6216ae5b87de30e8bfbe9f9980d36b
Instruction ID: caf9333e9dc3f45113b56017ddd8fa17cbab5f3fc09d5bf1e86d41b0362e3fbf
Opcode Fuzzy Hash: 25cec362422c3b2e9fa3579728b996966d6216ae5b87de30e8bfbe9f9980d36b
Instruction Fuzzy Hash: 3221B0306102069FDBA89B79E40866ABBA4EF55301B0046ADFC07C2155EFB49A41CB51

Function 0120D4A0 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3250762196.000000000120D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0120D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_120d000_windowsBook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cd52c49110704279d20e00c7b196e4714ebb6ca948c5c16fc57c7b5dcae4a8d
Instruction ID: 5971dd2d59ba7ccaf608efcec7f912eafdec442fede18d392596ab98b4d19c90
Opcode Fuzzy Hash: 4cd52c49110704279d20e00c7b196e4714ebb6ca948c5c16fc57c7b5dcae4a8d
Instruction Fuzzy Hash: BD210671514209DFDB16DF98E9C0B26BF65FB88318F20C669EE090A297C37AD415C7A2

Function 017509A8 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3252391904.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1750000_windowsBook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7883a844aa767dc320aaf26ea9d9f5e3002e000bdb7bd1c32c541f8e01e79267
Instruction ID: d2e2814d11fe4525e93d8e868846d0d34dbcfcd7a85f2707db0b883239097188
Opcode Fuzzy Hash: 7883a844aa767dc320aaf26ea9d9f5e3002e000bdb7bd1c32c541f8e01e79267
Instruction Fuzzy Hash: 5B2181307002079FDFE8AB79F55C66EBAA4AF55301B04467DBD07C2145EFB49641CB92

Function 0175A0D8 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3252391904.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1750000_windowsBook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00643d87401b693ae4c806ed19356c48c7503b5261a35bb9e59cd01f1fa232ee
Instruction ID: 7c28620c9e18d04761e2bb03aec34fa27a08f7bb02398f6160febd497985d11f
Opcode Fuzzy Hash: 00643d87401b693ae4c806ed19356c48c7503b5261a35bb9e59cd01f1fa232ee
Instruction Fuzzy Hash: 9F1124705002428FCB45EF78D4006AEBBF2EF80354B20466DC8058B295EBB6994BCBC1

Function 0120D49B Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3250762196.000000000120D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0120D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_120d000_windowsBook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction ID: 5131023f52ab4768012f03872b8816eb71fc540d7a3ce1a9b6a4b3ad56d5f8e3
Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction Fuzzy Hash: C611CD72404244CFDB12CF88E5C4B16BF61FB84324F2486A9DE090A257C336D45ACBA2

Function 01751431 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3252391904.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1750000_windowsBook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b0ac83a1734faa915ca5a1fb0727e8cc90a8c09ac78ada114537ea54d6007ed
Instruction ID: 1509a0edcf4c25e0f2e3b4575f2b85d3faeab1040a507dfeed16d1c037e12d42
Opcode Fuzzy Hash: 1b0ac83a1734faa915ca5a1fb0727e8cc90a8c09ac78ada114537ea54d6007ed
Instruction Fuzzy Hash: 50117070A01205DFCB94EBB9D40466A7BF6EF8931671004B9D909DB361EB359D42CB91

Function 01753AD1 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3252391904.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1750000_windowsBook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f554dd6b5c1d1a69fd8f1136551faa822ae4d6a2eb1b45a825d4613e2e3c84e4
Instruction ID: e065df8252a8cf13da9e9e5932370492193af93430f90f27b3cc6a1d09f052e2
Opcode Fuzzy Hash: f554dd6b5c1d1a69fd8f1136551faa822ae4d6a2eb1b45a825d4613e2e3c84e4
Instruction Fuzzy Hash: 0101F5313042408FC726AB3899A457DB7E7EFD6255308487DD44ACB752CE75CC0AC790

Function 0175A0E8 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3252391904.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1750000_windowsBook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebcc47bfec561e450677a83e27e4b3f1d60b48f783bcc784183045f7aa387292
Instruction ID: 81d39a8b226110d6a7e87550e8b97673792a746e42f19cb9c6d605c59980aecd
Opcode Fuzzy Hash: ebcc47bfec561e450677a83e27e4b3f1d60b48f783bcc784183045f7aa387292
Instruction Fuzzy Hash: 1311C4706002068FCB45EF78E404A5EBBB6EF94354F108769C5058B295EBB6994BCBD1

Function 01751440 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3252391904.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1750000_windowsBook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab26c232967c1b512ce5dea0fddb9a5df37e43229b38a15620eac0b43174a4e4
Instruction ID: 6ecfb9f49dbb401e8cbddf113f379e14bf74e72073e41a9d727d9b07e669e46d
Opcode Fuzzy Hash: ab26c232967c1b512ce5dea0fddb9a5df37e43229b38a15620eac0b43174a4e4
Instruction Fuzzy Hash: 0B11AD70B00209DFCB94EBBED40466ABBE6FF8820575008B8D90ADB354EA35DC42CB90

Function 017535E0 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3252391904.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1750000_windowsBook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e04c58e0feb484dfe3682060aa6ff24f277ca7dbc0f303cf42d0459d0caffc2d
Instruction ID: 53f7f976e4ad1ab2f21780c6c45c5202d8b2de6d5c7d057e450efee1f64d3cb4
Opcode Fuzzy Hash: e04c58e0feb484dfe3682060aa6ff24f277ca7dbc0f303cf42d0459d0caffc2d
Instruction Fuzzy Hash: DCF08CB06052848FDF06CF25F4685897F36EB8522973085DAC4418B266DB398A8BCB95

Function 0175A143 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3252391904.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1750000_windowsBook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76e77963f82d02653f4f58563f4599a476c1007c26020acbfe4ee01c50da31be
Instruction ID: c38154c75a02032a95c884aebc15d205c37292b2b9bf013197a81cc9e0c11805
Opcode Fuzzy Hash: 76e77963f82d02653f4f58563f4599a476c1007c26020acbfe4ee01c50da31be
Instruction Fuzzy Hash: 0FF02771604242DBCB01BB70E40858DF7229BA13A4F104367C9050B196EBF5990BC382

Function 01759367 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3252391904.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1750000_windowsBook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7412f640730fc30293febe056b29fdd360642be1d8e87bf10b14f42418ca4a2f
Instruction ID: d41950e64ad9ee4c06c27f3e02f81b63569e7c72c45750931f4345f676191c9d
Opcode Fuzzy Hash: 7412f640730fc30293febe056b29fdd360642be1d8e87bf10b14f42418ca4a2f
Instruction Fuzzy Hash: A9E026323162516FC302ABF898148BA3FEEEF8B10435400DAE180CF3A7CE29CC064395

Function 0175A02E Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3252391904.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1750000_windowsBook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54a6cf5e10bc68b2321335ada7a4f0c6d75d84420660e54eeba5d92b664f6344
Instruction ID: 423e527175ebb2cef38557ba7b36ae4a07e70b93b7fb4af6694c981e8c701c21
Opcode Fuzzy Hash: 54a6cf5e10bc68b2321335ada7a4f0c6d75d84420660e54eeba5d92b664f6344
Instruction Fuzzy Hash: 38F0A7B5E542459FDB919F11C454AADBBB0BF15244F0402B6DC1ADB162E6F58941CB10

Function 01759479 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3252391904.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1750000_windowsBook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08359ede49ee6b0d726f8a293e2f0127a399af38ea30783a77d210f0c09d5969
Instruction ID: 2cef5cffd89aa8a3eee13c99ae8462807fcb2b46127015659504602793879959
Opcode Fuzzy Hash: 08359ede49ee6b0d726f8a293e2f0127a399af38ea30783a77d210f0c09d5969
Instruction Fuzzy Hash: 46F0F4B5900609CFDB10DF99D44479EFBF0FF49328F208459D619A7250C379A844CFA1

Function 01752204 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3252391904.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1750000_windowsBook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef7d78a9264331af891ffe2f207a130acc8a29e40fb3d441467ddd93fbb69769
Instruction ID: 59a720962499413c9aef856a6dc3f80a28032eb776d5c6c4265a16399a173496
Opcode Fuzzy Hash: ef7d78a9264331af891ffe2f207a130acc8a29e40fb3d441467ddd93fbb69769
Instruction Fuzzy Hash: F1E0EC71C5430A9FC781EFF844013B9B7F9FB09205F5041ADC80CD6204FA7546128B92

Function 01752E38 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3252391904.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1750000_windowsBook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9363df2b12d159360bfe6f2d885979e7cea619237d1ca6bb2c713c2034c8b74
Instruction ID: 75fc0c2dfa53a91ecdc0f4969fcacd0664f1b8175c78fb770671d77e1b6ce527
Opcode Fuzzy Hash: b9363df2b12d159360bfe6f2d885979e7cea619237d1ca6bb2c713c2034c8b74
Instruction Fuzzy Hash: 4FD0C9715147098FE3429A6AD564A6277ACEF6AA0570100AAE841CB772EB65FC01CA21

Function 01750A73 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3252391904.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1750000_windowsBook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ebc7112cb58d2fda5183eb63d81209e38aefe6dd6b9a5181e1dafaddc29df3f
Instruction ID: 165fd2b1571029fdf5cb5132689a7b0d5ec070fbf56fb0ea2ceb16dfcc3dc19d
Opcode Fuzzy Hash: 2ebc7112cb58d2fda5183eb63d81209e38aefe6dd6b9a5181e1dafaddc29df3f
Instruction Fuzzy Hash: 5BC08C2110428ACED7B0A374F90CAACBE20ABA2301F0006E6BC03040AACEF80600871B

Function 01750A8F Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3252391904.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1750000_windowsBook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08c144c793ba3fc06906b8c40004fe26497268c5e49e87a91843fb1fa62cc91a
Instruction ID: 255a5655b087eb39804cdf6b0ce2c0634b82c75966557b183bcd9d33819c0d8b
Opcode Fuzzy Hash: 08c144c793ba3fc06906b8c40004fe26497268c5e49e87a91843fb1fa62cc91a
Instruction Fuzzy Hash: 43C08C2110424BCED3B0A3B4F90CAACBD20ABA2301F0006E2BC03040AACEF80600831B

Function 01752E48 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3252391904.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1750000_windowsBook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee677d758531af410ffeb48d545b286b1719ac5ff66bb5ddf3e28f20308cf1dd
Instruction ID: 896b213b150aef14d648bd48042cbf125e017ad09b5ca972915d7c632156c8f7
Opcode Fuzzy Hash: ee677d758531af410ffeb48d545b286b1719ac5ff66bb5ddf3e28f20308cf1dd
Instruction Fuzzy Hash: DAC09235260208CFC344EF9AE588C12B7ECFF98B003410099E9018B732CB21FC11DB61

Analysis Process: windowsBook.exePID: 5240, Parent PID: 3652COMMON

Executed Functions

Function 01190EBC Relevance: 2.7, Strings: 2, Instructions: 160COMMON

Download Yara Rule

Strings

(aq, xrefs: 01191192
Te]q, xrefs: 01190EED

Memory Dump Source

Source File: 00000011.00000002.2230813385.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1190000_windowsBook.jbxd

Similarity

API ID:
String ID: (aq$Te]q
API String ID: 0-2961548996
Opcode ID: 0f51c2c47409b98e683fe2c09056390c8a761f96bb08ee97f7389b2782e9834a
Instruction ID: 773cf0bf4bfceaf366706af6520a5a0e8a65e38806b62f0edca0446204c653b8
Opcode Fuzzy Hash: 0f51c2c47409b98e683fe2c09056390c8a761f96bb08ee97f7389b2782e9834a
Instruction Fuzzy Hash: 3351AF30B001049FCB48DF69C458AADBBF2FF89710F2581A9E902EB3A5CB75DD418B90

Function 01190D20 Relevance: 2.6, Strings: 2, Instructions: 133COMMON

Download Yara Rule

Strings

Haq, xrefs: 01190E40
dLcq, xrefs: 01190D5B

Memory Dump Source

Source File: 00000011.00000002.2230813385.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1190000_windowsBook.jbxd

Similarity

API ID:
String ID: Haq$dLcq
API String ID: 0-1713614415
Opcode ID: 718adc1ac2c0949cf8d1e286c72212e3eab47db49164ad80c17b601823b7b81c
Instruction ID: 4f01d1d118eefec2714a92748d36cc11f2c21fd67efc571ba68565e2f4d2df00
Opcode Fuzzy Hash: 718adc1ac2c0949cf8d1e286c72212e3eab47db49164ad80c17b601823b7b81c
Instruction Fuzzy Hash: FF41F4307042448FCB09DF69C458AAEBFF6AF89304F1444AAE505EB3A2CB75DC05CB91

Function 01191339 Relevance: 1.4, Strings: 1, Instructions: 118COMMON

Download Yara Rule

Strings

LR]q, xrefs: 0119138B

Memory Dump Source

Source File: 00000011.00000002.2230813385.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1190000_windowsBook.jbxd

Similarity

API ID:
String ID: LR]q
API String ID: 0-3081347316
Opcode ID: bf6dd2b98df127f257539216c5766dd03e615f49f9220196a0514c8c83e62089
Instruction ID: 45b6e992a703344124dba4418fc53ca9f5fc54f404c4c183e92ec8c85541cf59
Opcode Fuzzy Hash: bf6dd2b98df127f257539216c5766dd03e615f49f9220196a0514c8c83e62089
Instruction Fuzzy Hash: A1414334F042169FCB09AB7C845466E7BF6EFC5224B1405A9D51ADB395EB30CD42C782

Function 01190D10 Relevance: 1.3, Strings: 1, Instructions: 89COMMON

Download Yara Rule

Strings

dLcq, xrefs: 01190D5B

Memory Dump Source

Source File: 00000011.00000002.2230813385.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1190000_windowsBook.jbxd

Similarity

API ID:
String ID: dLcq
API String ID: 0-2236789282
Opcode ID: b6b306dd8c7dfdcdbd927e1d589f607ea4ccc44dac948cefe331f4ff8077337d
Instruction ID: 817d5f72fc84a91024b10f3246bf38d1b375b55c6a391840661c80fa43f92645
Opcode Fuzzy Hash: b6b306dd8c7dfdcdbd927e1d589f607ea4ccc44dac948cefe331f4ff8077337d
Instruction Fuzzy Hash: 4B318F31A002048FDB19DF69C448BAEBBF6BF4C304F1985AAE511AB361CB75ED44CB91

Function 01190E3F Relevance: 1.3, Strings: 1, Instructions: 46COMMON

Download Yara Rule

Strings

Haq, xrefs: 01190E40

Memory Dump Source

Source File: 00000011.00000002.2230813385.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1190000_windowsBook.jbxd

Similarity

API ID:
String ID: Haq
API String ID: 0-725504367
Opcode ID: 6998ae248c8f6df26a907054c26972ce86aaa956121f8bde069c04170b1bf8bc
Instruction ID: be1e0931c640353895efad37dbf6b126fb5136404b06a57469a1a682482c14c7
Opcode Fuzzy Hash: 6998ae248c8f6df26a907054c26972ce86aaa956121f8bde069c04170b1bf8bc
Instruction Fuzzy Hash: B7F0C8307093901FC34B973D586446E7FEBAFCB11431944EAE549DB397DD258D068391

Function 01190AA0 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2230813385.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1190000_windowsBook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3df592a527ac2846f471b9af4d1b83185a237ec28d5deed397d88f7af8206b85
Instruction ID: a81946fcf62858c7b768526f5841a3261d08af126fa011ddfcb4c3b42d17263b
Opcode Fuzzy Hash: 3df592a527ac2846f471b9af4d1b83185a237ec28d5deed397d88f7af8206b85
Instruction Fuzzy Hash: CF51C1385002818FC75BFF24E598B497767FF84389790A568D401EB26DEB75AD86CF80

Function 011911D0 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2230813385.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1190000_windowsBook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee4a4a04b0b4101cf387151167e9665543c8adf197d3b0f70cde14fb1d6e588c
Instruction ID: 3be78c19e7fce410f29f79c999231b7c974aa13ff5783fb45beeee80ff9e24de
Opcode Fuzzy Hash: ee4a4a04b0b4101cf387151167e9665543c8adf197d3b0f70cde14fb1d6e588c
Instruction Fuzzy Hash: 0941B470E00209AFCB48EFB9854466EBFFAEF89310F208569D459D7345DB3499428B91

Function 01190998 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2230813385.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1190000_windowsBook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34fc827d0e61abd91fff31be1848d9614960f35a6b3e5e6a68850d855168af09
Instruction ID: 585b2dfd4475af13bc1f2384d18d249d1ebd719c4b3442d56764f5c75f5654a3
Opcode Fuzzy Hash: 34fc827d0e61abd91fff31be1848d9614960f35a6b3e5e6a68850d855168af09
Instruction Fuzzy Hash: 2A21A430A00342DFDFAEAB78D45872E3BA9AF09245705463DF527D6155EB788980CBD2

Function 00FED4A0 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2230364352.0000000000FED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_fed000_windowsBook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15dbd9fbfaa71b9655adce801e85dd9a07bdaafc057d4a8cd6f2e2a7ed91aebe
Instruction ID: a7dd322758130cc01c65c4bd643134be184a893a2fb5584e52d0b29125d402cf
Opcode Fuzzy Hash: 15dbd9fbfaa71b9655adce801e85dd9a07bdaafc057d4a8cd6f2e2a7ed91aebe
Instruction Fuzzy Hash: A9214872900384DFDB05DF14D9C0F26BF65FB98324F24C569D9090B656C33AD815EBA2

Function 011909A8 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2230813385.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1190000_windowsBook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4129451d32270ead6157f84f25911af315a66863db93aa4036833498105819f
Instruction ID: 45fd1d4cbebb4655ad942d0da1f79f0dcf5c0302b43f58d5678fc129ce221c46
Opcode Fuzzy Hash: a4129451d32270ead6157f84f25911af315a66863db93aa4036833498105819f
Instruction Fuzzy Hash: 56216230B002038FDFAEBB79A55872E7BADAF08245B01463DB527D1145EB748980CBD2

Function 01191431 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2230813385.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1190000_windowsBook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 522e398530caf4cd47699f84ceba8b5d127df9c5e7242587043f760a77692c82
Instruction ID: 1c52443af57ca3b1e601a2ff089e9f663515569dbe787a4169a4262dee76428a
Opcode Fuzzy Hash: 522e398530caf4cd47699f84ceba8b5d127df9c5e7242587043f760a77692c82
Instruction Fuzzy Hash: 8211A070A01386DFCB5AEF78D40466A7BF6EF8921971408BDD405DB316EB318D92CB81

Function 00FED49B Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2230364352.0000000000FED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_fed000_windowsBook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction ID: 3769eaf2ffa00e4069d1a8640a9938893308298a36df5e53b6195357c98474c3
Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction Fuzzy Hash: D3110376804380CFCB02CF04D5C4B16BF71FB94324F28C5A9D9090B656C336D85ADBA2

Function 01191440 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2230813385.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1190000_windowsBook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a987693d1317f163445aab0819546a80f5ea360509be1791b27f37398bdc0d64
Instruction ID: 2ae39c4f1ec1ba0c4fae32e96d939ecfc25d8ce42d1e7de87fe279c79093e405
Opcode Fuzzy Hash: a987693d1317f163445aab0819546a80f5ea360509be1791b27f37398bdc0d64
Instruction Fuzzy Hash: 5D118B74B00206DFCB59EFB9D40462A7BEAFF8821575008B8D50ADB354EB30DC81CB91

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report rUAE_LPO.com.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: AsyncRAT

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\rUAE_LPO.com.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\windowsBook.exe.log

C:\Users\user\AppData\Local\Temp\tmpBE0.tmp.bat

C:\Users\user\AppData\Local\Temp\windowsBook.exe

\Device\Null

Static File Info

General

File Icon

Static PE Info

General

Windows Analysis Report
rUAE_LPO.com.exe

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre