Edit tour

Windows Analysis Report
Disable_automatic_email_errors.exe

Overview

General Information

Sample Name:	Disable_automatic_email_errors.exe
Analysis ID:	1285130
MD5:	971d710c2612f65b6dc5facb2ba5aac3
SHA1:	5a84e0d34ac1b8f41435ff09056915fa347be640
SHA256:	08552fc7c1fcdb754d81dad78184ad191d0585b970a1b633cef88ce63804947e
Tags:	exe
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected AgentTesla

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Multi AV Scanner detection for dropped file

Installs a global keyboard hook

Tries to steal Mail credentials (via file / registry access)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Contains functionality to log keystrokes (.Net Source)

Machine Learning detection for sample

May check the online IP address of the machine

Machine Learning detection for dropped file

Hides that the sample has been downloaded from the Internet (zone.identifier)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Tries to harvest and steal browser information (history, passwords, etc)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Yara detected Credential Stealer

JA3 SSL client fingerprint seen in connection with other malware

IP address seen in connection with other malware

Contains functionality for execution timing, often used to detect debuggers

Contains long sleeps (>= 3 min)

Enables debug privileges

Creates a DirectInput object (often for capturing keystrokes)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Sample file is different than original file name gathered from version info

Drops PE files

Uses a known web browser user agent for HTTP communication

Detected TCP or UDP traffic on non-standard ports

Uses SMTP (mail sending)

Creates a window with clipboard capturing capabilities

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Classification

Process Tree

System is w10x64

Disable_automatic_email_errors.exe (PID: 6428 cmdline: C:\Users\user\Desktop\Disable_automatic_email_errors.exe MD5: 971D710C2612F65B6DC5FACB2BA5AAC3)

ggh.exe (PID: 6624 cmdline: "C:\Users\user\AppData\Roaming\ggh\ggh.exe" MD5: 971D710C2612F65B6DC5FACB2BA5AAC3)

ggh.exe (PID: 760 cmdline: "C:\Users\user\AppData\Roaming\ggh\ggh.exe" MD5: 971D710C2612F65B6DC5FACB2BA5AAC3)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://www.secureworks.com/research/threat-profiles/gold-galleon https://asec.ahnlab.com/ko/29133/ https://blog.apnic.net/2022/03/31/how-to-detect-and-prevent-common-data-exfiltration-attacks/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Host": "mail.grabinphone.com", "Username": "noreply2@grabinphone.com", "Password": "bGOD8rATGOD3sZGOD"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
Disable_automatic_email_errors.exe	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Roaming\ggh\ggh.exe	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.649418383.0000000002700000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.649418383.0000000002700000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000002.649230805.0000000002970000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000004.00000002.649230805.0000000002970000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000003.385931542.0000000005F97000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000000.00000000.381688362.0000000000292000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000001.00000002.429886562.0000000003280000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000001.00000002.429886562.0000000003280000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Disable_automatic_email_errors.exe PID: 6428	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: Disable_automatic_email_errors.exe PID: 6428	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: ggh.exe PID: 6624	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: ggh.exe PID: 6624	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: ggh.exe PID: 760	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: ggh.exe PID: 760	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
decrypted.memstr	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Click to see the 10 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.Disable_automatic_email_errors.exe.290000.0.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Host": "mail.grabinphone.com", "Username": "noreply2@grabinphone.com", "Password": "bGOD8rATGOD3sZGOD"}

Multi AV Scanner detection for submitted file

Source: Disable_automatic_email_errors.exe	ReversingLabs: Detection: 60%
Source: Disable_automatic_email_errors.exe	Virustotal: Detection: 57%			Perma Link

Antivirus / Scanner detection for submitted sample

Source: Disable_automatic_email_errors.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe

Avira: detection malicious, Label: TR/Spy.Gen8

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe

ReversingLabs: Detection: 60%

Machine Learning detection for sample

Source: Disable_automatic_email_errors.exe

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: /log.tmp
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: <br>[
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: yyyy-MM-dd HH:mm:ss
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: ]<br>
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: <br>
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: .txt
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: text/plain
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: Time:
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: MM/dd/yyyy HH:mm:ss
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: <br>User Name:
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: <br>Computer Name:
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: <br>OSFullName:
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: <br>CPU:
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: <br>RAM:
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: <br>
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: IP Address:
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: <br>
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: <hr>
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: New
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: MM/dd/yyyy HH:mm:ss
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: IP Address:
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: true
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: https://api.ipify.org
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: true
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: true
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: true
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: false
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: true
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: false
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: true
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: false
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: mail.grabinphone.com
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: noreply2@grabinphone.com
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: bGOD8rATGOD3sZGOD
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: noreply2@grabinphone.com
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: true
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: false
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: appdata
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: ggh.exe
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: true
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: Type
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: 2023-07-30
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: yyyy-MM-dd
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: Software\Microsoft\Windows\CurrentVersion\Run
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: Software\Microsoft\Windows\CurrentVersion\Run
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: <br>
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: <hr>
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: <br>
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: <b>[
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: ]</b> (
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: )<br>
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: {BACK}
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: {ALT+TAB}
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: {ALT+F4}
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: {TAB}
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: {ESC}
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: {Win}
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: {CAPSLOCK}
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: {KEYUP}
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: {KEYDOWN}
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: {KEYLEFT}
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: {KEYRIGHT}
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: {DEL}
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: {END}
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: {HOME}
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: {Insert}
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: {NumLock}
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: {PageDown}
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: {PageUp}
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: {ENTER}
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: {F1}
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: {F2}
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: {F3}
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: {F4}
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: {F5}
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: {F6}
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: {F7}
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: {F8}
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: {F9}
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: {F10}
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: {F11}
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: {F12}
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: control
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: {CTRL}
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: &
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: <
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: >
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: "
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: <br><hr>Copied Text: <br>
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: <hr>
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: logins
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: IE/Edge
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: Windows Secure Note
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: 3CCD5499-87A8-4B10-A215-608888DD3B55
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: Windows Web Password Credential
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: 154E23D0-C644-4E6F-8CE6-5069272F999F
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: Windows Credential Picker Protector
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: Web Credentials
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: Windows Credentials
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: Windows Domain Certificate Credential
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: 3E0E35BE-1B77-43E7-B873-AED901B6275B
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: Windows Domain Password Credential
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: Windows Extended Credential
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: 00000000-0000-0000-0000-000000000000
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: SchemaId
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: pResourceElement
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: pIdentityElement
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: pPackageSid
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: pAuthenticatorElement
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: IE/Edge
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: UC Browser
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: UCBrowser\
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: Login Data
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: journal
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: wow_logins
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: Safari for Windows
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: \Common Files\Apple\Apple Application Support\plutil.exe
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: \Apple Computer\Preferences\keychain.plist
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: <array>
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: <dict>
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: <string>
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: </string>
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: <string>
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: </string>
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: <data>
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: </data>
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: -convert xml1 -s -o "
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: \fixed_keychain.xml"
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: \Microsoft\Credentials\
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: \Microsoft\Credentials\
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: \Microsoft\Credentials\
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: \Microsoft\Credentials\
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: \Microsoft\Protect\
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: credential
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: QQ Browser
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: Tencent\QQBrowser\User Data
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: \Default\EncryptedStorage
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: Profile
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: \EncryptedStorage
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: entries
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: category
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: Password
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: str3
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: str2
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: blob0
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: password_value
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: IncrediMail
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: PopPassword
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: SmtpPassword
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: Software\IncrediMail\Identities\
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: \Accounts_New
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: PopPassword
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: SmtpPassword
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: SmtpServer
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: EmailAddress
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: Eudora
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: Software\Qualcomm\Eudora\CommandLine\
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: current
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: Settings
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: SavePasswordText
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: Settings
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: ReturnAddress
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: Falkon Browser
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: \falkon\profiles\
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: profiles.ini
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: startProfile=([A-z0-9\/\.\"]+)
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: profiles.ini
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: \browsedata.db
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: autofill
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: ClawsMail
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: \Claws-mail
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: \clawsrc
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: \clawsrc
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: passkey0
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: master_passphrase_salt=(.+)
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: master_passphrase_pbkdf2_rounds=(.+)
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: \accountrc
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: smtp_server
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: address
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: account
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: \passwordstorerc
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: {(.),(.)}(.*)
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: Flock Browser
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: APPDATA
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: \Flock\Browser\
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: signons3.txt
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: DynDns
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: ALLUSERSPROFILE
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: Dyn\Updater\config.dyndns
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: username=
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: password=
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: https://account.dyn.com/
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: t6KzXhCh
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: ALLUSERSPROFILE
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: Dyn\Updater\daemon.cfg
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: global
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: accounts
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: account.
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: username
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: account.
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: password
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: Psi/Psi+
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: name
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: password
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: Psi/Psi+
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: APPDATA
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: \Psi\profiles
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: APPDATA
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: \Psi+\profiles
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: \accounts.xml
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: \accounts.xml
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: OpenVPN
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: Software\OpenVPN-GUI\configs
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: Software\OpenVPN-GUI\configs
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: Software\OpenVPN-GUI\configs\
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: username
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: auth-data
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: entropy
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: USERPROFILE
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: \OpenVPN\config\
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: remote
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: remote
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: NordVPN
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: NordVPN
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: NordVpn.exe*
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: user.config
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: //setting[@name='Username']/value
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: //setting[@name='Password']/value
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: NordVPN
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: Private Internet Access
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: %ProgramW6432%
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: Private Internet Access\data
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: ProgramFiles(x86)
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: \Private Internet Access\data
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: \account.json
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: ."username":"(.?)"
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: ."password":"(.?)"
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: Private Internet Access
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: privateinternetaccess.com
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: FileZilla
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: APPDATA
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: \FileZilla\recentservers.xml
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: APPDATA
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: \FileZilla\recentservers.xml
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: <Server>
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: <Host>
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: <Host>
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: </Host>
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: <Port>
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: </Port>
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: <User>
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: <User>
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: </User>
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: <Pass encoding="base64">
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: <Pass encoding="base64">
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: </Pass>
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: <Pass>
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: <Pass encoding="base64">
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: </Pass>
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: CoreFTP
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: SOFTWARE\FTPWare\COREFTP\Sites
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: User
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: Host
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: Port
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: hdfzpysvpzimorhk
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: WinSCP
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: HostName
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: UserName
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: Password
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: PublicKeyFile
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: PortNumber
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: [PRIVATE KEY LOCATION: "{0}"]
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: WinSCP
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: ABCDEF
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: Flash FXP
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: port
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: user
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: pass
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: quick.dat
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: Sites.dat
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: \FlashFXP\
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: \FlashFXP\
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: yA36zA48dEhfrvghGRg57h5UlDv3
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: FTP Navigator
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: SystemDrive
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: \FTP Navigator\Ftplist.txt
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: Server
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: Password
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: No Password
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: User
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: SmartFTP
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: APPDATA
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: SmartFTP\Client 2.0\Favorites\Quick Connect
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: WS_FTP
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: appdata
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: Ipswitch\WS_FTP\Sites\ws_ftp.ini
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: HOST
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: PWD=
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: PWD=
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: FtpCommander
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: SystemDrive
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: \Program Files (x86)\FTP Commander Deluxe\Ftplist.txt
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: SystemDrive
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: \Program Files (x86)\FTP Commander\Ftplist.txt
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: SystemDrive
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: \cftp\Ftplist.txt
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: \VirtualStore\Program Files (x86)\FTP Commander\Ftplist.txt
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: \VirtualStore\Program Files (x86)\FTP Commander Deluxe\Ftplist.txt
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: ;Password=
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: ;User=
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: ;Server=
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: ;Port=
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: ;Port=
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: ;Password=
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: ;User=
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: ;Anonymous=
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: FTPGetter
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: \FTPGetter\servers.xml
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: <server>
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: <server_ip>
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: <server_ip>
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: </server_ip>
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: <server_port>
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: </server_port>
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: <server_user_name>
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: <server_user_name>
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: </server_user_name>
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: <server_user_password>
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: <server_user_password>
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: </server_user_password>
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: FTPGetter
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: The Bat!
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: appdata
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: \The Bat!
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: \Account.CFN
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: \Account.CFN
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: +-0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: Becky!
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: HKEY_CURRENT_USER\Software\RimArts\B2\Settings
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: DataDir
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: Folder.lst
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: \Mailbox.ini
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: Account
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: PassWd
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: Account
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: SMTPServer
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: Account
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: MailAddress
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: Becky!
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: Outlook
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: Email
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: IMAP Password
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: POP3 Password
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: HTTP Password
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: SMTP Password
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: Email
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: Email
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: Email
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: IMAP Password
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: POP3 Password
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: HTTP Password
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: SMTP Password
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: Server
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: Windows Mail App
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: COMPlus_legacyCorruptedStateExceptionsPolicy
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: Software\Microsoft\ActiveSync\Partners
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: Email
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: Server
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: SchemaId
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: pResourceElement
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: pIdentityElement
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: pPackageSid
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: pAuthenticatorElement
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: syncpassword
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: mailoutgoing
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: FoxMail
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: HKEY_CURRENT_USER\Software\Aerofox\FoxmailPreview
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: Executable
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: HKEY_CURRENT_USER\Software\Aerofox\Foxmail\V3.1
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: FoxmailPath
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: \Storage\
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: \Storage\
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: \mail
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: \mail
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: \VirtualStore\Program Files\Foxmail\mail
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: \VirtualStore\Program Files\Foxmail\mail
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: \VirtualStore\Program Files (x86)\Foxmail\mail
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: \VirtualStore\Program Files (x86)\Foxmail\mail
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: \Accounts\Account.rec0
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: \Accounts\Account.rec0
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: \Account.stg
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: \Account.stg
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: POP3Host
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: SMTPHost
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: IncomingServer
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: Account
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: MailAddress
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: Password
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: POP3Password
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: Opera Mail
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: \Opera Mail\Opera Mail\wand.dat
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: \Opera Mail\Opera Mail\wand.dat
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: opera:
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: abcdefghijklmnopqrstuvwxyz1234567890_-.~!@#$%^&*()[{]}\\|';:,<>/?+=
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: PocoMail
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: appdata
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: \Pocomail\accounts.ini
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: Email
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: POPPass
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: SMTPPass
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: SMTP
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: eM Client
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: eM Client\accounts.dat
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: eM Client
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: Accounts
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: "Username":"
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: "Secret":"
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: 72905C47-F4FD-4CF7-A489-4E8121A155BD
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: "ProviderName":"
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: o6806642kbM7c5
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: Mailbird
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: SenderIdentities
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: Accounts
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: \Mailbird\Store\Store.db
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: Server_Host
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: Accounts
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: Email
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: Username
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: EncryptedPassword
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: Mailbird
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: RealVNC 4.x
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: SOFTWARE\Wow6432Node\RealVNC\WinVNC4
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: Password
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: RealVNC 3.x
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: SOFTWARE\RealVNC\vncserver
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: Password
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: RealVNC 4.x
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: SOFTWARE\RealVNC\WinVNC4
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: Password
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: RealVNC 3.x
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: Software\ORL\WinVNC3
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: Password
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: TightVNC
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: Software\TightVNC\Server
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: Password
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: TightVNC
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: Software\TightVNC\Server
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: PasswordViewOnly
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: TightVNC ControlPassword
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: Software\TightVNC\Server
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: ControlPassword
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: TigerVNC
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: Software\TigerVNC\Server
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: Password
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: UltraVNC
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: ProgramFiles(x86)
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: \uvnc bvba\UltraVNC\ultravnc.ini
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: passwd
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: UltraVNC
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: ProgramFiles(x86)
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: \uvnc bvba\UltraVNC\ultravnc.ini
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: passwd2
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: UltraVNC
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: ProgramFiles
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: \uvnc bvba\UltraVNC\ultravnc.ini
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: passwd
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: UltraVNC
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: ProgramFiles
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: \uvnc bvba\UltraVNC\ultravnc.ini
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: passwd2
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: UltraVNC
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: ProgramFiles
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: \UltraVNC\ultravnc.ini
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: passwd
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: UltraVNC
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: ProgramFiles
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: \UltraVNC\ultravnc.ini
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: passwd2
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: UltraVNC
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: ProgramFiles(x86)
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: \UltraVNC\ultravnc.ini
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: passwd
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: UltraVNC
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: ProgramFiles(x86)
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: \UltraVNC\ultravnc.ini
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: passwd2
Source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack	String decryptor: JDownloader 2.0

Source: Disable_automatic_email_errors.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 173.231.16.76:443 -> 192.168.2.5:49717 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 64.185.227.156:443 -> 192.168.2.5:49720 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 64.185.227.156:443 -> 192.168.2.5:49722 version: TLS 1.2

Source: Disable_automatic_email_errors.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

May check the online IP address of the machine

Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe	DNS query: name: api.ipify.org
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe	DNS query: name: api.ipify.org
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe	DNS query: name: api.ipify.org
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe	DNS query: name: api.ipify.org
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe	DNS query: name: api.ipify.org
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe	DNS query: name: api.ipify.org
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	DNS query: name: api.ipify.org
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	DNS query: name: api.ipify.org
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	DNS query: name: api.ipify.org
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	DNS query: name: api.ipify.org
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	DNS query: name: api.ipify.org
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	DNS query: name: api.ipify.org
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	DNS query: name: api.ipify.org
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	DNS query: name: api.ipify.org
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	DNS query: name: api.ipify.org
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	DNS query: name: api.ipify.org
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	DNS query: name: api.ipify.org
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	DNS query: name: api.ipify.org

Source: Joe Sandbox View

ASN Name: NETONBOARD-MYNetOnboardSdnBhd-QualityReliableCloud NETONBOARD-MYNetOnboardSdnBhd-QualityReliableCloud

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: Joe Sandbox View	IP Address: 64.185.227.156 64.185.227.156
Source: Joe Sandbox View	IP Address: 64.185.227.156 64.185.227.156

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: global traffic

TCP traffic: 192.168.2.5:49718 -> 103.211.239.66:587

Source: global traffic

TCP traffic: 192.168.2.5:49718 -> 103.211.239.66:587

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443

Source: Disable_automatic_email_errors.exe, 00000000.00000002.659647994.0000000005FA8000.00000004.00000020.00020000.00000000.sdmp, Disable_automatic_email_errors.exe, 00000000.00000002.649418383.000000000280D000.00000004.00000800.00020000.00000000.sdmp, Disable_automatic_email_errors.exe, 00000000.00000002.659852655.0000000005FCE000.00000004.00000020.00020000.00000000.sdmp, Disable_automatic_email_errors.exe, 00000000.00000002.649418383.0000000002731000.00000004.00000800.00020000.00000000.sdmp, Disable_automatic_email_errors.exe, 00000000.00000003.538201206.0000000000945000.00000004.00000020.00020000.00000000.sdmp, Disable_automatic_email_errors.exe, 00000000.00000003.538076671.0000000005FB2000.00000004.00000020.00020000.00000000.sdmp, Disable_automatic_email_errors.exe, 00000000.00000002.648588268.0000000000960000.00000004.00000020.00020000.00000000.sdmp, ggh.exe, 00000004.00000002.648288743.0000000000C24000.00000004.00000020.00020000.00000000.sdmp, ggh.exe, 00000004.00000002.649230805.00000000029A7000.00000004.00000800.00020000.00000000.sdmp, ggh.exe, 00000004.00000002.648288743.0000000000CD6000.00000004.00000020.00020000.00000000.sdmp, ggh.exe, 00000004.00000002.649230805.0000000002A7D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: Disable_automatic_email_errors.exe, 00000000.00000003.538201206.0000000000945000.00000004.00000020.00020000.00000000.sdmp, ggh.exe, 00000001.00000002.433183496.0000000006A70000.00000004.00000020.00020000.00000000.sdmp, ggh.exe, 00000004.00000002.648288743.0000000000C24000.00000004.00000020.00020000.00000000.sdmp, ggh.exe, 00000004.00000002.659907754.0000000006390000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: Disable_automatic_email_errors.exe, 00000000.00000002.659647994.0000000005FA8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.cCN
Source: Disable_automatic_email_errors.exe, 00000000.00000002.649418383.000000000280D000.00000004.00000800.00020000.00000000.sdmp, Disable_automatic_email_errors.exe, 00000000.00000002.649418383.0000000002731000.00000004.00000800.00020000.00000000.sdmp, Disable_automatic_email_errors.exe, 00000000.00000002.648588268.000000000096B000.00000004.00000020.00020000.00000000.sdmp, Disable_automatic_email_errors.exe, 00000000.00000002.659852655.0000000005FBF000.00000004.00000020.00020000.00000000.sdmp, Disable_automatic_email_errors.exe, 00000000.00000003.538201206.0000000000945000.00000004.00000020.00020000.00000000.sdmp, Disable_automatic_email_errors.exe, 00000000.00000003.538076671.0000000005FB2000.00000004.00000020.00020000.00000000.sdmp, ggh.exe, 00000004.00000002.648288743.0000000000C24000.00000004.00000020.00020000.00000000.sdmp, ggh.exe, 00000004.00000002.649230805.00000000029A7000.00000004.00000800.00020000.00000000.sdmp, ggh.exe, 00000004.00000002.648288743.0000000000CA6000.00000004.00000020.00020000.00000000.sdmp, ggh.exe, 00000004.00000002.649230805.0000000002A7D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: Disable_automatic_email_errors.exe, 00000000.00000002.659647994.0000000005FA8000.00000004.00000020.00020000.00000000.sdmp, Disable_automatic_email_errors.exe, 00000000.00000002.649418383.000000000280D000.00000004.00000800.00020000.00000000.sdmp, Disable_automatic_email_errors.exe, 00000000.00000002.649418383.0000000002731000.00000004.00000800.00020000.00000000.sdmp, Disable_automatic_email_errors.exe, 00000000.00000002.659852655.0000000005FC6000.00000004.00000020.00020000.00000000.sdmp, Disable_automatic_email_errors.exe, 00000000.00000002.648588268.0000000000951000.00000004.00000020.00020000.00000000.sdmp, Disable_automatic_email_errors.exe, 00000000.00000003.538201206.00000000009A4000.00000004.00000020.00020000.00000000.sdmp, Disable_automatic_email_errors.exe, 00000000.00000003.538076671.0000000005FB2000.00000004.00000020.00020000.00000000.sdmp, ggh.exe, 00000004.00000002.648288743.0000000000C24000.00000004.00000020.00020000.00000000.sdmp, ggh.exe, 00000004.00000002.649230805.00000000029A7000.00000004.00000800.00020000.00000000.sdmp, ggh.exe, 00000004.00000002.659907754.0000000006390000.00000004.00000020.00020000.00000000.sdmp, ggh.exe, 00000004.00000002.648288743.0000000000CD6000.00000004.00000020.00020000.00000000.sdmp, ggh.exe, 00000004.00000002.649230805.0000000002A7D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/cPanelIncCertificationAuthority.crl0
Source: Disable_automatic_email_errors.exe, 00000000.00000003.389381234.0000000000999000.00000004.00000020.00020000.00000000.sdmp, Disable_automatic_email_errors.exe, 00000000.00000003.538201206.00000000009A4000.00000004.00000020.00020000.00000000.sdmp, ggh.exe, 00000001.00000002.428721241.0000000001634000.00000004.00000020.00020000.00000000.sdmp, ggh.exe, 00000001.00000003.423297827.0000000001625000.00000004.00000020.00020000.00000000.sdmp, ggh.exe, 00000004.00000003.436792918.0000000000C9A000.00000004.00000020.00020000.00000000.sdmp, ggh.exe, 00000004.00000002.648288743.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: ggh.exe, 00000001.00000002.433183496.0000000006A70000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micro
Source: Disable_automatic_email_errors.exe, 00000000.00000002.659852655.0000000005FBF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crt.comod
Source: Disable_automatic_email_errors.exe, 00000000.00000002.649418383.000000000280D000.00000004.00000800.00020000.00000000.sdmp, Disable_automatic_email_errors.exe, 00000000.00000002.649418383.0000000002731000.00000004.00000800.00020000.00000000.sdmp, ggh.exe, 00000001.00000002.429886562.00000000032B1000.00000004.00000800.00020000.00000000.sdmp, ggh.exe, 00000004.00000002.649230805.00000000029A1000.00000004.00000800.00020000.00000000.sdmp, ggh.exe, 00000004.00000002.649230805.0000000002A7D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mail.grabinphone.com
Source: Disable_automatic_email_errors.exe, 00000000.00000002.659647994.0000000005FA8000.00000004.00000020.00020000.00000000.sdmp, Disable_automatic_email_errors.exe, 00000000.00000002.649418383.000000000280D000.00000004.00000800.00020000.00000000.sdmp, Disable_automatic_email_errors.exe, 00000000.00000002.659852655.0000000005FCE000.00000004.00000020.00020000.00000000.sdmp, Disable_automatic_email_errors.exe, 00000000.00000002.649418383.0000000002731000.00000004.00000800.00020000.00000000.sdmp, Disable_automatic_email_errors.exe, 00000000.00000002.659852655.0000000005FC6000.00000004.00000020.00020000.00000000.sdmp, Disable_automatic_email_errors.exe, 00000000.00000002.648588268.0000000000951000.00000004.00000020.00020000.00000000.sdmp, Disable_automatic_email_errors.exe, 00000000.00000002.648588268.000000000096B000.00000004.00000020.00020000.00000000.sdmp, Disable_automatic_email_errors.exe, 00000000.00000002.659852655.0000000005FBF000.00000004.00000020.00020000.00000000.sdmp, Disable_automatic_email_errors.exe, 00000000.00000003.538201206.00000000009A4000.00000004.00000020.00020000.00000000.sdmp, Disable_automatic_email_errors.exe, 00000000.00000003.538201206.0000000000945000.00000004.00000020.00020000.00000000.sdmp, Disable_automatic_email_errors.exe, 00000000.00000003.538076671.0000000005FB2000.00000004.00000020.00020000.00000000.sdmp, Disable_automatic_email_errors.exe, 00000000.00000002.648588268.0000000000960000.00000004.00000020.00020000.00000000.sdmp, Disable_automatic_email_errors.exe, 00000000.00000002.648588268.00000000009AA000.00000004.00000020.00020000.00000000.sdmp, ggh.exe, 00000004.00000002.648288743.0000000000C24000.00000004.00000020.00020000.00000000.sdmp, ggh.exe, 00000004.00000002.649230805.00000000029A7000.00000004.00000800.00020000.00000000.sdmp, ggh.exe, 00000004.00000002.659907754.0000000006390000.00000004.00000020.00020000.00000000.sdmp, ggh.exe, 00000004.00000002.648288743.0000000000CD6000.00000004.00000020.00020000.00000000.sdmp, ggh.exe, 00000004.00000002.648288743.0000000000CA6000.00000004.00000020.00020000.00000000.sdmp, ggh.exe, 00000004.00000002.649230805.0000000002A7D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: Disable_automatic_email_errors.exe, 00000000.00000002.649418383.00000000026B1000.00000004.00000800.00020000.00000000.sdmp, ggh.exe, 00000001.00000002.429886562.0000000003231000.00000004.00000800.00020000.00000000.sdmp, ggh.exe, 00000004.00000002.649230805.000000000292C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Disable_automatic_email_errors.exe, 00000000.00000002.649418383.00000000026B1000.00000004.00000800.00020000.00000000.sdmp, ggh.exe, 00000001.00000002.429886562.0000000003231000.00000004.00000800.00020000.00000000.sdmp, ggh.exe, 00000004.00000002.649230805.000000000292C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org
Source: Disable_automatic_email_errors.exe, 00000000.00000002.649418383.00000000026B1000.00000004.00000800.00020000.00000000.sdmp, ggh.exe, 00000001.00000002.429886562.0000000003231000.00000004.00000800.00020000.00000000.sdmp, ggh.exe, 00000004.00000002.649230805.000000000292C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/
Source: Disable_automatic_email_errors.exe, 00000000.00000002.659647994.0000000005FA8000.00000004.00000020.00020000.00000000.sdmp, Disable_automatic_email_errors.exe, 00000000.00000002.649418383.000000000280D000.00000004.00000800.00020000.00000000.sdmp, Disable_automatic_email_errors.exe, 00000000.00000002.649418383.0000000002731000.00000004.00000800.00020000.00000000.sdmp, Disable_automatic_email_errors.exe, 00000000.00000002.659852655.0000000005FC6000.00000004.00000020.00020000.00000000.sdmp, Disable_automatic_email_errors.exe, 00000000.00000002.648588268.0000000000951000.00000004.00000020.00020000.00000000.sdmp, Disable_automatic_email_errors.exe, 00000000.00000003.538201206.00000000009A4000.00000004.00000020.00020000.00000000.sdmp, Disable_automatic_email_errors.exe, 00000000.00000003.538076671.0000000005FB2000.00000004.00000020.00020000.00000000.sdmp, ggh.exe, 00000004.00000002.648288743.0000000000C24000.00000004.00000020.00020000.00000000.sdmp, ggh.exe, 00000004.00000002.649230805.00000000029A7000.00000004.00000800.00020000.00000000.sdmp, ggh.exe, 00000004.00000002.659907754.0000000006390000.00000004.00000020.00020000.00000000.sdmp, ggh.exe, 00000004.00000002.648288743.0000000000CD6000.00000004.00000020.00020000.00000000.sdmp, ggh.exe, 00000004.00000002.649230805.0000000002A7D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://sectigo.com/CPS0

Source: unknown

DNS traffic detected: queries for: api.ipify.org

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: unknown	HTTPS traffic detected: 173.231.16.76:443 -> 192.168.2.5:49717 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 64.185.227.156:443 -> 192.168.2.5:49720 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 64.185.227.156:443 -> 192.168.2.5:49722 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Installs a global keyboard hook

Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe	Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\Disable_automatic_email_errors.exe			Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\ggh\ggh.exe			Jump to behavior

Contains functionality to log keystrokes (.Net Source)

Source: Disable_automatic_email_errors.exe, Y7ALd2ht.cs

.Net Code: cpDC0rHNkG

Source: Disable_automatic_email_errors.exe, 00000000.00000002.648252195.00000000008CB000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe	Window created: window name: CLIPBRDWNDCLASS			Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Window created: window name: CLIPBRDWNDCLASS			Jump to behavior

Source: Disable_automatic_email_errors.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe	Code function: 0_2_0249AA70	0_2_0249AA70
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe	Code function: 0_2_0249CA30	0_2_0249CA30
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe	Code function: 0_2_02499E58	0_2_02499E58
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe	Code function: 0_2_0249020D	0_2_0249020D
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe	Code function: 0_2_02498144	0_2_02498144
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe	Code function: 0_2_0249A1A0	0_2_0249A1A0
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe	Code function: 0_2_053BF2D0	0_2_053BF2D0
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe	Code function: 0_2_053BD998	0_2_053BD998
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe	Code function: 0_2_053B3558	0_2_053B3558
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe	Code function: 0_2_053BA5F8	0_2_053BA5F8
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe	Code function: 0_2_053B71C8	0_2_053B71C8
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe	Code function: 0_2_053BD068	0_2_053BD068
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe	Code function: 0_2_053B3D70	0_2_053B3D70
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe	Code function: 0_2_053BC8E0	0_2_053BC8E0
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe	Code function: 0_2_060946B8	0_2_060946B8
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe	Code function: 0_2_0609C7B8	0_2_0609C7B8
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe	Code function: 0_2_06096CB0	0_2_06096CB0
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe	Code function: 0_2_060932C0	0_2_060932C0
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe	Code function: 0_2_0609D931	0_2_0609D931
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe	Code function: 0_2_0609D960	0_2_0609D960
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Code function: 1_2_017BAA70	1_2_017BAA70
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Code function: 1_2_017BCA30	1_2_017BCA30
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Code function: 1_2_017B9E58	1_2_017B9E58
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Code function: 1_2_017B8144	1_2_017B8144
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Code function: 1_2_017BA1A0	1_2_017BA1A0
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Code function: 1_2_06CCA4D8	1_2_06CCA4D8
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Code function: 1_2_06CC4570	1_2_06CC4570
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Code function: 1_2_06CCF1B0	1_2_06CCF1B0
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Code function: 1_2_06CC73FE	1_2_06CC73FE
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Code function: 1_2_06CCCF33	1_2_06CCCF33
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Code function: 1_2_06CCF879	1_2_06CCF879
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Code function: 1_2_06CF303A	1_2_06CF303A
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Code function: 1_2_06CF6A38	1_2_06CF6A38
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Code function: 1_2_06CC6C7F	1_2_06CC6C7F
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Code function: 4_2_00F8AA70	4_2_00F8AA70
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Code function: 4_2_00F8CA30	4_2_00F8CA30
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Code function: 4_2_00F89E58	4_2_00F89E58
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Code function: 4_2_00F8A1A0	4_2_00F8A1A0
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Code function: 4_2_064AC7C0	4_2_064AC7C0
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Code function: 4_2_064AA4D8	4_2_064AA4D8
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Code function: 4_2_064A4570	4_2_064A4570
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Code function: 4_2_064A7062	4_2_064A7062
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Code function: 4_2_064AF1B0	4_2_064AF1B0
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Code function: 4_2_064ACF33	4_2_064ACF33
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Code function: 4_2_064DD6E0	4_2_064DD6E0
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Code function: 4_2_064D4440	4_2_064D4440
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Code function: 4_2_064DC538	4_2_064DC538
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Code function: 4_2_064D303A	4_2_064D303A
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Code function: 4_2_064DD63B	4_2_064DD63B
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Code function: 4_2_064DD630	4_2_064DD630
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Code function: 4_2_064DD5EF	4_2_064DD5EF
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Code function: 4_2_064DD5F3	4_2_064DD5F3
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Code function: 4_2_064D6A38	4_2_064D6A38
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Code function: 4_2_064A6C7F	4_2_064A6C7F

Source: Disable_automatic_email_errors.exe, 00000000.00000002.648252195.00000000008CB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Disable_automatic_email_errors.exe
Source: Disable_automatic_email_errors.exe, 00000000.00000002.648022270.00000000006F8000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Disable_automatic_email_errors.exe
Source: Disable_automatic_email_errors.exe, 00000000.00000000.381688362.0000000000292000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamee54e8234-c538-4d61-9ae7-0c66fe2c76ab.exe4 vs Disable_automatic_email_errors.exe
Source: Disable_automatic_email_errors.exe, 00000000.00000003.385931542.0000000005F97000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamee54e8234-c538-4d61-9ae7-0c66fe2c76ab.exe4 vs Disable_automatic_email_errors.exe
Source: Disable_automatic_email_errors.exe	Binary or memory string: OriginalFilenamee54e8234-c538-4d61-9ae7-0c66fe2c76ab.exe4 vs Disable_automatic_email_errors.exe

Source: Disable_automatic_email_errors.exe	ReversingLabs: Detection: 60%
Source: Disable_automatic_email_errors.exe	Virustotal: Detection: 57%

Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe

File read: C:\Users\user\Desktop\Disable_automatic_email_errors.exe

Jump to behavior

Source: Disable_automatic_email_errors.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Disable_automatic_email_errors.exe C:\Users\user\Desktop\Disable_automatic_email_errors.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\ggh\ggh.exe "C:\Users\user\AppData\Roaming\ggh\ggh.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\ggh\ggh.exe "C:\Users\user\AppData\Roaming\ggh\ggh.exe"

Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe

File created: C:\Users\user\AppData\Roaming\ggh

Jump to behavior

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/2@11/3

Source: Disable_automatic_email_errors.exe	Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior

Source: Disable_automatic_email_errors.exe, Kmbq.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: Disable_automatic_email_errors.exe, i3NieABBvPx.cs	Cryptographic APIs: 'CreateDecryptor'
Source: Disable_automatic_email_errors.exe, mmBPv5px6TD.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: Disable_automatic_email_errors.exe, f1PesMmfD.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: Disable_automatic_email_errors.exe, 4BiOIibx7.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: Disable_automatic_email_errors.exe, Zt080i.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
Source: Disable_automatic_email_errors.exe, PkUuN2.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: Disable_automatic_email_errors.exe, PkUuN2.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: Disable_automatic_email_errors.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Disable_automatic_email_errors.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe	Code function: 0_2_024922AD push esp; retf	0_2_024922AE
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Code function: 1_2_017B22AD push esp; retf	1_2_017B22AE
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Code function: 4_2_00F822AD push esp; retf	4_2_00F822AE
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Code function: 4_2_064D87A0 push es; ret	4_2_064D87B0
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Code function: 4_2_064DBA00 pushad ; iretd	4_2_064DBA01
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Code function: 4_2_064DBAAA pushfd ; iretd	4_2_064DBAAD

Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe

File created: C:\Users\user\AppData\Roaming\ggh\ggh.exe

Jump to dropped file

Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run ggh			Jump to behavior
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run ggh			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe

File opened: C:\Users\user\AppData\Roaming\ggh\ggh.exe:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe TID: 5588	Thread sleep time: -18446744073709540s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe TID: 5588	Thread sleep time: -200000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe TID: 5588	Thread sleep time: -99859s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe TID: 5572	Thread sleep count: 9801 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe TID: 5588	Thread sleep time: -99750s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe TID: 5588	Thread sleep time: -99640s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe TID: 5588	Thread sleep time: -99531s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe TID: 5588	Thread sleep time: -99422s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe TID: 5588	Thread sleep time: -99312s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe TID: 5588	Thread sleep time: -99194s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe TID: 5588	Thread sleep time: -99078s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe TID: 5588	Thread sleep time: -98968s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe TID: 5588	Thread sleep time: -98859s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe TID: 5588	Thread sleep time: -98719s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe TID: 5588	Thread sleep time: -98589s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe TID: 5588	Thread sleep time: -98472s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe TID: 5588	Thread sleep time: -98343s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe TID: 5588	Thread sleep time: -98234s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe TID: 5588	Thread sleep time: -98122s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe TID: 5588	Thread sleep time: -98015s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe TID: 5588	Thread sleep time: -97906s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe TID: 5588	Thread sleep time: -97796s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe TID: 5588	Thread sleep time: -97687s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe TID: 5588	Thread sleep time: -97578s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe TID: 5588	Thread sleep time: -97464s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe TID: 5588	Thread sleep time: -97359s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe TID: 5588	Thread sleep time: -97250s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe TID: 5588	Thread sleep time: -99858s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe TID: 5588	Thread sleep time: -99749s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe TID: 5588	Thread sleep time: -99641s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe TID: 5588	Thread sleep time: -99500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe TID: 5588	Thread sleep time: -99380s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe TID: 5588	Thread sleep time: -99250s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe TID: 5588	Thread sleep time: -99139s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe TID: 5588	Thread sleep time: -99022s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe TID: 5588	Thread sleep time: -98906s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe TID: 5588	Thread sleep time: -98797s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe TID: 5588	Thread sleep time: -98688s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe TID: 5588	Thread sleep time: -98547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe TID: 5588	Thread sleep time: -98438s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe TID: 5588	Thread sleep time: -98328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe TID: 5588	Thread sleep time: -98219s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe TID: 5588	Thread sleep time: -98110s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe TID: 5588	Thread sleep time: -97938s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe TID: 5588	Thread sleep time: -97828s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe TID: 5588	Thread sleep time: -97719s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe TID: 5588	Thread sleep time: -97610s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe TID: 5588	Thread sleep time: -97438s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe TID: 5588	Thread sleep time: -180000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe TID: 5588	Thread sleep time: -179840s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe TID: 5588	Thread sleep time: -179717s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe TID: 7144	Thread sleep time: -6456360425798339s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe TID: 7144	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe TID: 5416	Thread sleep count: 2984 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe TID: 7144	Thread sleep time: -99875s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe TID: 7144	Thread sleep time: -99766s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe TID: 7144	Thread sleep time: -99657s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe TID: 7144	Thread sleep time: -99500s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe TID: 7144	Thread sleep time: -99391s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe TID: 7144	Thread sleep time: -99281s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe TID: 7144	Thread sleep time: -99171s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe TID: 7144	Thread sleep time: -99063s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe TID: 7144	Thread sleep time: -98907s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe TID: 7144	Thread sleep time: -98751s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe TID: 7144	Thread sleep time: -98610s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe TID: 7144	Thread sleep time: -98499s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe TID: 7144	Thread sleep time: -98391s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe TID: 7144	Thread sleep time: -98250s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe TID: 7144	Thread sleep time: -98054s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe TID: 6776	Thread sleep time: -17524406870024063s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe TID: 6776	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe TID: 7132	Thread sleep count: 9860 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe TID: 6776	Thread sleep time: -99860s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe TID: 6776	Thread sleep time: -99750s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe TID: 6776	Thread sleep time: -99638s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe TID: 6776	Thread sleep time: -99531s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe TID: 6776	Thread sleep time: -99422s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe TID: 6776	Thread sleep time: -99313s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe TID: 6776	Thread sleep time: -99188s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe TID: 6776	Thread sleep time: -99047s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe TID: 6776	Thread sleep time: -98937s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe TID: 6776	Thread sleep time: -98828s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe TID: 6776	Thread sleep time: -98719s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe TID: 6776	Thread sleep time: -98609s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe TID: 6776	Thread sleep time: -98500s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe TID: 6776	Thread sleep time: -98390s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe TID: 6776	Thread sleep time: -98281s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe TID: 6776	Thread sleep time: -98172s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe TID: 6776	Thread sleep time: -98061s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe TID: 6776	Thread sleep time: -97953s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe TID: 6776	Thread sleep time: -97844s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe TID: 6776	Thread sleep time: -97734s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe TID: 6776	Thread sleep time: -97609s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe TID: 6776	Thread sleep time: -97500s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe TID: 6776	Thread sleep time: -97391s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe TID: 6776	Thread sleep time: -97250s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe TID: 6776	Thread sleep time: -97141s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe TID: 6776	Thread sleep time: -97031s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe TID: 6776	Thread sleep time: -96922s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe TID: 6776	Thread sleep time: -96805s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe TID: 6776	Thread sleep time: -96686s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe TID: 6776	Thread sleep time: -96578s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe TID: 6776	Thread sleep time: -96469s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe TID: 6776	Thread sleep time: -99873s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe TID: 6776	Thread sleep time: -99766s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe TID: 6776	Thread sleep time: -99641s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe TID: 6776	Thread sleep time: -99529s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe TID: 6776	Thread sleep time: -99406s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe TID: 6776	Thread sleep time: -99297s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe TID: 6776	Thread sleep time: -99187s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe TID: 6776	Thread sleep time: -99078s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe TID: 6776	Thread sleep time: -98969s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe TID: 6776	Thread sleep time: -98859s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe TID: 6776	Thread sleep time: -98750s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe TID: 6776	Thread sleep time: -98641s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe TID: 6776	Thread sleep time: -98531s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe TID: 6776	Thread sleep time: -98422s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe TID: 6776	Thread sleep time: -98312s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe TID: 6776	Thread sleep time: -98203s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe TID: 6776	Thread sleep time: -98094s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe

Code function: 0_2_02498144 rdtsc

0_2_02498144

Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe	Thread delayed: delay time: 180000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe	Window / User API: threadDelayed 9801	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Window / User API: threadDelayed 2984	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Window / User API: threadDelayed 9860	Jump to behavior

Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe	Thread delayed: delay time: 99859	Jump to behavior
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe	Thread delayed: delay time: 99750	Jump to behavior
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe	Thread delayed: delay time: 99640	Jump to behavior
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe	Thread delayed: delay time: 99531	Jump to behavior
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe	Thread delayed: delay time: 99422	Jump to behavior
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe	Thread delayed: delay time: 99312	Jump to behavior
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe	Thread delayed: delay time: 99194	Jump to behavior
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe	Thread delayed: delay time: 99078	Jump to behavior
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe	Thread delayed: delay time: 98968	Jump to behavior
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe	Thread delayed: delay time: 98859	Jump to behavior
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe	Thread delayed: delay time: 98719	Jump to behavior
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe	Thread delayed: delay time: 98589	Jump to behavior
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe	Thread delayed: delay time: 98472	Jump to behavior
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe	Thread delayed: delay time: 98343	Jump to behavior
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe	Thread delayed: delay time: 98234	Jump to behavior
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe	Thread delayed: delay time: 98122	Jump to behavior
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe	Thread delayed: delay time: 98015	Jump to behavior
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe	Thread delayed: delay time: 97906	Jump to behavior
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe	Thread delayed: delay time: 97796	Jump to behavior
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe	Thread delayed: delay time: 97687	Jump to behavior
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe	Thread delayed: delay time: 97578	Jump to behavior
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe	Thread delayed: delay time: 97464	Jump to behavior
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe	Thread delayed: delay time: 97359	Jump to behavior
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe	Thread delayed: delay time: 97250	Jump to behavior
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe	Thread delayed: delay time: 99858	Jump to behavior
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe	Thread delayed: delay time: 99749	Jump to behavior
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe	Thread delayed: delay time: 99641	Jump to behavior
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe	Thread delayed: delay time: 99500	Jump to behavior
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe	Thread delayed: delay time: 99380	Jump to behavior
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe	Thread delayed: delay time: 99250	Jump to behavior
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe	Thread delayed: delay time: 99139	Jump to behavior
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe	Thread delayed: delay time: 99022	Jump to behavior
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe	Thread delayed: delay time: 98906	Jump to behavior
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe	Thread delayed: delay time: 98797	Jump to behavior
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe	Thread delayed: delay time: 98688	Jump to behavior
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe	Thread delayed: delay time: 98547	Jump to behavior
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe	Thread delayed: delay time: 98438	Jump to behavior
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe	Thread delayed: delay time: 98328	Jump to behavior
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe	Thread delayed: delay time: 98219	Jump to behavior
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe	Thread delayed: delay time: 98110	Jump to behavior
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe	Thread delayed: delay time: 97938	Jump to behavior
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe	Thread delayed: delay time: 97828	Jump to behavior
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe	Thread delayed: delay time: 97719	Jump to behavior
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe	Thread delayed: delay time: 97610	Jump to behavior
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe	Thread delayed: delay time: 97438	Jump to behavior
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe	Thread delayed: delay time: 180000	Jump to behavior
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe	Thread delayed: delay time: 179840	Jump to behavior
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe	Thread delayed: delay time: 179717	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Thread delayed: delay time: 99875	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Thread delayed: delay time: 99766	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Thread delayed: delay time: 99657	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Thread delayed: delay time: 99500	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Thread delayed: delay time: 99391	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Thread delayed: delay time: 99281	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Thread delayed: delay time: 99171	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Thread delayed: delay time: 99063	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Thread delayed: delay time: 98907	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Thread delayed: delay time: 98751	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Thread delayed: delay time: 98610	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Thread delayed: delay time: 98499	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Thread delayed: delay time: 98391	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Thread delayed: delay time: 98250	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Thread delayed: delay time: 98054	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Thread delayed: delay time: 99860	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Thread delayed: delay time: 99750	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Thread delayed: delay time: 99638	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Thread delayed: delay time: 99531	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Thread delayed: delay time: 99422	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Thread delayed: delay time: 99313	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Thread delayed: delay time: 99188	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Thread delayed: delay time: 99047	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Thread delayed: delay time: 98937	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Thread delayed: delay time: 98828	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Thread delayed: delay time: 98719	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Thread delayed: delay time: 98609	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Thread delayed: delay time: 98500	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Thread delayed: delay time: 98390	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Thread delayed: delay time: 98281	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Thread delayed: delay time: 98172	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Thread delayed: delay time: 98061	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Thread delayed: delay time: 97953	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Thread delayed: delay time: 97844	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Thread delayed: delay time: 97734	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Thread delayed: delay time: 97609	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Thread delayed: delay time: 97500	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Thread delayed: delay time: 97391	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Thread delayed: delay time: 97250	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Thread delayed: delay time: 97141	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Thread delayed: delay time: 97031	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Thread delayed: delay time: 96922	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Thread delayed: delay time: 96805	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Thread delayed: delay time: 96686	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Thread delayed: delay time: 96578	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Thread delayed: delay time: 96469	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Thread delayed: delay time: 99873	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Thread delayed: delay time: 99766	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Thread delayed: delay time: 99641	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Thread delayed: delay time: 99529	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Thread delayed: delay time: 99406	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Thread delayed: delay time: 99297	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Thread delayed: delay time: 99187	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Thread delayed: delay time: 99078	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Thread delayed: delay time: 98969	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Thread delayed: delay time: 98859	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Thread delayed: delay time: 98750	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Thread delayed: delay time: 98641	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Thread delayed: delay time: 98531	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Thread delayed: delay time: 98422	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Thread delayed: delay time: 98312	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Thread delayed: delay time: 98203	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Thread delayed: delay time: 98094	Jump to behavior

Source: Disable_automatic_email_errors.exe, 00000000.00000002.656076012.000000000377D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 3+sMCfGRRU7TovIJ7FA9oRz+IBYcSzeCE74ll8sOPe2CO72SXWcUgyg13qJPmtv999HkIqW90TRVv194dY1dOyCPlcqbdSJxRBJnlhPbLUh8JzZakPh9U0S304MnSi81AYHSTReTjitkTnoanHw1Enzz8T9rxlf/mNFrc8r7GLUmOdrPna1aGzj7Wgsyehy40YndHjkDilkEx0oPDaw/hGJI8NfxZ6HP7r1KMx8qIOLb4ggrYY0+4RvoY3E/JhsdY4u48vnRFq5SPihHmu3uNeLmKos0oghJ4KYPWoUk9FmhBr5aLtMN0PSDtM9yVhO0wPohH3pUGy3WvZFLJ9EA2ZJS9AoeYudfGLF8rXMmi9QxCjAi+XJkcFFaSqkHcn5hKlfbPc3dVopf3TEakoVgQ3ijELLYAC3V4ooCo9qDZrC25/bgStdXKIvdIzM+bOOOHW0PpAHNuzjQA47dlGECHbs40mlOJBlGBXor+TSLh3c+zrotbtj3KtMFOUeLmsxfVK8gwpGEptQvoDvfcgSjbJBNDQJBO0RbBJpgmleCAlZ/SJN+dW9IlPz1zRJ/504gF0SAh1mmwH0jY7faAtvIq4uanI8rAxocDdOhtEyLbM553LwxwIzxtRMyPqxM49qaGZ5fp7M0k9Hh/eMn9i3ozmzSisGcU8zYg8SGEfbmZIx+jnpMn+RF+yv4OZi0UNo8vNk0Ga4jkxreK8aV0EMxQsdDdF4eVmQxH2ydI09rSHatj/xk5o+ZDAT80cl/nxcbGEeRjmhrGVNVzOWeeH3vkgw3Fok6qVAhOgaA1BKvC1mqQScRRUfkJhl2a5bJrL7cL/68vmileEbjhfQAlKmqFwsEiuiIVu4Bnmk1Ii59AtxMO2AGGuxCM0wlyzSa8wV+zDf45Bl0NUzYGyiCkNDx7EBKokrYPLL17hAWmrQuL62kGqkLiRbFVIPLHibqyRHeYjrWyCPNLS679xzq6xD8N1WHn8kFST5LyiRwBTm5Id9DK4NgCWzpyiPX33hbStZLuc000gqu2hvB+U/lDel4j9oXwQlbg/FXIjpt++J+13vhAkTkrHzQt2NoLdaBes7WyIiLYFm2VCi5YJLdripStah81GHYJ9KYOWYGTzUQSW5Xr0BMhM0g01h7GMlrE2gPxaWoDL7Nj5bvvvHUUnBNmNp1zvZHWmxn70H+/+fBv7SBRdjpHIyxO+cth8r52jHOuu4k52FVCulbTLGBOQdePmn4yWU4DHapUZIIDCE8haBuaP6ME1bUVd9ksPLwr6pYfXJ8elhx923AebXopcXGpLkZt521LkiRV3Y1HvC1N99mnyc//+3IXs1+e1eylrd6Ndu7a5muj3Qz76XY1YK57GiorA802X9XenHsNF5xg64LEOHPN0K3b016FAx/CMOtT3awYtx0gnRWFakE/Uy9iHnluqt7hTJZezzgbyu828hKT79DdAiLkQEmZWB63rToy4E4N0W6/LlbXPSnf8740LIXeuR7c30C7b5S4I+G45ah79uhgFsdEuCNsAJqJowQLCRcldJB13WEDU0e1noJVWocpD+H/ShMxXwbvcghYeFib40kxHmVuNLsNfZHj8sfiwVOIrR4Qq3tUXF0DUWFq7ZnF6NhD10Y7390fR4uHJGUXEWKeEoi3SY60tj8lSlgaEtz5pzpbZ5o433vCvi9j8LOmxNnraoda54Q1ehz7vkdc/GmGfD69qsM83jjenB7FZjJ4R+WO1U2KtjLfnGZL82rWHBsfdD8XuU/tB6T61LxG7Tx1EJe5PhVwBagEkXJIueG0LyR675e1/uTvK/hCifCr8DKl8OlCvazdzvref2p/cCLbbTz8g7fbTl4Tt9jOIRtyXBnHftURZtjQ32hM0dgpt0jElPOz2NVRVqh0Rao2DglCG7cSQKsDxST9arYEV9vM1Xp7B6/dUYZ+g8vr9oj8yhCVZsWrQ7p+++PLL8NCFSagkQmDXcalRmqzzZdzOFVRA5UGBh9dbcFLDuoFHNrDkdjS2JJPTMqImepOp7ijuHdO9YMcC9jdwV4qxtO
Source: ggh.exe, 00000004.00000003.436792918.0000000000C9A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll^
Source: Disable_automatic_email_errors.exe, 00000000.00000003.389381234.0000000000983000.00000004.00000020.00020000.00000000.sdmp, ggh.exe, 00000001.00000003.423297827.000000000160F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe

Code function: 0_2_02498144 rdtsc

0_2_02498144

Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: Disable_automatic_email_errors.exe, 00000000.00000002.649418383.0000000002821000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: Disable_automatic_email_errors.exe, 00000000.00000002.649418383.0000000002821000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: q9<b>[ Program Manager]</b> (8/3/2023 6:46:25 PM)<br>{Win}r
Source: Disable_automatic_email_errors.exe, 00000000.00000002.649418383.0000000002821000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: q3<b>[ Program Manager]</b> (8/3/2023 6:46:25 PM)<br>
Source: Disable_automatic_email_errors.exe, 00000000.00000002.649418383.0000000002821000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: q8<b>[ Program Manager]</b> (8/3/2023 6:46:25 PM)<br>{Win}

Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe	Queries volume information: C:\Users\user\Desktop\Disable_automatic_email_errors.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Queries volume information: C:\Users\user\AppData\Roaming\ggh\ggh.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Queries volume information: C:\Users\user\AppData\Roaming\ggh\ggh.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe

Code function: 0_2_0249F1DC GetUserNameW,

0_2_0249F1DC

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 00000000.00000002.649418383.0000000002700000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.649230805.0000000002970000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.429886562.0000000003280000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Disable_automatic_email_errors.exe PID: 6428, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ggh.exe PID: 6624, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ggh.exe PID: 760, type: MEMORYSTR
Source: Yara match	File source: Disable_automatic_email_errors.exe, type: SAMPLE
Source: Yara match	File source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000003.385931542.0000000005F97000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.381688362.0000000000292000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Roaming\ggh\ggh.exe, type: DROPPED

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\Desktop\Disable_automatic_email_errors.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions	Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior

Source: Yara match	File source: 00000000.00000002.649418383.0000000002700000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.649230805.0000000002970000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.429886562.0000000003280000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Disable_automatic_email_errors.exe PID: 6428, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ggh.exe PID: 6624, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ggh.exe PID: 760, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 00000000.00000002.649418383.0000000002700000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.649230805.0000000002970000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.429886562.0000000003280000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Disable_automatic_email_errors.exe PID: 6428, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ggh.exe PID: 6624, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ggh.exe PID: 760, type: MEMORYSTR
Source: Yara match	File source: Disable_automatic_email_errors.exe, type: SAMPLE
Source: Yara match	File source: 0.0.Disable_automatic_email_errors.exe.290000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000003.385931542.0000000005F97000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.381688362.0000000000292000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Roaming\ggh\ggh.exe, type: DROPPED

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	121 Windows Management Instrumentation	1 Registry Run Keys / Startup Folder	2 Process Injection	1 Disable or Modify Tools	1 OS Credential Dumping	1 Account Discovery	Remote Services	11 Archive Collected Data	Exfiltration Over Other Network Medium	1 Ingress Tool Transfer	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Registry Run Keys / Startup Folder	1 Deobfuscate/Decode Files or Information	211 Input Capture	24 System Information Discovery	Remote Desktop Protocol	1 Data from Local System	Exfiltration Over Bluetooth	11 Encrypted Channel	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	1 Obfuscated Files or Information	1 Credentials in Registry	1 Query Registry	SMB/Windows Admin Shares	1 Email Collection	Automated Exfiltration	1 Non-Standard Port	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	1 Masquerading	NTDS	221 Security Software Discovery	Distributed Component Object Model	211 Input Capture	Scheduled Transfer	2 Non-Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	131 Virtualization/Sandbox Evasion	LSA Secrets	2 Process Discovery	SSH	1 Clipboard Data	Data Transfer Size Limits	23 Application Layer Protocol	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	2 Process Injection	Cached Domain Credentials	131 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	1 Hidden Files and Directories	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	1 System Owner/User Discovery	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Masquerading	/etc/passwd and /etc/shadow	1 Remote System Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	Invalid Code Signature	Network Sniffing	1 System Network Configuration Discovery	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Disable_automatic_email_errors.exe	61%	ReversingLabs	Win32.Trojan.Whispergate
Disable_automatic_email_errors.exe	57%	Virustotal		Browse
Disable_automatic_email_errors.exe	100%	Avira	TR/Spy.Gen8
Disable_automatic_email_errors.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Roaming\ggh\ggh.exe	100%	Avira	TR/Spy.Gen8
C:\Users\user\AppData\Roaming\ggh\ggh.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\ggh\ggh.exe	61%	ReversingLabs	Win32.Trojan.Whispergate

Source	Detection	Scanner	Label
https://sectigo.com/CPS0	0%	URL Reputation	safe
http://crt.comod	0%	URL Reputation	safe
http://crl.micro	0%	URL Reputation	safe
http://mail.grabinphone.com	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
api4.ipify.org	173.231.16.76	true	false	high
mail.grabinphone.com	103.211.239.66	true	true	unknown
api.ipify.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.ipify.org/	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://api.ipify.org	Disable_automatic_email_errors.exe, 00000000.00000002.649418383.00000000026B1000.00000004.00000800.00020000.00000000.sdmp, ggh.exe, 00000001.00000002.429886562.0000000003231000.00000004.00000800.00020000.00000000.sdmp, ggh.exe, 00000004.00000002.649230805.000000000292C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://sectigo.com/CPS0	Disable_automatic_email_errors.exe, 00000000.00000002.659647994.0000000005FA8000.00000004.00000020.00020000.00000000.sdmp, Disable_automatic_email_errors.exe, 00000000.00000002.649418383.000000000280D000.00000004.00000800.00020000.00000000.sdmp, Disable_automatic_email_errors.exe, 00000000.00000002.649418383.0000000002731000.00000004.00000800.00020000.00000000.sdmp, Disable_automatic_email_errors.exe, 00000000.00000002.659852655.0000000005FC6000.00000004.00000020.00020000.00000000.sdmp, Disable_automatic_email_errors.exe, 00000000.00000002.648588268.0000000000951000.00000004.00000020.00020000.00000000.sdmp, Disable_automatic_email_errors.exe, 00000000.00000003.538201206.00000000009A4000.00000004.00000020.00020000.00000000.sdmp, Disable_automatic_email_errors.exe, 00000000.00000003.538076671.0000000005FB2000.00000004.00000020.00020000.00000000.sdmp, ggh.exe, 00000004.00000002.648288743.0000000000C24000.00000004.00000020.00020000.00000000.sdmp, ggh.exe, 00000004.00000002.649230805.00000000029A7000.00000004.00000800.00020000.00000000.sdmp, ggh.exe, 00000004.00000002.659907754.0000000006390000.00000004.00000020.00020000.00000000.sdmp, ggh.exe, 00000004.00000002.648288743.0000000000CD6000.00000004.00000020.00020000.00000000.sdmp, ggh.exe, 00000004.00000002.649230805.0000000002A7D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crt.comod	Disable_automatic_email_errors.exe, 00000000.00000002.659852655.0000000005FBF000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.micro	ggh.exe, 00000001.00000002.433183496.0000000006A70000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://mail.grabinphone.com	Disable_automatic_email_errors.exe, 00000000.00000002.649418383.000000000280D000.00000004.00000800.00020000.00000000.sdmp, Disable_automatic_email_errors.exe, 00000000.00000002.649418383.0000000002731000.00000004.00000800.00020000.00000000.sdmp, ggh.exe, 00000001.00000002.429886562.00000000032B1000.00000004.00000800.00020000.00000000.sdmp, ggh.exe, 00000004.00000002.649230805.00000000029A1000.00000004.00000800.00020000.00000000.sdmp, ggh.exe, 00000004.00000002.649230805.0000000002A7D000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Disable_automatic_email_errors.exe, 00000000.00000002.649418383.00000000026B1000.00000004.00000800.00020000.00000000.sdmp, ggh.exe, 00000001.00000002.429886562.0000000003231000.00000004.00000800.00020000.00000000.sdmp, ggh.exe, 00000004.00000002.649230805.000000000292C000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
103.211.239.66	mail.grabinphone.com	Malaysia	45144	NETONBOARD-MYNetOnboardSdnBhd-QualityReliableCloud	true
64.185.227.156	unknown	United States	18450	WEBNXUS	false
173.231.16.76	api4.ipify.org	United States	18450	WEBNXUS	false

General Information

Joe Sandbox Version:	38.0.0 Beryl
Analysis ID:	1285130
Start date and time:	2023-08-03 15:53:06 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 15m 8s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	Disable_automatic_email_errors.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/2@11/3
EGA Information:	Successful, ratio: 100%
HDC Information:	Failed
HCA Information:	Successful, ratio: 99% Number of executed functions: 155 Number of non-executed functions: 11
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, conhost.exe
Excluded domains from analysis (whitelisted): ctldl.windowsupdate.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
15:54:03	API Interceptor	963x Sleep call for process: Disable_automatic_email_errors.exe modified
15:54:05	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run ggh C:\Users\user\AppData\Roaming\ggh\ggh.exe
15:54:13	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run ggh C:\Users\user\AppData\Roaming\ggh\ggh.exe
15:54:19	API Interceptor	803x Sleep call for process: ggh.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
103.211.239.66	Amended_Po-1423300134.exe	Get hash	malicious	Unknown	Browse
64.185.227.156	1.exe	Get hash	malicious	Targeted Ransomware, TrojanRansom	Browse	api.ipify.org/
	rQIV7B0ua7.exe	Get hash	malicious	Ficker Stealer, Rusty Stealer	Browse	api.ipify.org/?format=qwd
	31d722331a9890b3ac394bf19fa6246397fbf79b37f23.exe	Get hash	malicious	Ficker Stealer, Rusty Stealer	Browse	api.ipify.org/?format=txt
	PIB42H30FM.exe	Get hash	malicious	Neshta, Targeted Ransomware	Browse	api.ipify.org/
	dCiZg2JJEr.exe	Get hash	malicious	Targeted Ransomware	Browse	api.ipify.org/
	4SZhefNRtQ.exe	Get hash	malicious	Ficker Stealer, Rusty Stealer	Browse	api.ipify.org/?format=txt
	mTCDNn2yjZ.exe	Get hash	malicious	Targeted Ransomware	Browse	api.ipify.org/
	img014012022.exe	Get hash	malicious	MassLogger RAT	Browse	api.ipify.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
api4.ipify.org	ChromeSetup.exe	Get hash	malicious	AgentTesla	Browse	104.237.62.211
	SecuriteInfo.com.Trojan.PackedNET.2235.1062.27589.exe	Get hash	malicious	AgentTesla	Browse	64.185.227.156
	SecuriteInfo.com.Win32.KeyloggerX-gen.22638.32322.exe	Get hash	malicious	AgentTesla	Browse	64.185.227.156
	Microsoft_Teams_SC.ba#.bat	Get hash	malicious	Unknown	Browse	173.231.16.76
	SecuriteInfo.com.Trojan.Olock.1.6641.10915.exe	Get hash	malicious	AgentTesla	Browse	173.231.16.76
	Hc9QZCcNQx.exe	Get hash	malicious	GuLoader, SmokeLoader	Browse	173.231.16.76
	nE6APl1dxH.exe	Get hash	malicious	AgentTesla	Browse	64.185.227.156
	Rkei13h0CV.exe	Get hash	malicious	AgentTesla	Browse	64.185.227.156
	Booking071305pdf.exe	Get hash	malicious	AgentTesla	Browse	173.231.16.76
	all_invoice0876.exe	Get hash	malicious	AgentTesla	Browse	104.237.62.211
	Updated_SOA.docx.doc	Get hash	malicious	AgentTesla	Browse	64.185.227.156
	SHIPPMENT.exe	Get hash	malicious	AgentTesla	Browse	173.231.16.76
	Order_#_CCI-12623-28830.exe	Get hash	malicious	AgentTesla	Browse	104.237.62.211
	US_$_295,500.00.pdf.exe	Get hash	malicious	AgentTesla	Browse	104.237.62.211
	PENDING_NEW_ORDER__097KH89.exe	Get hash	malicious	AgentTesla	Browse	64.185.227.156
	SecuriteInfo.com.Win32.PWSX-gen.27086.7282.exe	Get hash	malicious	AgentTesla	Browse	173.231.16.76
	SecuriteInfo.com.Win32.PWSX-gen.17904.14064.exe	Get hash	malicious	AgentTesla	Browse	104.237.62.211
	s1dL3d8yiL.exe	Get hash	malicious	AgentTesla, GuLoader, SmokeLoader	Browse	104.237.62.211
	SecuriteInfo.com.Trojan.Olock.1.32408.29910.exe	Get hash	malicious	AgentTesla	Browse	64.185.227.156
	SecuriteInfo.com.MSIL.GenericKDS.61009645.tr.1321.15127.exe	Get hash	malicious	AgentTesla	Browse	64.185.227.156

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
WEBNXUS	ChromeSetup.exe	Get hash	malicious	AgentTesla	Browse	64.185.227.156
	SecuriteInfo.com.Trojan.PackedNET.2235.1062.27589.exe	Get hash	malicious	AgentTesla	Browse	64.185.227.156
	SecuriteInfo.com.Win32.KeyloggerX-gen.22638.32322.exe	Get hash	malicious	AgentTesla	Browse	64.185.227.156
	Microsoft_Teams_SC.ba#.bat	Get hash	malicious	Unknown	Browse	173.231.16.76
	SecuriteInfo.com.Trojan.Olock.1.6641.10915.exe	Get hash	malicious	AgentTesla	Browse	173.231.16.76
	Hc9QZCcNQx.exe	Get hash	malicious	GuLoader, SmokeLoader	Browse	173.231.16.76
	nE6APl1dxH.exe	Get hash	malicious	AgentTesla	Browse	173.231.16.76
	Rkei13h0CV.exe	Get hash	malicious	AgentTesla	Browse	64.185.227.156
	Booking071305pdf.exe	Get hash	malicious	AgentTesla	Browse	173.231.16.76
	all_invoice0876.exe	Get hash	malicious	AgentTesla	Browse	104.237.62.211
	Updated_SOA.docx.doc	Get hash	malicious	AgentTesla	Browse	64.185.227.156
	SHIPPMENT.exe	Get hash	malicious	AgentTesla	Browse	173.231.16.76
	Order_#_CCI-12623-28830.exe	Get hash	malicious	AgentTesla	Browse	104.237.62.211
	US_$_295,500.00.pdf.exe	Get hash	malicious	AgentTesla	Browse	173.231.16.76
	PENDING_NEW_ORDER__097KH89.exe	Get hash	malicious	AgentTesla	Browse	64.185.227.156
	SecuriteInfo.com.Win32.PWSX-gen.27086.7282.exe	Get hash	malicious	AgentTesla	Browse	173.231.16.76
	SecuriteInfo.com.Win32.PWSX-gen.17904.14064.exe	Get hash	malicious	AgentTesla	Browse	104.237.62.211
	s1dL3d8yiL.exe	Get hash	malicious	AgentTesla, GuLoader, SmokeLoader	Browse	104.237.62.211
	SecuriteInfo.com.Trojan.Olock.1.32408.29910.exe	Get hash	malicious	AgentTesla	Browse	64.185.227.156
	SecuriteInfo.com.MSIL.GenericKDS.61009645.tr.1321.15127.exe	Get hash	malicious	AgentTesla	Browse	173.231.16.76
NETONBOARD-MYNetOnboardSdnBhd-QualityReliableCloud	Amended_Po-1423300134.exe	Get hash	malicious	Unknown	Browse	103.211.239.66
	PO-21004-1-Ind Expert.doc	Get hash	malicious	Unknown	Browse	43.252.37.193
	PAYMENT DETAILS .doc	Get hash	malicious	Unknown	Browse	43.252.37.193
	Revised Purchase Order 1214.doc	Get hash	malicious	AgentTesla	Browse	43.252.37.193
	INQUIRY_RFQ_20210208.doc	Get hash	malicious	AgentTesla	Browse	43.252.37.193
	Request- NAVALTECH.doc	Get hash	malicious	AgentTesla	Browse	43.252.37.193
	Quotation-20441.doc	Get hash	malicious	AgentTesla	Browse	43.252.37.193
	PROFORMA INVOICE-09765434.doc	Get hash	malicious	AgentTesla	Browse	43.252.37.193
	New ORDER 092134..doc	Get hash	malicious	AgentTesla	Browse	43.252.37.193
	RFQ A50924-E001.doc	Get hash	malicious	Unknown	Browse	43.252.37.193
	quotation085312456.doc	Get hash	malicious	Unknown	Browse	43.252.37.193
	STEELWORKS RFQ-38166.doc	Get hash	malicious	AgentTesla	Browse	43.252.37.193
	PAYMENT 25SW Aug-06-2018.doc	Get hash	malicious		Browse	182.239.42.250

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	ChromeSetup.exe	Get hash	malicious	AgentTesla	Browse	64.185.227.156 173.231.16.76
	SourceTreeSetup-3.4.14.exe	Get hash	malicious	AgentTesla	Browse	64.185.227.156 173.231.16.76
	S3RTqIfDZ4.exe	Get hash	malicious	AgentTesla, zgRAT	Browse	64.185.227.156 173.231.16.76
	SourceTreeSetup-3.4.14.exe	Get hash	malicious	AgentTesla	Browse	64.185.227.156 173.231.16.76
	SecuriteInfo.com.Trojan.PackedNET.2235.1062.27589.exe	Get hash	malicious	AgentTesla	Browse	64.185.227.156 173.231.16.76
	SecuriteInfo.com.Win32.KeyloggerX-gen.22638.32322.exe	Get hash	malicious	AgentTesla	Browse	64.185.227.156 173.231.16.76
	SecuriteInfo.com.Trojan.Olock.1.6641.10915.exe	Get hash	malicious	AgentTesla	Browse	64.185.227.156 173.231.16.76
	Hc9QZCcNQx.exe	Get hash	malicious	GuLoader, SmokeLoader	Browse	64.185.227.156 173.231.16.76
	e-dekont.exe	Get hash	malicious	AgentTesla	Browse	64.185.227.156 173.231.16.76
	nE6APl1dxH.exe	Get hash	malicious	AgentTesla	Browse	64.185.227.156 173.231.16.76
	Rkei13h0CV.exe	Get hash	malicious	AgentTesla	Browse	64.185.227.156 173.231.16.76
	service-supporterx.hta	Get hash	malicious	NetSupport RAT	Browse	64.185.227.156 173.231.16.76
	download.ps1	Get hash	malicious	Unknown	Browse	64.185.227.156 173.231.16.76
	Booking071305pdf.exe	Get hash	malicious	AgentTesla	Browse	64.185.227.156 173.231.16.76
	all_invoice0876.exe	Get hash	malicious	AgentTesla	Browse	64.185.227.156 173.231.16.76
	Refbkefruvt.exe	Get hash	malicious	Snake Keylogger	Browse	64.185.227.156 173.231.16.76
	csAWlpkhD1.exe	Get hash	malicious	SystemBC	Browse	64.185.227.156 173.231.16.76
	#U00d6deme_31722.exe	Get hash	malicious	AgentTesla	Browse	64.185.227.156 173.231.16.76
	SHIPPMENT.exe	Get hash	malicious	AgentTesla	Browse	64.185.227.156 173.231.16.76
	Order_#_CCI-12623-28830.exe	Get hash	malicious	AgentTesla	Browse	64.185.227.156 173.231.16.76

Process:	C:\Users\user\Desktop\Disable_automatic_email_errors.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	252928
Entropy (8bit):	5.3157327730608435
Encrypted:	false
SSDEEP:	3072:lN9XD38z8b6/cFaWJsGv9o0OwlqeVnZFdTqdtk+NI:D9XDMgbPF0Gv60OwbvTt+N
MD5:	971D710C2612F65B6DC5FACB2BA5AAC3
SHA1:	5A84E0D34AC1B8F41435FF09056915FA347BE640
SHA-256:	08552FC7C1FCDB754D81DAD78184AD191D0585B970A1B633CEF88CE63804947E
SHA-512:	CA4A21028735F687CD883168CE2FD5D65EC4BC2A602AAE45A4729C3266DB62FDB2E4141A985DC726DD699FE98D3D039E117AA155D9E9EDCA438A2117F4949D35
Malicious:	true
Yara Hits:	Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 61%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...R5.d..............0.............N.... ........@.. .......................@............@.....................................K.......F.................... ....................................................... ............... ..H............text...T.... ...................... ..`.rsrc...F...........................@..@.reloc....... ......................@..B................0.......H............................................................................H>H}>.b..&.g......y.O.A..{...KF......'u..I...0.......u...y....8`.q.hSw/.a....\.=!t@K..n.z...~2.n.$.)...&#...L.t^X..t.com.apple.Safari...............ixKZ-...4.xV....4.xV....~...d...r...a...G...o...n...~...~...F...@...7...%...m...$...~....}.....is.......5..0.m..._.7...6q.~[b8...d.K.Z.S..h.wCLG.....kL..Rk.#NX..........=.K...!.........=.K...!.&..9..q...Sz.\|........................................

C:\Users\user\AppData\Roaming\ggh\ggh.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\Disable_automatic_email_errors.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	unknown
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.3157327730608435
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	Disable_automatic_email_errors.exe
File size:	252'928 bytes
MD5:	971d710c2612f65b6dc5facb2ba5aac3
SHA1:	5a84e0d34ac1b8f41435ff09056915fa347be640
SHA256:	08552fc7c1fcdb754d81dad78184ad191d0585b970a1b633cef88ce63804947e
SHA512:	ca4a21028735f687cd883168ce2fd5d65ec4bc2a602aae45a4729c3266db62fdb2e4141a985dc726dd699fe98d3d039e117aa155d9e9edca438a2117f4949d35
SSDEEP:	3072:lN9XD38z8b6/cFaWJsGv9o0OwlqeVnZFdTqdtk+NI:D9XDMgbPF0Gv60OwbvTt+N
TLSH:	7034FE037E48FB15E6A83937C2EF6D2413F1A0CB0673860B6F49AE6525416537E6E36C
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...R5.d..............0.............N.... ........@.. .......................@............@................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x43f14e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x64C63552 [Sun Jul 30 10:02:58 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3f100	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x40000	0x546	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x42000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x3d154	0x3d200	False	0.40309863880368096	data	5.32815211332084	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x40000	0x546	0x600	False	0.3997395833333333	data	3.9890740197125236	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x42000	0xc	0x200	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x400a0	0x2bc	data			0.44285714285714284
RT_MANIFEST	0x4035c	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5469387755102041

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 3, 2023 15:54:02.060964108 CEST	49717	443	192.168.2.5	173.231.16.76
Aug 3, 2023 15:54:02.061053038 CEST	443	49717	173.231.16.76	192.168.2.5
Aug 3, 2023 15:54:02.061177015 CEST	49717	443	192.168.2.5	173.231.16.76
Aug 3, 2023 15:54:02.084135056 CEST	49717	443	192.168.2.5	173.231.16.76
Aug 3, 2023 15:54:02.084207058 CEST	443	49717	173.231.16.76	192.168.2.5
Aug 3, 2023 15:54:02.545829058 CEST	443	49717	173.231.16.76	192.168.2.5
Aug 3, 2023 15:54:02.546117067 CEST	49717	443	192.168.2.5	173.231.16.76
Aug 3, 2023 15:54:02.551608086 CEST	49717	443	192.168.2.5	173.231.16.76
Aug 3, 2023 15:54:02.551665068 CEST	443	49717	173.231.16.76	192.168.2.5
Aug 3, 2023 15:54:02.552612066 CEST	443	49717	173.231.16.76	192.168.2.5
Aug 3, 2023 15:54:02.592885017 CEST	49717	443	192.168.2.5	173.231.16.76
Aug 3, 2023 15:54:02.774641991 CEST	49717	443	192.168.2.5	173.231.16.76
Aug 3, 2023 15:54:02.814825058 CEST	443	49717	173.231.16.76	192.168.2.5
Aug 3, 2023 15:54:02.922512054 CEST	443	49717	173.231.16.76	192.168.2.5
Aug 3, 2023 15:54:02.922602892 CEST	443	49717	173.231.16.76	192.168.2.5
Aug 3, 2023 15:54:02.922702074 CEST	49717	443	192.168.2.5	173.231.16.76
Aug 3, 2023 15:54:02.924038887 CEST	49717	443	192.168.2.5	173.231.16.76
Aug 3, 2023 15:54:04.853214979 CEST	49718	587	192.168.2.5	103.211.239.66
Aug 3, 2023 15:54:05.014898062 CEST	587	49718	103.211.239.66	192.168.2.5
Aug 3, 2023 15:54:05.017293930 CEST	49718	587	192.168.2.5	103.211.239.66
Aug 3, 2023 15:54:05.628433943 CEST	587	49718	103.211.239.66	192.168.2.5
Aug 3, 2023 15:54:05.636997938 CEST	49718	587	192.168.2.5	103.211.239.66
Aug 3, 2023 15:54:05.798723936 CEST	587	49718	103.211.239.66	192.168.2.5
Aug 3, 2023 15:54:05.801402092 CEST	49718	587	192.168.2.5	103.211.239.66
Aug 3, 2023 15:54:05.965980053 CEST	587	49718	103.211.239.66	192.168.2.5
Aug 3, 2023 15:54:05.966521978 CEST	49718	587	192.168.2.5	103.211.239.66
Aug 3, 2023 15:54:06.138428926 CEST	587	49718	103.211.239.66	192.168.2.5
Aug 3, 2023 15:54:06.138463020 CEST	587	49718	103.211.239.66	192.168.2.5
Aug 3, 2023 15:54:06.138483047 CEST	587	49718	103.211.239.66	192.168.2.5
Aug 3, 2023 15:54:06.138504028 CEST	587	49718	103.211.239.66	192.168.2.5
Aug 3, 2023 15:54:06.138572931 CEST	49718	587	192.168.2.5	103.211.239.66
Aug 3, 2023 15:54:06.138573885 CEST	49718	587	192.168.2.5	103.211.239.66
Aug 3, 2023 15:54:06.140841007 CEST	587	49718	103.211.239.66	192.168.2.5
Aug 3, 2023 15:54:06.186631918 CEST	49718	587	192.168.2.5	103.211.239.66
Aug 3, 2023 15:54:06.348315001 CEST	587	49718	103.211.239.66	192.168.2.5
Aug 3, 2023 15:54:06.357249975 CEST	49718	587	192.168.2.5	103.211.239.66
Aug 3, 2023 15:54:06.518825054 CEST	587	49718	103.211.239.66	192.168.2.5
Aug 3, 2023 15:54:06.522990942 CEST	49718	587	192.168.2.5	103.211.239.66
Aug 3, 2023 15:54:06.685060978 CEST	587	49718	103.211.239.66	192.168.2.5
Aug 3, 2023 15:54:06.685517073 CEST	49718	587	192.168.2.5	103.211.239.66
Aug 3, 2023 15:54:06.853383064 CEST	587	49718	103.211.239.66	192.168.2.5
Aug 3, 2023 15:54:06.853862047 CEST	49718	587	192.168.2.5	103.211.239.66
Aug 3, 2023 15:54:07.015300989 CEST	587	49718	103.211.239.66	192.168.2.5
Aug 3, 2023 15:54:07.015662909 CEST	49718	587	192.168.2.5	103.211.239.66
Aug 3, 2023 15:54:07.185642958 CEST	587	49718	103.211.239.66	192.168.2.5
Aug 3, 2023 15:54:07.186091900 CEST	49718	587	192.168.2.5	103.211.239.66
Aug 3, 2023 15:54:07.347997904 CEST	587	49718	103.211.239.66	192.168.2.5
Aug 3, 2023 15:54:07.355880976 CEST	49718	587	192.168.2.5	103.211.239.66
Aug 3, 2023 15:54:07.356082916 CEST	49718	587	192.168.2.5	103.211.239.66
Aug 3, 2023 15:54:07.356195927 CEST	49718	587	192.168.2.5	103.211.239.66
Aug 3, 2023 15:54:07.356302977 CEST	49718	587	192.168.2.5	103.211.239.66
Aug 3, 2023 15:54:07.520006895 CEST	587	49718	103.211.239.66	192.168.2.5
Aug 3, 2023 15:54:07.520055056 CEST	587	49718	103.211.239.66	192.168.2.5
Aug 3, 2023 15:54:07.520076990 CEST	587	49718	103.211.239.66	192.168.2.5
Aug 3, 2023 15:54:07.520100117 CEST	587	49718	103.211.239.66	192.168.2.5
Aug 3, 2023 15:54:07.521512032 CEST	587	49718	103.211.239.66	192.168.2.5
Aug 3, 2023 15:54:07.561444044 CEST	49718	587	192.168.2.5	103.211.239.66
Aug 3, 2023 15:54:07.732770920 CEST	49718	587	192.168.2.5	103.211.239.66
Aug 3, 2023 15:54:07.895986080 CEST	587	49718	103.211.239.66	192.168.2.5
Aug 3, 2023 15:54:07.896075010 CEST	49718	587	192.168.2.5	103.211.239.66
Aug 3, 2023 15:54:07.896532059 CEST	49718	587	192.168.2.5	103.211.239.66
Aug 3, 2023 15:54:07.953730106 CEST	49719	587	192.168.2.5	103.211.239.66
Aug 3, 2023 15:54:08.117723942 CEST	587	49719	103.211.239.66	192.168.2.5
Aug 3, 2023 15:54:08.117866039 CEST	49719	587	192.168.2.5	103.211.239.66
Aug 3, 2023 15:54:08.491868973 CEST	587	49719	103.211.239.66	192.168.2.5
Aug 3, 2023 15:54:08.492029905 CEST	49719	587	192.168.2.5	103.211.239.66
Aug 3, 2023 15:54:08.655824900 CEST	587	49719	103.211.239.66	192.168.2.5
Aug 3, 2023 15:54:08.656322956 CEST	49719	587	192.168.2.5	103.211.239.66
Aug 3, 2023 15:54:08.823014975 CEST	587	49719	103.211.239.66	192.168.2.5
Aug 3, 2023 15:54:08.823740959 CEST	49719	587	192.168.2.5	103.211.239.66
Aug 3, 2023 15:54:09.001853943 CEST	587	49719	103.211.239.66	192.168.2.5
Aug 3, 2023 15:54:09.001955986 CEST	587	49719	103.211.239.66	192.168.2.5
Aug 3, 2023 15:54:09.002017975 CEST	587	49719	103.211.239.66	192.168.2.5
Aug 3, 2023 15:54:09.002073050 CEST	587	49719	103.211.239.66	192.168.2.5
Aug 3, 2023 15:54:09.002110004 CEST	49719	587	192.168.2.5	103.211.239.66
Aug 3, 2023 15:54:09.002186060 CEST	49719	587	192.168.2.5	103.211.239.66
Aug 3, 2023 15:54:09.005470991 CEST	587	49719	103.211.239.66	192.168.2.5
Aug 3, 2023 15:54:09.007431030 CEST	49719	587	192.168.2.5	103.211.239.66
Aug 3, 2023 15:54:09.171188116 CEST	587	49719	103.211.239.66	192.168.2.5
Aug 3, 2023 15:54:09.173660040 CEST	49719	587	192.168.2.5	103.211.239.66
Aug 3, 2023 15:54:09.337599993 CEST	587	49719	103.211.239.66	192.168.2.5
Aug 3, 2023 15:54:09.338141918 CEST	49719	587	192.168.2.5	103.211.239.66
Aug 3, 2023 15:54:09.502240896 CEST	587	49719	103.211.239.66	192.168.2.5
Aug 3, 2023 15:54:09.502888918 CEST	49719	587	192.168.2.5	103.211.239.66
Aug 3, 2023 15:54:09.673640013 CEST	587	49719	103.211.239.66	192.168.2.5
Aug 3, 2023 15:54:09.674087048 CEST	49719	587	192.168.2.5	103.211.239.66
Aug 3, 2023 15:54:09.837968111 CEST	587	49719	103.211.239.66	192.168.2.5
Aug 3, 2023 15:54:09.838553905 CEST	49719	587	192.168.2.5	103.211.239.66
Aug 3, 2023 15:54:10.011584044 CEST	587	49719	103.211.239.66	192.168.2.5
Aug 3, 2023 15:54:10.012142897 CEST	49719	587	192.168.2.5	103.211.239.66
Aug 3, 2023 15:54:10.175945997 CEST	587	49719	103.211.239.66	192.168.2.5
Aug 3, 2023 15:54:10.185378075 CEST	49719	587	192.168.2.5	103.211.239.66
Aug 3, 2023 15:54:10.185671091 CEST	49719	587	192.168.2.5	103.211.239.66
Aug 3, 2023 15:54:10.185797930 CEST	49719	587	192.168.2.5	103.211.239.66
Aug 3, 2023 15:54:10.185940027 CEST	49719	587	192.168.2.5	103.211.239.66
Aug 3, 2023 15:54:10.186077118 CEST	49719	587	192.168.2.5	103.211.239.66
Aug 3, 2023 15:54:10.186183929 CEST	49719	587	192.168.2.5	103.211.239.66
Aug 3, 2023 15:54:10.186285973 CEST	49719	587	192.168.2.5	103.211.239.66
Aug 3, 2023 15:54:10.348927975 CEST	587	49719	103.211.239.66	192.168.2.5
Aug 3, 2023 15:54:10.349041939 CEST	587	49719	103.211.239.66	192.168.2.5
Aug 3, 2023 15:54:10.349116087 CEST	587	49719	103.211.239.66	192.168.2.5
Aug 3, 2023 15:54:10.349179029 CEST	587	49719	103.211.239.66	192.168.2.5
Aug 3, 2023 15:54:10.349241972 CEST	587	49719	103.211.239.66	192.168.2.5
Aug 3, 2023 15:54:10.349302053 CEST	587	49719	103.211.239.66	192.168.2.5
Aug 3, 2023 15:54:10.349359989 CEST	587	49719	103.211.239.66	192.168.2.5
Aug 3, 2023 15:54:10.353594065 CEST	587	49719	103.211.239.66	192.168.2.5
Aug 3, 2023 15:54:10.406064034 CEST	49719	587	192.168.2.5	103.211.239.66
Aug 3, 2023 15:54:16.524733067 CEST	49720	443	192.168.2.5	64.185.227.156
Aug 3, 2023 15:54:16.524827957 CEST	443	49720	64.185.227.156	192.168.2.5
Aug 3, 2023 15:54:16.524971962 CEST	49720	443	192.168.2.5	64.185.227.156
Aug 3, 2023 15:54:16.538777113 CEST	49720	443	192.168.2.5	64.185.227.156
Aug 3, 2023 15:54:16.538851976 CEST	443	49720	64.185.227.156	192.168.2.5
Aug 3, 2023 15:54:16.859675884 CEST	443	49720	64.185.227.156	192.168.2.5
Aug 3, 2023 15:54:16.859900951 CEST	49720	443	192.168.2.5	64.185.227.156
Aug 3, 2023 15:54:17.437663078 CEST	49720	443	192.168.2.5	64.185.227.156
Aug 3, 2023 15:54:17.437731981 CEST	443	49720	64.185.227.156	192.168.2.5
Aug 3, 2023 15:54:17.438337088 CEST	443	49720	64.185.227.156	192.168.2.5
Aug 3, 2023 15:54:17.594223022 CEST	49720	443	192.168.2.5	64.185.227.156
Aug 3, 2023 15:54:18.385575056 CEST	49720	443	192.168.2.5	64.185.227.156
Aug 3, 2023 15:54:18.430799007 CEST	443	49720	64.185.227.156	192.168.2.5
Aug 3, 2023 15:54:18.488370895 CEST	443	49720	64.185.227.156	192.168.2.5
Aug 3, 2023 15:54:18.488465071 CEST	443	49720	64.185.227.156	192.168.2.5
Aug 3, 2023 15:54:18.488543034 CEST	49720	443	192.168.2.5	64.185.227.156
Aug 3, 2023 15:54:18.490827084 CEST	49720	443	192.168.2.5	64.185.227.156
Aug 3, 2023 15:54:20.699285984 CEST	49721	587	192.168.2.5	103.211.239.66
Aug 3, 2023 15:54:21.894304991 CEST	587	49721	103.211.239.66	192.168.2.5
Aug 3, 2023 15:54:21.894471884 CEST	49721	587	192.168.2.5	103.211.239.66
Aug 3, 2023 15:54:22.281714916 CEST	587	49721	103.211.239.66	192.168.2.5
Aug 3, 2023 15:54:22.281985044 CEST	49721	587	192.168.2.5	103.211.239.66
Aug 3, 2023 15:54:22.457453012 CEST	587	49721	103.211.239.66	192.168.2.5
Aug 3, 2023 15:54:22.457691908 CEST	49721	587	192.168.2.5	103.211.239.66
Aug 3, 2023 15:54:22.635792971 CEST	587	49721	103.211.239.66	192.168.2.5
Aug 3, 2023 15:54:22.636277914 CEST	49721	587	192.168.2.5	103.211.239.66
Aug 3, 2023 15:54:22.821680069 CEST	587	49721	103.211.239.66	192.168.2.5
Aug 3, 2023 15:54:22.821707964 CEST	587	49721	103.211.239.66	192.168.2.5
Aug 3, 2023 15:54:22.821727037 CEST	587	49721	103.211.239.66	192.168.2.5
Aug 3, 2023 15:54:22.821747065 CEST	587	49721	103.211.239.66	192.168.2.5
Aug 3, 2023 15:54:22.821801901 CEST	49721	587	192.168.2.5	103.211.239.66
Aug 3, 2023 15:54:22.821803093 CEST	49721	587	192.168.2.5	103.211.239.66
Aug 3, 2023 15:54:22.824091911 CEST	587	49721	103.211.239.66	192.168.2.5
Aug 3, 2023 15:54:22.875976086 CEST	49721	587	192.168.2.5	103.211.239.66
Aug 3, 2023 15:54:23.620198011 CEST	49722	443	192.168.2.5	64.185.227.156
Aug 3, 2023 15:54:23.620286942 CEST	443	49722	64.185.227.156	192.168.2.5
Aug 3, 2023 15:54:23.620436907 CEST	49722	443	192.168.2.5	64.185.227.156
Aug 3, 2023 15:54:23.629549026 CEST	49722	443	192.168.2.5	64.185.227.156
Aug 3, 2023 15:54:23.629601955 CEST	443	49722	64.185.227.156	192.168.2.5
Aug 3, 2023 15:54:23.956212997 CEST	443	49722	64.185.227.156	192.168.2.5
Aug 3, 2023 15:54:23.956322908 CEST	49722	443	192.168.2.5	64.185.227.156
Aug 3, 2023 15:54:23.961703062 CEST	49722	443	192.168.2.5	64.185.227.156
Aug 3, 2023 15:54:23.961749077 CEST	443	49722	64.185.227.156	192.168.2.5
Aug 3, 2023 15:54:23.962186098 CEST	443	49722	64.185.227.156	192.168.2.5
Aug 3, 2023 15:54:24.016666889 CEST	49722	443	192.168.2.5	64.185.227.156
Aug 3, 2023 15:54:24.180917025 CEST	49722	443	192.168.2.5	64.185.227.156
Aug 3, 2023 15:54:24.222850084 CEST	443	49722	64.185.227.156	192.168.2.5
Aug 3, 2023 15:54:24.283727884 CEST	443	49722	64.185.227.156	192.168.2.5
Aug 3, 2023 15:54:24.283896923 CEST	443	49722	64.185.227.156	192.168.2.5
Aug 3, 2023 15:54:24.284087896 CEST	49722	443	192.168.2.5	64.185.227.156
Aug 3, 2023 15:54:24.285085917 CEST	49722	443	192.168.2.5	64.185.227.156
Aug 3, 2023 15:54:25.301714897 CEST	49721	587	192.168.2.5	103.211.239.66
Aug 3, 2023 15:54:26.963839054 CEST	49723	587	192.168.2.5	103.211.239.66
Aug 3, 2023 15:54:28.157387972 CEST	587	49723	103.211.239.66	192.168.2.5
Aug 3, 2023 15:54:28.157675982 CEST	49723	587	192.168.2.5	103.211.239.66
Aug 3, 2023 15:54:28.564657927 CEST	587	49723	103.211.239.66	192.168.2.5
Aug 3, 2023 15:54:28.565188885 CEST	49723	587	192.168.2.5	103.211.239.66
Aug 3, 2023 15:54:28.731561899 CEST	587	49723	103.211.239.66	192.168.2.5
Aug 3, 2023 15:54:28.731966972 CEST	49723	587	192.168.2.5	103.211.239.66
Aug 3, 2023 15:54:28.901004076 CEST	587	49723	103.211.239.66	192.168.2.5
Aug 3, 2023 15:54:28.901964903 CEST	49723	587	192.168.2.5	103.211.239.66
Aug 3, 2023 15:54:29.079310894 CEST	587	49723	103.211.239.66	192.168.2.5
Aug 3, 2023 15:54:29.079359055 CEST	587	49723	103.211.239.66	192.168.2.5
Aug 3, 2023 15:54:29.079391003 CEST	587	49723	103.211.239.66	192.168.2.5
Aug 3, 2023 15:54:29.079417944 CEST	587	49723	103.211.239.66	192.168.2.5
Aug 3, 2023 15:54:29.079451084 CEST	49723	587	192.168.2.5	103.211.239.66
Aug 3, 2023 15:54:29.079529047 CEST	49723	587	192.168.2.5	103.211.239.66
Aug 3, 2023 15:54:29.081315994 CEST	587	49723	103.211.239.66	192.168.2.5
Aug 3, 2023 15:54:29.088952065 CEST	49723	587	192.168.2.5	103.211.239.66
Aug 3, 2023 15:54:29.255740881 CEST	587	49723	103.211.239.66	192.168.2.5
Aug 3, 2023 15:54:29.267824888 CEST	49723	587	192.168.2.5	103.211.239.66
Aug 3, 2023 15:54:29.434266090 CEST	587	49723	103.211.239.66	192.168.2.5
Aug 3, 2023 15:54:29.435201883 CEST	49723	587	192.168.2.5	103.211.239.66
Aug 3, 2023 15:54:29.602125883 CEST	587	49723	103.211.239.66	192.168.2.5
Aug 3, 2023 15:54:29.602730989 CEST	49723	587	192.168.2.5	103.211.239.66
Aug 3, 2023 15:54:29.775162935 CEST	587	49723	103.211.239.66	192.168.2.5
Aug 3, 2023 15:54:29.775619030 CEST	49723	587	192.168.2.5	103.211.239.66
Aug 3, 2023 15:54:29.942028046 CEST	587	49723	103.211.239.66	192.168.2.5
Aug 3, 2023 15:54:29.942336082 CEST	49723	587	192.168.2.5	103.211.239.66
Aug 3, 2023 15:54:30.121006012 CEST	587	49723	103.211.239.66	192.168.2.5
Aug 3, 2023 15:54:30.121336937 CEST	49723	587	192.168.2.5	103.211.239.66
Aug 3, 2023 15:54:30.287563086 CEST	587	49723	103.211.239.66	192.168.2.5
Aug 3, 2023 15:54:30.288748026 CEST	49723	587	192.168.2.5	103.211.239.66
Aug 3, 2023 15:54:30.288932085 CEST	49723	587	192.168.2.5	103.211.239.66
Aug 3, 2023 15:54:30.289062977 CEST	49723	587	192.168.2.5	103.211.239.66
Aug 3, 2023 15:54:30.289161921 CEST	49723	587	192.168.2.5	103.211.239.66
Aug 3, 2023 15:54:30.455075026 CEST	587	49723	103.211.239.66	192.168.2.5
Aug 3, 2023 15:54:30.455137968 CEST	587	49723	103.211.239.66	192.168.2.5
Aug 3, 2023 15:54:30.455179930 CEST	587	49723	103.211.239.66	192.168.2.5
Aug 3, 2023 15:54:30.455216885 CEST	587	49723	103.211.239.66	192.168.2.5
Aug 3, 2023 15:54:30.459157944 CEST	587	49723	103.211.239.66	192.168.2.5
Aug 3, 2023 15:54:30.501534939 CEST	49723	587	192.168.2.5	103.211.239.66
Aug 3, 2023 15:54:30.619093895 CEST	49723	587	192.168.2.5	103.211.239.66
Aug 3, 2023 15:54:30.787499905 CEST	587	49723	103.211.239.66	192.168.2.5
Aug 3, 2023 15:54:30.787606001 CEST	49723	587	192.168.2.5	103.211.239.66
Aug 3, 2023 15:54:30.788077116 CEST	49723	587	192.168.2.5	103.211.239.66
Aug 3, 2023 15:54:30.841865063 CEST	49724	587	192.168.2.5	103.211.239.66
Aug 3, 2023 15:54:32.074114084 CEST	587	49724	103.211.239.66	192.168.2.5
Aug 3, 2023 15:54:32.074305058 CEST	49724	587	192.168.2.5	103.211.239.66
Aug 3, 2023 15:54:32.261920929 CEST	587	49724	103.211.239.66	192.168.2.5
Aug 3, 2023 15:54:32.262284040 CEST	49724	587	192.168.2.5	103.211.239.66
Aug 3, 2023 15:54:32.437623978 CEST	587	49724	103.211.239.66	192.168.2.5
Aug 3, 2023 15:54:32.437858105 CEST	49724	587	192.168.2.5	103.211.239.66
Aug 3, 2023 15:54:32.618319035 CEST	587	49724	103.211.239.66	192.168.2.5
Aug 3, 2023 15:54:32.618799925 CEST	49724	587	192.168.2.5	103.211.239.66
Aug 3, 2023 15:54:32.805996895 CEST	587	49724	103.211.239.66	192.168.2.5
Aug 3, 2023 15:54:32.806077003 CEST	587	49724	103.211.239.66	192.168.2.5
Aug 3, 2023 15:54:32.806121111 CEST	587	49724	103.211.239.66	192.168.2.5
Aug 3, 2023 15:54:32.806159019 CEST	587	49724	103.211.239.66	192.168.2.5
Aug 3, 2023 15:54:32.806252003 CEST	49724	587	192.168.2.5	103.211.239.66
Aug 3, 2023 15:54:32.806252003 CEST	49724	587	192.168.2.5	103.211.239.66
Aug 3, 2023 15:54:32.808080912 CEST	587	49724	103.211.239.66	192.168.2.5
Aug 3, 2023 15:54:32.820410967 CEST	49724	587	192.168.2.5	103.211.239.66
Aug 3, 2023 15:54:32.996143103 CEST	587	49724	103.211.239.66	192.168.2.5
Aug 3, 2023 15:54:32.997406006 CEST	49724	587	192.168.2.5	103.211.239.66
Aug 3, 2023 15:54:33.172776937 CEST	587	49724	103.211.239.66	192.168.2.5
Aug 3, 2023 15:54:33.173280001 CEST	49724	587	192.168.2.5	103.211.239.66
Aug 3, 2023 15:54:33.349379063 CEST	587	49724	103.211.239.66	192.168.2.5
Aug 3, 2023 15:54:33.349976063 CEST	49724	587	192.168.2.5	103.211.239.66
Aug 3, 2023 15:54:33.532608032 CEST	587	49724	103.211.239.66	192.168.2.5
Aug 3, 2023 15:54:33.544734001 CEST	49724	587	192.168.2.5	103.211.239.66
Aug 3, 2023 15:54:33.720024109 CEST	587	49724	103.211.239.66	192.168.2.5
Aug 3, 2023 15:54:33.722141981 CEST	49724	587	192.168.2.5	103.211.239.66
Aug 3, 2023 15:54:33.911381006 CEST	587	49724	103.211.239.66	192.168.2.5
Aug 3, 2023 15:54:33.911699057 CEST	49724	587	192.168.2.5	103.211.239.66
Aug 3, 2023 15:54:34.086986065 CEST	587	49724	103.211.239.66	192.168.2.5
Aug 3, 2023 15:54:34.087646961 CEST	49724	587	192.168.2.5	103.211.239.66
Aug 3, 2023 15:54:34.087800980 CEST	49724	587	192.168.2.5	103.211.239.66
Aug 3, 2023 15:54:34.087800980 CEST	49724	587	192.168.2.5	103.211.239.66
Aug 3, 2023 15:54:34.087850094 CEST	49724	587	192.168.2.5	103.211.239.66
Aug 3, 2023 15:54:34.087913036 CEST	49724	587	192.168.2.5	103.211.239.66
Aug 3, 2023 15:54:34.087963104 CEST	49724	587	192.168.2.5	103.211.239.66
Aug 3, 2023 15:54:34.088005066 CEST	49724	587	192.168.2.5	103.211.239.66
Aug 3, 2023 15:54:34.264213085 CEST	587	49724	103.211.239.66	192.168.2.5
Aug 3, 2023 15:54:34.264285088 CEST	587	49724	103.211.239.66	192.168.2.5
Aug 3, 2023 15:54:34.264333010 CEST	587	49724	103.211.239.66	192.168.2.5
Aug 3, 2023 15:54:34.264375925 CEST	587	49724	103.211.239.66	192.168.2.5
Aug 3, 2023 15:54:34.264420986 CEST	587	49724	103.211.239.66	192.168.2.5
Aug 3, 2023 15:54:34.264467955 CEST	587	49724	103.211.239.66	192.168.2.5
Aug 3, 2023 15:54:34.264518976 CEST	587	49724	103.211.239.66	192.168.2.5
Aug 3, 2023 15:54:34.268821955 CEST	587	49724	103.211.239.66	192.168.2.5
Aug 3, 2023 15:54:34.330091953 CEST	49724	587	192.168.2.5	103.211.239.66
Aug 3, 2023 15:55:44.839380980 CEST	49719	587	192.168.2.5	103.211.239.66
Aug 3, 2023 15:55:45.005958080 CEST	587	49719	103.211.239.66	192.168.2.5
Aug 3, 2023 15:55:45.006056070 CEST	49719	587	192.168.2.5	103.211.239.66
Aug 3, 2023 15:55:45.006671906 CEST	49719	587	192.168.2.5	103.211.239.66

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 3, 2023 15:54:01.968673944 CEST	49724	53	192.168.2.5	8.8.8.8
Aug 3, 2023 15:54:02.003626108 CEST	53	49724	8.8.8.8	192.168.2.5
Aug 3, 2023 15:54:02.010869026 CEST	61452	53	192.168.2.5	8.8.8.8
Aug 3, 2023 15:54:02.045402050 CEST	53	61452	8.8.8.8	192.168.2.5
Aug 3, 2023 15:54:04.805252075 CEST	65323	53	192.168.2.5	8.8.8.8
Aug 3, 2023 15:54:04.850008011 CEST	53	65323	8.8.8.8	192.168.2.5
Aug 3, 2023 15:54:07.921372890 CEST	51484	53	192.168.2.5	8.8.8.8
Aug 3, 2023 15:54:07.949980021 CEST	53	51484	8.8.8.8	192.168.2.5
Aug 3, 2023 15:54:16.453155041 CEST	63446	53	192.168.2.5	8.8.8.8
Aug 3, 2023 15:54:16.487117052 CEST	53	63446	8.8.8.8	192.168.2.5
Aug 3, 2023 15:54:16.494508982 CEST	56751	53	192.168.2.5	8.8.8.8
Aug 3, 2023 15:54:16.514183044 CEST	53	56751	8.8.8.8	192.168.2.5
Aug 3, 2023 15:54:20.649677992 CEST	55039	53	192.168.2.5	8.8.8.8
Aug 3, 2023 15:54:20.697659969 CEST	53	55039	8.8.8.8	192.168.2.5
Aug 3, 2023 15:54:23.545010090 CEST	60975	53	192.168.2.5	8.8.8.8
Aug 3, 2023 15:54:23.573916912 CEST	53	60975	8.8.8.8	192.168.2.5
Aug 3, 2023 15:54:23.581034899 CEST	59220	53	192.168.2.5	8.8.8.8
Aug 3, 2023 15:54:23.610007048 CEST	53	59220	8.8.8.8	192.168.2.5
Aug 3, 2023 15:54:26.934053898 CEST	55068	53	192.168.2.5	8.8.8.8
Aug 3, 2023 15:54:26.962753057 CEST	53	55068	8.8.8.8	192.168.2.5
Aug 3, 2023 15:54:30.805300951 CEST	56682	53	192.168.2.5	8.8.8.8
Aug 3, 2023 15:54:30.840508938 CEST	53	56682	8.8.8.8	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Aug 3, 2023 15:54:01.968673944 CEST	192.168.2.5	8.8.8.8	0xc007	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false
Aug 3, 2023 15:54:02.010869026 CEST	192.168.2.5	8.8.8.8	0xb879	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false
Aug 3, 2023 15:54:04.805252075 CEST	192.168.2.5	8.8.8.8	0xb423	Standard query (0)	mail.grabinphone.com	A (IP address)	IN (0x0001)	false
Aug 3, 2023 15:54:07.921372890 CEST	192.168.2.5	8.8.8.8	0xe6ee	Standard query (0)	mail.grabinphone.com	A (IP address)	IN (0x0001)	false
Aug 3, 2023 15:54:16.453155041 CEST	192.168.2.5	8.8.8.8	0x5a7d	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false
Aug 3, 2023 15:54:16.494508982 CEST	192.168.2.5	8.8.8.8	0xc109	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false
Aug 3, 2023 15:54:20.649677992 CEST	192.168.2.5	8.8.8.8	0x6a7f	Standard query (0)	mail.grabinphone.com	A (IP address)	IN (0x0001)	false
Aug 3, 2023 15:54:23.545010090 CEST	192.168.2.5	8.8.8.8	0x1cd	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false
Aug 3, 2023 15:54:23.581034899 CEST	192.168.2.5	8.8.8.8	0x71f3	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false
Aug 3, 2023 15:54:26.934053898 CEST	192.168.2.5	8.8.8.8	0xbe0d	Standard query (0)	mail.grabinphone.com	A (IP address)	IN (0x0001)	false
Aug 3, 2023 15:54:30.805300951 CEST	192.168.2.5	8.8.8.8	0x2adf	Standard query (0)	mail.grabinphone.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Aug 3, 2023 15:54:02.003626108 CEST	8.8.8.8	192.168.2.5	0xc007	No error (0)	api.ipify.org	api4.ipify.org		CNAME (Canonical name)	IN (0x0001)	false
Aug 3, 2023 15:54:02.003626108 CEST	8.8.8.8	192.168.2.5	0xc007	No error (0)	api4.ipify.org		173.231.16.76	A (IP address)	IN (0x0001)	false
Aug 3, 2023 15:54:02.003626108 CEST	8.8.8.8	192.168.2.5	0xc007	No error (0)	api4.ipify.org		64.185.227.156	A (IP address)	IN (0x0001)	false
Aug 3, 2023 15:54:02.003626108 CEST	8.8.8.8	192.168.2.5	0xc007	No error (0)	api4.ipify.org		104.237.62.211	A (IP address)	IN (0x0001)	false
Aug 3, 2023 15:54:02.045402050 CEST	8.8.8.8	192.168.2.5	0xb879	No error (0)	api.ipify.org	api4.ipify.org		CNAME (Canonical name)	IN (0x0001)	false
Aug 3, 2023 15:54:02.045402050 CEST	8.8.8.8	192.168.2.5	0xb879	No error (0)	api4.ipify.org		104.237.62.211	A (IP address)	IN (0x0001)	false
Aug 3, 2023 15:54:02.045402050 CEST	8.8.8.8	192.168.2.5	0xb879	No error (0)	api4.ipify.org		64.185.227.156	A (IP address)	IN (0x0001)	false
Aug 3, 2023 15:54:02.045402050 CEST	8.8.8.8	192.168.2.5	0xb879	No error (0)	api4.ipify.org		173.231.16.76	A (IP address)	IN (0x0001)	false
Aug 3, 2023 15:54:04.850008011 CEST	8.8.8.8	192.168.2.5	0xb423	No error (0)	mail.grabinphone.com		103.211.239.66	A (IP address)	IN (0x0001)	false
Aug 3, 2023 15:54:07.949980021 CEST	8.8.8.8	192.168.2.5	0xe6ee	No error (0)	mail.grabinphone.com		103.211.239.66	A (IP address)	IN (0x0001)	false
Aug 3, 2023 15:54:16.487117052 CEST	8.8.8.8	192.168.2.5	0x5a7d	No error (0)	api.ipify.org	api4.ipify.org		CNAME (Canonical name)	IN (0x0001)	false
Aug 3, 2023 15:54:16.487117052 CEST	8.8.8.8	192.168.2.5	0x5a7d	No error (0)	api4.ipify.org		64.185.227.156	A (IP address)	IN (0x0001)	false
Aug 3, 2023 15:54:16.487117052 CEST	8.8.8.8	192.168.2.5	0x5a7d	No error (0)	api4.ipify.org		173.231.16.76	A (IP address)	IN (0x0001)	false
Aug 3, 2023 15:54:16.487117052 CEST	8.8.8.8	192.168.2.5	0x5a7d	No error (0)	api4.ipify.org		104.237.62.211	A (IP address)	IN (0x0001)	false
Aug 3, 2023 15:54:16.514183044 CEST	8.8.8.8	192.168.2.5	0xc109	No error (0)	api.ipify.org	api4.ipify.org		CNAME (Canonical name)	IN (0x0001)	false
Aug 3, 2023 15:54:16.514183044 CEST	8.8.8.8	192.168.2.5	0xc109	No error (0)	api4.ipify.org		64.185.227.156	A (IP address)	IN (0x0001)	false
Aug 3, 2023 15:54:16.514183044 CEST	8.8.8.8	192.168.2.5	0xc109	No error (0)	api4.ipify.org		173.231.16.76	A (IP address)	IN (0x0001)	false
Aug 3, 2023 15:54:16.514183044 CEST	8.8.8.8	192.168.2.5	0xc109	No error (0)	api4.ipify.org		104.237.62.211	A (IP address)	IN (0x0001)	false
Aug 3, 2023 15:54:20.697659969 CEST	8.8.8.8	192.168.2.5	0x6a7f	No error (0)	mail.grabinphone.com		103.211.239.66	A (IP address)	IN (0x0001)	false
Aug 3, 2023 15:54:23.573916912 CEST	8.8.8.8	192.168.2.5	0x1cd	No error (0)	api.ipify.org	api4.ipify.org		CNAME (Canonical name)	IN (0x0001)	false
Aug 3, 2023 15:54:23.573916912 CEST	8.8.8.8	192.168.2.5	0x1cd	No error (0)	api4.ipify.org		64.185.227.156	A (IP address)	IN (0x0001)	false
Aug 3, 2023 15:54:23.573916912 CEST	8.8.8.8	192.168.2.5	0x1cd	No error (0)	api4.ipify.org		173.231.16.76	A (IP address)	IN (0x0001)	false
Aug 3, 2023 15:54:23.573916912 CEST	8.8.8.8	192.168.2.5	0x1cd	No error (0)	api4.ipify.org		104.237.62.211	A (IP address)	IN (0x0001)	false
Aug 3, 2023 15:54:23.610007048 CEST	8.8.8.8	192.168.2.5	0x71f3	No error (0)	api.ipify.org	api4.ipify.org		CNAME (Canonical name)	IN (0x0001)	false
Aug 3, 2023 15:54:23.610007048 CEST	8.8.8.8	192.168.2.5	0x71f3	No error (0)	api4.ipify.org		64.185.227.156	A (IP address)	IN (0x0001)	false
Aug 3, 2023 15:54:23.610007048 CEST	8.8.8.8	192.168.2.5	0x71f3	No error (0)	api4.ipify.org		173.231.16.76	A (IP address)	IN (0x0001)	false
Aug 3, 2023 15:54:23.610007048 CEST	8.8.8.8	192.168.2.5	0x71f3	No error (0)	api4.ipify.org		104.237.62.211	A (IP address)	IN (0x0001)	false
Aug 3, 2023 15:54:26.962753057 CEST	8.8.8.8	192.168.2.5	0xbe0d	No error (0)	mail.grabinphone.com		103.211.239.66	A (IP address)	IN (0x0001)	false
Aug 3, 2023 15:54:30.840508938 CEST	8.8.8.8	192.168.2.5	0x2adf	No error (0)	mail.grabinphone.com		103.211.239.66	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

api.ipify.org

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.5	49717	173.231.16.76	443	C:\Users\user\Desktop\Disable_automatic_email_errors.exe

Timestamp	Direction	Data
2023-08-03 13:54:02 UTC	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2023-08-03 13:54:02 UTC	IN	HTTP/1.1 200 OK Server: nginx/1.25.1 Date: Thu, 03 Aug 2023 13:54:02 GMT Content-Type: text/plain Content-Length: 14 Connection: close Vary: Origin
2023-08-03 13:54:02 UTC	IN	Data Raw: 31 30 32 2e 31 32 39 2e 31 34 33 2e 33 30 Data Ascii: 102.129.143.30

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.5	49720	64.185.227.156	443	C:\Users\user\AppData\Roaming\ggh\ggh.exe

Timestamp	Direction	Data
2023-08-03 13:54:18 UTC	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2023-08-03 13:54:18 UTC	IN	HTTP/1.1 200 OK Server: nginx/1.25.1 Date: Thu, 03 Aug 2023 13:54:18 GMT Content-Type: text/plain Content-Length: 14 Connection: close Vary: Origin
2023-08-03 13:54:18 UTC	IN	Data Raw: 31 30 32 2e 31 32 39 2e 31 34 33 2e 33 30 Data Ascii: 102.129.143.30

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.5	49722	64.185.227.156	443	C:\Users\user\AppData\Roaming\ggh\ggh.exe

Timestamp	Direction	Data
2023-08-03 13:54:24 UTC	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2023-08-03 13:54:24 UTC	IN	HTTP/1.1 200 OK Server: nginx/1.25.1 Date: Thu, 03 Aug 2023 13:54:24 GMT Content-Type: text/plain Content-Length: 14 Connection: close Vary: Origin
2023-08-03 13:54:24 UTC	IN	Data Raw: 31 30 32 2e 31 32 39 2e 31 34 33 2e 33 30 Data Ascii: 102.129.143.30

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Aug 3, 2023 15:54:05.628433943 CEST	587	49718	103.211.239.66	192.168.2.5	220 cvsv--elite-mx01
Aug 3, 2023 15:54:05.636997938 CEST	49718	587	192.168.2.5	103.211.239.66	EHLO 932923
Aug 3, 2023 15:54:05.798723936 CEST	587	49718	103.211.239.66	192.168.2.5	250-cvsv--elite-mx01 Hello 932923 [102.129.143.30] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPE_CONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Aug 3, 2023 15:54:05.801402092 CEST	49718	587	192.168.2.5	103.211.239.66	STARTTLS
Aug 3, 2023 15:54:05.965980053 CEST	587	49718	103.211.239.66	192.168.2.5	220 TLS go ahead
Aug 3, 2023 15:54:08.491868973 CEST	587	49719	103.211.239.66	192.168.2.5	220 cvsv--elite-mx01
Aug 3, 2023 15:54:08.492029905 CEST	49719	587	192.168.2.5	103.211.239.66	EHLO 932923
Aug 3, 2023 15:54:08.655824900 CEST	587	49719	103.211.239.66	192.168.2.5	250-cvsv--elite-mx01 Hello 932923 [102.129.143.30] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPE_CONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Aug 3, 2023 15:54:08.656322956 CEST	49719	587	192.168.2.5	103.211.239.66	STARTTLS
Aug 3, 2023 15:54:08.823014975 CEST	587	49719	103.211.239.66	192.168.2.5	220 TLS go ahead
Aug 3, 2023 15:54:22.281714916 CEST	587	49721	103.211.239.66	192.168.2.5	220 cvsv--elite-mx01
Aug 3, 2023 15:54:22.281985044 CEST	49721	587	192.168.2.5	103.211.239.66	EHLO 932923
Aug 3, 2023 15:54:22.457453012 CEST	587	49721	103.211.239.66	192.168.2.5	250-cvsv--elite-mx01 Hello 932923 [102.129.143.30] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPE_CONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Aug 3, 2023 15:54:22.457691908 CEST	49721	587	192.168.2.5	103.211.239.66	STARTTLS
Aug 3, 2023 15:54:22.635792971 CEST	587	49721	103.211.239.66	192.168.2.5	220 TLS go ahead
Aug 3, 2023 15:54:28.564657927 CEST	587	49723	103.211.239.66	192.168.2.5	220 cvsv--elite-mx01
Aug 3, 2023 15:54:28.565188885 CEST	49723	587	192.168.2.5	103.211.239.66	EHLO 932923
Aug 3, 2023 15:54:28.731561899 CEST	587	49723	103.211.239.66	192.168.2.5	250-cvsv--elite-mx01 Hello 932923 [102.129.143.30] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPE_CONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Aug 3, 2023 15:54:28.731966972 CEST	49723	587	192.168.2.5	103.211.239.66	STARTTLS
Aug 3, 2023 15:54:28.901004076 CEST	587	49723	103.211.239.66	192.168.2.5	220 TLS go ahead
Aug 3, 2023 15:54:32.261920929 CEST	587	49724	103.211.239.66	192.168.2.5	220 cvsv--elite-mx01
Aug 3, 2023 15:54:32.262284040 CEST	49724	587	192.168.2.5	103.211.239.66	EHLO 932923
Aug 3, 2023 15:54:32.437623978 CEST	587	49724	103.211.239.66	192.168.2.5	250-cvsv--elite-mx01 Hello 932923 [102.129.143.30] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPE_CONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Aug 3, 2023 15:54:32.437858105 CEST	49724	587	192.168.2.5	103.211.239.66	STARTTLS
Aug 3, 2023 15:54:32.618319035 CEST	587	49724	103.211.239.66	192.168.2.5	220 TLS go ahead

Target ID:	0
Start time:	15:54:00
Start date:	03/08/2023
Path:	C:\Users\user\Desktop\Disable_automatic_email_errors.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\Disable_automatic_email_errors.exe
Imagebase:	0x290000
File size:	252'928 bytes
MD5 hash:	971D710C2612F65B6DC5FACB2BA5AAC3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.649418383.0000000002700000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.649418383.0000000002700000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000003.385931542.0000000005F97000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000000.381688362.0000000000292000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Target ID:	1
Start time:	15:54:13
Start date:	03/08/2023
Path:	C:\Users\user\AppData\Roaming\ggh\ggh.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\ggh\ggh.exe"
Imagebase:	0xdb0000
File size:	252'928 bytes
MD5 hash:	971D710C2612F65B6DC5FACB2BA5AAC3
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.429886562.0000000003280000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.429886562.0000000003280000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: C:\Users\user\AppData\Roaming\ggh\ggh.exe, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 61%, ReversingLabs
Reputation:	low

Show Windows behavior

Target ID:	4
Start time:	15:54:21
Start date:	03/08/2023
Path:	C:\Users\user\AppData\Roaming\ggh\ggh.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\ggh\ggh.exe"
Imagebase:	0x590000
File size:	252'928 bytes
MD5 hash:	971D710C2612F65B6DC5FACB2BA5AAC3
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.649230805.0000000002970000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.649230805.0000000002970000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Execution Graph

Execution Coverage:	9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	2.3%
Total number of Nodes:	129
Total number of Limit Nodes:	13

Executed Functions

Function 0249F1DC Relevance: 1.6, APIs: 1, Instructions: 135
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetUserNameW.ADVAPI32(00000000,00000000), ref: 0249F8AB

Memory Dump Source

Source File: 00000000.00000002.648946981.0000000002490000.00000040.00000800.00020000.00000000.sdmp, Offset: 02490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2490000_Disable_automatic_email_errors.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 73ac044e25fc3825de51bd2cfb6c8060aed8f75d9f07213b6002082dfd60a34c
Instruction ID: d381351f13bf29d5c7037a68c5f34e68c73f364fc42e1a34365919d703cd86f9
Opcode Fuzzy Hash: 73ac044e25fc3825de51bd2cfb6c8060aed8f75d9f07213b6002082dfd60a34c
Instruction Fuzzy Hash: 26510270E002188FDF14CFA9C895BDEBBB1BF48314F25812AE815BB750DB74A849CB95

Uniqueness

Uniqueness Score: -1.00%

Function 053BD998 Relevance: .9, Instructions: 871COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.659454457.00000000053B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53b0000_Disable_automatic_email_errors.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7c4c50f8ac8356dd92299297dd82fb27c090208125afd60c9a28fdffea6804b
Instruction ID: 48da964e8d47ef0eb2867547d42af0bad5cb879b8150c9bd3d2630930b985341
Opcode Fuzzy Hash: f7c4c50f8ac8356dd92299297dd82fb27c090208125afd60c9a28fdffea6804b
Instruction Fuzzy Hash: 8C625B30B042049FEB14EB68D454BEDB7E6EF84310F148869E50AEBB51DBB5ED42CB91

Uniqueness

Uniqueness Score: -1.00%

Function 060946B8 Relevance: .7, Instructions: 736COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.660080112.0000000006090000.00000040.00000800.00020000.00000000.sdmp, Offset: 06090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6090000_Disable_automatic_email_errors.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 019bb027c76004a843c4999365956222fc1b5d29e83a8a3023fb03856728382b
Instruction ID: e0fef8e52515d55149d250c66f800a825ad085a1941fe245304501075a361b34
Opcode Fuzzy Hash: 019bb027c76004a843c4999365956222fc1b5d29e83a8a3023fb03856728382b
Instruction Fuzzy Hash: DD426D70F101089FDF94EBA8C4506AEBBF3AB89350F144469E40AEB781DE34DD429BA5

Uniqueness

Uniqueness Score: -1.00%

Function 060932C0 Relevance: .6, Instructions: 610COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.660080112.0000000006090000.00000040.00000800.00020000.00000000.sdmp, Offset: 06090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6090000_Disable_automatic_email_errors.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cf16a4300df9293c78d13ffb968074797d758fec5bd4b71599b791fe31d343b
Instruction ID: f086db325497bd44d18dd27fa49482321234805be919a9d11449aba669ea2339
Opcode Fuzzy Hash: 5cf16a4300df9293c78d13ffb968074797d758fec5bd4b71599b791fe31d343b
Instruction Fuzzy Hash: A8223070F501099BEFA8DBA8C4907AEBBF2EB45310F50442AE456EB781DA25DC41DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 06096CB0 Relevance: .6, Instructions: 602COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.660080112.0000000006090000.00000040.00000800.00020000.00000000.sdmp, Offset: 06090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6090000_Disable_automatic_email_errors.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1e3bad6561246ea3b216db23f38b95c744b9a17d1327133fe47643ee8b99af7
Instruction ID: cc5dc9e7e4bd590b4c1317eaf74750394ba24d2f51d5401e0af70a0b884de6f4
Opcode Fuzzy Hash: f1e3bad6561246ea3b216db23f38b95c744b9a17d1327133fe47643ee8b99af7
Instruction Fuzzy Hash: 7F228231B201048FDF94DB78C494AAEBBE3EF85710F248469E40ADB391DB35EC419BA1

Uniqueness

Uniqueness Score: -1.00%

Function 053BF2D0 Relevance: .5, Instructions: 522COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.659454457.00000000053B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53b0000_Disable_automatic_email_errors.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e61d73778c39d91404e1d117c1bec9ba7c8bc57984b7fa47440d0a81e7ca0d2
Instruction ID: ef058532c5c238ef3034ab5e8a49e89c22bb98750112c646c5bb48830e3cbc0d
Opcode Fuzzy Hash: 6e61d73778c39d91404e1d117c1bec9ba7c8bc57984b7fa47440d0a81e7ca0d2
Instruction Fuzzy Hash: 2D02A130B042159FEB14EBB8C8507AEB7E2BF84310F149469E506DBB95DFB5ED428B90

Uniqueness

Uniqueness Score: -1.00%

Function 0609C7B8 Relevance: .4, Instructions: 350COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.660080112.0000000006090000.00000040.00000800.00020000.00000000.sdmp, Offset: 06090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6090000_Disable_automatic_email_errors.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: f8a714725a6096583428c957b7d49d6349b7f38642221556d727bc9507fd0d2c
Instruction ID: f5b222293b103d094cc779f717cea5ff2d98676e514a4ef1a79b6185dc9f29fe
Opcode Fuzzy Hash: f8a714725a6096583428c957b7d49d6349b7f38642221556d727bc9507fd0d2c
Instruction Fuzzy Hash: 1CD16E70E40208DFCF45EFB8D8545AEBBB2FF88300F148429E506AB354DB38A946DB95

Uniqueness

Uniqueness Score: -1.00%

Function 0249CA30 Relevance: .3, Instructions: 337COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.648946981.0000000002490000.00000040.00000800.00020000.00000000.sdmp, Offset: 02490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2490000_Disable_automatic_email_errors.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4389db397d6ec217525d52f0e570fbb564649637d3c1d5d42266c5f50cc44c8c
Instruction ID: f191b2a02174016c96a3970033d193446ba81d7bb629fc05604aff55f407c3ea
Opcode Fuzzy Hash: 4389db397d6ec217525d52f0e570fbb564649637d3c1d5d42266c5f50cc44c8c
Instruction Fuzzy Hash: CDD13875E00209CFCF14DFA8D484AAEBBF6FF88314F14855AE415AB361DB34A946CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0249AA70 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.648946981.0000000002490000.00000040.00000800.00020000.00000000.sdmp, Offset: 02490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2490000_Disable_automatic_email_errors.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39db1d65dc8bf5fed25f2c0941982deb0f000823785bc27ca214e735b0f8bbef
Instruction ID: a143f7f579e81ac3df48140c7a5de067dc6e8df085331469c91b619e3228f779
Opcode Fuzzy Hash: 39db1d65dc8bf5fed25f2c0941982deb0f000823785bc27ca214e735b0f8bbef
Instruction Fuzzy Hash: 82B12C70E00219CFDF14CFA9D99579EBFF2AF88714F14812AE815AB394DB749885CB81

Uniqueness

Uniqueness Score: -1.00%

Function 02499E58 Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.648946981.0000000002490000.00000040.00000800.00020000.00000000.sdmp, Offset: 02490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2490000_Disable_automatic_email_errors.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09e944be865177df82d5c9f63af21df652df3aa9debb59d304aeff88ef784e25
Instruction ID: bafd18dfe12cffcabb15b1dbd07dadfea36534f77396fa1b461b9214dbf479c3
Opcode Fuzzy Hash: 09e944be865177df82d5c9f63af21df652df3aa9debb59d304aeff88ef784e25
Instruction Fuzzy Hash: 01912770E002199FDF10CFA9C9857EEBFF2AF88718F14812AE405A7294DB759985CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0609A138 Relevance: 1.6, APIs: 1, Instructions: 136
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.660080112.0000000006090000.00000040.00000800.00020000.00000000.sdmp, Offset: 06090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6090000_Disable_automatic_email_errors.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce646340edc8a16599e40a3dcb08c1acd87267b2d563d8725a969bf638c674a5
Instruction ID: 5be75b123e1a3e87843d5e104b9bfa2180351679e17805a6e3cba7d508d2eb15
Opcode Fuzzy Hash: ce646340edc8a16599e40a3dcb08c1acd87267b2d563d8725a969bf638c674a5
Instruction Fuzzy Hash: 61410172E043958FCB10CFA9D8146DEBFF5EF8A210F1485AAE405EB241DB749985CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 0249F1F4 Relevance: 1.6, APIs: 1, Instructions: 134
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetUserNameW.ADVAPI32(00000000,00000000), ref: 0249F8AB

Memory Dump Source

Source File: 00000000.00000002.648946981.0000000002490000.00000040.00000800.00020000.00000000.sdmp, Offset: 02490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2490000_Disable_automatic_email_errors.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 533db5da0fe4f8ed1a2dabc1caedd1b4915009ef6a4865efbaf05d01fadb47eb
Instruction ID: b7141fa38d54747c9f697cfd137a637f73dc409b2e657e4b23bb842d384bc39c
Opcode Fuzzy Hash: 533db5da0fe4f8ed1a2dabc1caedd1b4915009ef6a4865efbaf05d01fadb47eb
Instruction Fuzzy Hash: A851F270E102188FDF14CFA9C895BDEBBB1BF48314F25812AE815AB750D774A849CB95

Uniqueness

Uniqueness Score: -1.00%

Function 0249F764 Relevance: 1.6, APIs: 1, Instructions: 133
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetUserNameW.ADVAPI32(00000000,00000000), ref: 0249F8AB

Memory Dump Source

Source File: 00000000.00000002.648946981.0000000002490000.00000040.00000800.00020000.00000000.sdmp, Offset: 02490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2490000_Disable_automatic_email_errors.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 6203b257108e78543fddda8230e6515d140447acc0b27da73a5ea08255af8288
Instruction ID: 4a3e36b31d8338918d3f70fb2cba2945d0284f2911139f13b21e54ad32dcac70
Opcode Fuzzy Hash: 6203b257108e78543fddda8230e6515d140447acc0b27da73a5ea08255af8288
Instruction Fuzzy Hash: 145103B0E002188FDF14CFA9C895BDEBBB1BF48314F25812AE815AB750D774A849CB95

Uniqueness

Uniqueness Score: -1.00%

Function 0609C4B4 Relevance: 1.6, APIs: 1, Instructions: 116
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0609E462

Memory Dump Source

Source File: 00000000.00000002.660080112.0000000006090000.00000040.00000800.00020000.00000000.sdmp, Offset: 06090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6090000_Disable_automatic_email_errors.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 09a04ffe21c105bb8ed4aacce2bbc6a2076dc63d70977077f4af0cf39965f68a
Instruction ID: 0e5e765ed7a10181433ccfa188673bd83cc38d909554ddc87ba59f6502a9d0e0
Opcode Fuzzy Hash: 09a04ffe21c105bb8ed4aacce2bbc6a2076dc63d70977077f4af0cf39965f68a
Instruction Fuzzy Hash: 805190B1D002099FDF54CFA9C984ADEBFB5BF48310F64852AE819AB210D774A885DF90

Uniqueness

Uniqueness Score: -1.00%

Function 0609E344 Relevance: 1.6, APIs: 1, Instructions: 115
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0609E462

Memory Dump Source

Source File: 00000000.00000002.660080112.0000000006090000.00000040.00000800.00020000.00000000.sdmp, Offset: 06090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6090000_Disable_automatic_email_errors.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: a4e813163ed341d5b35b64c56d957fa1993af29848111e6587a365307471e6c4
Instruction ID: 457da8d978104340dfe6015be1db5656bb654223bb78c1d466a670798efe230f
Opcode Fuzzy Hash: a4e813163ed341d5b35b64c56d957fa1993af29848111e6587a365307471e6c4
Instruction Fuzzy Hash: 4851B0B1D003099FDF14CFA9C994ADEBFB6BF48310F24852AE819AB210D7749985CF90

Uniqueness

Uniqueness Score: -1.00%

Function 024976A4 Relevance: 1.6, APIs: 1, Instructions: 98
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(?), ref: 02497797

Memory Dump Source

Source File: 00000000.00000002.648946981.0000000002490000.00000040.00000800.00020000.00000000.sdmp, Offset: 02490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2490000_Disable_automatic_email_errors.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 38dab859593c618c4061e1a50cf7826c3ed293c5957e9d97098b89e79a4aa659
Instruction ID: 6fb7fa9ac89b75fbabb8728d7ec39ac5f088e797b6c408242f3687bdfd0e7455
Opcode Fuzzy Hash: 38dab859593c618c4061e1a50cf7826c3ed293c5957e9d97098b89e79a4aa659
Instruction Fuzzy Hash: 5A4146B1D106188FDB10CFA9C9857DEFBF1AB48314F14816AE815EB344E779A886CF91

Uniqueness

Uniqueness Score: -1.00%

Function 02495ADC Relevance: 1.6, APIs: 1, Instructions: 97
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(?), ref: 02497797

Memory Dump Source

Source File: 00000000.00000002.648946981.0000000002490000.00000040.00000800.00020000.00000000.sdmp, Offset: 02490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2490000_Disable_automatic_email_errors.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: a723e7b9f4579a30db4030105323ea0c507c7613dcbbc3861e4f0055315bd6e9
Instruction ID: 558e1a4912cc2ecbaa730fc7cb55bbc70d1102498c0f5c9be2d2cad4ebc1df41
Opcode Fuzzy Hash: a723e7b9f4579a30db4030105323ea0c507c7613dcbbc3861e4f0055315bd6e9
Instruction Fuzzy Hash: 794135B0E106088FDB10CFA9C98579EFFF1AB48714F10816AE815AB340D775A882CF95

Uniqueness

Uniqueness Score: -1.00%

Function 0609FE21 Relevance: 1.6, APIs: 1, Instructions: 67
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0609FDEE,?,?,?,?,?), ref: 0609FEAF

Memory Dump Source

Source File: 00000000.00000002.660080112.0000000006090000.00000040.00000800.00020000.00000000.sdmp, Offset: 06090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6090000_Disable_automatic_email_errors.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 1e2bfb3d46e4b9f361a46ead5452472b4e24dd9e10ef5135c8d09dd79a9121ad
Instruction ID: 97739a38048f6466162472f7ba2e17df32490151698d899cb1d010b8b414095b
Opcode Fuzzy Hash: 1e2bfb3d46e4b9f361a46ead5452472b4e24dd9e10ef5135c8d09dd79a9121ad
Instruction Fuzzy Hash: 7C2103B59012099FCB10CFAAD984ADEFFF8EF48320F14841AE854A7310D374A984DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0609F7D4 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0609FDEE,?,?,?,?,?), ref: 0609FEAF

Memory Dump Source

Source File: 00000000.00000002.660080112.0000000006090000.00000040.00000800.00020000.00000000.sdmp, Offset: 06090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6090000_Disable_automatic_email_errors.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: ef867407891cba5e538652533c05d838d83962e10953a26c5827e217f9200681
Instruction ID: 22d040be2e56bb97093c6ea570eb2a0ac3c1891ea32c6c46cf0b798fdb7c452f
Opcode Fuzzy Hash: ef867407891cba5e538652533c05d838d83962e10953a26c5827e217f9200681
Instruction Fuzzy Hash: F521E4B5D002099FDB50CFAAD984ADEBFF9EB48320F14841AE914B7310D374A954DFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0609B837 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 0609D3D6

Memory Dump Source

Source File: 00000000.00000002.660080112.0000000006090000.00000040.00000800.00020000.00000000.sdmp, Offset: 06090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6090000_Disable_automatic_email_errors.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 88aca5c9677031b97b67da3060bc80d10d6360bdb6e3a46350d556c76ca71842
Instruction ID: 2be718ee63178af63e4a35045acb6d9938c467bfa558fabaeb099c62a6dbd40b
Opcode Fuzzy Hash: 88aca5c9677031b97b67da3060bc80d10d6360bdb6e3a46350d556c76ca71842
Instruction Fuzzy Hash: 312187B18043888FCB11CFAAC8447CEBFF0EF49224F1480AAC455AB242C378A446CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0609A208 Relevance: 1.6, APIs: 1, Instructions: 58
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNEL32(?,?,?,?,?,?,?,?,?,0609A18A), ref: 0609A277

Memory Dump Source

Source File: 00000000.00000002.660080112.0000000006090000.00000040.00000800.00020000.00000000.sdmp, Offset: 06090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6090000_Disable_automatic_email_errors.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: f39c373909b36401c10a9b5a2fa2cd881d175122042c384e0a0715f96018dacd
Instruction ID: e2e22d33f784c8e4b8111c2b76ae0aac9015772e7dc32a53bd2c6bb9c6ee492d
Opcode Fuzzy Hash: f39c373909b36401c10a9b5a2fa2cd881d175122042c384e0a0715f96018dacd
Instruction Fuzzy Hash: A911F2B1D006199FCB10CF9AD944BDEFBF4AF48720F14856AE818B7240D778A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 06098620 Relevance: 1.6, APIs: 1, Instructions: 55
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNEL32(?,?,?,?,?,?,?,?,?,0609A18A), ref: 0609A277

Memory Dump Source

Source File: 00000000.00000002.660080112.0000000006090000.00000040.00000800.00020000.00000000.sdmp, Offset: 06090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6090000_Disable_automatic_email_errors.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: d48046a1cac3a7b9c0e19a158740a5612fe0b0d078c0a1cddaca1613a23c6347
Instruction ID: ddc6f7158b62c3eb895c5847ec54413bf009786c0427fa1da3b0271e9d99091c
Opcode Fuzzy Hash: d48046a1cac3a7b9c0e19a158740a5612fe0b0d078c0a1cddaca1613a23c6347
Instruction Fuzzy Hash: 5711FFB1D046199BCB50CF9AC944BDEFBF4AB48320F14856AE818B7240D379AA45CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0609B854 Relevance: 1.6, APIs: 1, Instructions: 50
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 0609D3D6

Memory Dump Source

Source File: 00000000.00000002.660080112.0000000006090000.00000040.00000800.00020000.00000000.sdmp, Offset: 06090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6090000_Disable_automatic_email_errors.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: d1b396189d6fb499b4e4803cbfc0cedb2931f4043e402dc57bbf0abee22669cc
Instruction ID: b5df93119c969b7f7d8ca31e5835f25db307de5b2a6f8819b39a70ffbd5f7079
Opcode Fuzzy Hash: d1b396189d6fb499b4e4803cbfc0cedb2931f4043e402dc57bbf0abee22669cc
Instruction Fuzzy Hash: AB11F0B5C406098FCB60CFAAC544BDEFBF5AF88220F10856AD819B7640C374A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0609D368 Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 0609D3D6

Memory Dump Source

Source File: 00000000.00000002.660080112.0000000006090000.00000040.00000800.00020000.00000000.sdmp, Offset: 06090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6090000_Disable_automatic_email_errors.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 207302e195fddacf7d41a0bf303c03b63bad557676bec1be65110da84a4915b1
Instruction ID: 167b6f731eb0e59efc1f654216b74ccbd45c024551d09beb7f2e2b1f1650ed58
Opcode Fuzzy Hash: 207302e195fddacf7d41a0bf303c03b63bad557676bec1be65110da84a4915b1
Instruction Fuzzy Hash: AE11F0B2C006498FCB50CFAAD544ADEFBF5AF88324F10856AD859BB640D374A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 053BE4D8 Relevance: .4, Instructions: 437COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.659454457.00000000053B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53b0000_Disable_automatic_email_errors.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d7a7dacdea816f2fb4ffeff41ed7e3db28562e0f1b3ff4494c9e4ce97548743
Instruction ID: 468ba8e52e4d795ba0779ef78c661c3a30897dcb4253f8aa217e12b96ddb725b
Opcode Fuzzy Hash: 1d7a7dacdea816f2fb4ffeff41ed7e3db28562e0f1b3ff4494c9e4ce97548743
Instruction Fuzzy Hash: 9BF13C70B042088FEB14EBB8C4506AEBBA7BF84300F20846DD51A9B795DFB5ED41DB91

Uniqueness

Uniqueness Score: -1.00%

Function 053BE4CA Relevance: .2, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.659454457.00000000053B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53b0000_Disable_automatic_email_errors.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 903d5d5df069f5a2c3dbb59a57a43aab9c4e3f0f07d925b01a9ba0d102c46c4d
Instruction ID: 6b5ebe092f4009912b244e02a0941d85f36b989bb0be6a20074e7df18864a32b
Opcode Fuzzy Hash: 903d5d5df069f5a2c3dbb59a57a43aab9c4e3f0f07d925b01a9ba0d102c46c4d
Instruction Fuzzy Hash: BE614E70A002589FEB14EBA9D451AEEBBB6BF85300F204469D406EB754DBB4AD41CF91

Uniqueness

Uniqueness Score: -1.00%

Function 053BE128 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.659454457.00000000053B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53b0000_Disable_automatic_email_errors.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f05759dd67cce559489f879335077fd2e4e9bbf45029f686f1a84032a528052
Instruction ID: 57c45093eef21b895c321e165cf07c308f838a6acf7c6b117a0ed158b32ce01d
Opcode Fuzzy Hash: 0f05759dd67cce559489f879335077fd2e4e9bbf45029f686f1a84032a528052
Instruction Fuzzy Hash: 9621A131B101045FEF14EAADD4546EEB7FBEBC4220F144429E509DB780EAB4DD018BD5

Uniqueness

Uniqueness Score: -1.00%

Function 053BEAB5 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.659454457.00000000053B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53b0000_Disable_automatic_email_errors.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f969a024d86c1b06dfd04881606d17633d8f9730f0c30b11d0185df349bf8f4
Instruction ID: f9fbf0b67281bf685bdddd2d5fd42d5e9ad35f81cccbe1eb7d8aa344ed12f1dd
Opcode Fuzzy Hash: 1f969a024d86c1b06dfd04881606d17633d8f9730f0c30b11d0185df349bf8f4
Instruction Fuzzy Hash: 2C210830F042088BEB14EBA8D551AEEB7BABB85301F205069D909EBA51DBB0ED41DF50

Uniqueness

Uniqueness Score: -1.00%

Function 053BFDE8 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.659454457.00000000053B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53b0000_Disable_automatic_email_errors.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fda4744598ea84af44f6baebe7472d9bf4730a32e3ae00bc59a8a568db4110cb
Instruction ID: 72eaebf4b7df5f20ec5bfa47fa4087e7ba5ace893a8772fff5389c5520c64452
Opcode Fuzzy Hash: fda4744598ea84af44f6baebe7472d9bf4730a32e3ae00bc59a8a568db4110cb
Instruction Fuzzy Hash: FC312B78AC13409FE3059F20E4447A97BF6F74A355F10A429EA458B3CADB790C81DF11

Uniqueness

Uniqueness Score: -1.00%

Function 053BFDF8 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.659454457.00000000053B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53b0000_Disable_automatic_email_errors.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c39de719d3c9021a7302d4f9db89e07c679d43154a2a2920f20446759133994
Instruction ID: 59c02ebe26e3456ac39b383bacc6645aba4ea8db8465072ec73ed60e0e137798
Opcode Fuzzy Hash: 7c39de719d3c9021a7302d4f9db89e07c679d43154a2a2920f20446759133994
Instruction Fuzzy Hash: 66212A78AC13409FE3089F20E44476977EAF38A755F00A029AA454B3C9DF791C81DF11

Uniqueness

Uniqueness Score: -1.00%

Function 053BF5E8 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.659454457.00000000053B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53b0000_Disable_automatic_email_errors.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 781e37efff963b7def2d80f0dc23e0f9f71c148d2b3b967bdefa53b848ff302a
Instruction ID: d052823415381fb1ae828855bfb214db8a0110f7878867d2711405bb6f22073e
Opcode Fuzzy Hash: 781e37efff963b7def2d80f0dc23e0f9f71c148d2b3b967bdefa53b848ff302a
Instruction Fuzzy Hash: 61012832B181145BAF24A9B15C007FF769BAB841A0F045079DE06E7E50DEE0D901C7E2

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 053B3D70 Relevance: 3.1, Instructions: 3100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.659454457.00000000053B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53b0000_Disable_automatic_email_errors.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21b0bf766d5ec9cb16b2d607d83a5f3573d5402bf398642770dcb0e4513e1931
Instruction ID: 70a5948089339dca3c20201e082905189b0bad74b1b04f7c19460feae26f996d
Opcode Fuzzy Hash: 21b0bf766d5ec9cb16b2d607d83a5f3573d5402bf398642770dcb0e4513e1931
Instruction Fuzzy Hash: 34630931D10B1A8ADB11EF68C8945E9F7B1FF99300F15C69AE558B7221EB70AAC4CF41

Uniqueness

Uniqueness Score: -1.00%

Function 053B71C8 Relevance: 2.2, Instructions: 2238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.659454457.00000000053B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53b0000_Disable_automatic_email_errors.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 048c2f30ee2a536de5d54b34db466be485dc5af3a4c9408a4649ffe9b09c87e8
Instruction ID: 5312858a6dc42045576d8a3a59ef04ee3cc71051a0c34c043e33a97cd9239722
Opcode Fuzzy Hash: 048c2f30ee2a536de5d54b34db466be485dc5af3a4c9408a4649ffe9b09c87e8
Instruction Fuzzy Hash: 65333B31D10A198EDB11EF68C894AEDF7B1FF89300F14C79AE559A7211EB70AAC5CB41

Uniqueness

Uniqueness Score: -1.00%

Function 053BC8E0 Relevance: 1.9, Strings: 1, Instructions: 611COMMON

Download Yara Rule

Strings

$, xrefs: 053BCC72

Memory Dump Source

Source File: 00000000.00000002.659454457.00000000053B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53b0000_Disable_automatic_email_errors.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-3993045852
Opcode ID: 224fa8695f40f376808fafaa3abe8063d548a8477e011862230aae386a851029
Instruction ID: 1c6ee709250f4ff577366fc7fc19621f87861d8e649d64e97c4a76c8839364e3
Opcode Fuzzy Hash: 224fa8695f40f376808fafaa3abe8063d548a8477e011862230aae386a851029
Instruction Fuzzy Hash: 16227F31F0021A8FEF24DBA8C490AEEBBB2FB85310F10856AD515EB741DAB5DD45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 053B3558 Relevance: .6, Instructions: 642COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.659454457.00000000053B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53b0000_Disable_automatic_email_errors.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef4669efff73c18e86edbb76332a603d9dd0b6cb8b45e10c19d6ad8db4684612
Instruction ID: 7f9243b3a652f65cb8baef836388d19b1f2dd87d80f368cff5d682ed30319363
Opcode Fuzzy Hash: ef4669efff73c18e86edbb76332a603d9dd0b6cb8b45e10c19d6ad8db4684612
Instruction Fuzzy Hash: 19328F70B002149FEB14DB68D484BADBBB2FF88310F248869E50ADB751DBB5DD45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 053BA5F8 Relevance: .6, Instructions: 605COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.659454457.00000000053B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53b0000_Disable_automatic_email_errors.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e417a36f25efb05fd5079f180746cd9f5591da98394204da39f15dd3c13b99e3
Instruction ID: 5e5c49532368e48654fe0c6df457360cd955229fdb5ddc5d103c4f6e75ad8045
Opcode Fuzzy Hash: e417a36f25efb05fd5079f180746cd9f5591da98394204da39f15dd3c13b99e3
Instruction Fuzzy Hash: F7421E31E10619CFDB14EBB5C8506DEB7B2BFC9300F5086AAD509AB650EF70A985CF91

Uniqueness

Uniqueness Score: -1.00%

Function 053BD068 Relevance: .4, Instructions: 414COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.659454457.00000000053B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53b0000_Disable_automatic_email_errors.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49a100dfa70e3ca7b40fede4ae11686a88e293c0d56501a75504d313c1b2bfb3
Instruction ID: 1eddf78a66a3f8dab5178738c95ad3ab45ea3cefb599b7f5aa026693efc49e2c
Opcode Fuzzy Hash: 49a100dfa70e3ca7b40fede4ae11686a88e293c0d56501a75504d313c1b2bfb3
Instruction Fuzzy Hash: 74D1D731B000148FEF14DB68D494BFEB7A6FB89710F24896AE60ADB751CAB1DC45C791

Uniqueness

Uniqueness Score: -1.00%

Function 0609D960 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.660080112.0000000006090000.00000040.00000800.00020000.00000000.sdmp, Offset: 06090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6090000_Disable_automatic_email_errors.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c91bbb9eb08f041aec68559a1b1e6dda020794e487153f12fb77592d3b806b10
Instruction ID: bcebe54d11514d4caad367c5aa8010f312656937fcde79577417468a968d51b1
Opcode Fuzzy Hash: c91bbb9eb08f041aec68559a1b1e6dda020794e487153f12fb77592d3b806b10
Instruction Fuzzy Hash: 7E12ECF9C917468BD310CF66E488149BBE1B76132DBD04A0AD2611BAD1F7B4116EEF4C

Uniqueness

Uniqueness Score: -1.00%

Function 0249A1A0 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.648946981.0000000002490000.00000040.00000800.00020000.00000000.sdmp, Offset: 02490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2490000_Disable_automatic_email_errors.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ae6220845beba2c605df5c31bc96def33911df13308f825dc548b336aa7b1bb
Instruction ID: 75fb5981c607f2abf06f7311095828cb1aa4aecd82ba6ee0ee7fdaeb3a5953da
Opcode Fuzzy Hash: 9ae6220845beba2c605df5c31bc96def33911df13308f825dc548b336aa7b1bb
Instruction Fuzzy Hash: 9DB11B70E00219CFDF14CFA9C9857AEBBF2AF89714F14812AD819AB354DB749845CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0609D931 Relevance: .2, Instructions: 242COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.660080112.0000000006090000.00000040.00000800.00020000.00000000.sdmp, Offset: 06090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6090000_Disable_automatic_email_errors.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0b91e65225d46ff6f000611910fb6fcbfa820803dfa805f1c6555d5ce648348
Instruction ID: 76c489a30354203cd3917bab2305c3db98232cc18fe145c1f16c6e52ea8221a7
Opcode Fuzzy Hash: a0b91e65225d46ff6f000611910fb6fcbfa820803dfa805f1c6555d5ce648348
Instruction Fuzzy Hash: 0FC14EB9C917458BD310CF26E888189BBF1BB6532DFD04B0AD1616B6D1E7B4106EEF48

Uniqueness

Uniqueness Score: -1.00%

Function 02498144 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.648946981.0000000002490000.00000040.00000800.00020000.00000000.sdmp, Offset: 02490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2490000_Disable_automatic_email_errors.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15f3364430bf2e152f1cbeced15a56d61f5bcca77eb904b8c725a3ef2a7e6927
Instruction ID: 1220d52948e268ee2d7f2efd76cb023d681dc825dd14001677467aa1b363a61a
Opcode Fuzzy Hash: 15f3364430bf2e152f1cbeced15a56d61f5bcca77eb904b8c725a3ef2a7e6927
Instruction Fuzzy Hash: 5751226180E3D09ED707A77C6C757C63FB16F13654F4A49E7C0C2CA4A3E7188889E66A

Uniqueness

Uniqueness Score: -1.00%

Function 0249020D Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.648946981.0000000002490000.00000040.00000800.00020000.00000000.sdmp, Offset: 02490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2490000_Disable_automatic_email_errors.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44558d3759372e74651ea72f003e5880638a759b7235f4f47e4bf947065313a6
Instruction ID: 209000905315167f3201be6c4f1be15b22b3d38c9a562542381778d4e4f0f37b
Opcode Fuzzy Hash: 44558d3759372e74651ea72f003e5880638a759b7235f4f47e4bf947065313a6
Instruction Fuzzy Hash: FB4182A281C6E64BEB36463D48691EAFFA0AB5327CF2C13CBC4E1892D3D3956156D344

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: ggh.exePID: 6624, Parent PID: 3324COMMON

Execution Graph

Execution Coverage:	17.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	140
Total number of Limit Nodes:	9

Executed Functions

Function 06CC6C7F Relevance: 1.8, Instructions: 1816COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.433423619.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6cc0000_ggh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67eca97ab9c95ff687018edc71abc73d310ab7a00b0ff27f438cc48c46839a04
Instruction ID: 570cbdf0d5c6a7c2c92873ad24a3b9fd8c2ee69a4548a535576b61fe010d4e9f
Opcode Fuzzy Hash: 67eca97ab9c95ff687018edc71abc73d310ab7a00b0ff27f438cc48c46839a04
Instruction Fuzzy Hash: 0A131731D10B1A8ACB50EF68C894599F7B1FF99310F11D79AE459B7221EB70AAC4CF81

Uniqueness

Uniqueness Score: -1.00%

Function 06CC4570 Relevance: 1.4, Instructions: 1354COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.433423619.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6cc0000_ggh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f882b7cdb6ba10678a50804ea500e07d84d9fed31011dc9ed28d8f99948153c4
Instruction ID: 28f0658029619bd6e8dccd6b8d5c9a87009d3abccde667b91dc5ef5029992492
Opcode Fuzzy Hash: f882b7cdb6ba10678a50804ea500e07d84d9fed31011dc9ed28d8f99948153c4
Instruction Fuzzy Hash: B1E21631D10B1A8ECB50EF68C894699F7B1FF99310F11D69AE059B7221EB70AAD4CF41

Uniqueness

Uniqueness Score: -1.00%

Function 06CCA4D8 Relevance: .6, Instructions: 605COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.433423619.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6cc0000_ggh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b6d1ab62321bb0012362937659e9003ce81146169080402daef1defba3ff4e4
Instruction ID: 1457be392817370a5e898a9e11c124841e87fc3e0a71a0a3e83025f222526e79
Opcode Fuzzy Hash: 0b6d1ab62321bb0012362937659e9003ce81146169080402daef1defba3ff4e4
Instruction Fuzzy Hash: 33423431E10619CFCB54EBB5C8546DEB7B2AFD9300F50865ED409AB254EF70AE85CB90

Uniqueness

Uniqueness Score: -1.00%

Function 06CCF1B0 Relevance: .5, Instructions: 518COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.433423619.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6cc0000_ggh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 993b0e7b91e68d906a3992bf61ac8742d752bdb6b82a235ef60bd940c2c71d1c
Instruction ID: 0d3c1623e2be1aa0775295ec47393e46ad626ffafb8c306aecf43ff4143035fb
Opcode Fuzzy Hash: 993b0e7b91e68d906a3992bf61ac8742d752bdb6b82a235ef60bd940c2c71d1c
Instruction Fuzzy Hash: 4E027930F042159FDB54EBA9C4546AEB7E3AF84320F24846DE526DB794DB34EE42CB90

Uniqueness

Uniqueness Score: -1.00%

Function 017BF764 Relevance: 1.6, APIs: 1, Instructions: 136
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetUserNameW.ADVAPI32(00000000,00000000), ref: 017BF8AB

Memory Dump Source

Source File: 00000001.00000002.429521874.00000000017B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_17b0000_ggh.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 9ed0d08109b527a15e98c796d98e9e86b09b37047ab681a3e5ff50aaa9b19762
Instruction ID: 58649b126d104638dbce758a8711e4bc10247a2ce3e10de598830df1d31e48ea
Opcode Fuzzy Hash: 9ed0d08109b527a15e98c796d98e9e86b09b37047ab681a3e5ff50aaa9b19762
Instruction Fuzzy Hash: 4C5102B0E002289FDB18CFA9C885BDDFBB1BF48714F15812AE819AB351D774A845CF95

Uniqueness

Uniqueness Score: -1.00%

Function 017BF1DC Relevance: 1.6, APIs: 1, Instructions: 135
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetUserNameW.ADVAPI32(00000000,00000000), ref: 017BF8AB

Memory Dump Source

Source File: 00000001.00000002.429521874.00000000017B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_17b0000_ggh.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: e92861ea16e8a0a0ea3ff1faaf3c4885c8733b6b04ef144589e3cce8271dc0f2
Instruction ID: 944d4e19899708c7ed522a12fa7c3e46767608aae6695bf7ea0855500b274e19
Opcode Fuzzy Hash: e92861ea16e8a0a0ea3ff1faaf3c4885c8733b6b04ef144589e3cce8271dc0f2
Instruction Fuzzy Hash: C5510270E002288FDB18CFA9C885BDDFBB1BF48714F158169E819BB351D774A845CB95

Uniqueness

Uniqueness Score: -1.00%

Function 017BF1F4 Relevance: 1.6, APIs: 1, Instructions: 134
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetUserNameW.ADVAPI32(00000000,00000000), ref: 017BF8AB

Memory Dump Source

Source File: 00000001.00000002.429521874.00000000017B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_17b0000_ggh.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 802ead23cb9dccf4519669a6757f9e4c3b2e7e56a6971173daf3c79d97b3f48a
Instruction ID: 26ebfcc9c81627bd77ebb072bea6ac1cc16483f97ed57b24e4fe60761c31d364
Opcode Fuzzy Hash: 802ead23cb9dccf4519669a6757f9e4c3b2e7e56a6971173daf3c79d97b3f48a
Instruction Fuzzy Hash: C5510270E002288FDB18CFA9C885BDDFBB1BF48714F148129E819BB351D774A845CB95

Uniqueness

Uniqueness Score: -1.00%

Function 06CF9EB8 Relevance: 1.6, APIs: 1, Instructions: 134
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000001.00000002.433527591.0000000006CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6cf0000_ggh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bde4519528c59ee2df87da95a81507a66e457fc4aed0e68f87989fbacb2d16b8
Instruction ID: 2fcfdd37adf04ddbed2eaa8d28236f9967065db8f0a3f32f931fd80c573e3c84
Opcode Fuzzy Hash: bde4519528c59ee2df87da95a81507a66e457fc4aed0e68f87989fbacb2d16b8
Instruction Fuzzy Hash: D7412172E1035A9FCB50CFA9D8002EEBBF4AF89310F14856AE445E7240DB749885CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 017B76A4 Relevance: 1.6, APIs: 1, Instructions: 101
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(?), ref: 017B7797

Memory Dump Source

Source File: 00000001.00000002.429521874.00000000017B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_17b0000_ggh.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 52a0443157a28affbcf606a63546bc13946593be06121ffc27f55768840851b1
Instruction ID: c4e290545c3977e20b3d6fe4862ff32a9a388d8c04bb92ca79d64a717c3ea364
Opcode Fuzzy Hash: 52a0443157a28affbcf606a63546bc13946593be06121ffc27f55768840851b1
Instruction Fuzzy Hash: A64147B0D002599FDB18CFA9C885BDEFBF1BB88314F148529E855AB390D774A481CF91

Uniqueness

Uniqueness Score: -1.00%

Function 017B5ADC Relevance: 1.6, APIs: 1, Instructions: 97
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(?), ref: 017B7797

Memory Dump Source

Source File: 00000001.00000002.429521874.00000000017B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_17b0000_ggh.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 8665d9295eb6a574d0a16102cc2508a46d5c8fc8304828876a926ef423d412b5
Instruction ID: 0840e60a9af02115268b957c3a0003ae769aeb6d98e6620457e7aaba06c1360d
Opcode Fuzzy Hash: 8665d9295eb6a574d0a16102cc2508a46d5c8fc8304828876a926ef423d412b5
Instruction Fuzzy Hash: D34124B0E002498FDB14CFA9C9857DEFBF1EB88714F148129E815AB280D774A841CF95

Uniqueness

Uniqueness Score: -1.00%

Function 06CCCAF1 Relevance: 1.6, Strings: 1, Instructions: 334
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$, xrefs: 06CCCB52

Memory Dump Source

Source File: 00000001.00000002.433423619.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6cc0000_ggh.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-3993045852
Opcode ID: 624d20e4b7b1b5bf3a4ac1f25691c67a9823a0d387a8cd638d177d1b9409f9da
Instruction ID: 7f4e35c927af46948eb9e9824002364e0f043347e3ca5fd5ea52ad8022513c4d
Opcode Fuzzy Hash: 624d20e4b7b1b5bf3a4ac1f25691c67a9823a0d387a8cd638d177d1b9409f9da
Instruction Fuzzy Hash: A5C14B31F102198FEB54DBA4C4546AEB7B2EF98320F20416DE40AEB354DB75EE46CB91

Uniqueness

Uniqueness Score: -1.00%

Function 06CF9F88 Relevance: 1.6, APIs: 1, Instructions: 56
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,06CF9F0A), ref: 06CF9FF7

Memory Dump Source

Source File: 00000001.00000002.433527591.0000000006CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6cf0000_ggh.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: d0e0c71bb8ec77d09a41dda6484906b525f9b841e7ac13005f04df84425ba9b7
Instruction ID: 5f921a65c8b98b85c19b970fffa6fa507349f7146d56ce2281a47d2124dc56ab
Opcode Fuzzy Hash: d0e0c71bb8ec77d09a41dda6484906b525f9b841e7ac13005f04df84425ba9b7
Instruction Fuzzy Hash: 801133B1C0061A9FCB50CF9AD844BDEFBB4BF48320F10812AE458B7240D378A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 06CF8A28 Relevance: 1.6, APIs: 1, Instructions: 55
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,06CF9F0A), ref: 06CF9FF7

Memory Dump Source

Source File: 00000001.00000002.433527591.0000000006CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6cf0000_ggh.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: c19da7d240daff8ff327f6f8abe14ee35592650c9cfd49945e4781c1cbd769fb
Instruction ID: e29fe5f02c1a94c9611fb37cc8f1947889ff5579273d5aae81d88965034782e2
Opcode Fuzzy Hash: c19da7d240daff8ff327f6f8abe14ee35592650c9cfd49945e4781c1cbd769fb
Instruction Fuzzy Hash: 441122B1C006599FCB50CF9AD8447DEFBB4AB48320F14816AE518B7200D378A940CFE5

Uniqueness

Uniqueness Score: -1.00%

Function 06CC953D Relevance: 1.4, Strings: 1, Instructions: 131
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

P@Gp, xrefs: 06CC95E7

Memory Dump Source

Source File: 00000001.00000002.433423619.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6cc0000_ggh.jbxd

Similarity

API ID:
String ID: P@Gp
API String ID: 0-1978594688
Opcode ID: ec5177e04abc4cde1d945ecc2f3b6a51ddb59c917cf47c57a380a984ef240dad
Instruction ID: fc8b2afae526a048e2b27c2deee44ace7c159a88b24af63afd8d6eced30a9da9
Opcode Fuzzy Hash: ec5177e04abc4cde1d945ecc2f3b6a51ddb59c917cf47c57a380a984ef240dad
Instruction Fuzzy Hash: 6D411270B042019FDB94AB38842426E7BE3AF99610F15487DE006DB391DF34DD06CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 06CC9550 Relevance: 1.4, Strings: 1, Instructions: 112
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

P@Gp, xrefs: 06CC95E7

Memory Dump Source

Source File: 00000001.00000002.433423619.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6cc0000_ggh.jbxd

Similarity

API ID:
String ID: P@Gp
API String ID: 0-1978594688
Opcode ID: f0e0cf8fff5beb805301785bb14e54a3d97c13affaa778ccf685c54f59fd7902
Instruction ID: 67972f56e95046ec2d1489dbee01f1981a4d3ab75297f51f7d1f26d5ca8ce650
Opcode Fuzzy Hash: f0e0cf8fff5beb805301785bb14e54a3d97c13affaa778ccf685c54f59fd7902
Instruction Fuzzy Hash: C231BC70B042019FEB94AB75842466F76E3AF88610F25882DE006DB394EF35DD02CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 06CC09F3 Relevance: .6, Instructions: 650COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.433423619.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6cc0000_ggh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f85b566fb80789e63259483811ec9b0b1383382e7954b825c78443969343d2a
Instruction ID: 093569ea51c282f247d90f9d9af4c32152116a2fe774ebfd191e0cdbcecc26f8
Opcode Fuzzy Hash: 3f85b566fb80789e63259483811ec9b0b1383382e7954b825c78443969343d2a
Instruction Fuzzy Hash: 8B327BB4B11111DBDB98AB78C05426E72B7EBD9390F64082DE106CB394DF35CE429BE6

Uniqueness

Uniqueness Score: -1.00%

Function 06CCD878 Relevance: .6, Instructions: 595COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.433423619.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6cc0000_ggh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7226735ddf0b6834538ab2367484a320e970c80128f95beb8710cc7b92465fe3
Instruction ID: 817e7615e5c32ddf7a0490f1827702a9e8f61ae4cb0aa026c225558e6d4c2ea0
Opcode Fuzzy Hash: 7226735ddf0b6834538ab2367484a320e970c80128f95beb8710cc7b92465fe3
Instruction Fuzzy Hash: A9228E30F102159FDBA4EB68C5947AEB7F2AF89260F14846DE406DB390DB35EE41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 06CCE3B8 Relevance: .4, Instructions: 437COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.433423619.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6cc0000_ggh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa88b6413221153eff45833564a4bea0bd0f0019e2ed82dedacbb3c9a11ffe07
Instruction ID: b8e325eba0735d7b3f2f88a044b30ed3ab1a34b7783ccb20e85a9bbd23273d87
Opcode Fuzzy Hash: aa88b6413221153eff45833564a4bea0bd0f0019e2ed82dedacbb3c9a11ffe07
Instruction Fuzzy Hash: 0DF13C30B042198FDB94EBB9C4547AEB7B2AF89310F20842DD41AAB395DF75ED41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 06CC3030 Relevance: .4, Instructions: 401COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.433423619.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6cc0000_ggh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd683a84931429d0393863219338756f63a14f45ef81bc65dceabb0b6526331b
Instruction ID: 44d7a35fbbf69bfbd87f82543342355331aa7dda4b0dd5a9c2be3cbeaccdde1b
Opcode Fuzzy Hash: cd683a84931429d0393863219338756f63a14f45ef81bc65dceabb0b6526331b
Instruction Fuzzy Hash: 22E18F30F142459FDB54DB68E8946AEBBB2EF89320F14842DE50ADB390DB35DD42CB90

Uniqueness

Uniqueness Score: -1.00%

Function 06CCBFB9 Relevance: .4, Instructions: 356COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.433423619.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6cc0000_ggh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 309af6b216b0a435c020ea8f95386f31d95d880666da57495c6bd16214144070
Instruction ID: 208ff87952a371ff21f2d540b9537dca151356b1aba882b46c71f733550d6a3c
Opcode Fuzzy Hash: 309af6b216b0a435c020ea8f95386f31d95d880666da57495c6bd16214144070
Instruction Fuzzy Hash: E7D16F70B002159FEB54DBA9C854B6EB7B2BF99710F20806DE50AEB3A4DF759C41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 06CCC7C0 Relevance: .3, Instructions: 277COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.433423619.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6cc0000_ggh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd4c6cd82b26f6da00455044d6d4e158252dc1830da353a5f6150770294a83b4
Instruction ID: f3a2e09a11fb78fd1ed215e3687eb58d786b177cb81bd2bdefc6d8d559041a50
Opcode Fuzzy Hash: cd4c6cd82b26f6da00455044d6d4e158252dc1830da353a5f6150770294a83b4
Instruction Fuzzy Hash: E291DF32E041158FDF70CB68C484BAEFBA1EB86320F15896ED4AEDB281D635DA41C791

Uniqueness

Uniqueness Score: -1.00%

Function 06CC301D Relevance: .3, Instructions: 260COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.433423619.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6cc0000_ggh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8059fe90c5e9e3d36f967519b6f495dab9a787fee7026cb20cdbfa8a74e2245
Instruction ID: e8e4a5a136221a9aa99a3fd20d556fede763fbab6ff592d0cd5fe8829626797c
Opcode Fuzzy Hash: a8059fe90c5e9e3d36f967519b6f495dab9a787fee7026cb20cdbfa8a74e2245
Instruction Fuzzy Hash: 6C918F35B102549FDB54DB68E898AADB7F2EF88320F14842DE40AE7350DB31DD42CB90

Uniqueness

Uniqueness Score: -1.00%

Function 06CCB469 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.433423619.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6cc0000_ggh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0794d9fe24832378e7474f15bc6742bcf4883d5983a59791e4069c0d16390849
Instruction ID: 5e84d94f9f14735ba4becc765202401b08ee65d75854587b9f8774dd35d2e03b
Opcode Fuzzy Hash: 0794d9fe24832378e7474f15bc6742bcf4883d5983a59791e4069c0d16390849
Instruction Fuzzy Hash: BB915D70F006059FDB54DBA9C4967AEB7F2AF98310F10852DE50AEB344EE34ED428B91

Uniqueness

Uniqueness Score: -1.00%

Function 06CCB476 Relevance: .2, Instructions: 242COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.433423619.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6cc0000_ggh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 555f6014c7f59898c2af3443195aea869717c3f4eaf35ac1563713e5c3f4c866
Instruction ID: 580e79ee2288eb43af04de1c343122ab11b8df83bde2564af8f30879abba221a
Opcode Fuzzy Hash: 555f6014c7f59898c2af3443195aea869717c3f4eaf35ac1563713e5c3f4c866
Instruction Fuzzy Hash: DC812C70F106059FDB54DBA9C4957AEB7E2AF88350F10852DE50AEB384EE34ED428B91

Uniqueness

Uniqueness Score: -1.00%

Function 06CCD448 Relevance: .2, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.433423619.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6cc0000_ggh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9978f7f3ff091fa073032b1c9965a91addb796afb9f664426094c7b76cf3bb8f
Instruction ID: 422f4e63e35a11c2f70a69a6fbfa73c66548876471aa9891af8865396f885714
Opcode Fuzzy Hash: 9978f7f3ff091fa073032b1c9965a91addb796afb9f664426094c7b76cf3bb8f
Instruction Fuzzy Hash: 2F61D371F104214BEB609B6D885066FB2EB9FD4620B25443EE90FDB360EF69ED0287D5

Uniqueness

Uniqueness Score: -1.00%

Function 06CCBFC2 Relevance: .2, Instructions: 225COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.433423619.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6cc0000_ggh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7837447c8b5a32e21ae21f3d90a0ff5fe6cb83e7a26dab7f562244f01697cd73
Instruction ID: 99b0de793e7312660376929a1fa2c6294924e35f5a735b7dff64b5da416bae4a
Opcode Fuzzy Hash: 7837447c8b5a32e21ae21f3d90a0ff5fe6cb83e7a26dab7f562244f01697cd73
Instruction Fuzzy Hash: D2815E70B002159FDB54DBA9C854BAEBBF6BF98700F20406DE50AEB3A4DF759C418B80

Uniqueness

Uniqueness Score: -1.00%

Function 06CCB7CB Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.433423619.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6cc0000_ggh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af94a6a537604e3588969497fdac7e68031b7dc026aa3ee03526a51f75b5de8d
Instruction ID: ee27ebd1ced7bfce8792ae6d1b1d6af77e645783ad8e48ed52824ee9bceea088
Opcode Fuzzy Hash: af94a6a537604e3588969497fdac7e68031b7dc026aa3ee03526a51f75b5de8d
Instruction Fuzzy Hash: 99914F30E1021A8FDF60DFA8C850B9DB7B1FF95310F20859AD549AB251EB75AE85CF90

Uniqueness

Uniqueness Score: -1.00%

Function 06CCB7E0 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.433423619.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6cc0000_ggh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89710041025ee83f38857879c4a8efbeefaf19cf9018593528a12c0d9550af93
Instruction ID: d5af4ed429e38f2eb0a2cc99ca1d36a0d0ee7c48c342f527ea63bd342fda3ab3
Opcode Fuzzy Hash: 89710041025ee83f38857879c4a8efbeefaf19cf9018593528a12c0d9550af93
Instruction Fuzzy Hash: 0B912E30E1021ACBDF60DFA8C850B9DB7B1FF99310F208599D549AB255DB71AE85CF90

Uniqueness

Uniqueness Score: -1.00%

Function 06CCC5AD Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.433423619.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6cc0000_ggh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9aee88b208af112fef44fb3332193a16d2c8cf1ca4eafbcab07c56d3bd375a4
Instruction ID: d5aa20f69061fe88ae022c892ce2be16435af7c161eadc6df0fb7068e6c7e77a
Opcode Fuzzy Hash: b9aee88b208af112fef44fb3332193a16d2c8cf1ca4eafbcab07c56d3bd375a4
Instruction Fuzzy Hash: AB619F76A007058FDB60CFA9C880AAEBBB1FF49320F10496ED19AD7661D330E945DB91

Uniqueness

Uniqueness Score: -1.00%

Function 06CCE3A8 Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.433423619.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6cc0000_ggh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d5f9362f736e15435fe7739eca8920067af2c063f6a9c7b92ec28a0134b5db6
Instruction ID: a7f8dc9e736848a1e1fb5e229d900f50f19897329ba2e9c182e3adde77862130
Opcode Fuzzy Hash: 0d5f9362f736e15435fe7739eca8920067af2c063f6a9c7b92ec28a0134b5db6
Instruction Fuzzy Hash: 19616D70E102598FDB58EFA8D5547AEBBB2BF89310F60442DE406AB394DB74ED41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 06CCBD78 Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.433423619.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6cc0000_ggh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7728d2cbf425dd13ff6e835ed990525e2abd6e64c02bed016980a0a2de80b4cf
Instruction ID: 71f15623c0419c79cb8244fbc11cb1c87ec7223afbaef04c465888862bb371a6
Opcode Fuzzy Hash: 7728d2cbf425dd13ff6e835ed990525e2abd6e64c02bed016980a0a2de80b4cf
Instruction Fuzzy Hash: 0F518474F002199FEF54ABA9C4157AEB6BAFB98710F10442EE106EB394DE748D01CF91

Uniqueness

Uniqueness Score: -1.00%

Function 06CC33C8 Relevance: .2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.433423619.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6cc0000_ggh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 626c7d25bab59e3e20b12333b698845d71d8fbe4855fb2e42b9b2afca325c128
Instruction ID: 336bae676dd7bb9c917fd92fbb842d20e6627da3cbbe3432dc2cc4c8ac4d9859
Opcode Fuzzy Hash: 626c7d25bab59e3e20b12333b698845d71d8fbe4855fb2e42b9b2afca325c128
Instruction Fuzzy Hash: BD51B970F141868FDFA5DB68E48076EB762EB85224F20882DE50EDB341DB39DE45C791

Uniqueness

Uniqueness Score: -1.00%

Function 06CC35A0 Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.433423619.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6cc0000_ggh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32fc1741b9220ffbc1684b410d95a13d035fda8aa6da1aa9eafafb7d2306403f
Instruction ID: 7a4a71b5ef18ed3fbdf103d5c8aac6a4344b1cb4aef9c01a9d539f3cf0deadd3
Opcode Fuzzy Hash: 32fc1741b9220ffbc1684b410d95a13d035fda8aa6da1aa9eafafb7d2306403f
Instruction Fuzzy Hash: B3515871A00204CFDB44DF69E880699FBB1FF88320F14C1AEE9099B356E7759945CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 06CCBD68 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.433423619.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6cc0000_ggh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cd5fb1e4d4da96e8b8dd8b318316d3dfdee30194d3e9ca378e56785f5373d33
Instruction ID: f1e50d33770898835e51b9f51e615edba8e369716c64abe2084cf4521e104dbd
Opcode Fuzzy Hash: 6cd5fb1e4d4da96e8b8dd8b318316d3dfdee30194d3e9ca378e56785f5373d33
Instruction Fuzzy Hash: 0441C530F002199FEF54ABA984157AEBAE7FB94710F10842DE106EB394DE749D01CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 06CC33B8 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.433423619.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6cc0000_ggh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3a69f84934c660db99749be815bbb407f0632c51a77deeb53016f307ece7e4f
Instruction ID: 9d85ef9f6a4b9f8d72392d8dd179c06f8ae049fd606dfd907848b374846fe89c
Opcode Fuzzy Hash: e3a69f84934c660db99749be815bbb407f0632c51a77deeb53016f307ece7e4f
Instruction Fuzzy Hash: 9C419870F141818FDFA5DB68E49036EBB65EB85220F10882DE50EDB341DA39DE4587D1

Uniqueness

Uniqueness Score: -1.00%

Function 06CC7272 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.433423619.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6cc0000_ggh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da1f60180207ff437acbdc69259077f20491c1094f34729af0d09927ec5de467
Instruction ID: 80a6cf8dbf4434a9a61ddfe17d11acb987947935cbf428c99bbfcdb80ad1b378
Opcode Fuzzy Hash: da1f60180207ff437acbdc69259077f20491c1094f34729af0d09927ec5de467
Instruction Fuzzy Hash: A5317375B00615EFD714DB68C890E3EB7A6BBC8710F54C068E9468B399CB35E842CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 06CC0448 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.433423619.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6cc0000_ggh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5dc94fa5460baab6984976dc1b66d63cf7cd809ef688b2667f2c7b3ecd6192e
Instruction ID: 696c985dcd5dd8daf55d7071a744a23314506b76fecd914c798c1f954d7aa252
Opcode Fuzzy Hash: e5dc94fa5460baab6984976dc1b66d63cf7cd809ef688b2667f2c7b3ecd6192e
Instruction Fuzzy Hash: E4318370F10219DFDB54DFA5D44479EB7B2EF45320F10842EE906E7240EB76A945CB94

Uniqueness

Uniqueness Score: -1.00%

Function 06CC9403 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.433423619.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6cc0000_ggh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc46d8d9464103b67f976c0b7cf4349b98d7dd296041927c03994732b4661803
Instruction ID: c3a285f3fa993105a8a4eafa6b663eca2755f8ac26c1d23121398d074eaa937d
Opcode Fuzzy Hash: fc46d8d9464103b67f976c0b7cf4349b98d7dd296041927c03994732b4661803
Instruction Fuzzy Hash: 90313930E102199BCB54CFA9D89469EB7B6FF88310F10892DE856E7340DB71ED42CB90

Uniqueness

Uniqueness Score: -1.00%

Function 06CC2EFF Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.433423619.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6cc0000_ggh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ee864b487b36ec355f3f2062f001475822be135bfaccc125239e080cf474d74
Instruction ID: 1716f5c8c730c39682510f1fad3372b4d2bfaaf557158952af035aee0473f2ad
Opcode Fuzzy Hash: 9ee864b487b36ec355f3f2062f001475822be135bfaccc125239e080cf474d74
Instruction Fuzzy Hash: 8331A170E102599FDB95CF69D84069EF7B2FF89310F14851EE845EB340DB74AA82CB90

Uniqueness

Uniqueness Score: -1.00%

Function 06CC3B22 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.433423619.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6cc0000_ggh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8129eab81eb69138266eb295b2023d1748352060f301854a8d7faca80450678b
Instruction ID: f04ef3c189b4e805d935c3c5ef18588308f12f6f7dfd35f95601e07f185addf8
Opcode Fuzzy Hash: 8129eab81eb69138266eb295b2023d1748352060f301854a8d7faca80450678b
Instruction Fuzzy Hash: D931F631A042908FEB55DB78D854BAE7FF5AF49720F1481AEE405EB3A1DA74CD04CB91

Uniqueness

Uniqueness Score: -1.00%

Function 06CCB010 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.433423619.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6cc0000_ggh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b7c8902a954bc24eba1409d253543c5e84169f117bbe88534dfa66b26148481
Instruction ID: 8b0b2ae8e6cbc82efff7e5965a5727a9b84a6258f11d0690b8e21a5497e4c939
Opcode Fuzzy Hash: 6b7c8902a954bc24eba1409d253543c5e84169f117bbe88534dfa66b26148481
Instruction Fuzzy Hash: F931D271F402559FDB90EFB985917EEB7F59B48220F14802DE919E7380EA39DE418BE0

Uniqueness

Uniqueness Score: -1.00%

Function 06CC9410 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.433423619.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6cc0000_ggh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2470bb6aaa5c63472e10f3d9fd8cc127e9f4c4d67e1e8006e2858cc744a11672
Instruction ID: 8ec8088686a2002e08dca7769811e460c2392293dcf2c48539eceba2b8726354
Opcode Fuzzy Hash: 2470bb6aaa5c63472e10f3d9fd8cc127e9f4c4d67e1e8006e2858cc744a11672
Instruction Fuzzy Hash: F4313A30E102159FCB54CF69D45469EB7B6BF89310F10852DE856E7350DB70ED42CB90

Uniqueness

Uniqueness Score: -1.00%

Function 06CCB020 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.433423619.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6cc0000_ggh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f2d2170336e107a1a2926814d618c59f6875c4e404c8df79609f8dbe986e626
Instruction ID: f900d6f5befcc907029aedbfd355e1072fd5eacbce249fce0f4e1082198b96ee
Opcode Fuzzy Hash: 7f2d2170336e107a1a2926814d618c59f6875c4e404c8df79609f8dbe986e626
Instruction Fuzzy Hash: DC319171F402159FDB50EBB985517EEB6F1AB48210F54802DE519EB380EB35DE018BE0

Uniqueness

Uniqueness Score: -1.00%

Function 06CC2F10 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.433423619.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6cc0000_ggh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa3ff9df33e88d19d5f8a6d1908086fb9149c58f756ed08b0957fdbfbd16e908
Instruction ID: 7abb2405442cc0f2a43587ba840c50e760ea3e6c3fbd295e96f23408637be2fe
Opcode Fuzzy Hash: fa3ff9df33e88d19d5f8a6d1908086fb9149c58f756ed08b0957fdbfbd16e908
Instruction Fuzzy Hash: 5B316D70E1025A9FDB55CF69D44069EF7B6BF89310F14851DE806EB340EB74AA86CB90

Uniqueness

Uniqueness Score: -1.00%

Function 06CC2DF7 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.433423619.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6cc0000_ggh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cf1846c3c5ec5e77762ec076a7716c2c38017baa690354331e97059aafe3c17
Instruction ID: 9759f55f8d9991573ef3e5d2aabe0148c36dea399731ded53aef8eb85badcd10
Opcode Fuzzy Hash: 7cf1846c3c5ec5e77762ec076a7716c2c38017baa690354331e97059aafe3c17
Instruction Fuzzy Hash: 32216B31E10209DFDB19CFA5C45469EB7B2AF89310F10852EE852FB291DB75AA45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 06CCE008 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.433423619.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6cc0000_ggh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 944ddef7eb5d229f97df8f1acf054f9cc34d55704c30e71785587e32c5dc34ba
Instruction ID: 40d79fcaecd7ea0854b4710740a19ef2e94ffeb2325f338d663156150a5a968d
Opcode Fuzzy Hash: 944ddef7eb5d229f97df8f1acf054f9cc34d55704c30e71785587e32c5dc34ba
Instruction Fuzzy Hash: 5A219F30F001199FDB94AA69E5542AEB7F6AB89220F14442DE409DB344EF35EE0187C4

Uniqueness

Uniqueness Score: -1.00%

Function 06CCE995 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.433423619.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6cc0000_ggh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc0802be05712ebb4075e43a06c9fa785e241fa8fe736e93d8c57055ecca1692
Instruction ID: 6290981d471134d804a1c63da103bf38df2300585b20d3180cf6de8b0df78b50
Opcode Fuzzy Hash: bc0802be05712ebb4075e43a06c9fa785e241fa8fe736e93d8c57055ecca1692
Instruction Fuzzy Hash: BD213B30F10219CFDB94EBA4C5956EEB7B2AF89321F20802DD809EB255DB74EE41CB50

Uniqueness

Uniqueness Score: -1.00%

Function 06CC2E10 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.433423619.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6cc0000_ggh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b97f4e0f76541817842ec23f7d882cbd0814f853b55acafd892fa7cb43ea768
Instruction ID: 0c7b2cb12f9a4d9bedae2dc1306bd95093d7184015fdfbc69f2f8d09512df2a5
Opcode Fuzzy Hash: 1b97f4e0f76541817842ec23f7d882cbd0814f853b55acafd892fa7cb43ea768
Instruction Fuzzy Hash: 23212F31E10219DFDB58CFA5D44569EB7B2BF89310F10852EE812F7390DB75AA45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 06CCB158 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.433423619.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6cc0000_ggh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 214ed59af72e920749229234aa18efb0ebfec99359f24073e293a21fa2449a65
Instruction ID: 4c98371ff07dda4ea8b88b5e12db20d541c01edaa3689aa277b650717298fce1
Opcode Fuzzy Hash: 214ed59af72e920749229234aa18efb0ebfec99359f24073e293a21fa2449a65
Instruction Fuzzy Hash: E611C231F141159FDB54AAB888666AF72EB9BC8360F10407DE50AE7344EE35DE0187D1

Uniqueness

Uniqueness Score: -1.00%

Function 06CCC7AF Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.433423619.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6cc0000_ggh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef3843f50a05ff6f9c9f8e89bf14489e8b8663c91f2dbb72fe8faae0d90cba11
Instruction ID: aeef046fbe639218c425fcdbc2351fc2b1570217412fe3ee380817b7551ebb15
Opcode Fuzzy Hash: ef3843f50a05ff6f9c9f8e89bf14489e8b8663c91f2dbb72fe8faae0d90cba11
Instruction Fuzzy Hash: 29116A31E042058FDB60CEA9C881AAFBBB1EB85220F60496FD55DDB291D235DA42CB91

Uniqueness

Uniqueness Score: -1.00%

Function 06CCB149 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.433423619.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6cc0000_ggh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97d3fdaaed7c2c48da18293a1aed22bceef5feb2d554b287733848864233495e
Instruction ID: 1cfda31fa5e28a463c42df158a60ea81d1fa6ea7e854681da6676f1caa315e2e
Opcode Fuzzy Hash: 97d3fdaaed7c2c48da18293a1aed22bceef5feb2d554b287733848864233495e
Instruction Fuzzy Hash: ED11A132B101115BDB95A9FD8C667AF72DB8BC8270F10053DE91AD3380EE25DE0047D1

Uniqueness

Uniqueness Score: -1.00%

Function 06CCF4C8 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.433423619.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6cc0000_ggh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb2eba7430bd3afb705679226458e49cae72c82770e4676759b2ecbed3c8d63b
Instruction ID: 4a8c2071647b9b24182604da146329b33eee39388fedd9a829b7062ff857ce7e
Opcode Fuzzy Hash: bb2eba7430bd3afb705679226458e49cae72c82770e4676759b2ecbed3c8d63b
Instruction Fuzzy Hash: 53016632E182214BDF696FB544583AF77A79F801B0F21402EDA16E7540DA24DA05C3A2

Uniqueness

Uniqueness Score: -1.00%

Function 06CCA4C5 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.433423619.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6cc0000_ggh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4c3dbd5898b89d7edb20067364400f73f20043a391111abffe30ad352ed5467
Instruction ID: 2c0db0ab1ce294d8904a869e85e3823f24a6754aff3035d39d53d265994d81e0
Opcode Fuzzy Hash: a4c3dbd5898b89d7edb20067364400f73f20043a391111abffe30ad352ed5467
Instruction Fuzzy Hash: 29116D31E0061C9FCBA8DFA9C9899DEB7F5EB48310F1044AED506E7310DA329A40DF90

Uniqueness

Uniqueness Score: -1.00%

Function 06CCADE8 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.433423619.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6cc0000_ggh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f5fa1146d5076edce32daacc2f99bd220dcc7b7410f0c2f5de7d8d047bff197
Instruction ID: e41f1af0dbf3f24d86d9a26c4a251fae7828607ba707d0d4d39dda12b8e9d1ff
Opcode Fuzzy Hash: 4f5fa1146d5076edce32daacc2f99bd220dcc7b7410f0c2f5de7d8d047bff197
Instruction Fuzzy Hash: 6E21A2B5D01219AFCB10CF9AD985ADEFBB8FB48724F10852AE518B7200C375A954CFE5

Uniqueness

Uniqueness Score: -1.00%

Function 06CC09E4 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.433423619.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6cc0000_ggh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 657177669a0e1e7ec1136b56d5a0fb661380ea4dca47a9a36f3a1a2500f96cd7
Instruction ID: 581480717d882b1b99ae1100365292a21c3b461d55812435319f4509acb962e9
Opcode Fuzzy Hash: 657177669a0e1e7ec1136b56d5a0fb661380ea4dca47a9a36f3a1a2500f96cd7
Instruction Fuzzy Hash: 8721C4B1D002199FCB10CF9AD988ADEFBB4FB48720F10856AE518B7200D374A954CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 06CCB3D3 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.433423619.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6cc0000_ggh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75202f466565faa5f6d07756eb1b070a9804aa0c81674f639cd44790ed9d7dfb
Instruction ID: e446106d0b46c7427585fc1477e0b8143c0168410b640e75ea1fc8da6f80992e
Opcode Fuzzy Hash: 75202f466565faa5f6d07756eb1b070a9804aa0c81674f639cd44790ed9d7dfb
Instruction Fuzzy Hash: A301A231B144214BDBA4D5AEA45272FB2DADBC9620F14843EF20EC7344ED69ED0243D5

Uniqueness

Uniqueness Score: -1.00%

Function 06CCB3D8 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.433423619.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6cc0000_ggh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31909fc74686f5544648b025e9bcf7668c95713665e5e963a9a0636165a3ceb3
Instruction ID: 6750e3647c1549aeea4bf41b7571c5a1e4423f01711cc1cc0f25c6d3ac88081c
Opcode Fuzzy Hash: 31909fc74686f5544648b025e9bcf7668c95713665e5e963a9a0636165a3ceb3
Instruction Fuzzy Hash: A401D630B140214BDB64D5AE945272FB2DADBC9620F10843EE20EC7344ED69EC0243D5

Uniqueness

Uniqueness Score: -1.00%

Function 06CC1310 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.433423619.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6cc0000_ggh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa47fdebf34e21ed27f4b0be09e115394c234b029e414d721b8920a822b0263c
Instruction ID: 4ae159c4c89a29e011487d36c2dca9e4390f57ae18d12f8337e06b1bedbc82cd
Opcode Fuzzy Hash: aa47fdebf34e21ed27f4b0be09e115394c234b029e414d721b8920a822b0263c
Instruction Fuzzy Hash: 3B01B530A19249EFC741EFB8D49069DBBB1EF84700F5048AED5869B255EB346E04ABD0

Uniqueness

Uniqueness Score: -1.00%

Function 06CC0560 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.433423619.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6cc0000_ggh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea0c034e3aa8ade168fad2bf27f235db3f72541d4cc13809c8e1f18e6b218cb1
Instruction ID: 28442ffa4622e08779c7baca701affdcfa78ee62c7b5ece904815fa317561280
Opcode Fuzzy Hash: ea0c034e3aa8ade168fad2bf27f235db3f72541d4cc13809c8e1f18e6b218cb1
Instruction Fuzzy Hash: BC014B35B00208CFDB14EB74D599B6D77B2EF88725F1040A8E5069B3A0DF35AD42CB41

Uniqueness

Uniqueness Score: -1.00%

Function 06CC1320 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.433423619.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6cc0000_ggh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6992226a504005bce3f577238151389f7cddc908d2fe15245e04e632bcea29be
Instruction ID: 13b5d9ffc62d412c478f8f4f7f07500077bbfa36a64eea1fad26c1a1a20c7cda
Opcode Fuzzy Hash: 6992226a504005bce3f577238151389f7cddc908d2fe15245e04e632bcea29be
Instruction Fuzzy Hash: 8CF08130A15209EFCB80EFB8E49469DBBB1EF84700F6049AD95869B254EF345F04ABD0

Uniqueness

Uniqueness Score: -1.00%

Function 06CCD6E1 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.433423619.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6cc0000_ggh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8bd0873b70239a30ddb041d7d04abe74efd2c7b6de77ae9aadd5bde6c362baa
Instruction ID: df61d0a60450b01f283fbc93c5776b51d309ad6be302400d2ad002fe1b9b540c
Opcode Fuzzy Hash: a8bd0873b70239a30ddb041d7d04abe74efd2c7b6de77ae9aadd5bde6c362baa
Instruction Fuzzy Hash: 69E09231E15285AFCF51CAB489187AA7B69DF42228F2185EEE44ACB142E136DB02E351

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: ggh.exePID: 760, Parent PID: 3324COMMON

Execution Graph

Execution Coverage:	17.8%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	237
Total number of Limit Nodes:	12

Executed Functions

Function 064A7062 Relevance: 2.3, Instructions: 2279COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.660226182.00000000064A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_64a0000_ggh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 056cd98038314b726086a68dc9d23af761494c5eb287c5a23595aede274cd347
Instruction ID: 5d14ccf6c41dfd484ccd04693e84400536ccd141e2419f487df0633f431f4a95
Opcode Fuzzy Hash: 056cd98038314b726086a68dc9d23af761494c5eb287c5a23595aede274cd347
Instruction Fuzzy Hash: 0C334C31D10B199ECB11EF68C8946AEF7B1FF99300F14C79AE459A7211EB70AAC5CB41

Uniqueness

Uniqueness Score: -1.00%

Function 064AC7C0 Relevance: 1.9, Strings: 1, Instructions: 611
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$, xrefs: 064ACB52

Memory Dump Source

Source File: 00000004.00000002.660226182.00000000064A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_64a0000_ggh.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-3993045852
Opcode ID: fc45ae3dc3c7d708a32aab2b4b9d02ba44ad191aa1169a9f8837a107a7e5f5e3
Instruction ID: 442836f6d738c77716e91099ab60cf190444e33f570a15fd1878e2d02dde7cb1
Opcode Fuzzy Hash: fc45ae3dc3c7d708a32aab2b4b9d02ba44ad191aa1169a9f8837a107a7e5f5e3
Instruction Fuzzy Hash: D5229F31F002089FDFA1DBA4C8806AFB7B2EF94310F14856AE41AEB351DA35DD45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 064A6C7F Relevance: 1.8, Instructions: 1816COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.660226182.00000000064A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_64a0000_ggh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 029695a50f7bda5af4d752897bc702f0654065bdf1d111461394e662f67ce0af
Instruction ID: 40d9622f0faf7f0c7e25ea8903bc762707466a76f8178132d8b79ce229c00bdd
Opcode Fuzzy Hash: 029695a50f7bda5af4d752897bc702f0654065bdf1d111461394e662f67ce0af
Instruction Fuzzy Hash: 10131731D10B1A8ACB51EF68C894599F7B1FF99300F15D79AE458B7221EB70AAC4CF81

Uniqueness

Uniqueness Score: -1.00%

Function 064A4570 Relevance: 1.4, Instructions: 1354COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.660226182.00000000064A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_64a0000_ggh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31a66e223d459fc13619570f87cb3abed11b5549f6d05bbd6829ff253df7ed21
Instruction ID: 3c79b117721d756bbb2752f3acc0b554e86531b9bc2fa2d202719c7b763a3fac
Opcode Fuzzy Hash: 31a66e223d459fc13619570f87cb3abed11b5549f6d05bbd6829ff253df7ed21
Instruction Fuzzy Hash: C1E20671D10B1A8ECB51EF68C894699F7B1FF99300F15D69AE058B7221EB70AAC4CF41

Uniqueness

Uniqueness Score: -1.00%

Function 064AA4D8 Relevance: .6, Instructions: 605COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.660226182.00000000064A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_64a0000_ggh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0f55f1d8ee0974484d57c9ab74f6da3579ff8eea27bd0f49de482bc851c9e50
Instruction ID: 74d903a50789405c45803a4ed0aceba474276969cc898b40e003854b3a18a1d6
Opcode Fuzzy Hash: d0f55f1d8ee0974484d57c9ab74f6da3579ff8eea27bd0f49de482bc851c9e50
Instruction Fuzzy Hash: 83423031E10719DFCB54EB75C8516DEB7B2AFD9300F5086AAE409AB250EF74A9C5CB80

Uniqueness

Uniqueness Score: -1.00%

Function 064AF1B0 Relevance: .5, Instructions: 519COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.660226182.00000000064A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_64a0000_ggh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 778216380cf320676388b868a2cb48c5fccc740ed33d91426e81075b1d6451b5
Instruction ID: e51ab2cb6730aab68c3a38aba0df2ff6a36abb0a91c4a45c48ae5a161fc844d2
Opcode Fuzzy Hash: 778216380cf320676388b868a2cb48c5fccc740ed33d91426e81075b1d6451b5
Instruction Fuzzy Hash: BE02B030F04215AFDB94EB74C8516AEB7E2AF84700F64846AE416DB395DF38ED46CB90

Uniqueness

Uniqueness Score: -1.00%

Function 064D9EB8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 137
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

1, xrefs: 064D9FAF

Memory Dump Source

Source File: 00000004.00000002.660362184.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_64d0000_ggh.jbxd

Similarity

API ID:
String ID: 1
API String ID: 0-2212294583
Opcode ID: b2a32b870f2ef613efb04384034c2d86fd7a783a483db27c6897ca2c02cff8b2
Instruction ID: 17c5160e9968a47f14551b17d740018fa93ba9db88dea7578976df4bad0af8ce
Opcode Fuzzy Hash: b2a32b870f2ef613efb04384034c2d86fd7a783a483db27c6897ca2c02cff8b2
Instruction Fuzzy Hash: 5B410172E103559FCB11CFAAD8146EEBBF5EF89210F04856BE405A7240DB749885CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 00F8F764 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 136
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetUserNameW.ADVAPI32(00000000,00000000), ref: 00F8F8AB

Strings

1, xrefs: 00F8F795

Memory Dump Source

Source File: 00000004.00000002.648991316.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f80000_ggh.jbxd

Similarity

API ID: NameUser
String ID: 1
API String ID: 2645101109-2212294583
Opcode ID: 0df17d907cf62563d874c895d77acff3138d0aa80c6216b4491ad269b5bc5f10
Instruction ID: 4c0318e2db165a980522f2ccc66f419b0e4d619d0a5e1bfbfe61c63a51fc8b3f
Opcode Fuzzy Hash: 0df17d907cf62563d874c895d77acff3138d0aa80c6216b4491ad269b5bc5f10
Instruction Fuzzy Hash: 05513370E002189FDB14DFA9D895BDDBBF1BF48310F15812AE815BB391D7B8A849CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00F8F1DC Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 135
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetUserNameW.ADVAPI32(00000000,00000000), ref: 00F8F8AB

Strings

1, xrefs: 00F8F795

Memory Dump Source

Source File: 00000004.00000002.648991316.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f80000_ggh.jbxd

Similarity

API ID: NameUser
String ID: 1
API String ID: 2645101109-2212294583
Opcode ID: d7f5d6afea6b2f27e3baca3bed41972b81773bb1a5527627dc4b3cb1f7e6b212
Instruction ID: 51578787820253d679c6cbda75502b6c175b5b66983e768596c690406bf8fdd4
Opcode Fuzzy Hash: d7f5d6afea6b2f27e3baca3bed41972b81773bb1a5527627dc4b3cb1f7e6b212
Instruction Fuzzy Hash: 42512370E002188FDB14DFA9C895BDDBBB1BF48310F148129E815AB391D778A844CF95

Uniqueness

Uniqueness Score: -1.00%

Function 00F8F1F4 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 134
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetUserNameW.ADVAPI32(00000000,00000000), ref: 00F8F8AB

Strings

1, xrefs: 00F8F795

Memory Dump Source

Source File: 00000004.00000002.648991316.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f80000_ggh.jbxd

Similarity

API ID: NameUser
String ID: 1
API String ID: 2645101109-2212294583
Opcode ID: a1ceb2b68f8f60d80942859faa531538233f668394f624eee485475bfeb39acd
Instruction ID: 81968dce1909aecad71a62dff94eae7ea047af7a38e4b31ccfd6a2d6904cc427
Opcode Fuzzy Hash: a1ceb2b68f8f60d80942859faa531538233f668394f624eee485475bfeb39acd
Instruction Fuzzy Hash: 6C511271E002188FDB14DFA9C895BDDBBB1BF48310F14812AE815AB391D7B8A849CF95

Uniqueness

Uniqueness Score: -1.00%

Function 064DE0C4 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 119
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 064DE1E2

Strings

1, xrefs: 064DE0FE

Memory Dump Source

Source File: 00000004.00000002.660362184.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_64d0000_ggh.jbxd

Similarity

API ID: CreateWindow
String ID: 1
API String ID: 716092398-2212294583
Opcode ID: 79ed18031e20870a2c04c740e6fd6df156ce40e14cefd2504f2af675532eb7e8
Instruction ID: 826d5cc0ce1c3932eb193307ac08589d173b333c5ca5fb373fbacdc21654986c
Opcode Fuzzy Hash: 79ed18031e20870a2c04c740e6fd6df156ce40e14cefd2504f2af675532eb7e8
Instruction Fuzzy Hash: F751C0B1D10309DFDB15CFA9D894ADEBFB5BF48350F24852AE819AB210D774A885CF90

Uniqueness

Uniqueness Score: -1.00%

Function 064DE0D0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 064DE1E2

Strings

1, xrefs: 064DE0FE

Memory Dump Source

Source File: 00000004.00000002.660362184.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_64d0000_ggh.jbxd

Similarity

API ID: CreateWindow
String ID: 1
API String ID: 716092398-2212294583
Opcode ID: 15d012f607b9fb111a4ba0e0a80b4c84a5edd0cc1fc71fa93005decdda9c343e
Instruction ID: 315ebe85ca81e2f30a1aca05cc70d38cdb8c5abf9c9dd932bcaf5cf99c5df742
Opcode Fuzzy Hash: 15d012f607b9fb111a4ba0e0a80b4c84a5edd0cc1fc71fa93005decdda9c343e
Instruction Fuzzy Hash: 9241B1B1D00309DFDB15CF9AD894ADEBFB5BF48314F24852AE819AB210D774A985CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00F876A4 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 98
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(?), ref: 00F87797

Strings

1, xrefs: 00F876D2

Memory Dump Source

Source File: 00000004.00000002.648991316.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f80000_ggh.jbxd

Similarity

API ID: LibraryLoad
String ID: 1
API String ID: 1029625771-2212294583
Opcode ID: 4a03222fba73d864cdd69b6679f0c8836460934810db86c55b7e3517ec2a8907
Instruction ID: aa0a8fbb0c92059297ad22d547de61a942d83841800814d2ce7c40326e8acc79
Opcode Fuzzy Hash: 4a03222fba73d864cdd69b6679f0c8836460934810db86c55b7e3517ec2a8907
Instruction Fuzzy Hash: 584157B1D043088FDB10EFA9C9857DEBBF1AB48714F20852AE815E7254D7789882CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00F85ADC Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 97
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(?), ref: 00F87797

Strings

1, xrefs: 00F876D2

Memory Dump Source

Source File: 00000004.00000002.648991316.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f80000_ggh.jbxd

Similarity

API ID: LibraryLoad
String ID: 1
API String ID: 1029625771-2212294583
Opcode ID: f938156545e7c1538ed35664373d665c75c409674bdee0cd49ea27fca4844501
Instruction ID: 4a59489fd0c94c9705e546d63c5d2ac6554fa5f1d75df31da38ba946828cd8d6
Opcode Fuzzy Hash: f938156545e7c1538ed35664373d665c75c409674bdee0cd49ea27fca4844501
Instruction Fuzzy Hash: 2B4168B0D043489FDB10EFA9C8847DEBBF1EB48714F20812AE815AB351D7B49881DF91

Uniqueness

Uniqueness Score: -1.00%

Function 064DFBB0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 70
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 064DFC3F

Strings

1, xrefs: 064DFBD7

Memory Dump Source

Source File: 00000004.00000002.660362184.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_64d0000_ggh.jbxd

Similarity

API ID: DuplicateHandle
String ID: 1
API String ID: 3793708945-2212294583
Opcode ID: 125a75b6cf8e28e95fce74f7978640a1caa4b669bb551e206baa494501cb0a34
Instruction ID: f107b74c8a21ca1a3c0d52fe821d6140de623d3179891a33c4086524389cc1a2
Opcode Fuzzy Hash: 125a75b6cf8e28e95fce74f7978640a1caa4b669bb551e206baa494501cb0a34
Instruction Fuzzy Hash: FC21F4B5D00208AFCB10CFAAD984ADEBFF8EB48720F14841AE855A7310C374A944DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 064DFBB8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 064DFC3F

Strings

1, xrefs: 064DFBD7

Memory Dump Source

Source File: 00000004.00000002.660362184.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_64d0000_ggh.jbxd

Similarity

API ID: DuplicateHandle
String ID: 1
API String ID: 3793708945-2212294583
Opcode ID: b88305531fdf5cf401542f3ab729cea44c1073c9285a9cb1858085abfae98d1f
Instruction ID: 04ac4374f0db168041e4d03d7ffafd9f5f392a33c3083fdddf12cad48a14d290
Opcode Fuzzy Hash: b88305531fdf5cf401542f3ab729cea44c1073c9285a9cb1858085abfae98d1f
Instruction Fuzzy Hash: F221F3B5D00209AFDB10CFAAD984ADEBFF8FB48720F14841AE955A7310D374A954DFA4

Uniqueness

Uniqueness Score: -1.00%

Function 064D9F88 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 57
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,064D9F0A), ref: 064D9FF7

Strings

1, xrefs: 064D9FAF

Memory Dump Source

Source File: 00000004.00000002.660362184.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_64d0000_ggh.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID: 1
API String ID: 1890195054-2212294583
Opcode ID: 3c1a1afef0159b38818d32408c197b709e86472234ff768004c989983509fe90
Instruction ID: fc8436ef850cc7781c37e98a4cda1834d0fa49f1d15e1cd3f2b24a22f80b9c94
Opcode Fuzzy Hash: 3c1a1afef0159b38818d32408c197b709e86472234ff768004c989983509fe90
Instruction Fuzzy Hash: 9D1103B1C006599FCB10CF9AD844BDEFBB8EB48720F15856AE414B7240D378A985CFE5

Uniqueness

Uniqueness Score: -1.00%

Function 064D8A28 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 55
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,064D9F0A), ref: 064D9FF7

Strings

1, xrefs: 064D9FAF

Memory Dump Source

Source File: 00000004.00000002.660362184.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_64d0000_ggh.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID: 1
API String ID: 1890195054-2212294583
Opcode ID: 57c227cc2f6a2b6c95da6c3753b1b4c2fcb37bb1efcc20556eb82a5cb740e3bc
Instruction ID: 7b017b52c04d92593b95df1cc66502958656755d94d9065a973ee8b0f56528f6
Opcode Fuzzy Hash: 57c227cc2f6a2b6c95da6c3753b1b4c2fcb37bb1efcc20556eb82a5cb740e3bc
Instruction Fuzzy Hash: 9F11F2B1D006599FCB10CF9AD9447DEBBF4EB48320F14816AE818B7240D378A945CFE5

Uniqueness

Uniqueness Score: -1.00%

Function 064DC144 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 50
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 064DD156

Strings

1, xrefs: 064DD10F

Memory Dump Source

Source File: 00000004.00000002.660362184.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_64d0000_ggh.jbxd

Similarity

API ID: HandleModule
String ID: 1
API String ID: 4139908857-2212294583
Opcode ID: 1e3e8e44472e38e66af6c1d4b4772fe812b0711bdc0c28570c93cb058b079e94
Instruction ID: b9b196aa738063f9eb5794ea03722cde5edb0220264345868b7c0253d627d215
Opcode Fuzzy Hash: 1e3e8e44472e38e66af6c1d4b4772fe812b0711bdc0c28570c93cb058b079e94
Instruction Fuzzy Hash: 9611E2B1C002498FCB10CF9AD844BDEBBF4EF89214F10846AD859A7600C374A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 064A9550 Relevance: 1.4, Strings: 1, Instructions: 112COMMON

Download Yara Rule

Strings

P@Gp, xrefs: 064A95E7

Memory Dump Source

Source File: 00000004.00000002.660226182.00000000064A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_64a0000_ggh.jbxd

Similarity

API ID:
String ID: P@Gp
API String ID: 0-1978594688
Opcode ID: bfa92fb2442b41f65d2c3475f701cfc01ca7d639c78b66f427563e14863950ab
Instruction ID: a99c4f01787dbce134c66c73aa38be7b3bc838546345e3a3cbdb7854dd4d60ab
Opcode Fuzzy Hash: bfa92fb2442b41f65d2c3475f701cfc01ca7d639c78b66f427563e14863950ab
Instruction Fuzzy Hash: D1319F31B20200AFDB95AB74C82526F76E3AF99600F14846DE006DB391DF39DC46CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 064A09E4 Relevance: 1.3, Strings: 1, Instructions: 55COMMON

Download Yara Rule

Strings

1, xrefs: 064AAE12

Memory Dump Source

Source File: 00000004.00000002.660226182.00000000064A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_64a0000_ggh.jbxd

Similarity

API ID:
String ID: 1
API String ID: 0-2212294583
Opcode ID: b66dddbb7b55625d99cb00570008b398e092ff7c1618040d9ba5285f64140ec0
Instruction ID: 2a771ddfa1859d9a8bde903c7c44e0a4fcfd5d171772ff40f77b47b157bf0f9f
Opcode Fuzzy Hash: b66dddbb7b55625d99cb00570008b398e092ff7c1618040d9ba5285f64140ec0
Instruction Fuzzy Hash: 2121C4B1D00219AFCB40DF9AD884ADEFBB4FB49310F50852AE918B7240D374A994CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 064AADE8 Relevance: 1.3, Strings: 1, Instructions: 54COMMON

Download Yara Rule

Strings

1, xrefs: 064AAE12

Memory Dump Source

Source File: 00000004.00000002.660226182.00000000064A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_64a0000_ggh.jbxd

Similarity

API ID:
String ID: 1
API String ID: 0-2212294583
Opcode ID: 80d87816c11b4c27ac6b17a1022024ed37acc1fee6dd3f101a75e19bc3128ef2
Instruction ID: 213b1267d99d878c8af7af9361149b2eaec671673a443b651b2b43b02504ed06
Opcode Fuzzy Hash: 80d87816c11b4c27ac6b17a1022024ed37acc1fee6dd3f101a75e19bc3128ef2
Instruction Fuzzy Hash: 7D21CFB5D01219AFCB00CF9AD984ADEFBB8FB4C310F10852AE518B7200D374A694CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 064A96E0 Relevance: 1.1, Instructions: 1064COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.660226182.00000000064A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_64a0000_ggh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69cbce13d15213f361ed84d9dfda5f48670a3a7b32e43f89d3f8328d05609371
Instruction ID: 655ffbfc34df658ae98f25f6405047a6bd9151a82e3308ff9a21090854f642b5
Opcode Fuzzy Hash: 69cbce13d15213f361ed84d9dfda5f48670a3a7b32e43f89d3f8328d05609371
Instruction Fuzzy Hash: 02922830E10304DFDBA4DF68C584A9EB7F2EB49314F5484AAE4099B396DB35EC85CB90

Uniqueness

Uniqueness Score: -1.00%

Function 064A09F0 Relevance: .7, Instructions: 658COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.660226182.00000000064A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_64a0000_ggh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eccb90df58baab97343062d5b96fe559dfaaa1064f6dd5a7b568d570eb90d88f
Instruction ID: b9bef12d5a6bf993885b73507ac496a2f1c30b4693e54f579413b6baa8fccc2d
Opcode Fuzzy Hash: eccb90df58baab97343062d5b96fe559dfaaa1064f6dd5a7b568d570eb90d88f
Instruction Fuzzy Hash: 67328D70B10200EBCB957B78C45526E36E3EBC9750BA4086EE406CB351DF39ED46EBA5

Uniqueness

Uniqueness Score: -1.00%

Function 064AD878 Relevance: .6, Instructions: 596COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.660226182.00000000064A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_64a0000_ggh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81f0429e1beb917349206a64e824b7b81f7f664e91c02da1a4acca03be7c74af
Instruction ID: 15eaeb11f069ea99fda7d345fe629a4b6fd57c8069abc699ef26f24d340e56d6
Opcode Fuzzy Hash: 81f0429e1beb917349206a64e824b7b81f7f664e91c02da1a4acca03be7c74af
Instruction Fuzzy Hash: 6322BF30F00204AFDBA4EB68C4546AEB7F2AF94310F54846AE416DBB51DF35ED46DB90

Uniqueness

Uniqueness Score: -1.00%

Function 064AE3B8 Relevance: .4, Instructions: 437COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.660226182.00000000064A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_64a0000_ggh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84c95d32a91fb719c48d3be35b18f498a031ce1aade67cea08d0d78c46fdea78
Instruction ID: 8dfb7692b2a0e97b422a4951cd73b2a7813755bc8b74dc04f8c3c9e70a4b6a5d
Opcode Fuzzy Hash: 84c95d32a91fb719c48d3be35b18f498a031ce1aade67cea08d0d78c46fdea78
Instruction Fuzzy Hash: 5BF14D30F04308DFDB94EBB4C5516AEB7E2AF84700F60842AD41AAB395DF75AC46DB91

Uniqueness

Uniqueness Score: -1.00%

Function 064A3030 Relevance: .4, Instructions: 395COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.660226182.00000000064A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_64a0000_ggh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89c1dd888dde871d8283e86edbc17c3888811cf04dc1c1efa1545a4aafa2be2d
Instruction ID: 97286c28db4412f3f76f437390fc02687881d9f10098de7066de9c2b879f92d2
Opcode Fuzzy Hash: 89c1dd888dde871d8283e86edbc17c3888811cf04dc1c1efa1545a4aafa2be2d
Instruction Fuzzy Hash: 5DE18130B142049FDB96EF68D85566EBBF2AF89310F54446AE406DB351EF35EC41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 064ABFB9 Relevance: .4, Instructions: 356COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.660226182.00000000064A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_64a0000_ggh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be2d9ed3b738c6c547246d4c3ebaa897afcb481e7008a41d85868a046df1ac9c
Instruction ID: cdd60fe3658fbb77ea427a734f0a458f9f8f313ee79c95ad6137922c3c5c12ab
Opcode Fuzzy Hash: be2d9ed3b738c6c547246d4c3ebaa897afcb481e7008a41d85868a046df1ac9c
Instruction Fuzzy Hash: 43D13F30B002149FDB94EBA8C855B6EB7F6BF89B00F208069E505EB3A1DF759D45DB90

Uniqueness

Uniqueness Score: -1.00%

Function 064AB469 Relevance: .2, Instructions: 247COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.660226182.00000000064A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_64a0000_ggh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5588858be12d7f4ba6d89833f5b458bf38d3cde5cf8b7a54bce599cbbafa859a
Instruction ID: 2a0492559356500953a7501eb55eb18ecea0f2778840e96d294fcfd1527b9ccc
Opcode Fuzzy Hash: 5588858be12d7f4ba6d89833f5b458bf38d3cde5cf8b7a54bce599cbbafa859a
Instruction Fuzzy Hash: 4A914E70F102099FDB54EBA8C45176EB7E2AF99300F148529E40ADB385EF38EC428B91

Uniqueness

Uniqueness Score: -1.00%

Function 064AD448 Relevance: .2, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.660226182.00000000064A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_64a0000_ggh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8308ac169a2311c5d899a99389cb88a1c68b2625c3df2cc9d87298205c6a895e
Instruction ID: 0309b313b3f7ee34aae79c8ead2ca0c3eb298b3673664b2c61aef590c5c59a80
Opcode Fuzzy Hash: 8308ac169a2311c5d899a99389cb88a1c68b2625c3df2cc9d87298205c6a895e
Instruction Fuzzy Hash: 51610671F101114BEB60AB7DC85066FB6EB9FD4620B25443AE80EDB361EF69EC0283D5

Uniqueness

Uniqueness Score: -1.00%

Function 064ABFC2 Relevance: .2, Instructions: 225COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.660226182.00000000064A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_64a0000_ggh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cef99f73618eddbcd74b44edf943cebcf3312cc27efe19ab266fa6356e88274a
Instruction ID: 40e77996d20dbab11fba3667813f8dcf68325dd32928276acdb73ad8a351a453
Opcode Fuzzy Hash: cef99f73618eddbcd74b44edf943cebcf3312cc27efe19ab266fa6356e88274a
Instruction Fuzzy Hash: EF813F30B102189FDB54EFA8C855B6EBAF6BF89B00F244169E505EB3A5DF759C41CB80

Uniqueness

Uniqueness Score: -1.00%

Function 064AB7CB Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.660226182.00000000064A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_64a0000_ggh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d854018c609259bf1824f0637949b62194c1602bbc8831ccb539f66ecaa977d4
Instruction ID: 264424d199cf5e2a14ac2792f9ea735f3923891ba1e94c528fa3bc09d3c44048
Opcode Fuzzy Hash: d854018c609259bf1824f0637949b62194c1602bbc8831ccb539f66ecaa977d4
Instruction Fuzzy Hash: E6913E30E10219DFDB60DF68C850B9DB7B1FF99300F20859AE549AB391DB75AE85CB90

Uniqueness

Uniqueness Score: -1.00%

Function 064AB7E0 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.660226182.00000000064A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_64a0000_ggh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10d188d03442fc40731adb4abedc25372ad7505c3dad28c948df87c72e0d41e5
Instruction ID: 8cbda6301cf94fe2bd1ac25c7ebe5fd6315194c8f75b7e8a49010c80e9cbfd3c
Opcode Fuzzy Hash: 10d188d03442fc40731adb4abedc25372ad7505c3dad28c948df87c72e0d41e5
Instruction Fuzzy Hash: 3E913E30E10219DBDF60DF68C850B9DB7B1FF99700F20859AE549AB351DB71AA85CF90

Uniqueness

Uniqueness Score: -1.00%

Function 064AE3A8 Relevance: .2, Instructions: 182COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.660226182.00000000064A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_64a0000_ggh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14b95c7c908a2d9b847330d5221cc560ddf70e1d28ecb69616ccd0e609958d27
Instruction ID: 37014bd5f8e2918c50104d08dc7bc6b978853ef85b57d07317a9eb818c633273
Opcode Fuzzy Hash: 14b95c7c908a2d9b847330d5221cc560ddf70e1d28ecb69616ccd0e609958d27
Instruction Fuzzy Hash: 38618C70E00318DFDB54EBA8C9557AEB7F6BF84300F604429E41AAB795DB74AC41DB90

Uniqueness

Uniqueness Score: -1.00%

Function 064ABD78 Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.660226182.00000000064A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_64a0000_ggh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3f23f827982fbbd96b1e0ccefece4aa856237d246edb549bb765dabc783e4a1
Instruction ID: ce1ff66ff1dcb812db32dc53480938a9e7e59b35437529289e7a52af29a1ce14
Opcode Fuzzy Hash: a3f23f827982fbbd96b1e0ccefece4aa856237d246edb549bb765dabc783e4a1
Instruction Fuzzy Hash: F751B570F102189FEF94ABA4C8157AEBAF6EB88710F24442EE105EB391DE749D01CF95

Uniqueness

Uniqueness Score: -1.00%

Function 064A33C8 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.660226182.00000000064A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_64a0000_ggh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1776bb767afeca59d0971219405dd1804c39f13b5d3fd41dee0abd31e5298eb8
Instruction ID: 62c987522669d62324a0c0b764191c593b149212f065875353b7a4f731cf6ba3
Opcode Fuzzy Hash: 1776bb767afeca59d0971219405dd1804c39f13b5d3fd41dee0abd31e5298eb8
Instruction Fuzzy Hash: EC51B570F142459FDFA7AF68C88136FB7A2EB95214F60482FE50ACB341EA29DC458791

Uniqueness

Uniqueness Score: -1.00%

Function 064A35A0 Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.660226182.00000000064A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_64a0000_ggh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e08faae60c1ba2f8430c495232d01c687bec415e38f6b7018e9e33bba336f16e
Instruction ID: 843bf23fb4b858edc7e41da610fe932c56b7eaf3577430750cc5bc7b2ac54485
Opcode Fuzzy Hash: e08faae60c1ba2f8430c495232d01c687bec415e38f6b7018e9e33bba336f16e
Instruction Fuzzy Hash: E2518B71A00204DFDB55DF68E88069DFBB1FF88310F14C1AAE909DB356EB74A845CB90

Uniqueness

Uniqueness Score: -1.00%

Function 064AC632 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.660226182.00000000064A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_64a0000_ggh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba073ecbeb3aa212e10c462c34c42df91467b36ea43ffbdb4b2376f2d999485d
Instruction ID: 38b25adc05aaf1157568c449699ef8ccceed391417598f22983b204011d55a76
Opcode Fuzzy Hash: ba073ecbeb3aa212e10c462c34c42df91467b36ea43ffbdb4b2376f2d999485d
Instruction Fuzzy Hash: 11414D39A0070A9FDBA1DEA9C8C0AAFFBF1FB99310F10492BE155D7250D731A9458B91

Uniqueness

Uniqueness Score: -1.00%

Function 064ABD68 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.660226182.00000000064A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_64a0000_ggh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6ac221e63f3c350a6d401bbc309205a075456670cd013938317ea27e4c264dd
Instruction ID: f7dff3ab353af4b78e6bce3885c8bb88fd194f35c82223d2ff19f5264a85d2b3
Opcode Fuzzy Hash: e6ac221e63f3c350a6d401bbc309205a075456670cd013938317ea27e4c264dd
Instruction Fuzzy Hash: D241B630B102189FEB54ABB4C82576E7AE7EF88710F24452DE505EB3D1DE748C02CB95

Uniqueness

Uniqueness Score: -1.00%

Function 064A33B8 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.660226182.00000000064A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_64a0000_ggh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73c180b34cafb5a7e0d77c30d0f4126bde3a47cf369f4a6d1b9e82d9ca0f09f7
Instruction ID: 472ddc8ad7660c7c5625e684b1b29902844b313d368d30fcd3f8b0c5b3d156de
Opcode Fuzzy Hash: 73c180b34cafb5a7e0d77c30d0f4126bde3a47cf369f4a6d1b9e82d9ca0f09f7
Instruction Fuzzy Hash: 8341D670F042419FDFA79F68C89136FB762EB95210F60482FD50ACB381EA29DC458791

Uniqueness

Uniqueness Score: -1.00%

Function 064A041F Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.660226182.00000000064A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_64a0000_ggh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fb21b8be4577f69b8d1050100b2084deec8a9f88ce48b64a9277179ce71f64f
Instruction ID: 2af1ce57cdc1afa216ab0dc065c87ac4aae3bdc8c22cbe1757ab1c26d563b8b6
Opcode Fuzzy Hash: 0fb21b8be4577f69b8d1050100b2084deec8a9f88ce48b64a9277179ce71f64f
Instruction Fuzzy Hash: 4E31C330E20309AFEB55CF64C45079EB7F1FF55704F24856AE801EB290DB74A942CB50

Uniqueness

Uniqueness Score: -1.00%

Function 064A0448 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.660226182.00000000064A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_64a0000_ggh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 844061f2e238773249955e070a757c34f740bf006711996e7437e0cd84ede733
Instruction ID: e2708f5d367a93f0b2aa90c65f7431706120cb427c8edac6f60ef6036831a62a
Opcode Fuzzy Hash: 844061f2e238773249955e070a757c34f740bf006711996e7437e0cd84ede733
Instruction Fuzzy Hash: E2316F30E20309EFEB55DBA4D85479EB7B2FF55B04F50852AE905EB340EB74A942CB90

Uniqueness

Uniqueness Score: -1.00%

Function 064A9402 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.660226182.00000000064A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_64a0000_ggh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7a2200aefb1e2bb5230d8eb1a7b770b377aab4502e709db9b7cf23c1dfeb7ad
Instruction ID: 51769ac5545a8055f7e344e90da6e358c9e3bc87cdba29e143fc7a180f89477c
Opcode Fuzzy Hash: e7a2200aefb1e2bb5230d8eb1a7b770b377aab4502e709db9b7cf23c1dfeb7ad
Instruction Fuzzy Hash: EE318E31E24705AFCB55DF64C49569EBBB2AF89310F60851AE856EB390DB70BC42CB80

Uniqueness

Uniqueness Score: -1.00%

Function 064A9410 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.660226182.00000000064A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_64a0000_ggh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea31de4502491b73625b0f22fd62f58dee1bef206490c99f0733aff9ff9541da
Instruction ID: 8a5212e6e9a8c3ffe5fbba5f66ca4c36fd036aae7f55fc96a3f98447dff1eed7
Opcode Fuzzy Hash: ea31de4502491b73625b0f22fd62f58dee1bef206490c99f0733aff9ff9541da
Instruction Fuzzy Hash: BA316B31E203059FCB59DF65C49569EBBB2BF89300F60851AE816EB340DB70BC42CB84

Uniqueness

Uniqueness Score: -1.00%

Function 064AB010 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.660226182.00000000064A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_64a0000_ggh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 877c999d61ee49a1566745005f9ead1ee4a184bb9fa9af08ea0d319a8011972a
Instruction ID: 141bbd2ed5c7901da03d535841372feb27360136a477eef3ac839d775b5932a6
Opcode Fuzzy Hash: 877c999d61ee49a1566745005f9ead1ee4a184bb9fa9af08ea0d319a8011972a
Instruction Fuzzy Hash: B331C371F042549FEB84EFB989113EE77E1DB8C310F54802AE515E7381EE299D468BA0

Uniqueness

Uniqueness Score: -1.00%

Function 064AB020 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.660226182.00000000064A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_64a0000_ggh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9e8abffc403b6232e307d9bcbc0585a67868802d8a54795bcfe75b8a9f4c91e
Instruction ID: 9672cd27a2a9ed7eb4224a2b99fd6115dcb20a30ed250d2dd58755bfbf76f8da
Opcode Fuzzy Hash: b9e8abffc403b6232e307d9bcbc0585a67868802d8a54795bcfe75b8a9f4c91e
Instruction Fuzzy Hash: 2231BF71F04314AFDB90EBB989117EEB6E1EB48310F54802AE519E7381EA389D458BA0

Uniqueness

Uniqueness Score: -1.00%

Function 064A2EFF Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.660226182.00000000064A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_64a0000_ggh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 935a203b7fc84968d80c7508ba9d886f59e8a9b2ea4e09f4eb395b383adf80de
Instruction ID: f0fef0569fda36cc4e3843f20c3512caaaa38d891fcb95dbe023377b3577ec4e
Opcode Fuzzy Hash: 935a203b7fc84968d80c7508ba9d886f59e8a9b2ea4e09f4eb395b383adf80de
Instruction Fuzzy Hash: FC31B430E1434AABCB56DF64C84079FFBB2AF8A310F54861AF845EB391DB70A941D790

Uniqueness

Uniqueness Score: -1.00%

Function 064A3B22 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.660226182.00000000064A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_64a0000_ggh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9656e2315666166edf2220eec30fe4204eedea08d58e0276f4a795170af898e
Instruction ID: ad949fb050d889dbb3b5b35e765682a1a8387714494245f86525b8107310b499
Opcode Fuzzy Hash: d9656e2315666166edf2220eec30fe4204eedea08d58e0276f4a795170af898e
Instruction Fuzzy Hash: F131D471A142549FEB529F78CC14B9E7BF5AF89724F1481AAE401EB3E2EA718C44C790

Uniqueness

Uniqueness Score: -1.00%

Function 064A2F10 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.660226182.00000000064A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_64a0000_ggh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6ea317a31fee7f4a8c93a7624a164d9dde615549e4b3cb05e002d50baae2422
Instruction ID: d53bb84084b2aad255a91754eaff93ec3574c8d5e6bbb60e0db5edde93c5c795
Opcode Fuzzy Hash: f6ea317a31fee7f4a8c93a7624a164d9dde615549e4b3cb05e002d50baae2422
Instruction Fuzzy Hash: FF317131E1020AABDB5ADF64C48069FF7B2BF99300F64851AF805EB341EB70A945DBD0

Uniqueness

Uniqueness Score: -1.00%

Function 064AE008 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.660226182.00000000064A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_64a0000_ggh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c26feeb5bd996ec2031a6937f9649e5434e2787ecada22c63e4ae2e25f436cc7
Instruction ID: 0bdfe467115c06ed0390257c1d978d94a499f6a387ca0bd5473138198d9fb298
Opcode Fuzzy Hash: c26feeb5bd996ec2031a6937f9649e5434e2787ecada22c63e4ae2e25f436cc7
Instruction Fuzzy Hash: 8E21DE30F04218AFDF94EA78E8502AEB7E3EB95210F14842AE419DB381EF25ED4197C4

Uniqueness

Uniqueness Score: -1.00%

Function 064A2E01 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.660226182.00000000064A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_64a0000_ggh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a3d3cfa80d81b3ec258ddf839b2269783ec65b8edbf05202a36d246b77f1891
Instruction ID: c0a9d4bbc24b58e5fea4feee43d1aa6ff4742c64bd836b1ecc0911d1a35ca752
Opcode Fuzzy Hash: 7a3d3cfa80d81b3ec258ddf839b2269783ec65b8edbf05202a36d246b77f1891
Instruction Fuzzy Hash: C1215E31E10309EFDB09CBB5C5546AFB7B2AF99300F54851AE811EB350DBB1A986CB90

Uniqueness

Uniqueness Score: -1.00%

Function 064AE995 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.660226182.00000000064A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_64a0000_ggh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9f55a7d630614332247c5cf25cb17bf0f3ad76c53bd85b2fc379b72e7bd4606
Instruction ID: d40ef651c8ab72f75d7c73d0472103e0c1c81c2a0a70d8518ef36071151074ed
Opcode Fuzzy Hash: b9f55a7d630614332247c5cf25cb17bf0f3ad76c53bd85b2fc379b72e7bd4606
Instruction Fuzzy Hash: 6D212A30E00308DFDB94EBA4DA516EEB7B2AF84301F64842AD829AB751DB74ED45DB50

Uniqueness

Uniqueness Score: -1.00%

Function 064A2E10 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.660226182.00000000064A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_64a0000_ggh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ee220967685c54b05bdc5c5bc62d64243c309f85dd735b1d475289b28e5454b
Instruction ID: 32122aa8eb8d386b787db335addc8ace016d2d16a494c88f9a0db95e1c6dbeb5
Opcode Fuzzy Hash: 6ee220967685c54b05bdc5c5bc62d64243c309f85dd735b1d475289b28e5454b
Instruction Fuzzy Hash: A2214F31E10309DFDB19CFA5C54569FB7B2AF99300F54851AE811EB350DBB0A986CB90

Uniqueness

Uniqueness Score: -1.00%

Function 064AB158 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.660226182.00000000064A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_64a0000_ggh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 364fbd4ab4b7c64eef27522005a7aeba6b37df63357385f1d4637af00e7133c0
Instruction ID: b0b171f371bacbb64a285a5c01d0d4822d0a4ec976781f5975e4c68a567a4c2a
Opcode Fuzzy Hash: 364fbd4ab4b7c64eef27522005a7aeba6b37df63357385f1d4637af00e7133c0
Instruction Fuzzy Hash: 3A118232B14214AFDB95AAB888566BF77DBDBD8350F10407AE906E7340EE35DD018BD1

Uniqueness

Uniqueness Score: -1.00%

Function 064AF4C8 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.660226182.00000000064A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_64a0000_ggh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f587939239f1f1fdfc5f81258f39ae4716bd6506d960a2cfbc93938454ba4298
Instruction ID: 69357b0f9a7b3dc8fe23ca3ffc048f4375c93e62c758a61af005a3f3483d86f3
Opcode Fuzzy Hash: f587939239f1f1fdfc5f81258f39ae4716bd6506d960a2cfbc93938454ba4298
Instruction Fuzzy Hash: 5D116B32B183286F9BE52AB50C542EF779ADB901A0F50412AE905E7242DE14DD0EC3E2

Uniqueness

Uniqueness Score: -1.00%

Function 064AC7AF Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.660226182.00000000064A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_64a0000_ggh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a55bd9184823474951541d55861f60c35215e094f02ad710b84c6064bf2458d8
Instruction ID: 79af96d682efebf529b22bdab7a580511715dcb55f0f9e7eb4ac5b9c3cd3d05a
Opcode Fuzzy Hash: a55bd9184823474951541d55861f60c35215e094f02ad710b84c6064bf2458d8
Instruction Fuzzy Hash: AB11A930E003099FDBA18FA984C06ABBBB1FB45221F60496FC559DB381C2309841CB91

Uniqueness

Uniqueness Score: -1.00%

Function 064AB148 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.660226182.00000000064A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_64a0000_ggh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10a1f7030f3d91af28e817935af20af909d57963611d2ddfd7432b9666d36a76
Instruction ID: 2794f01a838a62babad93c3a18827b98365e270a66688bd5a72d468621912af2
Opcode Fuzzy Hash: 10a1f7030f3d91af28e817935af20af909d57963611d2ddfd7432b9666d36a76
Instruction Fuzzy Hash: F801C072B04214ABEB55A6B84C123AF77DACBC82A0F10023AE91AD7380EE259D0147D1

Uniqueness

Uniqueness Score: -1.00%

Function 064AB3D6 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.660226182.00000000064A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_64a0000_ggh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e04a680893038be0304e404c4c219bb2f5c6e7846d0e62cbc7f5a358ab5cded
Instruction ID: e5929569c2a55f9e5ea0d5cff6596f434cd73e101a7ed9c055e51f53b14620ea
Opcode Fuzzy Hash: 4e04a680893038be0304e404c4c219bb2f5c6e7846d0e62cbc7f5a358ab5cded
Instruction Fuzzy Hash: 4801D131B106105BDBA4916D9465B2FB7DADBC9A10F64883AF10ECB345ED69EC0243D4

Uniqueness

Uniqueness Score: -1.00%

Function 064AB3D8 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.660226182.00000000064A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_64a0000_ggh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e79a02f2a83ae61a2a3be3b30e3a0aaab9c56608b70b81312b6ba71d1c73ed45
Instruction ID: c08b431139a5c0515840fb56ca79c4abf13747ad0b6c414bdd20f1672c2dadc6
Opcode Fuzzy Hash: e79a02f2a83ae61a2a3be3b30e3a0aaab9c56608b70b81312b6ba71d1c73ed45
Instruction Fuzzy Hash: 0001F431B106105BDBA4916DD465B2FB7DADBC9A10F64883BF10ECB345ED69EC0243D4

Uniqueness

Uniqueness Score: -1.00%

Function 064A1310 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.660226182.00000000064A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_64a0000_ggh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 618d459f3d417c100c7c6b1e752e592851b3d17fea875125dbbd2d2d664eb50b
Instruction ID: 629e9d50a5ecd846ce9c83b3ecebd3c6e4b427cc9a1c2c19e6dbbbff4cd68462
Opcode Fuzzy Hash: 618d459f3d417c100c7c6b1e752e592851b3d17fea875125dbbd2d2d664eb50b
Instruction Fuzzy Hash: A301B530A18249DFC740FFB8D4A159D7BB19F80700F50489D95899F256EB341E04ABD5

Uniqueness

Uniqueness Score: -1.00%

Function 064A0560 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.660226182.00000000064A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_64a0000_ggh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95189f7a652e05d1c167906348c9f9d32d1c9d57acb19d77dc6b69d8a2927f7b
Instruction ID: 24184212eb96192f209bf6e565aadcb6a2737cd70ea28389b3abfa83e072c88b
Opcode Fuzzy Hash: 95189f7a652e05d1c167906348c9f9d32d1c9d57acb19d77dc6b69d8a2927f7b
Instruction Fuzzy Hash: D3014B75B00208CFDB04EB74D899B6D77B2EF89715F504069E5069B3A0DF34AC42CB40

Uniqueness

Uniqueness Score: -1.00%

Function 064A1320 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.660226182.00000000064A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_64a0000_ggh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7ef757445ff95d50e99fb170420928b9f74ae73ed262c843a384c4cb9e5eebb
Instruction ID: a70b54e44b14dbc9b46e8aaf9d4529302d9510a160df3b83bccabd341ac2b42a
Opcode Fuzzy Hash: e7ef757445ff95d50e99fb170420928b9f74ae73ed262c843a384c4cb9e5eebb
Instruction Fuzzy Hash: 81F08630A14149EFC740FFB8D49199D77B1AF80700F9048AD95899F255DF342E04BB95

Uniqueness

Uniqueness Score: -1.00%

Function 064AD6E1 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.660226182.00000000064A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_64a0000_ggh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95a448107d449e4cf5408b901374a920756502b1c1855e46c6e79a90934dd945
Instruction ID: a75248f0587855b2eb4c872cb40847473c50c7161c6a5220bbd242e5ba8f2b4d
Opcode Fuzzy Hash: 95a448107d449e4cf5408b901374a920756502b1c1855e46c6e79a90934dd945
Instruction Fuzzy Hash: 43F06D35E19289AEDB52CFB489586AABF69DF56208F2445EBD449CB242E131CD019350

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.
Tactics:	Discovery
Data Sources:	API monitoring, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Disable_automatic_email_errors.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Roaming\ggh\ggh.exe

C:\Users\user\AppData\Roaming\ggh\ggh.exe:Zone.Identifier

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Windows Analysis Report
Disable_automatic_email_errors.exe

Function 0249F1DC Relevance: 1.6, APIs: 1, Instructions: 135
COMMON

Function 0609A138 Relevance: 1.6, APIs: 1, Instructions: 136
COMMON

Function 0249F1F4 Relevance: 1.6, APIs: 1, Instructions: 134
COMMON

Function 0249F764 Relevance: 1.6, APIs: 1, Instructions: 133
COMMON

Function 0609C4B4 Relevance: 1.6, APIs: 1, Instructions: 116
COMMON

Function 0609E344 Relevance: 1.6, APIs: 1, Instructions: 115
COMMON

Function 024976A4 Relevance: 1.6, APIs: 1, Instructions: 98
libraryCOMMON

Function 02495ADC Relevance: 1.6, APIs: 1, Instructions: 97
libraryCOMMON

Function 0609FE21 Relevance: 1.6, APIs: 1, Instructions: 67
COMMON

Function 0609F7D4 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Function 0609B837 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Function 0609A208 Relevance: 1.6, APIs: 1, Instructions: 58
COMMON

Function 06098620 Relevance: 1.6, APIs: 1, Instructions: 55
COMMON

Function 0609B854 Relevance: 1.6, APIs: 1, Instructions: 50
COMMON

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre