Edit tour

Windows Analysis Report
F7Xu8bRnXT.exe

Overview

General Information

Sample name:	F7Xu8bRnXT.exe renamed because original name is a hash value
Original sample name:	75691dfc15e24ea4920f9309bc68aedf808fb60379c0410d898cafaab4f8328b.exe
Analysis ID:	1562296
MD5:	d023bb01175d237f56d56467e5806525
SHA1:	bd936a27e63e60361d1191d058d13418084c7d04
SHA256:	75691dfc15e24ea4920f9309bc68aedf808fb60379c0410d898cafaab4f8328b
Tags:	exeuser-adrian__luca
Infos:

Detection

MassLogger RAT, PureLog Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected MassLogger RAT

Yara detected PureLog Stealer

Yara detected Telegram RAT

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains very large strings

.NET source code references suspicious native API functions

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Contains functionality to capture screen (.Net source)

Contains functionality to log keystrokes (.Net Source)

Drops large PE files

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to dynamically determine API calls

Contains functionality to query locales information (e.g. system language)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evasive API chain (may stop execution after checking a module file name)

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Startup Folder File Write

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Stores files to the Windows start menu directory

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

F7Xu8bRnXT.exe (PID: 7092 cmdline: "C:\Users\user\Desktop\F7Xu8bRnXT.exe" MD5: D023BB01175D237F56D56467E5806525)

Trading_AIBot.exe (PID: 1628 cmdline: "C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe" MD5: E91A1DB64F5262A633465A0AAFF7A0B0)

powershell.exe (PID: 3504 cmdline: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi' MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 5500 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 6396 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

schtasks.exe (PID: 5160 cmdline: "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\apihost.exe" /st 07:44 /du 23:59 /sc daily /ri 1 /f MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 4416 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

apihost.exe (PID: 1720 cmdline: "C:\Users\user\AppData\Roaming\ACCApi\apihost.exe" MD5: DE61BDDC20CC8EBAC6B7BDC55517BB73)

server01.exe (PID: 2200 cmdline: "C:\Users\user\AppData\Local\Temp\server01.exe" MD5: 0CDBE0CD3CB5C2F0B2CB17E4417D43F5)

cleanup

Malware Configuration

Threatname: MassLogger

{"EXfil Mode": "SMTP", "From": "info2@j-fores.com", "Password": "london@1759", "Server": "s82.gocheapweb.com", "To": "info@j-fores.com", "Port": 587}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
F7Xu8bRnXT.exe	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 7E 88 44 24 2B 88 44 24 2F B0 8E 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Temp\server01.exe	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
C:\Users\user\AppData\Local\Temp\server01.exe	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\server01.exe	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
C:\Users\user\AppData\Local\Temp\server01.exe	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x10191:$a1: get_encryptedPassword 0x104cd:$a2: get_encryptedUsername 0xff1e:$a3: get_timePasswordChanged 0x1003f:$a4: get_passwordField 0x101a7:$a5: set_encryptedPassword 0x11b77:$a7: get_logins 0x11828:$a8: GetOutlookPasswords 0x11606:$a9: StartKeylogger 0x11ac7:$a10: KeyLoggerEventArgs 0x11663:$a11: KeyLoggerEventArgsEventHandler
C:\Users\user\AppData\Local\Temp\server01.exe	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth

Memory Dumps

Source	Rule	Description	Author	Strings
00000001.00000002.2245104085.00000000034F5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000001.00000002.2245341110.0000000004AB0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000001.00000002.2244099849.0000000002214000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000001.00000003.2221472933.00000000005E7000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000001.00000002.2245462797.0000000005110000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000003.00000000.2240972319.00000000004E2000.00000002.00000001.01000000.00000009.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000003.00000000.2240972319.00000000004E2000.00000002.00000001.01000000.00000009.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000000.2240972319.00000000004E2000.00000002.00000001.01000000.00000009.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000003.00000000.2240972319.00000000004E2000.00000002.00000001.01000000.00000009.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xff91:$a1: get_encryptedPassword 0x102cd:$a2: get_encryptedUsername 0xfd1e:$a3: get_timePasswordChanged 0xfe3f:$a4: get_passwordField 0xffa7:$a5: set_encryptedPassword 0x11977:$a7: get_logins 0x11628:$a8: GetOutlookPasswords 0x11406:$a9: StartKeylogger 0x118c7:$a10: KeyLoggerEventArgs 0x11463:$a11: KeyLoggerEventArgsEventHandler
00000001.00000002.2245104085.0000000003575000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000001.00000002.2245104085.0000000003575000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000002.2245104085.0000000003575000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000001.00000002.2245104085.0000000003575000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x28f51:$a1: get_encryptedPassword 0x40f81:$a1: get_encryptedPassword 0x58fa1:$a1: get_encryptedPassword 0x2928d:$a2: get_encryptedUsername 0x412bd:$a2: get_encryptedUsername 0x592dd:$a2: get_encryptedUsername 0x28cde:$a3: get_timePasswordChanged 0x40d0e:$a3: get_timePasswordChanged 0x58d2e:$a3: get_timePasswordChanged 0x28dff:$a4: get_passwordField 0x40e2f:$a4: get_passwordField 0x58e4f:$a4: get_passwordField 0x28f67:$a5: set_encryptedPassword 0x40f97:$a5: set_encryptedPassword 0x58fb7:$a5: set_encryptedPassword 0x2a937:$a7: get_logins 0x42967:$a7: get_logins 0x5a987:$a7: get_logins 0x2a5e8:$a8: GetOutlookPasswords 0x42618:$a8: GetOutlookPasswords 0x5a638:$a8: GetOutlookPasswords
00000003.00000002.3486443994.0000000002944000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: F7Xu8bRnXT.exe PID: 7092	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: F7Xu8bRnXT.exe PID: 7092	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: F7Xu8bRnXT.exe PID: 7092	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: F7Xu8bRnXT.exe PID: 7092	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x815df:$a1: get_encryptedPassword 0x8190c:$a2: get_encryptedUsername 0x81380:$a3: get_timePasswordChanged 0x814a1:$a4: get_passwordField 0x815f5:$a5: set_encryptedPassword 0x82f67:$a7: get_logins 0x82c18:$a8: GetOutlookPasswords 0x829f6:$a9: StartKeylogger 0x82eb7:$a10: KeyLoggerEventArgs 0x82a53:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: server01.exe PID: 2200	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: server01.exe PID: 2200	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: server01.exe PID: 2200	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: server01.exe PID: 2200	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x380f0:$a1: get_encryptedPassword 0x3841d:$a2: get_encryptedUsername 0x37e91:$a3: get_timePasswordChanged 0x37fb2:$a4: get_passwordField 0x38106:$a5: set_encryptedPassword 0x39a78:$a7: get_logins 0x39729:$a8: GetOutlookPasswords 0x39507:$a9: StartKeylogger 0x399c8:$a10: KeyLoggerEventArgs 0x39564:$a11: KeyLoggerEventArgsEventHandler
Click to see the 17 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
1.2.F7Xu8bRnXT.exe.34f5570.6.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
1.2.F7Xu8bRnXT.exe.3534590.7.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
1.2.F7Xu8bRnXT.exe.4ab0000.12.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
1.2.F7Xu8bRnXT.exe.5110000.14.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
1.3.F7Xu8bRnXT.exe.5e7398.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
1.2.F7Xu8bRnXT.exe.2254106.1.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
1.2.F7Xu8bRnXT.exe.225500e.2.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
1.2.F7Xu8bRnXT.exe.35bde10.9.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
1.2.F7Xu8bRnXT.exe.35bde10.9.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.F7Xu8bRnXT.exe.35bde10.9.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
1.2.F7Xu8bRnXT.exe.35bde10.9.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x10191:$a1: get_encryptedPassword 0x104cd:$a2: get_encryptedUsername 0xff1e:$a3: get_timePasswordChanged 0x1003f:$a4: get_passwordField 0x101a7:$a5: set_encryptedPassword 0x11b77:$a7: get_logins 0x11828:$a8: GetOutlookPasswords 0x11606:$a9: StartKeylogger 0x11ac7:$a10: KeyLoggerEventArgs 0x11663:$a11: KeyLoggerEventArgsEventHandler
1.2.F7Xu8bRnXT.exe.35bde10.9.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x153a9:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x148a7:$a3: \Google\Chrome\User Data\Default\Login Data 0x14bb5:$a4: \Orbitum\User Data\Default\Login Data 0x159ad:$a5: \Kometa\User Data\Default\Login Data
1.2.F7Xu8bRnXT.exe.34f5570.6.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
1.2.F7Xu8bRnXT.exe.400000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 7E 88 44 24 2B 88 44 24 2F B0 8E 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
1.0.F7Xu8bRnXT.exe.400000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 7E 88 44 24 2B 88 44 24 2F B0 8E 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
1.2.F7Xu8bRnXT.exe.4ab0f08.13.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
1.2.F7Xu8bRnXT.exe.2254106.1.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
1.2.F7Xu8bRnXT.exe.225500e.2.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
1.2.F7Xu8bRnXT.exe.4ab0f08.13.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
1.2.F7Xu8bRnXT.exe.358ddc0.11.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
1.2.F7Xu8bRnXT.exe.358ddc0.11.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.F7Xu8bRnXT.exe.358ddc0.11.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
1.2.F7Xu8bRnXT.exe.358ddc0.11.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xe391:$a1: get_encryptedPassword 0xe6cd:$a2: get_encryptedUsername 0xe11e:$a3: get_timePasswordChanged 0xe23f:$a4: get_passwordField 0xe3a7:$a5: set_encryptedPassword 0xfd77:$a7: get_logins 0xfa28:$a8: GetOutlookPasswords 0xf806:$a9: StartKeylogger 0xfcc7:$a10: KeyLoggerEventArgs 0xf863:$a11: KeyLoggerEventArgsEventHandler
1.2.F7Xu8bRnXT.exe.358ddc0.11.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x135a9:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x12aa7:$a3: \Google\Chrome\User Data\Default\Login Data 0x12db5:$a4: \Orbitum\User Data\Default\Login Data 0x13bad:$a5: \Kometa\User Data\Default\Login Data
1.3.F7Xu8bRnXT.exe.5e7398.0.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
1.2.F7Xu8bRnXT.exe.4ab0000.12.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
1.2.F7Xu8bRnXT.exe.5110000.14.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
1.2.F7Xu8bRnXT.exe.34f6478.10.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
1.2.F7Xu8bRnXT.exe.34f6478.10.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
1.2.F7Xu8bRnXT.exe.3534590.7.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
3.0.server01.exe.4e0000.0.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
3.0.server01.exe.4e0000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.0.server01.exe.4e0000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
3.0.server01.exe.4e0000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x10191:$a1: get_encryptedPassword 0x104cd:$a2: get_encryptedUsername 0xff1e:$a3: get_timePasswordChanged 0x1003f:$a4: get_passwordField 0x101a7:$a5: set_encryptedPassword 0x11b77:$a7: get_logins 0x11828:$a8: GetOutlookPasswords 0x11606:$a9: StartKeylogger 0x11ac7:$a10: KeyLoggerEventArgs 0x11663:$a11: KeyLoggerEventArgsEventHandler
3.0.server01.exe.4e0000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x153a9:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x148a7:$a3: \Google\Chrome\User Data\Default\Login Data 0x14bb5:$a4: \Orbitum\User Data\Default\Login Data 0x159ad:$a5: \Kometa\User Data\Default\Login Data
1.2.F7Xu8bRnXT.exe.35bde10.9.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
1.2.F7Xu8bRnXT.exe.35bde10.9.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.F7Xu8bRnXT.exe.35bde10.9.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
1.2.F7Xu8bRnXT.exe.35bde10.9.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xe391:$a1: get_encryptedPassword 0xe6cd:$a2: get_encryptedUsername 0xe11e:$a3: get_timePasswordChanged 0xe23f:$a4: get_passwordField 0xe3a7:$a5: set_encryptedPassword 0xfd77:$a7: get_logins 0xfa28:$a8: GetOutlookPasswords 0xf806:$a9: StartKeylogger 0xfcc7:$a10: KeyLoggerEventArgs 0xf863:$a11: KeyLoggerEventArgsEventHandler
1.2.F7Xu8bRnXT.exe.35bde10.9.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x135a9:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x12aa7:$a3: \Google\Chrome\User Data\Default\Login Data 0x12db5:$a4: \Orbitum\User Data\Default\Login Data 0x13bad:$a5: \Kometa\User Data\Default\Login Data
1.2.F7Xu8bRnXT.exe.35a5df0.8.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
1.2.F7Xu8bRnXT.exe.35a5df0.8.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.F7Xu8bRnXT.exe.35a5df0.8.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
1.2.F7Xu8bRnXT.exe.35a5df0.8.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xe391:$a1: get_encryptedPassword 0xe6cd:$a2: get_encryptedUsername 0xe11e:$a3: get_timePasswordChanged 0xe23f:$a4: get_passwordField 0xe3a7:$a5: set_encryptedPassword 0xfd77:$a7: get_logins 0xfa28:$a8: GetOutlookPasswords 0xf806:$a9: StartKeylogger 0xfcc7:$a10: KeyLoggerEventArgs 0xf863:$a11: KeyLoggerEventArgsEventHandler
1.2.F7Xu8bRnXT.exe.35a5df0.8.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x135a9:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x12aa7:$a3: \Google\Chrome\User Data\Default\Login Data 0x12db5:$a4: \Orbitum\User Data\Default\Login Data 0x13bad:$a5: \Kometa\User Data\Default\Login Data
1.2.F7Xu8bRnXT.exe.358ddc0.11.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
1.2.F7Xu8bRnXT.exe.358ddc0.11.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.F7Xu8bRnXT.exe.358ddc0.11.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
1.2.F7Xu8bRnXT.exe.358ddc0.11.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x10191:$a1: get_encryptedPassword 0x281c1:$a1: get_encryptedPassword 0x401e1:$a1: get_encryptedPassword 0x104cd:$a2: get_encryptedUsername 0x284fd:$a2: get_encryptedUsername 0x4051d:$a2: get_encryptedUsername 0xff1e:$a3: get_timePasswordChanged 0x27f4e:$a3: get_timePasswordChanged 0x3ff6e:$a3: get_timePasswordChanged 0x1003f:$a4: get_passwordField 0x2806f:$a4: get_passwordField 0x4008f:$a4: get_passwordField 0x101a7:$a5: set_encryptedPassword 0x281d7:$a5: set_encryptedPassword 0x401f7:$a5: set_encryptedPassword 0x11b77:$a7: get_logins 0x29ba7:$a7: get_logins 0x41bc7:$a7: get_logins 0x11828:$a8: GetOutlookPasswords 0x29858:$a8: GetOutlookPasswords 0x41878:$a8: GetOutlookPasswords
1.2.F7Xu8bRnXT.exe.358ddc0.11.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x153a9:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x2d3d9:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x453f9:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x148a7:$a3: \Google\Chrome\User Data\Default\Login Data 0x2c8d7:$a3: \Google\Chrome\User Data\Default\Login Data 0x448f7:$a3: \Google\Chrome\User Data\Default\Login Data 0x14bb5:$a4: \Orbitum\User Data\Default\Login Data 0x2cbe5:$a4: \Orbitum\User Data\Default\Login Data 0x44c05:$a4: \Orbitum\User Data\Default\Login Data 0x159ad:$a5: \Kometa\User Data\Default\Login Data 0x2d9dd:$a5: \Kometa\User Data\Default\Login Data 0x459fd:$a5: \Kometa\User Data\Default\Login Data
1.2.F7Xu8bRnXT.exe.35a5df0.8.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
1.2.F7Xu8bRnXT.exe.35a5df0.8.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.F7Xu8bRnXT.exe.35a5df0.8.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
1.2.F7Xu8bRnXT.exe.35a5df0.8.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x10191:$a1: get_encryptedPassword 0x281b1:$a1: get_encryptedPassword 0x104cd:$a2: get_encryptedUsername 0x284ed:$a2: get_encryptedUsername 0xff1e:$a3: get_timePasswordChanged 0x27f3e:$a3: get_timePasswordChanged 0x1003f:$a4: get_passwordField 0x2805f:$a4: get_passwordField 0x101a7:$a5: set_encryptedPassword 0x281c7:$a5: set_encryptedPassword 0x11b77:$a7: get_logins 0x29b97:$a7: get_logins 0x11828:$a8: GetOutlookPasswords 0x29848:$a8: GetOutlookPasswords 0x11606:$a9: StartKeylogger 0x29626:$a9: StartKeylogger 0x11ac7:$a10: KeyLoggerEventArgs 0x29ae7:$a10: KeyLoggerEventArgs 0x11663:$a11: KeyLoggerEventArgsEventHandler 0x29683:$a11: KeyLoggerEventArgsEventHandler
1.2.F7Xu8bRnXT.exe.35a5df0.8.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x153a9:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x2d3c9:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x148a7:$a3: \Google\Chrome\User Data\Default\Login Data 0x2c8c7:$a3: \Google\Chrome\User Data\Default\Login Data 0x14bb5:$a4: \Orbitum\User Data\Default\Login Data 0x2cbd5:$a4: \Orbitum\User Data\Default\Login Data 0x159ad:$a5: \Kometa\User Data\Default\Login Data 0x2d9cd:$a5: \Kometa\User Data\Default\Login Data
Click to see the 50 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi' , CommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi' , CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe, ParentProcessId: 1628, ParentProcessName: Trading_AIBot.exe, ProcessCommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi' , ProcessId: 3504, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Startup Folder File Write

Source: File created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe, ProcessId: 1628, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\apihost.exe.lnk

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\apihost.exe" /st 07:44 /du 23:59 /sc daily /ri 1 /f, CommandLine: "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\apihost.exe" /st 07:44 /du 23:59 /sc daily /ri 1 /f, CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe, ParentProcessId: 1628, ParentProcessName: Trading_AIBot.exe, ProcessCommandLine: "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\apihost.exe" /st 07:44 /du 23:59 /sc daily /ri 1 /f, ProcessId: 5160, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi' , CommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi' , CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe, ParentProcessId: 1628, ParentProcessName: Trading_AIBot.exe, ProcessCommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi' , ProcessId: 3504, ProcessName: powershell.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-25T13:39:27.754596+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49721	158.101.44.242	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: F7Xu8bRnXT.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Avira: detection malicious, Label: TR/ATRAPS.Gen

Found malware configuration

Source: 1.2.F7Xu8bRnXT.exe.35a5df0.8.raw.unpack

Malware Configuration Extractor: MassLogger {"EXfil Mode": "SMTP", "From": "info2@j-fores.com", "Password": "london@1759", "Server": "s82.gocheapweb.com", "To": "info@j-fores.com", "Port": 587}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	ReversingLabs: Detection: 79%
Source: C:\Users\user\AppData\Local\Temp\server01.exe	ReversingLabs: Detection: 79%

Multi AV Scanner detection for submitted file

Source: F7Xu8bRnXT.exe

ReversingLabs: Detection: 39%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: F7Xu8bRnXT.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: F7Xu8bRnXT.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 172.67.177.134:443 -> 192.168.2.5:49724 version: TLS 1.0

Source:

Binary string: _.pdb source: F7Xu8bRnXT.exe, 00000001.00000002.2245104085.00000000034F5000.00000004.00000800.00020000.00000000.sdmp, F7Xu8bRnXT.exe, 00000001.00000002.2245341110.0000000004AB0000.00000004.08000000.00040000.00000000.sdmp, F7Xu8bRnXT.exe, 00000001.00000002.2244099849.0000000002214000.00000004.00000020.00020000.00000000.sdmp, F7Xu8bRnXT.exe, 00000001.00000003.2221472933.00000000005E7000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Code function: 4x nop then jmp 01767394h	2_2_01767188
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Code function: 4x nop then jmp 017678DCh	2_2_01767688
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h	2_2_01767E60
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Code function: 4x nop then jmp 017678DCh	2_2_0176767B
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h	2_2_01767FBC
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h	2_2_01767E54
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Code function: 4x nop then jmp 00C29731h	3_2_00C29480
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Code function: 4x nop then jmp 00C29E5Ah	3_2_00C29A40
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Code function: 4x nop then jmp 00C29E5Ah	3_2_00C29A71
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Code function: 4x nop then jmp 00C29E5Ah	3_2_00C29A30
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Code function: 4x nop then jmp 00C29E5Ah	3_2_00C29D87
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Code function: 4x nop then jmp 04DBBCBDh	11_2_04DBBA40

Source: global traffic

HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 158.101.44.242 158.101.44.242
Source: Joe Sandbox View	IP Address: 172.67.177.134 172.67.177.134

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic

Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49721 -> 158.101.44.242:80

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: unknown

HTTPS traffic detected: 172.67.177.134:443 -> 192.168.2.5:49724 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org

Source: server01.exe, 00000003.00000002.3486443994.000000000286E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: server01.exe, 00000003.00000002.3486443994.000000000286E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.comd
Source: server01.exe, 00000003.00000002.3486443994.000000000286E000.00000004.00000800.00020000.00000000.sdmp, server01.exe, 00000003.00000002.3486443994.000000000285C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: server01.exe, 00000003.00000002.3486443994.00000000027F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: server01.exe, 00000003.00000002.3486443994.000000000286E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/d
Source: F7Xu8bRnXT.exe, 00000001.00000002.2245104085.0000000003575000.00000004.00000800.00020000.00000000.sdmp, server01.exe, 00000003.00000000.2240972319.00000000004E2000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: server01.exe, 00000003.00000002.3486443994.000000000286E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.orgd
Source: powershell.exe, 00000004.00000002.2335845547.0000000006E97000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micro
Source: powershell.exe, 00000004.00000002.2323102165.0000000005366000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000004.00000002.2317843796.0000000004456000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: server01.exe, 00000003.00000002.3486443994.000000000288B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: server01.exe, 00000003.00000002.3486443994.000000000288B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.orgd
Source: powershell.exe, 00000004.00000002.2317843796.0000000004456000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: server01.exe, 00000003.00000002.3486443994.00000000027F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2317843796.0000000004301000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000004.00000002.2317843796.0000000004456000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000004.00000002.2317843796.0000000004456000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000004.00000002.2317843796.0000000004301000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: F7Xu8bRnXT.exe, 00000001.00000002.2245104085.0000000003575000.00000004.00000800.00020000.00000000.sdmp, server01.exe, 00000003.00000000.2240972319.00000000004E2000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: https://api.telegram.org/bot-/sendDocument?chat_id=
Source: powershell.exe, 00000004.00000002.2323102165.0000000005366000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000004.00000002.2323102165.0000000005366000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000004.00000002.2323102165.0000000005366000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000004.00000002.2317843796.0000000004456000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000004.00000002.2335088323.0000000006E4A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://goAppVClientCmdlets.psm1h
Source: powershell.exe, 00000004.00000002.2323102165.0000000005366000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: server01.exe, 00000003.00000002.3486443994.000000000286E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: F7Xu8bRnXT.exe, 00000001.00000002.2245104085.0000000003575000.00000004.00000800.00020000.00000000.sdmp, server01.exe, 00000003.00000000.2240972319.00000000004E2000.00000002.00000001.01000000.00000009.sdmp, server01.exe, 00000003.00000002.3486443994.000000000286E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: server01.exe, 00000003.00000002.3486443994.000000000286E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.75d
Source: server01.exe, 00000003.00000002.3486443994.000000000286E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.75l

Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to capture screen (.Net source)

Source: server01.exe.1.dr, UltraSpeed.cs	.Net Code: TakeScreenshot
Source: 1.2.F7Xu8bRnXT.exe.35a5df0.8.raw.unpack, UltraSpeed.cs	.Net Code: TakeScreenshot
Source: 1.2.F7Xu8bRnXT.exe.35bde10.9.raw.unpack, UltraSpeed.cs	.Net Code: TakeScreenshot

Contains functionality to log keystrokes (.Net Source)

Source: server01.exe.1.dr, UltraSpeed.cs	.Net Code: VKCodeToUnicode
Source: 1.2.F7Xu8bRnXT.exe.35a5df0.8.raw.unpack, UltraSpeed.cs	.Net Code: VKCodeToUnicode
Source: 1.2.F7Xu8bRnXT.exe.35bde10.9.raw.unpack, UltraSpeed.cs	.Net Code: VKCodeToUnicode

System Summary

Malicious sample detected (through community Yara rule)

Source: F7Xu8bRnXT.exe, type: SAMPLE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 1.2.F7Xu8bRnXT.exe.35bde10.9.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 1.2.F7Xu8bRnXT.exe.35bde10.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 1.2.F7Xu8bRnXT.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 1.0.F7Xu8bRnXT.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 1.2.F7Xu8bRnXT.exe.358ddc0.11.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 1.2.F7Xu8bRnXT.exe.358ddc0.11.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 3.0.server01.exe.4e0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 3.0.server01.exe.4e0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 1.2.F7Xu8bRnXT.exe.35bde10.9.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 1.2.F7Xu8bRnXT.exe.35bde10.9.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 1.2.F7Xu8bRnXT.exe.35a5df0.8.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 1.2.F7Xu8bRnXT.exe.35a5df0.8.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 1.2.F7Xu8bRnXT.exe.358ddc0.11.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 1.2.F7Xu8bRnXT.exe.358ddc0.11.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 1.2.F7Xu8bRnXT.exe.35a5df0.8.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 1.2.F7Xu8bRnXT.exe.35a5df0.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000003.00000000.2240972319.00000000004E2000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000001.00000002.2245104085.0000000003575000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: F7Xu8bRnXT.exe PID: 7092, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: server01.exe PID: 2200, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: C:\Users\user\AppData\Local\Temp\server01.exe, type: DROPPED	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: C:\Users\user\AppData\Local\Temp\server01.exe, type: DROPPED	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth

.NET source code contains very large strings

Source: Trading_AIBot.exe.1.dr, cfRDgxIJtEfCD.cs	Long String: Length: 17605
Source: 1.2.F7Xu8bRnXT.exe.25b9e70.3.raw.unpack, cfRDgxIJtEfCD.cs	Long String: Length: 17605
Source: 1.2.F7Xu8bRnXT.exe.25a8a2c.5.raw.unpack, cfRDgxIJtEfCD.cs	Long String: Length: 17605

Drops large PE files

Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe

File dump: apihost.exe.2.dr 665670656

Jump to dropped file

Source: C:\Users\user\Desktop\F7Xu8bRnXT.exe	Code function: 1_2_00408C60	1_2_00408C60
Source: C:\Users\user\Desktop\F7Xu8bRnXT.exe	Code function: 1_2_0040DC11	1_2_0040DC11
Source: C:\Users\user\Desktop\F7Xu8bRnXT.exe	Code function: 1_2_00407C3F	1_2_00407C3F
Source: C:\Users\user\Desktop\F7Xu8bRnXT.exe	Code function: 1_2_00418CCC	1_2_00418CCC
Source: C:\Users\user\Desktop\F7Xu8bRnXT.exe	Code function: 1_2_00406CA0	1_2_00406CA0
Source: C:\Users\user\Desktop\F7Xu8bRnXT.exe	Code function: 1_2_004028B0	1_2_004028B0
Source: C:\Users\user\Desktop\F7Xu8bRnXT.exe	Code function: 1_2_0041A4BE	1_2_0041A4BE
Source: C:\Users\user\Desktop\F7Xu8bRnXT.exe	Code function: 1_2_00418244	1_2_00418244
Source: C:\Users\user\Desktop\F7Xu8bRnXT.exe	Code function: 1_2_00401650	1_2_00401650
Source: C:\Users\user\Desktop\F7Xu8bRnXT.exe	Code function: 1_2_00402F20	1_2_00402F20
Source: C:\Users\user\Desktop\F7Xu8bRnXT.exe	Code function: 1_2_004193C4	1_2_004193C4
Source: C:\Users\user\Desktop\F7Xu8bRnXT.exe	Code function: 1_2_00418788	1_2_00418788
Source: C:\Users\user\Desktop\F7Xu8bRnXT.exe	Code function: 1_2_00402F89	1_2_00402F89
Source: C:\Users\user\Desktop\F7Xu8bRnXT.exe	Code function: 1_2_00402B90	1_2_00402B90
Source: C:\Users\user\Desktop\F7Xu8bRnXT.exe	Code function: 1_2_004073A0	1_2_004073A0
Source: C:\Users\user\Desktop\F7Xu8bRnXT.exe	Code function: 1_2_02181030	1_2_02181030
Source: C:\Users\user\Desktop\F7Xu8bRnXT.exe	Code function: 1_2_02181020	1_2_02181020
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Code function: 3_2_00C2C530	3_2_00C2C530
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Code function: 3_2_00C29480	3_2_00C29480
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Code function: 3_2_00C2C521	3_2_00C2C521
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Code function: 3_2_00C2946F	3_2_00C2946F
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Code function: 3_2_00C2DFD1	3_2_00C2DFD1
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Code function: 3_2_00C2DFB1	3_2_00C2DFB1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_041FB490	4_2_041FB490
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_041FB470	4_2_041FB470
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Code function: 11_2_04DBDAAC	11_2_04DBDAAC
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Code function: 11_2_04DB1B94	11_2_04DB1B94
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Code function: 11_2_04DB25B8	11_2_04DB25B8
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Code function: 11_2_04DB25A8	11_2_04DB25A8
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Code function: 11_2_04DB255F	11_2_04DB255F
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Code function: 11_2_04DB2563	11_2_04DB2563
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Code function: 11_2_04DBE621	11_2_04DBE621
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Code function: 11_2_04DB4174	11_2_04DB4174
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Code function: 11_2_04DB1D20	11_2_04DB1D20
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Code function: 11_2_04DB1B88	11_2_04DB1B88
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Code function: 11_2_05BE3360	11_2_05BE3360

Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe F19763B48B2D2CC92E61127DD0B29760A1C630F03AD7F5055FD1ED9C7D439428
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Temp\server01.exe 7F73743991E06E23B0A1FEC66A8FA5F194D49FBE15C58473D10798758C856D31

Source: C:\Users\user\Desktop\F7Xu8bRnXT.exe

Code function: String function: 0040E1D8 appears 44 times

Source: F7Xu8bRnXT.exe, 00000001.00000002.2245104085.00000000034F5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNova-BTC.exe4 vs F7Xu8bRnXT.exe
Source: F7Xu8bRnXT.exe, 00000001.00000002.2245104085.00000000034F5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_.dll4 vs F7Xu8bRnXT.exe
Source: F7Xu8bRnXT.exe, 00000001.00000003.2221472933.0000000000636000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNova-BTC.e vs F7Xu8bRnXT.exe
Source: F7Xu8bRnXT.exe, 00000001.00000002.2245341110.0000000004AB0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameNova-BTC.exe4 vs F7Xu8bRnXT.exe
Source: F7Xu8bRnXT.exe, 00000001.00000002.2245341110.0000000004AB0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilename_.dll4 vs F7Xu8bRnXT.exe
Source: F7Xu8bRnXT.exe, 00000001.00000003.2218776122.0000000000653000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs F7Xu8bRnXT.exe
Source: F7Xu8bRnXT.exe, 00000001.00000002.2244099849.0000000002214000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNova-BTC.exe4 vs F7Xu8bRnXT.exe
Source: F7Xu8bRnXT.exe, 00000001.00000002.2244099849.0000000002214000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_.dll4 vs F7Xu8bRnXT.exe
Source: F7Xu8bRnXT.exe, 00000001.00000002.2244331248.000000000255B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclrjit.dllT vs F7Xu8bRnXT.exe
Source: F7Xu8bRnXT.exe, 00000001.00000002.2244331248.000000000255B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs F7Xu8bRnXT.exe
Source: F7Xu8bRnXT.exe, 00000001.00000002.2244331248.000000000255B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $]q,\\StringFileInfo\\040904B0\\OriginalFilename vs F7Xu8bRnXT.exe
Source: F7Xu8bRnXT.exe, 00000001.00000002.2244331248.000000000255B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameStub.exe* vs F7Xu8bRnXT.exe
Source: F7Xu8bRnXT.exe, 00000001.00000003.2228551459.0000000000625000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_.dll4 vs F7Xu8bRnXT.exe
Source: F7Xu8bRnXT.exe, 00000001.00000003.2221472933.00000000005E7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNova-BTC.exe4 vs F7Xu8bRnXT.exe
Source: F7Xu8bRnXT.exe, 00000001.00000003.2221472933.00000000005E7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_.dll4 vs F7Xu8bRnXT.exe
Source: F7Xu8bRnXT.exe, 00000001.00000002.2245631475.000000000571C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameStub.exe* vs F7Xu8bRnXT.exe
Source: F7Xu8bRnXT.exe, 00000001.00000002.2245104085.0000000003575000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCloudServices.exe< vs F7Xu8bRnXT.exe
Source: F7Xu8bRnXT.exe, 00000001.00000002.2245462797.0000000005110000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameNova-BTC.exe4 vs F7Xu8bRnXT.exe
Source: F7Xu8bRnXT.exe, 00000001.00000002.2242414215.000000000045A000.00000004.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameNova-BTC.exe4 vs F7Xu8bRnXT.exe
Source: F7Xu8bRnXT.exe, 00000001.00000003.2218871674.0000000000659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs F7Xu8bRnXT.exe
Source: F7Xu8bRnXT.exe	Binary or memory string: OriginalFilenameNova-BTC.exe4 vs F7Xu8bRnXT.exe

Source: F7Xu8bRnXT.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: F7Xu8bRnXT.exe, type: SAMPLE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 1.2.F7Xu8bRnXT.exe.35bde10.9.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 1.2.F7Xu8bRnXT.exe.35bde10.9.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.F7Xu8bRnXT.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 1.0.F7Xu8bRnXT.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 1.2.F7Xu8bRnXT.exe.358ddc0.11.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 1.2.F7Xu8bRnXT.exe.358ddc0.11.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.0.server01.exe.4e0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 3.0.server01.exe.4e0000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.F7Xu8bRnXT.exe.35bde10.9.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 1.2.F7Xu8bRnXT.exe.35bde10.9.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.F7Xu8bRnXT.exe.35a5df0.8.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 1.2.F7Xu8bRnXT.exe.35a5df0.8.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.F7Xu8bRnXT.exe.358ddc0.11.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 1.2.F7Xu8bRnXT.exe.358ddc0.11.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.F7Xu8bRnXT.exe.35a5df0.8.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 1.2.F7Xu8bRnXT.exe.35a5df0.8.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000003.00000000.2240972319.00000000004E2000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000001.00000002.2245104085.0000000003575000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: F7Xu8bRnXT.exe PID: 7092, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: server01.exe PID: 2200, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: C:\Users\user\AppData\Local\Temp\server01.exe, type: DROPPED	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: C:\Users\user\AppData\Local\Temp\server01.exe, type: DROPPED	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/

Source: F7Xu8bRnXT.exe

Static PE information: Section: .rsrc ZLIB complexity 0.9951311383928572

Source: server01.exe.1.dr, UltraSpeed.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: server01.exe.1.dr, COVIDPickers.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.F7Xu8bRnXT.exe.35a5df0.8.raw.unpack, UltraSpeed.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.F7Xu8bRnXT.exe.35a5df0.8.raw.unpack, COVIDPickers.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.F7Xu8bRnXT.exe.34f6478.10.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 1.2.F7Xu8bRnXT.exe.34f6478.10.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 1.2.F7Xu8bRnXT.exe.34f6478.10.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 1.2.F7Xu8bRnXT.exe.4ab0f08.13.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 1.2.F7Xu8bRnXT.exe.4ab0f08.13.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 1.2.F7Xu8bRnXT.exe.4ab0f08.13.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 1.2.F7Xu8bRnXT.exe.3534590.7.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 1.2.F7Xu8bRnXT.exe.3534590.7.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 1.2.F7Xu8bRnXT.exe.3534590.7.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@14/10@2/2

Source: C:\Users\user\Desktop\F7Xu8bRnXT.exe

Code function: 1_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,CloseHandle,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,KiUserExceptionDispatcher,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear,

1_2_004019F0

Source: C:\Users\user\Desktop\F7Xu8bRnXT.exe

1_2_004019F0

Source: C:\Users\user\Desktop\F7Xu8bRnXT.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\F7Xu8bRnXT.exe.log

Jump to behavior

Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4416:120:WilError_03
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Phoenix_Clipper_666
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5500:120:WilError_03

Source: C:\Users\user\Desktop\F7Xu8bRnXT.exe

File created: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe

Jump to behavior

Source: C:\Users\user\Desktop\F7Xu8bRnXT.exe

Command line argument: 08A

1_2_00413780

Source: F7Xu8bRnXT.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\F7Xu8bRnXT.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\F7Xu8bRnXT.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: server01.exe, 00000003.00000002.3497845086.000000000381D000.00000004.00000800.00020000.00000000.sdmp, server01.exe, 00000003.00000002.3486443994.00000000028CE000.00000004.00000800.00020000.00000000.sdmp, server01.exe, 00000003.00000002.3486443994.000000000290D000.00000004.00000800.00020000.00000000.sdmp, server01.exe, 00000003.00000002.3486443994.00000000028EC000.00000004.00000800.00020000.00000000.sdmp, server01.exe, 00000003.00000002.3486443994.00000000028DE000.00000004.00000800.00020000.00000000.sdmp, server01.exe, 00000003.00000002.3486443994.0000000002900000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: F7Xu8bRnXT.exe

ReversingLabs: Detection: 39%

Source: unknown	Process created: C:\Users\user\Desktop\F7Xu8bRnXT.exe "C:\Users\user\Desktop\F7Xu8bRnXT.exe"
Source: C:\Users\user\Desktop\F7Xu8bRnXT.exe	Process created: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe "C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe"
Source: C:\Users\user\Desktop\F7Xu8bRnXT.exe	Process created: C:\Users\user\AppData\Local\Temp\server01.exe "C:\Users\user\AppData\Local\Temp\server01.exe"
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\apihost.exe" /st 07:44 /du 23:59 /sc daily /ri 1 /f
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process created: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe "C:\Users\user\AppData\Roaming\ACCApi\apihost.exe"
Source: C:\Users\user\Desktop\F7Xu8bRnXT.exe	Process created: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe "C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe"	Jump to behavior
Source: C:\Users\user\Desktop\F7Xu8bRnXT.exe	Process created: C:\Users\user\AppData\Local\Temp\server01.exe "C:\Users\user\AppData\Local\Temp\server01.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\apihost.exe" /st 07:44 /du 23:59 /sc daily /ri 1 /f	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process created: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe "C:\Users\user\AppData\Roaming\ACCApi\apihost.exe"	Jump to behavior

Source: C:\Users\user\Desktop\F7Xu8bRnXT.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\F7Xu8bRnXT.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\F7Xu8bRnXT.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\F7Xu8bRnXT.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\F7Xu8bRnXT.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\F7Xu8bRnXT.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\F7Xu8bRnXT.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\F7Xu8bRnXT.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\F7Xu8bRnXT.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\F7Xu8bRnXT.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\F7Xu8bRnXT.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\F7Xu8bRnXT.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\F7Xu8bRnXT.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\F7Xu8bRnXT.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\F7Xu8bRnXT.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\F7Xu8bRnXT.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\F7Xu8bRnXT.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\F7Xu8bRnXT.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\F7Xu8bRnXT.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\F7Xu8bRnXT.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\F7Xu8bRnXT.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\F7Xu8bRnXT.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\F7Xu8bRnXT.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\F7Xu8bRnXT.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\F7Xu8bRnXT.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\F7Xu8bRnXT.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\F7Xu8bRnXT.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\F7Xu8bRnXT.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\F7Xu8bRnXT.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\F7Xu8bRnXT.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\F7Xu8bRnXT.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\F7Xu8bRnXT.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\F7Xu8bRnXT.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Section loaded: cryptbase.dll	Jump to behavior

Source: C:\Users\user\Desktop\F7Xu8bRnXT.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\F7Xu8bRnXT.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\server01.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: F7Xu8bRnXT.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 1.2.F7Xu8bRnXT.exe.34f6478.10.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 1.2.F7Xu8bRnXT.exe.4ab0f08.13.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 1.2.F7Xu8bRnXT.exe.3534590.7.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})

Source: Trading_AIBot.exe.1.dr

Static PE information: 0xAA16B5AE [Fri Jun 4 22:50:22 2060 UTC]

Source: C:\Users\user\Desktop\F7Xu8bRnXT.exe

1_2_004019F0

Source: F7Xu8bRnXT.exe	Static PE information: real checksum: 0x23bfb should be: 0x60b09
Source: Trading_AIBot.exe.1.dr	Static PE information: real checksum: 0x0 should be: 0x16b30
Source: server01.exe.1.dr	Static PE information: real checksum: 0x0 should be: 0x25aa6

Source: C:\Users\user\Desktop\F7Xu8bRnXT.exe	Code function: 1_2_0040E21D push ecx; ret	1_2_0040E230
Source: C:\Users\user\Desktop\F7Xu8bRnXT.exe	Code function: 1_2_02184F57 push edx; ret	1_2_02184F63
Source: C:\Users\user\Desktop\F7Xu8bRnXT.exe	Code function: 1_2_0218474F pushad ; retf	1_2_02184755
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Code function: 3_2_00C2AFA9 pushad ; iretd	3_2_00C2AFAA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_041F632D push eax; ret	4_2_041F6341
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_070C2270 pushad ; retf	4_2_070C2289
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Code function: 11_2_00CAF2F0 push eax; ret	11_2_00CAF2F1

Source: 1.2.F7Xu8bRnXT.exe.34f6478.10.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'Fe9bVredX5jtW', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 1.2.F7Xu8bRnXT.exe.4ab0f08.13.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'Fe9bVredX5jtW', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 1.2.F7Xu8bRnXT.exe.3534590.7.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'Fe9bVredX5jtW', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'

Source: C:\Users\user\Desktop\F7Xu8bRnXT.exe	File created: C:\Users\user\AppData\Local\Temp\server01.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F7Xu8bRnXT.exe	File created: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	File created: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\apihost.exe" /st 07:44 /du 23:59 /sc daily /ri 1 /f

Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\apihost.exe.lnk

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\apihost.exe.lnk

Jump to behavior

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\F7Xu8bRnXT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F7Xu8bRnXT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F7Xu8bRnXT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F7Xu8bRnXT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F7Xu8bRnXT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F7Xu8bRnXT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F7Xu8bRnXT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F7Xu8bRnXT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F7Xu8bRnXT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F7Xu8bRnXT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F7Xu8bRnXT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F7Xu8bRnXT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F7Xu8bRnXT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F7Xu8bRnXT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F7Xu8bRnXT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F7Xu8bRnXT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F7Xu8bRnXT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F7Xu8bRnXT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F7Xu8bRnXT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F7Xu8bRnXT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F7Xu8bRnXT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F7Xu8bRnXT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F7Xu8bRnXT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F7Xu8bRnXT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F7Xu8bRnXT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F7Xu8bRnXT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F7Xu8bRnXT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F7Xu8bRnXT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F7Xu8bRnXT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F7Xu8bRnXT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F7Xu8bRnXT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F7Xu8bRnXT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F7Xu8bRnXT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F7Xu8bRnXT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\F7Xu8bRnXT.exe	Memory allocated: 2180000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\F7Xu8bRnXT.exe	Memory allocated: 24F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\F7Xu8bRnXT.exe	Memory allocated: 2420000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Memory allocated: 1760000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Memory allocated: 3300000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Memory allocated: 3100000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Memory allocated: 6930000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Memory allocated: 2E930000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Memory allocated: C20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Memory allocated: 27F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Memory allocated: 2730000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Memory allocated: A80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Memory allocated: 27F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Memory allocated: 47F0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\F7Xu8bRnXT.exe

1_2_004019F0

Source: C:\Users\user\Desktop\F7Xu8bRnXT.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6232	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3427	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Window / User API: threadDelayed 5373	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Window / User API: threadDelayed 4418	Jump to behavior

Source: C:\Users\user\Desktop\F7Xu8bRnXT.exe

Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep

graph_1-14092

Source: C:\Users\user\Desktop\F7Xu8bRnXT.exe TID: 5580	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe TID: 368	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1240	Thread sleep count: 6232 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6972	Thread sleep count: 3427 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3524	Thread sleep time: -10145709240540247s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe TID: 6616	Thread sleep time: -322380000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe TID: 6616	Thread sleep time: -265080000s >= -30000s	Jump to behavior

Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\F7Xu8bRnXT.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Thread delayed: delay time: 60000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Thread delayed: delay time: 60000	Jump to behavior

Source: server01.exe, 00000003.00000002.3476964338.0000000000A22000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\AppData\Local\Temp\server01.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\F7Xu8bRnXT.exe

Code function: 1_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

1_2_0040CE09

Source: C:\Users\user\Desktop\F7Xu8bRnXT.exe

1_2_004019F0

Source: C:\Users\user\Desktop\F7Xu8bRnXT.exe

1_2_004019F0

Source: C:\Users\user\Desktop\F7Xu8bRnXT.exe

Code function: 1_2_0040ADB0 GetProcessHeap,HeapFree,

1_2_0040ADB0

Source: C:\Users\user\Desktop\F7Xu8bRnXT.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\F7Xu8bRnXT.exe	Code function: 1_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_0040CE09
Source: C:\Users\user\Desktop\F7Xu8bRnXT.exe	Code function: 1_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_0040E61C
Source: C:\Users\user\Desktop\F7Xu8bRnXT.exe	Code function: 1_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_00416F6A
Source: C:\Users\user\Desktop\F7Xu8bRnXT.exe	Code function: 1_2_004123F1 SetUnhandledExceptionFilter,	1_2_004123F1

Source: C:\Users\user\Desktop\F7Xu8bRnXT.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: server01.exe.1.dr, UltraSpeed.cs	Reference to suspicious API methods: MapVirtualKey(VKCode, 0u)
Source: server01.exe.1.dr, FFDecryptor.cs	Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(hModule, method), typeof(T))
Source: server01.exe.1.dr, FFDecryptor.cs	Reference to suspicious API methods: hModuleList.Add(LoadLibrary(text9 + "\\mozglue.dll"))

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi'
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi'			Jump to behavior

Source: C:\Users\user\Desktop\F7Xu8bRnXT.exe	Process created: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe "C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe"	Jump to behavior
Source: C:\Users\user\Desktop\F7Xu8bRnXT.exe	Process created: C:\Users\user\AppData\Local\Temp\server01.exe "C:\Users\user\AppData\Local\Temp\server01.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\apihost.exe" /st 07:44 /du 23:59 /sc daily /ri 1 /f	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process created: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe "C:\Users\user\AppData\Roaming\ACCApi\apihost.exe"	Jump to behavior

Source: C:\Users\user\Desktop\F7Xu8bRnXT.exe

Code function: GetLocaleInfoA,

1_2_00417A20

Source: C:\Users\user\Desktop\F7Xu8bRnXT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\server01.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Queries volume information: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\F7Xu8bRnXT.exe

Code function: 1_2_00412A15 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

1_2_00412A15

Source: C:\Users\user\Desktop\F7Xu8bRnXT.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected MassLogger RAT

Source: Yara match	File source: 1.2.F7Xu8bRnXT.exe.35bde10.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.F7Xu8bRnXT.exe.358ddc0.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.server01.exe.4e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.F7Xu8bRnXT.exe.35bde10.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.F7Xu8bRnXT.exe.35a5df0.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.F7Xu8bRnXT.exe.358ddc0.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.F7Xu8bRnXT.exe.35a5df0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000000.2240972319.00000000004E2000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2245104085.0000000003575000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: F7Xu8bRnXT.exe PID: 7092, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: server01.exe PID: 2200, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\server01.exe, type: DROPPED

Yara detected PureLog Stealer

Source: Yara match	File source: 1.2.F7Xu8bRnXT.exe.34f5570.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.F7Xu8bRnXT.exe.3534590.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.F7Xu8bRnXT.exe.4ab0000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.F7Xu8bRnXT.exe.5110000.14.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.F7Xu8bRnXT.exe.5e7398.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.F7Xu8bRnXT.exe.2254106.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.F7Xu8bRnXT.exe.225500e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.F7Xu8bRnXT.exe.34f5570.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.F7Xu8bRnXT.exe.4ab0f08.13.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.F7Xu8bRnXT.exe.2254106.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.F7Xu8bRnXT.exe.225500e.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.F7Xu8bRnXT.exe.4ab0f08.13.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.F7Xu8bRnXT.exe.5e7398.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.F7Xu8bRnXT.exe.4ab0000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.F7Xu8bRnXT.exe.5110000.14.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.F7Xu8bRnXT.exe.34f6478.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.F7Xu8bRnXT.exe.34f6478.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.F7Xu8bRnXT.exe.3534590.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.2245104085.00000000034F5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2245341110.0000000004AB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2244099849.0000000002214000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.2221472933.00000000005E7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2245462797.0000000005110000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 1.2.F7Xu8bRnXT.exe.35bde10.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.F7Xu8bRnXT.exe.358ddc0.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.server01.exe.4e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.F7Xu8bRnXT.exe.35bde10.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.F7Xu8bRnXT.exe.35a5df0.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.F7Xu8bRnXT.exe.358ddc0.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.F7Xu8bRnXT.exe.35a5df0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000000.2240972319.00000000004E2000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2245104085.0000000003575000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: F7Xu8bRnXT.exe PID: 7092, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: server01.exe PID: 2200, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\server01.exe, type: DROPPED

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\server01.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data			Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\AppData\Local\Temp\server01.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: Yara match	File source: 1.2.F7Xu8bRnXT.exe.35bde10.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.F7Xu8bRnXT.exe.358ddc0.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.server01.exe.4e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.F7Xu8bRnXT.exe.35bde10.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.F7Xu8bRnXT.exe.35a5df0.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.F7Xu8bRnXT.exe.358ddc0.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.F7Xu8bRnXT.exe.35a5df0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000000.2240972319.00000000004E2000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2245104085.0000000003575000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3486443994.0000000002944000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: F7Xu8bRnXT.exe PID: 7092, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: server01.exe PID: 2200, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\server01.exe, type: DROPPED

Remote Access Functionality

Yara detected MassLogger RAT

Source: Yara match	File source: 1.2.F7Xu8bRnXT.exe.35bde10.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.F7Xu8bRnXT.exe.358ddc0.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.server01.exe.4e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.F7Xu8bRnXT.exe.35bde10.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.F7Xu8bRnXT.exe.35a5df0.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.F7Xu8bRnXT.exe.358ddc0.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.F7Xu8bRnXT.exe.35a5df0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000000.2240972319.00000000004E2000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2245104085.0000000003575000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: F7Xu8bRnXT.exe PID: 7092, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: server01.exe PID: 2200, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\server01.exe, type: DROPPED

Yara detected PureLog Stealer

Source: Yara match	File source: 1.2.F7Xu8bRnXT.exe.34f5570.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.F7Xu8bRnXT.exe.3534590.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.F7Xu8bRnXT.exe.4ab0000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.F7Xu8bRnXT.exe.5110000.14.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.F7Xu8bRnXT.exe.5e7398.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.F7Xu8bRnXT.exe.2254106.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.F7Xu8bRnXT.exe.225500e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.F7Xu8bRnXT.exe.34f5570.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.F7Xu8bRnXT.exe.4ab0f08.13.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.F7Xu8bRnXT.exe.2254106.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.F7Xu8bRnXT.exe.225500e.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.F7Xu8bRnXT.exe.4ab0f08.13.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.F7Xu8bRnXT.exe.5e7398.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.F7Xu8bRnXT.exe.4ab0000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.F7Xu8bRnXT.exe.5110000.14.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.F7Xu8bRnXT.exe.34f6478.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.F7Xu8bRnXT.exe.34f6478.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.F7Xu8bRnXT.exe.3534590.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.2245104085.00000000034F5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2245341110.0000000004AB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2244099849.0000000002214000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.2221472933.00000000005E7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2245462797.0000000005110000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 1.2.F7Xu8bRnXT.exe.35bde10.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.F7Xu8bRnXT.exe.358ddc0.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.server01.exe.4e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.F7Xu8bRnXT.exe.35bde10.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.F7Xu8bRnXT.exe.35a5df0.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.F7Xu8bRnXT.exe.358ddc0.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.F7Xu8bRnXT.exe.35a5df0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000000.2240972319.00000000004E2000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2245104085.0000000003575000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: F7Xu8bRnXT.exe PID: 7092, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: server01.exe PID: 2200, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\server01.exe, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	12 Native API	1 DLL Side-Loading	1 DLL Side-Loading	11 Disable or Modify Tools	1 OS Credential Dumping	1 System Time Discovery	Remote Services	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	1 Scheduled Task/Job	11 Process Injection	11 Deobfuscate/Decode Files or Information	1 Input Capture	1 File and Directory Discovery	Remote Desktop Protocol	1 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Scheduled Task/Job	2 Registry Run Keys / Startup Folder	1 Scheduled Task/Job	3 Obfuscated Files or Information	Security Account Manager	24 System Information Discovery	SMB/Windows Admin Shares	1 Screen Capture	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Registry Run Keys / Startup Folder	11 Software Packing	NTDS	131 Security Software Discovery	Distributed Component Object Model	1 Email Collection	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Timestomp	LSA Secrets	31 Virtualization/Sandbox Evasion	SSH	1 Input Capture	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	2 Process Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Masquerading	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	31 Virtualization/Sandbox Evasion	Proc Filesystem	1 System Network Configuration Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	11 Process Injection	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
F7Xu8bRnXT.exe	39%	ReversingLabs	ByteCode-MSIL.Trojan.Dopping
F7Xu8bRnXT.exe	100%	Avira	HEUR/AGEN.1329567
F7Xu8bRnXT.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	100%	Avira	TR/Dropper.Gen
C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	100%	Avira	TR/Dropper.Gen
C:\Users\user\AppData\Local\Temp\server01.exe	100%	Avira	TR/ATRAPS.Gen
C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\server01.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	79%	ReversingLabs	ByteCode-MSIL.Infostealer.ClipBanker
C:\Users\user\AppData\Local\Temp\server01.exe	79%	ReversingLabs	ByteCode-MSIL.Infostealer.Mintluks

Source	Detection	Scanner	Label	Link
https://goAppVClientCmdlets.psm1h	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
reallyfreegeoip.org	172.67.177.134	true	false	high
checkip.dyndns.com	158.101.44.242	true	false	high
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://reallyfreegeoip.org/xml/8.46.123.75	false		high
http://checkip.dyndns.org/	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://nuget.org/NuGet.exe	powershell.exe, 00000004.00000002.2323102165.0000000005366000.00000004.00000800.00020000.00000000.sdmp	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000004.00000002.2317843796.0000000004456000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000004.00000002.2317843796.0000000004456000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000004.00000002.2317843796.0000000004456000.00000004.00000800.00020000.00000000.sdmp	false		high
http://reallyfreegeoip.orgd	server01.exe, 00000003.00000002.3486443994.000000000288B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://goAppVClientCmdlets.psm1h	powershell.exe, 00000004.00000002.2335088323.0000000006E4A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contoso.com/License	powershell.exe, 00000004.00000002.2323102165.0000000005366000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/Icon	powershell.exe, 00000004.00000002.2323102165.0000000005366000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.org	server01.exe, 00000003.00000002.3486443994.000000000286E000.00000004.00000800.00020000.00000000.sdmp, server01.exe, 00000003.00000002.3486443994.000000000285C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/Pester/Pester	powershell.exe, 00000004.00000002.2317843796.0000000004456000.00000004.00000800.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org/xml/8.46.123.75l	server01.exe, 00000003.00000002.3486443994.000000000286E000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.micro	powershell.exe, 00000004.00000002.2335845547.0000000006E97000.00000004.00000020.00020000.00000000.sdmp	false		high
http://checkip.dyndns.comd	server01.exe, 00000003.00000002.3486443994.000000000286E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://aka.ms/pscore6lB	powershell.exe, 00000004.00000002.2317843796.0000000004301000.00000004.00000800.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org/xml/8.46.123.75d	server01.exe, 00000003.00000002.3486443994.000000000286E000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.org/q	F7Xu8bRnXT.exe, 00000001.00000002.2245104085.0000000003575000.00000004.00000800.00020000.00000000.sdmp, server01.exe, 00000003.00000000.2240972319.00000000004E2000.00000002.00000001.01000000.00000009.sdmp	false		high
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000004.00000002.2317843796.0000000004456000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/	powershell.exe, 00000004.00000002.2323102165.0000000005366000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nuget.org/nuget.exe	powershell.exe, 00000004.00000002.2323102165.0000000005366000.00000004.00000800.00020000.00000000.sdmp	false		high
http://reallyfreegeoip.org	server01.exe, 00000003.00000002.3486443994.000000000288B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.orgd	server01.exe, 00000003.00000002.3486443994.000000000286E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org	server01.exe, 00000003.00000002.3486443994.000000000286E000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.com	server01.exe, 00000003.00000002.3486443994.000000000286E000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.org/d	server01.exe, 00000003.00000002.3486443994.000000000286E000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	server01.exe, 00000003.00000002.3486443994.00000000027F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2317843796.0000000004301000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot-/sendDocument?chat_id=	F7Xu8bRnXT.exe, 00000001.00000002.2245104085.0000000003575000.00000004.00000800.00020000.00000000.sdmp, server01.exe, 00000003.00000000.2240972319.00000000004E2000.00000002.00000001.01000000.00000009.sdmp	false		high
https://reallyfreegeoip.org/xml/	F7Xu8bRnXT.exe, 00000001.00000002.2245104085.0000000003575000.00000004.00000800.00020000.00000000.sdmp, server01.exe, 00000003.00000000.2240972319.00000000004E2000.00000002.00000001.01000000.00000009.sdmp, server01.exe, 00000003.00000002.3486443994.000000000286E000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
158.101.44.242	checkip.dyndns.com	United States		31898	ORACLE-BMC-31898US	false
172.67.177.134	reallyfreegeoip.org	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1562296
Start date and time:	2024-11-25 13:38:12 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 6s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	12
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	F7Xu8bRnXT.exe renamed because original name is a hash value
Original Sample Name:	75691dfc15e24ea4920f9309bc68aedf808fb60379c0410d898cafaab4f8328b.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@14/10@2/2
EGA Information:	Successful, ratio: 40%
HCA Information:	Successful, ratio: 97% Number of executed functions: 178 Number of non-executed functions: 46
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, login.live.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target Trading_AIBot.exe, PID 1628 because it is empty
Execution Graph export aborted for target powershell.exe, PID 3504 because it is empty
Execution Graph export aborted for target server01.exe, PID 2200 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: F7Xu8bRnXT.exe

Simulations

Behavior and APIs

Time	Type	Description
07:39:25	API Interceptor	33x Sleep call for process: powershell.exe modified
07:40:02	API Interceptor	22106x Sleep call for process: apihost.exe modified
13:39:26	Task Scheduler	Run new task: AccSys path: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe
13:39:29	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\apihost.exe.lnk

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
158.101.44.242	Pigroots.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	Updated Invoice_0755404645-2024_pdf.exe	Get hash	malicious	Unknown	Browse	checkip.dyndns.org/
	ORDER 20240986 OA.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	Quote document and order list.exe	Get hash	malicious	GuLoader	Browse	checkip.dyndns.org/
	FACTURA A00072-24.- TPC CORPORATE EVENTS SL - PILAR FORGA.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/
	Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	MB267382625AE.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	Xkl0PnD8zFPjfh1.wiz.rtf	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	rPO_1079021908.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	PROFORMA + PENDENTES.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
172.67.177.134	dekont 25.11.2024 PDF.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse
	Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse
	IMG-20241119-WA0006(162KB).Pdf.exe	Get hash	malicious	Snake Keylogger	Browse
	NEW P.O.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse
	MC8017774DOCS.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse
	Shave.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse
	New shipment AWB NO - 09804480383.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse
	sosoliso.exe	Get hash	malicious	MassLogger RAT	Browse
	rrequestforquotation.exe	Get hash	malicious	Snake Keylogger	Browse
	STAFF RECORD_pdf.arj.exe	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
checkip.dyndns.com	dekont 25.11.2024 PDF.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	AWB NO - 09804480383.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	132.226.247.73
	denizbank 25.11.2024 E80 aspc.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	193.122.6.168
	VSP469620.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	order requirements CIF-TRC809910645210.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.8.169
	IMG-20241119-WA0006(162KB).Pdf.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	NEW P.O.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	132.226.247.73
	MC8017774DOCS.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	Pigroots.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
reallyfreegeoip.org	dekont 25.11.2024 PDF.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	172.67.177.134
	AWB NO - 09804480383.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	104.21.67.152
	denizbank 25.11.2024 E80 aspc.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	104.21.67.152
	Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	172.67.177.134
	VSP469620.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.67.152
	order requirements CIF-TRC809910645210.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.67.152
	IMG-20241119-WA0006(162KB).Pdf.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.177.134
	NEW P.O.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	172.67.177.134
	MC8017774DOCS.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	172.67.177.134
	Pigroots.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	104.21.67.152

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ORACLE-BMC-31898US	denizbank 25.11.2024 E80 aspc.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	193.122.6.168
	VSP469620.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	IMG-20241119-WA0006(162KB).Pdf.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	Pigroots.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	Shave.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	ZEcVl5jzXD.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
	powerpc.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	168.139.6.21
	rrequestforquotation.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	SOA SEP 2024.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	193.122.130.0
CLOUDFLARENETUS	https://go.jrwcap.com/e/955053/230645595232154/6xyvj/710994189/h/-dwcgo8Jrn520ILsDDgocWZSKLzmmTijUb6c_giV2KA	Get hash	malicious	Phisher	Browse	104.22.72.81
	dekont 25.11.2024 PDF.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	172.67.177.134
	AWB NO - 09804480383.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	104.21.67.152
	file.exe	Get hash	malicious	Unknown	Browse	104.21.88.250
	Vendor Agreement Ready for Your Signature November 22 2024 at 084923 PM.msg	Get hash	malicious	HTMLPhisher	Browse	172.67.206.110
	file.exe	Get hash	malicious	Amadey, LummaC Stealer, Stealc, Vidar	Browse	104.21.88.250
	file.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.155.47
	ZAMOWIEN.BAT.exe	Get hash	malicious	FormBook, GuLoader	Browse	172.67.145.234
	http://www.kalenderpedia.de	Get hash	malicious	Unknown	Browse	104.18.11.207
	https://protect-us.mimecast.com/s/N4SFCv2zvkHW7wOAuzlFYe	Get hash	malicious	Unknown	Browse	104.19.230.21

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	dekont 25.11.2024 PDF.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	172.67.177.134
	AWB NO - 09804480383.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	172.67.177.134
	denizbank 25.11.2024 E80 aspc.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	172.67.177.134
	Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	172.67.177.134
	VSP469620.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.177.134
	order requirements CIF-TRC809910645210.exe	Get hash	malicious	MassLogger RAT	Browse	172.67.177.134
	IMG-20241119-WA0006(162KB).Pdf.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.177.134
	NEW P.O.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	172.67.177.134
	MC8017774DOCS.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	172.67.177.134
	Pigroots.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	172.67.177.134

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse
	PO #09465610_GQ 003745_SO-242000846.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse
	IBKB.vbs	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer	Browse
	Ziraat_Bankasi_Swift_Mesaji_BXB04958T.cmd	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer	Browse
	Ziraat_Bankasi_Swift_Mesaji_DXB04958T.cmd	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer	Browse
C:\Users\user\AppData\Local\Temp\server01.exe	Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse
C:\Users\user\AppData\Local\Temp\server01.exe	PO #09465610_GQ 003745_SO-242000846.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\F7Xu8bRnXT.exe.log

Download File

Process:	C:\Users\user\Desktop\F7Xu8bRnXT.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	520
Entropy (8bit):	5.355496254154943
Encrypted:	false
SSDEEP:	12:Q3La/hhkvoDLI4MWuCqDLI4MWuPTAOKbbDLI4MWuPJKAVKhav:MLUE4K5E4KlKDE4KhKiKhk
MD5:	3C255C75EA6EB42410894C0D08A4E324
SHA1:	34B3512313867B269C545241CD502B960213293A
SHA-256:	116B1D2FF17BE7FE8C4B6D935688F81C40716AFCD995C76BFC2D1AB2AFA774A7
SHA-512:	41406D84C3FC3D5EFAD22277382D9ADC444D00FDE95C1B7B6BC17E80452CA5DE084D28D892BC0C6890FE64DC733790E26D0F62FE3477175DCCCAC777FDE5E7EC
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	5.379736180876081
Encrypted:	false
SSDEEP:	48:tWSU4y4RQmFoUeWmfgZ9tK8NPZHUm7u1iMugeC/ZPUyus:tLHyIFKL3IZ2KRH9Oug8s
MD5:	AE33CC731D64A142DFCC6A541D0708FC
SHA1:	31B0ECD28CA8892C3EF4B42D1CB1F56BECD14BEA
SHA-256:	776FC4031835093845318CEABF43AB13C51EC6CA69B985C45049EAE2EB6AF623
SHA-512:	5282E64561D28CB77C92089BEAF27D83EC55B2A673BEF6EAB4DFC49BE61A0F6653E73F07A45AFBF93C407546D04BB50D9690CCBF553227A4E6CFE4F98389C211
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	@...e.................................,..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...\|...........System.ConfigurationH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe

Download File

Process:	C:\Users\user\Desktop\F7Xu8bRnXT.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	70656
Entropy (8bit):	4.910353963160109
Encrypted:	false
SSDEEP:	1536:ZPqWETbZazuYx3cOBB03Cmp3gGLWUTbUwjKX4C2b+d:ZizbZazunOKrp3gGhTbUwjI4C2Sd
MD5:	E91A1DB64F5262A633465A0AAFF7A0B0
SHA1:	396E954077D21E94B7C20F7AFA22A76C0ED522D0
SHA-256:	F19763B48B2D2CC92E61127DD0B29760A1C630F03AD7F5055FD1ED9C7D439428
SHA-512:	227D7DAD569D77EF84326E905B7726C722CEFF331246DE4F5CF84428B9721F8B2732A31401DF6A8CEF7513BCD693417D74CDD65D54E43C710D44D1726F14B0C5
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 79%
Joe Sandbox View:	Filename: Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe, Detection: malicious, Browse Filename: PO #09465610_GQ 003745_SO-242000846.exe, Detection: malicious, Browse Filename: IBKB.vbs, Detection: malicious, Browse Filename: Ziraat_Bankasi_Swift_Mesaji_BXB04958T.cmd, Detection: malicious, Browse Filename: Ziraat_Bankasi_Swift_Mesaji_DXB04958T.cmd, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................."...0.............n)... ...@....@.. ....................................`..................................)..W....@.......................`....................................................... ............... ..H............text...t.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................P)......H........>...............=..p...........................................".(!......s3...z...s..........(.....Z~ ...oK...~....(!.....(5....&.(!.....".......".(u....Vs....(v...t.........&..(.....Br...p(.....(....sL....).......0...........r...p....s........ ................. ........8[...........o.........................% ....X....o....a.o.............o....]......... ....X............o....?....(........o....o ...............8........*....0..........r)..p(....("....

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bcme4mpd.5jk.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dzpxpq3b.sty.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nwhchn5x.agd.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_o4m412ps.3p5.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\server01.exe

Download File

Process:	C:\Users\user\Desktop\F7Xu8bRnXT.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	5.678429468734117
Encrypted:	false
SSDEEP:	1536:kwa4JHA8xaqWUiRzGJVeygdqcyxCVf1UMR7pfpPYlM:M4JgqWUi5GJVey2qcyi+MDfpPr
MD5:	0CDBE0CD3CB5C2F0B2CB17E4417D43F5
SHA1:	E3AA6201E5A42ADFA1BFB4506D6852DE22E07494
SHA-256:	7F73743991E06E23B0A1FEC66A8FA5F194D49FBE15C58473D10798758C856D31
SHA-512:	3D125DAE61F960D7E32C0EB4D301EFA3322AB8201E83FB7343EF4C28ED6B788B1906E09106F8A3052630DD880FD278623F7887ED472D7C2552DB96CB3F1C8986
Malicious:	true
Yara Hits:	Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: C:\Users\user\AppData\Local\Temp\server01.exe, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: C:\Users\user\AppData\Local\Temp\server01.exe, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: C:\Users\user\AppData\Local\Temp\server01.exe, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: C:\Users\user\AppData\Local\Temp\server01.exe, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: C:\Users\user\AppData\Local\Temp\server01.exe, Author: Florian Roth
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 79%
Joe Sandbox View:	Filename: Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe, Detection: malicious, Browse Filename: PO #09465610_GQ 003745_SO-242000846.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....................P..v..........^.... ........@.. ....................................`.....................................W.................................................................................... ............... ..H............text...du... ...v.................. ..`.rsrc................x..............@..@.reloc...............~..............@..B................@.......H.......t...........Z....................................................}.....is.......................~...F...@...7...%...m...$...~...~...d...r...a...G...o...n...~.....(....&..( .....s!........s"........s#........s$........s%........Z........o8...........&..(9....&........".......Vs....(B...t...........(C..."~....+."~....+."~....+."~....+."~....+.b.r...p.oa...(....(@....:.~.....o....&.:.(P....(Q......~3...,.~3...+.~1.....x...s....%.3...(.....*..(Y....(L...

C:\Users\user\AppData\Roaming\ACCApi\apihost.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	665670656
Entropy (8bit):	7.999999345077284
Encrypted:	true
SSDEEP:
MD5:	DE61BDDC20CC8EBAC6B7BDC55517BB73
SHA1:	C20FB1AF89C4C1F7A1848BB22A978430EEEA247E
SHA-256:	2401372F9821847068BF952F3F1C85781F5969EB4591F5067F9840C5F7D091DC
SHA-512:	1F54692A210854A7E40626D1422AA4A8C11D15341C92F0065F91C8CCD5559E967FCC7B8C75658FAF096ADD0563E4831DCD386E07071DBD270FF72E6D8FB30AD2
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................."...0.............n)... ...@....@.. ....................................`..................................)..W....@.......................`....................................................... ............... ..H............text...t.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................P)......H........>...............=..p...........................................".(!......s3...z...s..........(.....Z~ ...oK...~....(!.....(5....&.(!.....".......".(u....Vs....(v...t.........&..(.....Br...p(.....(....sL....).......0...........r...p....s........ ................. ........8[...........o.........................% ....X....o....a.o.............o....]......... ....X............o....?....(........o....o ...............8........*....0..........r)..p(....("....

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\apihost.exe.lnk

Download File

Process:	C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe
File Type:	MS Windows shortcut, Item id list present, Has Description string, Has Relative path, Icon number=0, ctime=Sun Dec 31 23:25:52 1600, mtime=Sun Dec 31 23:25:52 1600, atime=Sun Dec 31 23:25:52 1600, length=0, window=
Category:	dropped
Size (bytes):	1820
Entropy (8bit):	2.4170562931013335
Encrypted:	false
SSDEEP:	12:8PsXU1e/tz0/CSL4WWeMNDyWlT9KBQ17+AUvO4Zv7L1Q17+ANCNfBf4t2YZ/elFR:80vWLqeMNmG9KmR+O4ZvPqRMjqy
MD5:	6F855ED56D27EB1076AF8E6BCB1CF43D
SHA1:	F051846AF399F2FC3A9A4DB8FCCF3E608B0614F7
SHA-256:	463C757C60408A5879898FFC4E201BFBE6087ED567E7DAED1B5C454AFBDD62BA
SHA-512:	6EC6DCB51FF117F2FEB40E358AB7D493792046783D5CF30384D8EF18AE1D8332F31FFFA5D05F3C52A2564A943E087A41A119AACAF0FFB39F5BB8FFB0AE707F8F
Malicious:	false
Preview:	L..................F.@......................................................5....P.O. .:i.....+00.../C:\...................P.1...........Users.<............................................U.s.e.r.s.....T.1...........user..>............................................a.l.f.o.n.s.....V.1...........AppData.@............................................A.p.p.D.a.t.a.....V.1...........Roaming.@............................................R.o.a.m.i.n.g.....T.1...........ACCApi..>............................................A.C.C.A.p.i.....b.2...........apihost.exe.H............................................a.p.i.h.o.s.t...e.x.e.........A.c.c.S.y.s.!.....\.....\.....\.....\.....\.A.C.C.A.p.i.\.a.p.i.h.o.s.t...e.x.e.4.C.:.\.U.s.e.r.s.\.a.l.f.o.n.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.T.r.a.d.i.n.g._.A.I.B.o.t...e.x.e.........%USERPROFILE%\AppData\Local\Temp\Trading_AIBot.exe...............................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.704531027076301
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	F7Xu8bRnXT.exe
File size:	354'304 bytes
MD5:	d023bb01175d237f56d56467e5806525
SHA1:	bd936a27e63e60361d1191d058d13418084c7d04
SHA256:	75691dfc15e24ea4920f9309bc68aedf808fb60379c0410d898cafaab4f8328b
SHA512:	2a1d38ae823bea20a30229ea96d4e72a56bf1ed963cc4641e16a36dc1b5dacd96b8c0d6b05b47b527acddf7ccb3efdf562902757a84e8169787a9fb3960ce7ce
SSDEEP:	6144:dDKW1Lgbdl0TBBvjc/7kNVMWCGtJ3kmGz3R9/GP54i7hPTCml3eJrG:Vh1Lk70TnvjcwNAGtJ8r/GBR74w66
TLSH:	C874E02470D1C2B2C47B117084EACB769A397032577A92D7BBDD1B7AAF103E5A3361C9
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......h..-,q.~,q.~,q.~2#.~?q.~...~+q.~,q.~\q.~2#n~.q.~2#i~.q.~2#{~-q.~Rich,q.~................,.?g....PE..L...t..P..........#........

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x40cd2f
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x5000A574 [Fri Jul 13 22:47:16 2012 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	bf5a4aa99e5b160f8521cadd6bfe73b8

Entrypoint Preview

Instruction
call 00007FB69882AF46h
jmp 00007FB698825109h
mov edi, edi
push ebp
mov ebp, esp
sub esp, 20h
mov eax, dword ptr [ebp+08h]
push esi
push edi
push 00000008h
pop ecx
mov esi, 0041F058h
lea edi, dword ptr [ebp-20h]
rep movsd
mov dword ptr [ebp-08h], eax
mov eax, dword ptr [ebp+0Ch]
pop edi
mov dword ptr [ebp-04h], eax
pop esi
test eax, eax
je 00007FB69882526Eh
test byte ptr [eax], 00000008h
je 00007FB698825269h
mov dword ptr [ebp-0Ch], 01994000h
lea eax, dword ptr [ebp-0Ch]
push eax
push dword ptr [ebp-10h]
push dword ptr [ebp-1Ch]
push dword ptr [ebp-20h]
call dword ptr [0041B000h]
leave
retn 0008h
ret
mov eax, 00413563h
mov dword ptr [004228E4h], eax
mov dword ptr [004228E8h], 00412C4Ah
mov dword ptr [004228ECh], 00412BFEh
mov dword ptr [004228F0h], 00412C37h
mov dword ptr [004228F4h], 00412BA0h
mov dword ptr [004228F8h], eax
mov dword ptr [004228FCh], 004134DBh
mov dword ptr [00422900h], 00412BBCh
mov dword ptr [00422904h], 00412B1Eh
mov dword ptr [00422908h], 00412AABh
ret
mov edi, edi
push ebp
mov ebp, esp
call 00007FB6988251FBh
call 00007FB69882BA80h
cmp dword ptr [ebp+00h], 00000000h

Rich Headers

Programming Language:

[ASM] VS2008 build 21022
[IMP] VS2005 build 50727
[C++] VS2008 build 21022
[ C ] VS2008 build 21022
[LNK] VS2008 build 21022

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x215b4	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x26000	0x34690	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x1b1c0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x20da0	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1b000	0x184	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x19718	0x19800	6413732e7b06745a190ef2aab74145e1	False	0.5789483762254902	data	6.748608897608133	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x1b000	0x6db4	0x6e00	5826801f33fc1b607aa8e942aa92e9fa	False	0.5467329545454546	data	6.442956247632331	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x22000	0x30c0	0x1600	2fe51a72ede820cd7cf55a77ba59b1f4	False	0.3126775568181818	data	3.2625868398009703	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x26000	0x34690	0x34800	629b28f255d8a5b591e5e806b1aa217c	False	0.9951311383928572	data	7.998003635666281	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_RCDATA	0x26124	0x34073	data	1.0003331659682695
RT_RCDATA	0x5a198	0x20	data	1.28125
RT_VERSION	0x5a1b8	0x24c	data	0.467687074829932
RT_MANIFEST	0x5a404	0x28c	XML 1.0 document, ASCII text	0.46319018404907975

Imports

DLL	Import
KERNEL32.dll	RaiseException, GetLastError, MultiByteToWideChar, lstrlenA, InterlockedDecrement, GetProcAddress, LoadLibraryA, FreeResource, SizeofResource, LockResource, LoadResource, FindResourceA, GetModuleHandleA, Module32Next, CloseHandle, Module32First, CreateToolhelp32Snapshot, GetCurrentProcessId, SetEndOfFile, GetStringTypeW, GetStringTypeA, LCMapStringW, LCMapStringA, GetLocaleInfoA, HeapFree, GetProcessHeap, HeapAlloc, GetCommandLineA, HeapCreate, VirtualFree, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, VirtualAlloc, HeapReAlloc, HeapSize, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, GetModuleHandleW, Sleep, ExitProcess, WriteFile, GetStdHandle, GetModuleFileNameA, WideCharToMultiByte, GetConsoleCP, GetConsoleMode, ReadFile, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, InterlockedIncrement, SetLastError, GetCurrentThreadId, FlushFileBuffers, SetFilePointer, SetHandleCount, GetFileType, GetStartupInfoA, RtlUnwind, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, QueryPerformanceCounter, GetTickCount, GetSystemTimeAsFileTime, InitializeCriticalSectionAndSpinCount, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, CompareStringA, CompareStringW, SetEnvironmentVariableA, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, SetStdHandle, CreateFileA
ole32.dll	OleInitialize
OLEAUT32.dll	SafeArrayCreate, SafeArrayAccessData, SafeArrayUnaccessData, SafeArrayDestroy, SafeArrayCreateVector, VariantClear, VariantInit, SysFreeString, SysAllocString

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-25T13:39:27.754596+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49721	158.101.44.242	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 25, 2024 13:39:25.827698946 CET	49721	80	192.168.2.5	158.101.44.242
Nov 25, 2024 13:39:25.947834015 CET	80	49721	158.101.44.242	192.168.2.5
Nov 25, 2024 13:39:25.947932005 CET	49721	80	192.168.2.5	158.101.44.242
Nov 25, 2024 13:39:25.948187113 CET	49721	80	192.168.2.5	158.101.44.242
Nov 25, 2024 13:39:26.068057060 CET	80	49721	158.101.44.242	192.168.2.5
Nov 25, 2024 13:39:27.274657011 CET	80	49721	158.101.44.242	192.168.2.5
Nov 25, 2024 13:39:27.310360909 CET	49721	80	192.168.2.5	158.101.44.242
Nov 25, 2024 13:39:27.430525064 CET	80	49721	158.101.44.242	192.168.2.5
Nov 25, 2024 13:39:27.709492922 CET	80	49721	158.101.44.242	192.168.2.5
Nov 25, 2024 13:39:27.754595995 CET	49721	80	192.168.2.5	158.101.44.242
Nov 25, 2024 13:39:28.590810061 CET	49724	443	192.168.2.5	172.67.177.134
Nov 25, 2024 13:39:28.590861082 CET	443	49724	172.67.177.134	192.168.2.5
Nov 25, 2024 13:39:28.590920925 CET	49724	443	192.168.2.5	172.67.177.134
Nov 25, 2024 13:39:28.647546053 CET	49724	443	192.168.2.5	172.67.177.134
Nov 25, 2024 13:39:28.647577047 CET	443	49724	172.67.177.134	192.168.2.5
Nov 25, 2024 13:39:29.875833988 CET	443	49724	172.67.177.134	192.168.2.5
Nov 25, 2024 13:39:29.875956059 CET	49724	443	192.168.2.5	172.67.177.134
Nov 25, 2024 13:39:29.891925097 CET	49724	443	192.168.2.5	172.67.177.134
Nov 25, 2024 13:39:29.891943932 CET	443	49724	172.67.177.134	192.168.2.5
Nov 25, 2024 13:39:29.892358065 CET	443	49724	172.67.177.134	192.168.2.5
Nov 25, 2024 13:39:30.026913881 CET	49724	443	192.168.2.5	172.67.177.134
Nov 25, 2024 13:39:30.071336031 CET	443	49724	172.67.177.134	192.168.2.5
Nov 25, 2024 13:39:30.357765913 CET	443	49724	172.67.177.134	192.168.2.5
Nov 25, 2024 13:39:30.357893944 CET	443	49724	172.67.177.134	192.168.2.5
Nov 25, 2024 13:39:30.357952118 CET	49724	443	192.168.2.5	172.67.177.134
Nov 25, 2024 13:39:30.431936979 CET	49724	443	192.168.2.5	172.67.177.134
Nov 25, 2024 13:40:32.709333897 CET	80	49721	158.101.44.242	192.168.2.5
Nov 25, 2024 13:40:32.709388971 CET	49721	80	192.168.2.5	158.101.44.242
Nov 25, 2024 13:41:07.723992109 CET	49721	80	192.168.2.5	158.101.44.242
Nov 25, 2024 13:41:07.845007896 CET	80	49721	158.101.44.242	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 25, 2024 13:39:25.632941961 CET	59114	53	192.168.2.5	1.1.1.1
Nov 25, 2024 13:39:25.772130966 CET	53	59114	1.1.1.1	192.168.2.5
Nov 25, 2024 13:39:28.097711086 CET	50540	53	192.168.2.5	1.1.1.1
Nov 25, 2024 13:39:28.589934111 CET	53	50540	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 25, 2024 13:39:25.632941961 CET	192.168.2.5	1.1.1.1	0x4076	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Nov 25, 2024 13:39:28.097711086 CET	192.168.2.5	1.1.1.1	0x35cc	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 25, 2024 13:39:25.772130966 CET	1.1.1.1	192.168.2.5	0x4076	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 25, 2024 13:39:25.772130966 CET	1.1.1.1	192.168.2.5	0x4076	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Nov 25, 2024 13:39:25.772130966 CET	1.1.1.1	192.168.2.5	0x4076	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Nov 25, 2024 13:39:25.772130966 CET	1.1.1.1	192.168.2.5	0x4076	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Nov 25, 2024 13:39:25.772130966 CET	1.1.1.1	192.168.2.5	0x4076	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Nov 25, 2024 13:39:25.772130966 CET	1.1.1.1	192.168.2.5	0x4076	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Nov 25, 2024 13:39:28.589934111 CET	1.1.1.1	192.168.2.5	0x35cc	No error (0)	reallyfreegeoip.org		172.67.177.134	A (IP address)	IN (0x0001)	false
Nov 25, 2024 13:39:28.589934111 CET	1.1.1.1	192.168.2.5	0x35cc	No error (0)	reallyfreegeoip.org		104.21.67.152	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49721	158.101.44.242	80	2200	C:\Users\user\AppData\Local\Temp\server01.exe

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 13:39:25.948187113 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 25, 2024 13:39:27.274657011 CET	320	IN	HTTP/1.1 200 OK Date: Mon, 25 Nov 2024 12:39:27 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 3ab50409a75eda3ee0577838cee641c4 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>
Nov 25, 2024 13:39:27.310360909 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Nov 25, 2024 13:39:27.709492922 CET	320	IN	HTTP/1.1 200 OK Date: Mon, 25 Nov 2024 12:39:27 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: ddd266514e2e60fbea15b6718d94289b Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49724	172.67.177.134	443	2200	C:\Users\user\AppData\Local\Temp\server01.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-25 12:39:30 UTC	84	OUT	GET /xml/8.46.123.75 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-11-25 12:39:30 UTC	851	IN	HTTP/1.1 200 OK Date: Mon, 25 Nov 2024 12:39:30 GMT Content-Type: text/xml Content-Length: 361 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 502279 Last-Modified: Tue, 19 Nov 2024 17:08:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=quvUg76WeW2Ppn1irLt49XwSIKLNdic72bmcZg26b49%2Fx3BOAfKz9C7RHc%2BSvE7M91meBksLBd2dUoxmOYYeUZZa2LBvS8tA0AHfc78eW3pP38X6gMPatwzjYHGYloNqSEDPC%2Faa"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e81b3adaf750c8e-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1664&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2850&recv_bytes=698&delivery_rate=1738095&cwnd=181&unsent_bytes=0&cid=e6013bf929d7f9c8&ts=497&x=0"
2024-11-25 12:39:30 UTC	361	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f 6e Data Ascii: <Response><IP>8.46.123.75</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZon

Target ID:	1
Start time:	07:39:19
Start date:	25/11/2024
Path:	C:\Users\user\Desktop\F7Xu8bRnXT.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\F7Xu8bRnXT.exe"
Imagebase:	0x400000
File size:	354'304 bytes
MD5 hash:	D023BB01175D237F56D56467E5806525
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000001.00000002.2245104085.00000000034F5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000001.00000002.2245341110.0000000004AB0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000001.00000002.2244099849.0000000002214000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000001.00000003.2221472933.00000000005E7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000001.00000002.2245462797.0000000005110000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000001.00000002.2245104085.0000000003575000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.2245104085.0000000003575000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000001.00000002.2245104085.0000000003575000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000001.00000002.2245104085.0000000003575000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	07:39:22
Start date:	25/11/2024
Path:	C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe"
Imagebase:	0xf10000
File size:	70'656 bytes
MD5 hash:	E91A1DB64F5262A633465A0AAFF7A0B0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 79%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	07:39:22
Start date:	25/11/2024
Path:	C:\Users\user\AppData\Local\Temp\server01.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\server01.exe"
Imagebase:	0x4e0000
File size:	98'304 bytes
MD5 hash:	0CDBE0CD3CB5C2F0B2CB17E4417D43F5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000003.00000000.2240972319.00000000004E2000.00000002.00000001.01000000.00000009.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000000.2240972319.00000000004E2000.00000002.00000001.01000000.00000009.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000003.00000000.2240972319.00000000004E2000.00000002.00000001.01000000.00000009.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000003.00000000.2240972319.00000000004E2000.00000002.00000001.01000000.00000009.sdmp, Author: unknown Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.3486443994.0000000002944000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: C:\Users\user\AppData\Local\Temp\server01.exe, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: C:\Users\user\AppData\Local\Temp\server01.exe, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: C:\Users\user\AppData\Local\Temp\server01.exe, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: C:\Users\user\AppData\Local\Temp\server01.exe, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: C:\Users\user\AppData\Local\Temp\server01.exe, Author: Florian Roth
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 79%, ReversingLabs
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	07:39:24
Start date:	25/11/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi'
Imagebase:	0xbb0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	07:39:24
Start date:	25/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	07:39:24
Start date:	25/11/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\apihost.exe" /st 07:44 /du 23:59 /sc daily /ri 1 /f
Imagebase:	0x850000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	07:39:25
Start date:	25/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	07:39:28
Start date:	25/11/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff6ef0c0000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	07:40:00
Start date:	25/11/2024
Path:	C:\Users\user\AppData\Roaming\ACCApi\apihost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\ACCApi\apihost.exe"
Imagebase:	0x410000
File size:	665'670'656 bytes
MD5 hash:	DE61BDDC20CC8EBAC6B7BDC55517BB73
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	5.3%
Dynamic/Decrypted Code Coverage:	0.6%
Signature Coverage:	5.2%
Total number of Nodes:	1237
Total number of Limit Nodes:	46

Executed Functions

Function 004019F0 Relevance: 146.0, APIs: 34, Strings: 49, Instructions: 747
comprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OleInitialize.OLE32(00000000), ref: 004019FD
_getenv.LIBCMT ref: 00401ABA
GetCurrentProcessId.KERNEL32 ref: 00401ACD
CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 00401AD6
Module32First.KERNEL32 ref: 00401C48
CloseHandle.KERNEL32(00000000,?,?,00000008,00000000), ref: 00401C9D
Module32Next.KERNEL32(00000000,?), ref: 00401D02
Module32Next.KERNEL32(00000000,?), ref: 00401DB6
CloseHandle.KERNELBASE(00000000), ref: 00401DC4
GetModuleHandleA.KERNEL32(00000000), ref: 00401DCB
FindResourceA.KERNEL32(00000000,00000000,00000008), ref: 00401E90
LoadResource.KERNEL32(00000000,00000000), ref: 00401E9E
LockResource.KERNEL32(00000000), ref: 00401EA7
SizeofResource.KERNEL32(00000000,00000000), ref: 00401EB3
_malloc.LIBCMT ref: 00401EBA
_memset.LIBCMT ref: 00401EDD
SizeofResource.KERNEL32(00000000,?), ref: 00401F02

Strings

v, xrefs: 0040206A
*, xrefs: 004020E1
5, xrefs: 00402109
v, xrefs: 00401E4B
", xrefs: 00401B0F
[, xrefs: 00401B37
V, xrefs: 00401E19
v, xrefs: 0040212C
!, xrefs: 00401B1E
{, xrefs: 00401E3C
_._, xrefs: 00402257
0, xrefs: 00401BBD
E, xrefs: 00401E0F
{, xrefs: 00401B4B
D, xrefs: 00401DFB
!, xrefs: 0040201A
4, xrefs: 00402074
*, xrefs: 00401A1F
___, xrefs: 0040227D
x, xrefs: 0040214A
[, xrefs: 00402047
), xrefs: 0040202E
x, xrefs: 00401B78
8, xrefs: 00401BA9
h, xrefs: 00401A6F
V, xrefs: 00402038
6, xrefs: 004020C5
{, xrefs: 0040211D
o, xrefs: 00402097
W, xrefs: 00401B23
4, xrefs: 00401B64
o, xrefs: 00401B8D
v, xrefs: 00401B5A
!, xrefs: 004020CF
W, xrefs: 004020E6
%, xrefs: 004020FA
:, xrefs: 00401B28
', xrefs: 00401AF6
o, xrefs: 00402159
U, xrefs: 004020F5
W, xrefs: 00402033
', xrefs: 00402006
., xrefs: 00401B0A
x, xrefs: 00401E69
W, xrefs: 00401B14
4, xrefs: 00402136
x, xrefs: 00402088
., xrefs: 0040201F
{, xrefs: 0040205B

Memory Dump Source

Source File: 00000001.00000002.2242371364.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2242354161.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2242394241.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2242414215.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2242414215.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2242414215.000000000045A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_F7Xu8bRnXT.jbxd

Similarity

API ID: Resource$HandleModule32$CloseNextSizeof$CreateCurrentFindFirstInitializeLoadLockModuleProcessSnapshotToolhelp32_getenv_malloc_memset
String ID: !$!$!$"$%$'$'$)$*$*$.$.$0$4$4$4$5$6$8$:$D$E$U$V$V$W$W$W$W$[$[$_._$___$h$o$o$o$v$v$v$v$x$x$x$x${${${${
API String ID: 1430744539-2962942730
Opcode ID: 224088bd6fdf40f00aacdd5f7db7c03047c3cc993abb63ba2c7175de51848a6e
Instruction ID: 7b7814addfdf4b3cbdaef5ede101091f5fb3e94df766619d88950efa0d528cfd
Opcode Fuzzy Hash: 224088bd6fdf40f00aacdd5f7db7c03047c3cc993abb63ba2c7175de51848a6e
Instruction Fuzzy Hash: B3628C2100C7C19EC321DB388888A5FBFE55FA6328F484A5DF1E55B2E2C7799509C76B

Function 004018F0 Relevance: 6.3, APIs: 5, Instructions: 77
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenA.KERNEL32(?), ref: 00401906
MultiByteToWideChar.KERNEL32(?,00000000,?,00000001,00000000,00000001), ref: 0040192F
GetLastError.KERNEL32 ref: 00401940
MultiByteToWideChar.KERNEL32(?,00000000,?,00000001,00000000,00000000), ref: 00401958
MultiByteToWideChar.KERNEL32(?,00000000,?,00000001,00000000,00000000), ref: 00401980

Memory Dump Source

Source File: 00000001.00000002.2242371364.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2242354161.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2242394241.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2242414215.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2242414215.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2242414215.000000000045A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_F7Xu8bRnXT.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLastlstrlen
String ID:
API String ID: 3322701435-0
Opcode ID: dc08e0b6a0031b3e1018e6655837127b4a51d66f486618f8dc54bc0ca8c4194d
Instruction ID: 001f8acd6346668203df0e37acbb0982e2c141f20d3592a2a78c171e7710dcce
Opcode Fuzzy Hash: dc08e0b6a0031b3e1018e6655837127b4a51d66f486618f8dc54bc0ca8c4194d
Instruction Fuzzy Hash: 4011C4756003247BD3309B15CC88F677F6CEB86BA9F008169FD85AB291C635AC04C6F8

Function 0040AF66 Relevance: 6.0, APIs: 4, Instructions: 34
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_malloc.LIBCMT ref: 0040AF80

Part of subcall function 0040B84D: __FF_MSGBANNER.LIBCMT ref: 0040B870
Part of subcall function 0040B84D: __NMSG_WRITE.LIBCMT ref: 0040B877
Part of subcall function 0040B84D: RtlAllocateHeap.NTDLL(00000000,-0000000E,00000001,00000000,00000000,?,00411C86,00000001,00000001,00000001,?,0040D66A,00000018,00421240,0000000C,0040D6FB), ref: 0040B8C4

std::bad_alloc::bad_alloc.LIBCMT ref: 0040AFA3

Part of subcall function 0040AEFC: std::exception::exception.LIBCMT ref: 0040AF08

std::bad_exception::bad_exception.LIBCMT ref: 0040AFB7
__CxxThrowException@8.LIBCMT ref: 0040AFC5

Memory Dump Source

Source File: 00000001.00000002.2242371364.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2242354161.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2242394241.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2242414215.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2242414215.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2242414215.000000000045A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_F7Xu8bRnXT.jbxd

Similarity

API ID: AllocateException@8HeapThrow_mallocstd::bad_alloc::bad_allocstd::bad_exception::bad_exceptionstd::exception::exception
String ID:
API String ID: 1411284514-0
Opcode ID: 248d97f5b0d58b32bb2c6dfd0cee56c1e8c558e55d5e2921fa5105a46d33be9f
Instruction ID: 8b9ae61c6da4be1dff3a05d3864a1109474d1d20ea1a05e38be312cad591667e
Opcode Fuzzy Hash: 248d97f5b0d58b32bb2c6dfd0cee56c1e8c558e55d5e2921fa5105a46d33be9f
Instruction Fuzzy Hash: 67F0BE21A0030662CA15BB61EC06D8E3B688F4031CB6000BFE811761D2CFBCEA55859E

Function 0040E7EE Relevance: 3.0, APIs: 2, Instructions: 8
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

___crtCorExitProcess.LIBCMT ref: 0040E7F6

Part of subcall function 0040E7C3: GetModuleHandleW.KERNEL32(mscoree.dll,?,0040E7FB,00000001,?,0040B886,000000FF,0000001E,?,00411C86,00000001,00000001,00000001,?,0040D66A,00000018), ref: 0040E7CD
Part of subcall function 0040E7C3: GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0040E7DD
Part of subcall function 0040E7C3: CorExitProcess.MSCOREE(00000001,?,0040E7FB,00000001,?,0040B886,000000FF,0000001E,?,00411C86,00000001,00000001,00000001,?,0040D66A,00000018), ref: 0040E7EA

ExitProcess.KERNEL32 ref: 0040E7FF

Memory Dump Source

Source File: 00000001.00000002.2242371364.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2242354161.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2242394241.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2242414215.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2242414215.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2242414215.000000000045A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_F7Xu8bRnXT.jbxd

Similarity

API ID: ExitProcess$AddressHandleModuleProc___crt
String ID:
API String ID: 2427264223-0
Opcode ID: 65da83064d662722dc3cf0b1a9484b1fe75efcd2066e1800ec5593f74242e35d
Instruction ID: d9ec683f250bcd397ae0bae66fbc2b9097e114182cfe22e5ca4178904d999afd
Opcode Fuzzy Hash: 65da83064d662722dc3cf0b1a9484b1fe75efcd2066e1800ec5593f74242e35d
Instruction Fuzzy Hash: ADB09B31000108BFDB112F13DC09C493F59DB40750711C435F41805071DF719D5195D5

Function 021896D0 Relevance: 1.6, APIs: 1, Instructions: 56
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 02189744

Memory Dump Source

Source File: 00000001.00000002.2243972291.0000000002180000.00000040.00000800.00020000.00000000.sdmp, Offset: 02180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2180000_F7Xu8bRnXT.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 9c533b52095138890283eacbba88c16ddb5df5754ce6f28fb7b29f926724dfd4
Instruction ID: 2bc2d9ad376a7ae7c4fd6fc932827d80cc5b66891de572192dc0075fb0d5efbb
Opcode Fuzzy Hash: 9c533b52095138890283eacbba88c16ddb5df5754ce6f28fb7b29f926724dfd4
Instruction Fuzzy Hash: E51106B1D002499FDB10DFAAC584AEEFBF4FF48314F10842AE519A7250CB78A944CFA1

Function 00401870 Relevance: 1.5, APIs: 1, Instructions: 33
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040AF66: _malloc.LIBCMT ref: 0040AF80

SysAllocString.OLEAUT32 ref: 00401898

Memory Dump Source

Source File: 00000001.00000002.2242371364.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2242354161.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2242394241.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2242414215.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2242414215.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2242414215.000000000045A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_F7Xu8bRnXT.jbxd

Similarity

API ID: AllocString_malloc
String ID:
API String ID: 959018026-0
Opcode ID: 2b2277ba2f7599175ad158743716730806d9da3e8ba5769d67c84622d6ab0768
Instruction ID: c2922591c351a4c461934d9b8210169c8be4224f150a02a6988c85a72df9e820
Opcode Fuzzy Hash: 2b2277ba2f7599175ad158743716730806d9da3e8ba5769d67c84622d6ab0768
Instruction Fuzzy Hash: BEF02073501322A7E3316B658841B47B6E8DF80B28F00823FFD44BB391D3B9C85082EA

Function 0040D534 Relevance: 1.5, APIs: 1, Instructions: 20
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000), ref: 0040D549

Memory Dump Source

Source File: 00000001.00000002.2242371364.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2242354161.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2242394241.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2242414215.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2242414215.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2242414215.000000000045A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_F7Xu8bRnXT.jbxd

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: b92e553731a4154449cde6b8e59536b0b0aa674871376bfeaf174e1f515a675d
Instruction ID: a29dbb507fbbbc11cf477c5ad410ace9233c9b691e3651c0b65acef059567112
Opcode Fuzzy Hash: b92e553731a4154449cde6b8e59536b0b0aa674871376bfeaf174e1f515a675d
Instruction Fuzzy Hash: E8D05E36A54348AADB11AFB47C08B623BDCE388396F404576F80DC6290F678D641C548

Function 0040EA0A Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_doexit.LIBCMT ref: 0040EA16

Part of subcall function 0040E8DE: __lock.LIBCMT ref: 0040E8EC
Part of subcall function 0040E8DE: __decode_pointer.LIBCMT ref: 0040E923
Part of subcall function 0040E8DE: __decode_pointer.LIBCMT ref: 0040E938
Part of subcall function 0040E8DE: __decode_pointer.LIBCMT ref: 0040E962
Part of subcall function 0040E8DE: __decode_pointer.LIBCMT ref: 0040E978
Part of subcall function 0040E8DE: __decode_pointer.LIBCMT ref: 0040E985
Part of subcall function 0040E8DE: __initterm.LIBCMT ref: 0040E9B4
Part of subcall function 0040E8DE: __initterm.LIBCMT ref: 0040E9C4

Memory Dump Source

Source File: 00000001.00000002.2242371364.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2242354161.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2242394241.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2242414215.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2242414215.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2242414215.000000000045A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_F7Xu8bRnXT.jbxd

Similarity

API ID: __decode_pointer$__initterm$__lock_doexit
String ID:
API String ID: 1597249276-0
Opcode ID: 02276376eab60fb44a6de362a8cb41930a671a9c3f5feaa45b9c6d7d217bd1ad
Instruction ID: a0257ab8b89ab24c4dda27abc63ac43d0f25756bab2839dd78a8b277d7454467
Opcode Fuzzy Hash: 02276376eab60fb44a6de362a8cb41930a671a9c3f5feaa45b9c6d7d217bd1ad
Instruction Fuzzy Hash: D2B0923298420833EA202643AC03F063B1987C0B64E244031BA0C2E1E1A9A2A9618189

Function 021898A8 Relevance: 1.3, APIs: 1, Instructions: 49
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CloseHandle.KERNELBASE ref: 0218990A

Memory Dump Source

Source File: 00000001.00000002.2243972291.0000000002180000.00000040.00000800.00020000.00000000.sdmp, Offset: 02180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2180000_F7Xu8bRnXT.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: a7ff730021746a0007e3e2fdab0606df4afa8e9e4142ba8b3862276311e0782c
Instruction ID: 072f9eb29781d8e77041eeb929fb65184f350a4107798c668a1dd4390e03983c
Opcode Fuzzy Hash: a7ff730021746a0007e3e2fdab0606df4afa8e9e4142ba8b3862276311e0782c
Instruction Fuzzy Hash: B01128B1D002488BDB10DFAAC5457AEFBF4EF88314F208459D519A7240CB78A944CFA4

Function 020DD01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2243668441.00000000020DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 020DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_20dd000_F7Xu8bRnXT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 447cb5ca443e7933b2e79b4f3120818651eed6d0f8695520a4381f940d0cc533
Instruction ID: fc1c2c0b8b28833d2cc9779ba778b6c02a9dfd18bdf727e7e85686a9c9ca50ea
Opcode Fuzzy Hash: 447cb5ca443e7933b2e79b4f3120818651eed6d0f8695520a4381f940d0cc533
Instruction Fuzzy Hash: DA012B724063049AE7218B15CD84B67BFDCEFC5324F18C529ED480B246C3799801D6B1

Function 020DD006 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2243668441.00000000020DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 020DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_20dd000_F7Xu8bRnXT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 635450b18eecb864511b0cd2115ab9ee63335e01c4fd074144892011a3c9c3b5
Instruction ID: 95e0da24335165430dbce5dd3ec92b99b1ce4b53a8f8761b9a3d71c985457bf4
Opcode Fuzzy Hash: 635450b18eecb864511b0cd2115ab9ee63335e01c4fd074144892011a3c9c3b5
Instruction Fuzzy Hash: 83015E7240E3C09ED7128B258894B52BFB8EF53224F1985DBD9888F297C2699845D772

Non-executed Functions

Function 0040CE09 Relevance: 7.6, APIs: 5, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 004136F4
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00413709
UnhandledExceptionFilter.KERNEL32(0041FB80), ref: 00413714
GetCurrentProcess.KERNEL32(C0000409), ref: 00413730
TerminateProcess.KERNEL32(00000000), ref: 00413737

Memory Dump Source

Source File: 00000001.00000002.2242371364.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2242354161.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2242394241.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2242414215.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2242414215.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2242414215.000000000045A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_F7Xu8bRnXT.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 8d1f5aed7c5dfd20079dd4d946f02ab3c4db913f1b194ab0176bc05653236347
Instruction ID: 93bf0ba95bc2a0faef8203f21c221f33afe887fd41373e09ae0fa508b254143b
Opcode Fuzzy Hash: 8d1f5aed7c5dfd20079dd4d946f02ab3c4db913f1b194ab0176bc05653236347
Instruction Fuzzy Hash: A521C3B4601204EFD720DF65E94A6457FB4FB08356F80407AE50887772E7B86682CF4D

Function 00408C60 Relevance: 4.1, Strings: 3, Instructions: 377COMMON

Download Yara Rule

Strings

@, xrefs: 00408D03
PA, xrefs: 00408E3D
@, xrefs: 00409092

Memory Dump Source

Source File: 00000001.00000002.2242371364.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2242354161.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2242394241.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2242414215.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2242414215.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2242414215.000000000045A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_F7Xu8bRnXT.jbxd

Similarity

API ID:
String ID: @$@$PA
API String ID: 0-3039612711
Opcode ID: 524773d1bc2011db47f0014430bcd25baf081f96639b8f8b2c6f9a821cea509b
Instruction ID: 284407f43597d2b1529aa5dbb826e4f49811f0ea4eaa41d9cabafce47d44ff82
Opcode Fuzzy Hash: 524773d1bc2011db47f0014430bcd25baf081f96639b8f8b2c6f9a821cea509b
Instruction Fuzzy Hash: 64E159316083418FC724DF28C58066BB7E1AFD9314F14493EE8C5A7391EB79D949CB8A

Function 0040ADB0 Relevance: 2.5, APIs: 2, Instructions: 23memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0040ADD0
HeapFree.KERNEL32(00000000,00000000,00000000), ref: 0040ADE1

Memory Dump Source

Source File: 00000001.00000002.2242371364.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2242354161.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2242394241.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2242414215.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2242414215.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2242414215.000000000045A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_F7Xu8bRnXT.jbxd

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 97be969a41baf58eb72298c462d2c401217e5b830f10c891868ac5f2a1a85b43
Instruction ID: 72dd180cd7110ee49b406fd12918c6a771032a3efea8c67e715e4993f3fed615
Opcode Fuzzy Hash: 97be969a41baf58eb72298c462d2c401217e5b830f10c891868ac5f2a1a85b43
Instruction Fuzzy Hash: 54E09A312003009FC320AB61DC08FA337AAEF88311F04C829E55A936A0DB78EC42CB58

Function 004123F1 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000123AF), ref: 004123F6

Memory Dump Source

Source File: 00000001.00000002.2242371364.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2242354161.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2242394241.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2242414215.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2242414215.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2242414215.000000000045A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_F7Xu8bRnXT.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 4924e8eeaf860e2c76ee0bfea96ab0c911441afc8f12962253436aa9ca0899ee
Instruction ID: 17be93bd3878235df00445469c4c747c8dbd7a907b9f456768254b9c32cbcc1b
Opcode Fuzzy Hash: 4924e8eeaf860e2c76ee0bfea96ab0c911441afc8f12962253436aa9ca0899ee
Instruction Fuzzy Hash: CA900270661144D7865017705D0968669949B4C6427618471653DD4098DBAA40505569

Function 02181020 Relevance: 1.4, Strings: 1, Instructions: 147COMMON

Download Yara Rule

Strings

4']q, xrefs: 021810EA

Memory Dump Source

Source File: 00000001.00000002.2243972291.0000000002180000.00000040.00000800.00020000.00000000.sdmp, Offset: 02180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2180000_F7Xu8bRnXT.jbxd

Similarity

API ID:
String ID: 4']q
API String ID: 0-1259897404
Opcode ID: 9978263b112a46f0132ed03a15e762d5194cc2aabab92b88a31391e09d8dd0d3
Instruction ID: 1b44f3a2d35e4e8a123c44545d33226c36a23012d664cd53a38a89b49b33e6bc
Opcode Fuzzy Hash: 9978263b112a46f0132ed03a15e762d5194cc2aabab92b88a31391e09d8dd0d3
Instruction Fuzzy Hash: 76512F70E402058FD709EF7AE99069ABBE7FBC5300F08C969C004AB368DB756515CF61

Function 02181030 Relevance: 1.4, Strings: 1, Instructions: 142COMMON

Download Yara Rule

Strings

4']q, xrefs: 021810EA

Memory Dump Source

Source File: 00000001.00000002.2243972291.0000000002180000.00000040.00000800.00020000.00000000.sdmp, Offset: 02180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2180000_F7Xu8bRnXT.jbxd

Similarity

API ID:
String ID: 4']q
API String ID: 0-1259897404
Opcode ID: 61a6b344d7b2f1e7248583d722826b1622e4ee5bd58055d174b969efa0de6a67
Instruction ID: c915fe41b0f7ed2de5cf27109d007780fbe91c335046805d795941aff13a8216
Opcode Fuzzy Hash: 61a6b344d7b2f1e7248583d722826b1622e4ee5bd58055d174b969efa0de6a67
Instruction Fuzzy Hash: 95510D70E416058FD709EF6BE99069ABBE7FBC9300F08C96AC004AB26CDB756515CF61

Function 00407C3F Relevance: .8, Instructions: 783COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2242371364.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2242354161.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2242394241.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2242414215.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2242414215.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2242414215.000000000045A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_F7Xu8bRnXT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8976f0a61fc1960936828f21bd26f3318fd330ab7a4f50ce487ee3b945538f04
Instruction ID: d5e3495c9826dce769b252ea72d1bcaf7b5d46a24141b332915225fd3cdae7ad
Opcode Fuzzy Hash: 8976f0a61fc1960936828f21bd26f3318fd330ab7a4f50ce487ee3b945538f04
Instruction Fuzzy Hash: 9852A471A047129FC708CF29C99066AB7E1FF88304F044A3EE896E7B81D739E955CB95

Function 004073A0 Relevance: .6, Instructions: 633COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2242371364.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2242354161.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2242394241.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2242414215.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2242414215.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2242414215.000000000045A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_F7Xu8bRnXT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20055dc05f39624d89f9d13173d00032c9ddb5f23ed3028259e70998ae7a08b4
Instruction ID: 17d22deff8d32e931318445bbea846c6b698fa6fcc44f6923348d96d7e24b863
Opcode Fuzzy Hash: 20055dc05f39624d89f9d13173d00032c9ddb5f23ed3028259e70998ae7a08b4
Instruction Fuzzy Hash: 0A329E70A087029FD318CF29C98472AB7E1BF84304F148A3EE89567781D779E955CBDA

Function 00406CA0 Relevance: .4, Instructions: 401COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2242371364.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2242354161.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2242394241.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2242414215.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2242414215.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2242414215.000000000045A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_F7Xu8bRnXT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 020392db844ceed98276714fd2150c2ad4a639f6bad3fb02a1d0621011a6745a
Instruction ID: cc67e10771130af0a5279b37c8f7fa75a2653c997645fd1ae8a0b8309c7f2627
Opcode Fuzzy Hash: 020392db844ceed98276714fd2150c2ad4a639f6bad3fb02a1d0621011a6745a
Instruction Fuzzy Hash: 48E1D6306083514FC708CF28C99456ABBE2EFC5304F198A7EE8D68B386D779D94ACB55

Function 00402B90 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2242371364.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2242354161.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2242394241.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2242414215.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2242414215.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2242414215.000000000045A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_F7Xu8bRnXT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 519d71d31dfe2b71d65c539f7253ce4d0ce1a0c509a5eaaf561cac07154b4855
Instruction ID: 74c1b90a01db230de662c72faab58802bb742d928f34651097fec506a9751401
Opcode Fuzzy Hash: 519d71d31dfe2b71d65c539f7253ce4d0ce1a0c509a5eaaf561cac07154b4855
Instruction Fuzzy Hash: 15717072A9155347E39CCF5CECD17763713DBC5351F49C23ACA025B6EAC938A922C688

Function 004028B0 Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2242371364.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2242354161.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2242394241.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2242414215.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2242414215.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2242414215.000000000045A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_F7Xu8bRnXT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56d4400f77c04dc4446d24fbb084ed78fa0beaad766ef6ff58d44a670f1be69a
Instruction ID: e93c334361593eb17f37b37ed9e80cdb2c00b1b1e1af3e0e9a736190e966ddef
Opcode Fuzzy Hash: 56d4400f77c04dc4446d24fbb084ed78fa0beaad766ef6ff58d44a670f1be69a
Instruction Fuzzy Hash: 4A615E3266055747E391DF6DEEC47663762EBC9351F18C630CA008B6A6CB39B92297CC

Function 00401650 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2242371364.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2242354161.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2242394241.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2242414215.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2242414215.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2242414215.000000000045A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_F7Xu8bRnXT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f84f8abda09efbfc4fc50908dec446613bf2f52d635c093d4d9c5e236f650133
Instruction ID: 39afabd8a370e1aacf823bb5b0eb141e0e266d105c364ee31248ba7b153c19f0
Opcode Fuzzy Hash: f84f8abda09efbfc4fc50908dec446613bf2f52d635c093d4d9c5e236f650133
Instruction Fuzzy Hash: 2851F94400D7E18EC716873A44E0AA7BFD10FAB115F4E9ACDA5E90B2E3C159C288DB77

Function 00402F20 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2242371364.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2242354161.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2242394241.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2242414215.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2242414215.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2242414215.000000000045A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_F7Xu8bRnXT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5804b07f674ae3d268ec1438c7da71b35f3107e62f64f1f633515dfb68ee091a
Instruction ID: cff114a85fcb8f5deb46d81d22c4208fa3965af46b01a687ebeadebabb5a60ab
Opcode Fuzzy Hash: 5804b07f674ae3d268ec1438c7da71b35f3107e62f64f1f633515dfb68ee091a
Instruction Fuzzy Hash: 9A31D8302052028BE738CE19C954BEBB3B5AFC0349F44883ED986A73C4DABDD945D795

Function 00402F89 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2242371364.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2242354161.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2242394241.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2242414215.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2242414215.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2242414215.000000000045A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_F7Xu8bRnXT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9961543af999a1320c5b9d9b8c59a9b64f893fc8dbb42675723320a25693eab2
Instruction ID: 40597224e526abc728bb10992f322fa75c91b34d76fbbe6bc80328d1c420bfc2
Opcode Fuzzy Hash: 9961543af999a1320c5b9d9b8c59a9b64f893fc8dbb42675723320a25693eab2
Instruction Fuzzy Hash: F321923170520247EB68C929C9547ABB3A5ABC0389F48853EC986A73C8DAB9E941D785

Function 00417081 Relevance: 31.8, APIs: 21, Instructions: 340COMMONLIBRARYCODE

Download Yara Rule

APIs

LCMapStringW.KERNEL32(00000000,00000100,00420398,00000001,00000000,00000000,7FFFFFFF,00000100,7FFFFFFF,?,?,?,?,7FFFFFFF,?,00000000), ref: 004170B3
GetLastError.KERNEL32(?,00000000,7FFFFFFF,00000000,?,?,00000000,00000000,7FFFFFFF,00000000,?,7FFFFFFF,00000000,00000000,?,021318D0), ref: 004170C5
MultiByteToWideChar.KERNEL32(7FFFFFFF,00000000,?,?,00000000,00000000,7FFFFFFF,00000100,7FFFFFFF,?,?,?,?,7FFFFFFF,?,00000000), ref: 00417151
_malloc.LIBCMT ref: 0041718A
MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000,?,00000000,7FFFFFFF,00000000,?,?,00000000,00000000,7FFFFFFF,00000000), ref: 004171BD
LCMapStringW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,7FFFFFFF,00000000,?,?,00000000,00000000,7FFFFFFF,00000000), ref: 004171D9
LCMapStringW.KERNEL32(?,00000400,00000400,00000000,?,?), ref: 00417213
_malloc.LIBCMT ref: 0041724C
LCMapStringW.KERNEL32(?,00000400,00000400,00000000,00000000,?), ref: 00417277
WideCharToMultiByte.KERNEL32(?,00000000,00000000,?,?,?,00000000,00000000), ref: 0041729A
__freea.LIBCMT ref: 004172A4
__freea.LIBCMT ref: 004172AD
___ansicp.LIBCMT ref: 004172DE
___convertcp.LIBCMT ref: 00417309
LCMapStringA.KERNEL32(?,?,00000000,?,00000000,00000000,?,?,?,7FFFFFFF,00000100,7FFFFFFF,?,?,?,?), ref: 0041732A
_malloc.LIBCMT ref: 00417362
_memset.LIBCMT ref: 00417384
LCMapStringA.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,?,7FFFFFFF,00000100,7FFFFFFF,?), ref: 0041739C
___convertcp.LIBCMT ref: 004173BA
__freea.LIBCMT ref: 004173CF
LCMapStringA.KERNEL32(?,?,?,?,7FFFFFFF,00000100,7FFFFFFF,00000100,7FFFFFFF,?,?,?,?,7FFFFFFF,?,00000000), ref: 004173E9

Memory Dump Source

Source File: 00000001.00000002.2242371364.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2242354161.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2242394241.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2242414215.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2242414215.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2242414215.000000000045A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_F7Xu8bRnXT.jbxd

Similarity

API ID: String$ByteCharMultiWide__freea_malloc$___convertcp$ErrorLast___ansicp_memset
String ID:
API String ID: 3809854901-0
Opcode ID: b820e78b463918eed32479816903fc70d8532b7c557c67349a3712e4f0fad1ae
Instruction ID: cdfffc9a1d2b3026f9ae82d5cc8d175594050d3ba9b5f3d3ede674b9b5b9b85c
Opcode Fuzzy Hash: b820e78b463918eed32479816903fc70d8532b7c557c67349a3712e4f0fad1ae
Instruction Fuzzy Hash: 29B1B072908119EFCF119FA0CC808EF7BB5EF48354B14856BF915A2260D7398DD2DB98

Function 004057B0 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 205COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 004057DE

Part of subcall function 0040B84D: __FF_MSGBANNER.LIBCMT ref: 0040B870
Part of subcall function 0040B84D: __NMSG_WRITE.LIBCMT ref: 0040B877
Part of subcall function 0040B84D: RtlAllocateHeap.NTDLL(00000000,-0000000E,00000001,00000000,00000000,?,00411C86,00000001,00000001,00000001,?,0040D66A,00000018,00421240,0000000C,0040D6FB), ref: 0040B8C4

_malloc.LIBCMT ref: 00405842
_malloc.LIBCMT ref: 00405906
_malloc.LIBCMT ref: 00405930

Strings

1.2.3, xrefs: 004058EC, 00405937

Memory Dump Source

Source File: 00000001.00000002.2242371364.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2242354161.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2242394241.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2242414215.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2242414215.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2242414215.000000000045A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_F7Xu8bRnXT.jbxd

Similarity

API ID: _malloc$AllocateHeap
String ID: 1.2.3
API String ID: 680241177-2310465506
Opcode ID: 64d57b24c90c17737e8f9baa349f19b9f9970d6aaf881d525023fd74c78c4ea3
Instruction ID: 6f54ea0e5a0cddcbb7a6eab5c61130b8c10e9e343dc86a4c4a61a5a67c51a18e
Opcode Fuzzy Hash: 64d57b24c90c17737e8f9baa349f19b9f9970d6aaf881d525023fd74c78c4ea3
Instruction Fuzzy Hash: 8B61F7B1944B408FD720AF2A888066BBBE0FB45314F548D3FE5D5A3781D739D8498F5A

Function 0040BCC2 Relevance: 10.7, APIs: 7, Instructions: 189COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 0040BD24
_memcpy_s.LIBCMT ref: 0040BD99
__fileno.LIBCMT ref: 0040BDF9
__read.LIBCMT ref: 0040BE00
__filbuf.LIBCMT ref: 0040BE24
_memset.LIBCMT ref: 0040BE6A
_memset.LIBCMT ref: 0040BE95

Part of subcall function 0040BFC1: __getptd_noexit.LIBCMT ref: 0040BFC1

Memory Dump Source

Source File: 00000001.00000002.2242371364.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2242354161.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2242394241.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2242414215.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2242414215.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2242414215.000000000045A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_F7Xu8bRnXT.jbxd

Similarity

API ID: _memset$__filbuf__fileno__getptd_noexit__read_memcpy_s
String ID:
API String ID: 3886058894-0
Opcode ID: c4afc057559a022db8f819d9985b866907c7fad8716f86744927840939a860f5
Instruction ID: 0234425abcb0213f77efd30778ac7634d7a408156a07f93f58cd91f86a00e979
Opcode Fuzzy Hash: c4afc057559a022db8f819d9985b866907c7fad8716f86744927840939a860f5
Instruction Fuzzy Hash: 1E519031A00605ABCB209F69C844A9FBB75EF41324F24863BF825B22D1D7799E51CBDD

Function 0040C73D Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 0040C6C8
__fileno.LIBCMT ref: 0040C6D6
__fileno.LIBCMT ref: 0040C6E2
__fileno.LIBCMT ref: 0040C6EE
__fileno.LIBCMT ref: 0040C6FE

Part of subcall function 0040BFC1: __getptd_noexit.LIBCMT ref: 0040BFC1

Part of subcall function 0040E744: __decode_pointer.LIBCMT ref: 0040E74F

Strings

'B, xrefs: 0040C70F

Memory Dump Source

Source File: 00000001.00000002.2242371364.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2242354161.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2242394241.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2242414215.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2242414215.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2242414215.000000000045A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_F7Xu8bRnXT.jbxd

Similarity

API ID: __fileno$__decode_pointer__getptd_noexit__lock_file
String ID: 'B
API String ID: 2805327698-2787509829
Opcode ID: 2b0b2601706cdb465d4c9eff24f73974ea9fb0f2dbbf8fc2cbf9e4943b65d960
Instruction ID: db056c5abb1484b678344f3d998e50672bc49cccd6cfe868de5707b4f3f6250f
Opcode Fuzzy Hash: 2b0b2601706cdb465d4c9eff24f73974ea9fb0f2dbbf8fc2cbf9e4943b65d960
Instruction Fuzzy Hash: 1A01253231451096C261ABBE5CC246E76A0DE81734726877FF024BB1D2DB3C99429E9D

Function 00414738 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 00414744

Part of subcall function 00410735: __getptd_noexit.LIBCMT ref: 00410738
Part of subcall function 00410735: __amsg_exit.LIBCMT ref: 00410745

__getptd.LIBCMT ref: 0041475B
__amsg_exit.LIBCMT ref: 00414769
__lock.LIBCMT ref: 00414779

Strings

@.B, xrefs: 00414786

Memory Dump Source

Source File: 00000001.00000002.2242371364.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2242354161.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2242394241.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2242414215.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2242414215.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2242414215.000000000045A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_F7Xu8bRnXT.jbxd

Similarity

API ID: __amsg_exit__getptd$__getptd_noexit__lock
String ID: @.B
API String ID: 3521780317-470711618
Opcode ID: f43c5434038c0e2b3130a40ea1e7b9b854db78837d0c16722a3a572f716d4dbb
Instruction ID: 91aff3cf2d6bbea4e2ea5d49e8e08bf0f41c3eb50374f8394f27d7b6c467aa53
Opcode Fuzzy Hash: f43c5434038c0e2b3130a40ea1e7b9b854db78837d0c16722a3a572f716d4dbb
Instruction Fuzzy Hash: 60F09631A407009BE720BB66850678D73A06F81719F91456FE4646B2D1CB7C6981CA5D

Function 00413FCC Relevance: 7.5, APIs: 5, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 00413FD8

Part of subcall function 00410735: __getptd_noexit.LIBCMT ref: 00410738
Part of subcall function 00410735: __amsg_exit.LIBCMT ref: 00410745

__amsg_exit.LIBCMT ref: 00413FF8
__lock.LIBCMT ref: 00414008
InterlockedDecrement.KERNEL32(?), ref: 00414025
InterlockedIncrement.KERNEL32(02131670), ref: 00414050

Memory Dump Source

Source File: 00000001.00000002.2242371364.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2242354161.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2242394241.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2242414215.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2242414215.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2242414215.000000000045A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_F7Xu8bRnXT.jbxd

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
String ID:
API String ID: 4271482742-0
Opcode ID: 75ed1ba79165a940210d4fbe753a496d3ed1b888d754918a7527295a16311c61
Instruction ID: 77fb08d543caf33888dccec20a3998fa005b1348dfeb798e4aa279577202aa48
Opcode Fuzzy Hash: 75ed1ba79165a940210d4fbe753a496d3ed1b888d754918a7527295a16311c61
Instruction Fuzzy Hash: 9301A531A01621ABD724AF67990579E7B60AF48764F50442BE814B72D0C77C6DC2CBDD

Function 0040FA58 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 69COMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 0040FA7A
__calloc_crt.LIBCMT ref: 0040FA93

Strings

`$B, xrefs: 0040FACC
P$B, xrefs: 0040FAAA

Memory Dump Source

Source File: 00000001.00000002.2242371364.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2242354161.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2242394241.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2242414215.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2242414215.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2242414215.000000000045A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_F7Xu8bRnXT.jbxd

Similarity

API ID: __calloc_crt
String ID: P$B$`$B
API String ID: 3494438863-235554963
Opcode ID: fdf4f6b62053dea64867d0c1085960dee66dbdb5e7cbac4bce55836661d1e8cf
Instruction ID: 4bdca0f49684ef71ac3198dcc3f656e5d5ce7fed137673697bf40858e87bd1f9
Opcode Fuzzy Hash: fdf4f6b62053dea64867d0c1085960dee66dbdb5e7cbac4bce55836661d1e8cf
Instruction Fuzzy Hash: 6011A3327446115BE7348B1DBD50F662391EB84728BA4423BE619EA7E0E77CD8864A4C

Function 00413610 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(KERNEL32,0040CDF5), ref: 00413615
GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 00413625

Strings

IsProcessorFeaturePresent, xrefs: 0041361F
KERNEL32, xrefs: 00413610

Memory Dump Source

Source File: 00000001.00000002.2242371364.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2242354161.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2242394241.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2242414215.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2242414215.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2242414215.000000000045A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_F7Xu8bRnXT.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: IsProcessorFeaturePresent$KERNEL32
API String ID: 1646373207-3105848591
Opcode ID: 118b5162a474c003ae69c9300a13838c9d8123de4a3b48a289e819fb4020d245
Instruction ID: 3bb3582238f4ecb0ba7b9e8fe578e45fdcf0af3c55e5dfe2a5e3893bc0ad87fb
Opcode Fuzzy Hash: 118b5162a474c003ae69c9300a13838c9d8123de4a3b48a289e819fb4020d245
Instruction Fuzzy Hash: 96F06230600A09E2DB105FA1ED1E2EFBB74BB80746F5101A19196B0194DF38D0B6825A

Function 004146FA Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

___addlocaleref.LIBCMT ref: 0041470C

Part of subcall function 004145D2: InterlockedIncrement.KERNEL32(00000001), ref: 004145E4
Part of subcall function 004145D2: InterlockedIncrement.KERNEL32(?), ref: 004145F1
Part of subcall function 004145D2: InterlockedIncrement.KERNEL32(?), ref: 004145FE
Part of subcall function 004145D2: InterlockedIncrement.KERNEL32(?), ref: 0041460B
Part of subcall function 004145D2: InterlockedIncrement.KERNEL32(?), ref: 00414618
Part of subcall function 004145D2: InterlockedIncrement.KERNEL32(?), ref: 00414634
Part of subcall function 004145D2: InterlockedIncrement.KERNEL32(?), ref: 00414644
Part of subcall function 004145D2: InterlockedIncrement.KERNEL32(?), ref: 0041465A

___removelocaleref.LIBCMT ref: 00414717

Part of subcall function 00414661: InterlockedDecrement.KERNEL32(?), ref: 0041467B
Part of subcall function 00414661: InterlockedDecrement.KERNEL32(?), ref: 00414688
Part of subcall function 00414661: InterlockedDecrement.KERNEL32(?), ref: 00414695
Part of subcall function 00414661: InterlockedDecrement.KERNEL32(?), ref: 004146A2
Part of subcall function 00414661: InterlockedDecrement.KERNEL32(?), ref: 004146AF
Part of subcall function 00414661: InterlockedDecrement.KERNEL32(?), ref: 004146CB
Part of subcall function 00414661: InterlockedDecrement.KERNEL32(00000000), ref: 004146DB
Part of subcall function 00414661: InterlockedDecrement.KERNEL32(?), ref: 004146F1

___freetlocinfo.LIBCMT ref: 0041472B

Part of subcall function 00414489: ___free_lconv_mon.LIBCMT ref: 004144CF
Part of subcall function 00414489: ___free_lconv_num.LIBCMT ref: 004144F0
Part of subcall function 00414489: ___free_lc_time.LIBCMT ref: 00414575

Strings

@.B, xrefs: 00414722

Memory Dump Source

Source File: 00000001.00000002.2242371364.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2242354161.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2242394241.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2242414215.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2242414215.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2242414215.000000000045A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_F7Xu8bRnXT.jbxd

Similarity

API ID: Interlocked$DecrementIncrement$___addlocaleref___free_lc_time___free_lconv_mon___free_lconv_num___freetlocinfo___removelocaleref
String ID: @.B
API String ID: 467427115-470711618
Opcode ID: 3857329619949c293296419ec2be8f51648e9d3bf58d3a63f1cc8ec60b1035b6
Instruction ID: 8e9b8205a585dc9325c25650a27042e0212317e7447dcce9b0fe23aa5a8dd77f
Opcode Fuzzy Hash: 3857329619949c293296419ec2be8f51648e9d3bf58d3a63f1cc8ec60b1035b6
Instruction Fuzzy Hash: BDE0863250192255CE35261D76806EF93A98FD3725B3A017FF864AF7D8EB2C4CC0809D

Function 0040C748 Relevance: 6.1, APIs: 4, Instructions: 148COMMONLIBRARYCODE

Download Yara Rule

APIs

__fileno.LIBCMT ref: 0040C77C
__locking.LIBCMT ref: 0040C791

Part of subcall function 0040BFC1: __getptd_noexit.LIBCMT ref: 0040BFC1

Part of subcall function 0040E744: __decode_pointer.LIBCMT ref: 0040E74F

Memory Dump Source

Source File: 00000001.00000002.2242371364.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2242354161.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2242394241.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2242414215.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2242414215.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2242414215.000000000045A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_F7Xu8bRnXT.jbxd

Similarity

API ID: __decode_pointer__fileno__getptd_noexit__locking
String ID:
API String ID: 2395185920-0
Opcode ID: a22d1fa1ad15e425548c743ff76317c9d1fdeb5a65110bd21edd49740b19d0ba
Instruction ID: 30055f4621fb528cea72007990449f1feb1a7f288d573051c200dc5e1a244c20
Opcode Fuzzy Hash: a22d1fa1ad15e425548c743ff76317c9d1fdeb5a65110bd21edd49740b19d0ba
Instruction Fuzzy Hash: CC51CF72E00209EBDB10AF69C9C0B59BBA1AF01355F14C27AD915B73D1D378AE41DB8D

Function 00405D00 Relevance: 6.1, APIs: 4, Instructions: 137COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 00405D54
_memset.LIBCMT ref: 00405D6F
_fseek.LIBCMT ref: 00405DDD

Memory Dump Source

Source File: 00000001.00000002.2242371364.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2242354161.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2242394241.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2242414215.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2242414215.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2242414215.000000000045A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_F7Xu8bRnXT.jbxd

Similarity

API ID: _fseek_malloc_memset
String ID:
API String ID: 208892515-0
Opcode ID: 689e5a2a8d0df6628a55ca55f65915ee6a0b33bdec45a2b9390eeacb6c5b01b1
Instruction ID: b5a371ba5f9a3ad1fa090fb1a89082137fe8d6c03bc5c52cd66242ccf2a60741
Opcode Fuzzy Hash: 689e5a2a8d0df6628a55ca55f65915ee6a0b33bdec45a2b9390eeacb6c5b01b1
Instruction Fuzzy Hash: 3541A572600F018AD630972EE804B2772E5DF90364F140A3FE9E6E27D5E738E9458F89

Function 0040BAAA Relevance: 6.1, APIs: 4, Instructions: 137COMMON

Download Yara Rule

APIs

__flush.LIBCMT ref: 0040BB6E
__fileno.LIBCMT ref: 0040BB8E
__locking.LIBCMT ref: 0040BB95
__flsbuf.LIBCMT ref: 0040BBC0

Part of subcall function 0040BFC1: __getptd_noexit.LIBCMT ref: 0040BFC1

Part of subcall function 0040E744: __decode_pointer.LIBCMT ref: 0040E74F

Memory Dump Source

Source File: 00000001.00000002.2242371364.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2242354161.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2242394241.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2242414215.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2242414215.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2242414215.000000000045A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_F7Xu8bRnXT.jbxd

Similarity

API ID: __decode_pointer__fileno__flsbuf__flush__getptd_noexit__locking
String ID:
API String ID: 3240763771-0
Opcode ID: ce0de872f2bf1c80b5409081606229fa9c8f65028ffa0700073288fbc1af180c
Instruction ID: 72eaa501f89e5d914343e0f007c81726c853b1270fdaa85e4c7363b387074608
Opcode Fuzzy Hash: ce0de872f2bf1c80b5409081606229fa9c8f65028ffa0700073288fbc1af180c
Instruction Fuzzy Hash: B441A331A006059BDF249F6A88855AFB7B5EF80320F24853EE465B76C4D778EE41CB8C

Function 0041529F Relevance: 6.1, APIs: 4, Instructions: 103COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 004152D3
__isleadbyte_l.LIBCMT ref: 00415307
MultiByteToWideChar.KERNEL32(00000080,00000009,?,?,?,00000000,?,?,?,?), ref: 00415338
MultiByteToWideChar.KERNEL32(00000080,00000009,?,00000001,?,00000000,?,?,?,?), ref: 004153A6

Memory Dump Source

Source File: 00000001.00000002.2242371364.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2242354161.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2242394241.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2242414215.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2242414215.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2242414215.000000000045A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_F7Xu8bRnXT.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 2839bf6a935194de417e4e3b9e78947074703b487fc663d1488f120054b34ef5
Instruction ID: 094900ada7e667e90e346a2540d450e67f5821ec0926a3c2ae07879bc245b0d1
Opcode Fuzzy Hash: 2839bf6a935194de417e4e3b9e78947074703b487fc663d1488f120054b34ef5
Instruction Fuzzy Hash: 1831A032A00649EFDB20DFA4C8809EE7BB5EF41350B1885AAE8659B291D374DD80DF59

Function 004134DB Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 00413501

Part of subcall function 00413326: __fltout2.LIBCMT ref: 00413352

__cftog_l.LIBCMT ref: 00413527
__cftoe_l.LIBCMT ref: 00413559

Memory Dump Source

Source File: 00000001.00000002.2242371364.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2242354161.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2242394241.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2242414215.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2242414215.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2242414215.000000000045A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_F7Xu8bRnXT.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
Instruction ID: bfd0e68975b3765f24e543ba70b005e9871d43ed2f52156b65e62ceec70126f9
Opcode Fuzzy Hash: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
Instruction Fuzzy Hash: DA117E7200014EBBCF125E85CC418EE3F27BF18755B58841AFE2858130D73BCAB2AB89

Analysis Process: Trading_AIBot.exePID: 1628, Parent PID: 7092COMMON

Executed Functions

Function 0176767B Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2621325924.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1760000_Trading_AIBot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89bcb84aa74e238b0102dab3b654f2e13fa6bed084be673585974cce40d68a50
Instruction ID: ae611e720dbe19827ae902617aa7ec37b7230737bc44e3b1c01e03fd4bf46a20
Opcode Fuzzy Hash: 89bcb84aa74e238b0102dab3b654f2e13fa6bed084be673585974cce40d68a50
Instruction Fuzzy Hash: 19610370D00219CFCB14DFA5D994AADBBB6FF89304F609169D809BB264DB346D8ACF40

Function 01767688 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2621325924.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1760000_Trading_AIBot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9f6a719dffa833122a84e71c277b17cc66941d5225fec19ba67f13b6996e913
Instruction ID: 3153fa2b6aa5f5e3c9d288ff796114e2b4145b11cca280610ffbc06ade5510a3
Opcode Fuzzy Hash: e9f6a719dffa833122a84e71c277b17cc66941d5225fec19ba67f13b6996e913
Instruction Fuzzy Hash: 2B610270D00219CFCB14DFA5D994AADBBB6FF89304F6091A9D8097B264DB346D8ACF40

Function 01767188 Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2621325924.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1760000_Trading_AIBot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf21a38fe510b20f55d592859fcb4b2e751eecb9a95ef716c94a71aeac0c3a8b
Instruction ID: 894456f985b90b466e36ebeb0ad4f9a35f238a181c3339764cbcbb14c81e7d2d
Opcode Fuzzy Hash: cf21a38fe510b20f55d592859fcb4b2e751eecb9a95ef716c94a71aeac0c3a8b
Instruction Fuzzy Hash: 5C61B174A00248CFCB44DFA9D5949ADBBB6FF8D310F10916AE905AB365DB31AC46CF14

Function 01767E54 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2621325924.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1760000_Trading_AIBot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cabea58596bf8d633b0b131b7a9549adc10c502629051f71523a9879aa29eef
Instruction ID: dc34abd440f328d2fb3d03e3176acdbeb5716fcb90a15a0a1c139b59246373d8
Opcode Fuzzy Hash: 0cabea58596bf8d633b0b131b7a9549adc10c502629051f71523a9879aa29eef
Instruction Fuzzy Hash: 6B41BBB1D002489FDB14DFEAC984ADEFFB5AF49314F24802AE859AB254D7349946CF44

Function 01767E60 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2621325924.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1760000_Trading_AIBot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d702af85a38a1009e9a8ff5d4f76310ac5b55ee01c14360f7820093799e2182
Instruction ID: 07aa43d88b8cd1d770e07f29ba7501cf2bfcf888fbff7320815075d556a27456
Opcode Fuzzy Hash: 9d702af85a38a1009e9a8ff5d4f76310ac5b55ee01c14360f7820093799e2182
Instruction Fuzzy Hash: 3141BCB0D002489FDB14DFEAC984ADEFFB9BF49314F14802AE819AB254D7349946CF54

Function 017674F3 Relevance: 1.4, Strings: 1, Instructions: 101COMMON

Download Yara Rule

Strings

Jdq, xrefs: 01767611

Memory Dump Source

Source File: 00000002.00000002.2621325924.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1760000_Trading_AIBot.jbxd

Similarity

API ID:
String ID: Jdq
API String ID: 0-1891755625
Opcode ID: 648c82ca400459ee2d708958b11d65955af57eb6111fe02d689857582120a2b9
Instruction ID: 2e177485d5bf157cc73423083ec6ffbf8a5f1c2bfd0456c2ab7fee3f37546ab8
Opcode Fuzzy Hash: 648c82ca400459ee2d708958b11d65955af57eb6111fe02d689857582120a2b9
Instruction Fuzzy Hash: 3241F474E002088FDB14DFA8D494AEEBBB2EF88301F109069E915A72A4DB349D45CF64

Function 01767500 Relevance: 1.3, Strings: 1, Instructions: 98COMMON

Download Yara Rule

Strings

Jdq, xrefs: 01767611

Memory Dump Source

Source File: 00000002.00000002.2621325924.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1760000_Trading_AIBot.jbxd

Similarity

API ID:
String ID: Jdq
API String ID: 0-1891755625
Opcode ID: ea02a57f7d457922d4e2caa8e8bf1db8119d8a9ca702ef4c862605861aac1f78
Instruction ID: 9a6b9d4fbbcda804923e8a6caf19a2fd1d1c486854142c4603a2fe8da318b1b6
Opcode Fuzzy Hash: ea02a57f7d457922d4e2caa8e8bf1db8119d8a9ca702ef4c862605861aac1f78
Instruction Fuzzy Hash: 2A41E374E002088FDB18DFA9D494AEEBBB2FF88311F109069E915B72A4DB349D45CF64

Function 01767643 Relevance: 1.3, Strings: 1, Instructions: 54COMMON

Download Yara Rule

Strings

Jdq, xrefs: 01767611

Memory Dump Source

Source File: 00000002.00000002.2621325924.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1760000_Trading_AIBot.jbxd

Similarity

API ID:
String ID: Jdq
API String ID: 0-1891755625
Opcode ID: 3e94f253b7a7e3959e2351c37f5e5883a044b71ac4848fa1ec4627e01e342031
Instruction ID: f303ba48292b9650b2cae2759de529a3313e1334dbe14732bd93370a1843be1d
Opcode Fuzzy Hash: 3e94f253b7a7e3959e2351c37f5e5883a044b71ac4848fa1ec4627e01e342031
Instruction Fuzzy Hash: 07111C34A002089FD724DFA5E495BADBBB5FF49322F209054E905A7365DB35AC41CF64

Function 01765348 Relevance: .9, Instructions: 941COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2621325924.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1760000_Trading_AIBot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f824253af38ce9a9f948390d9cca4e08ddd04866c851397f7e4ed7f86f7884b7
Instruction ID: c5d0abc4bab86e9d8348d73574e2580152cced602e2483805c434319fd038aa4
Opcode Fuzzy Hash: f824253af38ce9a9f948390d9cca4e08ddd04866c851397f7e4ed7f86f7884b7
Instruction Fuzzy Hash: A5B28170901229CFCB69DF65C898AADB7B6FB89304F5081EAD40DA7264DB359EC1CF41

Function 01765358 Relevance: .9, Instructions: 935COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2621325924.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1760000_Trading_AIBot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd54b684b2dd95c9212e48ee95cc5036525ac338e1f5a421c09549b9734c19b4
Instruction ID: f3f79b13d01c499b619a80479656238cc5d9642861eb7186686fe4fd4fc796db
Opcode Fuzzy Hash: fd54b684b2dd95c9212e48ee95cc5036525ac338e1f5a421c09549b9734c19b4
Instruction Fuzzy Hash: D8B27170901229CFCB69DF65C898AADB7B6FB89304F5081EAD40DA7264DB359EC1CF41

Function 01760839 Relevance: .6, Instructions: 607COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2621325924.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1760000_Trading_AIBot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ad03d411207137ec644d96e5f7720e767d24449686125da1fd35e5149eebaf3
Instruction ID: 803d2f1c003ea36c050f11f4dafcc330744743dd2fae3240bee53bf2030e9eed
Opcode Fuzzy Hash: 4ad03d411207137ec644d96e5f7720e767d24449686125da1fd35e5149eebaf3
Instruction Fuzzy Hash: B262CE74901219CFCB65DF64D898BAEBBB2FF49300F1081EAD50AA7264DB349E85CF41

Function 01760848 Relevance: .6, Instructions: 601COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2621325924.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1760000_Trading_AIBot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9015d4527e299880146c261c50294352081d001a87a0c846250f6bdefd1c7e72
Instruction ID: be8c745dab4a9933e9820d0186bcaf4cd52b3aa5a535e418677a851d17ebdbab
Opcode Fuzzy Hash: 9015d4527e299880146c261c50294352081d001a87a0c846250f6bdefd1c7e72
Instruction Fuzzy Hash: BE62CE74901219CFCB65DF64D998BAEBBB2FB49300F1081EAD50AA7364DB349E85CF41

Function 01767A79 Relevance: .4, Instructions: 416COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2621325924.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1760000_Trading_AIBot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b6ee5f29d2baaa8a1020ec1a7ffefd7e2486cb26a4d5795ca3bec0fb07edc47
Instruction ID: f24c14cdb4308affdf26547c3925e31cc74bf8a3531b955becaa805870bad11a
Opcode Fuzzy Hash: 4b6ee5f29d2baaa8a1020ec1a7ffefd7e2486cb26a4d5795ca3bec0fb07edc47
Instruction Fuzzy Hash: F041F0B0D04288DFDB15DFEAC984A9EFFF9AF49304F14846AE848AB254CB345885CF50

Function 017667F0 Relevance: .2, Instructions: 224COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2621325924.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1760000_Trading_AIBot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7d3823285d72108c6f06384644368c0059e406fc814b1e69597201958cdcf82
Instruction ID: b67ae7de6120d44b05592d902065dea3845e6173b8665b1f1fdc79ea1fb0afac
Opcode Fuzzy Hash: f7d3823285d72108c6f06384644368c0059e406fc814b1e69597201958cdcf82
Instruction Fuzzy Hash: E6B1DD74A012298FDB64DF68C994B9DBBB6FB49304F1085EAD80DA7250DB30AE85CF51

Function 01767178 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2621325924.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1760000_Trading_AIBot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e63b37a73a7e64faf69b1f9c02b8bf43820e002aa4a70dfe7d768d3408eb77a
Instruction ID: f9e7a09b999b73de64bd0c45436a8593a5ebcd65bb2f48c6c2f0f57f1080c334
Opcode Fuzzy Hash: 2e63b37a73a7e64faf69b1f9c02b8bf43820e002aa4a70dfe7d768d3408eb77a
Instruction Fuzzy Hash: FC51D174A00248CFCB48DFA9D594AADBBB6FF89314F10916AE905AB365DB31AC45CF10

Function 017665C0 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2621325924.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1760000_Trading_AIBot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73fde8aa298cf20857a86db546030a59bd8660d2ee5045ddb7e9caa7d0352d0e
Instruction ID: d192dc0da9a921c506107483a29191a8e5121fcb917b54ac98c17aefc2004760
Opcode Fuzzy Hash: 73fde8aa298cf20857a86db546030a59bd8660d2ee5045ddb7e9caa7d0352d0e
Instruction Fuzzy Hash: 5041B274D00208CFDB44DFA9E4986EDFBF9AB49300F50916AE819AB350EB385D46CF51

Function 01767D10 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2621325924.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1760000_Trading_AIBot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c6b1f969b135dbd44d9b70c9ed8e6ea4e26393299e1cb3f3362c33bce36de0a
Instruction ID: dd1dc0f7ea39a1752484f4a4df4a579ecce5ca1f273045399183b2148e79d486
Opcode Fuzzy Hash: 9c6b1f969b135dbd44d9b70c9ed8e6ea4e26393299e1cb3f3362c33bce36de0a
Instruction Fuzzy Hash: 8E41BEB0D002489FDB14DFEAC984A9EFFF9AF48314F14842AE818AB254DB749985CF50

Function 017673A0 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2621325924.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1760000_Trading_AIBot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42940af6c9911f4410c9e71e6a702fd9ce7e1430a9ba6bd3724e1b21af388785
Instruction ID: 0b6416c39a5ad384a00e6f7581b6e23c1dcc881538097ec03c192b9a8b3388b2
Opcode Fuzzy Hash: 42940af6c9911f4410c9e71e6a702fd9ce7e1430a9ba6bd3724e1b21af388785
Instruction Fuzzy Hash: 1D31F274E012098FCB08DFB9D454AEEBBB2EF89304F6095AAD80577390CB366D41CB65

Function 017673B0 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2621325924.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1760000_Trading_AIBot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4458fe5471b4d11ef86c1bf2f042f6224ea45d5d6ecc55756d25cb31eafff3fd
Instruction ID: 0674af086dd01a91c5286ec69d0f0200ae90ed9374bda18b02fca48236095d2e
Opcode Fuzzy Hash: 4458fe5471b4d11ef86c1bf2f042f6224ea45d5d6ecc55756d25cb31eafff3fd
Instruction Fuzzy Hash: 2D21C074E012098FCB08DFA9D494AEEB7B6EF89300F6094AAD415B7394CB366D41CB65

Function 017651F7 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2621325924.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1760000_Trading_AIBot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 378b354d0d477fecac423b240fcfcd9f1d63b882118ff4977c200bbaf2bada93
Instruction ID: 1bd2a491cf14584c2eeb8705f1791b35aaaec9c13c1e840f47357fb1c1f9e92b
Opcode Fuzzy Hash: 378b354d0d477fecac423b240fcfcd9f1d63b882118ff4977c200bbaf2bada93
Instruction Fuzzy Hash: DF218970C093499FDB00EFB895593AEBFB0EB02315F0458AAC841A31A2D7784648DB91

Function 01765238 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2621325924.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1760000_Trading_AIBot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0dd22796a8a186e9f7ea394dd46ad1bf81cd0f392d35bb58dfc7bd40aee53c39
Instruction ID: c03a6ae62fce3e4809c278d52bac9d3934de4eb2a8081b92f983012f04d81331
Opcode Fuzzy Hash: 0dd22796a8a186e9f7ea394dd46ad1bf81cd0f392d35bb58dfc7bd40aee53c39
Instruction Fuzzy Hash: 62017CB4C04209DFDB04EFB9C41D7AEBFB0EB05312F4498A99816A3290DB780A44DF91

Function 01766C3E Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2621325924.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1760000_Trading_AIBot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f457c8ec1b8dd7797d17e0873dcd43435ba98262703df2e82ee4d725146d8ff
Instruction ID: 18bb964be7d6f7f8ddf54289af16402decc9b6dcf186c965137acc4d8b391c08
Opcode Fuzzy Hash: 9f457c8ec1b8dd7797d17e0873dcd43435ba98262703df2e82ee4d725146d8ff
Instruction Fuzzy Hash: 63F0F874D00255CFCB64DFA9D4596ACFBB4EB4A312F0465A6E809A3260EB34A985CF24

Function 01767499 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2621325924.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1760000_Trading_AIBot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3253f5b50bcab4fa4937abe5f49eac5d1471e846f98cc7bc69100e69ede305b4
Instruction ID: cee1fa55470e1e1975c10a349b36b82e7cb485263815ad5dc0079a1a4bdadae8
Opcode Fuzzy Hash: 3253f5b50bcab4fa4937abe5f49eac5d1471e846f98cc7bc69100e69ede305b4
Instruction Fuzzy Hash: 15F08C74911208DFC304DF68E644B28BFB4FB09311F10429AED0493362EB309945CB40

Function 01766757 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2621325924.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1760000_Trading_AIBot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a19fa99bcef8a9862809b737213f7c5951d65f69da2132377ed345e87a5dd683
Instruction ID: 950ab1c89f87b5a7e2e931b107d1eafa74cb5072ee824d0065cd35d9dfa9b730
Opcode Fuzzy Hash: a19fa99bcef8a9862809b737213f7c5951d65f69da2132377ed345e87a5dd683
Instruction Fuzzy Hash: DAE0AB30502348DFC701DFB4EA0069CBF78EB45201F40409EDC0493111EB341E04DB40

Function 017674A8 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2621325924.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1760000_Trading_AIBot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88ad074d3acb2ba19a71422fd699134f0f7919fc37805a320151d98a477d3220
Instruction ID: 9d35477700ff827c1fc084ea4b408ae44214fd6731dded4a065ee5bf1f60bd56
Opcode Fuzzy Hash: 88ad074d3acb2ba19a71422fd699134f0f7919fc37805a320151d98a477d3220
Instruction Fuzzy Hash: C5E01AB4910208DFC744EF68E558A69BFB8FB09311F5042AADD08A3361EB30ED85CF91

Function 01766768 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2621325924.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1760000_Trading_AIBot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b9a3db1f95aebe4c8930da7dcb72ed347a73df538e19b471f14e6bf9bfa039e
Instruction ID: c7108c124ef4409dd2893ae7043294e32682cfc139fc2d80f1d3776063222f29
Opcode Fuzzy Hash: 8b9a3db1f95aebe4c8930da7dcb72ed347a73df538e19b471f14e6bf9bfa039e
Instruction Fuzzy Hash: 4FE08670601108DFDB01DFB9E645A5DFBBDEB44301F908569DD0593224EB355E04DB90

Function 01766D40 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2621325924.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1760000_Trading_AIBot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ccf1549057f300ed3edee46e900a1340fee2829015804d362e318040484b552
Instruction ID: 9b1696add73cf1a9ab01061bfb436633a2abec057219c337b72f521676388cbc
Opcode Fuzzy Hash: 8ccf1549057f300ed3edee46e900a1340fee2829015804d362e318040484b552
Instruction Fuzzy Hash: 7BD0A7718053895BD351DBB5A90A754FF7CE712316F88429CEE14A3103EB294480DBA5

Function 01767650 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2621325924.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1760000_Trading_AIBot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b32f4d58f2a72c4d247acce618b091f34139ccd225921f8d3f85d3cf2a301eff
Instruction ID: d3911095a069c0ec70dc00f46ced898b3c8f3942ba33246e00520b42794c9ced
Opcode Fuzzy Hash: b32f4d58f2a72c4d247acce618b091f34139ccd225921f8d3f85d3cf2a301eff
Instruction Fuzzy Hash: 26C080708113089FD314DFBCA406B65FF7CE702356F404159ED0853201DB755450DBA6

Function 01766D50 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2621325924.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1760000_Trading_AIBot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1402110988dc7a3a030e994b74a05dbb8dfe299d2426804b7fa672cd5f127f65
Instruction ID: 30cb00eade6815c85129c31e78f00a9528acf941592e2d4924bd95273e951e4f
Opcode Fuzzy Hash: 1402110988dc7a3a030e994b74a05dbb8dfe299d2426804b7fa672cd5f127f65
Instruction Fuzzy Hash: 23C0807081130C9FC714DFA9A405B55FF7CE702312F800258FE0853105EB715490D7B5

Non-executed Functions

Function 01767FBC Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2621325924.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1760000_Trading_AIBot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a10dd8881bb42b16b0b775d6f942e2277ff91f10517496ae5d136ed73d799cd
Instruction ID: 04dd21b7ea3c2f82c8580badc94020f6eb6b2fa8d73d43ea2dd87db33bac32af
Opcode Fuzzy Hash: 0a10dd8881bb42b16b0b775d6f942e2277ff91f10517496ae5d136ed73d799cd
Instruction Fuzzy Hash: 77410FB0D002489FDB14DFE9C984AEEFBF9AF48300F20842AE815BB254DB759946CF54

Analysis Process: server01.exePID: 2200, Parent PID: 7092COMMON

Executed Functions

Function 00C2C530 Relevance: 4.3, Strings: 1, Instructions: 3069COMMON

Download Yara Rule

Strings

N, xrefs: 00C2F910

Memory Dump Source

Source File: 00000003.00000002.3484828761.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c20000_server01.jbxd

Similarity

API ID:
String ID: N
API String ID: 0-1130791706
Opcode ID: f226151702c352a0db1cea48c052f95a03bd0d3dfb0311d4a72a0f23da8618b7
Instruction ID: 34d26a589b1b918e4b3141b0024dafcf65e7c3e3e84faeb5bce74066c36de760
Opcode Fuzzy Hash: f226151702c352a0db1cea48c052f95a03bd0d3dfb0311d4a72a0f23da8618b7
Instruction Fuzzy Hash: 9773E531C1075A8ECB11EF68C854AADFBB1FF99300F51D69AE44967221EB70AAD4CF41

Function 00C29480 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3484828761.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c20000_server01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51c9b5b0c5a63c31caf5528169e56a0f4899ca4f4c1b44497e322c01347bc878
Instruction ID: 09676609d0b3a774da0210036d1d3734a49e40b315d9b9dab39cbbd8b142d66b
Opcode Fuzzy Hash: 51c9b5b0c5a63c31caf5528169e56a0f4899ca4f4c1b44497e322c01347bc878
Instruction Fuzzy Hash: 90C1AE78E01218CFDB14DFA5D994B9DBBB2FF88301F2081A9D809A7365DB359A85CF10

Function 00C29A71 Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3484828761.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c20000_server01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c05efb591b3591e4783df1671fab723ce8952144ad00fd813f9930468cec7e8f
Instruction ID: 3a9d4540cab1a942979128d0b0bf0f0e5b1a1f1cf209fb2c46e2ddc712a0ad9c
Opcode Fuzzy Hash: c05efb591b3591e4783df1671fab723ce8952144ad00fd813f9930468cec7e8f
Instruction Fuzzy Hash: 00A11670D00218CFDB14DFA9D994BDDBBB1FF88305F209269E408AB292DB759985CF50

Function 00C2C521 Relevance: .2, Instructions: 225COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3484828761.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c20000_server01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8188cc17cc52a2aed59a61dda4de327d9c598dc118b77036a8bfb8a1297e9af2
Instruction ID: aaf1cb57ffe9d277b774ee8a6bd33341f28468e206d6ff8e037a25150252d67f
Opcode Fuzzy Hash: 8188cc17cc52a2aed59a61dda4de327d9c598dc118b77036a8bfb8a1297e9af2
Instruction Fuzzy Hash: 12A1F571D116198EDB14EFA9C8946EDFBB1FF89300F10C6AAE41867261EB709A85CF41

Function 00C29A30 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3484828761.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c20000_server01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 016aeee5d29a640cdd3fe948539b926248814b0a00dfb24435cc6bb1dcf43924
Instruction ID: d532b258f6c125d1f61d6caffe677a4e24ea379e2bb61e0c755e0d919a736b75
Opcode Fuzzy Hash: 016aeee5d29a640cdd3fe948539b926248814b0a00dfb24435cc6bb1dcf43924
Instruction Fuzzy Hash: 44A12670D00218CFEB14DFA9D994BDDBBB1FF88301F248269E409AB2A5DB759985CF50

Function 00C29A40 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3484828761.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c20000_server01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31a4fb1032eea0d837abb93cfbe2416323356a9bb312f58ccee0b140e8c8f645
Instruction ID: 5eb29ba581b6d2889df97a0ad42c469e7395a75a7eb0ae3895167293049e92da
Opcode Fuzzy Hash: 31a4fb1032eea0d837abb93cfbe2416323356a9bb312f58ccee0b140e8c8f645
Instruction Fuzzy Hash: D8A11670D00218CFEB24DFA9D954BDDBBB1FF88301F208269E419AB2A1DB759985CF50

Function 00C29D87 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3484828761.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c20000_server01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7eefebc40bc7e63073e5adb1dfc248447ca2b25f62930d1a4bfc73a2474d9019
Instruction ID: 1ace570ddd4acef226a3ed59f48b8f12ab4ae9edf93d61e5948b43c7d1602fcf
Opcode Fuzzy Hash: 7eefebc40bc7e63073e5adb1dfc248447ca2b25f62930d1a4bfc73a2474d9019
Instruction Fuzzy Hash: D9910470D00218CFEB20DFA9D988BDCBBB1FF49311F208269E419AB291DB759985CF54

Function 00C2946F Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3484828761.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c20000_server01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d83ac8677031e7ca0f6fabb55e4daa18029d65920cc18c05b534a536338649b
Instruction ID: d162337c06b554f7bb1809303c9a273dac592ddadb77f2454b6ffcaee3e3ed4b
Opcode Fuzzy Hash: 5d83ac8677031e7ca0f6fabb55e4daa18029d65920cc18c05b534a536338649b
Instruction Fuzzy Hash: A941E374D012188FEB18DFAAD9546DDBBB2FF89300F24C12AD819AB255DB355905CF40

Function 00C2B500 Relevance: 6.6, Strings: 5, Instructions: 386COMMON

Download Yara Rule

Strings

8bq, xrefs: 00C2B941
Haq, xrefs: 00C2B6EA
Haq, xrefs: 00C2B749
Haq, xrefs: 00C2B54E
TJbq, xrefs: 00C2B97A

Memory Dump Source

Source File: 00000003.00000002.3484828761.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c20000_server01.jbxd

Similarity

API ID:
String ID: 8bq$Haq$Haq$Haq$TJbq
API String ID: 0-1597716666
Opcode ID: a985f2aeb77d162f82f3e811335f04a1e6b8b960f17af3d8c9734af823df36ab
Instruction ID: 283db487ab81d7aa759fc51f4a563b55fb8f6b43f82a77f7e0206d530969ef7b
Opcode Fuzzy Hash: a985f2aeb77d162f82f3e811335f04a1e6b8b960f17af3d8c9734af823df36ab
Instruction Fuzzy Hash: ACD10430B042148FDB14DF68E891AAEBBF6EF89320F244465E506EB7A1CB75DD41CB91

Function 00C219B8 Relevance: 5.2, Strings: 4, Instructions: 200COMMON

Download Yara Rule

Strings

Xaq, xrefs: 00C21B2F
Xaq, xrefs: 00C21A76
Xaq, xrefs: 00C21B7C
Xaq, xrefs: 00C21AB0

Memory Dump Source

Source File: 00000003.00000002.3484828761.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c20000_server01.jbxd

Similarity

API ID:
String ID: Xaq$Xaq$Xaq$Xaq
API String ID: 0-4015495023
Opcode ID: 409eaf04cde3cde34cbffe1be5ae0dd96825daaeda55dd551144e21466a73c62
Instruction ID: ce7e1e8e3a5595104071278e031e90d6bbad9e6c4cd114c21e3b1bbe76aae08c
Opcode Fuzzy Hash: 409eaf04cde3cde34cbffe1be5ae0dd96825daaeda55dd551144e21466a73c62
Instruction Fuzzy Hash: 4C71C471E0022A8FCF15DFA998503EEBBB6FF94310F144066D819B3651EB308E45CB91

Function 00C2AFCF Relevance: 5.2, Strings: 4, Instructions: 165COMMON

Download Yara Rule

Strings

Haq, xrefs: 00C2B206
Haq, xrefs: 00C2B239
Haq, xrefs: 00C2B1D3
, xrefs: 00C2B065

Memory Dump Source

Source File: 00000003.00000002.3484828761.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c20000_server01.jbxd

Similarity

API ID:
String ID: $Haq$Haq$Haq
API String ID: 0-432640594
Opcode ID: 45116ad4bb5146b2c84af742083e5f083055fa23b0d3c3ea5180deb4234fab90
Instruction ID: 1c522c488b87ca4f75eb4fa0815d0482d75c93beb925f9b74afc69431573b746
Opcode Fuzzy Hash: 45116ad4bb5146b2c84af742083e5f083055fa23b0d3c3ea5180deb4234fab90
Instruction Fuzzy Hash: AB514D347045249BEF262B78681467E7B93EFD5320F644619FA32873D0CF7A9E029391

Function 00C2AFF9 Relevance: 5.2, Strings: 4, Instructions: 154COMMON

Download Yara Rule

Strings

, xrefs: 00C2B015
Haq, xrefs: 00C2B206
Haq, xrefs: 00C2B239
Haq, xrefs: 00C2B1D3

Memory Dump Source

Source File: 00000003.00000002.3484828761.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c20000_server01.jbxd

Similarity

API ID:
String ID: $Haq$Haq$Haq
API String ID: 0-432640594
Opcode ID: 8d16b3f8bd5fe9d072eae3df2095620c5167a95e60561d6803013ee17aa3a260
Instruction ID: 36a3c71eaebd75e187e3c5af34de1bae18b151c851f64a3d607b7e905fa2de00
Opcode Fuzzy Hash: 8d16b3f8bd5fe9d072eae3df2095620c5167a95e60561d6803013ee17aa3a260
Instruction Fuzzy Hash: 475108347041249BEF156F74A8543BE3B92EF95321F648519EA368B3C1CF799E02C781

Function 00C23F78 Relevance: 2.6, Strings: 2, Instructions: 124COMMON

Download Yara Rule

Strings

PH]q, xrefs: 00C240F2
PH]q, xrefs: 00C240E1

Memory Dump Source

Source File: 00000003.00000002.3484828761.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c20000_server01.jbxd

Similarity

API ID:
String ID: PH]q$PH]q
API String ID: 0-1166926398
Opcode ID: cb82defb7cb771c3309000ab386bff70400bd9add79e6b34d62c78a17d895799
Instruction ID: 90acf2072d40c59b5057400447c80b490ade972af66bdc277915165c55032b91
Opcode Fuzzy Hash: cb82defb7cb771c3309000ab386bff70400bd9add79e6b34d62c78a17d895799
Instruction Fuzzy Hash: 5551D374E00258DFDB08DFA9E994A9DBBF2FF89300F10846AE815AB364DB349945CF10

Function 00C22C78 Relevance: 2.6, Strings: 2, Instructions: 120COMMON

Download Yara Rule

Strings

Xaq, xrefs: 00C22CBE
Xaq, xrefs: 00C22C95

Memory Dump Source

Source File: 00000003.00000002.3484828761.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c20000_server01.jbxd

Similarity

API ID:
String ID: Xaq$Xaq
API String ID: 0-1488805882
Opcode ID: 0f59c2e2e7e2d30b5434e490c4990e1d529fba542cb6b2bb5b6f885cd4141eb9
Instruction ID: 8dadd0b91e31a2212e9c72b3df946364768f2e52ef85c3d8049cc49740b01e12
Opcode Fuzzy Hash: 0f59c2e2e7e2d30b5434e490c4990e1d529fba542cb6b2bb5b6f885cd4141eb9
Instruction Fuzzy Hash: 67310535B042359BEF1C5A6AA99427EA6EAFFC4310F14403AD812D3B94DF78CD46C291

Function 00C2B869 Relevance: 2.6, Strings: 2, Instructions: 101COMMON

Download Yara Rule

Strings

8bq, xrefs: 00C2B941
TJbq, xrefs: 00C2B97A

Memory Dump Source

Source File: 00000003.00000002.3484828761.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c20000_server01.jbxd

Similarity

API ID:
String ID: 8bq$TJbq
API String ID: 0-3440557903
Opcode ID: 654404d19b0a9e3e85f14e040038ce12fa5eac14dc45b480c26ae94a18a51504
Instruction ID: b0d3aa601fb524e2d4abe75167297123958130b7ac2405731c47e23d05570650
Opcode Fuzzy Hash: 654404d19b0a9e3e85f14e040038ce12fa5eac14dc45b480c26ae94a18a51504
Instruction Fuzzy Hash: BF312635B001198FCB04EFA8D581E9DBBB6EF88320F195454E505AB365CB71ED85CB91

Function 00C2B89D Relevance: 2.6, Strings: 2, Instructions: 100COMMON

Download Yara Rule

Strings

8bq, xrefs: 00C2B941
TJbq, xrefs: 00C2B97A

Memory Dump Source

Source File: 00000003.00000002.3484828761.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c20000_server01.jbxd

Similarity

API ID:
String ID: 8bq$TJbq
API String ID: 0-3440557903
Opcode ID: fce9ab95dca6bbc48818e402d2d3fb03b744fcfc75906b705c06d59c300e7c7b
Instruction ID: 61a51045ebaf56959ffb62d7eba242274a5e546daa29d0afa6bb5edda7148d31
Opcode Fuzzy Hash: fce9ab95dca6bbc48818e402d2d3fb03b744fcfc75906b705c06d59c300e7c7b
Instruction Fuzzy Hash: EA313535B001198FCB44EFA8D980E9EBBB6EF88320F195454E505AB376CB71ED85CB91

Function 00C20B20 Relevance: 1.5, Strings: 1, Instructions: 208COMMON

Download Yara Rule

Strings

LR]q, xrefs: 00C20B62

Memory Dump Source

Source File: 00000003.00000002.3484828761.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c20000_server01.jbxd

Similarity

API ID:
String ID: LR]q
API String ID: 0-3081347316
Opcode ID: 4886f814d886db0b659eba9d3dae84597f07aa255342bbbc66d3a8ed75148317
Instruction ID: 54fa609315f7e4153b2098c2a86e4e76a5ddc16b22ace630ae683973944c308a
Opcode Fuzzy Hash: 4886f814d886db0b659eba9d3dae84597f07aa255342bbbc66d3a8ed75148317
Instruction Fuzzy Hash: 59A1E1B8A01209CFDF05EFB8E98599DBBB5FF88305B108529D415AB369DB346D46CF80

Function 00C20B30 Relevance: 1.4, Strings: 1, Instructions: 200COMMON

Download Yara Rule

Strings

LR]q, xrefs: 00C20B62

Memory Dump Source

Source File: 00000003.00000002.3484828761.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c20000_server01.jbxd

Similarity

API ID:
String ID: LR]q
API String ID: 0-3081347316
Opcode ID: 43be138a9b0ecfdee2c202a35753e2e803094afd06879f27255ff19a8969a745
Instruction ID: 45571e77575cb29c2f7beca8582f8cfb0a6569e28e29d0fcbd5d40933a6a19c5
Opcode Fuzzy Hash: 43be138a9b0ecfdee2c202a35753e2e803094afd06879f27255ff19a8969a745
Instruction Fuzzy Hash: 94A1CFB8A01209CFDF05EFB8E98599DBBB5FF88305B108529D415AB369DB386D45CF80

Function 00C2BC28 Relevance: 1.4, Strings: 1, Instructions: 150COMMON

Download Yara Rule

Strings

Haq, xrefs: 00C2BD2D

Memory Dump Source

Source File: 00000003.00000002.3484828761.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c20000_server01.jbxd

Similarity

API ID:
String ID: Haq
API String ID: 0-725504367
Opcode ID: 38b5ff14fec5d323c58817619ac57656356c7684597fb5f4604b1c5de946b736
Instruction ID: e3daef2b38c9ea37b3002e975faee5f9613fd57d301be8f9436a186ada0f1046
Opcode Fuzzy Hash: 38b5ff14fec5d323c58817619ac57656356c7684597fb5f4604b1c5de946b736
Instruction Fuzzy Hash: B7411231B042189FCB14EBB9E8556AE3FBAEF89300F1444BAE509DB652DE35ED01C790

Function 00C2BDE8 Relevance: 1.3, Strings: 1, Instructions: 87COMMON

Download Yara Rule

Strings

Haq, xrefs: 00C2BE36

Memory Dump Source

Source File: 00000003.00000002.3484828761.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c20000_server01.jbxd

Similarity

API ID:
String ID: Haq
API String ID: 0-725504367
Opcode ID: 7952342ce53fbd1628c7ec07fd80c6d1edbafb5f3cd45e0f49b6e0f4e2820817
Instruction ID: 7f10bd49345fa35a57a4c864cc28978f9a741d4155891610175a24ba8d69b6db
Opcode Fuzzy Hash: 7952342ce53fbd1628c7ec07fd80c6d1edbafb5f3cd45e0f49b6e0f4e2820817
Instruction Fuzzy Hash: A231B6347042049FD704DF79D991A6E7BB6FF89300F2584A9EA0597765CF319E02C790

Function 00C2BF80 Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3484828761.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c20000_server01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a081be4a6548770e913a3a54ce8b6ecfe1709075343ad9d2922023a7830baca
Instruction ID: 6c2c2aa6fd4ade1dfa58dc08946571e82240062bd01700d24df1173dcb64201f
Opcode Fuzzy Hash: 8a081be4a6548770e913a3a54ce8b6ecfe1709075343ad9d2922023a7830baca
Instruction Fuzzy Hash: 5461E576B006159FC714DA7DE8949AFBBB9EFC8321B14853AE429D7B41D631DC01C7A0

Function 00C23158 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3484828761.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c20000_server01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3871b3b63cec779f5bb76ab05489c2d92e952c8141d6135c5810c0c6d3278c8
Instruction ID: 931e819ac3d953de5b9fc30ae091350f5533e59809ac4bef5baf8663f805bc67
Opcode Fuzzy Hash: f3871b3b63cec779f5bb76ab05489c2d92e952c8141d6135c5810c0c6d3278c8
Instruction Fuzzy Hash: 3E41C5B4E01218DFCB48DFA9E89499DBBB2FF89300F249429E805B7365DB349945CF14

Function 00C23168 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3484828761.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c20000_server01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 563cba9ae78fbf6c5af06c5cf339412a03dae22680e4075110c2467ab54878ad
Instruction ID: 07ccf2aca7ed76733ead6c00fc2330bac89d8f890a37a9f91b2a737d8e10d47a
Opcode Fuzzy Hash: 563cba9ae78fbf6c5af06c5cf339412a03dae22680e4075110c2467ab54878ad
Instruction Fuzzy Hash: C741A5B4E01218DFCB08DFAAE89499DBBB2FF89300F249429E805B7365DB345945CF14

Function 00C29249 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3484828761.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c20000_server01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 912ebc28e9ef4fbcb4f82bb1dfb94b26cb27eb89b1036f28d932c854b4759db8
Instruction ID: a2d276758a3dbce46b5e9e4fbe90022252fde57e78109b53d527afdcc6ce8e04
Opcode Fuzzy Hash: 912ebc28e9ef4fbcb4f82bb1dfb94b26cb27eb89b1036f28d932c854b4759db8
Instruction Fuzzy Hash: 5931C17442262A9FD2282F32A7AD13A7BB4FB0F3137486D01E14EC051A9B7A3844CF10

Function 00C218C8 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3484828761.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c20000_server01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 862f0c0ffc4a7106613cd398624f8d7446dbcc5863dd07a51a3ee916481c6476
Instruction ID: 6ddd4d9e51e822585a354d10a3cc1da2a492026e41ab58f125b8518e3f7fb13b
Opcode Fuzzy Hash: 862f0c0ffc4a7106613cd398624f8d7446dbcc5863dd07a51a3ee916481c6476
Instruction Fuzzy Hash: 7221A435A00115AFCB14EF64D4509AE37A5FFA9354B28C419DC1D9B340EB35EE4ACBD2

Function 00BCD006 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3484065396.0000000000BCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BCD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bcd000_server01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e64d5c861838d9b88fa4df010eb81eb75cf5c5a71ea9072a8dbe3df87d12bf5
Instruction ID: 5aefe5c93316d02036155663d0a5764bc206b03a99e29ccf46ca7f3376a283a5
Opcode Fuzzy Hash: 3e64d5c861838d9b88fa4df010eb81eb75cf5c5a71ea9072a8dbe3df87d12bf5
Instruction Fuzzy Hash: 3821737550D3C49FC713CB24D9A0B11BF71EB46314F28C5EBD9858B2A7C23A980ACB62

Function 00BCD030 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3484065396.0000000000BCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BCD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bcd000_server01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8480e54b8a9af99421b1e6af11e6fa7ca8b88bc04a66747c342596d6f1a3c3a4
Instruction ID: 154a0d8fb44c74d9d8185543507bc4204f62ac7f532897d74b79a09b98f7a5e7
Opcode Fuzzy Hash: 8480e54b8a9af99421b1e6af11e6fa7ca8b88bc04a66747c342596d6f1a3c3a4
Instruction Fuzzy Hash: 78210479604204EFCB14DF18D9D0F26BBA5FB84314F24C6BED9494B296C33AD847CA62

Function 00C20EC8 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3484828761.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c20000_server01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c9ff52d2895d3e4ddcbf0f5081b39a70ccb2049c2d9b7df56f18bdb5c424453
Instruction ID: 4673bd4095e8c092f2ed1de0eb46d4ffcade04a3a48bea4a0011ebf845e79cd4
Opcode Fuzzy Hash: 3c9ff52d2895d3e4ddcbf0f5081b39a70ccb2049c2d9b7df56f18bdb5c424453
Instruction Fuzzy Hash: 42219D70A002189FDB05EFB8D4517AEBBB2EF84704F10C4BA94145B795DB749A45CF41

Function 00C217B8 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3484828761.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c20000_server01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f418ec554d0b45247078602851f951fc04956b2e0a99a4a9e01305f3a071b817
Instruction ID: 9367508424e79334fa08be81af51ab5d9bd27f17846cff19fcdb4a6ec4a798e6
Opcode Fuzzy Hash: f418ec554d0b45247078602851f951fc04956b2e0a99a4a9e01305f3a071b817
Instruction Fuzzy Hash: 042118B9C052198FCB01DFA9D9945EEBFF0FF09300F14416AD809B7261EB345A45CBA5

Function 00C2BB48 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3484828761.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c20000_server01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f676d51b5c547d76930a9687fc6d4b094d4a4c4958c956865eaeb2c3855080e
Instruction ID: b58289f979df1f7852f4cdb93476c8262d7df68c56154ec1d57f0ad56f29f71a
Opcode Fuzzy Hash: 6f676d51b5c547d76930a9687fc6d4b094d4a4c4958c956865eaeb2c3855080e
Instruction Fuzzy Hash: 27118C323002148FD714DB69E984E66B7E6FF88721B20847AE659CB765CB71ED04CB50

Function 00C24850 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3484828761.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c20000_server01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5dc4a84fc3c03e98cb2c648a5a3703b505d6d918e0c8f114e0c04c421f6f53f
Instruction ID: 70244def9c4e3a82d7bb0c6ef2fdc8eadb2f3e0e4cf44448636ec4dec802120a
Opcode Fuzzy Hash: a5dc4a84fc3c03e98cb2c648a5a3703b505d6d918e0c8f114e0c04c421f6f53f
Instruction Fuzzy Hash: 32012432F003215FE7289B79985463A37EBAFC4628311453AC909C73A4FE74DC028742

Function 00C2BB37 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3484828761.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c20000_server01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dadfde760b43f0a46d27073f448daff6bb87fd1479027b41f40465b75c39e3ae
Instruction ID: 28782f68d53d3cddd26d9f4c0fdcaa495bdcdc94e7a123dc782d0fc63db11847
Opcode Fuzzy Hash: dadfde760b43f0a46d27073f448daff6bb87fd1479027b41f40465b75c39e3ae
Instruction Fuzzy Hash: 6F115B317002108FD714DB2AE984B6677E5FF89B21F248469E5598B765CB71ED00CB50

Function 00C24860 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3484828761.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c20000_server01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f10260202de664677b1e82103b1eed43795e980bec8269d1e0240f7c676b3aea
Instruction ID: a0cf54dfa572404254b23cbfce5399720f38f08f51fc3e982845df8ef822a59d
Opcode Fuzzy Hash: f10260202de664677b1e82103b1eed43795e980bec8269d1e0240f7c676b3aea
Instruction Fuzzy Hash: FB01D136B003215FE718ABBA985463F76EBAFC4A683118539D909C7354FE70DD028B92

Function 00C2A508 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3484828761.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c20000_server01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31253fbbb4d10ed0949ee4747921a43850c4fa3203f47a0ffca0dfd5a3d70e9c
Instruction ID: 2f24abc5f32d487b4585170326c2ac94221a64452a0b5e1ec65eaeafc9422f82
Opcode Fuzzy Hash: 31253fbbb4d10ed0949ee4747921a43850c4fa3203f47a0ffca0dfd5a3d70e9c
Instruction Fuzzy Hash: 69018C71A002199FCB649F6AE9485AF7BB9FB88311B004039EA1A97241DA359D10CBA2

Function 00C2A4F9 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3484828761.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c20000_server01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7422e954835bc932c6939eea26ecf19943c28afb7afe3efe31c24aef52e5a847
Instruction ID: 218f538da9ed9dbfa80091a59ae163e3a2c76f54de6fd07cb5bf649634121009
Opcode Fuzzy Hash: 7422e954835bc932c6939eea26ecf19943c28afb7afe3efe31c24aef52e5a847
Instruction Fuzzy Hash: 5F017C71A0061A9FCB64DFB9E9549AF7FB5FF88311B10403AE91AD3241DB358E10CB92

Function 00C2BEF8 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3484828761.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c20000_server01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f12ae28ddb77a8b83632c6a6a8d41ab90545bfd6065089188154228fbb227d10
Instruction ID: 31b3d4fd0aedc5dccb71c8bea9b6b128c5923b1d110f2d0adfb638d93e194de0
Opcode Fuzzy Hash: f12ae28ddb77a8b83632c6a6a8d41ab90545bfd6065089188154228fbb227d10
Instruction Fuzzy Hash: 2DF046353003544BCB252B79ED0857E3F9AEBC9711B14046AEA0AC7385DE3BCD42C780

Function 00C20FB8 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3484828761.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c20000_server01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7dba16e8e61274afd1b3a432f916c69cc16c9f899ae7708afbf786da9a12f89
Instruction ID: 2e6fea66d7c599f4f5002a8c679b8ed4e0b307d73837cbb7d18ed57081ea22b8
Opcode Fuzzy Hash: d7dba16e8e61274afd1b3a432f916c69cc16c9f899ae7708afbf786da9a12f89
Instruction Fuzzy Hash: 46F059326D82248FCB38D9E5B2424F87739EEA2300B3041BBD85586A43DB319D06C640

Function 00C2C1B0 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3484828761.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c20000_server01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4f3e7d078eb56576f0be1c62c0756d8094ca7ecf1470db08fd93b673f0a5c2c
Instruction ID: 23bfc61bd5d83e09a81bad1f89ba5bfec6048505b153d3d459a6d6f6ba002f87
Opcode Fuzzy Hash: b4f3e7d078eb56576f0be1c62c0756d8094ca7ecf1470db08fd93b673f0a5c2c
Instruction Fuzzy Hash: 44F02032B006208BCB19666AF46196EB7AADFC4331710007AF008EB751CF32DC0287A0

Function 00C2B9EB Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3484828761.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c20000_server01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e61663f8581c860532c93f5740b9a8b3c63c2d7bd50a31f85e9fd39470f4897b
Instruction ID: 41b6ab5ef69b467015e5aa29520c15937069f0a39f02c2f8aaa35f2e818319ed
Opcode Fuzzy Hash: e61663f8581c860532c93f5740b9a8b3c63c2d7bd50a31f85e9fd39470f4897b
Instruction Fuzzy Hash: A1F09675900218AF8750DF6ED84199FBBF9FF88350B144526E549E3211D77099069BE1

Function 00C246C9 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3484828761.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c20000_server01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b734c8365bde5e549edfb982f59bc8426d7688a5c5a1fe45c2d34e006eab1ed5
Instruction ID: 60912b2d5bc14a811f5457892e4af9feacba52b9b7fded8d095fba6f5e6a270b
Opcode Fuzzy Hash: b734c8365bde5e549edfb982f59bc8426d7688a5c5a1fe45c2d34e006eab1ed5
Instruction Fuzzy Hash: 31E0C974566B428FE3252B20ADADB6A7B31EB1F313B846C55E04AC2071DF342485CB15

Function 00C2B9F8 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3484828761.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c20000_server01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7baa83e5d20b130348c0a73dd4bc30264e16feae919ccb92305146cfd05e28e
Instruction ID: c6aeb40d2af92a752e5c26064455f4ec471b85388ded86873104bbc6455845b1
Opcode Fuzzy Hash: c7baa83e5d20b130348c0a73dd4bc30264e16feae919ccb92305146cfd05e28e
Instruction Fuzzy Hash: 8CF08271E002089F8B50DFAEE84199FBBF9FF88350B10453AD509D3615E7709A15DBE1

Function 00C246D8 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3484828761.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c20000_server01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8eef41c03aa1f31d04a6c77153d99a01ade91b5b9870a0f979edcce2fe5292e7
Instruction ID: eccb067566c1dc5fa168aa82752dbfd7138e4f4d8455a52479c7c56d69450038
Opcode Fuzzy Hash: 8eef41c03aa1f31d04a6c77153d99a01ade91b5b9870a0f979edcce2fe5292e7
Instruction Fuzzy Hash: C7E00274022B068FD7242B64B9ACB3A7A65FB1F317B806D10E05E824319F717494CA54

Function 00C21877 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3484828761.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c20000_server01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76ffef6372cdbe049c5efdf72852751374a3f67f573a160a26226a45e1945642
Instruction ID: 12371de12bec495019b47aeb2117493c26db6ac8530febbf1e9240f67bcf6f16
Opcode Fuzzy Hash: 76ffef6372cdbe049c5efdf72852751374a3f67f573a160a26226a45e1945642
Instruction Fuzzy Hash: F7E08636D70626CBD702ABB1A8420DDBB35ED91225B558267C02836551EB30265F8AA1

Function 00C21888 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3484828761.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c20000_server01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aca52c484ac0200c70a9f9c4ad265c17d41dee3c9a5ad0add2d8472cc5923192
Instruction ID: 2d6707e3fd42b7d1f3103e89c27e73df1d19edefd0e9b4ef59037cf632b731a8
Opcode Fuzzy Hash: aca52c484ac0200c70a9f9c4ad265c17d41dee3c9a5ad0add2d8472cc5923192
Instruction Fuzzy Hash: 67D05B31D2022B97CB11E7A5DC044DFF738EED5265B504626D51837140FB703659C6E1

Function 00C24831 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3484828761.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c20000_server01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 730369ed8c8d26f90bb27cbc768ee3f33fe26d903c4b48d20d1c09c978bb69e9
Instruction ID: 3e7987b8045c2d22ae4058c598ff92de43f9617245a5f08d7399e554d30a4c20
Opcode Fuzzy Hash: 730369ed8c8d26f90bb27cbc768ee3f33fe26d903c4b48d20d1c09c978bb69e9
Instruction Fuzzy Hash: D4B09BB550D2C05FFF0B563114350657F20AD13300B5605DFC08281043F4195506C716

Non-executed Functions

Function 00C21A40 Relevance: 5.1, Strings: 4, Instructions: 99COMMON

Download Yara Rule

Strings

Xaq, xrefs: 00C21B2F
Xaq, xrefs: 00C21A76
Xaq, xrefs: 00C21B7C
Xaq, xrefs: 00C21AB0

Memory Dump Source

Source File: 00000003.00000002.3484828761.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c20000_server01.jbxd

Similarity

API ID:
String ID: Xaq$Xaq$Xaq$Xaq
API String ID: 0-4015495023
Opcode ID: a67330fcc58825657c1d9b5f3ae4a1a931c7c4dc81a68bf49df7900e08c043ca
Instruction ID: 442ed92a745551e932d55425a16c7a591381ae22c22c713b0b1c1dd64c70abbd
Opcode Fuzzy Hash: a67330fcc58825657c1d9b5f3ae4a1a931c7c4dc81a68bf49df7900e08c043ca
Instruction Fuzzy Hash: FA31B670E0023A8BDF64CFA9994136EB7B6BF94310F194075C825A7655EB30CE85DB92

Analysis Process: powershell.exePID: 3504, Parent PID: 1628COMMON

Executed Functions

Function 041FB470 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2317651978.00000000041F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_41f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21f7704b07f4caa1bd2ada2172d392d1f81cb5b59d517b7c8d70f84a50772e0f
Instruction ID: ba844396a24d88c3509464c498c56802d3c1b04c956475caff8fa585f6cdc372
Opcode Fuzzy Hash: 21f7704b07f4caa1bd2ada2172d392d1f81cb5b59d517b7c8d70f84a50772e0f
Instruction Fuzzy Hash: 679164B0B006155BEB19EFB488515AEB7E2EFC4608B00C51DD54AAB344EF34AD06CBD6

Function 041FB490 Relevance: .3, Instructions: 252COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2317651978.00000000041F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_41f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 617661e2cd2014e6a3df99fa9a40dbb9c936db3a47aee1f1a2624ee0d9fe0db6
Instruction ID: 1a8c46427b45a4c3763f8e554c68541f96715c80be5224e6471bc6e1740dd34e
Opcode Fuzzy Hash: 617661e2cd2014e6a3df99fa9a40dbb9c936db3a47aee1f1a2624ee0d9fe0db6
Instruction Fuzzy Hash: E69153B0B006155BEB19EFB488515AEB7E2EFC4608B00C52DD54ABB744EF34AD06CBD6

Function 070C3CE8 Relevance: 5.6, Strings: 4, Instructions: 588COMMON

Download Yara Rule

Strings

4']q, xrefs: 070C4180
4']q, xrefs: 070C418A
4']q, xrefs: 070C4026
4']q, xrefs: 070C4030

Memory Dump Source

Source File: 00000004.00000002.2336655844.00000000070C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_70c0000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$4']q$4']q$4']q
API String ID: 0-1785108022
Opcode ID: e10cb7870eb053857c7c81a7c95a697911db310a17bb14209a43a569bc215b2f
Instruction ID: 435b2123034057974e89f9b67e62fb25119ebfabaa16a3d4debe36ab762d7f6e
Opcode Fuzzy Hash: e10cb7870eb053857c7c81a7c95a697911db310a17bb14209a43a569bc215b2f
Instruction Fuzzy Hash: CC1276B1B142468FCB55DB7898216AEBFE2AFC5310F24857FE901CF291DA31C845C7A2

Function 070C17B8 Relevance: 2.8, Strings: 2, Instructions: 332COMMON

Download Yara Rule

Strings

dl, xrefs: 070C193A
dl, xrefs: 070C192C

Memory Dump Source

Source File: 00000004.00000002.2336655844.00000000070C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_70c0000_powershell.jbxd

Similarity

API ID:
String ID: dl$dl
API String ID: 0-300489066
Opcode ID: 4d8c92419514f3210250f8b99f31cd35b4e6cbfb3d89d9752311c6f18273fad7
Instruction ID: 290349e0fdad3af8a68d951d45cd2e0f1084d07ac6338e73cf51f0e2f13bc74e
Opcode Fuzzy Hash: 4d8c92419514f3210250f8b99f31cd35b4e6cbfb3d89d9752311c6f18273fad7
Instruction Fuzzy Hash: E5B126F170420A9FCB54DF6D85106AEBBE6EF86310F18C2AED515CB252DB31D845CBA2

Function 041F6FE0 Relevance: 1.4, Strings: 1, Instructions: 114COMMON

Download Yara Rule

Strings

(aq, xrefs: 041F7105

Memory Dump Source

Source File: 00000004.00000002.2317651978.00000000041F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_41f0000_powershell.jbxd

Similarity

API ID:
String ID: (aq
API String ID: 0-600464949
Opcode ID: 315f1c4d18fd2ca41933ba0f7ea6707312fd5d3d9fbae579d4a04aa4db67dfa4
Instruction ID: a80e760f3960416308a4524b837d18d5f8b3ce234ec4d849ea634b774f1eaaff
Opcode Fuzzy Hash: 315f1c4d18fd2ca41933ba0f7ea6707312fd5d3d9fbae579d4a04aa4db67dfa4
Instruction Fuzzy Hash: FF412F34B041058FD719DFA8C894AAABBF1EF8E314F1544A9D916AB391DB35EC02CB61

Function 041FAF98 Relevance: 1.3, Strings: 1, Instructions: 81COMMON

Download Yara Rule

Strings

(&]q, xrefs: 041FAFBA

Memory Dump Source

Source File: 00000004.00000002.2317651978.00000000041F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_41f0000_powershell.jbxd

Similarity

API ID:
String ID: (&]q
API String ID: 0-1343553580
Opcode ID: b89a7db6a9fb3a7b5439b31eb1480b6b9a68c7998afce75ad99ef079e0232998
Instruction ID: efb718ef0a18988328135fa447fa2303c32efbee5278993c26c8643598411da2
Opcode Fuzzy Hash: b89a7db6a9fb3a7b5439b31eb1480b6b9a68c7998afce75ad99ef079e0232998
Instruction Fuzzy Hash: 7121D371A042588FCB14DB9ED45069EBFF5EF89320F14846AD508A7340CB78A805CBA5

Function 041F29F0 Relevance: .2, Instructions: 209COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2317651978.00000000041F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_41f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71628aac602613ff2f450b89de1091543967da83b48e77b43ab2c1d862b23b81
Instruction ID: 083e7f5d334fc908fd33d92a7d56bcc68df2208920fb97556f7201f0793c998a
Opcode Fuzzy Hash: 71628aac602613ff2f450b89de1091543967da83b48e77b43ab2c1d862b23b81
Instruction Fuzzy Hash: F5917A74A002059FCB15CF58C9D49AAFBB1FF88310B258599D915AB3A5C736FC92CBA0

Function 041F7740 Relevance: .2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2317651978.00000000041F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_41f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2a3bbf261feff126b33df7d81ac64adb4268e67d01b9daaa2e2fac1c8d1e9fd
Instruction ID: e2df43577e1c7dc339d847b809f2ef4d838a181d9bb0326ec2505d3b210cdb41
Opcode Fuzzy Hash: a2a3bbf261feff126b33df7d81ac64adb4268e67d01b9daaa2e2fac1c8d1e9fd
Instruction Fuzzy Hash: 8B51D3353042059FD705DB79DC84A6B7BEAFF88214B1585AAE515CB391EB31EC02CB50

Function 070C28E8 Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2336655844.00000000070C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_70c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f33aa9a6b51adbf4789511c91198f96a10b58f8420321fcc6701e61c402eb5d
Instruction ID: 67649fc053ea3f8630849a08d5315505e2416b160b665946f6e0b3e7cce93ce7
Opcode Fuzzy Hash: 7f33aa9a6b51adbf4789511c91198f96a10b58f8420321fcc6701e61c402eb5d
Instruction Fuzzy Hash: 0E5157B07143459FC761DB6889517AEBBE6EF8A310F0441BED606CB692CA31CC02C7B2

Function 041FBAC0 Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2317651978.00000000041F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_41f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fc0d91d661b0d652484472d0512f1e902e68fe1abb2d0a066760b86ee318f66
Instruction ID: 2775bae16fb53a473f0eb0175d4b3cef2479ca4ab04508644bdf838e6d3fc663
Opcode Fuzzy Hash: 2fc0d91d661b0d652484472d0512f1e902e68fe1abb2d0a066760b86ee318f66
Instruction Fuzzy Hash: EE6128B1E00248DFCB14DFA9C984B9DBBF5FF88310F15816AE919AB254EB34AC41CB50

Function 041FBAB0 Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2317651978.00000000041F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_41f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b83b6c04aea8a5385da00e68e381d195fa5b72096342bc7d9e13bc6b6990e04
Instruction ID: 5676ac940c9b63a64b1558e37e83717de168f92d34cba6130c415430103c6546
Opcode Fuzzy Hash: 3b83b6c04aea8a5385da00e68e381d195fa5b72096342bc7d9e13bc6b6990e04
Instruction Fuzzy Hash: 715128B0E00248DFCB14DFA9D984A9DBFF5EF88310F148069E919AB354EB34AC46CB50

Function 070C271F Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2336655844.00000000070C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_70c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a26ce61243141d67d39e8a222c4ba6fdfdcb393e25d7ac6a47c45e2eb3e96af7
Instruction ID: c4f4bda209cf9abac1833bbfb11ee9f9330e08b416ede2ecdaad94249a1cb848
Opcode Fuzzy Hash: a26ce61243141d67d39e8a222c4ba6fdfdcb393e25d7ac6a47c45e2eb3e96af7
Instruction Fuzzy Hash: D94168B5700206DFCB50DFA885916AEBBD6FF89311F04826EE9129FA91CB31CC45C761

Function 041F2B00 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2317651978.00000000041F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_41f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ee2ee01c8c852c0650a2ae1c6f8fea9ea5947a1b983b815275545d0f79de927
Instruction ID: a7784a888e2f1d620914c5eaf531785eefc5afd395540dadcecf6dc71a6bc71d
Opcode Fuzzy Hash: 4ee2ee01c8c852c0650a2ae1c6f8fea9ea5947a1b983b815275545d0f79de927
Instruction Fuzzy Hash: 7B412674A006059FCB05CF58C5D89AAFBB1FF48310B1585A9D955AB364C732FC92CBA4

Function 041FC388 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2317651978.00000000041F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_41f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b58e87237a23f635eb80d37f85b7b04c15b03080bea646f5e9c98a919c0af74
Instruction ID: 9cd57ef46f3b3a96c7faa65a7334a8f50b387751fc0f68ea9d2cfed3fd13e27b
Opcode Fuzzy Hash: 4b58e87237a23f635eb80d37f85b7b04c15b03080bea646f5e9c98a919c0af74
Instruction Fuzzy Hash: 59317C313006019FD709DB78E994B9AB79AEFC8314F048679D60ACB364EF75AC06CB91

Function 041F6FD1 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2317651978.00000000041F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_41f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ce5cb5d5426d0e03bb18d60de04d71fe457d52a5bdc7cff80607c7aa859d0bb
Instruction ID: 2ca80dda6e674750c24b44cbc49f715e32818d596ff3501f65349f50c3eea709
Opcode Fuzzy Hash: 3ce5cb5d5426d0e03bb18d60de04d71fe457d52a5bdc7cff80607c7aa859d0bb
Instruction Fuzzy Hash: 33311E74B001458FCB15CFA4C994AA9BBF1EF8E315F1540A8E916AB391DB35EC02CB61

Function 041FAE60 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2317651978.00000000041F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_41f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d3f533eb4767115f82010f5d41061efed1ec8382bbef9cb02c7478f5ad14e39
Instruction ID: 1bd90bba8ac19100ebd39ed63c70daac057143aa9290b07b5f25b402e9c182f8
Opcode Fuzzy Hash: 6d3f533eb4767115f82010f5d41061efed1ec8382bbef9cb02c7478f5ad14e39
Instruction Fuzzy Hash: 8C3172B0A002099FDB08DFB9D8957AD7FF6AF88350F148069E505EB754EB389C428B91

Function 041FAD28 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2317651978.00000000041F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_41f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9634406509c7301a3c0bb26fcb42c5d75b7690cde4581fe8231e0b57695870ac
Instruction ID: 065b6da74d00a325293805167c210a8790d581f710ad5fc3bad8e1c4b2458288
Opcode Fuzzy Hash: 9634406509c7301a3c0bb26fcb42c5d75b7690cde4581fe8231e0b57695870ac
Instruction Fuzzy Hash: 883163B4A002059FEB04DFA4D855AEF7BF6EF84304F118469D614BB395DA38AD018F61

Function 041FE049 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2317651978.00000000041F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_41f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 090e0853be3f7e6eb0a88f6e608ce0caf618383be090582ef41f5e4483df056a
Instruction ID: 93ae161f660f72b4d0a6c1cd5c05968b865a710cb9b28064846aaa404ff5d7d6
Opcode Fuzzy Hash: 090e0853be3f7e6eb0a88f6e608ce0caf618383be090582ef41f5e4483df056a
Instruction Fuzzy Hash: FA312B71A00204DFDB14DF69D498AAEBBF2EF89314F144569D806E73A0DB38AC81CB91

Function 041FAE70 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2317651978.00000000041F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_41f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 651dfdfa789c56f76fef3d5795b5b8b017ee74aea9ae7478c61013b4eafcebe0
Instruction ID: ea1a9d54aada7f00c6b7e081dc9fe5a5473a26d222a9cda45dd715f5b43e4782
Opcode Fuzzy Hash: 651dfdfa789c56f76fef3d5795b5b8b017ee74aea9ae7478c61013b4eafcebe0
Instruction Fuzzy Hash: AD3141B0A002099FDB08DFA9C5947AE7BF6AF88344F148069E505EB354EB389C028B51

Function 041FE058 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2317651978.00000000041F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_41f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cadd03d3359e29cb49b0c42563b9bd39ea6621a12f027f0d20135bf4be974e3c
Instruction ID: 6fa690bfcebdc0b8152ead52e9b5b8d98aaf7e6007751f9bd182ea098301fe85
Opcode Fuzzy Hash: cadd03d3359e29cb49b0c42563b9bd39ea6621a12f027f0d20135bf4be974e3c
Instruction Fuzzy Hash: 7E310971A00204DFDB14DF69D498A9EBBF2EF88314F144569D806E73A0DB78AC81CB90

Function 041F93F0 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2317651978.00000000041F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_41f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6dbebbc433bcea9403f7e902e6a843d852464c8b14217559ffdd5e87c5306914
Instruction ID: 704d3080b4e48c34306a23b5ea96da73a53a414a83f015cac8586ba57711fcb4
Opcode Fuzzy Hash: 6dbebbc433bcea9403f7e902e6a843d852464c8b14217559ffdd5e87c5306914
Instruction Fuzzy Hash: F031AEB19117448EDB60DF6AD4883CAFFF2EF88320F28C45AD54DA7215D7746482CB61

Function 041FAD38 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2317651978.00000000041F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_41f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 662ce1295f502cc64c044a17e2dc49dcc85aebfcca816203c0893c0e5846f870
Instruction ID: b8b3862bbc487488b709267abcd2505c1aded40490e569b4477dfc029bdeee1d
Opcode Fuzzy Hash: 662ce1295f502cc64c044a17e2dc49dcc85aebfcca816203c0893c0e5846f870
Instruction Fuzzy Hash: 2C312FB4A002099FEB04EFA4D855BAF77B6EF88304F118469D615BB394DA35ED018F51

Function 0409F3D8 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2317235578.000000000409D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0409D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_409d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17c82dd811b5d8b07365937a23d120c51218c104e1228a9775cd16302e90f52b
Instruction ID: 9c3557375c79b40e1b3ee772728253e1414e1ea748bcddc0572b751702121ce6
Opcode Fuzzy Hash: 17c82dd811b5d8b07365937a23d120c51218c104e1228a9775cd16302e90f52b
Instruction Fuzzy Hash: 1B21F771600201DFDF05DF54D9C0B26BFE5FB88314F24C5A9E9099A256C33AE856EBA2

Function 0409F02C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2317235578.000000000409D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0409D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_409d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93ae636415786b07afcbe85d8b8a2f5a0f50353c8e51a76bbf37cf6ea4695461
Instruction ID: e43fe374e86a0293a6f34a9b9be1370f7e5a3b0b7295d112d7b0c57cf6c56e65
Opcode Fuzzy Hash: 93ae636415786b07afcbe85d8b8a2f5a0f50353c8e51a76bbf37cf6ea4695461
Instruction Fuzzy Hash: 57212571604201EFCF14DF24C9C0B26BFE9FB84314F24C569DA099B256C33AE846EA62

Function 041F9400 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2317651978.00000000041F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_41f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e4c38a169232f9464a78a18acfbf6e2728b45463743d03ba871b89b0d32f2f7
Instruction ID: 4ddce033ecddbef45261c7b88ca2c5e39df26c957d4537784ec02eb9091ff8d1
Opcode Fuzzy Hash: 0e4c38a169232f9464a78a18acfbf6e2728b45463743d03ba871b89b0d32f2f7
Instruction Fuzzy Hash: A7219CB0A017448EDB60DF6AC58838AFFF6EF88310F28C05ED90DA7214D7746482CB61

Function 041F767C Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2317651978.00000000041F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_41f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cee5d44b360d757d4c0fca872bd1bfcfecee5d27ce1c70665eca5b3f254eed71
Instruction ID: 3f1edacc7804a3cabf8056839f1dbd83aefaf81e8e456692346bf71ee620af84
Opcode Fuzzy Hash: cee5d44b360d757d4c0fca872bd1bfcfecee5d27ce1c70665eca5b3f254eed71
Instruction Fuzzy Hash: 02112E75B001188FDB04DBA9E9409DD77F6EBCC225B0440A5E919DB364DB34EC168B91

Function 041FDD60 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2317651978.00000000041F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_41f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2333277cd63b007b4f3c3d32a71030ef0202df74f3b62c22eda14449928470a5
Instruction ID: 4a429d007be3d48129f4b8efa32b5a44963d79c566f9534106fc54816fd91a63
Opcode Fuzzy Hash: 2333277cd63b007b4f3c3d32a71030ef0202df74f3b62c22eda14449928470a5
Instruction Fuzzy Hash: BF11E3317002048BCB14E768E8454FDBBA2DF88221B14847AD50697352DB34AC478B90

Function 070C198F Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2336655844.00000000070C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_70c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f42ec55f0f4641464703ddbab3b5247cbbd2ff757aaad87c959ef7971c07e60c
Instruction ID: d9784bcbe7a39746438721f67e983e9cb1ae5387c32576ec01874ca547c32656
Opcode Fuzzy Hash: f42ec55f0f4641464703ddbab3b5247cbbd2ff757aaad87c959ef7971c07e60c
Instruction Fuzzy Hash: CB11B2F1A1020ADFCBA0CF5AC540B6EB7E1EF49211F0882AED6199B212D330D841CBA1

Function 070C28E7 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2336655844.00000000070C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_70c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b8fa21b677b7a9f3d4b4922e863880c531ffc0962398af46bef6090a8254a66
Instruction ID: 9edffc6f91b49d1eebc77140713fa3e8d52943409bbf5ce0f53eead209c1650a
Opcode Fuzzy Hash: 5b8fa21b677b7a9f3d4b4922e863880c531ffc0962398af46bef6090a8254a66
Instruction Fuzzy Hash: 7E11C4F1A10306DFCBA0CF59C581B6EB7E5FF45620F0882AED6199B611D731D841CBA1

Function 070C28E0 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2336655844.00000000070C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_70c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5196bc5b69deb665e555c28870c7f3ec498ee9f2fe91e747bf3f70b6238a451f
Instruction ID: a7c87847225cf666792e4f253f35e8ee61eed1ca627326e9fdcdda2ba958dd3c
Opcode Fuzzy Hash: 5196bc5b69deb665e555c28870c7f3ec498ee9f2fe91e747bf3f70b6238a451f
Instruction Fuzzy Hash: 5011B2F1A10206DFCBA0CF59C581B6EB7E1FF49620F0882AED5199B611D731D946CBA1

Function 070C1990 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2336655844.00000000070C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_70c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97191171a6f0eb70e69eef92eca912a72b1885f001a20fd2b85898379be15cc9
Instruction ID: 038cc4356d15e1acdaad4698a5664efd8404f8daee4caae4f7ed104862fde099
Opcode Fuzzy Hash: 97191171a6f0eb70e69eef92eca912a72b1885f001a20fd2b85898379be15cc9
Instruction Fuzzy Hash: 4211B2F1A1020ADFCB90CF5AC540B6EB7E1EF49211F0882AED6199B212D330D841CB91

Function 0409F3D3 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2317235578.000000000409D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0409D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_409d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 057d58c605ff61dcea1d2f362fa95e4b0c0d59dde82fc64a3d1dc629ed531e57
Instruction ID: 7328f22f6480a2b1b71029c4944e25e6343d5b91d323957501eea148f833b691
Opcode Fuzzy Hash: 057d58c605ff61dcea1d2f362fa95e4b0c0d59dde82fc64a3d1dc629ed531e57
Instruction Fuzzy Hash: 2621CD76504240DFCF06CF10D9C4B16BFB2FB88314F24C5A9D9494A256C33AD86ADBA1

Function 041FDD0F Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2317651978.00000000041F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_41f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c3d43278dc067b53176d8c8a667846ba43749aaad4cc78b2c24f3e278981d0c
Instruction ID: 0e05900d03b48104dba3b530d395ef5e8b9eb6c07754bdb2dd58674ce65f38a8
Opcode Fuzzy Hash: 5c3d43278dc067b53176d8c8a667846ba43749aaad4cc78b2c24f3e278981d0c
Instruction Fuzzy Hash: 670124317042045BCB09966DBC504FEBBAADFC9231B15847BE60AD7781DF21AC0787E1

Function 041F79C3 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2317651978.00000000041F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_41f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c77aa59a9892160509872787ca7bfd36d8b94e6b23b6ffd168fb2de312868c7
Instruction ID: 1505b226fdfeaad4d9aafd2e460795004af05961c5bf19b9edf06666965b4eeb
Opcode Fuzzy Hash: 6c77aa59a9892160509872787ca7bfd36d8b94e6b23b6ffd168fb2de312868c7
Instruction Fuzzy Hash: 3601D4317082445FC711DA69AC80A6F7BEAEF8922570005ADE509D3782DB31AD0287A0

Function 0409F027 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2317235578.000000000409D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0409D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_409d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c630ef97dc4b8389091dc56a6dd1508d93e44345cafe45a147f51fb8e987ca5
Instruction ID: be6b6a640f5da45cbe019dc2c65f0af152da01df987866874a2b4ec0c25181e7
Opcode Fuzzy Hash: 1c630ef97dc4b8389091dc56a6dd1508d93e44345cafe45a147f51fb8e987ca5
Instruction Fuzzy Hash: 8511DD75504280DFCB12CF14D5C4B15BFA1FB84324F28C6AAD9498B656C33AE84ADBA2

Function 041FBCE0 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2317651978.00000000041F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_41f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 545b775b43e3b30e71d27e121db3f851608fdb7675aacfa9b8e06b2ed5b46c9d
Instruction ID: 5a4a99ff2ffd0983c4f2d7daee92ce4920805f742ecdaf1aa9a7719011506dbf
Opcode Fuzzy Hash: 545b775b43e3b30e71d27e121db3f851608fdb7675aacfa9b8e06b2ed5b46c9d
Instruction Fuzzy Hash: C501D2316083449FD718CF79D998A9A7FE0AF85210F2488EED15AC76A2CB34FC42C701

Function 041FDC98 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2317651978.00000000041F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_41f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3af1b192e5806f1a9a6716359793dff7410e737669e830a335704ff76672f72d
Instruction ID: bf61044f9b857aa87f6d4e62844038e295d318609f5acc9e555f048821a46118
Opcode Fuzzy Hash: 3af1b192e5806f1a9a6716359793dff7410e737669e830a335704ff76672f72d
Instruction Fuzzy Hash: 26111B35204754CFC728DF75D48085ABBF6EF8A31532089ADD44A87BA1DB36F846CB50

Function 041FDF20 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2317651978.00000000041F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_41f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e3f84ba18165a59f2d06a3b83b3702329b5728fb1cb22a0a012082054c4f432
Instruction ID: 8ba5a62fb6273793decf6fe80049b692748514011627eb8c885361be822cd6df
Opcode Fuzzy Hash: 3e3f84ba18165a59f2d06a3b83b3702329b5728fb1cb22a0a012082054c4f432
Instruction Fuzzy Hash: CB019236B002149FCB119F75E818AAEBBF5FB88315F04406DE90AD3241DB359901CF90

Function 041FBF10 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2317651978.00000000041F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_41f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8aaa40bfa841d544d09c29a7e6bac8eeaa618c838a1fb3707e3c7e3deef28c54
Instruction ID: 9ac6cf5fe9c7726fd53ea36a0c4295bd03d576d7cbfee4cda7a338749e400444
Opcode Fuzzy Hash: 8aaa40bfa841d544d09c29a7e6bac8eeaa618c838a1fb3707e3c7e3deef28c54
Instruction Fuzzy Hash: 81F028B23093541FD7004A799C549B7BFEDEF86610B0541BBF840C7352CA70CD0087A0

Function 0409D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2317235578.000000000409D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0409D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_409d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fb49d3e20073b32db0b1ace4d6065c408c7468db651565e2b46d5601def99cb
Instruction ID: f64beebd37086ccc778c4c17faaf4e0559bd09be5f76224ba038b4c9e4794f2d
Opcode Fuzzy Hash: 2fb49d3e20073b32db0b1ace4d6065c408c7468db651565e2b46d5601def99cb
Instruction Fuzzy Hash: 00012B71145304BADB208E16DD84B67FFDCEFC5320F18C529ED481B246D279AC42E6B2

Function 0409D007 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2317235578.000000000409D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0409D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_409d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3330c2a0eb80ba19ddb7f93216d8c1eaad7956d3a7e8c34156e2ad3bb38e2fe3
Instruction ID: 99dbc925928773ec84e06689815cc138bb878ce56a6dc3264da3a7470078bea9
Opcode Fuzzy Hash: 3330c2a0eb80ba19ddb7f93216d8c1eaad7956d3a7e8c34156e2ad3bb38e2fe3
Instruction Fuzzy Hash: 1D015E7100E3C09FD7128B259C94B52BFB4EF53224F1D85DBD9889F2A3C2695849D772

Function 041F7958 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2317651978.00000000041F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_41f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d85918d4b5575dea31e305fd78c3fd2243ea43909b9ebb6614d269f848347819
Instruction ID: 2875b0c7dda6851d46b493b727b0eab9818a4016f49c47da7d729711a342da3a
Opcode Fuzzy Hash: d85918d4b5575dea31e305fd78c3fd2243ea43909b9ebb6614d269f848347819
Instruction Fuzzy Hash: 3AF0C8313092406FC7119769AC8096F7FE9DF89564704066EE14AD3752DF246C478761

Function 041F2C5C Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2317651978.00000000041F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_41f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6ae4e4b29689dc958cd1b8aa0786505b7d240230e13928f595018a79f8f97c5
Instruction ID: 89f8d2baad952fb2c114abe86fd2c522425faccc14a03c42ee06c42ef1900ea3
Opcode Fuzzy Hash: c6ae4e4b29689dc958cd1b8aa0786505b7d240230e13928f595018a79f8f97c5
Instruction Fuzzy Hash: 9F01B9349092949FCB02CF6CC8A09EDBFB1EF46310F1440D6D1549B2A2C336EC56CB55

Function 041F90D8 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2317651978.00000000041F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_41f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b48b232fdd134da9267deb091c10666635cb02da902db164cd07c8209ef6ba7
Instruction ID: ee4782b0b85b8b18c7fc4c5905bc3ff172d0b3386d8f3e4a2cca335bd9e8a529
Opcode Fuzzy Hash: 8b48b232fdd134da9267deb091c10666635cb02da902db164cd07c8209ef6ba7
Instruction Fuzzy Hash: DCF022B26042045BEB116B74D0183EB7BAADFC231CF25819BC9094B285CE393806DBA1

Function 041FDEC1 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2317651978.00000000041F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_41f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e3b54db98c50e080a81dc05d187df6aa43a049ed2399d56c66f87c52c8b89f3
Instruction ID: ff8a2bbaf58ab84e29d583b1274fb319a4c23ecb07afb970a9a9bc9a190151d9
Opcode Fuzzy Hash: 7e3b54db98c50e080a81dc05d187df6aa43a049ed2399d56c66f87c52c8b89f3
Instruction Fuzzy Hash: 78F05E753552404FC7019B2DE898965BBEADFCA61472A00DAE545CB772CA61EC028790

Function 0409D9A7 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2317235578.000000000409D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0409D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_409d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 981be2bb66292bfc4ca9ab0f11e82bc5f01d177691c9c6b82b4925e9e0c73622
Instruction ID: ff4ab924d710199c443e50e7cb5c161a096bae7ce6011e4c089a71448bc819bb
Opcode Fuzzy Hash: 981be2bb66292bfc4ca9ab0f11e82bc5f01d177691c9c6b82b4925e9e0c73622
Instruction Fuzzy Hash: 28F03776200600AF97208F0AC984C26FBEDEFD4730319C15AE84A4B611C631FC41CAA0

Function 041F9158 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2317651978.00000000041F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_41f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c83d41f73c4cc526caebeb02db8774681916d3ff88ee1f2d287e18085d610f6d
Instruction ID: 638e7532a43c6ec7b90caf369313fe50e12f6021e9f6eb1f2cab9169ebc518f4
Opcode Fuzzy Hash: c83d41f73c4cc526caebeb02db8774681916d3ff88ee1f2d287e18085d610f6d
Instruction Fuzzy Hash: 96F05EB56053004FD7609B79D8993EABBE5FB05324F1144AAE24EC7241DB3968868BA1

Function 041F8969 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2317651978.00000000041F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_41f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b4f0a87192fccbaefaa5f5b3c0e6b043122254cd0b8dd6f43560d55ec1ca737
Instruction ID: 2ef5556a6bca93dd81f71cf8b1b6ff6564c8dc6d1abcf197c6b1a0c749c27f25
Opcode Fuzzy Hash: 2b4f0a87192fccbaefaa5f5b3c0e6b043122254cd0b8dd6f43560d55ec1ca737
Instruction Fuzzy Hash: E1F0A73530C3505BDB0A2776A8193EE3F95AF86328F05015BD90587242DF6D1D0687E7

Function 041F7968 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2317651978.00000000041F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_41f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca85c4ac129eac379d665a916f435df40986a506a257d85ce675369a221e3467
Instruction ID: 6678f5ed7ed9c0b32017a0cb2b9ebb532a9a07dbbfd9eb8578c23c5084ce4116
Opcode Fuzzy Hash: ca85c4ac129eac379d665a916f435df40986a506a257d85ce675369a221e3467
Instruction Fuzzy Hash: 36F0A031700614AFDB149A6AEC84A6FB7EAEFCC675B00052DE20AD3741DF30AD4387A0

Function 0409D998 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2317235578.000000000409D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0409D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_409d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c264a269f4a01144367cfbe88704b22fd0d1a0182a9819add53e7cf74bb063bf
Instruction ID: 487fef6d8e92c42e6414e8475edda0c60f4e8e2a61b6ecb5ed7135221d59840f
Opcode Fuzzy Hash: c264a269f4a01144367cfbe88704b22fd0d1a0182a9819add53e7cf74bb063bf
Instruction Fuzzy Hash: EAF0E775100A80AFD765CF06C985D22BBBAEF89620B198589A84A5B752C631FC42CB61

Function 041F7697 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2317651978.00000000041F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_41f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0171cd4423e63141f3708d4dcb2425eaa77e6bf3c20cb64243400ab884be9464
Instruction ID: 1ec11165a587bb02b25b4dcf95095864170a2ebad412da29173bb81940068151
Opcode Fuzzy Hash: 0171cd4423e63141f3708d4dcb2425eaa77e6bf3c20cb64243400ab884be9464
Instruction Fuzzy Hash: 7AF0A079B001188FDB10DB6DA840ADA7BE7EBCC26570941A5E91ACB364DB30EC028B91

Function 041F90E8 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2317651978.00000000041F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_41f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d22bc4178ee4a62988fbd51cbe85eaab487230d5ffe625ffe71b66484b154f2
Instruction ID: 8aec42094a1287f4af6a5d209e137ee8e333bc4974cc574217c80f6b5333f5fb
Opcode Fuzzy Hash: 7d22bc4178ee4a62988fbd51cbe85eaab487230d5ffe625ffe71b66484b154f2
Instruction Fuzzy Hash: 83F027B16002045BE700ABA5C0193EF77DADFC571CF14816AC90A5B384CE353C06CBE1

Function 041FDED0 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2317651978.00000000041F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_41f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cbc8c01cb1cfba62283625fd6060b221224d024ac4fb9ab2b68f2c5927682fe
Instruction ID: 6d26fd543ba5bfd78e834fa3651923b3bbb47a56b5a504ebd1c030aaf1d1fb71
Opcode Fuzzy Hash: 4cbc8c01cb1cfba62283625fd6060b221224d024ac4fb9ab2b68f2c5927682fe
Instruction Fuzzy Hash: AFE0ED357501118F87109F1DE898C66B7EAEFCE71531500AAE64ADB735DB61EC028B90

Function 041FAF88 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2317651978.00000000041F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_41f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f43806339079823913c42595ef0095caa709b2006b11a2edfda70f9f6c0ec6a
Instruction ID: b27604377351a1b7199899e9f69856413cd517be59634d372aac8d7f056f168e
Opcode Fuzzy Hash: 8f43806339079823913c42595ef0095caa709b2006b11a2edfda70f9f6c0ec6a
Instruction Fuzzy Hash: 6CE0D862308395078B1681296C540AAAF674EC316032941B7E144CF642DD19580343E1

Function 041F9549 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2317651978.00000000041F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_41f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3175336fb1fbb6840cbfbcbd1ff301cf16314845d6c45a755f6a758c412ce8fb
Instruction ID: 7c1612b9c6394d93e66be5230a58f5df326abc61b22813df55ea78c5fddaf750
Opcode Fuzzy Hash: 3175336fb1fbb6840cbfbcbd1ff301cf16314845d6c45a755f6a758c412ce8fb
Instruction Fuzzy Hash: DAD012A271211927555871B92C807FBA6CF8AC44A47090176DB05C7641FF60EC1703E2

Function 041F9168 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2317651978.00000000041F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_41f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 512809ac3ed521d89c9f48e5223db262cc12307084a94a97c9d544d7b6f4ac09
Instruction ID: f2747e5a15eb596633e826524f1f84d80048d2758d27f4fe052420824646e039
Opcode Fuzzy Hash: 512809ac3ed521d89c9f48e5223db262cc12307084a94a97c9d544d7b6f4ac09
Instruction Fuzzy Hash: 16F06D709003044BD7649FB8D89D39ABBE5FB44324F004469D60ED3340DB3968818B90

Function 041F8978 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2317651978.00000000041F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_41f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb67b767fa35f07ce94b894fef7d84f07ad7edb4b493f45ab1ae25ad8ec4c09e
Instruction ID: cc3d62c9d32b6616e28d5f0a53b10c379d70dcaf40773cc811eb140de76ea1e8
Opcode Fuzzy Hash: bb67b767fa35f07ce94b894fef7d84f07ad7edb4b493f45ab1ae25ad8ec4c09e
Instruction Fuzzy Hash: EDE04F3570461457DB093775A81D3AE7B96ABC9729F04002AD60A87345CF796D0287D6

Function 041F9550 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2317651978.00000000041F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_41f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78a2ef523db6a7690e8e60536dc7c8cf5e305f4cbcc00507c7a46b8c07a3737f
Instruction ID: 73c0025eeb19bedda09e3a8c71d47b628bcbd0f71f392a44c14a13312d24664b
Opcode Fuzzy Hash: 78a2ef523db6a7690e8e60536dc7c8cf5e305f4cbcc00507c7a46b8c07a3737f
Instruction Fuzzy Hash: 4ED05E9271212927165470BA1C807FF96CF8AC44A47090176DB09C7281FF60FC1703E1

Function 041F8739 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2317651978.00000000041F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_41f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 110fb18a37943904b6abef285abbbad33cdfbb3d0b73a0c8faf02b21ce81ff73
Instruction ID: 724bb0f8ddb8433606404abd2d7dc919c6507242d5439761c5ac4b11b51792ba
Opcode Fuzzy Hash: 110fb18a37943904b6abef285abbbad33cdfbb3d0b73a0c8faf02b21ce81ff73
Instruction Fuzzy Hash: 96E04F309041098BCB09BBB4E84A5FDBF70FF00311F500269DA4282580DE341A4BCEC1

Function 041FDD20 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2317651978.00000000041F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_41f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b839a95986c7b368018a4583de85eaadddcbd84be9ef4f6142cb3e1c5c572bd6
Instruction ID: 9e74c92e6d3bcc55df65172f268ba16874bd9c257256ddefef8df608cdb090fe
Opcode Fuzzy Hash: b839a95986c7b368018a4583de85eaadddcbd84be9ef4f6142cb3e1c5c572bd6
Instruction Fuzzy Hash: F5E08C31300A14178615662EB8209AF77DADFC8675310452AE10A97340DF64EC068BA5

Function 041FDD70 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2317651978.00000000041F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_41f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
Instruction ID: 14277df882fb366a70dea0ba5b967635183e628477b3720b60e0eac8fc635a8e
Opcode Fuzzy Hash: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
Instruction Fuzzy Hash: DAE08631B00014978B08D699E8514E9F7A5DBCC220F04847EDA0AA7341DB32691687A1

Function 041F8800 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2317651978.00000000041F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_41f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 688f67b1f0055f02d1b4306e782d27e70cc63865c775c8be05fd01dc58a55765
Instruction ID: a2d652099a5fc27f60f9c169a61d11f8ad26167a5b6a774d3d119e49d054022e
Opcode Fuzzy Hash: 688f67b1f0055f02d1b4306e782d27e70cc63865c775c8be05fd01dc58a55765
Instruction Fuzzy Hash: DDE04F74A0830A8BCB14DBA4E48AAAABFF4AB44308F104169ED4597741EB309C81DB81

Function 041FF460 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2317651978.00000000041F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_41f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4847cbddd7a2665c9f4f4040b56aa42b17b46f6a3c68bb98d75593a15f641f7e
Instruction ID: 022ecaebf7211b14c42e337854c583976f2fb764be24be448c125c147b39615c
Opcode Fuzzy Hash: 4847cbddd7a2665c9f4f4040b56aa42b17b46f6a3c68bb98d75593a15f641f7e
Instruction Fuzzy Hash: 44E01A70D04209AFC780DFA8CC8255ABBF4AB49200B5085AED908EB201E73196428BE1

Function 041FF470 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2317651978.00000000041F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_41f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
Instruction ID: 4df228597ca88647b6b6760ac8e178988ffc93aa200ba03b1e23ff9882538732
Opcode Fuzzy Hash: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
Instruction Fuzzy Hash: 3DD067B0D042099F8784EFADC94156EFBF4EB48200F6085AA8919E7301F7729A12CBD1

Function 041F8748 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2317651978.00000000041F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_41f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c25c7dc7d9cd9bd22e3dcc5393aba149fe366ceb7f395840993da99215b3326
Instruction ID: 76397a64ea082b7cfb6530d5ee9000303cac636878bca5e28dbbd63f80ca7727
Opcode Fuzzy Hash: 6c25c7dc7d9cd9bd22e3dcc5393aba149fe366ceb7f395840993da99215b3326
Instruction Fuzzy Hash: AAD067319041098BCB08BBA5E85B5BDBB74FA14311F404169DA0792590EF352A5ACAC5

Function 041F8810 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2317651978.00000000041F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_41f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c35bfed3b35f75ee94f3d06cc857bd24250e88aab71965120ad4d1b36ceae00
Instruction ID: ae139bc4588ef1ea135d5c5f89eb1826ea6995ed6c2cc793f552682d1d492d18
Opcode Fuzzy Hash: 6c35bfed3b35f75ee94f3d06cc857bd24250e88aab71965120ad4d1b36ceae00
Instruction Fuzzy Hash: F6D01734A0830A8BCB18EFA4E84A96EBBB4BB44300F00416AEE0993340EB306C01CBC1

Function 041F7933 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2317651978.00000000041F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_41f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 835a002fb21628a82e0c6a832c92e023cee5c6ee51edbe94d5d996f42f2526f4
Instruction ID: 0f6a19c623f6620df28df92796d9cfb87a926d2ffa4241b65d43aa4fcf17511d
Opcode Fuzzy Hash: 835a002fb21628a82e0c6a832c92e023cee5c6ee51edbe94d5d996f42f2526f4
Instruction Fuzzy Hash: 59D0223000C3C44FC3439B3498100603F28FE4712A32524CEE94E4B1E3CA26A84ACB61

Function 041F7EA0 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2317651978.00000000041F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_41f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1e5efbeea6ff83dbb8cf65fe54fda470054020ee53aa452ac43bb23450f7375
Instruction ID: c19ba09be81c1ab9986c7f33aa6b6d14f0df8aa5c046d80394361a40817caf34
Opcode Fuzzy Hash: d1e5efbeea6ff83dbb8cf65fe54fda470054020ee53aa452ac43bb23450f7375
Instruction Fuzzy Hash: 7FC08C1180D2C00EEF0783358E660007F729E4350830A01C2C98397123CD188822C341

Function 041F7940 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2317651978.00000000041F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_41f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac02a23d996261951a34695f47c36af6beeef9047539b5ef92584ddf2847bef5
Instruction ID: 70e1b0383df9c055f8f56d561d6eff6b41971f440acf738b68575a3090d6dcfa
Opcode Fuzzy Hash: ac02a23d996261951a34695f47c36af6beeef9047539b5ef92584ddf2847bef5
Instruction Fuzzy Hash: 14B092340447088FC298AF7AA4048147329EF4921938008ECEA0E0B2938E37E889CA45

Non-executed Functions

Function 070C0FB8 Relevance: 20.3, Strings: 16, Instructions: 318COMMON

Download Yara Rule

Strings

$]q, xrefs: 070C1229
tP]q, xrefs: 070C1127
fbq, xrefs: 070C10A2
$]q, xrefs: 070C1253
$]q, xrefs: 070C1081
`Q]q, xrefs: 070C1193
$]q, xrefs: 070C1044
$]q, xrefs: 070C1065
`Q]q, xrefs: 070C10ED
84ll, xrefs: 070C10D4
$]q, xrefs: 070C1263
tP]q, xrefs: 070C1133
`Q]q, xrefs: 070C1153
84ll, xrefs: 070C10DE
`Q]q, xrefs: 070C115F
$]q, xrefs: 070C1239

Memory Dump Source

Source File: 00000004.00000002.2336655844.00000000070C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_70c0000_powershell.jbxd

Similarity

API ID:
String ID: fbq$84ll$84ll$`Q]q$`Q]q$`Q]q$`Q]q$tP]q$tP]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q
API String ID: 0-3941682436
Opcode ID: f1840f5808f26855bf985d448cdc767edd51556f8f0cf245e4b3ada49d481cbf
Instruction ID: 8b3710ba1c06292a9254dc7951f1c45f03e94842e45d4a6100e360a4b96cdbdf
Opcode Fuzzy Hash: f1840f5808f26855bf985d448cdc767edd51556f8f0cf245e4b3ada49d481cbf
Instruction Fuzzy Hash: 5DB1F4F061420EDFDB55CF68C940AAE7BF6EF85300F24856AE8119B292CB75DC51CBA1

Function 070C1EF8 Relevance: 15.2, Strings: 12, Instructions: 183COMMON

Download Yara Rule

Strings

Jol, xrefs: 070C2017
Jol, xrefs: 070C1FA1
4']q, xrefs: 070C1F89
Jol, xrefs: 070C20C2
tP]q, xrefs: 070C1FEB
Jol, xrefs: 070C20CE
4']q, xrefs: 070C1F95
84ll, xrefs: 070C1F6C
Jol, xrefs: 070C200B
$cak, xrefs: 070C20B4
84ll, xrefs: 070C1F76
tP]q, xrefs: 070C1FDF

Memory Dump Source

Source File: 00000004.00000002.2336655844.00000000070C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_70c0000_powershell.jbxd

Similarity

API ID:
String ID: $cak$4']q$4']q$84ll$84ll$tP]q$tP]q$Jol$Jol$Jol$Jol$Jol
API String ID: 0-1772102648
Opcode ID: 092740ed2b3a9356612421e1a764445d8a18fb5737554d8f5bfaa06d4673461d
Instruction ID: 01b96ffafeed457e12230e28da90c60c6c15d8b5de4c631035dd9417c64f42fe
Opcode Fuzzy Hash: 092740ed2b3a9356612421e1a764445d8a18fb5737554d8f5bfaa06d4673461d
Instruction Fuzzy Hash: 125118B1B0430A8FD765CB58855066FBBEAAF81710F28866FD515CF657C731C842C3A5

Function 070C3928 Relevance: 11.5, Strings: 9, Instructions: 249COMMON

Download Yara Rule

Strings

$]q, xrefs: 070C396C
4']q, xrefs: 070C3B29
tP]q, xrefs: 070C39A5
tP]q, xrefs: 070C39B1
dl, xrefs: 070C3A0F
4']q, xrefs: 070C3B35
dl, xrefs: 070C3A1D
$]q, xrefs: 070C3960
$]q, xrefs: 070C393A

Memory Dump Source

Source File: 00000004.00000002.2336655844.00000000070C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_70c0000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$4']q$tP]q$tP]q$$]q$$]q$$]q$dl$dl
API String ID: 0-110020175
Opcode ID: 13075b5e864ee7beed2c295a9284214ed87cad61683b0f7a23ed9ea42cb8983d
Instruction ID: fc12d77604d4c81c9508d06e5137f2f40cda3b1428bd79255b236c69d3e3fe67
Opcode Fuzzy Hash: 13075b5e864ee7beed2c295a9284214ed87cad61683b0f7a23ed9ea42cb8983d
Instruction Fuzzy Hash: 478166B13283458FC755CB68941066EFBF5EF86210F18C2AFD545CB2A2CA31C845C7A3

Function 070C3678 Relevance: 8.9, Strings: 7, Instructions: 185COMMON

Download Yara Rule

Strings

4']q, xrefs: 070C372E
$]q, xrefs: 070C37FF
$]q, xrefs: 070C382A
$]q, xrefs: 070C3836
dl, xrefs: 070C387B
dl, xrefs: 070C386D
4']q, xrefs: 070C3722

Memory Dump Source

Source File: 00000004.00000002.2336655844.00000000070C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_70c0000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$4']q$$]q$$]q$$]q$dl$dl
API String ID: 0-3659981593
Opcode ID: 20db3cb904eec6abeb8720c78fa7b84466c24b2f030f5a026b71d1aee93de21c
Instruction ID: 0f31e8980673996113b86dd7b9ce14875b4985be955a7279ae2ac5e883ff29e7
Opcode Fuzzy Hash: 20db3cb904eec6abeb8720c78fa7b84466c24b2f030f5a026b71d1aee93de21c
Instruction Fuzzy Hash: FE5164B17243069FCB64DB69890126EFBE6AFC2610F24C66FD445CB291DA31C849C7A3

Function 070C2327 Relevance: 8.9, Strings: 7, Instructions: 138COMMON

Download Yara Rule

Strings

Jol, xrefs: 070C237F
pi6k, xrefs: 070C2363
pi6k, xrefs: 070C23B0
pi6k, xrefs: 070C2416
Jol, xrefs: 070C23D1
Jol, xrefs: 070C23C5
pi6k, xrefs: 070C23A0

Memory Dump Source

Source File: 00000004.00000002.2336655844.00000000070C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_70c0000_powershell.jbxd

Similarity

API ID:
String ID: pi6k$pi6k$pi6k$pi6k$Jol$Jol$Jol
API String ID: 0-470287443
Opcode ID: 0383ee945d13b3931dabbb222dc6c7d0a1a663630ffe2a3054180366dd4c846c
Instruction ID: ea730b21df9ea68ad26b44b7e84d617e07961062a292e8031bac6fbf19079be1
Opcode Fuzzy Hash: 0383ee945d13b3931dabbb222dc6c7d0a1a663630ffe2a3054180366dd4c846c
Instruction Fuzzy Hash: 4C4179B5700206DFCB50DF6885402AEBBE6FF85310F04867EE8218FA91DA75CD41CBA2

Function 041F7200 Relevance: 6.5, Strings: 5, Instructions: 247COMMON

Download Yara Rule

Strings

tMnl, xrefs: 041F7AD4
`^q, xrefs: 041F7BA2
`^q, xrefs: 041F7CC2
`^q, xrefs: 041F7C44
`^q, xrefs: 041F7B23

Memory Dump Source

Source File: 00000004.00000002.2317651978.00000000041F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_41f0000_powershell.jbxd

Similarity

API ID:
String ID: tMnl$`^q$`^q$`^q$`^q
API String ID: 0-3010539823
Opcode ID: b939798f0496b43d3a78788f09967f334acd15f2039cdd24371103b0bd7655f1
Instruction ID: c670e0cabcc78d404acc24f1b871ac0a646d3729a3f6f5583d2eb61f7a72b3e1
Opcode Fuzzy Hash: b939798f0496b43d3a78788f09967f334acd15f2039cdd24371103b0bd7655f1
Instruction Fuzzy Hash: 5CB1B774E002099FDB54DFA9D990A9DFBF6FF88304F10862AD819AB355DB34A905CF90

Function 041F7A21 Relevance: 6.5, Strings: 5, Instructions: 243COMMON

Download Yara Rule

Strings

tMnl, xrefs: 041F7AD4
`^q, xrefs: 041F7BA2
`^q, xrefs: 041F7CC2
`^q, xrefs: 041F7C44
`^q, xrefs: 041F7B23

Memory Dump Source

Source File: 00000004.00000002.2317651978.00000000041F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_41f0000_powershell.jbxd

Similarity

API ID:
String ID: tMnl$`^q$`^q$`^q$`^q
API String ID: 0-3010539823
Opcode ID: d9d7664064dfd21784541a64efd14f27b83a720651fe13c76b5e996b4f5083f2
Instruction ID: b42df6d6eaca9902bd0ca3b67489ead6787575ff69b41509692a3b7e54fbf9c3
Opcode Fuzzy Hash: d9d7664064dfd21784541a64efd14f27b83a720651fe13c76b5e996b4f5083f2
Instruction Fuzzy Hash: CDB1B774E002099FDB54DFA9D990A9DFBF6FF88304F108629D819AB355DB34A905CF90

Function 041F7A30 Relevance: 6.5, Strings: 5, Instructions: 234COMMON

Download Yara Rule

Strings

tMnl, xrefs: 041F7AD4
`^q, xrefs: 041F7BA2
`^q, xrefs: 041F7CC2
`^q, xrefs: 041F7C44
`^q, xrefs: 041F7B23

Memory Dump Source

Source File: 00000004.00000002.2317651978.00000000041F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_41f0000_powershell.jbxd

Similarity

API ID:
String ID: tMnl$`^q$`^q$`^q$`^q
API String ID: 0-3010539823
Opcode ID: 794708a956c419328d2249e9eccc3545b735aef69729edfa59b468b674a621c6
Instruction ID: 585377dd528c1a78fa8ec0d0d732caa3fd8886bcc82be0083c7e2ced58a629bf
Opcode Fuzzy Hash: 794708a956c419328d2249e9eccc3545b735aef69729edfa59b468b674a621c6
Instruction Fuzzy Hash: 5DB19674E0020A9FDB54DFA9D990A9DFBF6FF88304F108629D819AB354DB34A945CF90

Function 070C1BE0 Relevance: 6.5, Strings: 5, Instructions: 216COMMON

Download Yara Rule

Strings

rnl, xrefs: 070C1C53
4']q, xrefs: 070C1C86
rnl, xrefs: 070C1C5D
4']q, xrefs: 070C1C92
pi6k, xrefs: 070C1C73

Memory Dump Source

Source File: 00000004.00000002.2336655844.00000000070C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_70c0000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$4']q$pi6k$rnl$rnl
API String ID: 0-1275723643
Opcode ID: e95dfc6531d48059a9e14e35873ae53b485e208276923e1e18a9388c654ab22f
Instruction ID: 1d675812ca2f95741435ac039010a335cc1bcd2e3f6f784e62d2963700a10bfe
Opcode Fuzzy Hash: e95dfc6531d48059a9e14e35873ae53b485e208276923e1e18a9388c654ab22f
Instruction Fuzzy Hash: F16133F1B0420D8FCB65DB6894402AEBBF6EF86211F18866FD455CB25BDA318846CB91

Function 070C08B8 Relevance: 6.4, Strings: 5, Instructions: 117COMMON

Download Yara Rule

Strings

4']q, xrefs: 070C0962
rnl, xrefs: 070C092B
fbq, xrefs: 070C094B
4']q, xrefs: 070C096E
rnl, xrefs: 070C0935

Memory Dump Source

Source File: 00000004.00000002.2336655844.00000000070C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_70c0000_powershell.jbxd

Similarity

API ID:
String ID: fbq$4']q$4']q$rnl$rnl
API String ID: 0-3631458751
Opcode ID: b046d4a9ef96f745e6f394bad9064f8199ebe6bdfbaa28407471ecf3f482aa51
Instruction ID: c1c414ec785103262797e3594334bc6ba6ae5799fd3ae8faaa435f84863acb6f
Opcode Fuzzy Hash: b046d4a9ef96f745e6f394bad9064f8199ebe6bdfbaa28407471ecf3f482aa51
Instruction Fuzzy Hash: BB41D6B0B04346CFDB55DB68881066EBBF1EF86211F18C1AFD449CB252DB358D45C791

Function 070C1EF4 Relevance: 6.3, Strings: 5, Instructions: 91COMMON

Download Yara Rule

Strings

Jol, xrefs: 070C1FA1
4']q, xrefs: 070C1F89
84ll, xrefs: 070C1F6C
Jol, xrefs: 070C200B
tP]q, xrefs: 070C1FDF

Memory Dump Source

Source File: 00000004.00000002.2336655844.00000000070C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_70c0000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$84ll$tP]q$Jol$Jol
API String ID: 0-2233797684
Opcode ID: 0a886d47b2b33ff9cbe873d3789a45923546551d1984f82e1d60ea2790c6d6fc
Instruction ID: d30eedd9c6500239710fd9e9f2704d4e2f62249b0384b1e67f600b18cf068401
Opcode Fuzzy Hash: 0a886d47b2b33ff9cbe873d3789a45923546551d1984f82e1d60ea2790c6d6fc
Instruction Fuzzy Hash: 4131B1F1A0020ADBEB64CF448444A6EB7EAEF81710F2882AED6149F553C372D442C761

Function 070C1EF2 Relevance: 6.3, Strings: 5, Instructions: 81COMMON

Download Yara Rule

Strings

Jol, xrefs: 070C1FA1
4']q, xrefs: 070C1F89
84ll, xrefs: 070C1F6C
Jol, xrefs: 070C200B
tP]q, xrefs: 070C1FDF

Memory Dump Source

Source File: 00000004.00000002.2336655844.00000000070C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_70c0000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$84ll$tP]q$Jol$Jol
API String ID: 0-2233797684
Opcode ID: ce9df06172511922de4773aa0e27356e12349b9ada466beeab98acd149b88a23
Instruction ID: 4504504ce8c51359085ad1c5135c740ba18333b96ba85865ec8a88ee48b766e2
Opcode Fuzzy Hash: ce9df06172511922de4773aa0e27356e12349b9ada466beeab98acd149b88a23
Instruction Fuzzy Hash: 4C218FF1A0420ADBEB64CF448444B7EB7E6AF81711F2882AED6159B557C372D842C761

Function 070C5BF8 Relevance: 5.3, Strings: 4, Instructions: 307COMMON

Download Yara Rule

Strings

4']q, xrefs: 070C5D37
4']q, xrefs: 070C5EFE
4']q, xrefs: 070C5F08
4']q, xrefs: 070C5D2D

Memory Dump Source

Source File: 00000004.00000002.2336655844.00000000070C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_70c0000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$4']q$4']q$4']q
API String ID: 0-1785108022
Opcode ID: 6b44fe90d00806c7c8339af5090d65aead9474c0bc398258d80cfbf4ea49a285
Instruction ID: d5504af275a78d33e8a2afa97205052fa0f8e084d063df7a7099965b1bf0fb75
Opcode Fuzzy Hash: 6b44fe90d00806c7c8339af5090d65aead9474c0bc398258d80cfbf4ea49a285
Instruction Fuzzy Hash: DFA178B5B043068FCB68DB68885526EBBE69FC5200F34866FD411CF255DB32E861C7A2

Function 070C5798 Relevance: 5.1, Strings: 4, Instructions: 94COMMON

Download Yara Rule

Strings

$]q, xrefs: 070C57F4
$]q, xrefs: 070C57AA
$]q, xrefs: 070C5800
$]q, xrefs: 070C57C6

Memory Dump Source

Source File: 00000004.00000002.2336655844.00000000070C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_70c0000_powershell.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q
API String ID: 0-858218434
Opcode ID: 228537193f299a99d7af854626bd853a3c230e22a58762d23e570e90a58b8ba5
Instruction ID: d659a39e679b741e1cc15ad8ab992a6e89f72325ad4bb6b63d952c5a96660e5f
Opcode Fuzzy Hash: 228537193f299a99d7af854626bd853a3c230e22a58762d23e570e90a58b8ba5
Instruction Fuzzy Hash: 652187B93142029BDB64DB7E9D01B3FB7D6AFC0710F34862EA906DB281DD76E8548361

Function 070C2108 Relevance: 5.0, Strings: 4, Instructions: 44COMMON

Download Yara Rule

Strings

$]q, xrefs: 070C2166
Jol, xrefs: 070C214A
Jol, xrefs: 070C2156
$]q, xrefs: 070C2172

Memory Dump Source

Source File: 00000004.00000002.2336655844.00000000070C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_70c0000_powershell.jbxd

Similarity

API ID:
String ID: $]q$$]q$Jol$Jol
API String ID: 0-3612309805
Opcode ID: 3043ac254715c579ce3ecd99e56c0fc8b89f1ebbd3366a01ba30a449f2ea281e
Instruction ID: 54fe5dede9a6c72c72a6638d67937a5315dc9bfc6cd1ee30d7c25d6fbbb10c81
Opcode Fuzzy Hash: 3043ac254715c579ce3ecd99e56c0fc8b89f1ebbd3366a01ba30a449f2ea281e
Instruction Fuzzy Hash: D6012BB150C3814FC327872C0D2001A6FF6AFE3910719469BC950DF76AC4298C09C366

Function 070C0327 Relevance: 5.0, Strings: 4, Instructions: 35COMMON

Download Yara Rule

Strings

$]q, xrefs: 070C035E
4']q, xrefs: 070C0373
4']q, xrefs: 070C037F
$]q, xrefs: 070C0352

Memory Dump Source

Source File: 00000004.00000002.2336655844.00000000070C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_70c0000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$4']q$$]q$$]q
API String ID: 0-978391646
Opcode ID: 58a9634663e48ee30cf74f496f500f4bbd84017570668a28cb8d8b6e00cead6c
Instruction ID: 717120c704f42de73620f614ae37e8a8f974e6c002d41c524ad62d5bcd3ac32e
Opcode Fuzzy Hash: 58a9634663e48ee30cf74f496f500f4bbd84017570668a28cb8d8b6e00cead6c
Instruction Fuzzy Hash: 44F02070754216DBC6BC576C2D2066E94EFABC0E10B358A2FD8529B344CE228C02C7EE

Analysis Process: apihost.exePID: 1720, Parent PID: 1628COMMON

Execution Graph

Execution Coverage:	11.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	390
Total number of Limit Nodes:	35

Executed Functions

Function 00CAF6B2 Relevance: 6.1, APIs: 4, Instructions: 131
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00CAF73E
GetCurrentThread.KERNEL32 ref: 00CAF77B
GetCurrentProcess.KERNEL32 ref: 00CAF7B8
GetCurrentThreadId.KERNEL32 ref: 00CAF811

Memory Dump Source

Source File: 0000000B.00000002.3484821889.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ca0000_apihost.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 29478f53934bce88e6fec5a14c68e567b1ac133d056ceb73b148f19038ac74ae
Instruction ID: d5405c9fca60fff99750cfbb074329ecc01aa0fcb6097867846dd14469616bc8
Opcode Fuzzy Hash: 29478f53934bce88e6fec5a14c68e567b1ac133d056ceb73b148f19038ac74ae
Instruction Fuzzy Hash: 1E5174B090134A8FCB14DFAAD548BAEBBF1EF49304F20C4ADE419A7361D7389945CB65

Function 00CAF6C0 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00CAF73E
GetCurrentThread.KERNEL32 ref: 00CAF77B
GetCurrentProcess.KERNEL32 ref: 00CAF7B8
GetCurrentThreadId.KERNEL32 ref: 00CAF811

Memory Dump Source

Source File: 0000000B.00000002.3484821889.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ca0000_apihost.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 13affad13f1d2e5ce54d9ffe9b11625ad346c2348e76697def0ec5983f5e8cfb
Instruction ID: 4f0249d6595d5e451d740a04fc295502ca4253e0eea0a881729b32e4627f2665
Opcode Fuzzy Hash: 13affad13f1d2e5ce54d9ffe9b11625ad346c2348e76697def0ec5983f5e8cfb
Instruction Fuzzy Hash: 265164B090030A8FDB14DFAAD548BAEBBF1EF49304F20C469E519A7360D7789945CB65

Function 04DB16C0 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 159
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserCallbackDispatcher.NTDLL(00000037,00000000,00000000,037F4164,0289FF6C,?,00000000,?,00000000,00000000), ref: 04DB1877

Strings

Haq, xrefs: 04DB1760

Memory Dump Source

Source File: 0000000B.00000002.3497592130.0000000004DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4db0000_apihost.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID: Haq
API String ID: 2492992576-725504367
Opcode ID: 22c3c780f66b6742d6462556b28a2d7fb7cd5382826e29a343b3523ec725efc6
Instruction ID: 9a5633735f16b9f0830e77603a600aba77473608f3c06a3794fde291b117e8a6
Opcode Fuzzy Hash: 22c3c780f66b6742d6462556b28a2d7fb7cd5382826e29a343b3523ec725efc6
Instruction Fuzzy Hash: 6C5178343006119FC728EB69D865B6E77E6BF86B54B158469E446CB3A2CF74EC0287A0

Function 00CAD418 Relevance: 1.7, APIs: 1, Instructions: 200
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00CAD67E

Memory Dump Source

Source File: 0000000B.00000002.3484821889.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ca0000_apihost.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: fc8a0215accff96a08a30583ef6a5ad4768d0f673ebed3accf7e5524ef3a17af
Instruction ID: 152b4c2cc3b90caddb7917b07bde721c6bf03d985ca135a0ce0b1999e3c9d703
Opcode Fuzzy Hash: fc8a0215accff96a08a30583ef6a5ad4768d0f673ebed3accf7e5524ef3a17af
Instruction Fuzzy Hash: 7B8135B0A00B468FD724DF6AD0457AABBF1FF89308F00892DD49AD7A51DB74E945CB90

Function 04DB3E64 Relevance: 1.6, APIs: 1, Instructions: 119
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 04DB3F82

Memory Dump Source

Source File: 0000000B.00000002.3497592130.0000000004DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4db0000_apihost.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 31731a4d8e2901f9ae6fe94cf16c6cbe5cd943d40d534f6dcd7586da4f4beb5c
Instruction ID: cb3b60edf175fb42de4599e04f1d4daa1ea6242b6405760d1812469e98af528b
Opcode Fuzzy Hash: 31731a4d8e2901f9ae6fe94cf16c6cbe5cd943d40d534f6dcd7586da4f4beb5c
Instruction Fuzzy Hash: E651B0B1D00349DFDB14CF99C894ADEFBB5BF48310F64822AE819AB250D775A985CF90

Function 04DB3E70 Relevance: 1.6, APIs: 1, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 04DB3F82

Memory Dump Source

Source File: 0000000B.00000002.3497592130.0000000004DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4db0000_apihost.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 9155f66ab618d5fe2bc196d7d409174bec712acbf10dc6827e619ea0691e5c62
Instruction ID: 56984c14eef9880798e94e84195bb61444440982a82c99d49f75eac04547a0ed
Opcode Fuzzy Hash: 9155f66ab618d5fe2bc196d7d409174bec712acbf10dc6827e619ea0691e5c62
Instruction Fuzzy Hash: E741B0B1D00359DFDB14CF9AC884ADEFBB5BF48310F64812AE819AB250D775A985CF90

Function 04DB1C94 Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 04DB6671

Memory Dump Source

Source File: 0000000B.00000002.3497592130.0000000004DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4db0000_apihost.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: fe2654e2eb8b1b6ac631582f1212cb1c42e4984747b018b0e319b0651a6eb2b0
Instruction ID: 11803f2654be646652bad8e3f76436efda5a6cdcffa8ea0214d605818e4075bc
Opcode Fuzzy Hash: fe2654e2eb8b1b6ac631582f1212cb1c42e4984747b018b0e319b0651a6eb2b0
Instruction Fuzzy Hash: 624125B4A00309CFCB14CF99C488AAABBF5FB88314F24C499D559AB321D334E841CFA1

Function 04DBF898 Relevance: 1.6, APIs: 1, Instructions: 86
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?), ref: 04DBF967

Memory Dump Source

Source File: 0000000B.00000002.3497592130.0000000004DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4db0000_apihost.jbxd

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: 12a53b43b1ceebafbe47be947c9f9637888054c6d6a1c74af88bef59b51ed340
Instruction ID: c406db68509514dfcfa3433e964fb1fb09b1492ad9f18e44a282ec9f8d962e1c
Opcode Fuzzy Hash: 12a53b43b1ceebafbe47be947c9f9637888054c6d6a1c74af88bef59b51ed340
Instruction Fuzzy Hash: 06319871904349EFCB129FA9D800AEEBFF4EF09310F14806AE994EB221C335D950DBA1

Function 00CAFD0A Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00CAFD97

Memory Dump Source

Source File: 0000000B.00000002.3484821889.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ca0000_apihost.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: c132d58ebc815adaf2272b63d22b8484694babaea1a2064c02c42013436a0148
Instruction ID: 4f178bd95ba0639b6232b5397b24c7695c9e0278c3fd9beb9cc3327d22826192
Opcode Fuzzy Hash: c132d58ebc815adaf2272b63d22b8484694babaea1a2064c02c42013436a0148
Instruction Fuzzy Hash: 5F21E3B5D00249AFDB11CFAAD584AEEFFF5EB49310F14845AE958A3210C378A945CF64

Function 00CAFD10 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00CAFD97

Memory Dump Source

Source File: 0000000B.00000002.3484821889.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ca0000_apihost.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 33d2c212b0db71e1fa4c218c46111ae964b5b2c7632ed8a58cb6bcacc15225a0
Instruction ID: c22f672bbfc3b65a0de7afee7046818625ce23800ceafd3f16002f236f88e395
Opcode Fuzzy Hash: 33d2c212b0db71e1fa4c218c46111ae964b5b2c7632ed8a58cb6bcacc15225a0
Instruction Fuzzy Hash: E221E3B59002499FDB10CFAAD584ADEBBF8EB48310F14841AE918A3210C378A940CFA5

Function 04DBD520 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

SetWindowTextW.USER32(?,00000000), ref: 04DBD592

Memory Dump Source

Source File: 0000000B.00000002.3497592130.0000000004DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4db0000_apihost.jbxd

Similarity

API ID: TextWindow
String ID:
API String ID: 530164218-0
Opcode ID: f122df25836e4698b11e3db242e92fb60a43d156ab0176270779bd336048acc9
Instruction ID: e56129ddeaeb8a1b3e3bd01606eade5a9970731a921d079847409b11b79f8c13
Opcode Fuzzy Hash: f122df25836e4698b11e3db242e92fb60a43d156ab0176270779bd336048acc9
Instruction Fuzzy Hash: 072122B28002498FDB20DF9AC448BDEBBF5EF49324F10802AD859A7250D338A545CFA1

Function 04DBD528 Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

SetWindowTextW.USER32(?,00000000), ref: 04DBD592

Memory Dump Source

Source File: 0000000B.00000002.3497592130.0000000004DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4db0000_apihost.jbxd

Similarity

API ID: TextWindow
String ID:
API String ID: 530164218-0
Opcode ID: 612e3460c2d74c13d08d7bfffc75551d4227c3444b0a5ae8192837c048997b11
Instruction ID: 7c1ebc1182eb700087eaf3ee2f953e71e960f993fa47bb37f15fe205ea2f642f
Opcode Fuzzy Hash: 612e3460c2d74c13d08d7bfffc75551d4227c3444b0a5ae8192837c048997b11
Instruction Fuzzy Hash: D61112B68002498FDB24CF9AC448ADEFBF5EF89320F14C42AD859A3240D338A545CFA5

Function 04DBF8F8 Relevance: 1.6, APIs: 1, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?), ref: 04DBF967

Memory Dump Source

Source File: 0000000B.00000002.3497592130.0000000004DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4db0000_apihost.jbxd

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: 2276149d3046bf7f7ac15f37e99a5d2fa68e3440e2a7bae8711a128aa091f010
Instruction ID: 82f49df327412200e3387f6b7a7be5433256676df0d058a5928b8d92c2547639
Opcode Fuzzy Hash: 2276149d3046bf7f7ac15f37e99a5d2fa68e3440e2a7bae8711a128aa091f010
Instruction Fuzzy Hash: D91134B5800349DFDB20CFAAD844ADEBFF8EB48320F14841AE554A3210C339A990CFA5

Function 04DB40B1 Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,FFFFFFF4,?), ref: 04DB4115

Memory Dump Source

Source File: 0000000B.00000002.3497592130.0000000004DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4db0000_apihost.jbxd

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 8024a407f2ecc9f5553b9a688234ab5ddbbe8a9aa8c5bad0262b87efb87cbd54
Instruction ID: 321b9741c164afbbef2c8e74822bb5a452aec2cf2c586083917b23d4f689d1d0
Opcode Fuzzy Hash: 8024a407f2ecc9f5553b9a688234ab5ddbbe8a9aa8c5bad0262b87efb87cbd54
Instruction Fuzzy Hash: 4311E3B58002499FDB20DF99D485BEBBBF8EB58310F108419D959A7301C378A944CFA5

Function 04DBE460 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,?,?,?,?,?,?,00000000,?,?), ref: 04DBFCCD

Memory Dump Source

Source File: 0000000B.00000002.3497592130.0000000004DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4db0000_apihost.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 62f5a06792908c72dd4d675a6a17d00528994bdb3d5d8de7366b6975e08280b4
Instruction ID: eaa9bd00a61379fb49cde249340fdee3fbb8fa55fe4ee719c8122315b7f4c290
Opcode Fuzzy Hash: 62f5a06792908c72dd4d675a6a17d00528994bdb3d5d8de7366b6975e08280b4
Instruction Fuzzy Hash: BA11F5B5800349DFDB20DF99D989BDEBBF8FB48310F108419E959A7200D375A984CFA5

Function 04DB1B7C Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,FFFFFFF4,?), ref: 04DB4115

Memory Dump Source

Source File: 0000000B.00000002.3497592130.0000000004DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4db0000_apihost.jbxd

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 3aef6cbbc9d3663a44686fdb24c2b8fc2eb7a4a1a7eae5046e3c518ffd9c2990
Instruction ID: 3d4e43927e21f17e96f348b99138f5ea8786d92e6b95abaf84e4ba275399ef36
Opcode Fuzzy Hash: 3aef6cbbc9d3663a44686fdb24c2b8fc2eb7a4a1a7eae5046e3c518ffd9c2990
Instruction Fuzzy Hash: C511F5B5900249DFDB20DF99D449BDEBBF8EB48310F108459D959B7301D378A944CFA5

Function 00CAD618 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00CAD67E

Memory Dump Source

Source File: 0000000B.00000002.3484821889.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ca0000_apihost.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: a10f34c04e0bf2af4968256ea4b47caa2e7dbbc50d79a65174924b1ae5c195a7
Instruction ID: 38ea317548c896687a8fee898dce13f1098270be91d84f922e62413894f064e1
Opcode Fuzzy Hash: a10f34c04e0bf2af4968256ea4b47caa2e7dbbc50d79a65174924b1ae5c195a7
Instruction Fuzzy Hash: 3611DFB5C003498FCB20DF9AD444ADEFBF4EB89314F14842AD42AA7610C379A545CFA5

Function 05BE21B0 Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 05BE319D

Memory Dump Source

Source File: 0000000B.00000002.3499357134.0000000005BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5be0000_apihost.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 2a53bddaafdc77128db4ced253bf27b2e5f46efa3a6e8f19bd7a82ef2839d449
Instruction ID: a29aced2df896ab453275ba54d1e1c7d1fbc2ee813babf42298415ba1cc7757b
Opcode Fuzzy Hash: 2a53bddaafdc77128db4ced253bf27b2e5f46efa3a6e8f19bd7a82ef2839d449
Instruction Fuzzy Hash: CF1115B59003488FCB20DF9AD948BDEFBF4EB48310F248859D519A7200C379A944CFA5

Function 04DBFC69 Relevance: 1.5, APIs: 1, Instructions: 45windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,?,?,?,?,?,?,00000000,?,?), ref: 04DBFCCD

Memory Dump Source

Source File: 0000000B.00000002.3497592130.0000000004DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4db0000_apihost.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 7c1f3b26fa1438b872ec6e4d9934590c7c70eab5d505c1e519b40bfc8dbe8cd0
Instruction ID: f004d28d2b218e81dd662f9b1b12d6819ee81a56301b8d103e6b9a9d420cfa59
Opcode Fuzzy Hash: 7c1f3b26fa1438b872ec6e4d9934590c7c70eab5d505c1e519b40bfc8dbe8cd0
Instruction Fuzzy Hash: 3D11B3B5800349DFDB11DF99D985BDEBBF4FB48310F10841AD959A7240C375A584CFA5

Function 05BE3141 Relevance: 1.5, APIs: 1, Instructions: 44comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 05BE319D

Memory Dump Source

Source File: 0000000B.00000002.3499357134.0000000005BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5be0000_apihost.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 3c885a3f36be919a37effa289d8c8b8cc70da00181698121f34b693964999360
Instruction ID: 1c9ccaabf2e08ffb7ebc174b9fdff10044a25ab92f53d0a4655b1ab38484807d
Opcode Fuzzy Hash: 3c885a3f36be919a37effa289d8c8b8cc70da00181698121f34b693964999360
Instruction Fuzzy Hash: 961100B58003498FCB20DF9AD549B9EBBF4EB48320F248859D519A7210C378A544CFA5

Function 009FD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3477479248.00000000009FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9fd000_apihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee78bd5c8c72aafd41306b45dacfb075f45e6385932a97dfce6249cf579c3d60
Instruction ID: da71c4d5fb8546b857dd5ff3f1883e887b62f8629216c0d798880a78512ca74f
Opcode Fuzzy Hash: ee78bd5c8c72aafd41306b45dacfb075f45e6385932a97dfce6249cf579c3d60
Instruction Fuzzy Hash: B221F571504208DFDB15DF24D584B26BF6AFB84314F28C969DA094B356CB3AD807CB61

Function 009FD006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3477479248.00000000009FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9fd000_apihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a76608446676e25328283ba00cc0e657bc900c0afc7609b7a5cca80bfa823823
Instruction ID: 798ff62801d56f4a5ffe4d30546793ffd103b9ec7936361ade30a9252e369058
Opcode Fuzzy Hash: a76608446676e25328283ba00cc0e657bc900c0afc7609b7a5cca80bfa823823
Instruction Fuzzy Hash: 7B218E755093848FCB02CF24D994715BF72EB46314F28C5EAD9498B2A7C33A980ACB62

Function 009ED07D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3477172299.00000000009ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 009ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9ed000_apihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae0aee2676b2c69840bad1a3787da1e30ba2cf8681f27f5420b8f563563f32e8
Instruction ID: 7c6257c26eb4d89bc8f59ff6e323bb926f71893cfc248312edb02996661e8230
Opcode Fuzzy Hash: ae0aee2676b2c69840bad1a3787da1e30ba2cf8681f27f5420b8f563563f32e8
Instruction Fuzzy Hash: 2601DB710063849AE7219B27CD84B67FF9CEF55321F2CC82AED095B286C67D9C41CA75

Function 009ED07C Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3477172299.00000000009ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 009ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9ed000_apihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 831a5266861fbc0aef190bda84aada36bfbe77736ead967dfedb64e171a588d4
Instruction ID: b1aa4ee8ac5f2ccb6ace33aca2b2398b4fea1c750457d7bcb381d6340c4ace34
Opcode Fuzzy Hash: 831a5266861fbc0aef190bda84aada36bfbe77736ead967dfedb64e171a588d4
Instruction Fuzzy Hash: 36F0C2710053849AEB218B16C884B63FFACEF51335F18C45AED484B286C2799C40CA70

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report F7Xu8bRnXT.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: MassLogger

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\F7Xu8bRnXT.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bcme4mpd.5jk.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dzpxpq3b.sty.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nwhchn5x.agd.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_o4m412ps.3p5.ps1

C:\Users\user\AppData\Local\Temp\server01.exe

C:\Users\user\AppData\Roaming\ACCApi\apihost.exe

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\apihost.exe.lnk

Static File Info

Windows Analysis Report
F7Xu8bRnXT.exe

Function 004019F0 Relevance: 146.0, APIs: 34, Strings: 49, Instructions: 747
comprocessCOMMON

Function 004018F0 Relevance: 6.3, APIs: 5, Instructions: 77
stringCOMMON

Function 0040AF66 Relevance: 6.0, APIs: 4, Instructions: 34
COMMON

Function 0040E7EE Relevance: 3.0, APIs: 2, Instructions: 8
COMMONLIBRARYCODE

Function 021896D0 Relevance: 1.6, APIs: 1, Instructions: 56
memoryCOMMON

Function 00401870 Relevance: 1.5, APIs: 1, Instructions: 33
memoryCOMMON

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre