Edit tour

Windows Analysis Report
DO9uvdGMde.exe

Overview

General Information

Sample name:	DO9uvdGMde.exe renamed because original name is a hash value
Original sample name:	9ea0a0d830d560e34c04870341fac3631ded5d423ec8104fe3d56b62ff0668ac.exe
Analysis ID:	1504107
MD5:	0ce8f39e540c12f1fb211f830b29d089
SHA1:	ab1ad00d47f2c0ef73713d5b8b3dcd2ec5fd71e4
SHA256:	9ea0a0d830d560e34c04870341fac3631ded5d423ec8104fe3d56b62ff0668ac
Tags:	exe
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Copy file to startup via Powershell

Yara detected AgentTesla

Yara detected AntiVM3

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

AI detected suspicious sample

Bypasses PowerShell execution policy

Contains functionality to log keystrokes (.Net Source)

Creates executable files without a name

Drops PE files to the startup folder

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Powershell drops PE file

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Creates files inside the system directory

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries disk information (often used to detect virtual machines)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Sigma detected: Startup Folder File Write

Sigma detected: Suspicious Outbound SMTP Connections

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses SMTP (mail sending)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

DO9uvdGMde.exe (PID: 6392 cmdline: "C:\Users\user\Desktop\DO9uvdGMde.exe" MD5: 0CE8F39E540C12F1FB211F830B29D089)

powershell.exe (PID: 5040 cmdline: "Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\Desktop\DO9uvdGMde.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe' MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 4340 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

DO9uvdGMde.exe (PID: 3236 cmdline: "C:\Users\user\Desktop\DO9uvdGMde.exe" MD5: 0CE8F39E540C12F1FB211F830B29D089)

svchost.exe (PID: 7000 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

.exe (PID: 5260 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe" MD5: 0CE8F39E540C12F1FB211F830B29D089)

powershell.exe (PID: 5500 cmdline: "Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe' MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 2888 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

.exe (PID: 1464 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe" MD5: 0CE8F39E540C12F1FB211F830B29D089)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.privateemail.com", "Username": "pin@hm-heating-de.icu", "Password": "mGr{)g5TVG3j"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000004.00000002.3370082204.000000000231C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000004.00000002.3370082204.0000000002324000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000009.00000002.3369881312.0000000003244000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000004.00000002.3370082204.00000000022F1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000002.3370082204.00000000022F1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000009.00000002.3369881312.0000000003211000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000009.00000002.3369881312.0000000003211000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000004.00000002.3366188626.0000000000537000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000009.00000002.3369881312.000000000323C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.2134026177.0000000003D79000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.2134026177.0000000003D79000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: DO9uvdGMde.exe PID: 6392	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: DO9uvdGMde.exe PID: 6392	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: DO9uvdGMde.exe PID: 6392	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: DO9uvdGMde.exe PID: 3236	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: DO9uvdGMde.exe PID: 3236	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: .exe PID: 1464	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: .exe PID: 1464	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 13 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.DO9uvdGMde.exe.3ec0e10.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.DO9uvdGMde.exe.3ec0e10.2.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.DO9uvdGMde.exe.3ec0e10.2.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x316e5:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x31757:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x317e1:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31873:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x318dd:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3194f:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x319e5:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31a75:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.DO9uvdGMde.exe.3efb840.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.DO9uvdGMde.exe.3efb840.3.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.DO9uvdGMde.exe.3efb840.3.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x316e5:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x31757:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x317e1:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31873:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x318dd:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3194f:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x319e5:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31a75:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.DO9uvdGMde.exe.3efb840.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.DO9uvdGMde.exe.3efb840.3.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.DO9uvdGMde.exe.3efb840.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x334e5:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6dd05:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33557:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6dd77:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x335e1:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6de01:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33673:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6de93:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x336dd:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6defd:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3374f:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6df6f:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x337e5:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6e005:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33875:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x6e095:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.DO9uvdGMde.exe.3ec0e10.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.DO9uvdGMde.exe.3ec0e10.2.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.DO9uvdGMde.exe.3ec0e10.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x334e5:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6df15:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0xa8735:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33557:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6df87:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0xa87a7:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x335e1:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6e011:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0xa8831:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33673:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6e0a3:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0xa88c3:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x336dd:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6e10d:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0xa892d:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3374f:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6e17f:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0xa899f:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x337e5:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6e215:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0xa8a35:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
0.2.DO9uvdGMde.exe.3de2570.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.DO9uvdGMde.exe.3de2570.4.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.DO9uvdGMde.exe.3de2570.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x111d85:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x14c7b5:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x186fd5:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x111df7:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x14c827:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x187047:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x111e81:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x14c8b1:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x1870d1:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x111f13:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x14c943:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x187163:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x111f7d:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x14c9ad:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x1871cd:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x111fef:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x14ca1f:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x18723f:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x112085:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x14cab5:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x1872d5:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
Click to see the 10 entries

Sigma Signatures

System Summary

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: "Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\Desktop\DO9uvdGMde.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe', CommandLine: "Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\Desktop\DO9uvdGMde.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\DO9uvdGMde.exe", ParentImage: C:\Users\user\Desktop\DO9uvdGMde.exe, ParentProcessId: 6392, ParentProcessName: DO9uvdGMde.exe, ProcessCommandLine: "Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\Desktop\DO9uvdGMde.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe', ProcessId: 5040, ProcessName: powershell.exe

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Source: File created

Author: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 5040, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe

Sigma detected: Startup Folder File Write

Source: File created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 5040, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 198.54.122.135, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Users\user\Desktop\DO9uvdGMde.exe, Initiated: true, ProcessId: 3236, Protocol: tcp, SourceIp: 192.168.2.6, SourceIsIpv6: false, SourcePort: 49713

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\Desktop\DO9uvdGMde.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe', CommandLine: "Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\Desktop\DO9uvdGMde.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\DO9uvdGMde.exe", ParentImage: C:\Users\user\Desktop\DO9uvdGMde.exe, ParentProcessId: 6392, ParentProcessName: DO9uvdGMde.exe, ProcessCommandLine: "Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\Desktop\DO9uvdGMde.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe', ProcessId: 5040, ProcessName: powershell.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 7000, ProcessName: svchost.exe

Persistence and Installation Behavior

Sigma detected: Copy file to startup via Powershell

Source: Process started

Author: Joe Security: Data: Command: "Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\Desktop\DO9uvdGMde.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe', CommandLine: "Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\Desktop\DO9uvdGMde.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\DO9uvdGMde.exe", ParentImage: C:\Users\user\Desktop\DO9uvdGMde.exe, ParentProcessId: 6392, ParentProcessName: DO9uvdGMde.exe, ProcessCommandLine: "Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\Desktop\DO9uvdGMde.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe', ProcessId: 5040, ProcessName: powershell.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 0.2.DO9uvdGMde.exe.3efb840.3.raw.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.privateemail.com", "Username": "pin@hm-heating-de.icu", "Password": "mGr{)g5TVG3j"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe

ReversingLabs: Detection: 65%

Multi AV Scanner detection for submitted file

Source: DO9uvdGMde.exe

ReversingLabs: Detection: 65%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: DO9uvdGMde.exe

Joe Sandbox ML: detected

Source: DO9uvdGMde.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.6:49712 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.6:49719 version: TLS 1.2

Source: DO9uvdGMde.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:

Binary string: C:\Users\GT350\source\repos\UpdatedRunpe\UpdatedRunpe\obj\x86\Debug\AQipUvwTwkLZyiCs.pdb source: DO9uvdGMde.exe, 00000000.00000002.2136730282.00000000056C0000.00000004.08000000.00040000.00000000.sdmp, DO9uvdGMde.exe, 00000000.00000002.2133513926.0000000002D71000.00000004.00000800.00020000.00000000.sdmp, .exe, 00000006.00000002.2265452072.0000000002591000.00000004.00000800.00020000.00000000.sdmp

Source: global traffic

TCP traffic: 192.168.2.6:49713 -> 198.54.122.135:587

Source: Joe Sandbox View	IP Address: 198.54.122.135 198.54.122.135
Source: Joe Sandbox View	IP Address: 104.26.13.205 104.26.13.205
Source: Joe Sandbox View	IP Address: 104.26.13.205 104.26.13.205

Source: Joe Sandbox View

ASN Name: NAMECHEAP-NETUS NAMECHEAP-NETUS

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org

Source: global traffic

TCP traffic: 192.168.2.6:49713 -> 198.54.122.135:587

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: api.ipify.org
Source: global traffic	DNS traffic detected: DNS query: mail.privateemail.com

Source: DO9uvdGMde.exe, 00000004.00000002.3370082204.0000000002324000.00000004.00000800.00020000.00000000.sdmp, DO9uvdGMde.exe, 00000004.00000002.3367383037.00000000007D7000.00000004.00000020.00020000.00000000.sdmp, .exe, 00000009.00000002.3369881312.0000000003244000.00000004.00000800.00020000.00000000.sdmp, .exe, 00000009.00000002.3367193234.00000000014E7000.00000004.00000020.00020000.00000000.sdmp, .exe, 00000009.00000002.3367193234.000000000150D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: DO9uvdGMde.exe, 00000004.00000002.3367383037.00000000007D7000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.3368027736.0000019145ACE000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2250863931.00000000030EC000.00000004.00000020.00020000.00000000.sdmp, .exe, 00000009.00000002.3385871309.0000000006BB2000.00000004.00000020.00020000.00000000.sdmp, .exe, 00000009.00000002.3368571811.0000000001516000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: svchost.exe, 00000005.00000002.3368027736.0000019145ACE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: DO9uvdGMde.exe, 00000004.00000002.3370082204.0000000002324000.00000004.00000800.00020000.00000000.sdmp, DO9uvdGMde.exe, 00000004.00000002.3367383037.00000000007D7000.00000004.00000020.00020000.00000000.sdmp, .exe, 00000009.00000002.3369881312.0000000003244000.00000004.00000800.00020000.00000000.sdmp, .exe, 00000009.00000002.3367193234.00000000014E7000.00000004.00000020.00020000.00000000.sdmp, .exe, 00000009.00000002.3367193234.000000000150D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
Source: qmgr.db.5.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: qmgr.db.5.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome/acocfkfsx7alydpzevdxln7drwdq_117.0.5938.134/117.0.5
Source: qmgr.db.5.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: qmgr.db.5.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: qmgr.db.5.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: qmgr.db.5.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: qmgr.db.5.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: edb.log.5.dr	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: DO9uvdGMde.exe, 00000000.00000002.2129809023.0000000001109000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://go.mic
Source: DO9uvdGMde.exe, 00000004.00000002.3370082204.000000000231C000.00000004.00000800.00020000.00000000.sdmp, .exe, 00000009.00000002.3369881312.000000000323C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mail.privateemail.com
Source: powershell.exe, 00000002.00000002.2131924595.0000000005D0A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2268478290.0000000005C6B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: DO9uvdGMde.exe, 00000004.00000002.3370082204.0000000002324000.00000004.00000800.00020000.00000000.sdmp, DO9uvdGMde.exe, 00000004.00000002.3367383037.00000000007D7000.00000004.00000020.00020000.00000000.sdmp, .exe, 00000009.00000002.3369881312.0000000003244000.00000004.00000800.00020000.00000000.sdmp, .exe, 00000009.00000002.3367193234.00000000014E7000.00000004.00000020.00020000.00000000.sdmp, .exe, 00000009.00000002.3367193234.000000000150D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: DO9uvdGMde.exe, 00000004.00000002.3370082204.0000000002324000.00000004.00000800.00020000.00000000.sdmp, DO9uvdGMde.exe, 00000004.00000002.3367383037.00000000007D7000.00000004.00000020.00020000.00000000.sdmp, .exe, 00000009.00000002.3369881312.0000000003244000.00000004.00000800.00020000.00000000.sdmp, .exe, 00000009.00000002.3367193234.00000000014E7000.00000004.00000020.00020000.00000000.sdmp, .exe, 00000009.00000002.3367193234.000000000150D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.sectigo.com0
Source: powershell.exe, 00000007.00000002.2252453666.0000000004D52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.2118630596.0000000004CA1000.00000004.00000800.00020000.00000000.sdmp, DO9uvdGMde.exe, 00000004.00000002.3370082204.00000000022A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2252453666.0000000004C01000.00000004.00000800.00020000.00000000.sdmp, .exe, 00000009.00000002.3369881312.00000000031C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000007.00000002.2252453666.0000000004D52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: DO9uvdGMde.exe, 00000000.00000002.2134026177.0000000003D79000.00000004.00000800.00020000.00000000.sdmp, .exe, 00000009.00000002.3366013811.0000000000436000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/
Source: powershell.exe, 00000002.00000002.2118630596.0000000004CA1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2252453666.0000000004C01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: DO9uvdGMde.exe, 00000000.00000002.2134026177.0000000003D79000.00000004.00000800.00020000.00000000.sdmp, DO9uvdGMde.exe, 00000004.00000002.3370082204.00000000022A1000.00000004.00000800.00020000.00000000.sdmp, .exe, 00000009.00000002.3369881312.00000000031C1000.00000004.00000800.00020000.00000000.sdmp, .exe, 00000009.00000002.3366013811.0000000000434000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org
Source: DO9uvdGMde.exe, 00000004.00000002.3370082204.00000000022A1000.00000004.00000800.00020000.00000000.sdmp, .exe, 00000009.00000002.3369881312.00000000031C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/
Source: DO9uvdGMde.exe, 00000004.00000002.3370082204.00000000022A1000.00000004.00000800.00020000.00000000.sdmp, .exe, 00000009.00000002.3369881312.00000000031C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/t
Source: powershell.exe, 00000007.00000002.2268478290.0000000005C6B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000007.00000002.2268478290.0000000005C6B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000007.00000002.2268478290.0000000005C6B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: edb.log.5.dr	String found in binary or memory: https://g.live.com/odclientsettings/Prod1C:
Source: svchost.exe, 00000005.00000003.2130371833.000001914B200000.00000004.00000800.00020000.00000000.sdmp, edb.log.5.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV21C:
Source: powershell.exe, 00000007.00000002.2252453666.0000000004D52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000002.00000002.2131924595.0000000005D0A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2268478290.0000000005C6B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: DO9uvdGMde.exe, 00000004.00000002.3370082204.0000000002324000.00000004.00000800.00020000.00000000.sdmp, DO9uvdGMde.exe, 00000004.00000002.3367383037.00000000007D7000.00000004.00000020.00020000.00000000.sdmp, .exe, 00000009.00000002.3369881312.0000000003244000.00000004.00000800.00020000.00000000.sdmp, .exe, 00000009.00000002.3367193234.00000000014E7000.00000004.00000020.00020000.00000000.sdmp, .exe, 00000009.00000002.3367193234.000000000150D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sectigo.com/CPS0
Source: .exe, 00000006.00000002.2263371366.0000000000A07000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wdcp.mi

Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712

Source: unknown	HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.6:49712 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.6:49719 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 0.2.DO9uvdGMde.exe.3efb840.3.raw.unpack, SKTzxzsJw.cs	.Net Code: mWXy4
Source: 0.2.DO9uvdGMde.exe.3ec0e10.2.raw.unpack, SKTzxzsJw.cs	.Net Code: mWXy4

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.DO9uvdGMde.exe.3ec0e10.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.DO9uvdGMde.exe.3efb840.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.DO9uvdGMde.exe.3efb840.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.DO9uvdGMde.exe.3ec0e10.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.DO9uvdGMde.exe.3de2570.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen

Powershell drops PE file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe

Jump to dropped file

Source: C:\Windows\System32\svchost.exe

File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Jump to behavior

Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Code function: 0_2_02D1D3DC	0_2_02D1D3DC
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Code function: 4_2_0094A960	4_2_0094A960
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Code function: 4_2_00944A98	4_2_00944A98
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Code function: 4_2_0094DBE0	4_2_0094DBE0
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Code function: 4_2_00943E80	4_2_00943E80
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Code function: 4_2_009441C8	4_2_009441C8
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Code function: 4_2_05F84570	4_2_05F84570
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Code function: 4_2_05F83520	4_2_05F83520
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Code function: 4_2_05F85D08	4_2_05F85D08
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Code function: 4_2_05F83C80	4_2_05F83C80
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Code function: 4_2_05F891C0	4_2_05F891C0
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Code function: 4_2_05F8A108	4_2_05F8A108
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Code function: 4_2_05F8E098	4_2_05F8E098
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Code function: 4_2_05F80308	4_2_05F80308
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Code function: 4_2_05F85628	4_2_05F85628
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Code function: 4_2_05F8C328	4_2_05F8C328
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Code function: 6_2_0095D3DC	6_2_0095D3DC
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Code function: 9_2_0307B3C8	9_2_0307B3C8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Code function: 9_2_03074A98	9_2_03074A98
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Code function: 9_2_03073E80	9_2_03073E80
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Code function: 9_2_0307DCA8	9_2_0307DCA8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Code function: 9_2_030741C8	9_2_030741C8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Code function: 9_2_06DC0FE0	9_2_06DC0FE0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Code function: 9_2_06DC3C6B	9_2_06DC3C6B
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Code function: 9_2_06DC4570	9_2_06DC4570
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Code function: 9_2_06DC5D08	9_2_06DC5D08
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Code function: 9_2_06DC3520	9_2_06DC3520
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Code function: 9_2_06DC91B0	9_2_06DC91B0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Code function: 9_2_06DCA108	9_2_06DCA108
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Code function: 9_2_06DC5628	9_2_06DC5628
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Code function: 9_2_06DCC328	9_2_06DCC328
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Code function: 9_2_06F1A068	9_2_06F1A068
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Code function: 9_2_06F1B900	9_2_06F1B900

Source: DO9uvdGMde.exe, 00000000.00000002.2136206395.0000000005610000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameExample.dll0 vs DO9uvdGMde.exe
Source: DO9uvdGMde.exe, 00000000.00000002.2129809023.00000000010CE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs DO9uvdGMde.exe
Source: DO9uvdGMde.exe, 00000000.00000000.2106990287.00000000009EC000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameInterlop.exe2 vs DO9uvdGMde.exe
Source: DO9uvdGMde.exe, 00000000.00000002.2134026177.0000000003D79000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameExample.dll0 vs DO9uvdGMde.exe
Source: DO9uvdGMde.exe, 00000000.00000002.2134026177.0000000003D79000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamea405aee0-8989-4d2f-871d-52e1f783cbe2.exe4 vs DO9uvdGMde.exe
Source: DO9uvdGMde.exe, 00000000.00000002.2136730282.00000000056C0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameAQipUvwTwkLZyiCs.dll: vs DO9uvdGMde.exe
Source: DO9uvdGMde.exe, 00000000.00000002.2133513926.0000000002D71000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAQipUvwTwkLZyiCs.dll: vs DO9uvdGMde.exe
Source: DO9uvdGMde.exe, 00000000.00000002.2133513926.0000000002D71000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamea405aee0-8989-4d2f-871d-52e1f783cbe2.exe4 vs DO9uvdGMde.exe
Source: DO9uvdGMde.exe, 00000000.00000002.2133513926.0000000002D71000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameriched20.dllp( vs DO9uvdGMde.exe
Source: DO9uvdGMde.exe, 00000000.00000002.2133513926.0000000002D71000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs DO9uvdGMde.exe
Source: DO9uvdGMde.exe, 00000000.00000002.2133513926.0000000002D71000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: q,\\StringFileInfo\\000004B0\\OriginalFilename vs DO9uvdGMde.exe
Source: DO9uvdGMde.exe, 00000004.00000002.3366188626.0000000000537000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamea405aee0-8989-4d2f-871d-52e1f783cbe2.exe4 vs DO9uvdGMde.exe
Source: DO9uvdGMde.exe, 00000004.00000002.3366095373.00000000004F9000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs DO9uvdGMde.exe
Source: DO9uvdGMde.exe	Binary or memory string: OriginalFilenameInterlop.exe2 vs DO9uvdGMde.exe

Source: DO9uvdGMde.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.DO9uvdGMde.exe.3ec0e10.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.DO9uvdGMde.exe.3efb840.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.DO9uvdGMde.exe.3efb840.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.DO9uvdGMde.exe.3ec0e10.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.DO9uvdGMde.exe.3de2570.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers

Source: 0.2.DO9uvdGMde.exe.3efb840.3.raw.unpack, 4JJG6X.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.DO9uvdGMde.exe.3efb840.3.raw.unpack, 4JJG6X.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.DO9uvdGMde.exe.3efb840.3.raw.unpack, 8C78isHTVco.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.DO9uvdGMde.exe.3efb840.3.raw.unpack, 8C78isHTVco.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.DO9uvdGMde.exe.3efb840.3.raw.unpack, 8C78isHTVco.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.DO9uvdGMde.exe.3efb840.3.raw.unpack, 8C78isHTVco.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.DO9uvdGMde.exe.3efb840.3.raw.unpack, CqSP68Ir.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.DO9uvdGMde.exe.3efb840.3.raw.unpack, CqSP68Ir.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: 0.2.DO9uvdGMde.exe.5610000.5.raw.unpack, DarkComboBox.cs	Base64 encoded string: 'Uwm+UuKGd614I69RzLI93aXq8M4plP4Fl8XGnAA54HkS/0jMOBsYAdDU3ufQvFFjYZJP0JeYZcnDYanLTNfb9IJuC/u1be1KdJkORevGYuzVlkHzJtU9FNAhjxyJAuY/'
Source: 0.2.DO9uvdGMde.exe.3de2570.4.raw.unpack, DarkComboBox.cs	Base64 encoded string: 'Uwm+UuKGd614I69RzLI93aXq8M4plP4Fl8XGnAA54HkS/0jMOBsYAdDU3ufQvFFjYZJP0JeYZcnDYanLTNfb9IJuC/u1be1KdJkORevGYuzVlkHzJtU9FNAhjxyJAuY/'

Source: classification engine

Classification label: mal100.spre.troj.adwa.spyw.evad.winEXE@13/11@2/3

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe

Jump to behavior

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2888:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4340:120:WilError_03

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fjxiqozw.dp0.ps1

Jump to behavior

Source: DO9uvdGMde.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: DO9uvdGMde.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\DO9uvdGMde.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\DO9uvdGMde.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\DO9uvdGMde.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: DO9uvdGMde.exe

ReversingLabs: Detection: 65%

Source: unknown	Process created: C:\Users\user\Desktop\DO9uvdGMde.exe "C:\Users\user\Desktop\DO9uvdGMde.exe"
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\Desktop\DO9uvdGMde.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Process created: C:\Users\user\Desktop\DO9uvdGMde.exe "C:\Users\user\Desktop\DO9uvdGMde.exe"
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe"
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe"
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\Desktop\DO9uvdGMde.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe'	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Process created: C:\Users\user\Desktop\DO9uvdGMde.exe "C:\Users\user\Desktop\DO9uvdGMde.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe'	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe"	Jump to behavior

Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Section loaded: wintypes.dll	Jump to behavior

Source: C:\Users\user\Desktop\DO9uvdGMde.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\DO9uvdGMde.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\DO9uvdGMde.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: DO9uvdGMde.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: DO9uvdGMde.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:

Data Obfuscation

.NET source code contains potential unpacker

Source: DO9uvdGMde.exe, --.cs	.Net Code: CreateProvider
Source: .exe.2.dr, --.cs	.Net Code: CreateProvider

Source: DO9uvdGMde.exe

Static PE information: 0xBA207775 [Fri Dec 14 05:51:49 2068 UTC]

Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Code function: 4_2_00940CCC push edi; retf	4_2_00940C7A
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Code function: 4_2_00940C45 push ebx; retf	4_2_00940C52
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_04BD6C70 push F4086279h; ret	7_2_04BD6E8D
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_04BD17C3 pushad ; iretd	7_2_04BD1842
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_04BD7188 push ss; iretd	7_2_04BD7192
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_04BD1C7B pushad ; iretd	7_2_04BD1C8A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_04BD1C6B pushad ; iretd	7_2_04BD1C7A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_07903932 push esi; retf	7_2_07903933
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Code function: 9_2_03070C45 push ebx; retf	9_2_03070C52
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Code function: 9_2_03070C77 push edi; retf	9_2_03070C7A
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Code function: 9_2_06F1FCBC push es; retf	9_2_06F1FCC8

Source: DO9uvdGMde.exe	Static PE information: section name: .text entropy: 7.35517204613953
Source: .exe.2.dr	Static PE information: section name: .text entropy: 7.35517204613953

Persistence and Installation Behavior

Creates executable files without a name

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe

Jump to dropped file

Boot Survival

Drops PE files to the startup folder

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe

Jump to dropped file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe\:Zone.Identifier:$DATA			Jump to behavior

Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior

Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: DO9uvdGMde.exe PID: 6392, type: MEMORYSTR

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\Desktop\DO9uvdGMde.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Memory allocated: 2B00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Memory allocated: 2D70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Memory allocated: 2B00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Memory allocated: 940000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Memory allocated: 22A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Memory allocated: 42A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Memory allocated: 950000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Memory allocated: 2590000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Memory allocated: C00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Memory allocated: 15E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Memory allocated: 31C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Memory allocated: 2FD0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3206	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Window / User API: threadDelayed 2149	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Window / User API: threadDelayed 7221	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4551	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1104	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Window / User API: threadDelayed 1760	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Window / User API: threadDelayed 5052	Jump to behavior

Source: C:\Users\user\Desktop\DO9uvdGMde.exe TID: 5880	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4196	Thread sleep count: 3206 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6792	Thread sleep count: 284 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1464	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6916	Thread sleep time: -2767011611056431s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe TID: 6400	Thread sleep count: 32 > 30	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe TID: 6400	Thread sleep time: -29514790517935264s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe TID: 6400	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe TID: 6400	Thread sleep time: -99890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe TID: 3688	Thread sleep count: 2149 > 30	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe TID: 3688	Thread sleep count: 7221 > 30	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe TID: 6400	Thread sleep time: -99781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe TID: 6400	Thread sleep time: -99662s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe TID: 6400	Thread sleep time: -99499s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe TID: 6400	Thread sleep time: -99388s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe TID: 6400	Thread sleep time: -99201s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe TID: 6400	Thread sleep time: -99093s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe TID: 6400	Thread sleep time: -98984s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe TID: 6400	Thread sleep time: -98874s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe TID: 6400	Thread sleep time: -98765s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe TID: 6400	Thread sleep time: -98656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe TID: 6400	Thread sleep time: -98542s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe TID: 6400	Thread sleep time: -98436s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe TID: 6400	Thread sleep time: -98328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe TID: 6400	Thread sleep time: -98218s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe TID: 6400	Thread sleep time: -98109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe TID: 6400	Thread sleep time: -97999s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe TID: 6400	Thread sleep time: -97890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe TID: 6400	Thread sleep time: -97781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe TID: 6400	Thread sleep time: -97671s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe TID: 6400	Thread sleep time: -97562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe TID: 6400	Thread sleep time: -97453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe TID: 6400	Thread sleep time: -97343s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe TID: 6400	Thread sleep time: -97234s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe TID: 6400	Thread sleep time: -97123s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe TID: 6400	Thread sleep time: -97015s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe TID: 6400	Thread sleep time: -96868s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe TID: 6400	Thread sleep time: -96625s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe TID: 6400	Thread sleep time: -96499s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe TID: 6400	Thread sleep time: -96390s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe TID: 6400	Thread sleep time: -96281s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe TID: 6400	Thread sleep time: -96171s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe TID: 6400	Thread sleep time: -96062s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe TID: 6400	Thread sleep time: -95943s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe TID: 6400	Thread sleep time: -95812s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe TID: 6400	Thread sleep time: -95703s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe TID: 6400	Thread sleep time: -95593s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe TID: 6400	Thread sleep time: -95484s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe TID: 6400	Thread sleep time: -95374s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe TID: 6400	Thread sleep time: -95265s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe TID: 6400	Thread sleep time: -95156s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe TID: 6400	Thread sleep time: -95046s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe TID: 6400	Thread sleep time: -94937s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe TID: 6400	Thread sleep time: -94828s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe TID: 6400	Thread sleep time: -94718s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe TID: 6400	Thread sleep time: -94608s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe TID: 6400	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 6776	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe TID: 5880	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2084	Thread sleep count: 4551 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5648	Thread sleep count: 1104 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3084	Thread sleep time: -2767011611056431s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe TID: 7280	Thread sleep time: -21213755684765971s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe TID: 7280	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe TID: 7284	Thread sleep count: 1760 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe TID: 7280	Thread sleep time: -99890s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe TID: 7284	Thread sleep count: 5052 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe TID: 7280	Thread sleep time: -99781s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe TID: 7280	Thread sleep time: -99669s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe TID: 7280	Thread sleep time: -99560s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe TID: 7280	Thread sleep time: -99452s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe TID: 7280	Thread sleep time: -99331s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe TID: 7280	Thread sleep time: -99187s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe TID: 7280	Thread sleep time: -99021s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe TID: 7280	Thread sleep time: -98903s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe TID: 7280	Thread sleep time: -98797s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe TID: 7280	Thread sleep time: -98687s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe TID: 7280	Thread sleep time: -98578s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe TID: 7280	Thread sleep time: -98467s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe TID: 7280	Thread sleep time: -98359s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe TID: 7280	Thread sleep time: -98250s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe TID: 7280	Thread sleep time: -98140s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe TID: 7280	Thread sleep time: -98031s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe TID: 7280	Thread sleep time: -97920s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe TID: 7280	Thread sleep time: -97812s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe TID: 7280	Thread sleep time: -97703s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe TID: 7280	Thread sleep time: -97593s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe TID: 7280	Thread sleep time: -97484s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe TID: 7280	Thread sleep time: -97375s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe TID: 7280	Thread sleep time: -97265s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe TID: 7280	Thread sleep time: -97156s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe TID: 7280	Thread sleep time: -97046s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe TID: 7280	Thread sleep time: -96910s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe TID: 7280	Thread sleep time: -96718s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe TID: 7280	Thread sleep time: -96435s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe TID: 7280	Thread sleep time: -96328s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe TID: 7280	Thread sleep time: -96218s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe TID: 7280	Thread sleep time: -96109s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe TID: 7280	Thread sleep time: -96000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe TID: 7280	Thread sleep time: -95889s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe TID: 7280	Thread sleep time: -95780s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe TID: 7280	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Jump to behavior

Source: C:\Users\user\Desktop\DO9uvdGMde.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\Desktop\DO9uvdGMde.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Thread delayed: delay time: 30000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Thread delayed: delay time: 99890	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Thread delayed: delay time: 99781	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Thread delayed: delay time: 99662	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Thread delayed: delay time: 99499	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Thread delayed: delay time: 99388	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Thread delayed: delay time: 99201	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Thread delayed: delay time: 99093	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Thread delayed: delay time: 98984	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Thread delayed: delay time: 98874	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Thread delayed: delay time: 98765	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Thread delayed: delay time: 98656	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Thread delayed: delay time: 98542	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Thread delayed: delay time: 98436	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Thread delayed: delay time: 98328	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Thread delayed: delay time: 98218	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Thread delayed: delay time: 98109	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Thread delayed: delay time: 97999	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Thread delayed: delay time: 97890	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Thread delayed: delay time: 97781	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Thread delayed: delay time: 97671	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Thread delayed: delay time: 97562	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Thread delayed: delay time: 97453	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Thread delayed: delay time: 97343	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Thread delayed: delay time: 97234	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Thread delayed: delay time: 97123	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Thread delayed: delay time: 97015	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Thread delayed: delay time: 96868	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Thread delayed: delay time: 96625	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Thread delayed: delay time: 96499	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Thread delayed: delay time: 96390	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Thread delayed: delay time: 96281	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Thread delayed: delay time: 96171	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Thread delayed: delay time: 96062	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Thread delayed: delay time: 95943	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Thread delayed: delay time: 95812	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Thread delayed: delay time: 95703	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Thread delayed: delay time: 95593	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Thread delayed: delay time: 95484	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Thread delayed: delay time: 95374	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Thread delayed: delay time: 95265	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Thread delayed: delay time: 95156	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Thread delayed: delay time: 95046	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Thread delayed: delay time: 94937	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Thread delayed: delay time: 94828	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Thread delayed: delay time: 94718	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Thread delayed: delay time: 94608	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Thread delayed: delay time: 30000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Thread delayed: delay time: 99890	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Thread delayed: delay time: 99781	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Thread delayed: delay time: 99669	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Thread delayed: delay time: 99560	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Thread delayed: delay time: 99452	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Thread delayed: delay time: 99331	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Thread delayed: delay time: 99187	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Thread delayed: delay time: 99021	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Thread delayed: delay time: 98903	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Thread delayed: delay time: 98797	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Thread delayed: delay time: 98687	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Thread delayed: delay time: 98578	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Thread delayed: delay time: 98467	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Thread delayed: delay time: 98359	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Thread delayed: delay time: 98250	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Thread delayed: delay time: 98140	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Thread delayed: delay time: 98031	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Thread delayed: delay time: 97920	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Thread delayed: delay time: 97812	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Thread delayed: delay time: 97703	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Thread delayed: delay time: 97593	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Thread delayed: delay time: 97484	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Thread delayed: delay time: 97375	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Thread delayed: delay time: 97265	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Thread delayed: delay time: 97156	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Thread delayed: delay time: 97046	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Thread delayed: delay time: 96910	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Thread delayed: delay time: 96718	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Thread delayed: delay time: 96435	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Thread delayed: delay time: 96328	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Thread delayed: delay time: 96218	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Thread delayed: delay time: 96109	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Thread delayed: delay time: 96000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Thread delayed: delay time: 95889	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Thread delayed: delay time: 95780	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: svchost.exe, 00000005.00000002.3368908104.0000019147059000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.3367205403.0000019145A2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.3368867777.0000019147047000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: .exe, 00000009.00000002.3368571811.0000000001516000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllf
Source: DO9uvdGMde.exe, 00000004.00000002.3367383037.00000000007D7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\DO9uvdGMde.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: 0.2.DO9uvdGMde.exe.3efb840.3.raw.unpack, zOS.cs	Reference to suspicious API methods: _120HqGy.OpenProcess(_2pIt.DuplicateHandle, bInheritHandle: true, (uint)iVE.ProcessID)
Source: 0.2.DO9uvdGMde.exe.56c0000.6.raw.unpack, vTOBOpTyAAvQkvZvwvxLfhLDrUkCOfiQETyyQECGGfUQGE.cs	Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi))
Source: 0.2.DO9uvdGMde.exe.56c0000.6.raw.unpack, vTOBOpTyAAvQkvZvwvxLfhLDrUkCOfiQETyyQECGGfUQGE.cs	Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi))
Source: 0.2.DO9uvdGMde.exe.56c0000.6.raw.unpack, vTOBOpTyAAvQkvZvwvxLfhLDrUkCOfiQETyyQECGGfUQGE.cs	Reference to suspicious API methods: ReadProcessMemory(processInformation.ProcessHandle, num3 + 8, ref buffer, 4, ref bytesRead)

Bypasses PowerShell execution policy

Source: C:\Users\user\Desktop\DO9uvdGMde.exe

Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\Desktop\DO9uvdGMde.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe'

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Memory written: C:\Users\user\Desktop\DO9uvdGMde.exe base: 500000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Memory written: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe base: 400000 value starts with: 4D5A			Jump to behavior

Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\Desktop\DO9uvdGMde.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe'	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Process created: C:\Users\user\Desktop\DO9uvdGMde.exe "C:\Users\user\Desktop\DO9uvdGMde.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe'	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe"	Jump to behavior

Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Queries volume information: C:\Users\user\Desktop\DO9uvdGMde.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Queries volume information: C:\Users\user\Desktop\DO9uvdGMde.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\DO9uvdGMde.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 0.2.DO9uvdGMde.exe.3ec0e10.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DO9uvdGMde.exe.3efb840.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DO9uvdGMde.exe.3efb840.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DO9uvdGMde.exe.3ec0e10.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DO9uvdGMde.exe.3de2570.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.3370082204.000000000231C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3370082204.0000000002324000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3369881312.0000000003244000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3370082204.00000000022F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3369881312.0000000003211000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3369881312.000000000323C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2134026177.0000000003D79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: DO9uvdGMde.exe PID: 6392, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: DO9uvdGMde.exe PID: 3236, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: .exe PID: 1464, type: MEMORYSTR

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions			Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions			Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe

File opened: C:\FTP Navigator\Ftplist.txt

Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\DO9uvdGMde.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\DO9uvdGMde.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: Yara match	File source: 0.2.DO9uvdGMde.exe.3ec0e10.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DO9uvdGMde.exe.3efb840.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DO9uvdGMde.exe.3efb840.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DO9uvdGMde.exe.3ec0e10.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DO9uvdGMde.exe.3de2570.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.3370082204.00000000022F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3369881312.0000000003211000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3366188626.0000000000537000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2134026177.0000000003D79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: DO9uvdGMde.exe PID: 6392, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: DO9uvdGMde.exe PID: 3236, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: .exe PID: 1464, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 0.2.DO9uvdGMde.exe.3ec0e10.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DO9uvdGMde.exe.3efb840.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DO9uvdGMde.exe.3efb840.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DO9uvdGMde.exe.3ec0e10.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DO9uvdGMde.exe.3de2570.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.3370082204.000000000231C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3370082204.0000000002324000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3369881312.0000000003244000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3370082204.00000000022F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3369881312.0000000003211000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3369881312.000000000323C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2134026177.0000000003D79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: DO9uvdGMde.exe PID: 6392, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: DO9uvdGMde.exe PID: 3236, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: .exe PID: 1464, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	2 OS Credential Dumping	1 File and Directory Discovery	Remote Services	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	12 Registry Run Keys / Startup Folder	111 Process Injection	1 Deobfuscate/Decode Files or Information	1 Input Capture	34 System Information Discovery	Remote Desktop Protocol	2 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 PowerShell	Logon Script (Windows)	12 Registry Run Keys / Startup Folder	21 Obfuscated Files or Information	1 Credentials in Registry	1 Query Registry	SMB/Windows Admin Shares	1 Email Collection	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Software Packing	NTDS	221 Security Software Discovery	Distributed Component Object Model	1 Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Timestomp	LSA Secrets	1 Process Discovery	SSH	Keylogging	23 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	151 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	111 Masquerading	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	151 Virtualization/Sandbox Evasion	Proc Filesystem	1 System Network Configuration Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	111 Process Injection	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
DO9uvdGMde.exe	66%	ReversingLabs	Win32.Spyware.Negasteal
DO9uvdGMde.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	66%	ReversingLabs	Win32.Spyware.Negasteal

Source	Detection	Scanner	Label
https://api.ipify.org/	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#	0%	URL Reputation	safe
http://nuget.org/NuGet.exe	0%	URL Reputation	safe
https://api.ipify.org	0%	URL Reputation	safe
https://g.live.com/odclientsettings/Prod1C:	0%	URL Reputation	safe
https://sectigo.com/CPS0	0%	URL Reputation	safe
https://account.dyn.com/	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
https://aka.ms/pscore6lB	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
https://nuget.org/nuget.exe	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
https://g.live.com/odclientsettings/ProdV21C:	0%	URL Reputation	safe
https://api.ipify.org/t	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
http://www.apache.org/licenses/LICENSE-2.0.html	0%	Avira URL Cloud	safe
http://mail.privateemail.com	0%	Avira URL Cloud	safe
http://crl.ver)	0%	Avira URL Cloud	safe
https://wdcp.mi	0%	Avira URL Cloud	safe
https://github.com/Pester/Pester	0%	Avira URL Cloud	safe
http://go.mic	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
mail.privateemail.com	198.54.122.135	true	true		unknown
api.ipify.org	104.26.13.205	true	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.ipify.org/	false	URL Reputation: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#	DO9uvdGMde.exe, 00000004.00000002.3370082204.0000000002324000.00000004.00000800.00020000.00000000.sdmp, DO9uvdGMde.exe, 00000004.00000002.3367383037.00000000007D7000.00000004.00000020.00020000.00000000.sdmp, .exe, 00000009.00000002.3369881312.0000000003244000.00000004.00000800.00020000.00000000.sdmp, .exe, 00000009.00000002.3367193234.00000000014E7000.00000004.00000020.00020000.00000000.sdmp, .exe, 00000009.00000002.3367193234.000000000150D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://nuget.org/NuGet.exe	powershell.exe, 00000002.00000002.2131924595.0000000005D0A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2268478290.0000000005C6B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.ipify.org	DO9uvdGMde.exe, 00000000.00000002.2134026177.0000000003D79000.00000004.00000800.00020000.00000000.sdmp, DO9uvdGMde.exe, 00000004.00000002.3370082204.00000000022A1000.00000004.00000800.00020000.00000000.sdmp, .exe, 00000009.00000002.3369881312.00000000031C1000.00000004.00000800.00020000.00000000.sdmp, .exe, 00000009.00000002.3366013811.0000000000434000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://g.live.com/odclientsettings/Prod1C:	edb.log.5.dr	false	URL Reputation: safe	unknown
https://sectigo.com/CPS0	DO9uvdGMde.exe, 00000004.00000002.3370082204.0000000002324000.00000004.00000800.00020000.00000000.sdmp, DO9uvdGMde.exe, 00000004.00000002.3367383037.00000000007D7000.00000004.00000020.00020000.00000000.sdmp, .exe, 00000009.00000002.3369881312.0000000003244000.00000004.00000800.00020000.00000000.sdmp, .exe, 00000009.00000002.3367193234.00000000014E7000.00000004.00000020.00020000.00000000.sdmp, .exe, 00000009.00000002.3367193234.000000000150D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://account.dyn.com/	DO9uvdGMde.exe, 00000000.00000002.2134026177.0000000003D79000.00000004.00000800.00020000.00000000.sdmp, .exe, 00000009.00000002.3366013811.0000000000436000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://ocsp.sectigo.com0	DO9uvdGMde.exe, 00000004.00000002.3370082204.0000000002324000.00000004.00000800.00020000.00000000.sdmp, DO9uvdGMde.exe, 00000004.00000002.3367383037.00000000007D7000.00000004.00000020.00020000.00000000.sdmp, .exe, 00000009.00000002.3369881312.0000000003244000.00000004.00000800.00020000.00000000.sdmp, .exe, 00000009.00000002.3367193234.00000000014E7000.00000004.00000020.00020000.00000000.sdmp, .exe, 00000009.00000002.3367193234.000000000150D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000007.00000002.2252453666.0000000004D52000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://aka.ms/pscore6lB	powershell.exe, 00000002.00000002.2118630596.0000000004CA1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2252453666.0000000004C01000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000007.00000002.2252453666.0000000004D52000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contoso.com/	powershell.exe, 00000007.00000002.2268478290.0000000005C6B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 00000002.00000002.2131924595.0000000005D0A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2268478290.0000000005C6B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/License	powershell.exe, 00000007.00000002.2268478290.0000000005C6B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/Icon	powershell.exe, 00000007.00000002.2268478290.0000000005C6B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://g.live.com/odclientsettings/ProdV21C:	svchost.exe, 00000005.00000003.2130371833.000001914B200000.00000004.00000800.00020000.00000000.sdmp, edb.log.5.dr	false	URL Reputation: safe	unknown
http://crl.ver)	svchost.exe, 00000005.00000002.3368027736.0000019145ACE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://wdcp.mi	.exe, 00000006.00000002.2263371366.0000000000A07000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.ipify.org/t	DO9uvdGMde.exe, 00000004.00000002.3370082204.00000000022A1000.00000004.00000800.00020000.00000000.sdmp, .exe, 00000009.00000002.3369881312.00000000031C1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://mail.privateemail.com	DO9uvdGMde.exe, 00000004.00000002.3370082204.000000000231C000.00000004.00000800.00020000.00000000.sdmp, .exe, 00000009.00000002.3369881312.000000000323C000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000002.00000002.2118630596.0000000004CA1000.00000004.00000800.00020000.00000000.sdmp, DO9uvdGMde.exe, 00000004.00000002.3370082204.00000000022A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2252453666.0000000004C01000.00000004.00000800.00020000.00000000.sdmp, .exe, 00000009.00000002.3369881312.00000000031C1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/Pester/Pester	powershell.exe, 00000007.00000002.2252453666.0000000004D52000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://go.mic	DO9uvdGMde.exe, 00000000.00000002.2129809023.0000000001109000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
198.54.122.135	mail.privateemail.com	United States		22612	NAMECHEAP-NETUS	true
104.26.13.205	api.ipify.org	United States		13335	CLOUDFLARENETUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1504107
Start date and time:	2024-09-04 14:50:10 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 49s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	14
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	DO9uvdGMde.exe renamed because original name is a hash value
Original Sample Name:	9ea0a0d830d560e34c04870341fac3631ded5d423ec8104fe3d56b62ff0668ac.exe
Detection:	MAL
Classification:	mal100.spre.troj.adwa.spyw.evad.winEXE@13/11@2/3
EGA Information:	Successful, ratio: 66.7%
HCA Information:	Successful, ratio: 100% Number of executed functions: 176 Number of non-executed functions: 3
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 184.28.90.27
Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, e16604.g.akamaiedge.net, ctldl.windowsupdate.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, dns.msftncsi.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target powershell.exe, PID 5040 because it is empty
Execution Graph export aborted for target powershell.exe, PID 5500 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: DO9uvdGMde.exe

Simulations

Behavior and APIs

Time	Type	Description
08:50:59	API Interceptor	48x Sleep call for process: DO9uvdGMde.exe modified
08:51:00	API Interceptor	5x Sleep call for process: powershell.exe modified
08:51:01	API Interceptor	2x Sleep call for process: svchost.exe modified
08:51:13	API Interceptor	37x Sleep call for process: .exe modified
14:51:04	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
198.54.122.135	4dALKsHYFM.exe	Get hash	malicious	AgentTesla, AsyncRAT, PureLog Stealer, zgRAT	Browse
	SecuriteInfo.com.W32.MSIL_Kryptik.KUK.gen.Eldorado.13479.2252.exe	Get hash	malicious	AgentTesla	Browse
	IMPORT PO2024-0961 ASTG.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse
	RFQ New Order - 57m#U00b3 LPG SEMI TRAILER 7 NOS.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse
	Solicitud de precio Img_Quotation PO 202400931.exe	Get hash	malicious	AgentTesla	Browse
	PO N#U00b0202415-0004 CULTER-ASSOCIETES_pdf.exe	Get hash	malicious	AgentTesla	Browse
	RFQ New Order - 57m#U00b3 LPG SEMI TRAILER 7 NOS.exe	Get hash	malicious	AgentTesla	Browse
	img_Zam#U00f3wienie - #20240716-A09461_pdf.com.exe	Get hash	malicious	AgentTesla	Browse
	Zam#U00f3wienie - #20240715-A09461_pdf.exe	Get hash	malicious	AgentTesla	Browse
	RFQ New Order - 57m#U00b3 LPG SEMI TRAILER 7 NOS.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse
104.26.13.205	fptlVDDPkS.dll	Get hash	malicious	Quasar	Browse	api.ipify.org/
	vstdlib_s64.dll.dll	Get hash	malicious	Quasar	Browse	api.ipify.org/
	vstdlib_s64.dll.dll	Get hash	malicious	Quasar	Browse	api.ipify.org/
	SecuriteInfo.com.Win64.Evo-gen.28044.10443.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	vstdlib_s64.dll.dll	Get hash	malicious	Quasar	Browse	api.ipify.org/
	golang-modules.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	SecuriteInfo.com.Trojan.Win64.Agent.14415.19839.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	242764.exe	Get hash	malicious	Ficker Stealer, Rusty Stealer	Browse	api.ipify.org/?format=wef
	Ransom.exe	Get hash	malicious	Targeted Ransomware, TrojanRansom	Browse	api.ipify.org/
	ld.exe	Get hash	malicious	Targeted Ransomware, TrojanRansom	Browse	api.ipify.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
mail.privateemail.com	4dALKsHYFM.exe	Get hash	malicious	AgentTesla, AsyncRAT, PureLog Stealer, zgRAT	Browse	198.54.122.135
	SecuriteInfo.com.W32.MSIL_Kryptik.KUK.gen.Eldorado.13479.2252.exe	Get hash	malicious	AgentTesla	Browse	198.54.122.135
	IMPORT PO2024-0961 ASTG.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse	198.54.122.135
	RFQ New Order - 57m#U00b3 LPG SEMI TRAILER 7 NOS.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse	198.54.122.135
	Solicitud de precio Img_Quotation PO 202400931.exe	Get hash	malicious	AgentTesla	Browse	198.54.122.135
	PO N#U00b0202415-0004 CULTER-ASSOCIETES_pdf.exe	Get hash	malicious	AgentTesla	Browse	198.54.122.135
	RFQ New Order - 57m#U00b3 LPG SEMI TRAILER 7 NOS.exe	Get hash	malicious	AgentTesla	Browse	198.54.122.135
	img_Zam#U00f3wienie - #20240716-A09461_pdf.com.exe	Get hash	malicious	AgentTesla	Browse	198.54.122.135
	Zam#U00f3wienie - #20240715-A09461_pdf.exe	Get hash	malicious	AgentTesla	Browse	198.54.122.135
	RFQ New Order - 57m#U00b3 LPG SEMI TRAILER 7 NOS.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse	198.54.122.135
api.ipify.org	fsqmM6GK7v.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.13.205
	z17invoice.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	Payment Confirmation Documents.vbe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	po89654.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	EVER V-2408 - VESSEL DETAILS.xlsx.scr.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	CSC LEADER VOY.1 PARTICULARS.pdf.scr.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	http://ipfs.io/ipns/k51qzi5uqu5dhrye4cl9jgj17k94vzpzjxfa8oougs30gvfbtzu2d60vboy90p	Get hash	malicious	HTMLPhisher	Browse	104.26.12.205
	JAE-2408001146..exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	https://bergtool-my.sharepoint.com/:f:/p/officemgr/EkAEY_TxWUpGjuhgV5jRSO8BD2acB1HjNb72Far_j2tXBg?e=T7fVyK	Get hash	malicious	EvilProxy	Browse	104.26.13.205
	Inquiry PDA (S.S. Pacific Enlighten)_pdf.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	fsqmM6GK7v.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.13.205
	9DP4y36Dlu.exe	Get hash	malicious	Unknown	Browse	188.114.97.3
	QZyFrUDVA9.exe	Get hash	malicious	Unknown	Browse	104.26.10.3
	http://accounts.aptia365.com	Get hash	malicious	Unknown	Browse	104.17.31.174
	4wx72yFLka.exe	Get hash	malicious	Python Stealer, CStealer, Chaos	Browse	104.26.3.16
	9DP4y36Dlu.exe	Get hash	malicious	Unknown	Browse	188.114.96.3
	0U9NY2PzhK.exe	Get hash	malicious	Python Stealer, CStealer, Chaos	Browse	172.67.75.40
	icTynpKakZ.exe	Get hash	malicious	Unknown	Browse	104.26.11.3
	qlk8old6p9.exe	Get hash	malicious	Python Stealer, CStealer, Chaos	Browse	172.67.75.40
	04-09.htm	Get hash	malicious	Unknown	Browse	104.17.25.14
NAMECHEAP-NETUS	https://www.google.com/url?q=https://google.com/url?hl%3Den%26q%3Dhttps://google.com/url?q%3DJFt7SBpfnkz37NXTPycl%26rct%3DecYm4gDyqlWjNVTtaSh7%26sa%3Dt%26esrc%3DyN3TRjFzCWurgbW1vOG4%26source%3DzcMGnUNgngXYWBYW2c3r%26cd%3DqBH0Ch4Gn8VGtKfHcUPR%26cad%3D0q4c3js52qUrSH6rI5Ux%26ved%3DxpZpiH8kwVo72kkPvwUH%26uact%3DhzYhur4iRKYoiuCfwC6s%26url%3Damp%252Fareaazul.com.mx%252F.beans%252F&source=gmail&ust=1725454484963000&usg=AOvVaw2xy0LT_ByjSLCoEqCzpyxV#e3YsAE-SURELILYZmFiM3NtcF9wY0BnbG9iYWxmb3VuZHJpZXMuY29t	Get hash	malicious	HTMLPhisher	Browse	198.54.114.158
	https://urlz.fr/rXqt	Get hash	malicious	Unknown	Browse	63.250.43.13
	https://fvrihg-f42780.ingress-daribow.ewp.live/wp-content/plugins/sdnww/pages/region.php	Get hash	malicious	Unknown	Browse	63.250.43.14
	https://www.facebook-web.qatara.org/	Get hash	malicious	Unknown	Browse	199.188.200.104
	https://facebook-web.qatara.org/	Get hash	malicious	Unknown	Browse	199.188.200.104
	https://urlz.fr/rYuE	Get hash	malicious	Unknown	Browse	63.250.43.129
	https://ventra-f1bc7c.ingress-earth.ewp.live/wp-content/plugins/nwcalink/pages/region.php	Get hash	malicious	Unknown	Browse	63.250.43.129
	https://ventra-f1bc7c.ingress-earth.ewp.live/wp-content/plugins/nwcalink/	Get hash	malicious	Unknown	Browse	63.250.43.129
	file.exe	Get hash	malicious	Clipboard Hijacker, Stealc, Vidar	Browse	198.54.120.231
	file.exe	Get hash	malicious	Clipboard Hijacker, Stealc, Vidar	Browse	198.54.120.231

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	fsqmM6GK7v.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.13.205
	9DP4y36Dlu.exe	Get hash	malicious	Unknown	Browse	104.26.13.205
	yuwPQpck2K.exe	Get hash	malicious	PureLog Stealer, WhiteSnake Stealer, zgRAT	Browse	104.26.13.205
	9DP4y36Dlu.exe	Get hash	malicious	Unknown	Browse	104.26.13.205
	Dropper.bat	Get hash	malicious	LockBit ransomware	Browse	104.26.13.205
	PO0004092024.scr	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.26.13.205
	uxMCGUELJd.exe	Get hash	malicious	Zorab	Browse	104.26.13.205
	rDocumentPurchaseOrder202998.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.26.13.205
	z17invoice.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	uxMCGUELJd.exe	Get hash	malicious	Zorab	Browse	104.26.13.205

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.726307331501471
Encrypted:	false
SSDEEP:	1536:9J8s6YR3pnhWKInznxTgScwXhCeEcrKYSZNmTHk4UQJ32aqGT46yAwFM5hA7yH0L:9JZj5MiKNnNhoxu+
MD5:	365A730627BD19D7ABF626DACBF8214C
SHA1:	431A6D9BD9969B6B48742A21B9CC2F34E3638AF3
SHA-256:	B2E4A3194D69BD108B3E8B633C8B821364BAFB1C9181004C0EC0F1A3C05163B2
SHA-512:	5D8966CA05FC69045DFF2804D904FBDEA1A20FFD6EBD21ADFE767307E46204C8BED39F5F02C7DB414BF119979BF4EA6759ACE6594FA13E2C147EA9805D21E0D4
Malicious:	false
Reputation:	low
Preview:	...........@..@9....{...;...{..........<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@....................................Fajaj.#.........`h.................h.......6.......X\...;...{..................C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b....................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	Extensible storage user DataBase, version 0x620, checksum 0x9d870a1c, page size 16384, DirtyShutdown, Windows version 10.0
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.7556005821171399
Encrypted:	false
SSDEEP:	1536:tSB2ESB2SSjlK/svFH03N9Jdt8lYkr3g16xj2UPkLk+kLWyrufTRryrUYc//kbxW:tazaSvGJzYj2UlmOlOL
MD5:	BE4F98F138268950E4FB8B29CF1087CC
SHA1:	2C8791AD7AD9CF654BFCCFF995F7001D92D034A1
SHA-256:	B1AB6DD57C93E78AF0C2040DF937D3BB7812C75200074131E010DA1D0622845B
SHA-512:	93B328A6F720203636D3A25AAE44B0F39302C6E59B58070BF7DAD696C840E7B33800EF87556CE40F277673539ABB429B3E77A339E7E7B07829BDD3ACE7DA6EF2
Malicious:	false
Reputation:	low
Preview:	....... .......7.......X\...;...{......................0.e......!...{?..3...\|..h.g.........................D./..;...{..........................................................................................................eJ......n....@...................................................................................................... .......9....{...............................................................................................................................................................................................2...{..................................j._.3...\|....................Y..3...\|...........................#......h.g.....................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.08054355096943144
Encrypted:	false
SSDEEP:	3:KlKYeTusijEENaAPaU1lTzRxlYlluxmO+l/SNxOf:KlKzTzENDPaUGgmOH
MD5:	E48E35644F0B4A2DE20C1F076267D1B7
SHA1:	F41CE85EA02CB4DD4C42CE0AEEFDF1264F589E01
SHA-256:	F180726A58F02B1E0B955B82E059758D206EE34B7EA81A1E766E4A6E562FD0B9
SHA-512:	8E3BF3C99D2F4C3B821A666937DC4F77A7C5DC3F0B28BF74EF62ABC5CC13CB02E42635BB5CBEBC563B8A5E59FC1F4DED8877B21EC83471C63F1EE77BFD726E31
Malicious:	false
Reputation:	low
Preview:	.i&......................................;...{...3...\|...!...{?..........!...{?..!...{?..g...!...{?...................Y..3...\|..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	1248
Entropy (8bit):	5.374225325640587
Encrypted:	false
SSDEEP:	24:3vZ4WSKco4KmZjKbm51s4RPT6moUebIKo+mZ9tXt/NK3R8UHr2:SWSU4xymI4RfoUeW+mZ9tlNWR8Wi
MD5:	E3101FAB39034FDB798D8EFA107C0065
SHA1:	1F70F289500E531F56DA4C271A4B2B78FCD4D70A
SHA-256:	C47ECA48C797627128BF0614E6BA82C8924B0C762A06ADD7EFF09764916FDA07
SHA-512:	772587C9FDBEB376892DC144BA5AEAD3EC9E1B00E2CB2F9D2507E0950A5ACC4ED5582A77E6AB63A09DE121C2FF2693A830A1537B8401C18F67B5EB353F43C724
Malicious:	false
Reputation:	low
Preview:	@...e.................................:..............@..........P................1]...E...........(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...\|...........System.Configuration4.................%...K... ...........System.Xml..L.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.H................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.D....................+.H..!...e........System.Configuration.Ins

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3hfpmjoh.3po.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_f5wrc2wf.iwg.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fjxiqozw.dp0.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fp4axhbv.oq5.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	825344
Entropy (8bit):	7.347490812109814
Encrypted:	false
SSDEEP:	12288:9hpUdvndmMPW31fFnBD3UvELOEG5hLESBRiZSg9nRzlMQeYJV0SdbmmRsGCN:94Fng91fl6vVPYqI9ntqWySsmRw
MD5:	0CE8F39E540C12F1FB211F830B29D089
SHA1:	AB1AD00D47F2C0EF73713D5B8B3DCD2EC5FD71E4
SHA-256:	9EA0A0D830D560E34C04870341FAC3631DED5D423EC8104FE3D56B62FF0668AC
SHA-512:	073DDE0AD37C89E26DF133A2E5488B22F2FD1ACFCD038EEEDF1331BC36E774F22077663BC96E92150BE313F84E241FB20C3F2E8B8BC7E8D80AAD2DAE8D453DC9
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 66%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...uw ...............0.................. ........@.. ....................................@.....................................W.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H........v...5..........T...................................................( ) ....&.(1.....".......".(6....Vs....(7...t............}.....(8.....~5...tv...(9...&.(........(.........".s....&.r...p.4...(Z...(%...o[...o\....#..5....(]....0.......}3....(1.......{3....X.....}2...z.(1.......}6.....}7.....}8...z.()...-..(...,.r...p.(c...."..(+...2~9....od.....oe..../....of...._3...of...._3...of...._........(i....~:....(/...,.r...p......%...%...(n.....(o...*.(/

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe:Zone.Identifier

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	55
Entropy (8bit):	4.306461250274409
Encrypted:	false
SSDEEP:	3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
MD5:	DCA83F08D448911A14C22EBCACC5AD57
SHA1:	91270525521B7FE0D986DB19747F47D34B6318AD
SHA-256:	2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
SHA-512:	96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
Malicious:	false
Preview:	{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.347490812109814
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	DO9uvdGMde.exe
File size:	825'344 bytes
MD5:	0ce8f39e540c12f1fb211f830b29d089
SHA1:	ab1ad00d47f2c0ef73713d5b8b3dcd2ec5fd71e4
SHA256:	9ea0a0d830d560e34c04870341fac3631ded5d423ec8104fe3d56b62ff0668ac
SHA512:	073dde0ad37c89e26df133a2e5488b22f2fd1acfcd038eeedf1331bc36e774f22077663bc96e92150be313f84e241fb20c3f2e8b8bc7e8d80aad2dae8d453dc9
SSDEEP:	12288:9hpUdvndmMPW31fFnBD3UvELOEG5hLESBRiZSg9nRzlMQeYJV0SdbmmRsGCN:94Fng91fl6vVPYqI9ntqWySsmRw
TLSH:	D905CE593BE4087AC53E86BBF4E140381AB0B51225E2CA1918CE3DFC6DD7B91895367F
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...uw ...............0.................. ........@.. ....................................@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x4cacfe
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xBA207775 [Fri Dec 14 05:51:49 2068 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xcaca4	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xcc000	0x5a6	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xce000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xc8d04	0xc8e00	30d4e54c29ebbdadd387e40a8be47cbb	False	0.5977194500622277	data	7.35517204613953	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xcc000	0x5a6	0x600	50a8cc83b8ef9669e19f3643b815f04a	False	0.4140625	data	4.059206514635826	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xce000	0xc	0x200	e7cf008b3b9b20124dc1413088f5b1fc	False	0.041015625	data	0.07763316234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xcc0a0	0x31c	data			0.42336683417085424
RT_MANIFEST	0xcc3bc	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 4, 2024 14:51:02.950974941 CEST	49712	443	192.168.2.6	104.26.13.205
Sep 4, 2024 14:51:02.951014996 CEST	443	49712	104.26.13.205	192.168.2.6
Sep 4, 2024 14:51:02.951108932 CEST	49712	443	192.168.2.6	104.26.13.205
Sep 4, 2024 14:51:02.957391024 CEST	49712	443	192.168.2.6	104.26.13.205
Sep 4, 2024 14:51:02.957406998 CEST	443	49712	104.26.13.205	192.168.2.6
Sep 4, 2024 14:51:03.456953049 CEST	443	49712	104.26.13.205	192.168.2.6
Sep 4, 2024 14:51:03.457170010 CEST	49712	443	192.168.2.6	104.26.13.205
Sep 4, 2024 14:51:03.461205959 CEST	49712	443	192.168.2.6	104.26.13.205
Sep 4, 2024 14:51:03.461219072 CEST	443	49712	104.26.13.205	192.168.2.6
Sep 4, 2024 14:51:03.461570024 CEST	443	49712	104.26.13.205	192.168.2.6
Sep 4, 2024 14:51:03.502734900 CEST	49712	443	192.168.2.6	104.26.13.205
Sep 4, 2024 14:51:03.510337114 CEST	49712	443	192.168.2.6	104.26.13.205
Sep 4, 2024 14:51:03.556499958 CEST	443	49712	104.26.13.205	192.168.2.6
Sep 4, 2024 14:51:03.629656076 CEST	443	49712	104.26.13.205	192.168.2.6
Sep 4, 2024 14:51:03.629725933 CEST	443	49712	104.26.13.205	192.168.2.6
Sep 4, 2024 14:51:03.629822016 CEST	49712	443	192.168.2.6	104.26.13.205
Sep 4, 2024 14:51:03.639408112 CEST	49712	443	192.168.2.6	104.26.13.205
Sep 4, 2024 14:51:04.202230930 CEST	49713	587	192.168.2.6	198.54.122.135
Sep 4, 2024 14:51:04.207048893 CEST	587	49713	198.54.122.135	192.168.2.6
Sep 4, 2024 14:51:04.207274914 CEST	49713	587	192.168.2.6	198.54.122.135
Sep 4, 2024 14:51:05.838196039 CEST	587	49713	198.54.122.135	192.168.2.6
Sep 4, 2024 14:51:05.838411093 CEST	49713	587	192.168.2.6	198.54.122.135
Sep 4, 2024 14:51:05.843388081 CEST	587	49713	198.54.122.135	192.168.2.6
Sep 4, 2024 14:51:06.144074917 CEST	587	49713	198.54.122.135	192.168.2.6
Sep 4, 2024 14:51:06.146624088 CEST	49713	587	192.168.2.6	198.54.122.135
Sep 4, 2024 14:51:06.151691914 CEST	587	49713	198.54.122.135	192.168.2.6
Sep 4, 2024 14:51:06.438324928 CEST	587	49713	198.54.122.135	192.168.2.6
Sep 4, 2024 14:51:06.438926935 CEST	49713	587	192.168.2.6	198.54.122.135
Sep 4, 2024 14:51:06.443769932 CEST	587	49713	198.54.122.135	192.168.2.6
Sep 4, 2024 14:51:06.732594967 CEST	587	49713	198.54.122.135	192.168.2.6
Sep 4, 2024 14:51:06.732618093 CEST	587	49713	198.54.122.135	192.168.2.6
Sep 4, 2024 14:51:06.732631922 CEST	587	49713	198.54.122.135	192.168.2.6
Sep 4, 2024 14:51:06.732644081 CEST	587	49713	198.54.122.135	192.168.2.6
Sep 4, 2024 14:51:06.732656956 CEST	587	49713	198.54.122.135	192.168.2.6
Sep 4, 2024 14:51:06.732665062 CEST	49713	587	192.168.2.6	198.54.122.135
Sep 4, 2024 14:51:06.732716084 CEST	49713	587	192.168.2.6	198.54.122.135
Sep 4, 2024 14:51:06.760888100 CEST	49713	587	192.168.2.6	198.54.122.135
Sep 4, 2024 14:51:06.766906023 CEST	587	49713	198.54.122.135	192.168.2.6
Sep 4, 2024 14:51:07.055286884 CEST	587	49713	198.54.122.135	192.168.2.6
Sep 4, 2024 14:51:07.058489084 CEST	49713	587	192.168.2.6	198.54.122.135
Sep 4, 2024 14:51:07.065732002 CEST	587	49713	198.54.122.135	192.168.2.6
Sep 4, 2024 14:51:07.358938932 CEST	587	49713	198.54.122.135	192.168.2.6
Sep 4, 2024 14:51:07.404167891 CEST	49713	587	192.168.2.6	198.54.122.135
Sep 4, 2024 14:51:07.409491062 CEST	587	49713	198.54.122.135	192.168.2.6
Sep 4, 2024 14:51:07.697976112 CEST	587	49713	198.54.122.135	192.168.2.6
Sep 4, 2024 14:51:07.699135065 CEST	49713	587	192.168.2.6	198.54.122.135
Sep 4, 2024 14:51:07.703924894 CEST	587	49713	198.54.122.135	192.168.2.6
Sep 4, 2024 14:51:07.993705034 CEST	587	49713	198.54.122.135	192.168.2.6
Sep 4, 2024 14:51:07.994004965 CEST	49713	587	192.168.2.6	198.54.122.135
Sep 4, 2024 14:51:07.998850107 CEST	587	49713	198.54.122.135	192.168.2.6
Sep 4, 2024 14:51:08.288562059 CEST	587	49713	198.54.122.135	192.168.2.6
Sep 4, 2024 14:51:08.288938999 CEST	49713	587	192.168.2.6	198.54.122.135
Sep 4, 2024 14:51:08.293754101 CEST	587	49713	198.54.122.135	192.168.2.6
Sep 4, 2024 14:51:08.617438078 CEST	587	49713	198.54.122.135	192.168.2.6
Sep 4, 2024 14:51:08.617655993 CEST	49713	587	192.168.2.6	198.54.122.135
Sep 4, 2024 14:51:08.622759104 CEST	587	49713	198.54.122.135	192.168.2.6
Sep 4, 2024 14:51:08.910018921 CEST	587	49713	198.54.122.135	192.168.2.6
Sep 4, 2024 14:51:08.910840988 CEST	49713	587	192.168.2.6	198.54.122.135
Sep 4, 2024 14:51:08.910948992 CEST	49713	587	192.168.2.6	198.54.122.135
Sep 4, 2024 14:51:08.911027908 CEST	49713	587	192.168.2.6	198.54.122.135
Sep 4, 2024 14:51:08.911051989 CEST	49713	587	192.168.2.6	198.54.122.135
Sep 4, 2024 14:51:08.915822029 CEST	587	49713	198.54.122.135	192.168.2.6
Sep 4, 2024 14:51:08.915890932 CEST	587	49713	198.54.122.135	192.168.2.6
Sep 4, 2024 14:51:08.915899992 CEST	587	49713	198.54.122.135	192.168.2.6
Sep 4, 2024 14:51:08.915910006 CEST	587	49713	198.54.122.135	192.168.2.6
Sep 4, 2024 14:51:09.588355064 CEST	587	49713	198.54.122.135	192.168.2.6
Sep 4, 2024 14:51:09.643315077 CEST	49713	587	192.168.2.6	198.54.122.135
Sep 4, 2024 14:51:15.929467916 CEST	49719	443	192.168.2.6	104.26.13.205
Sep 4, 2024 14:51:15.929537058 CEST	443	49719	104.26.13.205	192.168.2.6
Sep 4, 2024 14:51:15.929670095 CEST	49719	443	192.168.2.6	104.26.13.205
Sep 4, 2024 14:51:15.933310986 CEST	49719	443	192.168.2.6	104.26.13.205
Sep 4, 2024 14:51:15.933326006 CEST	443	49719	104.26.13.205	192.168.2.6
Sep 4, 2024 14:51:16.418093920 CEST	443	49719	104.26.13.205	192.168.2.6
Sep 4, 2024 14:51:16.418170929 CEST	49719	443	192.168.2.6	104.26.13.205
Sep 4, 2024 14:51:16.419995070 CEST	49719	443	192.168.2.6	104.26.13.205
Sep 4, 2024 14:51:16.420017958 CEST	443	49719	104.26.13.205	192.168.2.6
Sep 4, 2024 14:51:16.420259953 CEST	443	49719	104.26.13.205	192.168.2.6
Sep 4, 2024 14:51:16.471436977 CEST	49719	443	192.168.2.6	104.26.13.205
Sep 4, 2024 14:51:16.479564905 CEST	49719	443	192.168.2.6	104.26.13.205
Sep 4, 2024 14:51:16.520504951 CEST	443	49719	104.26.13.205	192.168.2.6
Sep 4, 2024 14:51:16.593954086 CEST	443	49719	104.26.13.205	192.168.2.6
Sep 4, 2024 14:51:16.594053030 CEST	443	49719	104.26.13.205	192.168.2.6
Sep 4, 2024 14:51:16.594105005 CEST	49719	443	192.168.2.6	104.26.13.205
Sep 4, 2024 14:51:16.596540928 CEST	49719	443	192.168.2.6	104.26.13.205
Sep 4, 2024 14:51:17.181515932 CEST	49720	587	192.168.2.6	198.54.122.135
Sep 4, 2024 14:51:17.186618090 CEST	587	49720	198.54.122.135	192.168.2.6
Sep 4, 2024 14:51:17.186693907 CEST	49720	587	192.168.2.6	198.54.122.135
Sep 4, 2024 14:51:17.935452938 CEST	587	49720	198.54.122.135	192.168.2.6
Sep 4, 2024 14:51:17.937712908 CEST	49720	587	192.168.2.6	198.54.122.135
Sep 4, 2024 14:51:17.942487955 CEST	587	49720	198.54.122.135	192.168.2.6
Sep 4, 2024 14:51:18.221385002 CEST	587	49720	198.54.122.135	192.168.2.6
Sep 4, 2024 14:51:18.222395897 CEST	49720	587	192.168.2.6	198.54.122.135
Sep 4, 2024 14:51:18.228812933 CEST	587	49720	198.54.122.135	192.168.2.6
Sep 4, 2024 14:51:18.505697966 CEST	587	49720	198.54.122.135	192.168.2.6
Sep 4, 2024 14:51:18.506109953 CEST	49720	587	192.168.2.6	198.54.122.135
Sep 4, 2024 14:51:18.510956049 CEST	587	49720	198.54.122.135	192.168.2.6
Sep 4, 2024 14:51:18.791261911 CEST	587	49720	198.54.122.135	192.168.2.6
Sep 4, 2024 14:51:18.791277885 CEST	587	49720	198.54.122.135	192.168.2.6
Sep 4, 2024 14:51:18.791290998 CEST	587	49720	198.54.122.135	192.168.2.6
Sep 4, 2024 14:51:18.791325092 CEST	587	49720	198.54.122.135	192.168.2.6
Sep 4, 2024 14:51:18.791331053 CEST	49720	587	192.168.2.6	198.54.122.135
Sep 4, 2024 14:51:18.791338921 CEST	587	49720	198.54.122.135	192.168.2.6
Sep 4, 2024 14:51:18.791359901 CEST	49720	587	192.168.2.6	198.54.122.135
Sep 4, 2024 14:51:18.793211937 CEST	49720	587	192.168.2.6	198.54.122.135
Sep 4, 2024 14:51:18.797990084 CEST	587	49720	198.54.122.135	192.168.2.6
Sep 4, 2024 14:51:19.077799082 CEST	587	49720	198.54.122.135	192.168.2.6
Sep 4, 2024 14:51:19.083772898 CEST	49720	587	192.168.2.6	198.54.122.135
Sep 4, 2024 14:51:19.088716984 CEST	587	49720	198.54.122.135	192.168.2.6
Sep 4, 2024 14:51:19.374330997 CEST	587	49720	198.54.122.135	192.168.2.6
Sep 4, 2024 14:51:19.374716997 CEST	49720	587	192.168.2.6	198.54.122.135
Sep 4, 2024 14:51:19.380048037 CEST	587	49720	198.54.122.135	192.168.2.6
Sep 4, 2024 14:51:19.660769939 CEST	587	49720	198.54.122.135	192.168.2.6
Sep 4, 2024 14:51:19.661269903 CEST	49720	587	192.168.2.6	198.54.122.135
Sep 4, 2024 14:51:19.666189909 CEST	587	49720	198.54.122.135	192.168.2.6
Sep 4, 2024 14:51:19.948513985 CEST	587	49720	198.54.122.135	192.168.2.6
Sep 4, 2024 14:51:19.948849916 CEST	49720	587	192.168.2.6	198.54.122.135
Sep 4, 2024 14:51:19.953691006 CEST	587	49720	198.54.122.135	192.168.2.6
Sep 4, 2024 14:51:20.235172033 CEST	587	49720	198.54.122.135	192.168.2.6
Sep 4, 2024 14:51:20.235630989 CEST	49720	587	192.168.2.6	198.54.122.135
Sep 4, 2024 14:51:20.240679979 CEST	587	49720	198.54.122.135	192.168.2.6
Sep 4, 2024 14:51:20.547689915 CEST	587	49720	198.54.122.135	192.168.2.6
Sep 4, 2024 14:51:20.550353050 CEST	49720	587	192.168.2.6	198.54.122.135
Sep 4, 2024 14:51:20.555222988 CEST	587	49720	198.54.122.135	192.168.2.6
Sep 4, 2024 14:51:20.834726095 CEST	587	49720	198.54.122.135	192.168.2.6
Sep 4, 2024 14:51:20.835494041 CEST	49720	587	192.168.2.6	198.54.122.135
Sep 4, 2024 14:51:20.835544109 CEST	49720	587	192.168.2.6	198.54.122.135
Sep 4, 2024 14:51:20.835560083 CEST	49720	587	192.168.2.6	198.54.122.135
Sep 4, 2024 14:51:20.835582972 CEST	49720	587	192.168.2.6	198.54.122.135
Sep 4, 2024 14:51:20.840336084 CEST	587	49720	198.54.122.135	192.168.2.6
Sep 4, 2024 14:51:20.840378046 CEST	587	49720	198.54.122.135	192.168.2.6
Sep 4, 2024 14:51:20.840456963 CEST	587	49720	198.54.122.135	192.168.2.6
Sep 4, 2024 14:51:20.840476990 CEST	587	49720	198.54.122.135	192.168.2.6
Sep 4, 2024 14:51:21.490576029 CEST	587	49720	198.54.122.135	192.168.2.6
Sep 4, 2024 14:51:21.533977985 CEST	49720	587	192.168.2.6	198.54.122.135
Sep 4, 2024 14:52:44.221997023 CEST	49713	587	192.168.2.6	198.54.122.135
Sep 4, 2024 14:52:44.227869034 CEST	587	49713	198.54.122.135	192.168.2.6
Sep 4, 2024 14:52:44.511979103 CEST	587	49713	198.54.122.135	192.168.2.6
Sep 4, 2024 14:52:44.512026072 CEST	587	49713	198.54.122.135	192.168.2.6
Sep 4, 2024 14:52:44.512128115 CEST	49713	587	192.168.2.6	198.54.122.135
Sep 4, 2024 14:52:44.512569904 CEST	49713	587	192.168.2.6	198.54.122.135
Sep 4, 2024 14:52:44.517302036 CEST	587	49713	198.54.122.135	192.168.2.6
Sep 4, 2024 14:52:57.206446886 CEST	49720	587	192.168.2.6	198.54.122.135
Sep 4, 2024 14:52:57.211396933 CEST	587	49720	198.54.122.135	192.168.2.6
Sep 4, 2024 14:52:57.495517015 CEST	587	49720	198.54.122.135	192.168.2.6
Sep 4, 2024 14:52:57.495683908 CEST	587	49720	198.54.122.135	192.168.2.6
Sep 4, 2024 14:52:57.495793104 CEST	49720	587	192.168.2.6	198.54.122.135
Sep 4, 2024 14:52:57.496171951 CEST	49720	587	192.168.2.6	198.54.122.135
Sep 4, 2024 14:52:57.504785061 CEST	587	49720	198.54.122.135	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 4, 2024 14:51:02.937597036 CEST	55324	53	192.168.2.6	1.1.1.1
Sep 4, 2024 14:51:02.945146084 CEST	53	55324	1.1.1.1	192.168.2.6
Sep 4, 2024 14:51:04.193612099 CEST	50710	53	192.168.2.6	1.1.1.1
Sep 4, 2024 14:51:04.201461077 CEST	53	50710	1.1.1.1	192.168.2.6
Sep 4, 2024 14:51:19.760016918 CEST	53	62779	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Sep 4, 2024 14:51:02.937597036 CEST	192.168.2.6	1.1.1.1	0x2ddc	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false
Sep 4, 2024 14:51:04.193612099 CEST	192.168.2.6	1.1.1.1	0xb5e5	Standard query (0)	mail.privateemail.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Sep 4, 2024 14:51:02.945146084 CEST	1.1.1.1	192.168.2.6	0x2ddc	No error (0)	api.ipify.org	104.26.13.205	A (IP address)	IN (0x0001)	false
Sep 4, 2024 14:51:02.945146084 CEST	1.1.1.1	192.168.2.6	0x2ddc	No error (0)	api.ipify.org	172.67.74.152	A (IP address)	IN (0x0001)	false
Sep 4, 2024 14:51:02.945146084 CEST	1.1.1.1	192.168.2.6	0x2ddc	No error (0)	api.ipify.org	104.26.12.205	A (IP address)	IN (0x0001)	false
Sep 4, 2024 14:51:04.201461077 CEST	1.1.1.1	192.168.2.6	0xb5e5	No error (0)	mail.privateemail.com	198.54.122.135	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

api.ipify.org

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49712	104.26.13.205	443	3236	C:\Users\user\Desktop\DO9uvdGMde.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-04 12:51:03 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2024-09-04 12:51:03 UTC	211	IN	HTTP/1.1 200 OK Date: Wed, 04 Sep 2024 12:51:03 GMT Content-Type: text/plain Content-Length: 11 Connection: close Vary: Origin CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 8bde1bdb48a743ab-EWR
2024-09-04 12:51:03 UTC	11	IN	Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33 Data Ascii: 8.46.123.33

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49719	104.26.13.205	443	1464	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-04 12:51:16 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2024-09-04 12:51:16 UTC	211	IN	HTTP/1.1 200 OK Date: Wed, 04 Sep 2024 12:51:16 GMT Content-Type: text/plain Content-Length: 11 Connection: close Vary: Origin CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 8bde1c2c4f588cb9-EWR
2024-09-04 12:51:16 UTC	11	IN	Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33 Data Ascii: 8.46.123.33

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Sep 4, 2024 14:51:05.838196039 CEST	587	49713	198.54.122.135	192.168.2.6	220 PrivateEmail.com prod Mail Node
Sep 4, 2024 14:51:05.838411093 CEST	49713	587	192.168.2.6	198.54.122.135	EHLO 114127
Sep 4, 2024 14:51:06.144074917 CEST	587	49713	198.54.122.135	192.168.2.6	250-mta-05.privateemail.com 250-PIPELINING 250-SIZE 81788928 250-ETRN 250-AUTH PLAIN LOGIN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250-CHUNKING 250 STARTTLS
Sep 4, 2024 14:51:06.146624088 CEST	49713	587	192.168.2.6	198.54.122.135	STARTTLS
Sep 4, 2024 14:51:06.438324928 CEST	587	49713	198.54.122.135	192.168.2.6	220 Ready to start TLS
Sep 4, 2024 14:51:17.935452938 CEST	587	49720	198.54.122.135	192.168.2.6	220 PrivateEmail.com prod Mail Node
Sep 4, 2024 14:51:17.937712908 CEST	49720	587	192.168.2.6	198.54.122.135	EHLO 114127
Sep 4, 2024 14:51:18.221385002 CEST	587	49720	198.54.122.135	192.168.2.6	250-mta-05.privateemail.com 250-PIPELINING 250-SIZE 81788928 250-ETRN 250-AUTH PLAIN LOGIN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250-CHUNKING 250 STARTTLS
Sep 4, 2024 14:51:18.222395897 CEST	49720	587	192.168.2.6	198.54.122.135	STARTTLS
Sep 4, 2024 14:51:18.505697966 CEST	587	49720	198.54.122.135	192.168.2.6	220 Ready to start TLS

Target ID:	0
Start time:	08:50:59
Start date:	04/09/2024
Path:	C:\Users\user\Desktop\DO9uvdGMde.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\DO9uvdGMde.exe"
Imagebase:	0x920000
File size:	825'344 bytes
MD5 hash:	0CE8F39E540C12F1FB211F830B29D089
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2134026177.0000000003D79000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.2134026177.0000000003D79000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	08:51:00
Start date:	04/09/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\Desktop\DO9uvdGMde.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe'
Imagebase:	0x1f0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	08:51:00
Start date:	04/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	08:51:01
Start date:	04/09/2024
Path:	C:\Users\user\Desktop\DO9uvdGMde.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\DO9uvdGMde.exe"
Imagebase:	0x50000
File size:	825'344 bytes
MD5 hash:	0CE8F39E540C12F1FB211F830B29D089
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.3370082204.000000000231C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.3370082204.0000000002324000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.3370082204.00000000022F1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.3370082204.00000000022F1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.3366188626.0000000000537000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	08:51:01
Start date:	04/09/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase:	0x7ff7403e0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	08:51:12
Start date:	04/09/2024
Path:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe"
Imagebase:	0x140000
File size:	825'344 bytes
MD5 hash:	0CE8F39E540C12F1FB211F830B29D089
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 66%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	08:51:13
Start date:	04/09/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe'
Imagebase:	0x1f0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	08:51:13
Start date:	04/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	08:51:14
Start date:	04/09/2024
Path:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe"
Imagebase:	0xd90000
File size:	825'344 bytes
MD5 hash:	0CE8F39E540C12F1FB211F830B29D089
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.3369881312.0000000003244000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.3369881312.0000000003211000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.3369881312.0000000003211000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.3369881312.000000000323C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	7.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	49
Total number of Limit Nodes:	6

Executed Functions

Function 02D1A690 Relevance: 1.7, APIs: 1, Instructions: 197
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 02D1A8E6

Memory Dump Source

Source File: 00000000.00000002.2133126077.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d10000_DO9uvdGMde.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: a2f94c5b0f24641d5050174141929ecb6c50d371201d1b6eb62586f9bdb02838
Instruction ID: e5ffe049dbebbd2391a9daa40a491b29461ce6a88bf6f3d7d3122d2dcc765653
Opcode Fuzzy Hash: a2f94c5b0f24641d5050174141929ecb6c50d371201d1b6eb62586f9bdb02838
Instruction Fuzzy Hash: AA7132B0A01B059FDB24DF2AE05475ABBF1FF88204F10892DD48AC7B50DB74E949CB90

Function 02D1FAF8 Relevance: 1.6, APIs: 1, Instructions: 72
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 02D1FB90

Memory Dump Source

Source File: 00000000.00000002.2133126077.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d10000_DO9uvdGMde.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: bb4c9926f15e105b5bf6db4d21bd234e8bb663504f88cdcb5fd90e6c3e6c3262
Instruction ID: 4f9dc008a32b3ef3d7fd2c2314aa380e39b56dbfe37e13ec0cb3575b4d1fbc50
Opcode Fuzzy Hash: bb4c9926f15e105b5bf6db4d21bd234e8bb663504f88cdcb5fd90e6c3e6c3262
Instruction Fuzzy Hash: 172115B69003499FDB10CFA9C985BDEBBF5FF88310F108429E958A7740C7789954CBA5

Function 02D1FB00 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 02D1FB90

Memory Dump Source

Source File: 00000000.00000002.2133126077.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d10000_DO9uvdGMde.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 8f3e476c10ef3ad6cb835f5c548b89798aa9e1ac26c620b5e6d926edf5a4aaaf
Instruction ID: dce482877c50b61b2a62a79c93e6cdf94087730b1921a054e1deb88f31675443
Opcode Fuzzy Hash: 8f3e476c10ef3ad6cb835f5c548b89798aa9e1ac26c620b5e6d926edf5a4aaaf
Instruction Fuzzy Hash: 902124B59003499FDB10CFAAC981BDEBBF5FF88310F10842AE958A7740C7789954CBA5

Function 02D1FA20 Relevance: 1.6, APIs: 1, Instructions: 66
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 02D1FAA6

Memory Dump Source

Source File: 00000000.00000002.2133126077.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d10000_DO9uvdGMde.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: b96e48b3c1d1250950ee4ffb2f501871b4f1bd80c925e29353ce8927a928c595
Instruction ID: 6b83ffaa38c0f7285f1a60409d3e7890e34eeb8e10df15de109a3c9b6abc444b
Opcode Fuzzy Hash: b96e48b3c1d1250950ee4ffb2f501871b4f1bd80c925e29353ce8927a928c595
Instruction Fuzzy Hash: 7D2157729003099FDB10CFAAC4817AEBBF4AF88314F148429D518A7740CB789944CFA5

Function 02D1CB58 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02D1CB26,?,?,?,?,?), ref: 02D1CBE7

Memory Dump Source

Source File: 00000000.00000002.2133126077.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d10000_DO9uvdGMde.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 7f1b1a2afe621f8cb8c1166cf3c0a7dfd467fa614aef8580aa3a8ed71e87899f
Instruction ID: ced1154e2a948d839f1a2111b0e338c25df87f352cd48f6a24da8bdaf7d73b4a
Opcode Fuzzy Hash: 7f1b1a2afe621f8cb8c1166cf3c0a7dfd467fa614aef8580aa3a8ed71e87899f
Instruction Fuzzy Hash: 9421E3B5900249EFDB10CFAAD985ADEBBF9EB48310F14841AE918E3310D378A954CF65

Function 02D1BDE0 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02D1CB26,?,?,?,?,?), ref: 02D1CBE7

Memory Dump Source

Source File: 00000000.00000002.2133126077.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d10000_DO9uvdGMde.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: bb18dd897900234e6c5a717388cfd8eb1ee35c010f9cf0325a65e2ca7dddd55b
Instruction ID: 95b2585a951820bf048af634834b1793a143f66a50bd4d35bb38af6c79746514
Opcode Fuzzy Hash: bb18dd897900234e6c5a717388cfd8eb1ee35c010f9cf0325a65e2ca7dddd55b
Instruction Fuzzy Hash: ED21E3B5900249EFDB10CFAAD984ADEBBF8FB48310F14801AE954B7310D378A954CFA5

Function 02D1FA28 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 02D1FAA6

Memory Dump Source

Source File: 00000000.00000002.2133126077.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d10000_DO9uvdGMde.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 3f5aa173eb4022080de49c5bcc2ef8e647e7b9ddef4b13a72b17d2f52bb71e66
Instruction ID: 4f650a9445ec955b383b2f6a3c49610f285acf4efde83d2292d4ec4d44ed6e14
Opcode Fuzzy Hash: 3f5aa173eb4022080de49c5bcc2ef8e647e7b9ddef4b13a72b17d2f52bb71e66
Instruction Fuzzy Hash: A2213571D043099FDB10DFAAC485BAEBBF4AF88314F14842AD559A7740CB789944CFA5

Function 02D1A100 Relevance: 1.6, APIs: 1, Instructions: 62
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02D1A961,00000800,00000000,00000000), ref: 02D1AB72

Memory Dump Source

Source File: 00000000.00000002.2133126077.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d10000_DO9uvdGMde.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 92a09c81a4b80491874ab4a77bf571611fdbf4d8d3da4e9f25186346f07d6360
Instruction ID: bcd752052be351ff2bf9f796c34dc3923b6b178dccdd63865068fbd92c0a65a0
Opcode Fuzzy Hash: 92a09c81a4b80491874ab4a77bf571611fdbf4d8d3da4e9f25186346f07d6360
Instruction Fuzzy Hash: 99217CB6804388DFDB10CFAAD544ADEBBF4EF99320F14805AD558A7311C3789944CFA6

Function 02D1FBE9 Relevance: 1.6, APIs: 1, Instructions: 56
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 02D1FC5E

Memory Dump Source

Source File: 00000000.00000002.2133126077.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d10000_DO9uvdGMde.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 23c33e3040f5b75b5938117ed8bec9d494ef878be80f62fb9e1aabac80de620c
Instruction ID: 2ce97beb832a420f9158e468824cb67e41f972829b58b3b31343f4256e0141e2
Opcode Fuzzy Hash: 23c33e3040f5b75b5938117ed8bec9d494ef878be80f62fb9e1aabac80de620c
Instruction Fuzzy Hash: 861144728003499FDB10CFAAC845BDFBBF5EF88720F148419E919A7650C739A940CBA5

Function 02D1A118 Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02D1A961,00000800,00000000,00000000), ref: 02D1AB72

Memory Dump Source

Source File: 00000000.00000002.2133126077.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d10000_DO9uvdGMde.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: eb6281cbc3da08288be091975e833e64844335186dd6d68fb2105860fcca8c69
Instruction ID: 067b42967e899ad2b97c57429e3053aba1964b313d0a77aec5fc74b3a35f23b3
Opcode Fuzzy Hash: eb6281cbc3da08288be091975e833e64844335186dd6d68fb2105860fcca8c69
Instruction Fuzzy Hash: B21114B6900349DFDB10CF9AD544A9EFBF5EB98310F10842AE519A7700C379A944CFA5

Function 02D1AB00 Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02D1A961,00000800,00000000,00000000), ref: 02D1AB72

Memory Dump Source

Source File: 00000000.00000002.2133126077.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d10000_DO9uvdGMde.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 054159f568dcfd0ca8b6a9061a0b474200f65c34ec278f95fc407c482f763d1b
Instruction ID: 2efce27376ec527eb257dc387780f47f15d94b40387633dc737de938d3ee2663
Opcode Fuzzy Hash: 054159f568dcfd0ca8b6a9061a0b474200f65c34ec278f95fc407c482f763d1b
Instruction Fuzzy Hash: 371142B6801349DFDB10CFAAD544A9EFBF4AB88320F10802AE518A7700C379A944CFA5

Function 02D1FBF0 Relevance: 1.6, APIs: 1, Instructions: 53
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 02D1FC5E

Memory Dump Source

Source File: 00000000.00000002.2133126077.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d10000_DO9uvdGMde.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 81023a944cd168f7d9e77459ac02d6f16a3595d8253480813ac3984ac59d352b
Instruction ID: a12e47278966005ec1a1657931e6c976534cdec7c0a1c1f07aa4b8fff1bbc5ff
Opcode Fuzzy Hash: 81023a944cd168f7d9e77459ac02d6f16a3595d8253480813ac3984ac59d352b
Instruction Fuzzy Hash: 13115371800349DFDB10CFAAC845BDFBBF5EF88320F208419E919A7250CB39A940CBA5

Function 02D1FCA8 Relevance: 1.6, APIs: 1, Instructions: 53
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResumeThread.KERNELBASE ref: 02D1FD12

Memory Dump Source

Source File: 00000000.00000002.2133126077.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d10000_DO9uvdGMde.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 23ad645eaeedac11e27af5cbe5014a83e1d8b4287ac3a5ab2c41f5a77d45513a
Instruction ID: d8978dd5bb974264fd5e12579ce73633c4ffaaacd9367193648c13f6c65ca450
Opcode Fuzzy Hash: 23ad645eaeedac11e27af5cbe5014a83e1d8b4287ac3a5ab2c41f5a77d45513a
Instruction Fuzzy Hash: CA1146719003489FEB10DFAAC8457AEFBF4EF89610F248419D519A7740CB39A940CBA5

Function 02D1FCB0 Relevance: 1.5, APIs: 1, Instructions: 49
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResumeThread.KERNELBASE ref: 02D1FD12

Memory Dump Source

Source File: 00000000.00000002.2133126077.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d10000_DO9uvdGMde.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 8b12fc2ef56a61e4eda9ad43b74e77cb4f8cbc5a4959d85917ce6b72dc4ab928
Instruction ID: 186adc7ae398536c98580574d3a9b4a6deb92ec30023c4b0d4c4ca1e705e17c3
Opcode Fuzzy Hash: 8b12fc2ef56a61e4eda9ad43b74e77cb4f8cbc5a4959d85917ce6b72dc4ab928
Instruction Fuzzy Hash: D81155B19003488FDB10DFAAC4457AEFBF4AF88220F20841AD519A7740CB39A940CBA5

Function 02D1A880 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 02D1A8E6

Memory Dump Source

Source File: 00000000.00000002.2133126077.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d10000_DO9uvdGMde.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 7f14e9cd8f565ec16c8644bc1f04225c2c0b4fa5c89c69419f211a4b3d8892bd
Instruction ID: 42903f2cb4b793196e2f3f8b85f3360567f81577fe818ada6fe93e9a9bc50bfc
Opcode Fuzzy Hash: 7f14e9cd8f565ec16c8644bc1f04225c2c0b4fa5c89c69419f211a4b3d8892bd
Instruction Fuzzy Hash: 2111FDB5C006499BDB10CF9AD444A9EFBF4AB88224F10842AD418A7710C379A945CFA5

Function 05F90040 Relevance: .8, Instructions: 752COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2137357694.0000000005F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f90000_DO9uvdGMde.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0707cc849f124dd36cc8bf22ef4b6b1cefdaa46e047574c1bd7fbac80f35d97f
Instruction ID: cb5e4906145a180087556d46e8bf52cfad47d8bf2652c087dbb216619a6f8494
Opcode Fuzzy Hash: 0707cc849f124dd36cc8bf22ef4b6b1cefdaa46e047574c1bd7fbac80f35d97f
Instruction Fuzzy Hash: 4362D2B0E01F458AEF785FB4D44C3AD7A95BB46304F604A1ED0BACA381DF799486CB19

Function 05F90006 Relevance: .5, Instructions: 474COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2137357694.0000000005F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f90000_DO9uvdGMde.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80a4fde81bcfe36e7fe338a223ee6177342f0c720ea94f7d8e48372dab9ab90f
Instruction ID: 7fe5349560e01bc0e647c5d854f2231f6099f1f32163709b62b4bb76fb211397
Opcode Fuzzy Hash: 80a4fde81bcfe36e7fe338a223ee6177342f0c720ea94f7d8e48372dab9ab90f
Instruction Fuzzy Hash: 2C2250B0E06F424AEB785FA4C48C39DB694BB06314F704A5BC0FACA355DB399087CB49

Function 05F93C80 Relevance: .3, Instructions: 324COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2137357694.0000000005F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f90000_DO9uvdGMde.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8632ce11e438c8a5abf190788d10a9a45df73a5c2f72616f73140c0d779a4279
Instruction ID: 9265f821e96dc6d5962443172f84cb48a7a925774c1be6e5f65dec59de1d49b3
Opcode Fuzzy Hash: 8632ce11e438c8a5abf190788d10a9a45df73a5c2f72616f73140c0d779a4279
Instruction Fuzzy Hash: C3B15D75B006148FDF18EB79C5689AEB7F2AFC9204B244469D802EB7A0DF35DC46CB61

Function 05F93408 Relevance: .2, Instructions: 211COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2137357694.0000000005F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f90000_DO9uvdGMde.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57ded3848d082f746735860f7efb06bb1756c1db7840cbb85e9c227ad474bdc6
Instruction ID: 6ebe0654c2f9be99fd3fd2631f07724a47f9109b98daf4e8a30f0d0da13cf606
Opcode Fuzzy Hash: 57ded3848d082f746735860f7efb06bb1756c1db7840cbb85e9c227ad474bdc6
Instruction Fuzzy Hash: B191D275A0060A9FDF15CFA8D984AAEB7F2BF48310F048929E929D7390E734E955CF50

Function 05F91228 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2137357694.0000000005F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f90000_DO9uvdGMde.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e63339642cbb093cb6d779898c64b5de258695a40d8b9cecbbdc68eea9c5e2a
Instruction ID: de4e402c5ce4172fb92d057901024c1ef17fc1efc234a57fb014c748866af9e7
Opcode Fuzzy Hash: 2e63339642cbb093cb6d779898c64b5de258695a40d8b9cecbbdc68eea9c5e2a
Instruction Fuzzy Hash: FF41D534A046198FDB58EBA8C854FDDB7B2BF89314F114069E905AB7A1DB799801CFA0

Function 05F92AC0 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2137357694.0000000005F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f90000_DO9uvdGMde.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48198ec3c4e8fbb8268022bea562b336622cd6386f48b9f5916b151ddf775110
Instruction ID: f8270ff6d8f1ede39a395c2234d9aad88e085010a270cdd2550ffa1f3097bf12
Opcode Fuzzy Hash: 48198ec3c4e8fbb8268022bea562b336622cd6386f48b9f5916b151ddf775110
Instruction Fuzzy Hash: 8221F836B10A109FEF28CE25C88167EB7E7FBC4215F14846AD146D3794C638ED418761

Function 05F92AD0 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2137357694.0000000005F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f90000_DO9uvdGMde.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56213d1b245b437e08aaf6031c27ff1b9416f1e505bd779b026cd1610ccdd975
Instruction ID: d7138088e4b241f3579f6b38e38ff56b805c72f09ca1d12c330d29a44114a792
Opcode Fuzzy Hash: 56213d1b245b437e08aaf6031c27ff1b9416f1e505bd779b026cd1610ccdd975
Instruction Fuzzy Hash: C821C936B10A105FEF28CE65C88197EB7E7FBC4264F14856AD54793794C638ED408761

Function 05F914E0 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2137357694.0000000005F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f90000_DO9uvdGMde.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a3db3988ed9cac54c3a3683c25b06a4f8187eee4fd123736505375e9f73f668
Instruction ID: b195ff250e67aff70034c2c00523639361d648b9fdc039cadeb05fde940f899e
Opcode Fuzzy Hash: 3a3db3988ed9cac54c3a3683c25b06a4f8187eee4fd123736505375e9f73f668
Instruction Fuzzy Hash: AD215734711A118FDB289A28C814E2973AAFF89714B25817DE507CB3A0DB76EC42CB50

Function 02A6D4CC Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2131851887.0000000002A6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A6D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a6d000_DO9uvdGMde.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91aa16a1d7639fb54b54051bf89b249e567100f19a099278cbd51c179fe66145
Instruction ID: f4bbc2d1d277d24d940e5bf68a3efe15b9f964b1e28367e0593571c68abfd0ad
Opcode Fuzzy Hash: 91aa16a1d7639fb54b54051bf89b249e567100f19a099278cbd51c179fe66145
Instruction Fuzzy Hash: 152145B2600600EFDB05DF14D9C8B36BF61FB88358F20856CE9090B656C736D856CAA2

Function 02A7D1EC Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2132518421.0000000002A7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a7d000_DO9uvdGMde.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04752c4b2d0cc7fa792404ae8b15938a192e14d8bc9dce88c4d19c5ea6c10e0d
Instruction ID: c71873191cb915d6a405c1abde43f24f8a40dffe941e43f87c21f9e36d19df4b
Opcode Fuzzy Hash: 04752c4b2d0cc7fa792404ae8b15938a192e14d8bc9dce88c4d19c5ea6c10e0d
Instruction Fuzzy Hash: D121D0B1604604EFDB04DF24D9C0B26FB65FF94314F24C56DD9094B252CB76D846CAA5

Function 02A7D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2132518421.0000000002A7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a7d000_DO9uvdGMde.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0e461f630691cf0c83e11cf974d68b79695f87eb2810540307d6918298326db
Instruction ID: cd8b29ab70977762ae18081d2b7951637ccfa6fae0693cfbdc670c69fad9b11b
Opcode Fuzzy Hash: a0e461f630691cf0c83e11cf974d68b79695f87eb2810540307d6918298326db
Instruction Fuzzy Hash: 2421F275604604EFDB14DF24DDC0B26BB65FF84314F24C56DD90A4B246CB3AD847CA65

Function 05F914F0 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2137357694.0000000005F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f90000_DO9uvdGMde.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa14425a0fdb1538a696c0aa4753e079f5f4cac55267940648c7018568b0ffb2
Instruction ID: 3fc880e91edd08526b51fa5a7789be14e9f87c7172221a5dbd861d3784cdab00
Opcode Fuzzy Hash: fa14425a0fdb1538a696c0aa4753e079f5f4cac55267940648c7018568b0ffb2
Instruction Fuzzy Hash: 6C2107347116118FDB28EA69D454E2973AAFF89714B21847DE507CB3A0DB76DC42CB50

Function 05F93C71 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2137357694.0000000005F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f90000_DO9uvdGMde.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c741a3e07d8f9a853c65dbdb3ebba26e80603b1ee234d294ee9a6406f13980e8
Instruction ID: be405e4eacc8b7eab0de2241f222888ac3f1a290cfd871e919c5e4fd7517b93e
Opcode Fuzzy Hash: c741a3e07d8f9a853c65dbdb3ebba26e80603b1ee234d294ee9a6406f13980e8
Instruction Fuzzy Hash: 9A214F39701B008BEF2CAB79956493773E7AFC5204B144C39CA138B7A8EF75D806CA51

Function 02A7D007 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2132518421.0000000002A7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a7d000_DO9uvdGMde.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ee4102e2a09224e9c8c70a50a328748e1fa53fde45118b373adec4297b6f978
Instruction ID: ba9d86b0e4e2c4c367c569a4babb520aa8bbde1f0bbb34f244f052f49dd309ee
Opcode Fuzzy Hash: 9ee4102e2a09224e9c8c70a50a328748e1fa53fde45118b373adec4297b6f978
Instruction Fuzzy Hash: D8214C755097809FCB12CF24D9D4715BF71EF46214F28C5DAD8498B6A7C33A980BCB62

Function 05F916A0 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2137357694.0000000005F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f90000_DO9uvdGMde.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 350f64b7ac37037e1b60f8a7492b0c42ee108b4c6575df15e33899c853363396
Instruction ID: acf275559da1abcf8211fe711bfb1748ad5972ab9663e02eca082b25178df84e
Opcode Fuzzy Hash: 350f64b7ac37037e1b60f8a7492b0c42ee108b4c6575df15e33899c853363396
Instruction Fuzzy Hash: 8F01C071B052185FDB18EBB8A81576FBAE79FC5600F148479A90AC7384EE308D4687E5

Function 02A6D4C7 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2131851887.0000000002A6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A6D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a6d000_DO9uvdGMde.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77fadd82fdc2d56cf39070efea1a70d2bd0433e89b8e3a9964b57efaebe0ac53
Instruction ID: bda36fdcfa9c0d20b85177325c7158043c55f8faf29f30946de13ca874c7541c
Opcode Fuzzy Hash: 77fadd82fdc2d56cf39070efea1a70d2bd0433e89b8e3a9964b57efaebe0ac53
Instruction Fuzzy Hash: E511E676504684DFCB16CF10D5C4B26BF72FB84314F24C6A9D8094F656C33AD45ACBA2

Function 05F92C13 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2137357694.0000000005F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f90000_DO9uvdGMde.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2a79942cd173179880f87b94378f8d7fc01fe4c39f964b9ec5883062c72c6e8
Instruction ID: 2dbbfc15bc76d8999ecfa7e2db128cfaa9047614fd0f027f13691b8213b8b5e3
Opcode Fuzzy Hash: d2a79942cd173179880f87b94378f8d7fc01fe4c39f964b9ec5883062c72c6e8
Instruction Fuzzy Hash: 8511A7B5E0021A9FCB44DFADC9409AEBBF5FF88310B10856AE918E7315E7349911CFA0

Function 02A7D1E7 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2132518421.0000000002A7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a7d000_DO9uvdGMde.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42a98d763aa616cafc5cdf308aa0cc1e619621035a6359fb41dac703237424f2
Instruction ID: 022f4dfcf1a04e754ff4ea3bccf2aaa1fa8c00fe2e378d0ec2dc95d6278e7e15
Opcode Fuzzy Hash: 42a98d763aa616cafc5cdf308aa0cc1e619621035a6359fb41dac703237424f2
Instruction Fuzzy Hash: BE118B75904684DFCB05CF50D9C4B15FBA2FB84214F28C6A9D8494B656C33AD44ACBA2

Function 05F92C20 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2137357694.0000000005F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f90000_DO9uvdGMde.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ed726a8f4896c561337524d131e053ad30d9a0d86db6c963de2d80b847abc7e
Instruction ID: 2c3c49b8d897f8082140288f42a99a10202e77cd587e67994e55783e13ab222d
Opcode Fuzzy Hash: 7ed726a8f4896c561337524d131e053ad30d9a0d86db6c963de2d80b847abc7e
Instruction Fuzzy Hash: DD1189B5E0011A9FCB44DFADD9449AEFBF5FF88310B10816AE919E7315E7309911CBA0

Function 05F91AB1 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2137357694.0000000005F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f90000_DO9uvdGMde.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9e595a065cb26ece9ae04da39a2e0145d1b3868a3b3b3243ef371ff4aa3a34a
Instruction ID: e7b322a4ab454c7a9908d19eea682088c98c526bb9e27e556f445905f79ef55a
Opcode Fuzzy Hash: b9e595a065cb26ece9ae04da39a2e0145d1b3868a3b3b3243ef371ff4aa3a34a
Instruction Fuzzy Hash: 92F022227093601BC7166539E859B5AABAB9BC3A60B0981BBE405C7386DC648C06C3A1

Function 05F91090 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2137357694.0000000005F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f90000_DO9uvdGMde.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4136a9328a48e109ebf0305e2a674ffce9b7efdbe1af7cfff12c70153e4c8b14
Instruction ID: 8ed4521cf35b400cb93193351163e48c492759a417978793cec4260523b47d51
Opcode Fuzzy Hash: 4136a9328a48e109ebf0305e2a674ffce9b7efdbe1af7cfff12c70153e4c8b14
Instruction Fuzzy Hash: 3401DF35204641CFDB18DA2AD811E26B3AAFF85610F10C17DD90A8B360DB72EC06CB80

Function 05F910A0 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2137357694.0000000005F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f90000_DO9uvdGMde.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 689b95ca2cc034978d73e75dd038ba5bfbd26a6efa06f491f32399dd909715b1
Instruction ID: 12c1e8cca4fa48b17096ead93638efe06e39425b3e36968b60801be73005f101
Opcode Fuzzy Hash: 689b95ca2cc034978d73e75dd038ba5bfbd26a6efa06f491f32399dd909715b1
Instruction Fuzzy Hash: D1018135704601CFDB18DB2AD451E26B3AAFF85620B10C57DD50ACB360DB72EC06CB90

Function 05F92BAB Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2137357694.0000000005F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f90000_DO9uvdGMde.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 877e627b53b5bfd73203231f27100ce77ef659540e2ed45501239e8a98757702
Instruction ID: 549e5c91fae37c019f525e08247eb033f654d286f4bc704d62d9af35b9a3b792
Opcode Fuzzy Hash: 877e627b53b5bfd73203231f27100ce77ef659540e2ed45501239e8a98757702
Instruction Fuzzy Hash: 07F09676A10618DFC710EF6AD844D8EFBF8EF85310B50462BE50597320EB30A945CBA5

Function 05F911D0 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2137357694.0000000005F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f90000_DO9uvdGMde.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 817f2c836a8402e78b75dec80e05e3e431b87b05e21e80c065e00128d55f6f8e
Instruction ID: d070886d86ac6773e1a395457d793e83ff96832ca1ee1a3a5821bce6299f3668
Opcode Fuzzy Hash: 817f2c836a8402e78b75dec80e05e3e431b87b05e21e80c065e00128d55f6f8e
Instruction Fuzzy Hash: 20E020317082505BC706D26DE85094BBFB7DFC57103458A7FE1488B225EE606C068BE0

Function 05F91AC0 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2137357694.0000000005F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f90000_DO9uvdGMde.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27a83e83f40301bcc0da410f466016912c20bf15fc423232abe3661d4bd30e79
Instruction ID: 55f5e3ed249df8789ba7f4745f9718fa5873634ff495e9d6b50009ae1d808f9e
Opcode Fuzzy Hash: 27a83e83f40301bcc0da410f466016912c20bf15fc423232abe3661d4bd30e79
Instruction Fuzzy Hash: ACD01237B4873853472935AF641896FB6DFAAD1B61209403FE50AC33889DA58C0292E5

Function 05F92A98 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2137357694.0000000005F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f90000_DO9uvdGMde.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb27272dc21dbdd3a4667f08397e11ed6dac72b15a8d9ffff804834d52f87f7b
Instruction ID: b9be2e408ae229c45262f3a8df9fe1277515faf9454bb08a8f7beff15c1c4506
Opcode Fuzzy Hash: fb27272dc21dbdd3a4667f08397e11ed6dac72b15a8d9ffff804834d52f87f7b
Instruction Fuzzy Hash: 8DD05230208248AFC701EF24C888C857B74EB2A220B488096E8488B263C632E802CBA0

Function 05F92A6E Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2137357694.0000000005F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f90000_DO9uvdGMde.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef8b81cd6340b0b3f63b8c71432ea022c55141a3b24af5e97fd6fe62d5433b9c
Instruction ID: 562917f2b1023b958fdf12a7edd7536888a3ff97ee0975434c292b1997bfb78a
Opcode Fuzzy Hash: ef8b81cd6340b0b3f63b8c71432ea022c55141a3b24af5e97fd6fe62d5433b9c
Instruction Fuzzy Hash: 19D0126AD05B860BE721A6348845BCEBF60AF73264F4953BA80D0045C1EA041491C601

Function 05F92AA8 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2137357694.0000000005F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f90000_DO9uvdGMde.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d6f2623337c38ef8749255ff78b3cbedb78fba73e040c9434c39499d8169e63
Instruction ID: 61412fa5721fa0801f19765b42d0f6ac58f054d2697597a3f249e516f761f0d5
Opcode Fuzzy Hash: 1d6f2623337c38ef8749255ff78b3cbedb78fba73e040c9434c39499d8169e63
Instruction Fuzzy Hash: 87C00235140108AFC740DF55D445D95BBA9EB59660B1180A1F9484B722C632E9119A90

Non-executed Functions

Function 02D1D3DC Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133126077.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d10000_DO9uvdGMde.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b64f7b8636414d846b70f4a5b8e560cf05b2eab1840c0505a0060e28818807d
Instruction ID: 5d024f554962986e267a535829614fd4c4ba87e88c5da2c128ec99eca8a7ed4a
Opcode Fuzzy Hash: 7b64f7b8636414d846b70f4a5b8e560cf05b2eab1840c0505a0060e28818807d
Instruction Fuzzy Hash: 5CA16732A002199FCF09DFA4E88459EB7B3FF84300B15856AE806AB365DB71AD55CF50

Analysis Process: powershell.exePID: 5040, Parent PID: 6392COMMON

Executed Functions

Function 04B46CC3 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2118467216.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4b40000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3ac70c9940fada28f2985a139a1c2de91d40c4c7e4b9bbd0e97787c85d1279c
Instruction ID: e9c3bc5e928f1c5e156e6117cfff88f29e9247b4c3b5745d80c6b2e6c4a588fc
Opcode Fuzzy Hash: d3ac70c9940fada28f2985a139a1c2de91d40c4c7e4b9bbd0e97787c85d1279c
Instruction Fuzzy Hash: 2D417234A05258DFCB05DFA4D490AECBBB2FF8A300F2584E9E944AB362C735AD55DB50

Function 04B429F0 Relevance: .2, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2118467216.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4b40000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73370db0150f736235e06a3f42a99e15bbe1bd43d980c6734edf2c427dc7479e
Instruction ID: fa021c07599304c7b00654a31bf651ca7ac20347ed38ed966d90c9a81a14ee48
Opcode Fuzzy Hash: 73370db0150f736235e06a3f42a99e15bbe1bd43d980c6734edf2c427dc7479e
Instruction Fuzzy Hash: 3891A074A00205CFCB19CF59C4949AEFBB1FF88310B258599E915AB3A5C735FC91DB90

Function 04B42B00 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2118467216.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4b40000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69e2d8aed8948736b750fd2407f3118f46cfe4ee7e7537f8b2ef11cdeabbda73
Instruction ID: 8fc55f621a4c04dd494147d2a7b82f924362bb84d42afca32e4fde2f8d2fbcb8
Opcode Fuzzy Hash: 69e2d8aed8948736b750fd2407f3118f46cfe4ee7e7537f8b2ef11cdeabbda73
Instruction Fuzzy Hash: 62415974A00105CFCB09CF59C198DAAFBB1FF88314B118599E915AB365C736FC91EBA0

Function 0328D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2118240747.000000000328D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0328D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_328d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57a42f36fdaee976b34951da2f1bbd5ec7eb3b4e76cd98624207126302d914a9
Instruction ID: b0db5cb441499d24ea43c1de2465daad946506d82ff27706e19aaa9a61cc9310
Opcode Fuzzy Hash: 57a42f36fdaee976b34951da2f1bbd5ec7eb3b4e76cd98624207126302d914a9
Instruction Fuzzy Hash: 7901F731016344EAE710AB25DD80B66FFD8EF81324F0CC459DD080A2C2C6799889C6B2

Function 0328D007 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2118240747.000000000328D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0328D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_328d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a41f2252610b0d2d23f38776aff27363148fec31c0856c7cc52c33fbd1a319c
Instruction ID: 9583e6a46c4e289cd450daed67e1bb23b4d49c661150d105edb4ab0b7074c0db
Opcode Fuzzy Hash: 9a41f2252610b0d2d23f38776aff27363148fec31c0856c7cc52c33fbd1a319c
Instruction Fuzzy Hash: AD01ED7244E3C49EE7128B25CC94B56BFB49F53224F1D81DBD9888F2E3C2695849C772

Analysis Process: DO9uvdGMde.exePID: 3236, Parent PID: 6392COMMON

Execution Graph

Execution Coverage:	12.8%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	25
Total number of Limit Nodes:	4

Executed Functions

Function 0094A960 Relevance: 3.1, Instructions: 3069COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3369627001.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_940000_DO9uvdGMde.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bb7fe2b7845719b7635920456d38189faf6d75e21138b620eebfbf7930236ae
Instruction ID: 50cecbcb0c47890439102de39cca6617e20359065e096c28f0a3c876d641a27d
Opcode Fuzzy Hash: 8bb7fe2b7845719b7635920456d38189faf6d75e21138b620eebfbf7930236ae
Instruction Fuzzy Hash: 5A630C31D10B5A8ADB51EF68C8809A9F7B1FF99300F11C79AE45977121FB70AAD4CB81

Function 0094DBE0 Relevance: 2.3, Instructions: 2301COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3369627001.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_940000_DO9uvdGMde.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fc8a1d8c948e07cd732031027b5e6c4b4a61f22e377fde111e6040d0435a17d
Instruction ID: 632b5c2aed0df079230503ce33d755d29c789dde6e14ec4ba75499d96667b609
Opcode Fuzzy Hash: 6fc8a1d8c948e07cd732031027b5e6c4b4a61f22e377fde111e6040d0435a17d
Instruction Fuzzy Hash: 9E332131D1071A8EDB11EF68C890AADF7B1FF99300F15C79AE458A7251EB70AAC5CB41

Function 00943E80 Relevance: 1.5, Strings: 1, Instructions: 238
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

\Vvk, xrefs: 009440CB

Memory Dump Source

Source File: 00000004.00000002.3369627001.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_940000_DO9uvdGMde.jbxd

Similarity

API ID:
String ID: \Vvk
API String ID: 0-1806392228
Opcode ID: 8154d8e59c0aaf078b3343b47dbc238640931d11a940488519eab8133094a269
Instruction ID: d5bfa37b20db9c6edbfdde6043276d17ec63e7ae8c308f8c986206fe8412b5e7
Opcode Fuzzy Hash: 8154d8e59c0aaf078b3343b47dbc238640931d11a940488519eab8133094a269
Instruction Fuzzy Hash: 96917C70E00209CFDF10CFA9C985B9EBBF2AF98304F148129E815A7254EB749985CF91

Function 00944A98 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3369627001.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_940000_DO9uvdGMde.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdfecb3ba3ce0fa010e025b135543d50c6ba91e5713e3075969e89c005dba87e
Instruction ID: 89eda38d7a30821449d556b3c1c440183eed3b8d216bf0f84d9b149166de140d
Opcode Fuzzy Hash: bdfecb3ba3ce0fa010e025b135543d50c6ba91e5713e3075969e89c005dba87e
Instruction Fuzzy Hash: 40B15D70E002098FDF10CFA9D885BDDBBF6AF88314F148529D855EB294EB749845CB81

Function 05F8E931 Relevance: 1.6, APIs: 1, Instructions: 129
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.3387073038.0000000005F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5f80000_DO9uvdGMde.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf9ab43a1d4db5db0d157fa4a9df2e15ec380d1cea8bf4cb9e0cf10295183ecd
Instruction ID: fea58ac5a82e514482cd65b429b5cc036cd6d78ddc9e1bc370fd7f31f517887e
Opcode Fuzzy Hash: bf9ab43a1d4db5db0d157fa4a9df2e15ec380d1cea8bf4cb9e0cf10295183ecd
Instruction Fuzzy Hash: 79415672D043958FDB00DFA9D8043AEBFF5AF89210F04856AD509E7381DB789845CBE1

Function 05F8EA18 Relevance: 1.6, APIs: 1, Instructions: 52
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNELBASE ref: 05F8EA7F

Memory Dump Source

Source File: 00000004.00000002.3387073038.0000000005F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5f80000_DO9uvdGMde.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: d544b60cda972da865232f4eee9f25ed3fc0144f333b724593a33957ecd14bcc
Instruction ID: df3b17aa88b8924eb54c15c2c483882af76a50581c80f7e5cc7a6f1c34454acc
Opcode Fuzzy Hash: d544b60cda972da865232f4eee9f25ed3fc0144f333b724593a33957ecd14bcc
Instruction Fuzzy Hash: 3911E2B1C0065A9BDB10DF9AC445B9EFBF8BF48720F15816AD918A7240D378A944CFA5

Function 00943E74 Relevance: 1.5, Strings: 1, Instructions: 235
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

\Vvk, xrefs: 009440CB

Memory Dump Source

Source File: 00000004.00000002.3369627001.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_940000_DO9uvdGMde.jbxd

Similarity

API ID:
String ID: \Vvk
API String ID: 0-1806392228
Opcode ID: 512c4750a68d9ec4a106738f5e53365c27a953c5bcac7e1586ba6b91545d3956
Instruction ID: d927c1d5f1137eb571b5b8afdc590225851d0a786eca11d6338dc0ad6ae0daa0
Opcode Fuzzy Hash: 512c4750a68d9ec4a106738f5e53365c27a953c5bcac7e1586ba6b91545d3956
Instruction Fuzzy Hash: 19915A70E00209DFDF10CFA8C985BDEBBF2AF98714F148129E815A7254EB749995CF91

Function 00947D28 Relevance: 1.4, Strings: 1, Instructions: 138
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

V, xrefs: 00947D95

Memory Dump Source

Source File: 00000004.00000002.3369627001.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_940000_DO9uvdGMde.jbxd

Similarity

API ID:
String ID: V
API String ID: 0-1342839628
Opcode ID: 9c9bac4a249dbaab78f172cac1cdfe5c2daf96c3b9addf892cd6ae205b891ed8
Instruction ID: e9bd775ca2c4ccb54b56f0a044101e1d0b5e672ecd7fe48cd29939792973828a
Opcode Fuzzy Hash: 9c9bac4a249dbaab78f172cac1cdfe5c2daf96c3b9addf892cd6ae205b891ed8
Instruction Fuzzy Hash: 99316B70E14249CFEB15CFA4C440BAEF7B6EF86300F204969E902EB290EB749C428B50

Function 00941488 Relevance: 1.3, Strings: 1, Instructions: 86
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

V, xrefs: 00941495

Memory Dump Source

Source File: 00000004.00000002.3369627001.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_940000_DO9uvdGMde.jbxd

Similarity

API ID:
String ID: V
API String ID: 0-1342839628
Opcode ID: c1cbade45c2cd76c6de4dcbf8c118db5487fc5896e67e1654a9aa0ed523cad89
Instruction ID: 9c897a29b5cc50a80bada0f440709aa7fa0d67ed3b27a028f0c90b1867c1c6c6
Opcode Fuzzy Hash: c1cbade45c2cd76c6de4dcbf8c118db5487fc5896e67e1654a9aa0ed523cad89
Instruction Fuzzy Hash: E821DE74A002158FDF21EFBC9444BBD77A9EB88325F24087AE50AE7251E739CD81CB95

Function 00946BA1 Relevance: 1.3, Strings: 1, Instructions: 69
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

0My, xrefs: 00946C41

Memory Dump Source

Source File: 00000004.00000002.3369627001.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_940000_DO9uvdGMde.jbxd

Similarity

API ID:
String ID: 0My
API String ID: 0-3072640082
Opcode ID: b974240e5c11b2d57690791d440b28c3e1abcd1d527e22ace9bb3d8a1f49fa2d
Instruction ID: 3a6b020456955dacf6c559eb0f175b1296edf8ba17a4f24d8329590ffcd76a30
Opcode Fuzzy Hash: b974240e5c11b2d57690791d440b28c3e1abcd1d527e22ace9bb3d8a1f49fa2d
Instruction Fuzzy Hash: 1221AF707053819FD715AB78A05476E7BE2EF86301F0188AED585CB295DF358C458B92

Function 009407F9 Relevance: 1.3, Strings: 1, Instructions: 66
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Ko, xrefs: 00940894

Memory Dump Source

Source File: 00000004.00000002.3369627001.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_940000_DO9uvdGMde.jbxd

Similarity

API ID:
String ID: Ko
API String ID: 0-716275355
Opcode ID: 36ac1765b39307784b336e88a97026a4c096b589fdb8e4853909e093f1d78b8b
Instruction ID: df2899589ccddb2e73eb9771145343787a04dec7c429a9eede67f0f4fd8c7be1
Opcode Fuzzy Hash: 36ac1765b39307784b336e88a97026a4c096b589fdb8e4853909e093f1d78b8b
Instruction Fuzzy Hash: 54110831A04218CBEF25A779E520BB93395EBD2314F10492ED305CF342E535CC458BC5

Function 00940848 Relevance: 1.3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Ko, xrefs: 00940894

Memory Dump Source

Source File: 00000004.00000002.3369627001.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_940000_DO9uvdGMde.jbxd

Similarity

API ID:
String ID: Ko
API String ID: 0-716275355
Opcode ID: 851290126a7c1695875808b66ec8ac519bcd11f15cb510989cde63f7d1d051c4
Instruction ID: 9772a741804abbcb4eda38a9653cb36aff141e4836ce6d733a4c5796a41b99c5
Opcode Fuzzy Hash: 851290126a7c1695875808b66ec8ac519bcd11f15cb510989cde63f7d1d051c4
Instruction Fuzzy Hash: CF114230B002088BEF65A779DA54F693269EBD6314F204939E706CF355E936DC418BD1

Function 00940838 Relevance: 1.3, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Ko, xrefs: 00940894

Memory Dump Source

Source File: 00000004.00000002.3369627001.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_940000_DO9uvdGMde.jbxd

Similarity

API ID:
String ID: Ko
API String ID: 0-716275355
Opcode ID: b6438d66ec7fdb5910b6c1c0071367ef741c944b8e5f524feeef0059c75ec59a
Instruction ID: f17c8498111af8e80235b47a6e560b633b9748b6af085170155b2be73fbbf404
Opcode Fuzzy Hash: b6438d66ec7fdb5910b6c1c0071367ef741c944b8e5f524feeef0059c75ec59a
Instruction Fuzzy Hash: 641194306043048BEF25A775AA14F693765EBD6314F10493ED746CF342E636CC418BC1

Function 0094868F Relevance: .6, Instructions: 574COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3369627001.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_940000_DO9uvdGMde.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62b776d2e5a833bd5b0564538004ab2e1ec2421906cf35a43d294ddef63fb08b
Instruction ID: 03fd5cf24670031eb32fcf03cdc0eaf683b5b0fb4612638bdb204c3a699b01ef
Opcode Fuzzy Hash: 62b776d2e5a833bd5b0564538004ab2e1ec2421906cf35a43d294ddef63fb08b
Instruction Fuzzy Hash: 1A229D30701242DBDB16AB38E49862D77A6EBCA314B609D3DE205CB355DF79EC46CB90

Function 00948728 Relevance: .6, Instructions: 553COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3369627001.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_940000_DO9uvdGMde.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b612b7d597be6d90bef48cf0f7558e37cff6431b5f2f1388f8906c67bebc6c2
Instruction ID: 9c774c51157d81f02885132c56faf49ba2d4c63ad2b2ae4425d0d52da4aa57f7
Opcode Fuzzy Hash: 3b612b7d597be6d90bef48cf0f7558e37cff6431b5f2f1388f8906c67bebc6c2
Instruction Fuzzy Hash: 29126C34701202DBDB16AA38E49866D77A7EBCA314B609D3CE205CB355DF79EC46CB90

Function 0094A22C Relevance: .4, Instructions: 388COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3369627001.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_940000_DO9uvdGMde.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08c017c7dcba074027f762627281bb50172685f05ee620140a457357b1fe24f1
Instruction ID: 9628c180a27ed3976666528f94dd531f702d70c7db95a3fcea2b420e24d5e3f0
Opcode Fuzzy Hash: 08c017c7dcba074027f762627281bb50172685f05ee620140a457357b1fe24f1
Instruction Fuzzy Hash: 5AE19134B00205CFDB14DFA8D594AAEBBB6EF88310F24846AE506DB395DB75DC42CB81

Function 00944A8D Relevance: .3, Instructions: 258COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3369627001.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_940000_DO9uvdGMde.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb02aedcb54b5211c9e436cf9eb04ff5e50d0f926f6c4d1043436d44dd3c610c
Instruction ID: ef938ecc3802c6eebb0361875dc7ca1401a4d9d1979a1ce790b152e20294cc2b
Opcode Fuzzy Hash: eb02aedcb54b5211c9e436cf9eb04ff5e50d0f926f6c4d1043436d44dd3c610c
Instruction Fuzzy Hash: C8A15A70E002498FDF10CFA8D885BDDBBF6AF88354F248529D859EB294EB749845CF81

Function 00946ED7 Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3369627001.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_940000_DO9uvdGMde.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e48fb0bd2b7493f44689233107978d4f3e5788f52b5aaaffe703a797ee7c6e5f
Instruction ID: 38b77d1043f6651a591fe459a6f210a3a78bae9f13cfaecac8a65e5307155974
Opcode Fuzzy Hash: e48fb0bd2b7493f44689233107978d4f3e5788f52b5aaaffe703a797ee7c6e5f
Instruction Fuzzy Hash: 22518C30704218CFDB14EBA8D458AAD7BF6FF8A704F2044A9E406EB3A1CB359C45CB91

Function 0094A6C0 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3369627001.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_940000_DO9uvdGMde.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 071286bf388162f9ac0cd385d8750c027dde90c98a416117a53c360ee82b437c
Instruction ID: fcd667d2d7b13bfc65932066d8f3af69931dce9470613746948c724a1ec940be
Opcode Fuzzy Hash: 071286bf388162f9ac0cd385d8750c027dde90c98a416117a53c360ee82b437c
Instruction Fuzzy Hash: 70515B75A00205CFDB14DF69E884B99FBB6FF88310F14C2A9E9089F395E7719945CB90

Function 00946CE8 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3369627001.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_940000_DO9uvdGMde.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 900297a1efba6813e927b2e0ef6a5c004a0cf6b23885f6ff3a297c32297fb1c5
Instruction ID: 9f1e82a3eb1a358d9687a22d70b1f2cc1630bfa35317e537cd980df4a2e1336f
Opcode Fuzzy Hash: 900297a1efba6813e927b2e0ef6a5c004a0cf6b23885f6ff3a297c32297fb1c5
Instruction Fuzzy Hash: F45104B5E002188FDB18CFA9C894BAEBBF5BF49310F148529E815BB391D774A844CF95

Function 00946CDD Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3369627001.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_940000_DO9uvdGMde.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 090a34e248a5f96d37d243ff672e732094a38e7544576bd396366d3735ad6cc9
Instruction ID: 883596b5a163f538356941a5694a380e7f14e4f220b92182efb02a06d4d8d688
Opcode Fuzzy Hash: 090a34e248a5f96d37d243ff672e732094a38e7544576bd396366d3735ad6cc9
Instruction Fuzzy Hash: F45134B4E002188FDB18CFA9C894BAEBBF5BF49300F14852AD815BB391DB749844CF95

Function 0094112B Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3369627001.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_940000_DO9uvdGMde.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1709949635fad9a0c502f999a44019f6af214a6f00b1caebe5354814eaf2e781
Instruction ID: c03e74342e70555154eefc1856a711b4f562629d410f551b636d5c2cbba69251
Opcode Fuzzy Hash: 1709949635fad9a0c502f999a44019f6af214a6f00b1caebe5354814eaf2e781
Instruction Fuzzy Hash: 1F51CF31215B42CFD705FF3CF899AA63BB6F79B305704D969D20447A2AEAA06945CB40

Function 009417C0 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3369627001.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_940000_DO9uvdGMde.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5abdd0d95145dc18ebc0d51cfc4d9dae570cebd6a6edaab75b723f7ce70a7ca
Instruction ID: e9b322d84be7c5741c302ae5e3c5c40f23e369abe7ee9e597c9c7de882449da2
Opcode Fuzzy Hash: f5abdd0d95145dc18ebc0d51cfc4d9dae570cebd6a6edaab75b723f7ce70a7ca
Instruction Fuzzy Hash: B941B279A006428FDB51FB78F898B9E7BA6EB89340F108965E605C7355FB34CC85CB81

Function 00941138 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3369627001.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_940000_DO9uvdGMde.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80dbb8b16e0b45892b2627a348044e8c4cd106b996c1a60c67a0bde3b3dcf462
Instruction ID: 31d9672fc8e67db450de553eecfc9d8d55d87828ee955c5240fa3a9914adbdca
Opcode Fuzzy Hash: 80dbb8b16e0b45892b2627a348044e8c4cd106b996c1a60c67a0bde3b3dcf462
Instruction Fuzzy Hash: B951BE31211B42CFD705FF2DFC99A663BB6F79B305704D969D2044BA29EAB06905CF80

Function 00947D98 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3369627001.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_940000_DO9uvdGMde.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 770bccf58b246de7c771e4228a29ee8bae10cda1b6fd5011640a338892224e49
Instruction ID: eda1a38983685f62153d26bb595745d480488ab757b44462210bd4d91b8dc0aa
Opcode Fuzzy Hash: 770bccf58b246de7c771e4228a29ee8bae10cda1b6fd5011640a338892224e49
Instruction Fuzzy Hash: F7316131E1025DDBEB14CFA4D444AAEF7B6EF85310F208969E506EB250DB70ED41CB50

Function 009426DC Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3369627001.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_940000_DO9uvdGMde.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8acd9722ad59613731185079330667506d729981b534b94d459bf0ac1feae15b
Instruction ID: c391b76c46ad26a5b9c5c8f3f2629ce08fa936e4799a35fe8d2ea3da5812918d
Opcode Fuzzy Hash: 8acd9722ad59613731185079330667506d729981b534b94d459bf0ac1feae15b
Instruction Fuzzy Hash: DA41EDB0D00349DFEB10DFA9C584ADEBBF5BF48314F648429E819AB250DB75A949CF90

Function 009426E8 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3369627001.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_940000_DO9uvdGMde.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 861bae502a54075cf50eeca6d73b5136522c5a0804cb5940072e3b3ae2079027
Instruction ID: db545ce568c6d64b979a5995f38be0f29a771a686dc8406b5831cb92a989eba7
Opcode Fuzzy Hash: 861bae502a54075cf50eeca6d73b5136522c5a0804cb5940072e3b3ae2079027
Instruction Fuzzy Hash: 6941FEB0D00348DFEB10CFA9C484ADEBBF9FF48710F608029E809AB250DB75A945CB90

Function 0094A070 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3369627001.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_940000_DO9uvdGMde.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd81509e9bcb6997bd6ffe57dda88883f03331c47739dabb04c3ef34da8d53ce
Instruction ID: 20093a4568117d2af913059f2caf6cded81c9afdbf122c143c98e6990059bcd7
Opcode Fuzzy Hash: bd81509e9bcb6997bd6ffe57dda88883f03331c47739dabb04c3ef34da8d53ce
Instruction Fuzzy Hash: 4F318134E0464A9BDB15DF69D894A9EF7B6EF8A304F20C619E905FB340DBB09C41CB91

Function 0094A080 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3369627001.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_940000_DO9uvdGMde.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30d6a0dc81eb4ed110ec7de0a3126e5833596e9d676ffccc5301725ca14655eb
Instruction ID: 62d81407200436db4b3ed282980e5ae369c5f8b589999ab66fb94be5c3413dd4
Opcode Fuzzy Hash: 30d6a0dc81eb4ed110ec7de0a3126e5833596e9d676ffccc5301725ca14655eb
Instruction Fuzzy Hash: DA215E34E0460A9BDB19DFA5D994A9EF7B6EF89300F20C619E905AB340DB719C41CB51

Function 006FD006 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3367096771.00000000006FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 006FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6fd000_DO9uvdGMde.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66cb7d478b3717c7f0274ffe84aa3d3cf2f5b5a5e16b92c0791bb0a549b7b95a
Instruction ID: e1aa1fb4ff754e14de48cfe2105f65b19e521e18941d63b1e6e546a7ef266b5d
Opcode Fuzzy Hash: 66cb7d478b3717c7f0274ffe84aa3d3cf2f5b5a5e16b92c0791bb0a549b7b95a
Instruction Fuzzy Hash: 8D313C7150D7C49FC7038F20D9A4751BF72AB47214F2985DBD9898F2A3C67A980ACB62

Function 0094A858 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3369627001.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_940000_DO9uvdGMde.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bf729c4fb370779288a831ad18886db1a9b5aec761908a97fa6b646ff90e7d2
Instruction ID: f79fbc546cb5cdeb46d2b9a837a8354db7d537d23dc3c27077a37f57bcb201e8
Opcode Fuzzy Hash: 0bf729c4fb370779288a831ad18886db1a9b5aec761908a97fa6b646ff90e7d2
Instruction Fuzzy Hash: 95219F71B401049FEB14DBA9C854FAE7BFAEF88720F258169E505EB3A4DA75CD008B91

Function 00941383 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3369627001.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_940000_DO9uvdGMde.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61a374805de06da29bed12e24fce7eeb9cd4048ee867cc1b0f58f47361345352
Instruction ID: 61060dc9f1525546f732e1da68dd60c3398d9fc7d1b624e70d6c878f98c15b0a
Opcode Fuzzy Hash: 61a374805de06da29bed12e24fce7eeb9cd4048ee867cc1b0f58f47361345352
Instruction Fuzzy Hash: 702184386016418BEB31A778E498B7D3769E797315F14082EE507C7B91DA69CCC5C782

Function 006FD044 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3367096771.00000000006FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 006FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6fd000_DO9uvdGMde.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e951be9c4acaf68a815a1c266645edfca841c24ba7c6fde568bad7a790de248
Instruction ID: c45292e778ef6b3f226c704ee3c46640210878e82b116f42609ab963ead328ee
Opcode Fuzzy Hash: 5e951be9c4acaf68a815a1c266645edfca841c24ba7c6fde568bad7a790de248
Instruction Fuzzy Hash: 4B21C271604208EFDB14DF24D9C4B26BB67FB84314F24C56DEA494B352CB7AE847CA62

Function 0094A852 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3369627001.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_940000_DO9uvdGMde.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b05d7b05c1a946ab63bbac8d7cf98f3069b4a5e3fa0ec89afead4ee8424a460
Instruction ID: 666c459d362b071e98417dff7ccd3bc7c35e3a99a1a3495df2bf9ec97aa1f96d
Opcode Fuzzy Hash: 8b05d7b05c1a946ab63bbac8d7cf98f3069b4a5e3fa0ec89afead4ee8424a460
Instruction Fuzzy Hash: CD21BB71A402058FEB14CBA8C854BAE7BFAFF88710F248469E501EB3A4DA75CD008B91

Function 00944F89 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3369627001.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_940000_DO9uvdGMde.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 594e1d4e7ede4386b3607a63e41eb5b749c1de1536d42e1402961bb5c5447cf6
Instruction ID: 8a0b090ab4d02cb6dc1a115d692a35e5d3fca871702e9fd1af0d0d8f18938fd0
Opcode Fuzzy Hash: 594e1d4e7ede4386b3607a63e41eb5b749c1de1536d42e1402961bb5c5447cf6
Instruction Fuzzy Hash: A9212834A00609CFDB14DF75D558BAD77F1AF89314F104568E406EB3A1EB3A9D41CB90

Function 00949F70 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3369627001.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_940000_DO9uvdGMde.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f466a5a1272b778f44c0be88732c3d9a9107af948153b3ba927239ccdbf2bcbb
Instruction ID: d716ec3be0d18a52e418c190bce832a79f069ba849566f27196275ed6bbb5c3d
Opcode Fuzzy Hash: f466a5a1272b778f44c0be88732c3d9a9107af948153b3ba927239ccdbf2bcbb
Instruction Fuzzy Hash: 37215675E007099BCB19CFA4D550A9EB7B2BF89310F248A5AE816F7390DBB09C45CB41

Function 00941888 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3369627001.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_940000_DO9uvdGMde.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fae4a3fec0eeae45cea23ec3f45f60e3e1e2d692f8bd062f12d0338042716254
Instruction ID: 68794830dd9cbfe974d6ecc8f8bf271ceb0cff7e3a0295bbce3b69c1900dd7cd
Opcode Fuzzy Hash: fae4a3fec0eeae45cea23ec3f45f60e3e1e2d692f8bd062f12d0338042716254
Instruction Fuzzy Hash: 9B212130700205CFDB28EB78D565BAE77F6AF89345F200868D506EB350EB359D80CBA1

Function 00949F80 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3369627001.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_940000_DO9uvdGMde.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38c8fe1d6c7642d32f1c49e49638870bf70fd58740c78ab3b86761639fa605ba
Instruction ID: a2c27c84d8d303b8c7c8f5ead4372688718279f4be4200f5b96f34d6876947d0
Opcode Fuzzy Hash: 38c8fe1d6c7642d32f1c49e49638870bf70fd58740c78ab3b86761639fa605ba
Instruction Fuzzy Hash: 01215034E007099BCB19CFA4D954A9EB7B6BF89310F20861AE816F7390DBB0AC45CB51

Function 009416B0 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3369627001.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_940000_DO9uvdGMde.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45731085fc34255edb9fc0adc76f43cd075eb68e0b441b5bd5d93de97215e061
Instruction ID: 97db5bc13e71e0200bf4d2f7ca8f7e34751eea68de53df687678d9f020f3dc70
Opcode Fuzzy Hash: 45731085fc34255edb9fc0adc76f43cd075eb68e0b441b5bd5d93de97215e061
Instruction Fuzzy Hash: F92115386015018BDF15FB7CF898B5A776AE79A314F108A25D206CB255EB34DC85CB91

Function 00944F98 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3369627001.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_940000_DO9uvdGMde.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18e4316e1a40a4504a3d652a18978dbbf7d0f31a6457150a5c4909c40be16c82
Instruction ID: e4c22cd2f7e270d1742a2f65db6fcffa98732b93c2471e558e3283d8c617f0e6
Opcode Fuzzy Hash: 18e4316e1a40a4504a3d652a18978dbbf7d0f31a6457150a5c4909c40be16c82
Instruction Fuzzy Hash: 6A213934700608CFDB54EB78D958BAD77F5AF89314F104968E40AEB3A1EB369D01CB94

Function 00941878 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3369627001.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_940000_DO9uvdGMde.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b620bba60ea310c419b1d672cafafd856d56984e08efc339d54c66058425e1c9
Instruction ID: e5d78cd87f2c21bd12d7b28bfc70faf5e6586a410b014af383792dd8f72b4e72
Opcode Fuzzy Hash: b620bba60ea310c419b1d672cafafd856d56984e08efc339d54c66058425e1c9
Instruction Fuzzy Hash: B7213C30B00245CFDB28EB78D565BAD77F6AB89345F200869D505EB3A1EB3A8D80DB51

Function 00941498 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3369627001.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_940000_DO9uvdGMde.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d973a7c5489c21451f462b3d29c369637a7a7e319ebe646c6c23f07793962c8
Instruction ID: bf3e7163afe66d856db9effb3a605d7b8a981e2b5ec0660dbc7130e405aeed3d
Opcode Fuzzy Hash: 7d973a7c5489c21451f462b3d29c369637a7a7e319ebe646c6c23f07793962c8
Instruction Fuzzy Hash: BB014031E012159FCF25EFB98451AAE7BF9EBC8350B240479E505E7301E736D981CB95

Function 0094A6B8 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3369627001.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_940000_DO9uvdGMde.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 291ba9d903c2cada9bcac875865f8a5f4bc080744f8507f1bfa7f55004d86c1d
Instruction ID: 78f11f5782d9e567676bac05eb76e49289d51e2e34ecac61ee2664f9d1dc7b90
Opcode Fuzzy Hash: 291ba9d903c2cada9bcac875865f8a5f4bc080744f8507f1bfa7f55004d86c1d
Instruction Fuzzy Hash: EB019231A002048BDB14DFA5E994B89BBB6FF85311F54C668C9085F29AE770AD46CBA1

Function 00948F10 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3369627001.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_940000_DO9uvdGMde.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a22d0c8d96590c0fa60a0a5e6c9b89d64b0bcfcae74b5a5c73dae7b036ebbf4
Instruction ID: 18e9908d204769384b812c6ac3c77dddf0e98195c325ae9a47d4941b399fe01d
Opcode Fuzzy Hash: 1a22d0c8d96590c0fa60a0a5e6c9b89d64b0bcfcae74b5a5c73dae7b036ebbf4
Instruction Fuzzy Hash: 6901843050528ADFCB02FBB8F9956DD7BB1EF46304F1046ACC5815B296EA312A02CB92

Function 00941524 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3369627001.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_940000_DO9uvdGMde.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 711f76afb7969d7f3de925d3b15496aac832cd639355439b66d76f4dcd5206f7
Instruction ID: 63d25fbbeefd607d279ba7e30f63cb11e5a865a5836bf268f9e4db8a2c6a4f23
Opcode Fuzzy Hash: 711f76afb7969d7f3de925d3b15496aac832cd639355439b66d76f4dcd5206f7
Instruction Fuzzy Hash: 13F02B37E04110CFD7228BE89491AECBF74EAD931171844E7E802DB212D235E886C751

Function 00947EB0 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3369627001.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_940000_DO9uvdGMde.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 436eaf6a98953a17e1b62fe6ca14ecbb6fe4691b33a5c46135e58d56ab69a191
Instruction ID: 663eec8e83c7e31fdb50eae6a10de33cf02a50597762471afbb4297ee7d58afb
Opcode Fuzzy Hash: 436eaf6a98953a17e1b62fe6ca14ecbb6fe4691b33a5c46135e58d56ab69a191
Instruction Fuzzy Hash: 3DF0E739B00118CFC714EB78D5A8B6D77B2EF88715F6044A8E5069B3A0CB35AD42CF40

Function 00948F20 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3369627001.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_940000_DO9uvdGMde.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24588c1b5f7d4cba309b35954154222babc97cadc9dfbe9430b5cb428596cbe0
Instruction ID: 0a7a5e7e01522fb74ece2e9c70d59e59b823c21cbd0e37544296cbfac5106c56
Opcode Fuzzy Hash: 24588c1b5f7d4cba309b35954154222babc97cadc9dfbe9430b5cb428596cbe0
Instruction Fuzzy Hash: 11F03C3090124AEFDB41FBB8F9956DD7BB1EB49300F5086B8C6059B254EA712E058B91

Analysis Process: .exePID: 5260, Parent PID: 4004COMMON

Execution Graph

Execution Coverage:	7.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	49
Total number of Limit Nodes:	8

Executed Functions

Function 0095C909 Relevance: 6.1, APIs: 4, Instructions: 135
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0095C996
GetCurrentThread.KERNEL32 ref: 0095C9D3
GetCurrentProcess.KERNEL32 ref: 0095CA10
GetCurrentThreadId.KERNEL32 ref: 0095CA69

Memory Dump Source

Source File: 00000006.00000002.2262620698.0000000000950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_950000_UNK_.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: ec52fdc035b1c03cede8092ffbd8e375f35e3616e9696b2f7a735c1e07d313a9
Instruction ID: 20ef647fb0e83e55f660aa0cf4af85789a00d91713b3b8b5a771c2922ab811f6
Opcode Fuzzy Hash: ec52fdc035b1c03cede8092ffbd8e375f35e3616e9696b2f7a735c1e07d313a9
Instruction Fuzzy Hash: A25157B0901709CFEB54DFAAD548BEEBBF1EF88304F208459E409A7350D7789945CB66

Function 0095C918 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0095C996
GetCurrentThread.KERNEL32 ref: 0095C9D3
GetCurrentProcess.KERNEL32 ref: 0095CA10
GetCurrentThreadId.KERNEL32 ref: 0095CA69

Memory Dump Source

Source File: 00000006.00000002.2262620698.0000000000950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_950000_UNK_.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 6a64b00e220b024ec5eecd3979a0f1cd5ef5f25e39de9dc3886f69a7455a77bd
Instruction ID: cd3f6085c2771bc14a48774f4e6ffdbd0f6be21cb6c4e85a0b8b85b1d18454d3
Opcode Fuzzy Hash: 6a64b00e220b024ec5eecd3979a0f1cd5ef5f25e39de9dc3886f69a7455a77bd
Instruction Fuzzy Hash: CB5167B0901709CFEB54DFAAD548BAEBBF1EF88304F208459E409A7350D778A945CF66

Function 0095A690 Relevance: 1.7, APIs: 1, Instructions: 197
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0095A8E6

Memory Dump Source

Source File: 00000006.00000002.2262620698.0000000000950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_950000_UNK_.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 6f1de1afcd468d30dadc69af74ca37cf7995205c01df7691a0505bc6f2c2d138
Instruction ID: c2bb657f556b2dc973b0d1ec1a1f2630792a2f3006335a999fe151beae0719c2
Opcode Fuzzy Hash: 6f1de1afcd468d30dadc69af74ca37cf7995205c01df7691a0505bc6f2c2d138
Instruction Fuzzy Hash: 28713570A00B058FD724DF2AD45075ABBF5FF88300F108A2ED94AD7A50DB75E94ACB96

Function 0095FAF8 Relevance: 1.6, APIs: 1, Instructions: 70
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0095FB90

Memory Dump Source

Source File: 00000006.00000002.2262620698.0000000000950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_950000_UNK_.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: e844bd2024e3d844462f827360fd0a28a3903f1b7799af4d33f240a4ec4c399d
Instruction ID: 92b817584a09be8cfc77eb1233cf4a83675cddf2f5a4198c20b00d19b4e8b6af
Opcode Fuzzy Hash: e844bd2024e3d844462f827360fd0a28a3903f1b7799af4d33f240a4ec4c399d
Instruction Fuzzy Hash: 8E212671900349DFDB10CFAAC881BDEBBF5FF48310F108429E918A7250D7789944CBA4

Function 0095FB00 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0095FB90

Memory Dump Source

Source File: 00000006.00000002.2262620698.0000000000950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_950000_UNK_.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: f939a976d65fb3aef97df6d2c69fee15f2d8f5f46ef7bb20930c9db440bcda28
Instruction ID: e0957c39b9cb6060f98bea2b5bd4e2856db03e2ea8b8e061c15f7abdc54331bb
Opcode Fuzzy Hash: f939a976d65fb3aef97df6d2c69fee15f2d8f5f46ef7bb20930c9db440bcda28
Instruction Fuzzy Hash: 7521E471900349DFDB10CFAAC885BDEBBF5FF48310F108429E959A7240D7799954CBA4

Function 0095FA20 Relevance: 1.6, APIs: 1, Instructions: 64
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0095FAA6

Memory Dump Source

Source File: 00000006.00000002.2262620698.0000000000950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_950000_UNK_.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 2375a6d369ef2d5e1c4f4d6e015e8ced3786c074f82a3baeefe9e42ecca7e447
Instruction ID: 8a358b976fb2ed35a7627e6ab4d820f9b8c1452b318c718dd59305eb3181e1e6
Opcode Fuzzy Hash: 2375a6d369ef2d5e1c4f4d6e015e8ced3786c074f82a3baeefe9e42ecca7e447
Instruction Fuzzy Hash: 68213871D003099FEB10DFAAC485BEEBBF4EF88324F148429D959A7240D7789945CFA5

Function 0095CB58 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0095CBE7

Memory Dump Source

Source File: 00000006.00000002.2262620698.0000000000950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_950000_UNK_.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: d5abb7ec74ebb99b960588ebfafe0c4c9b72c97c2bd97704b93b1568fd7db06d
Instruction ID: 8596d9abd2ad024d193f0661636ec69656e8a19d03a341e43ea765e3fad2de91
Opcode Fuzzy Hash: d5abb7ec74ebb99b960588ebfafe0c4c9b72c97c2bd97704b93b1568fd7db06d
Instruction Fuzzy Hash: F421D2B5D00349DFDB10CFAAD585ADEBBF8EB48310F14841AE918A3350D378A954CF65

Function 0095FA28 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0095FAA6

Memory Dump Source

Source File: 00000006.00000002.2262620698.0000000000950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_950000_UNK_.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 543e769d6d800823817e147d317f024221738e742bb6173ad6dd924ddccbed2c
Instruction ID: 74ee24e35403b35a818b1df5e7ee7fbe079b10773f754ca53a2e1cc398ae3448
Opcode Fuzzy Hash: 543e769d6d800823817e147d317f024221738e742bb6173ad6dd924ddccbed2c
Instruction Fuzzy Hash: 3F215B71D003098FEB10DFAAC4857EEBBF4EF88320F148429D919A7240D7789945CFA5

Function 0095CB60 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0095CBE7

Memory Dump Source

Source File: 00000006.00000002.2262620698.0000000000950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_950000_UNK_.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: c203dd337fa6e96921d61d87fc50f524a0724905806d870c4b2cb2adf4f7f426
Instruction ID: 4f5ffc3bdc38dc16256ae513eb00331d75815be74b76c654c49551622f5e5154
Opcode Fuzzy Hash: c203dd337fa6e96921d61d87fc50f524a0724905806d870c4b2cb2adf4f7f426
Instruction Fuzzy Hash: A521C4B5D00349DFDB10CFAAD985ADEBBF8EB48310F14841AE914A7350D378A954CFA5

Function 0095A118 Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0095A961,00000800,00000000,00000000), ref: 0095AB72

Memory Dump Source

Source File: 00000006.00000002.2262620698.0000000000950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_950000_UNK_.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 8938f790489de9782ceedf7c1dae44d3aa7aea9934e5388e41b4cbbe3a7936de
Instruction ID: b0b11f7cac776d203de2de587f31ad1d81d43cde7d27b0e651d8a02cb7bfa8ef
Opcode Fuzzy Hash: 8938f790489de9782ceedf7c1dae44d3aa7aea9934e5388e41b4cbbe3a7936de
Instruction Fuzzy Hash: DC11E7B5D00349DFDB10CF9AD444A9EFBF9EB48311F14851AD919B7200C379A945CFA5

Function 0095AB00 Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0095A961,00000800,00000000,00000000), ref: 0095AB72

Memory Dump Source

Source File: 00000006.00000002.2262620698.0000000000950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_950000_UNK_.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: b9fb5faacf7946c998fd6dca9ee257ac57e5d86b1050ce6261ee6f74725136b4
Instruction ID: daa2c2f366598b70e2eec800422b3b1ad45790fdcefa44d2a315861be432c004
Opcode Fuzzy Hash: b9fb5faacf7946c998fd6dca9ee257ac57e5d86b1050ce6261ee6f74725136b4
Instruction Fuzzy Hash: 261114B6C00349DFDB14CF9AC484ADEFBF9EB88710F10851AD929A7200C379A945CFA5

Function 0095FBE9 Relevance: 1.6, APIs: 1, Instructions: 54
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0095FC5E

Memory Dump Source

Source File: 00000006.00000002.2262620698.0000000000950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_950000_UNK_.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: fd5e730a0a197ee13218ab63500542f8981a3ced5c5ec9f78d660755f3ea8d62
Instruction ID: f64191214bbe45a320eed179357c53d2c04b609cd13c0c747995a90b527a0753
Opcode Fuzzy Hash: fd5e730a0a197ee13218ab63500542f8981a3ced5c5ec9f78d660755f3ea8d62
Instruction Fuzzy Hash: E4114771800349DFDF10DFAAC845ADEBBF5EF88320F108429D919A7250C7759505CFA0

Function 0095FBF0 Relevance: 1.6, APIs: 1, Instructions: 53
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0095FC5E

Memory Dump Source

Source File: 00000006.00000002.2262620698.0000000000950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_950000_UNK_.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: eb945900b982e2c3da4ee980a0753b6897ad47377b7e950d23aeef0ab3fd2a5d
Instruction ID: 3052f284c965a8ab13565e882a443db9a35392f3a46b9cff1d2294a23c9c6aaf
Opcode Fuzzy Hash: eb945900b982e2c3da4ee980a0753b6897ad47377b7e950d23aeef0ab3fd2a5d
Instruction Fuzzy Hash: 0C1114718003499FDF10DFAAC845ADEBBF5AF88720F148429E915A7250C779A944CBA4

Function 0095FCA8 Relevance: 1.6, APIs: 1, Instructions: 51
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResumeThread.KERNELBASE ref: 0095FD12

Memory Dump Source

Source File: 00000006.00000002.2262620698.0000000000950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_950000_UNK_.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: c00a5a583d6996231e76cb11279f091633bdb7957b426c4ba619b6719a5a97ff
Instruction ID: 34e4502a2b439edc8044161e6eb5c1e73175792724f1efcf9a4f6f55f26b753e
Opcode Fuzzy Hash: c00a5a583d6996231e76cb11279f091633bdb7957b426c4ba619b6719a5a97ff
Instruction Fuzzy Hash: 251146B19003498FEB20DFAAC445BAEBBF4EF89320F248429D519A7240C7796905CBA4

Function 0095FCB0 Relevance: 1.5, APIs: 1, Instructions: 49
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResumeThread.KERNELBASE ref: 0095FD12

Memory Dump Source

Source File: 00000006.00000002.2262620698.0000000000950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_950000_UNK_.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: aefd9445c3448d31e2ba748cc7ec6d53493e9186536fc20d8d1fdef2b68c76a4
Instruction ID: e52f6c9cd3ddedf5d22b04761c31eda68a8c0f40e0e2cf974e6d2b735cfe006c
Opcode Fuzzy Hash: aefd9445c3448d31e2ba748cc7ec6d53493e9186536fc20d8d1fdef2b68c76a4
Instruction Fuzzy Hash: B1112871D003498FDB10DFAAC44579EFBF8AF89720F248419D519A7240C7796944CBA4

Function 0095A880 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0095A8E6

Memory Dump Source

Source File: 00000006.00000002.2262620698.0000000000950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_950000_UNK_.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: afa53e329f338e0e367d67e88ea1a3b252aa924b7734309879d4ab51bde72b5b
Instruction ID: 00dae0249c0d6c476a0bdab27c609ddca9d81c71ecaac42ec0a1e66e35df9e1a
Opcode Fuzzy Hash: afa53e329f338e0e367d67e88ea1a3b252aa924b7734309879d4ab51bde72b5b
Instruction Fuzzy Hash: 0511DFB5C00749CFDB10DF9AD444A9EFBF8EB88310F10852AD929B7210C379A54ACFA5

Function 008FD5B8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2260810949.00000000008FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 008FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8fd000_UNK_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a349a73b8ce05dc8286b24c4e4062fd3460511e1c31ec13282c3bb2fa6a8bcac
Instruction ID: f0869f8f4c9544befd36d4899102df3e2ae4595135916a468ae71167f83c8f54
Opcode Fuzzy Hash: a349a73b8ce05dc8286b24c4e4062fd3460511e1c31ec13282c3bb2fa6a8bcac
Instruction Fuzzy Hash: 7521FB71504308DFDB05DF24D5C4B26BF66FBA8318F24856DDB098B256C33AD855C6E1

Function 0090D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2261146707.000000000090D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0090D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_90d000_UNK_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e969bde21004836da66382fbfa2354efc62782800b876563eed84c0ef9b8320c
Instruction ID: c9edafec50a395f981fa40b87cff89ec0dca825ca29d8ab1380ab4c47c874419
Opcode Fuzzy Hash: e969bde21004836da66382fbfa2354efc62782800b876563eed84c0ef9b8320c
Instruction Fuzzy Hash: 1121F271604204EFDB14DF64D9C0B26BBB5FB84314F20C96DD90E4B286C33AD847CA62

Function 0090D1EC Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2261146707.000000000090D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0090D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_90d000_UNK_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60d1468dbb0ca9a447345d8ffe29506d5738c43ee6d3fba94ce6e9223d383be4
Instruction ID: 0c08a29096f4480543d3d1c1b3a645a67d197789e275a89004ca42b298441dac
Opcode Fuzzy Hash: 60d1468dbb0ca9a447345d8ffe29506d5738c43ee6d3fba94ce6e9223d383be4
Instruction Fuzzy Hash: 52212675605304EFDB04DF98D5C0B26BBA5FB84324F20C96DD8194B3D2C37AD846CAA1

Function 008FD5B3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2260810949.00000000008FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 008FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8fd000_UNK_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77fadd82fdc2d56cf39070efea1a70d2bd0433e89b8e3a9964b57efaebe0ac53
Instruction ID: a44a1a8aef52df5e2aa8093622d4ee0f000f68c74c7622a758b32fceb0748b13
Opcode Fuzzy Hash: 77fadd82fdc2d56cf39070efea1a70d2bd0433e89b8e3a9964b57efaebe0ac53
Instruction Fuzzy Hash: 4011B176504344DFCB15CF10D5C4B26BF72FBA4314F24C6A9DA098B256C33AD85ACBA2

Function 0090D017 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2261146707.000000000090D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0090D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_90d000_UNK_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42a98d763aa616cafc5cdf308aa0cc1e619621035a6359fb41dac703237424f2
Instruction ID: 31c5b95ebb25bd85c74fa99a67c04f9cff734577a195a10c27fa945b54ebfeda
Opcode Fuzzy Hash: 42a98d763aa616cafc5cdf308aa0cc1e619621035a6359fb41dac703237424f2
Instruction Fuzzy Hash: 8811BB75504280DFCB11CF50D5C4B15FBB2FB84314F24C6AAD8094B696C33AD80ACBA2

Function 0090D1E7 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2261146707.000000000090D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0090D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_90d000_UNK_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42a98d763aa616cafc5cdf308aa0cc1e619621035a6359fb41dac703237424f2
Instruction ID: 7a72a7ee19293f47ed3cc12be61bdffe84904e11a9d2e19a9c32a9c36c22471d
Opcode Fuzzy Hash: 42a98d763aa616cafc5cdf308aa0cc1e619621035a6359fb41dac703237424f2
Instruction Fuzzy Hash: DE11BB75905280DFCB01CF54D5C0B15FBA2FB84324F24C6A9D8094B296C33AD84ACFA2

Analysis Process: powershell.exePID: 5500, Parent PID: 5260COMMON

Executed Functions

Function 04BD9229 Relevance: 1.4, Instructions: 1396COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2252310673.0000000004BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4bd0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfe509d05fc7afe36f0a556542208cfb380fc7f09c7635cf45351458ec3f4062
Instruction ID: 88cb7ee17e167c9e3aa8a656d51cb3bbfa58040d2a4cfc989acf7d7c8a94ab5a
Opcode Fuzzy Hash: bfe509d05fc7afe36f0a556542208cfb380fc7f09c7635cf45351458ec3f4062
Instruction Fuzzy Hash: C0F10974A00219DFDB15CFA8D494AADFBB2FF89314F248199E805AB365D731ED81CB90

Function 04BD6C62 Relevance: 1.4, Strings: 1, Instructions: 119COMMON

Download Yara Rule

Strings

L, xrefs: 04BD6CD6

Memory Dump Source

Source File: 00000007.00000002.2252310673.0000000004BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4bd0000_powershell.jbxd

Similarity

API ID:
String ID: L
API String ID: 0-2909332022
Opcode ID: d11cc130c690133b4b1a6959dc1fd402a78ddb96f4bcd9c1c7b2d062e9a0e815
Instruction ID: b634aa656b682ca5e0dd3f5e293558ac606a65e99a0152394153cfc637d43aa2
Opcode Fuzzy Hash: d11cc130c690133b4b1a6959dc1fd402a78ddb96f4bcd9c1c7b2d062e9a0e815
Instruction Fuzzy Hash: 59514A35A05248DFCB09CFA9D4909ADBFF2EF4A310F1981E9E850AB362D735A945CF50

Function 04BD29F0 Relevance: .2, Instructions: 209COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2252310673.0000000004BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4bd0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1af90b475ad087de63669ccb02df08407c4d5ec16aec13ee6fc0acb892fa293
Instruction ID: 9c7c754f4a2e9bb70f7a19d2495d0ee816426034fd3a5e09d98b1f7651644a41
Opcode Fuzzy Hash: d1af90b475ad087de63669ccb02df08407c4d5ec16aec13ee6fc0acb892fa293
Instruction Fuzzy Hash: 01918A74A00649CFCB19CF59C494AAAFBB1FF88310B2486D9E915AB365D735FC41CBA0

Function 04BD6C70 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2252310673.0000000004BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4bd0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27821bf000d92ee55576a60b135c915fd6c17e9170f0da721e60906c3bfecd27
Instruction ID: 8aa761b1e90d745841fd092ca71131b44dabec38c5820f3607d611965db5e012
Opcode Fuzzy Hash: 27821bf000d92ee55576a60b135c915fd6c17e9170f0da721e60906c3bfecd27
Instruction Fuzzy Hash: E7515A34A05248DFCB09CFA9D4909ADBBF2FF89301F1580A9E944AB362D735AD45CF50

Function 079018C5 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2276062449.0000000007900000.00000040.00000800.00020000.00000000.sdmp, Offset: 07900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7900000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74d35d44b722344cd5fc8569df3bf0f932701042c03f166ccf9288c09fc07392
Instruction ID: 2d2b3d8a049011467cb892736c49c70aa9e9381f856ccf451d954b6f334d30df
Opcode Fuzzy Hash: 74d35d44b722344cd5fc8569df3bf0f932701042c03f166ccf9288c09fc07392
Instruction Fuzzy Hash: 3D414AF17502189FDB109BA894107AEBBE6AFD271DB10807ED9558F781D931C90183E2

Function 04BD2B00 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2252310673.0000000004BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4bd0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c2deee939f8a5f67b2b26bbd2b4d920740e21d602326a0a88dc8b4414f2aade
Instruction ID: 6505fde5554e24f6f6c7314a3d63f0eadd57e588c507b7fe692c133e64532094
Opcode Fuzzy Hash: 0c2deee939f8a5f67b2b26bbd2b4d920740e21d602326a0a88dc8b4414f2aade
Instruction Fuzzy Hash: 9C416974A00645DFCB09CF59C1989AAFBB1FF88310B2581D9D915AB364D736FC51CBA0

Function 04BD7680 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2252310673.0000000004BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4bd0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0322a88074c0e82058a2e8cf46a755a2f0d22f99d0673cc9e692f279a950dd56
Instruction ID: 47a2111aff8a9403c8fe5da87f48756aa6a6027ffbb4233f13e82225de0d3dc2
Opcode Fuzzy Hash: 0322a88074c0e82058a2e8cf46a755a2f0d22f99d0673cc9e692f279a950dd56
Instruction Fuzzy Hash: 41217C74A04249DFCB05DF68C8909AABBB0FF4A300B1580AAD949DB352D735F801CBA1

Function 04BD7670 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2252310673.0000000004BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4bd0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09ed10740729e94b28a0a9c0989515ffb402e1ef72e09ca1307905898de1d4ef
Instruction ID: 29d1f892d8bc19249c15b7a126259a7e2d375797ac15f3a6f01600a4b882cbfc
Opcode Fuzzy Hash: 09ed10740729e94b28a0a9c0989515ffb402e1ef72e09ca1307905898de1d4ef
Instruction Fuzzy Hash: 1221F374A05209CFCB00DF98D9909AEBBB1FF89310B1585A9E909AB352D735ED41CBA1

Function 04BD2C5C Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2252310673.0000000004BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4bd0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f04d2e2b3d2d4b0b9e023207881d612cf95c439a071c3142546823be100bca08
Instruction ID: e95602586fb06d6e55d3e99db5b7a67c9e19dcf9002f65dbe339750b016ccb7c
Opcode Fuzzy Hash: f04d2e2b3d2d4b0b9e023207881d612cf95c439a071c3142546823be100bca08
Instruction Fuzzy Hash: 43112930504294DFCB02DF6CD8A46E9BFB0FF4A324F1481CAD590AB262C732E811CB55

Function 04A3D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2251763526.0000000004A3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A3D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4a3d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5347ca2a393e135eff0bd0f334a521bb9212d9dd096f6e2ac13bddbbe7d6754d
Instruction ID: c507a35a948466e307df8e634b07dc96c2879115dfa412d01da4bdcf8349169e
Opcode Fuzzy Hash: 5347ca2a393e135eff0bd0f334a521bb9212d9dd096f6e2ac13bddbbe7d6754d
Instruction Fuzzy Hash: 9F01F771504340EAF7104F25E980B67FFA8EF43B21F08C029FD0A1B242E278A945C6B1

Function 04A3D007 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2251763526.0000000004A3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A3D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4a3d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dda0588db36309d5af93ef796634aec8b14318ec17eeca66debd2e84a8882f57
Instruction ID: 1efbb9015941e7969eedff3ee4e8488e0f49c2ca78465225812e67cf0777ebfc
Opcode Fuzzy Hash: dda0588db36309d5af93ef796634aec8b14318ec17eeca66debd2e84a8882f57
Instruction Fuzzy Hash: 7A015E6240E3C09EE7128B25D894B52BFB4DF43625F1980DBE9889F1A3C2695849C772

Function 04BD91C2 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2252310673.0000000004BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4bd0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f3906cd3df795138e15b563b05178454c9690ed3fef96a53b88689ae9862e7b
Instruction ID: 5f761397bd332a2660931d553a1a5ecdbc0bd491fc8319908d3fd5832f14b7a0
Opcode Fuzzy Hash: 9f3906cd3df795138e15b563b05178454c9690ed3fef96a53b88689ae9862e7b
Instruction Fuzzy Hash: 04F06235A00204DFCB04CF99C884AA9F776FF892107248599D94AA7751CB35AC53CB91

Analysis Process: .exePID: 1464, Parent PID: 5260COMMON

Execution Graph

Execution Coverage:	8.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	81
Total number of Limit Nodes:	7

Executed Functions

Function 0307DCA8 Relevance: 2.2, Instructions: 2222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3369532843.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_3070000_UNK_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdd339881b2cb4a6d9b2869aae20324c679c1d6efe67d8d230f37fdba6cbbbdd
Instruction ID: bec86e12c89eb65f9442d836d1abdb177df5244d94e18ba91e86549aa72db9bb
Opcode Fuzzy Hash: bdd339881b2cb4a6d9b2869aae20324c679c1d6efe67d8d230f37fdba6cbbbdd
Instruction Fuzzy Hash: A3231F31D1071A8EDB11EF68C8806ADF7B5FF99300F15C79AD459A7221EB70AAC5CB41

Function 0307B3C8 Relevance: 2.2, Instructions: 2167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3369532843.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_3070000_UNK_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 579da88fbecd7df47c29eba39842be939fa728379d8b03fe0fb95c364920eaf9
Instruction ID: b63019e5c1c7b4228a7efe0c11afa1942547a0ae9dc47b29492a6232a970d840
Opcode Fuzzy Hash: 579da88fbecd7df47c29eba39842be939fa728379d8b03fe0fb95c364920eaf9
Instruction Fuzzy Hash: D0330731C10B5A8ADB51EF68C8905A9F7B1FF99300F15D79AE45877221FB70AAC4CB81

Function 03073E80 Relevance: 1.5, Strings: 1, Instructions: 238
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

\Vvk, xrefs: 030740CB

Memory Dump Source

Source File: 00000009.00000002.3369532843.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_3070000_UNK_.jbxd

Similarity

API ID:
String ID: \Vvk
API String ID: 0-1806392228
Opcode ID: 653666d8a4f4be916381acdddd4c84cc018647d1e3510aede67a1b6f026807b5
Instruction ID: 5e008d0ef221ab18f086c058a5555317c08ff4abb71cca68bd6609e30498a92d
Opcode Fuzzy Hash: 653666d8a4f4be916381acdddd4c84cc018647d1e3510aede67a1b6f026807b5
Instruction Fuzzy Hash: E3918C70E01209DFDF50DFAAC9817DEFBF2AF88344F188129E405AB254EB749846CB95

Function 03074A98 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3369532843.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_3070000_UNK_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d95eed5ed254c1bbbc85918b5b13d49c755d067f5778e495cde5b099bd9ccfd8
Instruction ID: 8e089d243963d1b8d34dad24262267e01cd1412321cfb7aa5d03224152154ea9
Opcode Fuzzy Hash: d95eed5ed254c1bbbc85918b5b13d49c755d067f5778e495cde5b099bd9ccfd8
Instruction Fuzzy Hash: C0B17E70E01209CFDB50CFAAC8857ADFBF2BF88314F198529D855EB294EB749845CB85

Function 06F1D7B0 Relevance: 1.6, APIs: 1, Instructions: 150
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06F1D922

Memory Dump Source

Source File: 00000009.00000002.3387224005.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6f10000_UNK_.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 712a0480ff2e7f367b9f35b890efead02b2820fc29d9f8af0680d9ae7ec51c27
Instruction ID: 22ccce2ecd0fca4eceebf5500e525a56029a75e2355e9494259711e441b4a14b
Opcode Fuzzy Hash: 712a0480ff2e7f367b9f35b890efead02b2820fc29d9f8af0680d9ae7ec51c27
Instruction Fuzzy Hash: DA5110B2C00249AFDF05CFA9C994ADDBFB1BF49350F24816AE808AB220D7319845CF90

Function 06DCE931 Relevance: 1.6, APIs: 1, Instructions: 139
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000009.00000002.3386686940.0000000006DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6dc0000_UNK_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27c914850a3ba644438e80a493bffd3d30f9400deb26d675e14b880b325b9785
Instruction ID: 2bc5b54afe40e32f9c8e11f4ec29d7c98650f2f055a63b6ce7c6aa20c11d6f26
Opcode Fuzzy Hash: 27c914850a3ba644438e80a493bffd3d30f9400deb26d675e14b880b325b9785
Instruction Fuzzy Hash: A0411472D0439A9FCB10CF69D8106AEBBF5AFCA220F15856ED509A7241DB349845CBE1

Function 06F1D810 Relevance: 1.6, APIs: 1, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06F1D922

Memory Dump Source

Source File: 00000009.00000002.3387224005.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6f10000_UNK_.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 799114e99709348ef0ba596637a61cdddd299bd22de3b78321acd74bc7e080fd
Instruction ID: 4b8ca777da04b6b7ea15c8cd1877e7d9e850184f250ca8a3342b207c72f076d4
Opcode Fuzzy Hash: 799114e99709348ef0ba596637a61cdddd299bd22de3b78321acd74bc7e080fd
Instruction Fuzzy Hash: 8541B0B1D00349DFDB14CFAAC894ADEFBB5BF48350F64812AE818AB250D7759845CF90

Function 06F1CD6C Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 06F1FE91

Memory Dump Source

Source File: 00000009.00000002.3387224005.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6f10000_UNK_.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 9a60f722828dfad77b5e3f434c1cb790d432f8b5e0fc83a6b00b1ada1cea4a83
Instruction ID: fbda2c9da03d50c7c0562635009d5aec99e8a62c3117542dcc26d8d3da75766f
Opcode Fuzzy Hash: 9a60f722828dfad77b5e3f434c1cb790d432f8b5e0fc83a6b00b1ada1cea4a83
Instruction Fuzzy Hash: 414127B5D00349DFDB54CF99C448AAABBF5FB88314F248459E519AB321D734A941CFA0

Function 06DCEA18 Relevance: 1.6, APIs: 1, Instructions: 52
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNELBASE ref: 06DCEA7F

Memory Dump Source

Source File: 00000009.00000002.3386686940.0000000006DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6dc0000_UNK_.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: ef04fdd499796f58291725520fb5ed9156c01aa26a80dbfa04767f95c0fd9e57
Instruction ID: 4e9f845fd5f1a2e431fa0662a192a45adad864e0c4c4b0160d9d27966eb365fc
Opcode Fuzzy Hash: ef04fdd499796f58291725520fb5ed9156c01aa26a80dbfa04767f95c0fd9e57
Instruction Fuzzy Hash: CE1112B1C0065A9FDB10CFAAC444B9EFBF4BF48320F15812AD918A7240D378A944CFA5

Function 03073E74 Relevance: 1.5, Strings: 1, Instructions: 245
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

\Vvk, xrefs: 030740CB

Memory Dump Source

Source File: 00000009.00000002.3369532843.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_3070000_UNK_.jbxd

Similarity

API ID:
String ID: \Vvk
API String ID: 0-1806392228
Opcode ID: e00acface8030175f71af2d1d13d9612feaa6ab54ffb878ce427da6592d9f7a2
Instruction ID: 23bbcaeb627107b609546a65bcb323c3ab2503154b3d99463ae691f7a2d148ba
Opcode Fuzzy Hash: e00acface8030175f71af2d1d13d9612feaa6ab54ffb878ce427da6592d9f7a2
Instruction Fuzzy Hash: 42A18A70E01209DFDB50DFAAD9817DDFBF2BF88354F188129E414AB294EB349846CB95

Function 0307A070 Relevance: 1.3, Strings: 1, Instructions: 84
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

L, xrefs: 0307A075

Memory Dump Source

Source File: 00000009.00000002.3369532843.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_3070000_UNK_.jbxd

Similarity

API ID:
String ID: L
API String ID: 0-2909332022
Opcode ID: 70df57afa5ce66c1ecb246b0fb75deba7a7c5b9d3fd3cd931af0586a723c0e59
Instruction ID: 049d757cb5d4e8a677fa23aa40f518b7b22c70e5875d740a2f5e29d9904ec742
Opcode Fuzzy Hash: 70df57afa5ce66c1ecb246b0fb75deba7a7c5b9d3fd3cd931af0586a723c0e59
Instruction Fuzzy Hash: FF31B435F0124A9BEB15CF68D850A9EFBF6FF89300F14C669E805AB341DB719941CB90

Function 03070848 Relevance: 1.3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Ko, xrefs: 03070894

Memory Dump Source

Source File: 00000009.00000002.3369532843.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_3070000_UNK_.jbxd

Similarity

API ID:
String ID: Ko
API String ID: 0-716275355
Opcode ID: 01a7d9b7c4572fb79bc7802aeeee34110890818d9f410ba9c826b24fec43935c
Instruction ID: 418c4de9e05b2160c1b17f6b74d2fe518bbb5ec4207a27ec51e6c9f9ee704633
Opcode Fuzzy Hash: 01a7d9b7c4572fb79bc7802aeeee34110890818d9f410ba9c826b24fec43935c
Instruction Fuzzy Hash: 4E119430F0220D8BEFE4EB7AD8147693699EB46214F248B7AD556CF241DA21CC858BD9

Function 03070838 Relevance: 1.3, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Ko, xrefs: 03070894

Memory Dump Source

Source File: 00000009.00000002.3369532843.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_3070000_UNK_.jbxd

Similarity

API ID:
String ID: Ko
API String ID: 0-716275355
Opcode ID: 73e590e1b8dea225475106f756234df845d1678067fb5d6240f6d54b5a25c5e3
Instruction ID: 4794f9a264bd9fb314ebc561fac37be6780556a9d977c6dd511766efd4fd700d
Opcode Fuzzy Hash: 73e590e1b8dea225475106f756234df845d1678067fb5d6240f6d54b5a25c5e3
Instruction Fuzzy Hash: 0A11C670F0220D9BEFE4EB75D81077A3298E786314F148B7ED556CB281EA25CC858BD9

Function 03078728 Relevance: .6, Instructions: 554COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3369532843.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_3070000_UNK_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6eabf21c3f98ffb0c8e5714c8df2ba894c674d032567ec99d1cb1895e08ff3f0
Instruction ID: 995af94bc8db150aad160da37f48bcf551a08e85af7f2e79e217ff9b0f5900ab
Opcode Fuzzy Hash: 6eabf21c3f98ffb0c8e5714c8df2ba894c674d032567ec99d1cb1895e08ff3f0
Instruction Fuzzy Hash: DE12E330B01206DBEB699B38E85535D77A2FB8A711F24A97DE002CB354DE75DC86CB81

Function 0307A22C Relevance: .4, Instructions: 392COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3369532843.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_3070000_UNK_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e65580fe6b3cbcca944cecf473fa56b63be49acdcc36d43e630a55d2991eb3c
Instruction ID: c11c1fca3f09da871953a92966cacedae2041ed92bc6392eef8bec5a457fe7d3
Opcode Fuzzy Hash: 2e65580fe6b3cbcca944cecf473fa56b63be49acdcc36d43e630a55d2991eb3c
Instruction Fuzzy Hash: 7DE19E35F02205CFDB64CB68D584AAEBBF2EB88310F248469E906DB350DB35DD42CB94

Function 03074A8D Relevance: .3, Instructions: 261COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3369532843.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_3070000_UNK_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45cacc5b0dd671fe11affbc3378407400dca5838826fff947514c368ef6c73e9
Instruction ID: a4d1288976b475543605c977533c31424d091cccac6c53d0205719c28dded7cf
Opcode Fuzzy Hash: 45cacc5b0dd671fe11affbc3378407400dca5838826fff947514c368ef6c73e9
Instruction Fuzzy Hash: FFB17C70E01209DFDB50CFAAC8857DDFBF2AF88314F198129D858EB254EB749845CB85

Function 0307A6C0 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3369532843.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_3070000_UNK_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: acf633444c3ae42487d04407b3fea159ea171d3ac9661513bd4a7e14d4d47ccd
Instruction ID: ae4a0594368d6664713b8b07059e2bfcf00d280b8a68ba15ab10e1c9171b9d0d
Opcode Fuzzy Hash: acf633444c3ae42487d04407b3fea159ea171d3ac9661513bd4a7e14d4d47ccd
Instruction Fuzzy Hash: 89716871B01205DFDB54CFA9E884B9DBBF6FF88310F1481A9E9089B395EB719941CB90

Function 03076ED7 Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3369532843.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_3070000_UNK_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82cc2cab53a1241f028d26387a56a90ec537ce97a370329db12b0d102ba977fd
Instruction ID: dc36f95c3000de09e5b11caba18d3a07cbf06970169c7b1cc2ec210a0086b0df
Opcode Fuzzy Hash: 82cc2cab53a1241f028d26387a56a90ec537ce97a370329db12b0d102ba977fd
Instruction Fuzzy Hash: A4618C34B11609CFDB14DB68C458AAD7BF2AF89700F2444A9D406EB3A1CB76DC41CBA5

Function 03077D28 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3369532843.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_3070000_UNK_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcda39d300449c91bd96fef944a3508c13f22ae2977030675428327069325bed
Instruction ID: 31ba51152259ab25e55538c8eda231535b99620690b78b05598593043d1a182b
Opcode Fuzzy Hash: bcda39d300449c91bd96fef944a3508c13f22ae2977030675428327069325bed
Instruction Fuzzy Hash: 8A317071E1124ACFDB55CF65C8407AEB7B6EF49B40F64886AE402EB290EB709C41CB54

Function 03076CDD Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3369532843.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_3070000_UNK_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d262ce6297b170bcad09615ff00d1a82986a3c2b1438f2e1657d833e0a8634c
Instruction ID: 4b1fa30e3d7b1db3e4ced690daf023f9c443de7bc6c7d93b23de0b37ff297e18
Opcode Fuzzy Hash: 5d262ce6297b170bcad09615ff00d1a82986a3c2b1438f2e1657d833e0a8634c
Instruction Fuzzy Hash: 43513270D116198FDB14CFA9C844BEDBBF1BF48300F188429E816BB390D775A844CB95

Function 03076CE8 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3369532843.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_3070000_UNK_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2210f19307a53cfd891b097a8c3b62877a9a5e7caa3e6ca9e92fb7bdd6c9fad3
Instruction ID: 25d9acb9d9802663904aa93fe3380431ae95b8c6c87b35c78afa01aca301aff3
Opcode Fuzzy Hash: 2210f19307a53cfd891b097a8c3b62877a9a5e7caa3e6ca9e92fb7bdd6c9fad3
Instruction Fuzzy Hash: 77512371D116188FDB14CFA9C894BADFBF1BF48310F188529E816BB390DB75A844CB99

Function 0307112A Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3369532843.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_3070000_UNK_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b6075a962cefc0c72f2143df5f364b7208ba88f1392563c6b7be24eef4cde6f
Instruction ID: 753ad44f5889b3c87dbca147719a61421a49eccbbc82f4816bd7d8357ac0f40e
Opcode Fuzzy Hash: 3b6075a962cefc0c72f2143df5f364b7208ba88f1392563c6b7be24eef4cde6f
Instruction Fuzzy Hash: E4510C31611346CFD705DF2AFEA1A943FB1F79A304704A1A9D1244B226EA786DC9DFC1

Function 03071138 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3369532843.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_3070000_UNK_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 221135db60a720d1fc3ef71b90e00302ae3f286e41cd83d9ebe1ab9a14975356
Instruction ID: 5bd67085c91122bce799c2d7b1d400e6195a0636ba6ca519af3cd52d9a8deecf
Opcode Fuzzy Hash: 221135db60a720d1fc3ef71b90e00302ae3f286e41cd83d9ebe1ab9a14975356
Instruction Fuzzy Hash: F351EB30611346CFC719DF2AFEA1A943FB1F79A305304A1A9D1254B225EA782DCADFC1

Function 03077D98 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3369532843.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_3070000_UNK_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef26445efa0d550827b3abd5cc323349a28c9e5baa8f289c3ba3a7e8986ba4c9
Instruction ID: b9dc2444a3773ec5415cb5f415a605b9daf781d83cec72e442521f523d949a93
Opcode Fuzzy Hash: ef26445efa0d550827b3abd5cc323349a28c9e5baa8f289c3ba3a7e8986ba4c9
Instruction Fuzzy Hash: 1F317031E11219CFDB55CFA5C8407AEB7B6FF89B50F248966E402EB240DB70AC41CB94

Function 030726DC Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3369532843.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_3070000_UNK_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b53a2f8f62e126120488e444b0abc7e81025eb121760093b9d9cbe07d796c70
Instruction ID: fb435eedad8106f2541a96c0aa1ba6cd12dd5494a89384fbc4ae2f8cb63d4915
Opcode Fuzzy Hash: 3b53a2f8f62e126120488e444b0abc7e81025eb121760093b9d9cbe07d796c70
Instruction Fuzzy Hash: C941EFB1D01349DFEB10CFA9C584ADEBBF9BF48310F248429E819AB250EB359945CF94

Function 030726E8 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3369532843.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_3070000_UNK_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ea33c5df09bf834ffabc99a1916a1a31cc2c4780081b204db2370ca4c1a0195
Instruction ID: c7757e042e50f897b60395a8f30f3b5a6e2ec23d136863beacd41bd60ab4b466
Opcode Fuzzy Hash: 7ea33c5df09bf834ffabc99a1916a1a31cc2c4780081b204db2370ca4c1a0195
Instruction Fuzzy Hash: 28410EB0D01348DFEB10CFA9C584ADEBBF9FF48310F248429E809AB250DB35A945CB94

Function 0307A080 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3369532843.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_3070000_UNK_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7606d533fa0e59e6a9fed59d6ff2a90ef0d9d7b259a97c7cc34ee6efa4198c45
Instruction ID: 694f521b8c2c7c79cefdab29efd7ef5adb5506fc92476a554803e58a79c4b744
Opcode Fuzzy Hash: 7606d533fa0e59e6a9fed59d6ff2a90ef0d9d7b259a97c7cc34ee6efa4198c45
Instruction Fuzzy Hash: AF217E31F0120A9BDB19CFA9D95069EF7B6FF89300F14C659E805AB340DB719881CB90

Function 0307169F Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3369532843.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_3070000_UNK_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a3fbbb277a455a44baf05d63afd2e68a7559a5490290fe7107fc1bb51959912
Instruction ID: 23a059cff78026b80199c08e4a66fafc250f6d1f6e1f849f7bddc458d347a363
Opcode Fuzzy Hash: 0a3fbbb277a455a44baf05d63afd2e68a7559a5490290fe7107fc1bb51959912
Instruction Fuzzy Hash: 4421B334A011498BEF64EB39FC8579A3BB9E789304F148A74E415CB281EB38DC81CF95

Function 03076BA1 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3369532843.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_3070000_UNK_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 279efcb620b344e283b420785ae4e6e6186a8471e268bc700bca2382422c8f33
Instruction ID: dac78605925bc01b1ca13725f99a89f94ebdfee6e13494f1df6d4cccc59139ea
Opcode Fuzzy Hash: 279efcb620b344e283b420785ae4e6e6186a8471e268bc700bca2382422c8f33
Instruction Fuzzy Hash: B6210232B012459FD715AB79D8507AE3BB7FF8A600F1484AED009CB394EE798C42CB91

Function 03079F70 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3369532843.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_3070000_UNK_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d644539dab1e75d7b8e781ec641e33a5928fdc87f4c3c8947e51b4072dfcace2
Instruction ID: 61117bab1ec5a5a15928d057821bdaf9a4234501bca1ad8532fb4014fce7dad9
Opcode Fuzzy Hash: d644539dab1e75d7b8e781ec641e33a5928fdc87f4c3c8947e51b4072dfcace2
Instruction Fuzzy Hash: 1921C571E01205DBCB15CFA4C9506EEB7B2BF89310F248A1AF812FB390DB709846CB54

Function 03071382 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3369532843.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_3070000_UNK_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb5d341e564e3ae2eb610608e293eb27b23972636bfee9d9964c761e179e3e73
Instruction ID: adb728c62679b20cb738ad77de58aa4628ab4cbf6d80eefcbc79d8411fc3c318
Opcode Fuzzy Hash: fb5d341e564e3ae2eb610608e293eb27b23972636bfee9d9964c761e179e3e73
Instruction Fuzzy Hash: ED21DA70E121049BEFBC9768D89936D3BA9E742315F18046DF506C77C0DB28C885CB8A

Function 03071878 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3369532843.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_3070000_UNK_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b040017f91c232aebf8280e66bdc9984105498694ecbfde48e52258629852080
Instruction ID: ba66ddb843f4a65a635f6c998e91810c6d6d87bb64dcd3884bdc09fcf035d1c0
Opcode Fuzzy Hash: b040017f91c232aebf8280e66bdc9984105498694ecbfde48e52258629852080
Instruction Fuzzy Hash: AE217C30F01249CFDB68DB78C9156AE77F6AF49245F2408A9D406EB2D0EB398D41CB95

Function 03074F89 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3369532843.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_3070000_UNK_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91a6720dde08b18e629bb8e0cc9f3a6f8c28370a2ea1d3800b76c007abac36aa
Instruction ID: 14b6b300fc4a45c6f5f14416f9bbd4c5af8eb41d917d9dae8ebb85f7eba0491a
Opcode Fuzzy Hash: 91a6720dde08b18e629bb8e0cc9f3a6f8c28370a2ea1d3800b76c007abac36aa
Instruction Fuzzy Hash: FD212A34B00208CFCB54DF79D958AAD77F1EF8E214B1044A8E406EB3A0DB759D01CB95

Function 0155D044 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3369105208.000000000155D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0155D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_155d000_UNK_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82936f204e3dd72604ca06e00102d7451e081946626f2378ce14a9b232bbc667
Instruction ID: 682cecb9515fd573f269b38d124f2e9a7eca6b972fda079042d574e195ca661d
Opcode Fuzzy Hash: 82936f204e3dd72604ca06e00102d7451e081946626f2378ce14a9b232bbc667
Instruction Fuzzy Hash: 35212572504204EFDB51DF64D9D0B26BBB1FB84314F20C96EED090F262D736D446CA61

Function 03071888 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3369532843.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_3070000_UNK_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59735868f3f1029f12a881fed95b6524f8b409e2cbf26df98c6b09b70a81553c
Instruction ID: 4cece47b5a5e9d83bc1271821c03b9129914ae3aa839098c53baae7bd6deb113
Opcode Fuzzy Hash: 59735868f3f1029f12a881fed95b6524f8b409e2cbf26df98c6b09b70a81553c
Instruction Fuzzy Hash: 77216D30F01209CFDB58DB79C9156AE77F6AF89241F1404A9D406EB390EB398D41CBA5

Function 03079F80 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3369532843.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_3070000_UNK_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b88fd53e49da6ef5694af55d07bbcb80561748f42dd22c4c1bdc924dda92a5ca
Instruction ID: 0b12bad94707b29ff3b69cbd3f11de0dd4a68810e14507d20b8fc00b2d1b96e0
Opcode Fuzzy Hash: b88fd53e49da6ef5694af55d07bbcb80561748f42dd22c4c1bdc924dda92a5ca
Instruction Fuzzy Hash: A8218330E01205DBCB14CFA4C8505DEB7B6BF89310F108A1AF812FB380DB70A846CB54

Function 030716B0 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3369532843.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_3070000_UNK_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01aa1351eaa34b7e81caff066c46f244bb266e25d22115c47067c2e30b7221b3
Instruction ID: 674c8c9018bd4cd5c4b3d2442d0f988d079f2e8675eab583066a2bc8fbedb95a
Opcode Fuzzy Hash: 01aa1351eaa34b7e81caff066c46f244bb266e25d22115c47067c2e30b7221b3
Instruction Fuzzy Hash: 73218134A011498BDB64EB39FC8479A3BBAE749304F148665E416CB291EB38DC81CFD5

Function 03074F98 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3369532843.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_3070000_UNK_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e44a7eeeb2732c1f1aeadf7a28b5c2b107201b6ccee96063ed4518b37c919a67
Instruction ID: d2c63f39f5ca4fcd825c3f47425643090093711ecd5d1312fe5f182207ce7ae8
Opcode Fuzzy Hash: e44a7eeeb2732c1f1aeadf7a28b5c2b107201b6ccee96063ed4518b37c919a67
Instruction Fuzzy Hash: 4B213C34B00208CFCB64DB79C958AAD77F1EF8E214B1004A8E406EB3A4DB769D05CBD5

Function 030717C0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3369532843.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_3070000_UNK_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7665a15cc0f497731e6c6bd44cfbff0c30d6470ad9c6eefafa16920db1623bf
Instruction ID: 4bbbb2c8dd96173ce1311c9ca50d8727b12c0629eb287d05dd7716532a7fc38c
Opcode Fuzzy Hash: c7665a15cc0f497731e6c6bd44cfbff0c30d6470ad9c6eefafa16920db1623bf
Instruction Fuzzy Hash: 64113276F022155BCB909FB99C4426F7FF9EB88690F140471E906D3380EE38C802CB81

Function 03071488 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3369532843.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_3070000_UNK_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 383d9aa78dd542f6a01892501a54a05fd7b04b27c348b0e197b058950b89369e
Instruction ID: 47f2d40c9a007e431dda0407274429aca922cdaf30f399b022959ecb0b1591ad
Opcode Fuzzy Hash: 383d9aa78dd542f6a01892501a54a05fd7b04b27c348b0e197b058950b89369e
Instruction Fuzzy Hash: F511A175E023159FCF69EFB888502ADBAF9EB88250F180479D805EB341E635D942CB99

Function 03071498 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3369532843.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_3070000_UNK_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 767a16b6d80eba0ad8143ef28c85a126cfd1cf7a80b35815f3b51eb4b4d08dd7
Instruction ID: 3740e61ede239eb673359961ec7524f079ab0d3d02ef955b8cc3d56f0accc0fb
Opcode Fuzzy Hash: 767a16b6d80eba0ad8143ef28c85a126cfd1cf7a80b35815f3b51eb4b4d08dd7
Instruction Fuzzy Hash: 7B018075E023159FCF69EFB884502AEBBF9EB88250B180579D405EB340E735D942CB99

Function 0155D03F Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3369105208.000000000155D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0155D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_155d000_UNK_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42a98d763aa616cafc5cdf308aa0cc1e619621035a6359fb41dac703237424f2
Instruction ID: 4143979b289e065911e125c59bf6375103c1b9f15e9b0cd3426d22a3cad246f5
Opcode Fuzzy Hash: 42a98d763aa616cafc5cdf308aa0cc1e619621035a6359fb41dac703237424f2
Instruction Fuzzy Hash: 28119776504284DFCB12CF54C9D4B19BBB2FB84214F24C6AAD8494F262C33AD44ACB62

Function 0307A6B8 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3369532843.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_3070000_UNK_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38d6027453cdd16b6e9014466f0060edbc02b277900c91899b8434cc3b95cec4
Instruction ID: f4674b6cfcae6446fd470501f9064f8b591b648fdb3447e8510441d69c93d163
Opcode Fuzzy Hash: 38d6027453cdd16b6e9014466f0060edbc02b277900c91899b8434cc3b95cec4
Instruction Fuzzy Hash: A2018431A012058BDB14DFA5E994B8ABBB6FF95310F548178C9085B299EB709D05C7A1

Function 03078F10 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3369532843.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_3070000_UNK_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da42482b94cfdabf9104fad8a57523d8a46231430714be7c349697da32d0c3e9
Instruction ID: b25df74a1fc11e018954e98d46607f5fb46389ffbbdc194059ec7601e4205cf5
Opcode Fuzzy Hash: da42482b94cfdabf9104fad8a57523d8a46231430714be7c349697da32d0c3e9
Instruction Fuzzy Hash: 1F01697090110EEFEB40EBB9FC50BDD7BB1EB54700F1082B9C50697354EA746E468B91

Function 03071524 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3369532843.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_3070000_UNK_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 078a0d0ae53a62966a9ff8c76df1f872875d452385216647589182550068a885
Instruction ID: b24a92855820d821411363392ca546c177bfab2c57d3ae4fa08bf59ccacaf8fb
Opcode Fuzzy Hash: 078a0d0ae53a62966a9ff8c76df1f872875d452385216647589182550068a885
Instruction Fuzzy Hash: A1F0F637E06250DFC71ADBA898901ACBBB1EA9825171C4097D802DB781D232D442CB59

Function 03077EB0 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3369532843.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_3070000_UNK_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f5bec94ced302f0a4387e69c04ac41b2d89dd8860e3601ae7d0c65347cee7b3
Instruction ID: 6c176f248697d5dce89cc6a05d4e6a51267ea9e0646593f7c2e7c09cd185e3a7
Opcode Fuzzy Hash: 0f5bec94ced302f0a4387e69c04ac41b2d89dd8860e3601ae7d0c65347cee7b3
Instruction Fuzzy Hash: C7F0C439B011188FC754DB64D9A8B6C7BB2EF88615F6040A8E5069B3A0CF35AD42CF40

Function 03078F20 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3369532843.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_3070000_UNK_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d1b980d2a0208076299a603623f082885512edf744c89f5575f44c63dc97779
Instruction ID: 90bd10990933708762a56c6ba97ed9d3fe7e385dcb486f047c61aa6a060a11ff
Opcode Fuzzy Hash: 4d1b980d2a0208076299a603623f082885512edf744c89f5575f44c63dc97779
Instruction Fuzzy Hash: C2F03770A0110EEFEB44EBB9FD60ADD7BB1EB84700F1082B9C5069B254EE752E458B91

Non-executed Functions

Function 06F12E07 Relevance: 6.1, APIs: 4, Instructions: 129threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 06F12E86
GetCurrentThread.KERNEL32 ref: 06F12EC3
GetCurrentProcess.KERNEL32 ref: 06F12F00
GetCurrentThreadId.KERNEL32 ref: 06F12F59

Memory Dump Source

Source File: 00000009.00000002.3387224005.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6f10000_UNK_.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 439f57c6fafbdbabf822b66f8588a585e929d8c637b48942769e5b4f0e3a6b22
Instruction ID: 21d524df3048b03e14a4d26208f0a36e68cf36fcf72d06817d39aff93e6f7947
Opcode Fuzzy Hash: 439f57c6fafbdbabf822b66f8588a585e929d8c637b48942769e5b4f0e3a6b22
Instruction Fuzzy Hash: C55146B0901709DFDB54DFAAD948BAEBBF1EF88310F208459E019AB390D7356984CF65

Function 06F12E08 Relevance: 6.1, APIs: 4, Instructions: 128threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 06F12E86
GetCurrentThread.KERNEL32 ref: 06F12EC3
GetCurrentProcess.KERNEL32 ref: 06F12F00
GetCurrentThreadId.KERNEL32 ref: 06F12F59

Memory Dump Source

Source File: 00000009.00000002.3387224005.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6f10000_UNK_.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: f9441bfa16584152d50b247614724b03be2813c64213fbffdebc0011bc5202a3
Instruction ID: 83db2f50dfd5fdb3e9effc7a9e37d8c39e4d4d59e1c373767029f671bb815980
Opcode Fuzzy Hash: f9441bfa16584152d50b247614724b03be2813c64213fbffdebc0011bc5202a3
Instruction Fuzzy Hash: 6E5146B0901709DFDB54DFAAD948BAEBBF1EF88310F208459E019AB390D7356984CF65

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report DO9uvdGMde.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\edb.log

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3hfpmjoh.3po.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_f5wrc2wf.iwg.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fjxiqozw.dp0.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fp4axhbv.oq5.psm1

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe:Zone.Identifier

C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Static File Info

Windows Analysis Report
DO9uvdGMde.exe

Function 02D1A690 Relevance: 1.7, APIs: 1, Instructions: 197
COMMON

Function 02D1FAF8 Relevance: 1.6, APIs: 1, Instructions: 72
injectionCOMMON

Function 02D1FB00 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Function 02D1FA20 Relevance: 1.6, APIs: 1, Instructions: 66
threadCOMMON

Function 02D1CB58 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Function 02D1BDE0 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Function 02D1FA28 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre